diff --git a/bin/extra_opts.sh b/bin/extra_opts.sh index 76ce0c2..eed509b 100644 --- a/bin/extra_opts.sh +++ b/bin/extra_opts.sh @@ -16,7 +16,7 @@ fi extra_opts="--extra-vars admin=$admin" -for vault_id in kotovalexarian xuhcc +for vault_id in kotovalexarian xuhcc postgres matrix do if [ -f "$ROOT/secrets/$vault_id" ]; then extra_opts="$extra_opts --vault-id $vault_id@$ROOT/secrets/$vault_id" diff --git a/group_vars/postgres.yml b/group_vars/postgres.yml new file mode 100644 index 0000000..eb97d6d --- /dev/null +++ b/group_vars/postgres.yml @@ -0,0 +1,11 @@ +--- +common__certbot__post_hook: null +common__certbot__pre_hook: null + +common__iptables__drop_by_default: true + +postgresql_backups_dir: '/var/lib/postgresql/backups/12/main' + +postgresql_global_config_options: + - option: listen_addresses + value: '*' diff --git a/host_vars/matrix.crypto-libertarian.com.yml b/host_vars/matrix.crypto-libertarian.com.yml new file mode 100644 index 0000000..7355225 --- /dev/null +++ b/host_vars/matrix.crypto-libertarian.com.yml @@ -0,0 +1,180 @@ +--- +ansible_become_pass_for: + kotovalexarian: !vault | + $ANSIBLE_VAULT;1.2;AES256;kotovalexarian + 61643339313266356538643266316138633738616632633531383730383433633030656633383431 + 3335393862333133643030613131636232663434636164650a376464396333323662363037376164 + 38356164613536633139643333383362363531343933363661356532663838656336363166616638 + 3032303434366266330a376439396233363065323135613963633265373435636530646433343036 + 65663336353266323636633339313236353565353431363965303762643766356562313566383031 + 3536363333616139613738336566633937313539623536316666 + xuhcc: !vault | + $ANSIBLE_VAULT;1.2;AES256;xuhcc + 33613837643333393933646163323464336164353963353039323338366339343137356134353164 + 6135373037323262663461626430376134636433393037360a666435393133653763323834393530 + 38643437613437643939386232393762326536363532376266643034623833316137376233363962 + 3237346330633334630a613565623237616361623635343466303538613066653166316566616233 + 63623962363933656164623338346435346538646364383539383363346666393533 + +ansible_become_pass: "{{ ansible_become_pass_for[admin] }}" + +common__certbot__cert_name: 'matrix.crypto-libertarian.com' +common__certbot__cert_domains: + - 'matrix.crypto-libertarian.com' + - 'element.crypto-libertarian.com' +common__certbot__post_hook: 'systemctl is-active nginx.service || systemctl start nginx.service' +common__certbot__pre_hook: 'systemctl is-active nginx.service && systemctl stop nginx.service || true' + +common__nginx__state: install +common__nginx__remove_default: true + +matrix__site_host: 'crypto-libertarian.com' +matrix__base_host: 'matrix.crypto-libertarian.com' +matrix__web_host: 'element.crypto-libertarian.com' + +matrix__site_url: 'https://crypto-libertarian.com' +matrix__base_url: 'https://matrix.crypto-libertarian.com' +matrix__web_url: 'https://element.crypto-libertarian.com' + +matrix__admin_contact: 'mailto:kotovalexarian@gmail.com' +matrix__admin_user: '@kotovalexarian:crypto-libertarian.com' + +matrix__nginx__ssl_cert: '/etc/letsencrypt/live/matrix.crypto-libertarian.com/fullchain.pem' +matrix__nginx__ssl_key: '/etc/letsencrypt/live/matrix.crypto-libertarian.com/privkey.pem' + +matrix__synapse__pg_enable: true +matrix__synapse__pg_host: 'postgres.crypto-libertarian.com' +matrix__synapse__pg_username: 'matrix_synapse' +matrix__synapse__pg_database: 'matrix_synapse' + +matrix__synapse__pg_password: !vault | + $ANSIBLE_VAULT;1.2;AES256;matrix + 36666361363761366636626266613931326432313530356361643535396534623435393432386135 + 3366346639386430646334333361303565653436343335660a393766303963633761343738663836 + 61636264656534653934663835373934613963326563376435656634326633373263393735613932 + 3164633537313039380a396638626366333639393463376666353534653837313438613435396333 + 66303235616232343966336639313034383964623334663961313234376332333338343961313562 + 3366623965646237633733373165346366333436373139346435 + +matrix__synapse__signing_key: !vault | + $ANSIBLE_VAULT;1.2;AES256;matrix + 63353038343038626239333939363961393638343834316163316330376237626339303634613162 + 3934313537333630633931333930343264323639303537390a353532636532626433393132376138 + 35376235366533353763656331343034333431366333643934623537316665663730646532623039 + 3433336635643134300a373334623136396635363530646161323735336230363737333362383235 + 37646636346139366566666339616338346134373766373664316632373061333035643039336665 + 62373562326133653461373763383337623339303832626335396530373162303337313134346265 + 356230363135373266663736326238663931 + +matrix__synapse__reg_secret: !vault | + $ANSIBLE_VAULT;1.2;AES256;matrix + 66386664663864336530613438643534666361306331366639393261303933613430333934613833 + 6532383963306639616263616162353339633333343865350a666634323966373066643639616332 + 33346436323230386264343535376161376531376434626563373961636562343533303934363234 + 3033633366663030370a633566336136626138343930386237643736353166626334653364373162 + 63356337363962373331333865616663336634373133633165633833653166373939376231356439 + 63303839386134653333663462613136623937393162373465613233623931643039613339336462 + 346332383032363866643637376563376639 + +matrix__synapse__macaroon_secret: !vault | + $ANSIBLE_VAULT;1.2;AES256;matrix + 62653661363330626261303164636665336164383662343462373061356561326338343830306534 + 3339633839333036333561643438346562646636333539650a396565306430653965303765396537 + 63333437633964333236643239633561373332373365663835613437386139383333323364386462 + 6638346532306130620a626563326663333562313464346338626533666237616231666465653239 + 66336332663130623862396636373435303438383066313932653532333337316263613964343165 + 66656639666664323933316339396634613134356336383239353638643730636235633732333764 + 396330653436636161313939646233653834 + +matrix__synapse__form_secret: !vault | + $ANSIBLE_VAULT;1.2;AES256;matrix + 30386164303933346363353063653137366636636535393761383930336132396162623835656134 + 6563663236623163613865633638343530336337353261310a636636636639326162633933306131 + 66383137393839396164633638336564356562666462383935373961313964316165343232343839 + 3637623531363435610a356134316431343639336462333838373438323664643235346337663834 + 33366663666563613733386135316665323735626336333039383333313232313862623564643937 + 35643863343836656163653764353035326433653239393034386433663165663066343764613834 + 363666366630653364303235643064303031 + +matrix__synapse__recaptcha_public_key: '6LcJ26wZAAAAABVW68GFDaZn0RM1Ros6DUfkND_9' + +matrix__synapse__recaptcha_private_key: !vault | + $ANSIBLE_VAULT;1.2;AES256;matrix + 64663161393264383535653233343433613131393065626564613937306666373932636464383763 + 3464613232333631656535396431643037616636353231660a313936613636666663633437353530 + 34613433306136373131363862313161656637373936366163313966643762656136376331306133 + 3932306230633030340a633639643332313765333963356131376238313762343130303065613533 + 32363433373132623431663763646434353666333837663738363766383566313463313139623939 + 3330643537663461333330336266396531363763376236643061 + +matrix__media_repo__postgres: !vault | + $ANSIBLE_VAULT;1.2;AES256;matrix + 32343261616564383739383139636636306637616137366138623032303963363532326563303438 + 6263636534386534643539386138313965663533623935340a366531316136653131646137353566 + 30623962613061323939313230326433636330356436626366363464353762303832393332396536 + 3564376330383237310a643338663061636662343662346137333039636230666137656537383336 + 66383635323464623663303032303532393639313361646231323436613065373565623239376366 + 36613233626465376230646138356135636662663965373061616433656665356135616337386236 + 61316463386265336236346636626465353166373833336534343536313437306164663965646162 + 39353733353533353533306434353539383463346563656433313532376632343935653036393437 + 63386539326464346261393666326132383034623264663431313465343636376433343535356432 + 31633835356235376462656635383931363339353138353537326633393261313464383332393738 + 643434393863366439623237653737353439 + +matrix__media_repo__s3_endpoint: 's3.eu-central-1.amazonaws.com' +matrix__media_repo__s3_bucket: 'crypto-libertarian-matrix-media-repo' + +matrix__media_repo__s3_access_key: !vault | + $ANSIBLE_VAULT;1.2;AES256;matrix + 35326162306233313937646565623563636538376464643739313462323535393366363262323565 + 3465623639303935623461336230646439663839343331320a663635343239366366623062346630 + 37626332323965383738366532313665383564366132383530613762643836333831393735666438 + 6132393437343464390a336339383439326338646137356634333534636236326438646433353965 + 63376165363038326337346139303961373565346265393836396439656131633263 + +matrix__media_repo__s3_access_secret: !vault | + $ANSIBLE_VAULT;1.2;AES256;matrix + 36316562306261323138663361353762393736343765346435633631353734663765343638383265 + 3132383663393161306464386336396265363962313764320a653862343933666461666134383434 + 38623661326462303962376535373862303235353131363361633736336231336536633338643233 + 3539663031633038360a316433343432663865393738366633376235653839326232663134303931 + 65363837313464616536333934353062353962363365353831623234363939636333616634323832 + 3466656664353839333966643333336432303435663232646664 + +matrix__static__user_id: '@1:crypto-libertarian.com' + +matrix__static__access_token: !vault | + $ANSIBLE_VAULT;1.2;AES256;matrix + 66626138616337666537383562623139356364633837376133326235396662306330663666336333 + 6538623736613538373235623866333066396539396138320a316363393664363332353138386261 + 34313935326433623763656433326533323233623738313063623938336664663230623033373032 + 3831393536313235300a313935313636353762346437633366336433343666383630373232616338 + 35346636343137356530373538303437306461393663393862356666326430363339333739653434 + 65343963653731626133343636633035393661373634373066633165356566623538663862376662 + 36343865643637306432656563626566666362393737666461316435666664323735323439653839 + 65353937393265356264316238356636376635356263623364363564616234616330646638323635 + 30326436656366336562393332386565616338643565316637343336663133373532636634323932 + 30333566363866313432366164613537353230356630383830653463623233316539326337316638 + 39356663343938356266373162333166366437303033643366313137323332643938626266303165 + 31636662663937613638366433316433393662386637623331383761393866336234633332306434 + 65363063636562633762373232323639393435623765376265613638616265353363636439373537 + 66633335303564656637653933363730366462363164306334386166663534333738356266626439 + 63393336333666616335656566653835393163656430333631386364396364313666333833633932 + 31663530646237376630366632336661316561336233636637333761363739343639363536626665 + 39376636373630383034393966316335363138643334396432346638633865383435313139663937 + 31336165666466613733326135656433633461653237396533643237353463363665646338663164 + 63316430663163303434346233316464386634623836373664336366313961353963663632666362 + 64626636376466333139 + +common__iptables__drop_by_default: true + +common__iptables__v4_filter: | + # Allow incoming HTTP, HTTPS, Matrix. + -A INPUT -p tcp -m multiport --dport 80,443,8448 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT + -A OUTPUT -p tcp -m multiport --sport 80,443,8448 -m conntrack --ctstate ESTABLISHED -j ACCEPT + + # Deny other HTTP, HTTPS, Matrix. + -A INPUT -p tcp -m multiport --dport 80,443,8448 -j REJECT + -A OUTPUT -p tcp -m multiport --sport 80,443,8448 -j REJECT + +common__iptables__v6_filter: '{{ common__iptables__v4_filter }}' diff --git a/host_vars/postgres.crypto-libertarian.com.yml b/host_vars/postgres.crypto-libertarian.com.yml new file mode 100644 index 0000000..8c1948e --- /dev/null +++ b/host_vars/postgres.crypto-libertarian.com.yml @@ -0,0 +1,155 @@ +--- +ansible_become_pass_for: + kotovalexarian: !vault | + $ANSIBLE_VAULT;1.2;AES256;kotovalexarian + 61623634613531666632363233346539303131313038666132643464313263356162616661336339 + 6437356339396139346435636462613163396332313135620a383962643839393764616130663264 + 39363331653837376434613266623331333563343264383365336234666230633334313338623938 + 3562303035333732360a393931353339653539323732316137363532316234306461393265633763 + 64343336303765646239386265306435323230303764376439346530646138323137333461383766 + 3534613339653530643635316531356166313735623339613937 + xuhcc: !vault | + $ANSIBLE_VAULT;1.2;AES256;xuhcc + 33343933353961653437653139333435306663383434646339353763303530353731383438653337 + 3531393762396135366332396632653036346333623133650a306162326438333931303862383330 + 39626564333130623731343339663764643632323566393734346565353934656561386462326434 + 6538303365386631640a366330333135313464333962313638643465613836643037323833626131 + 39623562376439376665636537396339613462356131343763323437623334323463 + +ansible_become_pass: "{{ ansible_become_pass_for[admin] }}" + +common__certbot__cert_name: 'postgres.crypto-libertarian.com' +common__certbot__cert_domains: + - 'postgres.crypto-libertarian.com' + +postgresql_users: + - name: matrix_synapse + password: !vault | + $ANSIBLE_VAULT;1.2;AES256;postgres + 65363838636633623362663839303333346337646138333862373831343162343161356435336565 + 3032626439376630656338373464376463663935366134660a316136373261303331633836633937 + 30646533386163313136656138633437386366616234383265366261346636396130626333333235 + 3264356332336461320a323065616231663165613737646566336434663862306333393465366261 + 33373533393361356664343337353861313334623136353138643834336236306662383032316432 + 3336623036373964313036633434626239396139336666393361 + - name: matrix_media_repo + password: !vault | + $ANSIBLE_VAULT;1.2;AES256;postgres + 39386236643763333734653936616466376334636166646133653335626365373039356262376161 + 3439353138643533613166333562663134666539653431340a636231353663633033363034643232 + 63393063346332353765343961383730633266613532656234336266623538376332636361353932 + 6634626266333033330a626536333161663239353831306466323038373961663132306334386437 + 64376231643964363935633531643938616430396664393237613361626465373536643339656566 + 6233663734316163386434343332346364363362653934363162 + +postgresql_databases: + - name: matrix_synapse + owner: matrix_synapse + lc_collate: C + lc_ctype: C + - name: matrix_media_repo + owner: matrix_media_repo + lc_collate: C + lc_ctype: C + +postgresql_hba_entries: + - type: local + database: all + user: all + auth_method: peer + + - type: host + database: all + user: all + address: '127.0.0.1/32' + auth_method: md5 + + - type: host + database: all + user: all + address: '::1/128' + auth_method: md5 + + - type: hostssl + database: matrix_synapse + user: matrix_synapse + address: '134.209.196.172/32' + auth_method: md5 + + - type: hostssl + database: matrix_synapse + user: matrix_synapse + address: '2a03:b0c0:2:f0::142:3001/128' + auth_method: md5 + + - type: hostssl + database: matrix_synapse + user: matrix_synapse + address: '10.133.8.214/32' + auth_method: md5 + + - type: hostssl + database: matrix_media_repo + user: matrix_media_repo + address: '134.209.196.172/32' + auth_method: md5 + + - type: hostssl + database: matrix_media_repo + user: matrix_media_repo + address: '2a03:b0c0:2:f0::142:3001/128' + auth_method: md5 + + - type: hostssl + database: matrix_media_repo + user: matrix_media_repo + address: '10.133.8.214/32' + auth_method: md5 + + - type: host + database: all + user: all + address: '0.0.0.0/0' + auth_method: reject + + - type: host + database: all + user: all + address: '::/0' + auth_method: reject + +common__iptables__v4_filter: | + # Allow incoming HTTP for Certbot to work. + -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT + -A OUTPUT -p tcp --sport 80 -m conntrack --ctstate ESTABLISHED -j ACCEPT + + # Deny other HTTP. + -A INPUT -p tcp --dport 80 -j REJECT + -A OUTPUT -p tcp --dport 80 -j REJECT + + # Allow incoming PostgreSQL from specific hosts. + -A INPUT -p tcp --dport 5432 -s 134.209.196.172/32 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT + -A OUTPUT -p tcp --sport 5432 -d 134.209.196.172/32 -m conntrack --ctstate ESTABLISHED -j ACCEPT + -A INPUT -p tcp --dport 5432 -s 10.133.8.214/32 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT + -A OUTPUT -p tcp --sport 5432 -d 10.133.8.214/32 -m conntrack --ctstate ESTABLISHED -j ACCEPT + + # Deny other PostgreSQL. + -A INPUT -p tcp --dport 5432 -j REJECT + -A OUTPUT -p tcp --sport 5432 -j REJECT + +common__iptables__v6_filter: | + # Allow incoming HTTP for Certbot to work. + -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT + -A OUTPUT -p tcp --sport 80 -m conntrack --ctstate ESTABLISHED -j ACCEPT + + # Deny other HTTP. + -A INPUT -p tcp --dport 80 -j REJECT + -A OUTPUT -p tcp --dport 80 -j REJECT + + # Allow incoming PostgreSQL from specific hosts. + -A INPUT -p tcp --dport 5432 -s 2a03:b0c0:2:f0::142:3001/128 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT + -A OUTPUT -p tcp --sport 5432 -d 2a03:b0c0:2:f0::142:3001/128 -m conntrack --ctstate ESTABLISHED -j ACCEPT + + # Deny other PostgreSQL. + -A INPUT -p tcp --dport 5432 -j REJECT + -A OUTPUT -p tcp --sport 5432 -j REJECT diff --git a/hosts b/hosts index aac8b41..bac7397 100644 --- a/hosts +++ b/hosts @@ -1 +1,6 @@ git.crypto-libertarian.com +matrix.crypto-libertarian.com +postgres.crypto-libertarian.com + +[postgres] +postgres.crypto-libertarian.com diff --git a/playbooks/backup/postgres.yml b/playbooks/backup/postgres.yml new file mode 100644 index 0000000..1af3b14 --- /dev/null +++ b/playbooks/backup/postgres.yml @@ -0,0 +1,13 @@ +--- +- hosts: postgres + tasks: + - name: Find PostgreSQL dumps + find: + paths: '{{ postgresql_backups_dir }}' + register: postgresql_dumps + + - name: Fetch PostgreSQL dumps + fetch: + src: '{{ item }}' + dest: ../../backups + with_items: "{{ postgresql_dumps.files | map(attribute='path') | list }}" diff --git a/playbooks/backup/site.yml b/playbooks/backup/site.yml index 7e6cca9..324b44c 100644 --- a/playbooks/backup/site.yml +++ b/playbooks/backup/site.yml @@ -1,2 +1,3 @@ --- - import_playbook: git.yml +- import_playbook: postgres.yml diff --git a/playbooks/deploy/matrix.yml b/playbooks/deploy/matrix.yml new file mode 100644 index 0000000..de26cdd --- /dev/null +++ b/playbooks/deploy/matrix.yml @@ -0,0 +1,11 @@ +--- +- hosts: matrix.crypto-libertarian.com + module_defaults: + apt: + force_apt_get: true + update_cache: true + cache_valid_time: 86400 + roles: + - name: kotovalexarian.common + tags: common + - ../../roles/matrix diff --git a/playbooks/deploy/postgres.yml b/playbooks/deploy/postgres.yml new file mode 100644 index 0000000..f56d413 --- /dev/null +++ b/playbooks/deploy/postgres.yml @@ -0,0 +1,19 @@ +--- +- hosts: postgres + module_defaults: + apt: + force_apt_get: true + update_cache: true + cache_valid_time: 86400 + roles: + - name: kotovalexarian.common + tags: common + - geerlingguy.postgresql + tasks: + - name: Create daily Cron job for PostgreSQL backup + template: + src: ../../templates/pg_backup + dest: /etc/cron.daily/pg_backup + mode: 'u=rwx,g=rx,o=rx' + owner: root + group: root diff --git a/playbooks/deploy/site.yml b/playbooks/deploy/site.yml index 7e6cca9..e354b76 100644 --- a/playbooks/deploy/site.yml +++ b/playbooks/deploy/site.yml @@ -1,2 +1,4 @@ --- - import_playbook: git.yml +- import_playbook: postgres.yml +- import_playbook: matrix.yml diff --git a/requirements.yml b/requirements.yml index 668fa7f..8918815 100644 --- a/requirements.yml +++ b/requirements.yml @@ -1,3 +1,5 @@ --- - src: kotovalexarian.common version: v0.0.45 +- src: geerlingguy.postgresql + version: 2.2.1 diff --git a/roles/matrix/defaults/main.yml b/roles/matrix/defaults/main.yml new file mode 100644 index 0000000..5adefde --- /dev/null +++ b/roles/matrix/defaults/main.yml @@ -0,0 +1,41 @@ +--- +matrix__site_host: 'example.com' +matrix__base_host: 'matrix.example.com' +matrix__web_host: 'element.example.com' + +matrix__site_url: 'https://example.com' +matrix__base_url: 'https://matrix.example.com' +matrix__web_url: 'https://element.example.com' + +matrix__admin_contact: 'mailto:user@example.com' +matrix__admin_user: '@user:example.com' + +matrix__base_ssl_cert: '/etc/letsencrypt/live/matrix.example.com/fullchain.pem' +matrix__web_ssl_cert: '/etc/letsencrypt/live/element.example.com/fullchain.pem' + +matrix__base_ssl_key: '/etc/letsencrypt/live/matrix.example.com/privkey.pem' +matrix__web_ssl_key: '/etc/letsencrypt/live/element.example.com/privkey.pem' + +matrix__synapse__pg_enable: false +matrix__synapse__pg_host: 'postgres.example.com' +matrix__synapse__pg_port: 5432 +matrix__synapse__pg_username: '' +matrix__synapse__pg_password: '' +matrix__synapse__pg_database: '' + +matrix__synapse__signing_key: '' +matrix__synapse__reg_secret: '' +matrix__synapse__macaroon_secret: '' +matrix__synapse__form_secret: '' + +matrix__synapse__recaptcha_public_key: '' +matrix__synapse__recaptcha_private_key: '' + +matrix__media_repo__postgres: 'postgres://user:pass@example.com/dbname?sslmode=require' +matrix__media_repo__s3_endpoint: 's3.eu-central-1.amazonaws.com' +matrix__media_repo__s3_access_key: '' +matrix__media_repo__s3_access_secret: '' +matrix__media_repo__s3_bucket: 'example-matrix-media-repo' + +matrix__static__user_id: '' +matrix__static__access_token: '' diff --git a/roles/matrix/handlers/main.yml b/roles/matrix/handlers/main.yml new file mode 100644 index 0000000..ec9755c --- /dev/null +++ b/roles/matrix/handlers/main.yml @@ -0,0 +1,26 @@ +--- +- name: Restart Nginx + systemd: + name: nginx + state: restarted + +- name: Load, enable and restart Matrix Synapse + systemd: + name: '{{ matrix__synapse__service }}' + daemon_reload: true + enabled: true + state: restarted + +- name: Load, enable and restart Matrix Media Repo + systemd: + name: '{{ matrix__media_repo__service }}' + daemon_reload: true + enabled: true + state: restarted + +- name: Load, enable and restart Matrix Static + systemd: + name: '{{ matrix__static__service }}' + daemon_reload: true + enabled: true + state: restarted diff --git a/roles/matrix/tasks/common.yml b/roles/matrix/tasks/common.yml new file mode 100644 index 0000000..9d3c8cd --- /dev/null +++ b/roles/matrix/tasks/common.yml @@ -0,0 +1,21 @@ +--- +- name: Create Matrix directories + file: + state: directory + path: '{{ item }}' + mode: 'u=rwx,g=rwx,o=rx' + owner: root + group: root + with_items: + - '{{ matrix__conf_dir }}' + - '{{ matrix__opt_dir }}' + - '{{ matrix__lib_dir }}' + - '{{ matrix__run_dir }}' + +- name: Recreate Matrix rundirs + template: + src: '../templates/tmpfiles.d/matrix.conf' + dest: '/etc/tmpfiles.d/matrix.conf' + mode: 'u=rw,g=r,o=r' + owner: root + group: root diff --git a/roles/matrix/tasks/element.yml b/roles/matrix/tasks/element.yml new file mode 100644 index 0000000..157a52e --- /dev/null +++ b/roles/matrix/tasks/element.yml @@ -0,0 +1,37 @@ +--- +- name: Create Matrix Element directories + file: + state: directory + path: '{{ item }}' + mode: 'u=rwx,g=rwx,o=rx' + owner: root + group: root + with_items: + - '{{ matrix__element__opt_dir }}' + - '{{ matrix__element__src_dir }}' + +- name: Get Matrix Element source code + get_url: + url: '{{ matrix__element__url }}' + checksum: '{{ matrix__element__checksum }}' + dest: '{{ matrix__element__archive_file }}' + mode: 'u=rw,g=rw,o=r' + owner: root + group: root + +- name: Extract Matrix Element source code + unarchive: + remote_src: true + src: '{{ matrix__element__archive_file }}' + dest: '{{ matrix__element__src_dir }}' + creates: '{{ matrix__element__src_dir }}/index.html' + extra_opts: + - '--strip-components=1' + +- name: Create Matrix Element config + template: + src: '../templates/element/config.json' + dest: '{{ matrix__element__conf_file }}' + mode: 'u=rw,g=rw,o=r' + owner: root + group: root diff --git a/roles/matrix/tasks/main.yml b/roles/matrix/tasks/main.yml new file mode 100644 index 0000000..3f7754c --- /dev/null +++ b/roles/matrix/tasks/main.yml @@ -0,0 +1,18 @@ +--- +- include_tasks: common.yml +- meta: flush_handlers + +- include_tasks: nginx.yml +- meta: flush_handlers + +- include_tasks: synapse.yml +- meta: flush_handlers + +- include_tasks: media_repo.yml +- meta: flush_handlers + +- include_tasks: static.yml +- meta: flush_handlers + +- include_tasks: element.yml +- meta: flush_handlers diff --git a/roles/matrix/tasks/media_repo.yml b/roles/matrix/tasks/media_repo.yml new file mode 100644 index 0000000..95cc4f8 --- /dev/null +++ b/roles/matrix/tasks/media_repo.yml @@ -0,0 +1,66 @@ +--- +- name: Install system packages for Matrix Media Repo + apt: + name: golang + notify: Load, enable and restart Matrix Media Repo + +- name: Create Matrix Media Repo system group + group: + name: '{{ matrix__media_repo__group }}' + system: true + notify: Load, enable and restart Matrix Media Repo + +- name: Create Matrix Media Repo system user + user: + name: '{{ matrix__media_repo__user }}' + group: '{{ matrix__media_repo__group }}' + system: true + create_home: true + home: '{{ matrix__media_repo__lib_dir }}' + notify: Load, enable and restart Matrix Media Repo + +- name: Create Matrix Media Repo directories + file: + state: directory + path: '{{ item }}' + mode: 'u=rwx,g=rwx,o=rx' + owner: '{{ matrix__media_repo__user }}' + group: '{{ matrix__media_repo__group }}' + with_items: + - '{{ matrix__media_repo__conf_dir }}' + - '{{ matrix__media_repo__opt_dir }}' + - '{{ matrix__media_repo__src_dir }}' + notify: Load, enable and restart Matrix Media Repo + +- name: Create Matrix Media Repo config + template: + src: '../templates/media_repo/config.yaml' + dest: '{{ matrix__media_repo__conf_file }}' + mode: 'u=rw,g=rw,o=' + owner: '{{ matrix__media_repo__user }}' + group: '{{ matrix__media_repo__group }}' + notify: Load, enable and restart Matrix Media Repo + +- name: Create Matrix Media Repo systemd service + template: + src: '../templates/media_repo/matrix-media-repo.service' + dest: '{{ matrix__media_repo__service_file }}' + mode: 'u=rw,g=rw,o=r' + owner: root + group: root + notify: Load, enable and restart Matrix Media Repo + +- name: Get Matrix Media Repo source code + become_user: '{{ matrix__media_repo__user }}' + git: + repo: 'https://github.com/turt2live/matrix-media-repo.git' + dest: '{{ matrix__media_repo__src_dir }}' + version: 'b73a0082dd22e9ff447950b18e9ca49c73a6d912' + +- name: Build Matrix Media Repo source code + become_user: '{{ matrix__media_repo__user }}' + command: + chdir: '{{ matrix__media_repo__src_dir }}' + creates: '{{ matrix__media_repo__src_dir }}/bin/media_repo' + cmd: '/bin/bash {{ matrix__media_repo__src_dir }}/build.sh' + notify: Load, enable and restart Matrix Media Repo diff --git a/roles/matrix/tasks/nginx.yml b/roles/matrix/tasks/nginx.yml new file mode 100644 index 0000000..0476f07 --- /dev/null +++ b/roles/matrix/tasks/nginx.yml @@ -0,0 +1,18 @@ +--- +- name: Create Nginx server configuration + template: + src: '../templates/nginx/matrix.conf' + dest: '/etc/nginx/sites-available/matrix.conf' + mode: 'u=rw,g=rw,o=r' + owner: root + group: root + notify: Restart Nginx + +- name: Enable Nginx server configuration + file: + state: link + src: '/etc/nginx/sites-available/matrix.conf' + dest: '/etc/nginx/sites-enabled/matrix.conf' + owner: root + group: root + notify: Restart Nginx diff --git a/roles/matrix/tasks/static.yml b/roles/matrix/tasks/static.yml new file mode 100644 index 0000000..052c266 --- /dev/null +++ b/roles/matrix/tasks/static.yml @@ -0,0 +1,108 @@ +--- +- name: Install system packages for Matrix Static + apt: + name: golang + notify: Load, enable and restart Matrix Static + +- name: Create Matrix Static system group + group: + name: '{{ matrix__static__group }}' + system: true + notify: Load, enable and restart Matrix Static + +- name: Create Matrix Static system user + user: + name: '{{ matrix__static__user }}' + group: '{{ matrix__static__group }}' + system: true + create_home: false + notify: Load, enable and restart Matrix Static + +- name: Create Matrix Static directories + file: + state: directory + path: '{{ item }}' + mode: 'u=rwx,g=rwx,o=rx' + owner: '{{ matrix__static__user }}' + group: '{{ matrix__static__group }}' + with_items: + - '{{ matrix__static__conf_dir }}' + - '{{ matrix__static__opt_dir }}' + - '{{ matrix__static__src_dir }}' + - '{{ matrix__static__bin_dir }}' + notify: Load, enable and restart Matrix Static + +- name: Create Matrix Static config + template: + src: '../templates/static/config.json' + dest: '{{ matrix__static__conf_file }}' + mode: 'u=rw,g=rw,o=' + owner: '{{ matrix__static__user }}' + group: '{{ matrix__static__group }}' + notify: Load, enable and restart Matrix Static + +- name: Create Matrix Static systemd service + template: + src: '../templates/static/matrix-static.service' + dest: '{{ matrix__static__service_file }}' + mode: 'u=rw,g=rw,o=r' + owner: root + group: root + notify: Load, enable and restart Matrix Static + +- name: Get Matrix Static source code + get_url: + url: '{{ matrix__static__url }}' + checksum: '{{ matrix__static__checksum }}' + dest: '{{ matrix__static__archive_file }}' + mode: 'u=rw,g=rw,o=r' + owner: '{{ matrix__static__user }}' + group: '{{ matrix__static__group }}' + +- name: Extract Matrix Static source code + become_user: '{{ matrix__static__user }}' + unarchive: + remote_src: true + src: '{{ matrix__static__archive_file }}' + dest: '{{ matrix__static__src_dir }}' + creates: '{{ matrix__static__src_dir }}/README.md' + extra_opts: + - '--strip-components=1' + +- name: Get Quicktemplate source code + become_user: '{{ matrix__static__user }}' + git: + repo: 'https://github.com/valyala/quicktemplate.git' + dest: '{{ matrix__static__opt_dir }}/go-quicktemplate' + version: '1a0f4e9691adbb86df52cb2dd9adafa6a28585a0' + +- name: Install Quicktemplate + become_user: '{{ matrix__static__user }}' + command: + chdir: '{{ matrix__static__opt_dir }}/go-quicktemplate/qtc' + creates: '{{ matrix__static__opt_dir }}/go/bin/qtc' + cmd: 'go install .' + environment: + GOPATH: '{{ matrix__static__opt_dir }}/go' + GOCACHE: '{{ matrix__static__opt_dir }}/go-cache' + +- name: Run Go executable qtc + become_user: '{{ matrix__static__user }}' + command: + chdir: '{{ matrix__static__src_dir }}' + creates: '{{ matrix__static__src_dir }}/templates/basepage.qtpl.go' + cmd: '{{ matrix__static__opt_dir }}/go/bin/qtc' + environment: + GOPATH: '{{ matrix__static__opt_dir }}/go' + GOCACHE: '{{ matrix__static__opt_dir }}/go-cache' + +- name: Build Matrix Static source code + become_user: '{{ matrix__static__user }}' + command: + chdir: '{{ matrix__static__src_dir }}' + creates: '{{ matrix__static__bin_dir }}/matrix-static' + cmd: 'go build -o {{ matrix__static__bin_dir }} ./cmd/...' + environment: + GOPATH: '{{ matrix__static__opt_dir }}/go' + GOCACHE: '{{ matrix__static__opt_dir }}/go-cache' + notify: Load, enable and restart Matrix Static diff --git a/roles/matrix/tasks/synapse.yml b/roles/matrix/tasks/synapse.yml new file mode 100644 index 0000000..f9c87ba --- /dev/null +++ b/roles/matrix/tasks/synapse.yml @@ -0,0 +1,145 @@ +--- +- name: Install system packages for Matrix Synapse + apt: + name: + - build-essential + - libffi-dev + - libjpeg-dev + - libpq-dev + - libpq5 + - libssl-dev + - libxml2-dev + - libxslt1-dev + - python3-dev + - python3-pip + - python3-setuptools + - sqlite3 + - virtualenv + notify: Load, enable and restart Matrix Synapse + +- name: Create Matrix Synapse system group + group: + name: '{{ matrix__synapse__group }}' + system: true + notify: Load, enable and restart Matrix Synapse + +- name: Create Matrix Synapse system user + user: + name: '{{ matrix__synapse__user }}' + group: '{{ matrix__synapse__group }}' + system: true + create_home: false + notify: Load, enable and restart Matrix Synapse + +- name: Create Matrix Synapse directories + file: + state: directory + path: '{{ item }}' + mode: 'u=rwx,g=rwx,o=rx' + owner: '{{ matrix__synapse__user }}' + group: '{{ matrix__synapse__group }}' + with_items: + - '{{ matrix__synapse__conf_dir }}' + - '{{ matrix__synapse__conf_subdir }}' + - '{{ matrix__synapse__opt_dir }}' + - '{{ matrix__synapse__lib_dir }}' + - '{{ matrix__synapse__run_dir }}' + notify: Load, enable and restart Matrix Synapse + +- name: Create Matrix Synapse config + template: + src: '../templates/synapse/config/{{ item }}.yaml' + dest: '{{ matrix__synapse__conf_subdir }}/{{ item }}.yaml' + mode: 'u=rw,g=rw,o=' + owner: '{{ matrix__synapse__user }}' + group: '{{ matrix__synapse__group }}' + notify: Load, enable and restart Matrix Synapse + with_items: + - other + - database + - acme + - listeners + - url_preview + - captcha + - turn + - media_store + +- name: Create Matrix Synapse log config + template: + src: '../templates/synapse/log_config.yml' + dest: '{{ matrix__synapse__log_conf_file }}' + mode: 'u=rw,g=rw,o=r' + owner: '{{ matrix__synapse__user }}' + group: '{{ matrix__synapse__group }}' + notify: Load, enable and restart Matrix Synapse + +- name: Create Matrix Synapse signing key + copy: + content: "{{ matrix__synapse__signing_key }}\n" + dest: '{{ matrix__synapse__key_file }}' + mode: 'u=rw,g=rw,o=' + owner: '{{ matrix__synapse__user }}' + group: '{{ matrix__synapse__group }}' + notify: Load, enable and restart Matrix Synapse + +- name: Create Python virtual env + become_user: '{{ matrix__synapse__user }}' + command: + argv: + - 'virtualenv' + - '{{ matrix__synapse__venv_dir }}' + - '-p' + - 'python3' + creates: '{{ matrix__synapse__venv_dir }}' + notify: Load, enable and restart Matrix Synapse + +- name: Check Python packages + command: + argv: + - '{{ matrix__synapse__venv_dir }}/bin/pip' + - 'show' + - '{{ item }}' + with_items: + - 'matrix-synapse' + - 'lxml' + - 'netaddr' + - 'pip' + - 'psycopg2' + - 'setuptools' + ignore_errors: true + changed_when: false + register: packages_info + +- name: Upgrade Python packages + become_user: '{{ matrix__synapse__user }}' + command: + argv: + - '{{ matrix__synapse__venv_dir }}/bin/pip' + - 'install' + - '--upgrade' + - 'pip' + - 'setuptools' + when: packages_info | json_query('results[*].rc') | difference([0]) != [] + notify: Load, enable and restart Matrix Synapse + +- name: Install Python packages + become_user: '{{ matrix__synapse__user }}' + command: + argv: + - '{{ matrix__synapse__venv_dir }}/bin/pip' + - 'install' + - 'matrix-synapse' + - 'lxml' + - 'netaddr' + - 'psycopg2' + when: packages_info | json_query('results[*].rc') | difference([0]) != [] + notify: Load, enable and restart Matrix Synapse + +- name: Create Matrix Synapse systemd service + template: + src: '../templates/synapse/matrix-synapse.service' + dest: '{{ matrix__synapse__service_file }}' + mode: 'u=rw,g=rw,o=r' + owner: root + group: root + notify: Load, enable and restart Matrix Synapse diff --git a/roles/matrix/templates/element/config.json b/roles/matrix/templates/element/config.json new file mode 100644 index 0000000..492cad6 --- /dev/null +++ b/roles/matrix/templates/element/config.json @@ -0,0 +1,59 @@ +{ + "default_server_config": { + "m.homeserver": { + "base_url": "https://matrix-client.matrix.org", + "server_name": "matrix.org" + }, + "m.identity_server": { + "base_url": "https://vector.im" + } + }, + "disable_custom_urls": false, + "disable_guests": false, + "disable_login_language_selector": false, + "disable_3pid_login": false, + "brand": "Element", + "integrations_ui_url": "https://scalar.vector.im/", + "integrations_rest_url": "https://scalar.vector.im/api", + "integrations_widgets_urls": [ + "https://scalar.vector.im/_matrix/integrations/v1", + "https://scalar.vector.im/api", + "https://scalar-staging.vector.im/_matrix/integrations/v1", + "https://scalar-staging.vector.im/api", + "https://scalar-staging.riot.im/scalar/api" + ], + "bug_report_endpoint_url": "https://riot.im/bugreports/submit", + "defaultCountryCode": "GB", + "showLabsSettings": false, + "features": { + "feature_new_spinner": "labs", + "feature_pinning": "labs", + "feature_custom_status": "labs", + "feature_custom_tags": "labs", + "feature_state_counters": "labs" + }, + "default_federate": true, + "default_theme": "light", + "roomDirectory": { + "servers": [ + "matrix.org" + ] + }, + "welcomeUserId": "@riot-bot:matrix.org", + "piwik": { + "url": "https://piwik.riot.im/", + "whitelistedHSUrls": ["https://matrix.org"], + "whitelistedISUrls": ["https://vector.im", "https://matrix.org"], + "siteId": 1 + }, + "enable_presence_by_hs_url": { + "https://matrix.org": false, + "https://matrix-client.matrix.org": false + }, + "settingDefaults": { + "breadcrumbs": true + }, + "jitsi": { + "preferredDomain": "jitsi.riot.im" + } +} diff --git a/roles/matrix/templates/media_repo/config.yaml b/roles/matrix/templates/media_repo/config.yaml new file mode 100644 index 0000000..19e01af --- /dev/null +++ b/roles/matrix/templates/media_repo/config.yaml @@ -0,0 +1,539 @@ +# General repo configuration +repo: + bindAddress: '127.0.0.1' + port: {{ matrix__media_repo__port }} + + # Where to store the logs, relative to where the repo is started from. Logs will be automatically + # rotated every day and held for 14 days. To disable the repo logging to files, set this to + # "-" (including quotation marks). + # + # Note: to change the log directory you'll have to restart the repository. This setting cannot be + # live reloaded. + logDirectory: '-' + + # If true, the media repo will accept any X-Forwarded-For header without validation. In most cases + # this option should be left as "false". Note that the media repo already expects an X-Forwarded-For + # header, but validates it to ensure the IP being given makes sense. + trustAnyForwardedAddress: false + + # If false, the media repo will not use the X-Forwarded-Host header commonly added by reverse proxies. + # Typically this should remain as true, though in some circumstances it may need to be disabled. + # See https://github.com/turt2live/matrix-media-repo/issues/202 for more information. + useForwardedHost: true + +# Options for dealing with federation +federation: + # On a per-host basis, the number of consecutive failures in calling the host before the + # media repo will back off. This defaults to 20 if not given. Note that 404 errors from + # the remote server do not count towards this. + backoffAt: 20 + +# The database configuration for the media repository +# Do NOT put your homeserver's existing database credentials here. Create a new database and +# user instead. Using the same server is fine, just not the same username and database. +database: + # Currently only "postgres" is supported. + postgres: "{{ matrix__media_repo__postgres }}" + + # The database pooling options + pool: + # The maximum number of connects to hold open. More of these allow for more concurrent + # processes to happen. + maxConnections: 25 + + # The maximum number of connects to leave idle. More of these reduces the time it takes + # to serve requests in low-traffic scenarios. + maxIdleConnections: 5 + +# The configuration for the homeservers this media repository is known to control. Servers +# not listed here will not be able to upload media. +homeservers: + - + # This should match the server_name of your homeserver, and the Host header + # provided to the media repo. + name: "{{ matrix__site_host }}" + + # The base URL to where the homeserver can actually be reached + csApi: "{{ matrix__base_url }}" + + # The number of consecutive failures in calling this homeserver before the + # media repository will start backing off. This defaults to 10 if not given. + backoffAt: 10 + + # The kind of admin API the homeserver supports. If set to "matrix", + # the media repo will use the Synapse-defined endpoints under the + # unstable client-server API. When this is "synapse", the new /_synapse + # endpoints will be used instead. Unknown values are treated as the + # default, "matrix". + adminApiKind: 'matrix' + +# Options for controlling how access tokens work with the media repo. It is recommended that if +# you are going to use these options that the `/logout` and `/logout/all` client-server endpoints +# be proxied through this process. They will also be called on the homeserver, and the response +# sent straight through the client - they are simply used to invalidate the cache faster for +# a particular user. Without these, the access tokens might still work for a short period of time +# after the user has already invalidated them. +# +# This will also cache errors from the homeserver. +# +# Note that when this config block is used outside of a per-domain config, all hosts will be +# subject to the same cache. This also means that application services on limited homeservers +# could be authorized on the wrong domain. +# +# *************************************************************************** +# * IT IS HIGHLY RECOMMENDED TO USE PER-DOMAIN CONFIGS WITH THIS FEATURE. * +# *************************************************************************** +accessTokens: + # The maximum time a cached access token will be considered valid. Set to zero (the default) + # to disable the cache and constantly hit the homeserver. This is recommended to be set to + # 43200 (12 hours) on servers with the logout endpoints proxied through the media repo, and + # zero for servers who do not proxy the endpoints through. + maxCacheTimeSeconds: 0 + + # Whether or not to use the `appservices` config option below. If disabled (the default), + # the regular access token cache will be used for each user, potentially leading to high + # memory usage. + useLocalAppserviceConfig: false + + # The application services (and their namespaces) registered on the homeserver. Only used + # if `useLocalAppserviceConfig` is enabled (recommended). + # + # Usually the appservice will provide you with these config details - they'll just need + # translating from the appservice registration to here. Note that this does not require + # all options from the registration, and only requires the bare minimum required to run + # the media repo. + appservices: + - id: Name_of_appservice_for_your_reference + asToken: Secret_token_for_appservices_to_use + senderUserId: '@_example_bridge:yourdomain.com' + userNamespaces: + - regex: '@_example_bridge_.+:yourdomain.com' + # A note about regexes: it is best to suffix *all* namespaces with the homeserver + # domain users are valid for, as otherwise the appservice can use any user with + # any domain name it feels like, even if that domain is not configured with the + # media repo. This will lead to inaccurate reporting in the case of the media + # repo, and potentially leading to media being considered "remote". + +# These users have full access to the administrative functions of the media repository. +# See docs/admin.md for information on what these people can do. They must belong to one of the +# configured homeservers above. +admins: + - "{{ matrix__admin_user }}" + +# Shared secret auth is useful for applications building on top of the media repository, such +# as a management interface. The `token` provided here is treated as a repository administrator +# when shared secret auth is enabled: if the `token` is used in place of an access token, the' +# request will be authorized. This is not limited to any particular domain, giving applications +# the ability to use it on any configured hostname. +sharedSecretAuth: + # Set this to true to enable shared secret auth. + enabled: false + + # Use a secure value here to prevent unauthorized access to the media repository. + token: 'PutSomeRandomSecureValueHere' + +# Datastores are places where media should be persisted. This isn't dedicated for just uploads: +# thumbnails and other misc data is also stored in these places. When the media repo is looking +# to store new media (such as user uploads, thumbnails, etc) it will look for a datastore which +# is flagged as forUploads. It will try to use the smallest datastore first. +datastores: + - type: file + + # Enable this to set up data storage. + enabled: false + + # Datastores can be split into many areas when handling uploads. Media is still de-duplicated + # across all datastores (local content which duplicates remote content will re-use the remote + # content's location). This option is useful if your datastore is becoming very large, or if + # you want faster storage for a particular kind of media. + # + # The kinds available are: + # thumbnails - Used to store thumbnails of media (local and remote). + # remote_media - Original copies of remote media (servers not configured by this repo). + # local_media - Original uploads for local media. + # archives - Archives of content (GDPR and similar requests). + forKinds: ['thumbnails'] + + opts: + path: /var/matrix/media + + - type: s3 + + # Enable this to set up s3 uploads + enabled: true + + forKinds: ['thumbnails', 'remote_media', 'local_media', 'archives'] + + opts: + # The s3 uploader needs a temporary location to buffer files to reduce memory usage on + # small file uploads. If the file size is unknown, the file is written to this location + # before being uploaded to s3 (then the file is deleted). If you aren't concerned about + # memory usage, set this to an empty string. + tempPath: '' + endpoint: "{{ matrix__media_repo__s3_endpoint }}" + accessKeyId: "{{ matrix__media_repo__s3_access_key }}" + accessSecret: "{{ matrix__media_repo__s3_access_secret }}" + ssl: true + bucketName: "{{ matrix__media_repo__s3_bucket }}" + # An optional region for where this S3 endpoint is located. Typically not needed, though + # some providers will need this (like Scaleway). Uncomment to use. + #region: 'sfo2' + + # The media repo does support an IPFS datastore, but only if the IPFS feature is enabled. If + # the feature is not enabled, this will not work. Note that IPFS support is experimental at + # the moment and not recommended for general use. + # + # NOTE: Everything you upload to IPFS will be publicly accessible, even when the media repo + # puts authentication on the download endpoints. Only use this option for cases where you + # expect your media to be publicly accessible. + - type: ipfs + + # Enable this to use IPFS support + enabled: false + + forKinds: ['local_media'] + + # The IPFS datastore currently has no options. It will use the daemon or HTTP API configured + # in the IPFS section of your main config. + opts: {} + +# Options for controlling archives. Archives are exports of a particular user's content for +# the purpose of GDPR or moving media to a different server. +archiving: + # Whether archiving is enabled or not. Default enabled. + enabled: true + + # If true, users can request a copy of their own data. By default, only repository administrators + # can request a copy. + # This includes the ability for homeserver admins to request a copy of their own server's + # data, as known to the repo. + selfService: false + + # The number of bytes to target per archive before breaking up the files. This is independent + # of any file upload limits and will require a similar amount of memory when performing an export. + # The file size is also a target, not a guarantee - it is possible to have files that are smaller + # or larger than the target. This is recommended to be approximately double the size of your + # file upload limit, provided there is enough memory available for the demand of exporting. + targetBytesPerPart: 209715200 # 200mb default + +# The file upload settings for the media repository +uploads: + maxBytes: 104857600 # 100MB default, 0 to disable + + # The minimum number of bytes to let people upload + minBytes: 100 # 100 bytes by default + + # The number of bytes to claim as the maximum size for uploads for the limits API. If this + # is not provided then the maxBytes setting will be used instead. This is useful to provide + # if the media repo's settings and the reverse proxy do not match for maximum request size. + # This is purely for informational reasons and does not actually limit any functionality. + # Set this to -1 to indicate that there is no limit. Zero will force the use of maxBytes. + #reportedMaxBytes: 104857600 + + # An optional list of file types that are allowed to be uploaded. If */* or nothing is + # supplied here, then all file types are allowed. Asterisks (*) are wildcards and can be + # placed anywhere to match everything (eg: "image/*" matches all images). This will also + # restrict which file types are downloaded from remote servers. + # + # Caution: the media repo cannot tell the difference between encrypted media and arbitrary + # binary data. For this reason, this option is deprecated and to be removed in a future + # version. + allowedTypes: + - '*/*' + + # Specific users can have their own set of allowed file types. These are applied instead + # of those listed in the allowedTypes list when a user is found. Much like allowedTypes, + # asterisks may be used in the content types and may also be used in the user IDs. This + # allows for entire servers to have different allowed types by setting a rule similar to + # "@*:example.org". Users will be allowed to upload a file if the type matches any of + # the policies that match the user ID. + # + # Caution: the media repo cannot tell the difference between encrypted media and arbitrary + # binary data. For this reason, this option is deprecated and to be removed in a future + # version. + #exclusions: + # '@someone:example.org': + # - 'application/pdf' + # - 'application/vnd.ms-excel' + # '@*:example.org': + # - '*/*' + + +# Settings related to downloading files from the media repository +downloads: + # The maximum number of bytes to download from other servers + maxBytes: 104857600 # 100MB default, 0 to disable + + # The number of workers to use when downloading remote media. Raise this number if remote + # media is downloading slowly or timing out. + # + # Maximum memory usage = numWorkers multiplied by the maximum download size + # Average memory usage is dependent on how many concurrent downloads your users are doing. + numWorkers: 10 + + # How long, in minutes, to cache errors related to downloading remote media. Once this time + # has passed, the media is able to be re-requested. + failureCacheMinutes: 5 + + # The cache control settings for downloads. This can help speed up downloads for users by + # keeping popular media in the cache. This cache is also used for thumbnails. + cache: + enabled: true + + # The maximum size of cache to have. Higher numbers are better. + maxSizeBytes: 1048576000 # 1GB default + + # The maximum file size to cache. This should normally be the same size as your maximum + # upload size. + maxFileSizeBytes: 104857600 # 100MB default + + # The number of minutes to track how many downloads a file gets + trackedMinutes: 30 + + # The number of downloads a file must receive in the window above (trackedMinutes) in + # order to be cached. + minDownloads: 5 + + # The minimum amount of time an item should remain in the cache. This prevents the cache + # from cycling out the file if it needs more room during this time. Note that the media + # repo regularly cleans out media which is past this point from the cache, so this number + # may need increasing depending on your use case. If the maxSizeBytes is reached for the + # media repo, and some cached items are still under this timer, new items will not be able + # to enter the cache. When this happens, consider raising maxSizeBytes or lowering this + # timer. + minCacheTimeSeconds: 300 + + # The minimum amount of time an item should remain outside the cache once it is removed. + minEvictedTimeSeconds: 60 + + # How many days after a piece of remote content is downloaded before it expires. It can be + # re-downloaded on demand, this just helps free up space in your datastore. Set to zero or + # negative to disable. Defaults to disabled. + expireAfterDays: 0 + +# URL Preview settings +urlPreviews: + enabled: true # If enabled, the preview_url routes will be accessible + maxPageSizeBytes: 10485760 # 10MB default, 0 to disable + + # If true, the media repository will try to provide previews for URLs with invalid or unsafe + # certificates. If false (the default), the media repo will fail requests to said URLs. + previewUnsafeCertificates: false + + # Note: URL previews are limited to a given number of words, which are then limited to a number + # of characters, taking off the last word if it needs to. This also applies for the title. + + numWords: 50 # The number of words to include in a preview (maximum) + maxLength: 200 # The maximum number of characters for a description + + numTitleWords: 30 # The maximum number of words to include in a preview's title + maxTitleLength: 150 # The maximum number of characters for a title + + # The mime types to preview when OpenGraph previews cannot be rendered. OpenGraph previews are + # calculated on anything matching "text/*". To have a thumbnail in the preview the URL must be + # an image and the image's type must be allowed by the thumbnailer. + filePreviewTypes: + - 'image/*' + + # The number of workers to use when generating url previews. Raise this number if url + # previews are slow or timing out. + # + # Maximum memory usage = numWorkers multiplied by the maximum page size + # Average memory usage is dependent on how many concurrent urls your users are previewing. + numWorkers: 10 + + # Either allowedNetworks or disallowedNetworks must be provided. If both are provided, they + # will be merged. URL previews will be disabled if neither is supplied. Each entry must be + # a CIDR range. + disallowedNetworks: + - '127.0.0.1/8' + - '10.0.0.0/8' + - '172.16.0.0/12' + - '192.168.0.0/16' + - '100.64.0.0/10' + - '169.254.0.0/16' + - '::1/128' + - 'fe80::/64' + - 'fc00::/7' + allowedNetworks: + # "Everything". The blacklist will help limit this. + # This is the default value for this field. + - '0.0.0.0/0' + + # How many days after a preview is generated before it expires and is deleted. The preview + # can be regenerated safely - this just helps free up some space in your database. Set to + # zero or negative to disable. Defaults to disabled. + expireAfterDays: 0 + + # The default Accept-Language header to supply when generating URL previews when one isn't + # supplied by the client. + # Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Accept-Language + defaultLanguage: 'en-US,en' + +# The thumbnail configuration for the media repository. +thumbnails: + # The maximum number of bytes an image can be before the thumbnailer refuses. + maxSourceBytes: 10485760 # 10MB default, 0 to disable + + # The number of workers to use when generating thumbnails. Raise this number if thumbnails + # are slow to generate or timing out. + # + # Maximum memory usage = numWorkers multiplied by the maximum image source size + # Average memory usage is dependent on how many thumbnails are being generated by your users + numWorkers: 100 + + # All thumbnails are generated into one of the sizes listed here. The first size is used as + # the default for when no width or height is requested. The media repository will return + # either an exact match or the next largest size of thumbnail. + sizes: + - width: 32 + height: 32 + - width: 96 + height: 96 + - width: 320 + height: 240 + - width: 640 + height: 480 + - width: 800 + height: 600 + + # The content types to thumbnail when requested. Types that are not supported by the media repo + # will not be thumbnailed (adding application/json here won't work). Clients may still not request + # thumbnails for these types - this won't make clients automatically thumbnail these file types. + types: + - 'image/jpeg' + - 'image/jpg' + - 'image/png' + - 'image/gif' + - 'image/heif' + - 'image/webp' + #- 'image/svg+xml' # Be sure to have ImageMagick installed to thumbnail SVG files + + # Animated thumbnails can be CPU intensive to generate. To disable the generation of animated + # thumbnails, set this to false. If disabled, regular thumbnails will be returned. + allowAnimated: true + + # Default to animated thumbnails, if available + defaultAnimated: false + + # The maximum file size to thumbnail when a capable animated thumbnail is requested. If the image + # is larger than this, the thumbnail will be generated as a static image. + maxAnimateSizeBytes: 10485760 # 10MB default, 0 to disable + + # On a scale of 0 (start of animation) to 1 (end of animation), where should the thumbnailer try + # and thumbnail animated content? Defaults to 0.5 (middle of animation). + stillFrame: 0.5 + + # How many days after a thumbnail is generated before it expires and is deleted. The thumbnail + # can be regenerated safely - this just helps free up some space in your datastores. Set to + # zero or negative to disable. Defaults to disabled. + expireAfterDays: 0 + +# Controls for the rate limit functionality +rateLimit: + # Set this to false if rate limiting is handled at a higher level or you don't want it enabled. + enabled: true + + # The number of requests per second before an IP will be rate limited. Must be a whole number. + requestsPerSecond: 1 + + # The number of requests an IP can send at once before the rate limit is actually considered. + burst: 10 + +# Identicons are generated avatars for a given username. Some clients use these to give users a +# default avatar after signing up. Identicons are not part of the official matrix spec, therefore +# this feature is completely optional. +identicons: + enabled: true + +# The quarantine media settings. +quarantine: + # If true, when a thumbnail of quarantined media is requested an image will be returned. If no + # image is given in the thumbnailPath below then a generated image will be provided. This does + # not affect regular downloads of files. + replaceThumbnails: true + + # If true, when media which has been quarantined is requested an image will be returned. If + # no image is given in the thumbnailPath below then a generated image will be provided. This + # will replace media which is not an image (ie: quarantining a PDF will replace the PDF with + # an image). + replaceDownloads: false + + # If provided, the given image will be returned as a thumbnail for media that is quarantined. + #thumbnailPath: '/path/to/thumbnail.png' + + # If true, administrators of the configured homeservers may quarantine media for their server + # only. Global administrators can quarantine any media (local or remote) regardless of this + # flag. + allowLocalAdmins: true + +# The various timeouts that the media repo will use. +timeouts: + # The maximum amount of time the media repo should spend trying to fetch a resource that is + # being previewed. + urlPreviewTimeoutSeconds: 10 + + # The maximum amount of time the media repo will spend making remote requests to other repos + # or homeservers. This is primarily used to download media. + federationTimeoutSeconds: 120 + + # The maximum amount of time the media repo will spend talking to your configured homeservers. + # This is usually used to verify a user's identity. + clientServerTimeoutSeconds: 30 + +# Prometheus metrics configuration +# For an example Grafana dashboard, import the following JSON: +# https://github.com/turt2live/matrix-media-repo/blob/master/docs/grafana.json +metrics: + # If true, the bindAddress and port below will serve GET /metrics for Prometheus to scrape. + enabled: false + + # The address to listen on. Typically "127.0.0.1" or "0.0.0.0" for all interfaces. + bindAddress: '127.0.0.1' + + # The port to listen on. Cannot be the same as the general web server port. + port: 9000 + +# Options for controlling various MSCs/unstable features of the media repo +# Sections of this config might disappear or be added over time. By default all +# features are disabled in here and must be explicitly enabled to be used. +featureSupport: + # MSC2248 - Blurhash + MSC2448: + # Whether or not this MSC is enabled for use in the media repo + enabled: false + + # Maximum dimensions for converting a blurhash to an image. When no width and + # height options are supplied, the default will be half these values. + maxWidth: 1024 + maxHeight: 1024 + + # Thumbnail size in pixels to use to generate the blurhash string + thumbWidth: 64 + thumbHeight: 64 + + # The X and Y components to use. Higher numbers blur less, lower numbers blur more. + xComponents: 4 + yComponents: 3 + + # The amount of contrast to apply when converting a blurhash to an image. Lower values + # make the effect more subtle, larger values make it stronger. + punch: 1 + + # IPFS Support + # This is currently experimental and might not work at all. + IPFS: + # Whether or not IPFS support is enabled for use in the media repo. + enabled: false + + # Options for the built in IPFS daemon + builtInDaemon: + # Enable this to spawn an in-process IPFS node to use instead of a localhost + # HTTP agent. If this is disabled, the media repo will assume you have an HTTP + # IPFS agent running and accessible. Defaults to using a daemon (true). + enabled: true + + # If the Daemon is enabled, set this to the location where the IPFS files should + # be stored. If you're using Docker, this should be something like "/data/ipfs" + # so it can be mapped to a volume. + repoPath: './ipfs' diff --git a/roles/matrix/templates/media_repo/matrix-media-repo.service b/roles/matrix/templates/media_repo/matrix-media-repo.service new file mode 100644 index 0000000..bc3c8c5 --- /dev/null +++ b/roles/matrix/templates/media_repo/matrix-media-repo.service @@ -0,0 +1,18 @@ +[Unit] +After=network.target +Description=Matrix Media Repo + +[Service] +ExecStart={{ matrix__media_repo__src_dir }}/bin/media_repo -config {{ matrix__media_repo__conf_file }} +Group={{ matrix__media_repo__group }} +Restart=always +RestartSec=1 +StandardOutput=syslog +StandardError=syslog +SyslogIdentifier={{ matrix__media_repo__service }} +Type=simple +User={{ matrix__media_repo__user }} +WorkingDirectory={{ matrix__media_repo__opt_dir }} + +[Install] +WantedBy=multi-user.target diff --git a/roles/matrix/templates/nginx/matrix.conf b/roles/matrix/templates/nginx/matrix.conf new file mode 100644 index 0000000..1d54acb --- /dev/null +++ b/roles/matrix/templates/nginx/matrix.conf @@ -0,0 +1,140 @@ +server { + listen 80; + listen [::]:80; + + server_name {{ matrix__base_host }} {{ matrix__web_host }}; + + set $CSP ""; + set $CSP "${CSP}object-src 'none';"; + set $CSP "${CSP}frame-src 'none';"; + set $CSP "${CSP}connect-src 'none';"; + set $CSP "${CSP}form-action 'none';"; + + add_header Content-Security-Policy $CSP always; + add_header Referrer-Policy "strict-origin-when-cross-origin" always; + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + add_header X-Content-Type-Options "nosniff" always; + add_header X-Frame-Options "SAMEORIGIN" always; + + return 301 https://$host$request_uri; +} + +server { + listen 443 ssl; + listen [::]:443 ssl; + + server_name {{ matrix__web_host }}; + + ssl_certificate {{ matrix__nginx__ssl_cert }}; + ssl_certificate_key {{ matrix__nginx__ssl_key }}; + + set $CSP ""; + set $CSP "${CSP}object-src 'none';"; + set $CSP "${CSP}frame-src 'none';"; + set $CSP "${CSP}connect-src 'self';"; + set $CSP "${CSP}form-action 'none';"; + + add_header Content-Security-Policy $CSP always; + add_header Referrer-Policy "strict-origin-when-cross-origin" always; + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + add_header X-Content-Type-Options "nosniff" always; + add_header X-Frame-Options "SAMEORIGIN" always; + + add_header Last-Modified $date_gmt; + add_header Cache-Control 'no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0'; + + client_max_body_size 100M; + + if_modified_since off; + expires off; + etag off; + sendfile off; + + root {{ matrix__element__src_dir }}; + index index.html; +} + +server { + listen 443 ssl; + listen [::]:443 ssl; + + server_name {{ matrix__base_host }}; + + ssl_certificate {{ matrix__nginx__ssl_cert }}; + ssl_certificate_key {{ matrix__nginx__ssl_key }}; + + set $CSP ""; + set $CSP "${CSP}object-src 'none';"; + set $CSP "${CSP}frame-src 'none';"; + set $CSP "${CSP}connect-src 'none';"; + set $CSP "${CSP}form-action 'none';"; + + add_header Content-Security-Policy $CSP always; + add_header Referrer-Policy "strict-origin-when-cross-origin" always; + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + add_header X-Content-Type-Options "nosniff" always; + add_header X-Frame-Options "SAMEORIGIN" always; + + client_max_body_size 100M; + + location /_matrix/media { + proxy_read_timeout 60s; + proxy_set_header Host {{ matrix__site_host }}; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $remote_addr; + proxy_pass http://localhost:{{ matrix__media_repo__port }}; + } + + location /_matrix { + proxy_read_timeout 60s; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $remote_addr; + proxy_pass http://localhost:{{ matrix__synapse__port }}; + } + + location / { + proxy_read_timeout 60s; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $remote_addr; + proxy_pass http://localhost:{{ matrix__static__port }}; + } +} + +server { + listen 8448 ssl; + listen [::]:8448 ssl; + + server_name {{ matrix__base_host }}; + + ssl_certificate {{ matrix__nginx__ssl_cert }}; + ssl_certificate_key {{ matrix__nginx__ssl_key }}; + + set $CSP ""; + set $CSP "${CSP}object-src 'none';"; + set $CSP "${CSP}frame-src 'none';"; + set $CSP "${CSP}connect-src 'none';"; + set $CSP "${CSP}form-action 'none';"; + + add_header Content-Security-Policy $CSP always; + add_header Referrer-Policy "strict-origin-when-cross-origin" always; + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + add_header X-Content-Type-Options "nosniff" always; + add_header X-Frame-Options "SAMEORIGIN" always; + + client_max_body_size 100M; + + location /_matrix/media { + proxy_read_timeout 60s; + proxy_set_header Host {{ matrix__site_host }}; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $remote_addr; + proxy_pass http://localhost:{{ matrix__media_repo__port }}; + } + + location / { + proxy_read_timeout 60s; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $remote_addr; + proxy_pass http://localhost:{{ matrix__synapse__port }}; + } +} diff --git a/roles/matrix/templates/static/config.json b/roles/matrix/templates/static/config.json new file mode 100644 index 0000000..14997ce --- /dev/null +++ b/roles/matrix/templates/static/config.json @@ -0,0 +1,7 @@ +{ + "access_token": "{{ matrix__static__access_token }}", + "device_id": "guest_device", + "home_server": "{{ matrix__base_url }}", + "refresh_token": "", + "user_id": "{{ matrix__static__user_id }}" +} diff --git a/roles/matrix/templates/static/matrix-static.service b/roles/matrix/templates/static/matrix-static.service new file mode 100644 index 0000000..810375d --- /dev/null +++ b/roles/matrix/templates/static/matrix-static.service @@ -0,0 +1,19 @@ +[Unit] +After=network.target +Description=Matrix Static + +[Service] +Environment=PORT={{ matrix__static__port }} +ExecStart={{ matrix__static__opt_dir }}/bin/matrix-static --config-file {{ matrix__static__conf_file }} +Group={{ matrix__static__group }} +Restart=always +RestartSec=1 +StandardOutput=syslog +StandatdError=syslog +SyslogIdentifier={{ matrix__static__service }} +Type=simple +User={{ matrix__static__user }} +WorkingDirectory={{ matrix__static__src_dir }} + +[Install] +WantedBy=multi-user.target diff --git a/roles/matrix/templates/synapse/config/acme.yaml b/roles/matrix/templates/synapse/config/acme.yaml new file mode 100644 index 0000000..0539a36 --- /dev/null +++ b/roles/matrix/templates/synapse/config/acme.yaml @@ -0,0 +1,73 @@ +# ACME support: This will configure Synapse to request a valid TLS certificate +# for your configured `server_name` via Let's Encrypt. +# +# Note that ACME v1 is now deprecated, and Synapse currently doesn't support +# ACME v2. This means that this feature currently won't work with installs set +# up after November 2019. For more info, and alternative solutions, see +# https://github.com/matrix-org/synapse/blob/master/docs/ACME.md#deprecation-of-acme-v1 +# +# Note that provisioning a certificate in this way requires port 80 to be +# routed to Synapse so that it can complete the http-01 ACME challenge. +# By default, if you enable ACME support, Synapse will attempt to listen on +# port 80 for incoming http-01 challenges - however, this will likely fail +# with 'Permission denied' or a similar error. +# +# There are a couple of potential solutions to this: +# +# * If you already have an Apache, Nginx, or similar listening on port 80, +# you can configure Synapse to use an alternate port, and have your web +# server forward the requests. For example, assuming you set 'port: 8009' +# below, on Apache, you would write: +# +# ProxyPass /.well-known/acme-challenge http://localhost:8009/.well-known/acme-challenge +# +# * Alternatively, you can use something like `authbind` to give Synapse +# permission to listen on port 80. +# +acme: + # ACME support is disabled by default. Set this to `true` and uncomment + # tls_certificate_path and tls_private_key_path above to enable it. + # + enabled: false + + # Endpoint to use to request certificates. If you only want to test, + # use Let's Encrypt's staging url: + # https://acme-staging.api.letsencrypt.org/directory + # + #url: https://acme-v01.api.letsencrypt.org/directory + + # Port number to listen on for the HTTP-01 challenge. Change this if + # you are forwarding connections through Apache/Nginx/etc. + # + port: 80 + + # Local addresses to listen on for incoming connections. + # Again, you may want to change this if you are forwarding connections + # through Apache/Nginx/etc. + # + bind_addresses: ['::', '0.0.0.0'] + + # How many days remaining on a certificate before it is renewed. + # + reprovision_threshold: 30 + + # The domain that the certificate should be for. Normally this + # should be the same as your Matrix domain (i.e., 'server_name'), but, + # by putting a file at 'https:///.well-known/matrix/server', + # you can delegate incoming traffic to another server. If you do that, + # you should give the target of the delegation here. + # + # For example: if your 'server_name' is 'example.com', but + # 'https://example.com/.well-known/matrix/server' delegates to + # 'matrix.example.com', you should put 'matrix.example.com' here. + # + # If not set, defaults to your 'server_name'. + # + domain: matrix.example.com + + # file to use for the account key. This will be generated if it doesn't + # exist. + # + # If unspecified, we will use CONFDIR/client.key. + # + account_key_file: /etc/matrix/synapse/acme_account.key diff --git a/roles/matrix/templates/synapse/config/captcha.yaml b/roles/matrix/templates/synapse/config/captcha.yaml new file mode 100644 index 0000000..f59181a --- /dev/null +++ b/roles/matrix/templates/synapse/config/captcha.yaml @@ -0,0 +1,23 @@ +## Captcha ## +# See docs/CAPTCHA_SETUP.md for full details of configuring this. + +# This homeserver's ReCAPTCHA public key. Must be specified if +# enable_registration_captcha is enabled. +# +recaptcha_public_key: '{{ matrix__synapse__recaptcha_public_key }}' + +# This homeserver's ReCAPTCHA private key. Must be specified if +# enable_registration_captcha is enabled. +# +recaptcha_private_key: '{{ matrix__synapse__recaptcha_private_key }}' + +# Uncomment to enable ReCaptcha checks when registering, preventing signup +# unless a captcha is answered. Requires a valid ReCaptcha +# public/private key. Defaults to 'false'. +# +enable_registration_captcha: true + +# The API endpoint to use for verifying m.login.recaptcha responses. +# Defaults to "https://www.recaptcha.net/recaptcha/api/siteverify". +# +#recaptcha_siteverify_api: "https://my.recaptcha.site" diff --git a/roles/matrix/templates/synapse/config/database.yaml b/roles/matrix/templates/synapse/config/database.yaml new file mode 100644 index 0000000..3f371d7 --- /dev/null +++ b/roles/matrix/templates/synapse/config/database.yaml @@ -0,0 +1,55 @@ +## Database ## + +# The 'database' setting defines the database that synapse uses to store all of +# its data. +# +# 'name' gives the database engine to use: either 'sqlite3' (for SQLite) or +# 'psycopg2' (for PostgreSQL). +# +# 'args' gives options which are passed through to the database engine, +# except for options starting 'cp_', which are used to configure the Twisted +# connection pool. For a reference to valid arguments, see: +# * for sqlite: https://docs.python.org/3/library/sqlite3.html#sqlite3.connect +# * for postgres: https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-PARAMKEYWORDS +# * for the connection pool: https://twistedmatrix.com/documents/current/api/twisted.enterprise.adbapi.ConnectionPool.html#__init__ +# +# +# Example SQLite configuration: +# +#database: +# name: sqlite3 +# args: +# database: /path/to/homeserver.db +# +# +# Example Postgres configuration: +# +#database: +# name: psycopg2 +# args: +# user: synapse +# password: secretpassword +# database: synapse +# host: localhost +# cp_min: 5 +# cp_max: 10 +# +# For more information on using Synapse with Postgres, see `docs/postgres.md`. +# +{% if not matrix__synapse__pg_enable %} +database: + name: sqlite3 + args: + database: '{{ matrix__synapse__db_file }}' +{% else %} +database: + name: psycopg2 + args: + host: '{{ matrix__synapse__pg_host }}' + port: {{ matrix__synapse__pg_port }} + user: '{{ matrix__synapse__pg_username }}' + password: '{{ matrix__synapse__pg_password }}' + database: '{{ matrix__synapse__pg_database }}' + cp_min: 5 + cp_max: 10 +{% endif %} diff --git a/roles/matrix/templates/synapse/config/listeners.yaml b/roles/matrix/templates/synapse/config/listeners.yaml new file mode 100644 index 0000000..352ec58 --- /dev/null +++ b/roles/matrix/templates/synapse/config/listeners.yaml @@ -0,0 +1,102 @@ +# List of ports that Synapse should listen on, their purpose and their +# configuration. +# +# Options for each listener include: +# +# port: the TCP port to bind to +# +# bind_addresses: a list of local addresses to listen on. The default is +# 'all local interfaces'. +# +# type: the type of listener. Normally 'http', but other valid options are: +# 'manhole' (see docs/manhole.md), +# 'metrics' (see docs/metrics-howto.md), +# 'replication' (see docs/workers.md). +# +# tls: set to true to enable TLS for this listener. Will use the TLS +# key/cert specified in tls_private_key_path / tls_certificate_path. +# +# x_forwarded: Only valid for an 'http' listener. Set to true to use the +# X-Forwarded-For header as the client IP. Useful when Synapse is +# behind a reverse-proxy. +# +# resources: Only valid for an 'http' listener. A list of resources to host +# on this port. Options for each resource are: +# +# names: a list of names of HTTP resources. See below for a list of +# valid resource names. +# +# compress: set to true to enable HTTP comression for this resource. +# +# additional_resources: Only valid for an 'http' listener. A map of +# additional endpoints which should be loaded via dynamic modules. +# +# Valid resource names are: +# +# client: the client-server API (/_matrix/client), and the synapse admin +# API (/_synapse/admin). Also implies 'media' and 'static'. +# +# consent: user consent forms (/_matrix/consent). See +# docs/consent_tracking.md. +# +# federation: the server-server API (/_matrix/federation). Also implies +# 'media', 'keys', 'openid' +# +# keys: the key discovery API (/_matrix/keys). +# +# media: the media API (/_matrix/media). +# +# metrics: the metrics interface. See docs/metrics-howto.md. +# +# openid: OpenID authentication. +# +# replication: the HTTP replication API (/_synapse/replication). See +# docs/workers.md. +# +# static: static resources under synapse/static (/_matrix/static). (Mostly +# useful for 'fallback authentication'.) +# +# webclient: A web client. Requires web_client_location to be set. +# +listeners: + # TLS-enabled listener: for when matrix traffic is sent directly to synapse. + # + # Disabled by default. To enable it, uncomment the following. (Note that you + # will also need to give Synapse a TLS key and certificate: see the TLS section + # below.) + # + #- port: 8448 + # type: http + # tls: true + # resources: + # - names: [client, federation] + + # Unsecure HTTP listener: for when matrix traffic passes through a reverse proxy + # that unwraps TLS. + # + # If you plan to use a reverse proxy, please see + # https://github.com/matrix-org/synapse/blob/master/docs/reverse_proxy.md. + # + - port: {{ matrix__synapse__port }} + tls: false + type: http + x_forwarded: true + bind_addresses: ['::1', '127.0.0.1'] + + resources: + - names: [client, federation] + compress: false + + # example additional_resources: + # + #additional_resources: + # "/_matrix/my/custom/endpoint": + # module: my_module.CustomRequestHandler + # config: {} + + # Turn on the twisted ssh manhole service on localhost on the given + # port. + # + #- port: 9000 + # bind_addresses: ['::1', '127.0.0.1'] + # type: manhole diff --git a/roles/matrix/templates/synapse/config/media_store.yaml b/roles/matrix/templates/synapse/config/media_store.yaml new file mode 100644 index 0000000..4d29570 --- /dev/null +++ b/roles/matrix/templates/synapse/config/media_store.yaml @@ -0,0 +1,59 @@ +## Media Store ## + +# Enable the media store service in the Synapse master. Uncomment the +# following if you are using a separate media store worker. +# +enable_media_repo: false + +# Directory where uploaded images and attachments are stored. +# +media_store_path: '{{ matrix__synapse__media_dir }}' + +# Media storage providers allow media to be stored in different +# locations. +# +#media_storage_providers: +# - module: file_system +# # Whether to store newly uploaded local files +# store_local: false +# # Whether to store newly downloaded remote files +# store_remote: false +# # Whether to wait for successful storage for local uploads +# store_synchronous: false +# config: +# directory: /mnt/some/other/directory + +# The largest allowed upload size in bytes +# +max_upload_size: 100M + +# Maximum number of pixels that will be thumbnailed +# +#max_image_pixels: 32M + +# Whether to generate new thumbnails on the fly to precisely match +# the resolution requested by the client. If true then whenever +# a new resolution is requested by the client the server will +# generate a new thumbnail. If false the server will pick a thumbnail +# from a precalculated list. +# +#dynamic_thumbnails: false + +# List of thumbnails to precalculate when an image is uploaded. +# +#thumbnail_sizes: +# - width: 32 +# height: 32 +# method: crop +# - width: 96 +# height: 96 +# method: crop +# - width: 320 +# height: 240 +# method: scale +# - width: 640 +# height: 480 +# method: scale +# - width: 800 +# height: 600 +# method: scale diff --git a/roles/matrix/templates/synapse/config/other.yaml b/roles/matrix/templates/synapse/config/other.yaml new file mode 100644 index 0000000..d33c88b --- /dev/null +++ b/roles/matrix/templates/synapse/config/other.yaml @@ -0,0 +1,1752 @@ +# Configuration file for Synapse. +# +# This is a YAML file: see [1] for a quick introduction. Note in particular +# that *indentation is important*: all the elements of a list or dictionary +# should have the same indentation. +# +# [1] https://docs.ansible.com/ansible/latest/reference_appendices/YAMLSyntax.html + +## Server ## + +# The domain name of the server, with optional explicit port. +# This is used by remote servers to connect to this server, +# e.g. matrix.org, localhost:8080, etc. +# This is also the last part of your UserID. +# +server_name: '{{ matrix__site_host }}' + +# When running as a daemon, the file to store the pid in +# +pid_file: '{{ matrix__synapse__pid_file }}' + +# The absolute URL to the web client which /_matrix/client will redirect +# to if 'webclient' is configured under the 'listeners' configuration. +# +# This option can be also set to the filesystem path to the web client +# which will be served at /_matrix/client/ if 'webclient' is configured +# under the 'listeners' configuration, however this is a security risk: +# https://github.com/matrix-org/synapse#security-note +# +#web_client_location: https://riot.example.com/ + +# The public-facing base URL that clients use to access this HS +# (not including _matrix/...). This is the same URL a user would +# enter into the 'custom HS URL' field on their client. If you +# use synapse with a reverse proxy, this should be the URL to reach +# synapse via the proxy. +# +public_baseurl: '{{ matrix__base_url }}' + +# Set the soft limit on the number of file descriptors synapse can use +# Zero is used to indicate synapse should set the soft limit to the +# hard limit. +# +#soft_file_limit: 0 + +# Set to false to disable presence tracking on this homeserver. +# +#use_presence: false + +# Whether to require authentication to retrieve profile data (avatars, +# display names) of other users through the client API. Defaults to +# 'false'. Note that profile data is also available via the federation +# API, so this setting is of limited value if federation is enabled on +# the server. +# +#require_auth_for_profile_requests: true + +# Uncomment to require a user to share a room with another user in order +# to retrieve their profile information. Only checked on Client-Server +# requests. Profile requests from other servers should be checked by the +# requesting server. Defaults to 'false'. +# +#limit_profile_requests_to_users_who_share_rooms: true + +# If set to 'true', removes the need for authentication to access the server's +# public rooms directory through the client API, meaning that anyone can +# query the room directory. Defaults to 'false'. +# +allow_public_rooms_without_auth: true + +# If set to 'true', allows any other homeserver to fetch the server's public +# rooms directory via federation. Defaults to 'false'. +# +allow_public_rooms_over_federation: true + +# The default room version for newly created rooms. +# +# Known room versions are listed here: +# https://matrix.org/docs/spec/#complete-list-of-room-versions +# +# For example, for room version 1, default_room_version should be set +# to "1". +# +#default_room_version: "5" + +# The GC threshold parameters to pass to `gc.set_threshold`, if defined +# +#gc_thresholds: [700, 10, 10] + +# Set the limit on the returned events in the timeline in the get +# and sync operations. The default value is -1, means no upper limit. +# +#filter_timeline_limit: 5000 + +# Whether room invites to users on this server should be blocked +# (except those sent by local server admins). The default is False. +# +#block_non_admin_invites: true + +# Room searching +# +# If disabled, new messages will not be indexed for searching and users +# will receive errors when searching for messages. Defaults to enabled. +# +#enable_search: false + +# Restrict federation to the following whitelist of domains. +# N.B. we recommend also firewalling your federation listener to limit +# inbound federation traffic as early as possible, rather than relying +# purely on this application-layer restriction. If not specified, the +# default is to whitelist everything. +# +#federation_domain_whitelist: +# - lon.example.com +# - nyc.example.com +# - syd.example.com + +# Prevent federation requests from being sent to the following +# blacklist IP address CIDR ranges. If this option is not specified, or +# specified with an empty list, no ip range blacklist will be enforced. +# +# As of Synapse v1.4.0 this option also affects any outbound requests to identity +# servers provided by user input. +# +# (0.0.0.0 and :: are always blacklisted, whether or not they are explicitly +# listed here, since they correspond to unroutable addresses.) +# +federation_ip_range_blacklist: + - '127.0.0.0/8' + - '10.0.0.0/8' + - '172.16.0.0/12' + - '192.168.0.0/16' + - '100.64.0.0/10' + - '169.254.0.0/16' + - '::1/128' + - 'fe80::/64' + - 'fc00::/7' + +# Forward extremities can build up in a room due to networking delays between +# homeservers. Once this happens in a large room, calculation of the state of +# that room can become quite expensive. To mitigate this, once the number of +# forward extremities reaches a given threshold, Synapse will send an +# org.matrix.dummy_event event, which will reduce the forward extremities +# in the room. +# +# This setting defines the threshold (i.e. number of forward extremities in the +# room) at which dummy events are sent. The default value is 10. +# +#dummy_events_threshold: 5 + + +## Homeserver blocking ## + +# How to reach the server admin, used in ResourceLimitError +# +admin_contact: '{{ matrix__admin_contact }}' + +# Global blocking +# +#hs_disabled: false +#hs_disabled_message: 'Human readable reason for why the HS is blocked' + +# Monthly Active User Blocking +# +# Used in cases where the admin or server owner wants to limit to the +# number of monthly active users. +# +# 'limit_usage_by_mau' disables/enables monthly active user blocking. When +# anabled and a limit is reached the server returns a 'ResourceLimitError' +# with error type Codes.RESOURCE_LIMIT_EXCEEDED +# +# 'max_mau_value' is the hard limit of monthly active users above which +# the server will start blocking user actions. +# +# 'mau_trial_days' is a means to add a grace period for active users. It +# means that users must be active for this number of days before they +# can be considered active and guards against the case where lots of users +# sign up in a short space of time never to return after their initial +# session. +# +# 'mau_limit_alerting' is a means of limiting client side alerting +# should the mau limit be reached. This is useful for small instances +# where the admin has 5 mau seats (say) for 5 specific people and no +# interest increasing the mau limit further. Defaults to True, which +# means that alerting is enabled +# +#limit_usage_by_mau: false +#max_mau_value: 50 +#mau_trial_days: 2 +#mau_limit_alerting: false + +# If enabled, the metrics for the number of monthly active users will +# be populated, however no one will be limited. If limit_usage_by_mau +# is true, this is implied to be true. +# +#mau_stats_only: false + +# Sometimes the server admin will want to ensure certain accounts are +# never blocked by mau checking. These accounts are specified here. +# +#mau_limit_reserved_threepids: +# - medium: 'email' +# address: 'reserved_user@example.com' + +# Used by phonehome stats to group together related servers. +#server_context: context + +# Resource-constrained homeserver settings +# +# When this is enabled, the room "complexity" will be checked before a user +# joins a new remote room. If it is above the complexity limit, the server will +# disallow joining, or will instantly leave. +# +# Room complexity is an arbitrary measure based on factors such as the number of +# users in the room. +# +limit_remote_rooms: + # Uncomment to enable room complexity checking. + # + #enabled: true + + # the limit above which rooms cannot be joined. The default is 1.0. + # + #complexity: 0.5 + + # override the error which is returned when the room is too complex. + # + #complexity_error: "This room is too complex." + +# Whether to require a user to be in the room to add an alias to it. +# Defaults to 'true'. +# +#require_membership_for_aliases: false + +# Whether to allow per-room membership profiles through the send of membership +# events with profile information that differ from the target's global profile. +# Defaults to 'true'. +# +#allow_per_room_profiles: false + +# How long to keep redacted events in unredacted form in the database. After +# this period redacted events get replaced with their redacted form in the DB. +# +# Defaults to `7d`. Set to `null` to disable. +# +#redaction_retention_period: 28d + +# How long to track users' last seen time and IPs in the database. +# +# Defaults to `28d`. Set to `null` to disable clearing out of old rows. +# +#user_ips_max_age: 14d + +# Message retention policy at the server level. +# +# Room admins and mods can define a retention period for their rooms using the +# 'm.room.retention' state event, and server admins can cap this period by setting +# the 'allowed_lifetime_min' and 'allowed_lifetime_max' config options. +# +# If this feature is enabled, Synapse will regularly look for and purge events +# which are older than the room's maximum retention period. Synapse will also +# filter events received over federation so that events that should have been +# purged are ignored and not stored again. +# +retention: + # The message retention policies feature is disabled by default. Uncomment the + # following line to enable it. + # + #enabled: true + + # Default retention policy. If set, Synapse will apply it to rooms that lack the + # 'm.room.retention' state event. Currently, the value of 'min_lifetime' doesn't + # matter much because Synapse doesn't take it into account yet. + # + #default_policy: + # min_lifetime: 1d + # max_lifetime: 1y + + # Retention policy limits. If set, a user won't be able to send a + # 'm.room.retention' event which features a 'min_lifetime' or a 'max_lifetime' + # that's not within this range. This is especially useful in closed federations, + # in which server admins can make sure every federating server applies the same + # rules. + # + #allowed_lifetime_min: 1d + #allowed_lifetime_max: 1y + + # Server admins can define the settings of the background jobs purging the + # events which lifetime has expired under the 'purge_jobs' section. + # + # If no configuration is provided, a single job will be set up to delete expired + # events in every room daily. + # + # Each job's configuration defines which range of message lifetimes the job + # takes care of. For example, if 'shortest_max_lifetime' is '2d' and + # 'longest_max_lifetime' is '3d', the job will handle purging expired events in + # rooms whose state defines a 'max_lifetime' that's both higher than 2 days, and + # lower than or equal to 3 days. Both the minimum and the maximum value of a + # range are optional, e.g. a job with no 'shortest_max_lifetime' and a + # 'longest_max_lifetime' of '3d' will handle every room with a retention policy + # which 'max_lifetime' is lower than or equal to three days. + # + # The rationale for this per-job configuration is that some rooms might have a + # retention policy with a low 'max_lifetime', where history needs to be purged + # of outdated messages on a more frequent basis than for the rest of the rooms + # (e.g. every 12h), but not want that purge to be performed by a job that's + # iterating over every room it knows, which could be heavy on the server. + # + #purge_jobs: + # - shortest_max_lifetime: 1d + # longest_max_lifetime: 3d + # interval: 12h + # - shortest_max_lifetime: 3d + # longest_max_lifetime: 1y + # interval: 1d + +# Inhibits the /requestToken endpoints from returning an error that might leak +# information about whether an e-mail address is in use or not on this +# homeserver. +# Note that for some endpoints the error situation is the e-mail already being +# used, and for others the error is entering the e-mail being unused. +# If this option is enabled, instead of returning an error, these endpoints will +# act as if no error happened and return a fake session ID ('sid') to clients. +# +#request_token_inhibit_3pid_errors: true + + +## TLS ## + +# PEM-encoded X509 certificate for TLS. +# This certificate, as of Synapse 1.0, will need to be a valid and verifiable +# certificate, signed by a recognised Certificate Authority. +# +# See 'ACME support' below to enable auto-provisioning this certificate via +# Let's Encrypt. +# +# If supplying your own, be sure to use a `.pem` file that includes the +# full certificate chain including any intermediate certificates (for +# instance, if using certbot, use `fullchain.pem` as your certificate, +# not `cert.pem`). +# +#tls_certificate_path: '/etc/letsencrypt/live/matrix.example.com/fullchain.pem' + +# PEM-encoded private key for TLS +# +#tls_private_key_path: '/etc/letsencrypt/live/matrix.example.com/privkey.pem' + +# Whether to verify TLS server certificates for outbound federation requests. +# +# Defaults to `true`. To disable certificate verification, uncomment the +# following line. +# +#federation_verify_certificates: false + +# The minimum TLS version that will be used for outbound federation requests. +# +# Defaults to `1`. Configurable to `1`, `1.1`, `1.2`, or `1.3`. Note +# that setting this value higher than `1.2` will prevent federation to most +# of the public Matrix network: only configure it to `1.3` if you have an +# entirely private federation setup and you can ensure TLS 1.3 support. +# +#federation_client_minimum_tls_version: 1.2 + +# Skip federation certificate verification on the following whitelist +# of domains. +# +# This setting should only be used in very specific cases, such as +# federation over Tor hidden services and similar. For private networks +# of homeservers, you likely want to use a private CA instead. +# +# Only effective if federation_verify_certicates is `true`. +# +#federation_certificate_verification_whitelist: +# - lon.example.com +# - *.domain.com +# - *.onion + +# List of custom certificate authorities for federation traffic. +# +# This setting should only normally be used within a private network of +# homeservers. +# +# Note that this list will replace those that are provided by your +# operating environment. Certificates must be in PEM format. +# +#federation_custom_ca_list: +# - myCA1.pem +# - myCA2.pem +# - myCA3.pem + +# List of allowed TLS fingerprints for this server to publish along +# with the signing keys for this server. Other matrix servers that +# make HTTPS requests to this server will check that the TLS +# certificates returned by this server match one of the fingerprints. +# +# Synapse automatically adds the fingerprint of its own certificate +# to the list. So if federation traffic is handled directly by synapse +# then no modification to the list is required. +# +# If synapse is run behind a load balancer that handles the TLS then it +# will be necessary to add the fingerprints of the certificates used by +# the loadbalancers to this list if they are different to the one +# synapse is using. +# +# Homeservers are permitted to cache the list of TLS fingerprints +# returned in the key responses up to the "valid_until_ts" returned in +# key. It may be necessary to publish the fingerprints of a new +# certificate and wait until the "valid_until_ts" of the previous key +# responses have passed before deploying it. +# +# You can calculate a fingerprint from a given TLS listener via: +# openssl s_client -connect $host:$port < /dev/null 2> /dev/null | +# openssl x509 -outform DER | openssl sha256 -binary | base64 | tr -d '=' +# or by checking matrix.org/federationtester/api/report?server_name=$host +# +#tls_fingerprints: [{"sha256": ""}] + + + +## Caching ## + +# Caching can be configured through the following options. +# +# A cache 'factor' is a multiplier that can be applied to each of +# Synapse's caches in order to increase or decrease the maximum +# number of entries that can be stored. + +# The number of events to cache in memory. Not affected by +# caches.global_factor. +# +#event_cache_size: 10K + +caches: + # Controls the global cache factor, which is the default cache factor + # for all caches if a specific factor for that cache is not otherwise + # set. + # + # This can also be set by the "SYNAPSE_CACHE_FACTOR" environment + # variable. Setting by environment variable takes priority over + # setting through the config file. + # + # Defaults to 0.5, which will half the size of all caches. + # + #global_factor: 1.0 + + # A dictionary of cache name to cache factor for that individual + # cache. Overrides the global cache factor for a given cache. + # + # These can also be set through environment variables comprised + # of "SYNAPSE_CACHE_FACTOR_" + the name of the cache in capital + # letters and underscores. Setting by environment variable + # takes priority over setting through the config file. + # Ex. SYNAPSE_CACHE_FACTOR_GET_USERS_WHO_SHARE_ROOM_WITH_USER=2.0 + # + # Some caches have '*' and other characters that are not + # alphanumeric or underscores. These caches can be named with or + # without the special characters stripped. For example, to specify + # the cache factor for `*stateGroupCache*` via an environment + # variable would be `SYNAPSE_CACHE_FACTOR_STATEGROUPCACHE=2.0`. + # + per_cache_factors: + #get_users_who_share_room_with_user: 2.0 + + +## Logging ## + +# A yaml python logging config file as described by +# https://docs.python.org/3.7/library/logging.config.html#configuration-dictionary-schema +# +log_config: '{{ matrix__synapse__log_conf_file }}' + + +## Ratelimiting ## + +# Ratelimiting settings for client actions (registration, login, messaging). +# +# Each ratelimiting configuration is made of two parameters: +# - per_second: number of requests a client can send per second. +# - burst_count: number of requests a client can send before being throttled. +# +# Synapse currently uses the following configurations: +# - one for messages that ratelimits sending based on the account the client +# is using +# - one for registration that ratelimits registration requests based on the +# client's IP address. +# - one for login that ratelimits login requests based on the client's IP +# address. +# - one for login that ratelimits login requests based on the account the +# client is attempting to log into. +# - one for login that ratelimits login requests based on the account the +# client is attempting to log into, based on the amount of failed login +# attempts for this account. +# - one for ratelimiting redactions by room admins. If this is not explicitly +# set then it uses the same ratelimiting as per rc_message. This is useful +# to allow room admins to deal with abuse quickly. +# +# The defaults are as shown below. +# +#rc_message: +# per_second: 0.2 +# burst_count: 10 +# +#rc_registration: +# per_second: 0.17 +# burst_count: 3 +# +#rc_login: +# address: +# per_second: 0.17 +# burst_count: 3 +# account: +# per_second: 0.17 +# burst_count: 3 +# failed_attempts: +# per_second: 0.17 +# burst_count: 3 +# +#rc_admin_redaction: +# per_second: 1 +# burst_count: 50 + + +# Ratelimiting settings for incoming federation +# +# The rc_federation configuration is made up of the following settings: +# - window_size: window size in milliseconds +# - sleep_limit: number of federation requests from a single server in +# a window before the server will delay processing the request. +# - sleep_delay: duration in milliseconds to delay processing events +# from remote servers by if they go over the sleep limit. +# - reject_limit: maximum number of concurrent federation requests +# allowed from a single server +# - concurrent: number of federation requests to concurrently process +# from a single server +# +# The defaults are as shown below. +# +#rc_federation: +# window_size: 1000 +# sleep_limit: 10 +# sleep_delay: 500 +# reject_limit: 50 +# concurrent: 3 + +# Target outgoing federation transaction frequency for sending read-receipts, +# per-room. +# +# If we end up trying to send out more read-receipts, they will get buffered up +# into fewer transactions. +# +#federation_rr_transactions_per_room_per_second: 50 + + +## Registration ## +# +# Registration can be rate-limited using the parameters in the "Ratelimiting" +# section of this file. + +# Enable registration for new users. +# +enable_registration: true + +# Optional account validity configuration. This allows for accounts to be denied +# any request after a given period. +# +# Once this feature is enabled, Synapse will look for registered users without an +# expiration date at startup and will add one to every account it found using the +# current settings at that time. +# This means that, if a validity period is set, and Synapse is restarted (it will +# then derive an expiration date from the current validity period), and some time +# after that the validity period changes and Synapse is restarted, the users' +# expiration dates won't be updated unless their account is manually renewed. This +# date will be randomly selected within a range [now + period - d ; now + period], +# where d is equal to 10% of the validity period. +# +account_validity: + # The account validity feature is disabled by default. Uncomment the + # following line to enable it. + # + #enabled: true + + # The period after which an account is valid after its registration. When + # renewing the account, its validity period will be extended by this amount + # of time. This parameter is required when using the account validity + # feature. + # + #period: 6w + + # The amount of time before an account's expiry date at which Synapse will + # send an email to the account's email address with a renewal link. By + # default, no such emails are sent. + # + # If you enable this setting, you will also need to fill out the 'email' and + # 'public_baseurl' configuration sections. + # + #renew_at: 1w + + # The subject of the email sent out with the renewal link. '%(app)s' can be + # used as a placeholder for the 'app_name' parameter from the 'email' + # section. + # + # Note that the placeholder must be written '%(app)s', including the + # trailing 's'. + # + # If this is not set, a default value is used. + # + #renew_email_subject: "Renew your %(app)s account" + + # Directory in which Synapse will try to find templates for the HTML files to + # serve to the user when trying to renew an account. If not set, default + # templates from within the Synapse package will be used. + # + #template_dir: "res/templates" + + # File within 'template_dir' giving the HTML to be displayed to the user after + # they successfully renewed their account. If not set, default text is used. + # + #account_renewed_html_path: "account_renewed.html" + + # File within 'template_dir' giving the HTML to be displayed when the user + # tries to renew an account with an invalid renewal token. If not set, + # default text is used. + # + #invalid_token_html_path: "invalid_token.html" + +# Time that a user's session remains valid for, after they log in. +# +# Note that this is not currently compatible with guest logins. +# +# Note also that this is calculated at login time: changes are not applied +# retrospectively to users who have already logged in. +# +# By default, this is infinite. +# +#session_lifetime: 24h + +# The user must provide all of the below types of 3PID when registering. +# +#registrations_require_3pid: +# - email +# - msisdn + +# Explicitly disable asking for MSISDNs from the registration +# flow (overrides registrations_require_3pid if MSISDNs are set as required) +# +#disable_msisdn_registration: true + +# Mandate that users are only allowed to associate certain formats of +# 3PIDs with accounts on this server. +# +#allowed_local_3pids: +# - medium: email +# pattern: '.*@matrix\.org' +# - medium: email +# pattern: '.*@vector\.im' +# - medium: msisdn +# pattern: '\+44' + +# Enable 3PIDs lookup requests to identity servers from this server. +# +enable_3pid_lookup: false + +# If set, allows registration of standard or admin accounts by anyone who +# has the shared secret, even if registration is otherwise disabled. +# +registration_shared_secret: '{{ matrix__synapse__reg_secret }}' + +# Set the number of bcrypt rounds used to generate password hash. +# Larger numbers increase the work factor needed to generate the hash. +# The default number is 12 (which equates to 2^12 rounds). +# N.B. that increasing this will exponentially increase the time required +# to register or login - e.g. 24 => 2^24 rounds which will take >20 mins. +# +#bcrypt_rounds: 12 + +# Allows users to register as guests without a password/email/etc, and +# participate in rooms hosted on this server which have been made +# accessible to anonymous users. +# +allow_guest_access: true + +# The identity server which we suggest that clients should use when users log +# in on this server. +# +# (By default, no suggestion is made, so it is left up to the client. +# This setting is ignored unless public_baseurl is also set.) +# +#default_identity_server: https://matrix.org + +# The list of identity servers trusted to verify third party +# identifiers by this server. +# +# Also defines the ID server which will be called when an account is +# deactivated (one will be picked arbitrarily). +# +# Note: This option is deprecated. Since v0.99.4, Synapse has tracked which identity +# server a 3PID has been bound to. For 3PIDs bound before then, Synapse runs a +# background migration script, informing itself that the identity server all of its +# 3PIDs have been bound to is likely one of the below. +# +# As of Synapse v1.4.0, all other functionality of this option has been deprecated, and +# it is now solely used for the purposes of the background migration script, and can be +# removed once it has run. +#trusted_third_party_id_servers: +# - matrix.org +# - vector.im + +# Handle threepid (email/phone etc) registration and password resets through a set of +# *trusted* identity servers. Note that this allows the configured identity server to +# reset passwords for accounts! +# +# Be aware that if `email` is not set, and SMTP options have not been +# configured in the email config block, registration and user password resets via +# email will be globally disabled. +# +# Additionally, if `msisdn` is not set, registration and password resets via msisdn +# will be disabled regardless. This is due to Synapse currently not supporting any +# method of sending SMS messages on its own. +# +# To enable using an identity server for operations regarding a particular third-party +# identifier type, set the value to the URL of that identity server as shown in the +# examples below. +# +# Servers handling the these requests must answer the `/requestToken` endpoints defined +# by the Matrix Identity Service API specification: +# https://matrix.org/docs/spec/identity_service/latest +# +# If a delegate is specified, the config option public_baseurl must also be filled out. +# +account_threepid_delegates: + #email: https://example.com # Delegate email sending to example.com + #msisdn: http://localhost:8090 # Delegate SMS sending to this local process + +# Whether users are allowed to change their displayname after it has +# been initially set. Useful when provisioning users based on the +# contents of a third-party directory. +# +# Does not apply to server administrators. Defaults to 'true' +# +#enable_set_displayname: false + +# Whether users are allowed to change their avatar after it has been +# initially set. Useful when provisioning users based on the contents +# of a third-party directory. +# +# Does not apply to server administrators. Defaults to 'true' +# +#enable_set_avatar_url: false + +# Whether users can change the 3PIDs associated with their accounts +# (email address and msisdn). +# +# Defaults to 'true' +# +#enable_3pid_changes: false + +# Users who register on this homeserver will automatically be joined +# to these rooms +# +#auto_join_rooms: +# - "#example:example.com" + +# Where auto_join_rooms are specified, setting this flag ensures that the +# the rooms exist by creating them when the first user on the +# homeserver registers. +# Setting to false means that if the rooms are not manually created, +# users cannot be auto-joined since they do not exist. +# +#autocreate_auto_join_rooms: true + +# When auto_join_rooms is specified, setting this flag to false prevents +# guest accounts from being automatically joined to the rooms. +# +# Defaults to true. +# +#auto_join_rooms_for_guests: false + + +## Metrics ### + +# Enable collection and rendering of performance metrics +# +#enable_metrics: false + +# Enable sentry integration +# NOTE: While attempts are made to ensure that the logs don't contain +# any sensitive information, this cannot be guaranteed. By enabling +# this option the sentry server may therefore receive sensitive +# information, and it in turn may then diseminate sensitive information +# through insecure notification channels if so configured. +# +#sentry: +# dsn: "..." + +# Flags to enable Prometheus metrics which are not suitable to be +# enabled by default, either for performance reasons or limited use. +# +metrics_flags: + # Publish synapse_federation_known_servers, a gauge of the number of + # servers this homeserver knows about, including itself. May cause + # performance problems on large homeservers. + # + #known_servers: true + +# Whether or not to report anonymized homeserver usage statistics. +# +report_stats: true + +# The endpoint to report the anonymized homeserver usage statistics to. +# Defaults to https://matrix.org/report-usage-stats/push +# +#report_stats_endpoint: https://example.com/report-usage-stats/push + + +## API Configuration ## + +# A list of event types that will be included in the room_invite_state +# +#room_invite_state_types: +# - "m.room.join_rules" +# - "m.room.canonical_alias" +# - "m.room.avatar" +# - "m.room.encryption" +# - "m.room.name" + + +# A list of application service config files to use +# +#app_service_config_files: +# - app_service_1.yaml +# - app_service_2.yaml + +# Uncomment to enable tracking of application service IP addresses. Implicitly +# enables MAU tracking for application service users. +# +#track_appservice_user_ips: true + + +# a secret which is used to sign access tokens. If none is specified, +# the registration_shared_secret is used, if one is given; otherwise, +# a secret key is derived from the signing key. +# +macaroon_secret_key: '{{ matrix__synapse__macaroon_secret }}' + +# a secret which is used to calculate HMACs for form values, to stop +# falsification of values. Must be specified for the User Consent +# forms to work. +# +form_secret: '{{ matrix__synapse__form_secret }}' + +## Signing Keys ## + +# Path to the signing key to sign messages with +# +signing_key_path: '{{ matrix__synapse__key_file }}' + +# The keys that the server used to sign messages with but won't use +# to sign new messages. +# +old_signing_keys: + # For each key, `key` should be the base64-encoded public key, and + # `expired_ts`should be the time (in milliseconds since the unix epoch) that + # it was last used. + # + # It is possible to build an entry from an old signing.key file using the + # `export_signing_key` script which is provided with synapse. + # + # For example: + # + #"ed25519:id": { key: "base64string", expired_ts: 123456789123 } + +# How long key response published by this server is valid for. +# Used to set the valid_until_ts in /key/v2 APIs. +# Determines how quickly servers will query to check which keys +# are still valid. +# +#key_refresh_interval: 1d + +# The trusted servers to download signing keys from. +# +# When we need to fetch a signing key, each server is tried in parallel. +# +# Normally, the connection to the key server is validated via TLS certificates. +# Additional security can be provided by configuring a `verify key`, which +# will make synapse check that the response is signed by that key. +# +# This setting supercedes an older setting named `perspectives`. The old format +# is still supported for backwards-compatibility, but it is deprecated. +# +# 'trusted_key_servers' defaults to matrix.org, but using it will generate a +# warning on start-up. To suppress this warning, set +# 'suppress_key_server_warning' to true. +# +# Options for each entry in the list include: +# +# server_name: the name of the server. required. +# +# verify_keys: an optional map from key id to base64-encoded public key. +# If specified, we will check that the response is signed by at least +# one of the given keys. +# +# accept_keys_insecurely: a boolean. Normally, if `verify_keys` is unset, +# and federation_verify_certificates is not `true`, synapse will refuse +# to start, because this would allow anyone who can spoof DNS responses +# to masquerade as the trusted key server. If you know what you are doing +# and are sure that your network environment provides a secure connection +# to the key server, you can set this to `true` to override this +# behaviour. +# +# An example configuration might look like: +# +#trusted_key_servers: +# - server_name: "my_trusted_server.example.com" +# verify_keys: +# "ed25519:auto": "abcdefghijklmnopqrstuvwxyzabcdefghijklmopqr" +# - server_name: "my_other_trusted_server.example.com" +# +trusted_key_servers: + - server_name: 'matrix.org' + +# Uncomment the following to disable the warning that is emitted when the +# trusted_key_servers include 'matrix.org'. See above. +# +#suppress_key_server_warning: true + +# The signing keys to use when acting as a trusted key server. If not specified +# defaults to the server signing key. +# +# Can contain multiple keys, one per line. +# +#key_server_signing_keys_path: "key_server_signing_keys.key" + + +## Single sign-on integration ## + +# Enable SAML2 for registration and login. Uses pysaml2. +# +# At least one of `sp_config` or `config_path` must be set in this section to +# enable SAML login. +# +# (You will probably also want to set the following options to `false` to +# disable the regular login/registration flows: +# * enable_registration +# * password_config.enabled +# +# Once SAML support is enabled, a metadata file will be exposed at +# https://:/_matrix/saml2/metadata.xml, which you may be able to +# use to configure your SAML IdP with. Alternatively, you can manually configure +# the IdP to use an ACS location of +# https://:/_matrix/saml2/authn_response. +# +saml2_config: + # `sp_config` is the configuration for the pysaml2 Service Provider. + # See pysaml2 docs for format of config. + # + # Default values will be used for the 'entityid' and 'service' settings, + # so it is not normally necessary to specify them unless you need to + # override them. + # + #sp_config: + # # point this to the IdP's metadata. You can use either a local file or + # # (preferably) a URL. + # metadata: + # #local: ["saml2/idp.xml"] + # remote: + # - url: https://our_idp/metadata.xml + # + # # By default, the user has to go to our login page first. If you'd like + # # to allow IdP-initiated login, set 'allow_unsolicited: true' in a + # # 'service.sp' section: + # # + # #service: + # # sp: + # # allow_unsolicited: true + # + # # The examples below are just used to generate our metadata xml, and you + # # may well not need them, depending on your setup. Alternatively you + # # may need a whole lot more detail - see the pysaml2 docs! + # + # description: ["My awesome SP", "en"] + # name: ["Test SP", "en"] + # + # organization: + # name: Example com + # display_name: + # - ["Example co", "en"] + # url: "http://example.com" + # + # contact_person: + # - given_name: Bob + # sur_name: "the Sysadmin" + # email_address": ["admin@example.com"] + # contact_type": technical + + # Instead of putting the config inline as above, you can specify a + # separate pysaml2 configuration file: + # + #config_path: "/opt/synapse/sp_conf.py" + + # The lifetime of a SAML session. This defines how long a user has to + # complete the authentication process, if allow_unsolicited is unset. + # The default is 5 minutes. + # + #saml_session_lifetime: 5m + + # An external module can be provided here as a custom solution to + # mapping attributes returned from a saml provider onto a matrix user. + # + user_mapping_provider: + # The custom module's class. Uncomment to use a custom module. + # + #module: mapping_provider.SamlMappingProvider + + # Custom configuration values for the module. Below options are + # intended for the built-in provider, they should be changed if + # using a custom module. This section will be passed as a Python + # dictionary to the module's `parse_config` method. + # + config: + # The SAML attribute (after mapping via the attribute maps) to use + # to derive the Matrix ID from. 'uid' by default. + # + # Note: This used to be configured by the + # saml2_config.mxid_source_attribute option. If that is still + # defined, its value will be used instead. + # + #mxid_source_attribute: displayName + + # The mapping system to use for mapping the saml attribute onto a + # matrix ID. + # + # Options include: + # * 'hexencode' (which maps unpermitted characters to '=xx') + # * 'dotreplace' (which replaces unpermitted characters with + # '.'). + # The default is 'hexencode'. + # + # Note: This used to be configured by the + # saml2_config.mxid_mapping option. If that is still defined, its + # value will be used instead. + # + #mxid_mapping: dotreplace + + # In previous versions of synapse, the mapping from SAML attribute to + # MXID was always calculated dynamically rather than stored in a + # table. For backwards- compatibility, we will look for user_ids + # matching such a pattern before creating a new account. + # + # This setting controls the SAML attribute which will be used for this + # backwards-compatibility lookup. Typically it should be 'uid', but if + # the attribute maps are changed, it may be necessary to change it. + # + # The default is 'uid'. + # + #grandfathered_mxid_source_attribute: upn + + # Directory in which Synapse will try to find the template files below. + # If not set, default templates from within the Synapse package will be used. + # + # DO NOT UNCOMMENT THIS SETTING unless you want to customise the templates. + # If you *do* uncomment it, you will need to make sure that all the templates + # below are in the directory. + # + # Synapse will look for the following templates in this directory: + # + # * HTML page to display to users if something goes wrong during the + # authentication process: 'saml_error.html'. + # + # When rendering, this template is given the following variables: + # * code: an HTML error code corresponding to the error that is being + # returned (typically 400 or 500) + # + # * msg: a textual message describing the error. + # + # The variables will automatically be HTML-escaped. + # + # You can see the default templates at: + # https://github.com/matrix-org/synapse/tree/master/synapse/res/templates + # + #template_dir: "res/templates" + + +# OpenID Connect integration. The following settings can be used to make Synapse +# use an OpenID Connect Provider for authentication, instead of its internal +# password database. +# +# See https://github.com/matrix-org/synapse/blob/master/openid.md. +# +oidc_config: + # Uncomment the following to enable authorization against an OpenID Connect + # server. Defaults to false. + # + #enabled: true + + # Uncomment the following to disable use of the OIDC discovery mechanism to + # discover endpoints. Defaults to true. + # + #discover: false + + # the OIDC issuer. Used to validate tokens and (if discovery is enabled) to + # discover the provider's endpoints. + # + # Required if 'enabled' is true. + # + #issuer: "https://accounts.example.com/" + + # oauth2 client id to use. + # + # Required if 'enabled' is true. + # + #client_id: "provided-by-your-issuer" + + # oauth2 client secret to use. + # + # Required if 'enabled' is true. + # + #client_secret: "provided-by-your-issuer" + + # auth method to use when exchanging the token. + # Valid values are 'client_secret_basic' (default), 'client_secret_post' and + # 'none'. + # + #client_auth_method: client_secret_post + + # list of scopes to request. This should normally include the "openid" scope. + # Defaults to ["openid"]. + # + #scopes: ["openid", "profile"] + + # the oauth2 authorization endpoint. Required if provider discovery is disabled. + # + #authorization_endpoint: "https://accounts.example.com/oauth2/auth" + + # the oauth2 token endpoint. Required if provider discovery is disabled. + # + #token_endpoint: "https://accounts.example.com/oauth2/token" + + # the OIDC userinfo endpoint. Required if discovery is disabled and the + # "openid" scope is not requested. + # + #userinfo_endpoint: "https://accounts.example.com/userinfo" + + # URI where to fetch the JWKS. Required if discovery is disabled and the + # "openid" scope is used. + # + #jwks_uri: "https://accounts.example.com/.well-known/jwks.json" + + # Uncomment to skip metadata verification. Defaults to false. + # + # Use this if you are connecting to a provider that is not OpenID Connect + # compliant. + # Avoid this in production. + # + #skip_verification: true + + # An external module can be provided here as a custom solution to mapping + # attributes returned from a OIDC provider onto a matrix user. + # + user_mapping_provider: + # The custom module's class. Uncomment to use a custom module. + # Default is 'synapse.handlers.oidc_handler.JinjaOidcMappingProvider'. + # + # See https://github.com/matrix-org/synapse/blob/master/docs/sso_mapping_providers.md#openid-mapping-providers + # for information on implementing a custom mapping provider. + # + #module: mapping_provider.OidcMappingProvider +{% raw %} + # Custom configuration values for the module. This section will be passed as + # a Python dictionary to the user mapping provider module's `parse_config` + # method. + # + # The examples below are intended for the default provider: they should be + # changed if using a custom provider. + # + config: + # name of the claim containing a unique identifier for the user. + # Defaults to `sub`, which OpenID Connect compliant providers should provide. + # + #subject_claim: "sub" + + # Jinja2 template for the localpart of the MXID. + # + # When rendering, this template is given the following variables: + # * user: The claims returned by the UserInfo Endpoint and/or in the ID + # Token + # + # This must be configured if using the default mapping provider. + # + localpart_template: "{{ user.preferred_username }}" + + # Jinja2 template for the display name to set on first login. + # + # If unset, no displayname will be set. + # + #display_name_template: "{{ user.given_name }} {{ user.last_name }}" +{% endraw %} + + + +# Enable CAS for registration and login. +# +#cas_config: +# enabled: true +# server_url: "https://cas-server.com" +# service_url: "https://homeserver.domain.com:8448" +# #displayname_attribute: name +# #required_attributes: +# # name: value + + +# Additional settings to use with single-sign on systems such as OpenID Connect, +# SAML2 and CAS. +# +sso: + # A list of client URLs which are whitelisted so that the user does not + # have to confirm giving access to their account to the URL. Any client + # whose URL starts with an entry in the following list will not be subject + # to an additional confirmation step after the SSO login is completed. + # + # WARNING: An entry such as "https://my.client" is insecure, because it + # will also match "https://my.client.evil.site", exposing your users to + # phishing attacks from evil.site. To avoid this, include a slash after the + # hostname: "https://my.client/". + # + # If public_baseurl is set, then the login fallback page (used by clients + # that don't natively support the required login flows) is whitelisted in + # addition to any URLs in this list. + # + # By default, this list is empty. + # + #client_whitelist: + # - https://riot.im/develop + # - https://my.custom.client/ + + # Directory in which Synapse will try to find the template files below. + # If not set, default templates from within the Synapse package will be used. + # + # DO NOT UNCOMMENT THIS SETTING unless you want to customise the templates. + # If you *do* uncomment it, you will need to make sure that all the templates + # below are in the directory. + # + # Synapse will look for the following templates in this directory: + # + # * HTML page for a confirmation step before redirecting back to the client + # with the login token: 'sso_redirect_confirm.html'. + # + # When rendering, this template is given three variables: + # * redirect_url: the URL the user is about to be redirected to. Needs + # manual escaping (see + # https://jinja.palletsprojects.com/en/2.11.x/templates/#html-escaping). + # + # * display_url: the same as `redirect_url`, but with the query + # parameters stripped. The intention is to have a + # human-readable URL to show to users, not to use it as + # the final address to redirect to. Needs manual escaping + # (see https://jinja.palletsprojects.com/en/2.11.x/templates/#html-escaping). + # + # * server_name: the homeserver's name. + # + # * HTML page which notifies the user that they are authenticating to confirm + # an operation on their account during the user interactive authentication + # process: 'sso_auth_confirm.html'. + # + # When rendering, this template is given the following variables: + # * redirect_url: the URL the user is about to be redirected to. Needs + # manual escaping (see + # https://jinja.palletsprojects.com/en/2.11.x/templates/#html-escaping). + # + # * description: the operation which the user is being asked to confirm + # + # * HTML page shown after a successful user interactive authentication session: + # 'sso_auth_success.html'. + # + # Note that this page must include the JavaScript which notifies of a successful authentication + # (see https://matrix.org/docs/spec/client_server/r0.6.0#fallback). + # + # This template has no additional variables. + # + # * HTML page shown during single sign-on if a deactivated user (according to Synapse's database) + # attempts to login: 'sso_account_deactivated.html'. + # + # This template has no additional variables. + # + # * HTML page to display to users if something goes wrong during the + # OpenID Connect authentication process: 'sso_error.html'. + # + # When rendering, this template is given two variables: + # * error: the technical name of the error + # * error_description: a human-readable message for the error + # + # You can see the default templates at: + # https://github.com/matrix-org/synapse/tree/master/synapse/res/templates + # + #template_dir: "res/templates" + + +# The JWT needs to contain a globally unique "sub" (subject) claim. +# +#jwt_config: +# enabled: true +# secret: "a secret" +# algorithm: "HS256" + + +password_config: + # Uncomment to disable password login + # + #enabled: false + + # Uncomment to disable authentication against the local password + # database. This is ignored if `enabled` is false, and is only useful + # if you have other password_providers. + # + #localdb_enabled: false + + # Uncomment and change to a secret random string for extra security. + # DO NOT CHANGE THIS AFTER INITIAL SETUP! + # + #pepper: "EVEN_MORE_SECRET" + + # Define and enforce a password policy. Each parameter is optional. + # This is an implementation of MSC2000. + # + policy: + # Whether to enforce the password policy. + # Defaults to 'false'. + # + #enabled: true + + # Minimum accepted length for a password. + # Defaults to 0. + # + #minimum_length: 15 + + # Whether a password must contain at least one digit. + # Defaults to 'false'. + # + #require_digit: true + + # Whether a password must contain at least one symbol. + # A symbol is any character that's not a number or a letter. + # Defaults to 'false'. + # + #require_symbol: true + + # Whether a password must contain at least one lowercase letter. + # Defaults to 'false'. + # + #require_lowercase: true + + # Whether a password must contain at least one lowercase letter. + # Defaults to 'false'. + # + #require_uppercase: true + + +# Configuration for sending emails from Synapse. +# +email: + # The hostname of the outgoing SMTP server to use. Defaults to 'localhost'. + # + #smtp_host: mail.server + + # The port on the mail server for outgoing SMTP. Defaults to 25. + # + #smtp_port: 587 + + # Username/password for authentication to the SMTP server. By default, no + # authentication is attempted. + # + #smtp_user: "exampleusername" + #smtp_pass: "examplepassword" + + # Uncomment the following to require TLS transport security for SMTP. + # By default, Synapse will connect over plain text, and will then switch to + # TLS via STARTTLS *if the SMTP server supports it*. If this option is set, + # Synapse will refuse to connect unless the server supports STARTTLS. + # + #require_transport_security: true + + # notif_from defines the "From" address to use when sending emails. + # It must be set if email sending is enabled. + # + # The placeholder '%(app)s' will be replaced by the application name, + # which is normally 'app_name' (below), but may be overridden by the + # Matrix client application. + # + # Note that the placeholder must be written '%(app)s', including the + # trailing 's'. + # + #notif_from: "Your Friendly %(app)s homeserver " + + # app_name defines the default value for '%(app)s' in notif_from. It + # defaults to 'Matrix'. + # + #app_name: my_branded_matrix_server + + # Uncomment the following to enable sending emails for messages that the user + # has missed. Disabled by default. + # + #enable_notifs: true + + # Uncomment the following to disable automatic subscription to email + # notifications for new users. Enabled by default. + # + #notif_for_new_users: false + + # Custom URL for client links within the email notifications. By default + # links will be based on "https://matrix.to". + # + # (This setting used to be called riot_base_url; the old name is still + # supported for backwards-compatibility but is now deprecated.) + # + #client_base_url: "http://localhost/riot" + + # Configure the time that a validation email will expire after sending. + # Defaults to 1h. + # + #validation_token_lifetime: 15m + + # Directory in which Synapse will try to find the template files below. + # If not set, default templates from within the Synapse package will be used. + # + # DO NOT UNCOMMENT THIS SETTING unless you want to customise the templates. + # If you *do* uncomment it, you will need to make sure that all the templates + # below are in the directory. + # + # Synapse will look for the following templates in this directory: + # + # * The contents of email notifications of missed events: 'notif_mail.html' and + # 'notif_mail.txt'. + # + # * The contents of account expiry notice emails: 'notice_expiry.html' and + # 'notice_expiry.txt'. + # + # * The contents of password reset emails sent by the homeserver: + # 'password_reset.html' and 'password_reset.txt' + # + # * HTML pages for success and failure that a user will see when they follow + # the link in the password reset email: 'password_reset_success.html' and + # 'password_reset_failure.html' + # + # * The contents of address verification emails sent during registration: + # 'registration.html' and 'registration.txt' + # + # * HTML pages for success and failure that a user will see when they follow + # the link in an address verification email sent during registration: + # 'registration_success.html' and 'registration_failure.html' + # + # * The contents of address verification emails sent when an address is added + # to a Matrix account: 'add_threepid.html' and 'add_threepid.txt' + # + # * HTML pages for success and failure that a user will see when they follow + # the link in an address verification email sent when an address is added + # to a Matrix account: 'add_threepid_success.html' and + # 'add_threepid_failure.html' + # + # You can see the default templates at: + # https://github.com/matrix-org/synapse/tree/master/synapse/res/templates + # + #template_dir: "res/templates" + + +# Password providers allow homeserver administrators to integrate +# their Synapse installation with existing authentication methods +# ex. LDAP, external tokens, etc. +# +# For more information and known implementations, please see +# https://github.com/matrix-org/synapse/blob/master/docs/password_auth_providers.md +# +# Note: instances wishing to use SAML or CAS authentication should +# instead use the `saml2_config` or `cas_config` options, +# respectively. +# +password_providers: +# # Example config for an LDAP auth provider +# - module: "ldap_auth_provider.LdapAuthProvider" +# config: +# enabled: true +# uri: "ldap://ldap.example.com:389" +# start_tls: true +# base: "ou=users,dc=example,dc=com" +# attributes: +# uid: "cn" +# mail: "email" +# name: "givenName" +# #bind_dn: +# #bind_password: +# #filter: "(objectClass=posixAccount)" + + + +# Clients requesting push notifications can either have the body of +# the message sent in the notification poke along with other details +# like the sender, or just the event ID and room ID (`event_id_only`). +# If clients choose the former, this option controls whether the +# notification request includes the content of the event (other details +# like the sender are still included). For `event_id_only` push, it +# has no effect. +# +# For modern android devices the notification content will still appear +# because it is loaded by the app. iPhone, however will send a +# notification saying only that a message arrived and who it came from. +# +#push: +# include_content: true + + +# Spam checkers are third-party modules that can block specific actions +# of local users, such as creating rooms and registering undesirable +# usernames, as well as remote users by redacting incoming events. +# +spam_checker: + #- module: "my_custom_project.SuperSpamChecker" + # config: + # example_option: 'things' + #- module: "some_other_project.BadEventStopper" + # config: + # example_stop_events_from: ['@bad:example.com'] + + +# Uncomment to allow non-server-admin users to create groups on this server +# +#enable_group_creation: true + +# If enabled, non server admins can only create groups with local parts +# starting with this prefix +# +#group_creation_prefix: "unofficial/" + + + +# User Directory configuration +# +# 'enabled' defines whether users can search the user directory. If +# false then empty responses are returned to all queries. Defaults to +# true. +# +# 'search_all_users' defines whether to search all users visible to your HS +# when searching the user directory, rather than limiting to users visible +# in public rooms. Defaults to false. If you set it True, you'll have to +# rebuild the user_directory search indexes, see +# https://github.com/matrix-org/synapse/blob/master/docs/user_directory.md +# +user_directory: + enabled: true + search_all_users: true + + +# User Consent configuration +# +# for detailed instructions, see +# https://github.com/matrix-org/synapse/blob/master/docs/consent_tracking.md +# +# Parts of this section are required if enabling the 'consent' resource under +# 'listeners', in particular 'template_dir' and 'version'. +# +# 'template_dir' gives the location of the templates for the HTML forms. +# This directory should contain one subdirectory per language (eg, 'en', 'fr'), +# and each language directory should contain the policy document (named as +# '.html') and a success page (success.html). +# +# 'version' specifies the 'current' version of the policy document. It defines +# the version to be served by the consent resource if there is no 'v' +# parameter. +# +# 'server_notice_content', if enabled, will send a user a "Server Notice" +# asking them to consent to the privacy policy. The 'server_notices' section +# must also be configured for this to work. Notices will *not* be sent to +# guest users unless 'send_server_notice_to_guests' is set to true. +# +# 'block_events_error', if set, will block any attempts to send events +# until the user consents to the privacy policy. The value of the setting is +# used as the text of the error. +# +# 'require_at_registration', if enabled, will add a step to the registration +# process, similar to how captcha works. Users will be required to accept the +# policy before their account is created. +# +# 'policy_name' is the display name of the policy users will see when registering +# for an account. Has no effect unless `require_at_registration` is enabled. +# Defaults to "Privacy Policy". +# +#user_consent: +# template_dir: res/templates/privacy +# version: 1.0 +# server_notice_content: +# msgtype: m.text +# body: >- +# To continue using this homeserver you must review and agree to the +# terms and conditions at %(consent_uri)s +# send_server_notice_to_guests: true +# block_events_error: >- +# To continue using this homeserver you must review and agree to the +# terms and conditions at %(consent_uri)s +# require_at_registration: false +# policy_name: Privacy Policy +# + + + +# Local statistics collection. Used in populating the room directory. +# +# 'bucket_size' controls how large each statistics timeslice is. It can +# be defined in a human readable short form -- e.g. "1d", "1y". +# +# 'retention' controls how long historical statistics will be kept for. +# It can be defined in a human readable short form -- e.g. "1d", "1y". +# +# +#stats: +# enabled: true +# bucket_size: 1d +# retention: 1y + + +# Server Notices room configuration +# +# Uncomment this section to enable a room which can be used to send notices +# from the server to users. It is a special room which cannot be left; notices +# come from a special "notices" user id. +# +# If you uncomment this section, you *must* define the system_mxid_localpart +# setting, which defines the id of the user which will be used to send the +# notices. +# +# It's also possible to override the room name, the display name of the +# "notices" user, and the avatar for the user. +# +#server_notices: +# system_mxid_localpart: notices +# system_mxid_display_name: "Server Notices" +# system_mxid_avatar_url: "mxc://server.com/oumMVlgDnLYFaPVkExemNVVZ" +# room_name: "Server Notices" + + + +# Uncomment to disable searching the public room list. When disabled +# blocks searching local and remote room lists for local and remote +# users by always returning an empty list for all queries. +# +#enable_room_list_search: false + +# The `alias_creation` option controls who's allowed to create aliases +# on this server. +# +# The format of this option is a list of rules that contain globs that +# match against user_id, room_id and the new alias (fully qualified with +# server name). The action in the first rule that matches is taken, +# which can currently either be "allow" or "deny". +# +# Missing user_id/room_id/alias fields default to "*". +# +# If no rules match the request is denied. An empty list means no one +# can create aliases. +# +# Options for the rules include: +# +# user_id: Matches against the creator of the alias +# alias: Matches against the alias being created +# room_id: Matches against the room ID the alias is being pointed at +# action: Whether to "allow" or "deny" the request if the rule matches +# +# The default is: +# +#alias_creation_rules: +# - user_id: "*" +# alias: "*" +# room_id: "*" +# action: allow + +# The `room_list_publication_rules` option controls who can publish and +# which rooms can be published in the public room list. +# +# The format of this option is the same as that for +# `alias_creation_rules`. +# +# If the room has one or more aliases associated with it, only one of +# the aliases needs to match the alias rule. If there are no aliases +# then only rules with `alias: *` match. +# +# If no rules match the request is denied. An empty list means no one +# can publish rooms. +# +# Options for the rules include: +# +# user_id: Matches agaisnt the creator of the alias +# room_id: Matches against the room ID being published +# alias: Matches against any current local or canonical aliases +# associated with the room +# action: Whether to "allow" or "deny" the request if the rule matches +# +# The default is: +# +#room_list_publication_rules: +# - user_id: "*" +# alias: "*" +# room_id: "*" +# action: allow + + +# Server admins can define a Python module that implements extra rules for +# allowing or denying incoming events. In order to work, this module needs to +# override the methods defined in synapse/events/third_party_rules.py. +# +# This feature is designed to be used in closed federations only, where each +# participating server enforces the same rules. +# +#third_party_event_rules: +# module: "my_custom_project.SuperRulesSet" +# config: +# example_option: 'things' + + +## Opentracing ## + +# These settings enable opentracing, which implements distributed tracing. +# This allows you to observe the causal chains of events across servers +# including requests, key lookups etc., across any server running +# synapse or any other other services which supports opentracing +# (specifically those implemented with Jaeger). +# +opentracing: + # tracing is disabled by default. Uncomment the following line to enable it. + # + #enabled: true + + # The list of homeservers we wish to send and receive span contexts and span baggage. + # See docs/opentracing.rst + # This is a list of regexes which are matched against the server_name of the + # homeserver. + # + # By defult, it is empty, so no servers are matched. + # + #homeserver_whitelist: + # - ".*" + + # Jaeger can be configured to sample traces at different rates. + # All configuration options provided by Jaeger can be set here. + # Jaeger's configuration mostly related to trace sampling which + # is documented here: + # https://www.jaegertracing.io/docs/1.13/sampling/. + # + #jaeger_config: + # sampler: + # type: const + # param: 1 + + # Logging whether spans were started and reported + # + # logging: + # false diff --git a/roles/matrix/templates/synapse/config/turn.yaml b/roles/matrix/templates/synapse/config/turn.yaml new file mode 100644 index 0000000..c1fd306 --- /dev/null +++ b/roles/matrix/templates/synapse/config/turn.yaml @@ -0,0 +1,29 @@ +{} + +## TURN ## + +# The public URIs of the TURN server to give to clients +# +#turn_uris: [] + +# The shared secret used to compute passwords for the TURN server +# +#turn_shared_secret: "YOUR_SHARED_SECRET" + +# The Username and password if the TURN server needs them and +# does not use a token +# +#turn_username: "TURNSERVER_USERNAME" +#turn_password: "TURNSERVER_PASSWORD" + +# How long generated TURN credentials last +# +#turn_user_lifetime: 1h + +# Whether guests should be allowed to use the TURN server. +# This defaults to True, otherwise VoIP will be unreliable for guests. +# However, it does introduce a slight security risk as it allows users to +# connect to arbitrary endpoints without having first signed up for a +# valid account (e.g. by passing a CAPTCHA). +# +#turn_allow_guests: true diff --git a/roles/matrix/templates/synapse/config/url_preview.yaml b/roles/matrix/templates/synapse/config/url_preview.yaml new file mode 100644 index 0000000..c774b94 --- /dev/null +++ b/roles/matrix/templates/synapse/config/url_preview.yaml @@ -0,0 +1,104 @@ +# Is the preview URL API enabled? +# +# 'false' by default: uncomment the following to enable it (and specify a +# url_preview_ip_range_blacklist blacklist). +# +url_preview_enabled: true + +# List of IP address CIDR ranges that the URL preview spider is denied +# from accessing. There are no defaults: you must explicitly +# specify a list for URL previewing to work. You should specify any +# internal services in your network that you do not want synapse to try +# to connect to, otherwise anyone in any Matrix room could cause your +# synapse to issue arbitrary GET requests to your internal services, +# causing serious security issues. +# +# (0.0.0.0 and :: are always blacklisted, whether or not they are explicitly +# listed here, since they correspond to unroutable addresses.) +# +# This must be specified if url_preview_enabled is set. It is recommended that +# you uncomment the following list as a starting point. +# +url_preview_ip_range_blacklist: + - '127.0.0.0/8' + - '10.0.0.0/8' + - '172.16.0.0/12' + - '192.168.0.0/16' + - '100.64.0.0/10' + - '169.254.0.0/16' + - '::1/128' + - 'fe80::/64' + - 'fc00::/7' + +# List of IP address CIDR ranges that the URL preview spider is allowed +# to access even if they are specified in url_preview_ip_range_blacklist. +# This is useful for specifying exceptions to wide-ranging blacklisted +# target IP ranges - e.g. for enabling URL previews for a specific private +# website only visible in your network. +# +#url_preview_ip_range_whitelist: +# - '192.168.1.1' + +# Optional list of URL matches that the URL preview spider is +# denied from accessing. You should use url_preview_ip_range_blacklist +# in preference to this, otherwise someone could define a public DNS +# entry that points to a private IP address and circumvent the blacklist. +# This is more useful if you know there is an entire shape of URL that +# you know that will never want synapse to try to spider. +# +# Each list entry is a dictionary of url component attributes as returned +# by urlparse.urlsplit as applied to the absolute form of the URL. See +# https://docs.python.org/2/library/urlparse.html#urlparse.urlsplit +# The values of the dictionary are treated as an filename match pattern +# applied to that component of URLs, unless they start with a ^ in which +# case they are treated as a regular expression match. If all the +# specified component matches for a given list item succeed, the URL is +# blacklisted. +# +url_preview_url_blacklist: + # blacklist any URL with a username in its URI + - username: '*' +# +# # blacklist all *.google.com URLs +# - netloc: 'google.com' +# - netloc: '*.google.com' +# +# # blacklist all plain HTTP URLs +# - scheme: 'http' +# +# # blacklist http(s)://www.acme.com/foo +# - netloc: 'www.acme.com' +# path: '/foo' +# +# # blacklist any URL with a literal IPv4 address +# - netloc: '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$' + +# The largest allowed URL preview spidering size in bytes +# +#max_spider_size: 10M + +# A list of values for the Accept-Language HTTP header used when +# downloading webpages during URL preview generation. This allows +# Synapse to specify the preferred languages that URL previews should +# be in when communicating with remote servers. +# +# Each value is a IETF language tag; a 2-3 letter identifier for a +# language, optionally followed by subtags separated by '-', specifying +# a country or region variant. +# +# Multiple values can be provided, and a weight can be added to each by +# using quality value syntax (;q=). '*' translates to any language. +# +# Defaults to "en". +# +# Example: +# +# url_preview_accept_language: +# - en-UK +# - en-US;q=0.9 +# - fr;q=0.8 +# - *;q=0.7 +# +url_preview_accept_language: + - ru + - en;q=0.9 diff --git a/roles/matrix/templates/synapse/log_config.yml b/roles/matrix/templates/synapse/log_config.yml new file mode 100644 index 0000000..e6618e1 --- /dev/null +++ b/roles/matrix/templates/synapse/log_config.yml @@ -0,0 +1,35 @@ +# Log configuration for Synapse. +# +# This is a YAML file containing a standard Python logging configuration +# dictionary. See [1] for details on the valid settings. +# +# [1]: https://docs.python.org/3.7/library/logging.config.html#configuration-dictionary-schema + +version: 1 + +formatters: + precise: + format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s - %(message)s' + +filters: + context: + (): synapse.logging.context.LoggingContextFilter + request: '' + +handlers: + console: + class: logging.StreamHandler + formatter: precise + filters: [context] + +loggers: + synapse.storage.SQL: + # beware: increasing this to DEBUG will make synapse log sensitive + # information such as access tokens. + level: INFO + +root: + level: INFO + handlers: [console] + +disable_existing_loggers: false diff --git a/roles/matrix/templates/synapse/matrix-synapse.service b/roles/matrix/templates/synapse/matrix-synapse.service new file mode 100644 index 0000000..381f496 --- /dev/null +++ b/roles/matrix/templates/synapse/matrix-synapse.service @@ -0,0 +1,18 @@ +[Unit] +After=network.target +Description=Matrix Synapse + +[Service] +ExecStart={{ matrix__synapse__venv_dir }}/bin/synctl --no-daemonize start {{ matrix__synapse__conf_subdir }} +Group={{ matrix__synapse__group }} +Restart=always +RestartSec=1 +StandardOutput=syslog +StandardError=syslog +SyslogIdentifier={{ matrix__synapse__service }} +Type=simple +User={{ matrix__synapse__user }} +WorkingDirectory={{ matrix__synapse__opt_dir }} + +[Install] +WantedBy=multi-user.target diff --git a/roles/matrix/templates/tmpfiles.d/matrix.conf b/roles/matrix/templates/tmpfiles.d/matrix.conf new file mode 100644 index 0000000..2ad0653 --- /dev/null +++ b/roles/matrix/templates/tmpfiles.d/matrix.conf @@ -0,0 +1,2 @@ +d {{ matrix__run_dir }} 0775 root root +d {{ matrix__synapse__run_dir }} 0775 matrix-synapse matrix-synapse diff --git a/roles/matrix/vars/main.yml b/roles/matrix/vars/main.yml new file mode 100644 index 0000000..a101650 --- /dev/null +++ b/roles/matrix/vars/main.yml @@ -0,0 +1,66 @@ +--- +matrix__synapse__user: 'matrix-synapse' +matrix__synapse__group: 'matrix-synapse' +matrix__synapse__service: 'matrix-synapse' + +matrix__media_repo__user: 'matrix-media-repo' +matrix__media_repo__group: 'matrix-media-repo' +matrix__media_repo__service: 'matrix-media-repo' + +matrix__static__user: 'matrix-static' +matrix__static__group: 'matrix-static' +matrix__static__service: 'matrix-static' + +matrix__synapse__port: 8001 +matrix__media_repo__port: 8002 +matrix__static__port: 8003 + +matrix__conf_dir: '/etc/matrix' +matrix__opt_dir: '/opt/matrix' +matrix__lib_dir: '/var/lib/matrix' +matrix__run_dir: '/var/run/matrix' + +matrix__synapse__conf_dir: '{{ matrix__conf_dir }}/synapse' +matrix__synapse__opt_dir: '{{ matrix__opt_dir }}/synapse' +matrix__synapse__lib_dir: '{{ matrix__lib_dir }}/synapse' +matrix__synapse__run_dir: '{{ matrix__run_dir }}/synapse' + +matrix__media_repo__conf_dir: '{{ matrix__conf_dir }}/media_repo' +matrix__media_repo__opt_dir: '{{ matrix__opt_dir }}/media_repo' +matrix__media_repo__lib_dir: '{{ matrix__lib_dir }}/media_repo' + +matrix__static__conf_dir: '{{ matrix__conf_dir }}/static' +matrix__static__opt_dir: '{{ matrix__opt_dir }}/static' + +matrix__element__opt_dir: '{{ matrix__opt_dir }}/element' + +matrix__synapse__conf_subdir: '{{ matrix__synapse__conf_dir }}/config' +matrix__synapse__log_conf_file: '{{ matrix__synapse__conf_dir }}/log_config.yml' +matrix__synapse__key_file: '{{ matrix__synapse__conf_dir }}/signing_key' +matrix__synapse__venv_dir: '{{ matrix__synapse__opt_dir }}/venv' +matrix__synapse__media_dir: '{{ matrix__synapse__lib_dir }}/media_store' +matrix__synapse__db_file: '{{ matrix__synapse__lib_dir }}/homeserver.db' +matrix__synapse__pid_file: '{{ matrix__synapse__run_dir }}/homeserver.pid' + +matrix__media_repo__conf_file: '{{ matrix__media_repo__conf_dir }}/config.yaml' +matrix__media_repo__archive_file: '{{ matrix__media_repo__opt_dir }}/src.tar.gz' +matrix__media_repo__src_dir: '{{ matrix__media_repo__opt_dir }}/src' + +matrix__static__conf_file: '{{ matrix__static__conf_dir }}/config.json' +matrix__static__archive_file: '{{ matrix__static__opt_dir }}/src.tar.gz' +matrix__static__src_dir: '{{ matrix__static__opt_dir }}/src' +matrix__static__bin_dir: '{{ matrix__static__opt_dir }}/bin' + +matrix__element__archive_file: '{{ matrix__element__opt_dir }}/src.tar.gz' +matrix__element__src_dir: '{{ matrix__element__opt_dir }}/src' +matrix__element__conf_file: '{{ matrix__element__src_dir }}/config.json' + +matrix__synapse__service_file: '/etc/systemd/system/{{ matrix__synapse__service }}.service' +matrix__media_repo__service_file: '/etc/systemd/system/{{ matrix__media_repo__service }}.service' +matrix__static__service_file: '/etc/systemd/system/{{ matrix__static__service }}.service' + +matrix__static__url: 'https://github.com/matrix-org/matrix-static/archive/0.3.0.tar.gz' +matrix__element__url: 'https://github.com/vector-im/riot-web/releases/download/v1.7.1/riot-v1.7.1.tar.gz' + +matrix__static__checksum: 'sha256:6de2b7360b2deaef7c011acebd061d6bcdae3799ee40a2f7f371744920aa45eb' +matrix__element__checksum: 'sha256:5e69f862529d429d2d9064de210c16364de48cd38d0ef8ee9a099c096071b5ab' diff --git a/templates/pg_backup b/templates/pg_backup new file mode 100644 index 0000000..6a4c1a7 --- /dev/null +++ b/templates/pg_backup @@ -0,0 +1,4 @@ +#!/bin/sh -e + +sudo -u postgres sh -e -c "test -d {{ postgresql_backups_dir }} && find {{ postgresql_backups_dir }} -type f -mtime +7 -exec rm {} \;" +sudo -u postgres sh -e -c "mkdir -p {{ postgresql_backups_dir }} && umask 077 && pg_dumpall | gzip > {{ postgresql_backups_dir }}/$(TZ=UTC date +"%Y_%m_%d_%H_%M_%S").gz"