
Revert "Remove hosts"

This reverts commit b11f609d18.
This commit is contained in:
Alex Kotov 2020-10-09 16:50:47 +05:00
parent b11f609d18
commit 5f9a788354
Signed by: kotovalexarian
GPG key ID: 553C0EBBEB5D5F08
39 changed files with 3984 additions and 1 deletions


@ -16,7 +16,7 @@ fi
extra_opts="--extra-vars admin=$admin"
for vault_id in kotovalexarian xuhcc
for vault_id in kotovalexarian xuhcc postgres matrix
do
if [ -f "$ROOT/secrets/$vault_id" ]; then
extra_opts="$extra_opts --vault-id $vault_id@$ROOT/secrets/$vault_id"
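Review bot: The vault ids added back to the loop are appended into the `extra_opts` string, and the later expansion of `$extra_opts` (outside this hunk, presumably unquoted so the options split into words) breaks as soon as `$ROOT` contains whitespace; a bash array keeps each option intact. Change the assignment to `extra_opts=(--extra-vars "admin=$admin")`, the loop body to `extra_opts+=(--vault-id "$vault_id@$ROOT/secrets/$vault_id")`, and expand it as `"${extra_opts[@]}"` at the call site. The loop also silently skips an id whose secrets file is absent; since the `matrix` and `postgres` ids are now required by the vaulted host_vars in this commit, a missing file only surfaces later as a decrypt error, so `echo "warning: no secrets file for vault id $vault_id" >&2` in an `else` branch would make that visible up front. The enclosing script starts and ends outside the hunk.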

11
group_vars/postgres.yml Normal file

@ -0,0 +1,11 @@
---
common__certbot__post_hook: null
common__certbot__pre_hook: null
common__iptables__drop_by_default: true
postgresql_backups_dir: '/var/lib/postgresql/backups/12/main'
postgresql_global_config_options:
- option: listen_addresses
value: '*'
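Review bot: `listen_addresses` set to `'*'` binds PostgreSQL on every interface, so exposure rests entirely on the `pg_hba` reject entries and the iptables filter set in the postgres host_vars; binding to the specific addresses the Synapse and media-repo hosts connect from would add a second, independent layer. Only 8 of the 11 added lines are rendered on this page, so a later option may already narrow this. A comment above the option, e.g. `# Listens on all interfaces; access is restricted by pg_hba and the iptables filter in host_vars`, would at least record that the exposure is intentional.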


@ -0,0 +1,180 @@
---
ansible_become_pass_for:
kotovalexarian: !vault |
$ANSIBLE_VAULT;1.2;AES256;kotovalexarian
61643339313266356538643266316138633738616632633531383730383433633030656633383431
3335393862333133643030613131636232663434636164650a376464396333323662363037376164
38356164613536633139643333383362363531343933363661356532663838656336363166616638
3032303434366266330a376439396233363065323135613963633265373435636530646433343036
65663336353266323636633339313236353565353431363965303762643766356562313566383031
3536363333616139613738336566633937313539623536316666
xuhcc: !vault |
$ANSIBLE_VAULT;1.2;AES256;xuhcc
33613837643333393933646163323464336164353963353039323338366339343137356134353164
6135373037323262663461626430376134636433393037360a666435393133653763323834393530
38643437613437643939386232393762326536363532376266643034623833316137376233363962
3237346330633334630a613565623237616361623635343466303538613066653166316566616233
63623962363933656164623338346435346538646364383539383363346666393533
ansible_become_pass: "{{ ansible_become_pass_for[admin] }}"
common__certbot__cert_name: 'matrix.crypto-libertarian.com'
common__certbot__cert_domains:
- 'matrix.crypto-libertarian.com'
- 'element.crypto-libertarian.com'
common__certbot__post_hook: 'systemctl is-active nginx.service || systemctl start nginx.service'
common__certbot__pre_hook: 'systemctl is-active nginx.service && systemctl stop nginx.service || true'
common__nginx__state: install
common__nginx__remove_default: true
matrix__site_host: 'crypto-libertarian.com'
matrix__base_host: 'matrix.crypto-libertarian.com'
matrix__web_host: 'element.crypto-libertarian.com'
matrix__site_url: 'https://crypto-libertarian.com'
matrix__base_url: 'https://matrix.crypto-libertarian.com'
matrix__web_url: 'https://element.crypto-libertarian.com'
matrix__admin_contact: 'mailto:kotovalexarian@gmail.com'
matrix__admin_user: '@kotovalexarian:crypto-libertarian.com'
matrix__nginx__ssl_cert: '/etc/letsencrypt/live/matrix.crypto-libertarian.com/fullchain.pem'
matrix__nginx__ssl_key: '/etc/letsencrypt/live/matrix.crypto-libertarian.com/privkey.pem'
matrix__synapse__pg_enable: true
matrix__synapse__pg_host: 'postgres.crypto-libertarian.com'
matrix__synapse__pg_username: 'matrix_synapse'
matrix__synapse__pg_database: 'matrix_synapse'
matrix__synapse__pg_password: !vault |
$ANSIBLE_VAULT;1.2;AES256;matrix
36666361363761366636626266613931326432313530356361643535396534623435393432386135
3366346639386430646334333361303565653436343335660a393766303963633761343738663836
61636264656534653934663835373934613963326563376435656634326633373263393735613932
3164633537313039380a396638626366333639393463376666353534653837313438613435396333
66303235616232343966336639313034383964623334663961313234376332333338343961313562
3366623965646237633733373165346366333436373139346435
matrix__synapse__signing_key: !vault |
$ANSIBLE_VAULT;1.2;AES256;matrix
63353038343038626239333939363961393638343834316163316330376237626339303634613162
3934313537333630633931333930343264323639303537390a353532636532626433393132376138
35376235366533353763656331343034333431366333643934623537316665663730646532623039
3433336635643134300a373334623136396635363530646161323735336230363737333362383235
37646636346139366566666339616338346134373766373664316632373061333035643039336665
62373562326133653461373763383337623339303832626335396530373162303337313134346265
356230363135373266663736326238663931
matrix__synapse__reg_secret: !vault |
$ANSIBLE_VAULT;1.2;AES256;matrix
66386664663864336530613438643534666361306331366639393261303933613430333934613833
6532383963306639616263616162353339633333343865350a666634323966373066643639616332
33346436323230386264343535376161376531376434626563373961636562343533303934363234
3033633366663030370a633566336136626138343930386237643736353166626334653364373162
63356337363962373331333865616663336634373133633165633833653166373939376231356439
63303839386134653333663462613136623937393162373465613233623931643039613339336462
346332383032363866643637376563376639
matrix__synapse__macaroon_secret: !vault |
$ANSIBLE_VAULT;1.2;AES256;matrix
62653661363330626261303164636665336164383662343462373061356561326338343830306534
3339633839333036333561643438346562646636333539650a396565306430653965303765396537
63333437633964333236643239633561373332373365663835613437386139383333323364386462
6638346532306130620a626563326663333562313464346338626533666237616231666465653239
66336332663130623862396636373435303438383066313932653532333337316263613964343165
66656639666664323933316339396634613134356336383239353638643730636235633732333764
396330653436636161313939646233653834
matrix__synapse__form_secret: !vault |
$ANSIBLE_VAULT;1.2;AES256;matrix
30386164303933346363353063653137366636636535393761383930336132396162623835656134
6563663236623163613865633638343530336337353261310a636636636639326162633933306131
66383137393839396164633638336564356562666462383935373961313964316165343232343839
3637623531363435610a356134316431343639336462333838373438323664643235346337663834
33366663666563613733386135316665323735626336333039383333313232313862623564643937
35643863343836656163653764353035326433653239393034386433663165663066343764613834
363666366630653364303235643064303031
matrix__synapse__recaptcha_public_key: '6LcJ26wZAAAAABVW68GFDaZn0RM1Ros6DUfkND_9'
matrix__synapse__recaptcha_private_key: !vault |
$ANSIBLE_VAULT;1.2;AES256;matrix
64663161393264383535653233343433613131393065626564613937306666373932636464383763
3464613232333631656535396431643037616636353231660a313936613636666663633437353530
34613433306136373131363862313161656637373936366163313966643762656136376331306133
3932306230633030340a633639643332313765333963356131376238313762343130303065613533
32363433373132623431663763646434353666333837663738363766383566313463313139623939
3330643537663461333330336266396531363763376236643061
matrix__media_repo__postgres: !vault |
$ANSIBLE_VAULT;1.2;AES256;matrix
32343261616564383739383139636636306637616137366138623032303963363532326563303438
6263636534386534643539386138313965663533623935340a366531316136653131646137353566
30623962613061323939313230326433636330356436626366363464353762303832393332396536
3564376330383237310a643338663061636662343662346137333039636230666137656537383336
66383635323464623663303032303532393639313361646231323436613065373565623239376366
36613233626465376230646138356135636662663965373061616433656665356135616337386236
61316463386265336236346636626465353166373833336534343536313437306164663965646162
39353733353533353533306434353539383463346563656433313532376632343935653036393437
63386539326464346261393666326132383034623264663431313465343636376433343535356432
31633835356235376462656635383931363339353138353537326633393261313464383332393738
643434393863366439623237653737353439
matrix__media_repo__s3_endpoint: 's3.eu-central-1.amazonaws.com'
matrix__media_repo__s3_bucket: 'crypto-libertarian-matrix-media-repo'
matrix__media_repo__s3_access_key: !vault |
$ANSIBLE_VAULT;1.2;AES256;matrix
35326162306233313937646565623563636538376464643739313462323535393366363262323565
3465623639303935623461336230646439663839343331320a663635343239366366623062346630
37626332323965383738366532313665383564366132383530613762643836333831393735666438
6132393437343464390a336339383439326338646137356634333534636236326438646433353965
63376165363038326337346139303961373565346265393836396439656131633263
matrix__media_repo__s3_access_secret: !vault |
$ANSIBLE_VAULT;1.2;AES256;matrix
36316562306261323138663361353762393736343765346435633631353734663765343638383265
3132383663393161306464386336396265363962313764320a653862343933666461666134383434
38623661326462303962376535373862303235353131363361633736336231336536633338643233
3539663031633038360a316433343432663865393738366633376235653839326232663134303931
65363837313464616536333934353062353962363365353831623234363939636333616634323832
3466656664353839333966643333336432303435663232646664
matrix__static__user_id: '@1:crypto-libertarian.com'
matrix__static__access_token: !vault |
$ANSIBLE_VAULT;1.2;AES256;matrix
66626138616337666537383562623139356364633837376133326235396662306330663666336333
6538623736613538373235623866333066396539396138320a316363393664363332353138386261
34313935326433623763656433326533323233623738313063623938336664663230623033373032
3831393536313235300a313935313636353762346437633366336433343666383630373232616338
35346636343137356530373538303437306461393663393862356666326430363339333739653434
65343963653731626133343636633035393661373634373066633165356566623538663862376662
36343865643637306432656563626566666362393737666461316435666664323735323439653839
65353937393265356264316238356636376635356263623364363564616234616330646638323635
30326436656366336562393332386565616338643565316637343336663133373532636634323932
30333566363866313432366164613537353230356630383830653463623233316539326337316638
39356663343938356266373162333166366437303033643366313137323332643938626266303165
31636662663937613638366433316433393662386637623331383761393866336234633332306434
65363063636562633762373232323639393435623765376265613638616265353363636439373537
66633335303564656637653933363730366462363164306334386166663534333738356266626439
63393336333666616335656566653835393163656430333631386364396364313666333833633932
31663530646237376630366632336661316561336233636637333761363739343639363536626665
39376636373630383034393966316335363138643334396432346638633865383435313139663937
31336165666466613733326135656433633461653237396533643237353463363665646338663164
63316430663163303434346233316464386634623836373664336366313961353963663632666362
64626636376466333139
common__iptables__drop_by_default: true
common__iptables__v4_filter: |
# Allow incoming HTTP, HTTPS, Matrix.
-A INPUT -p tcp -m multiport --dport 80,443,8448 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m multiport --sport 80,443,8448 -m conntrack --ctstate ESTABLISHED -j ACCEPT
# Deny other HTTP, HTTPS, Matrix.
-A INPUT -p tcp -m multiport --dport 80,443,8448 -j REJECT
-A OUTPUT -p tcp -m multiport --sport 80,443,8448 -j REJECT
common__iptables__v6_filter: '{{ common__iptables__v4_filter }}'
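Review bot: The host_vars set `matrix__nginx__ssl_cert` and `matrix__nginx__ssl_key`, but the role defaults added in this same commit (the `defaults/main.yml` section further down) declare `matrix__base_ssl_cert`, `matrix__web_ssl_cert`, `matrix__base_ssl_key` and `matrix__web_ssl_key` instead; unless the nginx template, which is not part of this commit, reads the `matrix__nginx__*` names, the host values are ignored and the defaults' `matrix.example.com` paths end up in the vhost. Either rename the two host entries to the defaults' names, e.g. `matrix__base_ssl_cert: '/etc/letsencrypt/live/matrix.crypto-libertarian.com/fullchain.pem'` with the matching `matrix__web_ssl_cert`, `matrix__base_ssl_key` and `matrix__web_ssl_key` entries, or add `matrix__nginx__ssl_cert` and `matrix__nginx__ssl_key` to the defaults so the role's variable set is declared in one place. The vaulted values and the plaintext reCAPTCHA site key are fine as written, since the site key is public by design.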


@ -0,0 +1,155 @@
---
ansible_become_pass_for:
kotovalexarian: !vault |
$ANSIBLE_VAULT;1.2;AES256;kotovalexarian
61623634613531666632363233346539303131313038666132643464313263356162616661336339
6437356339396139346435636462613163396332313135620a383962643839393764616130663264
39363331653837376434613266623331333563343264383365336234666230633334313338623938
3562303035333732360a393931353339653539323732316137363532316234306461393265633763
64343336303765646239386265306435323230303764376439346530646138323137333461383766
3534613339653530643635316531356166313735623339613937
xuhcc: !vault |
$ANSIBLE_VAULT;1.2;AES256;xuhcc
33343933353961653437653139333435306663383434646339353763303530353731383438653337
3531393762396135366332396632653036346333623133650a306162326438333931303862383330
39626564333130623731343339663764643632323566393734346565353934656561386462326434
6538303365386631640a366330333135313464333962313638643465613836643037323833626131
39623562376439376665636537396339613462356131343763323437623334323463
ansible_become_pass: "{{ ansible_become_pass_for[admin] }}"
common__certbot__cert_name: 'postgres.crypto-libertarian.com'
common__certbot__cert_domains:
- 'postgres.crypto-libertarian.com'
postgresql_users:
- name: matrix_synapse
password: !vault |
$ANSIBLE_VAULT;1.2;AES256;postgres
65363838636633623362663839303333346337646138333862373831343162343161356435336565
3032626439376630656338373464376463663935366134660a316136373261303331633836633937
30646533386163313136656138633437386366616234383265366261346636396130626333333235
3264356332336461320a323065616231663165613737646566336434663862306333393465366261
33373533393361356664343337353861313334623136353138643834336236306662383032316432
3336623036373964313036633434626239396139336666393361
- name: matrix_media_repo
password: !vault |
$ANSIBLE_VAULT;1.2;AES256;postgres
39386236643763333734653936616466376334636166646133653335626365373039356262376161
3439353138643533613166333562663134666539653431340a636231353663633033363034643232
63393063346332353765343961383730633266613532656234336266623538376332636361353932
6634626266333033330a626536333161663239353831306466323038373961663132306334386437
64376231643964363935633531643938616430396664393237613361626465373536643339656566
6233663734316163386434343332346364363362653934363162
postgresql_databases:
- name: matrix_synapse
owner: matrix_synapse
lc_collate: C
lc_ctype: C
- name: matrix_media_repo
owner: matrix_media_repo
lc_collate: C
lc_ctype: C
postgresql_hba_entries:
- type: local
database: all
user: all
auth_method: peer
- type: host
database: all
user: all
address: '127.0.0.1/32'
auth_method: md5
- type: host
database: all
user: all
address: '::1/128'
auth_method: md5
- type: hostssl
database: matrix_synapse
user: matrix_synapse
address: '134.209.196.172/32'
auth_method: md5
- type: hostssl
database: matrix_synapse
user: matrix_synapse
address: '2a03:b0c0:2:f0::142:3001/128'
auth_method: md5
- type: hostssl
database: matrix_synapse
user: matrix_synapse
address: '10.133.8.214/32'
auth_method: md5
- type: hostssl
database: matrix_media_repo
user: matrix_media_repo
address: '134.209.196.172/32'
auth_method: md5
- type: hostssl
database: matrix_media_repo
user: matrix_media_repo
address: '2a03:b0c0:2:f0::142:3001/128'
auth_method: md5
- type: hostssl
database: matrix_media_repo
user: matrix_media_repo
address: '10.133.8.214/32'
auth_method: md5
- type: host
database: all
user: all
address: '0.0.0.0/0'
auth_method: reject
- type: host
database: all
user: all
address: '::/0'
auth_method: reject
common__iptables__v4_filter: |
# Allow incoming HTTP for Certbot to work.
-A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp --sport 80 -m conntrack --ctstate ESTABLISHED -j ACCEPT
# Deny other HTTP.
-A INPUT -p tcp --dport 80 -j REJECT
-A OUTPUT -p tcp --dport 80 -j REJECT
# Allow incoming PostgreSQL from specific hosts.
-A INPUT -p tcp --dport 5432 -s 134.209.196.172/32 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp --sport 5432 -d 134.209.196.172/32 -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 5432 -s 10.133.8.214/32 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp --sport 5432 -d 10.133.8.214/32 -m conntrack --ctstate ESTABLISHED -j ACCEPT
# Deny other PostgreSQL.
-A INPUT -p tcp --dport 5432 -j REJECT
-A OUTPUT -p tcp --sport 5432 -j REJECT
common__iptables__v6_filter: |
# Allow incoming HTTP for Certbot to work.
-A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp --sport 80 -m conntrack --ctstate ESTABLISHED -j ACCEPT
# Deny other HTTP.
-A INPUT -p tcp --dport 80 -j REJECT
-A OUTPUT -p tcp --dport 80 -j REJECT
# Allow incoming PostgreSQL from specific hosts.
-A INPUT -p tcp --dport 5432 -s 2a03:b0c0:2:f0::142:3001/128 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp --sport 5432 -d 2a03:b0c0:2:f0::142:3001/128 -m conntrack --ctstate ESTABLISHED -j ACCEPT
# Deny other PostgreSQL.
-A INPUT -p tcp --dport 5432 -j REJECT
-A OUTPUT -p tcp --sport 5432 -j REJECT
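Review bot: The "Deny other HTTP" OUTPUT rule in both the v4 and v6 filters reads `-A OUTPUT -p tcp --dport 80 -j REJECT`, which rejects the host's own outgoing HTTP connections (plain-HTTP apt mirrors, OCSP lookups) rather than the reply traffic of unsolicited inbound port-80 flows; every other OUTPUT rule in these filters, and the matching rule in the matrix host_vars, uses `--sport`, so this looks like a typo for `-A OUTPUT -p tcp --sport 80 -j REJECT`. Separately, the `hostssl` entries in `postgresql_hba_entries` use `auth_method: md5`; the backups path in group_vars names PostgreSQL 12, where `scram-sha-256` is available and avoids the MD5 password scheme, though switching also needs `password_encryption: scram-sha-256` in `postgresql_global_config_options` and the two users' passwords re-set under it. The pg_hba source addresses match the iptables allow rules exactly, and the trailing `reject` entries for `0.0.0.0/0` and `::/0` close the default, which is good.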

5
hosts

@ -1 +1,6 @@
git.crypto-libertarian.com
matrix.crypto-libertarian.com
postgres.crypto-libertarian.com
[postgres]
postgres.crypto-libertarian.com


@ -0,0 +1,13 @@
---
- hosts: postgres
tasks:
- name: Find PostgreSQL dumps
find:
paths: '{{ postgresql_backups_dir }}'
register: postgresql_dumps
- name: Fetch PostgreSQL dumps
fetch:
src: '{{ item }}'
dest: ../../backups
with_items: "{{ postgresql_dumps.files | map(attribute='path') | list }}"
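Review bot: The `find` task has no `patterns` or `age` filter, so every file under `postgresql_backups_dir` is fetched on each run, including a dump the daily cron job may still be writing at that moment; adding `age: 1m` (or a `patterns` glob matching finished dump names) to the `find` task would skip in-progress files. The fetched dumps hold the full Synapse and media-repo databases, so the controller-side `../../backups` directory needs the same care as the vault files; a comment on the fetch task such as `# Dumps land unencrypted under ../../backups on the controller; keep that directory out of VCS and restrict its permissions` would record that.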


@ -1,2 +1,3 @@
---
- import_playbook: git.yml
- import_playbook: postgres.yml


@ -0,0 +1,11 @@
---
- hosts: matrix.crypto-libertarian.com
module_defaults:
apt:
force_apt_get: true
update_cache: true
cache_valid_time: 86400
roles:
- name: kotovalexarian.common
tags: common
- ../../roles/matrix
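Review bot: `hosts: matrix.crypto-libertarian.com` targets the inventory host by name, while the sibling `postgres.yml` added in this commit targets the `[postgres]` group from the `hosts` file; adding a `[matrix]` group there and writing `hosts: matrix` here would keep the two playbooks symmetric and avoid editing the playbook when the host is renamed or a second Matrix host is added.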


@ -0,0 +1,19 @@
---
- hosts: postgres
module_defaults:
apt:
force_apt_get: true
update_cache: true
cache_valid_time: 86400
roles:
- name: kotovalexarian.common
tags: common
- geerlingguy.postgresql
tasks:
- name: Create daily Cron job for PostgreSQL backup
template:
src: ../../templates/pg_backup
dest: /etc/cron.daily/pg_backup
mode: 'u=rwx,g=rx,o=rx'
owner: root
group: root


@ -1,2 +1,4 @@
---
- import_playbook: git.yml
- import_playbook: postgres.yml
- import_playbook: matrix.yml


@ -1,3 +1,5 @@
---
- src: kotovalexarian.common
version: v0.0.45
- src: geerlingguy.postgresql
version: 2.2.1


@ -0,0 +1,41 @@
---
matrix__site_host: 'example.com'
matrix__base_host: 'matrix.example.com'
matrix__web_host: 'element.example.com'
matrix__site_url: 'https://example.com'
matrix__base_url: 'https://matrix.example.com'
matrix__web_url: 'https://element.example.com'
matrix__admin_contact: 'mailto:user@example.com'
matrix__admin_user: '@user:example.com'
matrix__base_ssl_cert: '/etc/letsencrypt/live/matrix.example.com/fullchain.pem'
matrix__web_ssl_cert: '/etc/letsencrypt/live/element.example.com/fullchain.pem'
matrix__base_ssl_key: '/etc/letsencrypt/live/matrix.example.com/privkey.pem'
matrix__web_ssl_key: '/etc/letsencrypt/live/element.example.com/privkey.pem'
matrix__synapse__pg_enable: false
matrix__synapse__pg_host: 'postgres.example.com'
matrix__synapse__pg_port: 5432
matrix__synapse__pg_username: ''
matrix__synapse__pg_password: ''
matrix__synapse__pg_database: ''
matrix__synapse__signing_key: ''
matrix__synapse__reg_secret: ''
matrix__synapse__macaroon_secret: ''
matrix__synapse__form_secret: ''
matrix__synapse__recaptcha_public_key: ''
matrix__synapse__recaptcha_private_key: ''
matrix__media_repo__postgres: 'postgres://user:pass@example.com/dbname?sslmode=require'
matrix__media_repo__s3_endpoint: 's3.eu-central-1.amazonaws.com'
matrix__media_repo__s3_access_key: ''
matrix__media_repo__s3_access_secret: ''
matrix__media_repo__s3_bucket: 'example-matrix-media-repo'
matrix__static__user_id: ''
matrix__static__access_token: ''
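Review bot: The media-repo default connection string carries `?sslmode=require`, but the `matrix__synapse__pg_*` defaults expose no equivalent TLS option, so whether Synapse's connection to `matrix__synapse__pg_host` is encrypted depends on the database template, which this commit does not include; the postgres host only admits the `matrix_synapse` user through `hostssl` entries, so a plaintext attempt would be refused rather than sent in clear, but the intent belongs in the role. A comment such as `# Synapse connects over TLS; the sslmode is fixed in templates/synapse/config/database.yaml` (or a new `matrix__synapse__pg_sslmode: 'require'` default consumed by that template) would make it explicit. The empty-string defaults for the secrets are reasonable placeholders, given that the host_vars override them with vaulted values.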


@ -0,0 +1,26 @@
---
- name: Restart Nginx
systemd:
name: nginx
state: restarted
- name: Load, enable and restart Matrix Synapse
systemd:
name: '{{ matrix__synapse__service }}'
daemon_reload: true
enabled: true
state: restarted
- name: Load, enable and restart Matrix Media Repo
systemd:
name: '{{ matrix__media_repo__service }}'
daemon_reload: true
enabled: true
state: restarted
- name: Load, enable and restart Matrix Static
systemd:
name: '{{ matrix__static__service }}'
daemon_reload: true
enabled: true
state: restarted


@ -0,0 +1,21 @@
---
- name: Create Matrix directories
file:
state: directory
path: '{{ item }}'
mode: 'u=rwx,g=rwx,o=rx'
owner: root
group: root
with_items:
- '{{ matrix__conf_dir }}'
- '{{ matrix__opt_dir }}'
- '{{ matrix__lib_dir }}'
- '{{ matrix__run_dir }}'
- name: Recreate Matrix rundirs
template:
src: '../templates/tmpfiles.d/matrix.conf'
dest: '/etc/tmpfiles.d/matrix.conf'
mode: 'u=rw,g=r,o=r'
owner: root
group: root


@ -0,0 +1,37 @@
---
- name: Create Matrix Element directories
file:
state: directory
path: '{{ item }}'
mode: 'u=rwx,g=rwx,o=rx'
owner: root
group: root
with_items:
- '{{ matrix__element__opt_dir }}'
- '{{ matrix__element__src_dir }}'
- name: Get Matrix Element source code
get_url:
url: '{{ matrix__element__url }}'
checksum: '{{ matrix__element__checksum }}'
dest: '{{ matrix__element__archive_file }}'
mode: 'u=rw,g=rw,o=r'
owner: root
group: root
- name: Extract Matrix Element source code
unarchive:
remote_src: true
src: '{{ matrix__element__archive_file }}'
dest: '{{ matrix__element__src_dir }}'
creates: '{{ matrix__element__src_dir }}/index.html'
extra_opts:
- '--strip-components=1'
- name: Create Matrix Element config
template:
src: '../templates/element/config.json'
dest: '{{ matrix__element__conf_file }}'
mode: 'u=rw,g=rw,o=r'
owner: root
group: root


@ -0,0 +1,18 @@
---
- include_tasks: common.yml
- meta: flush_handlers
- include_tasks: nginx.yml
- meta: flush_handlers
- include_tasks: synapse.yml
- meta: flush_handlers
- include_tasks: media_repo.yml
- meta: flush_handlers
- include_tasks: static.yml
- meta: flush_handlers
- include_tasks: element.yml
- meta: flush_handlers


@ -0,0 +1,66 @@
---
- name: Install system packages for Matrix Media Repo
apt:
name: golang
notify: Load, enable and restart Matrix Media Repo
- name: Create Matrix Media Repo system group
group:
name: '{{ matrix__media_repo__group }}'
system: true
notify: Load, enable and restart Matrix Media Repo
- name: Create Matrix Media Repo system user
user:
name: '{{ matrix__media_repo__user }}'
group: '{{ matrix__media_repo__group }}'
system: true
create_home: true
home: '{{ matrix__media_repo__lib_dir }}'
notify: Load, enable and restart Matrix Media Repo
- name: Create Matrix Media Repo directories
file:
state: directory
path: '{{ item }}'
mode: 'u=rwx,g=rwx,o=rx'
owner: '{{ matrix__media_repo__user }}'
group: '{{ matrix__media_repo__group }}'
with_items:
- '{{ matrix__media_repo__conf_dir }}'
- '{{ matrix__media_repo__opt_dir }}'
- '{{ matrix__media_repo__src_dir }}'
notify: Load, enable and restart Matrix Media Repo
- name: Create Matrix Media Repo config
template:
src: '../templates/media_repo/config.yaml'
dest: '{{ matrix__media_repo__conf_file }}'
mode: 'u=rw,g=rw,o='
owner: '{{ matrix__media_repo__user }}'
group: '{{ matrix__media_repo__group }}'
notify: Load, enable and restart Matrix Media Repo
- name: Create Matrix Media Repo systemd service
template:
src: '../templates/media_repo/matrix-media-repo.service'
dest: '{{ matrix__media_repo__service_file }}'
mode: 'u=rw,g=rw,o=r'
owner: root
group: root
notify: Load, enable and restart Matrix Media Repo
- name: Get Matrix Media Repo source code
become_user: '{{ matrix__media_repo__user }}'
git:
repo: 'https://github.com/turt2live/matrix-media-repo.git'
dest: '{{ matrix__media_repo__src_dir }}'
version: 'b73a0082dd22e9ff447950b18e9ca49c73a6d912'
- name: Build Matrix Media Repo source code
become_user: '{{ matrix__media_repo__user }}'
command:
chdir: '{{ matrix__media_repo__src_dir }}'
creates: '{{ matrix__media_repo__src_dir }}/bin/media_repo'
cmd: '/bin/bash {{ matrix__media_repo__src_dir }}/build.sh'
notify: Load, enable and restart Matrix Media Repo


@ -0,0 +1,18 @@
---
- name: Create Nginx server configuration
template:
src: '../templates/nginx/matrix.conf'
dest: '/etc/nginx/sites-available/matrix.conf'
mode: 'u=rw,g=rw,o=r'
owner: root
group: root
notify: Restart Nginx
- name: Enable Nginx server configuration
file:
state: link
src: '/etc/nginx/sites-available/matrix.conf'
dest: '/etc/nginx/sites-enabled/matrix.conf'
owner: root
group: root
notify: Restart Nginx


@ -0,0 +1,108 @@
---
- name: Install system packages for Matrix Static
apt:
name: golang
notify: Load, enable and restart Matrix Static
- name: Create Matrix Static system group
group:
name: '{{ matrix__static__group }}'
system: true
notify: Load, enable and restart Matrix Static
- name: Create Matrix Static system user
user:
name: '{{ matrix__static__user }}'
group: '{{ matrix__static__group }}'
system: true
create_home: false
notify: Load, enable and restart Matrix Static
- name: Create Matrix Static directories
file:
state: directory
path: '{{ item }}'
mode: 'u=rwx,g=rwx,o=rx'
owner: '{{ matrix__static__user }}'
group: '{{ matrix__static__group }}'
with_items:
- '{{ matrix__static__conf_dir }}'
- '{{ matrix__static__opt_dir }}'
- '{{ matrix__static__src_dir }}'
- '{{ matrix__static__bin_dir }}'
notify: Load, enable and restart Matrix Static
- name: Create Matrix Static config
template:
src: '../templates/static/config.json'
dest: '{{ matrix__static__conf_file }}'
mode: 'u=rw,g=rw,o='
owner: '{{ matrix__static__user }}'
group: '{{ matrix__static__group }}'
notify: Load, enable and restart Matrix Static
- name: Create Matrix Static systemd service
template:
src: '../templates/static/matrix-static.service'
dest: '{{ matrix__static__service_file }}'
mode: 'u=rw,g=rw,o=r'
owner: root
group: root
notify: Load, enable and restart Matrix Static
- name: Get Matrix Static source code
get_url:
url: '{{ matrix__static__url }}'
checksum: '{{ matrix__static__checksum }}'
dest: '{{ matrix__static__archive_file }}'
mode: 'u=rw,g=rw,o=r'
owner: '{{ matrix__static__user }}'
group: '{{ matrix__static__group }}'
- name: Extract Matrix Static source code
become_user: '{{ matrix__static__user }}'
unarchive:
remote_src: true
src: '{{ matrix__static__archive_file }}'
dest: '{{ matrix__static__src_dir }}'
creates: '{{ matrix__static__src_dir }}/README.md'
extra_opts:
- '--strip-components=1'
- name: Get Quicktemplate source code
become_user: '{{ matrix__static__user }}'
git:
repo: 'https://github.com/valyala/quicktemplate.git'
dest: '{{ matrix__static__opt_dir }}/go-quicktemplate'
version: '1a0f4e9691adbb86df52cb2dd9adafa6a28585a0'
- name: Install Quicktemplate
become_user: '{{ matrix__static__user }}'
command:
chdir: '{{ matrix__static__opt_dir }}/go-quicktemplate/qtc'
creates: '{{ matrix__static__opt_dir }}/go/bin/qtc'
cmd: 'go install .'
environment:
GOPATH: '{{ matrix__static__opt_dir }}/go'
GOCACHE: '{{ matrix__static__opt_dir }}/go-cache'
- name: Run Go executable qtc
become_user: '{{ matrix__static__user }}'
command:
chdir: '{{ matrix__static__src_dir }}'
creates: '{{ matrix__static__src_dir }}/templates/basepage.qtpl.go'
cmd: '{{ matrix__static__opt_dir }}/go/bin/qtc'
environment:
GOPATH: '{{ matrix__static__opt_dir }}/go'
GOCACHE: '{{ matrix__static__opt_dir }}/go-cache'
- name: Build Matrix Static source code
become_user: '{{ matrix__static__user }}'
command:
chdir: '{{ matrix__static__src_dir }}'
creates: '{{ matrix__static__bin_dir }}/matrix-static'
cmd: 'go build -o {{ matrix__static__bin_dir }} ./cmd/...'
environment:
GOPATH: '{{ matrix__static__opt_dir }}/go'
GOCACHE: '{{ matrix__static__opt_dir }}/go-cache'
notify: Load, enable and restart Matrix Static


@ -0,0 +1,145 @@
---
- name: Install system packages for Matrix Synapse
apt:
name:
- build-essential
- libffi-dev
- libjpeg-dev
- libpq-dev
- libpq5
- libssl-dev
- libxml2-dev
- libxslt1-dev
- python3-dev
- python3-pip
- python3-setuptools
- sqlite3
- virtualenv
notify: Load, enable and restart Matrix Synapse
- name: Create Matrix Synapse system group
group:
name: '{{ matrix__synapse__group }}'
system: true
notify: Load, enable and restart Matrix Synapse
- name: Create Matrix Synapse system user
user:
name: '{{ matrix__synapse__user }}'
group: '{{ matrix__synapse__group }}'
system: true
create_home: false
notify: Load, enable and restart Matrix Synapse
- name: Create Matrix Synapse directories
file:
state: directory
path: '{{ item }}'
mode: 'u=rwx,g=rwx,o=rx'
owner: '{{ matrix__synapse__user }}'
group: '{{ matrix__synapse__group }}'
with_items:
- '{{ matrix__synapse__conf_dir }}'
- '{{ matrix__synapse__conf_subdir }}'
- '{{ matrix__synapse__opt_dir }}'
- '{{ matrix__synapse__lib_dir }}'
- '{{ matrix__synapse__run_dir }}'
notify: Load, enable and restart Matrix Synapse
- name: Create Matrix Synapse config
template:
src: '../templates/synapse/config/{{ item }}.yaml'
dest: '{{ matrix__synapse__conf_subdir }}/{{ item }}.yaml'
mode: 'u=rw,g=rw,o='
owner: '{{ matrix__synapse__user }}'
group: '{{ matrix__synapse__group }}'
notify: Load, enable and restart Matrix Synapse
with_items:
- other
- database
- acme
- listeners
- url_preview
- captcha
- turn
- media_store
- name: Create Matrix Synapse log config
template:
src: '../templates/synapse/log_config.yml'
dest: '{{ matrix__synapse__log_conf_file }}'
mode: 'u=rw,g=rw,o=r'
owner: '{{ matrix__synapse__user }}'
group: '{{ matrix__synapse__group }}'
notify: Load, enable and restart Matrix Synapse
- name: Create Matrix Synapse signing key
copy:
content: "{{ matrix__synapse__signing_key }}\n"
dest: '{{ matrix__synapse__key_file }}'
mode: 'u=rw,g=rw,o='
owner: '{{ matrix__synapse__user }}'
group: '{{ matrix__synapse__group }}'
notify: Load, enable and restart Matrix Synapse
- name: Create Python virtual env
become_user: '{{ matrix__synapse__user }}'
command:
argv:
- 'virtualenv'
- '{{ matrix__synapse__venv_dir }}'
- '-p'
- 'python3'
creates: '{{ matrix__synapse__venv_dir }}'
notify: Load, enable and restart Matrix Synapse
- name: Check Python packages
command:
argv:
- '{{ matrix__synapse__venv_dir }}/bin/pip'
- 'show'
- '{{ item }}'
with_items:
- 'matrix-synapse'
- 'lxml'
- 'netaddr'
- 'pip'
- 'psycopg2'
- 'setuptools'
ignore_errors: true
changed_when: false
register: packages_info
- name: Upgrade Python packages
become_user: '{{ matrix__synapse__user }}'
command:
argv:
- '{{ matrix__synapse__venv_dir }}/bin/pip'
- 'install'
- '--upgrade'
- 'pip'
- 'setuptools'
when: packages_info | json_query('results[*].rc') | difference([0]) != []
notify: Load, enable and restart Matrix Synapse
- name: Install Python packages
become_user: '{{ matrix__synapse__user }}'
command:
argv:
- '{{ matrix__synapse__venv_dir }}/bin/pip'
- 'install'
- 'matrix-synapse'
- 'lxml'
- 'netaddr'
- 'psycopg2'
when: packages_info | json_query('results[*].rc') | difference([0]) != []
notify: Load, enable and restart Matrix Synapse
- name: Create Matrix Synapse systemd service
template:
src: '../templates/synapse/matrix-synapse.service'
dest: '{{ matrix__synapse__service_file }}'
mode: 'u=rw,g=rw,o=r'
owner: root
group: root
notify: Load, enable and restart Matrix Synapse
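Review bot: The `Install Python packages` task runs `pip install matrix-synapse lxml netaddr psycopg2` with no version constraints or hashes, so each fresh host gets whatever PyPI serves at that moment, unlike the media-repo and quicktemplate checkouts in this commit, which are pinned to a commit; pinning, e.g. `- 'matrix-synapse==<chosen version>'` (placeholder), and ideally installing from a hash-locked requirements file, would make the deployment reproducible and reviewable. The `Check Python packages` task uses `ignore_errors: true` for an expected non-zero `pip show`; `failed_when: false` states that intent precisely and keeps the play output free of spurious failures. The two `when` expressions rely on `json_query`, which needs the `jmespath` package on the controller, and nothing in the commit documents that requirement.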


@ -0,0 +1,59 @@
{
"default_server_config": {
"m.homeserver": {
"base_url": "https://matrix-client.matrix.org",
"server_name": "matrix.org"
},
"m.identity_server": {
"base_url": "https://vector.im"
}
},
"disable_custom_urls": false,
"disable_guests": false,
"disable_login_language_selector": false,
"disable_3pid_login": false,
"brand": "Element",
"integrations_ui_url": "https://scalar.vector.im/",
"integrations_rest_url": "https://scalar.vector.im/api",
"integrations_widgets_urls": [
"https://scalar.vector.im/_matrix/integrations/v1",
"https://scalar.vector.im/api",
"https://scalar-staging.vector.im/_matrix/integrations/v1",
"https://scalar-staging.vector.im/api",
"https://scalar-staging.riot.im/scalar/api"
],
"bug_report_endpoint_url": "https://riot.im/bugreports/submit",
"defaultCountryCode": "GB",
"showLabsSettings": false,
"features": {
"feature_new_spinner": "labs",
"feature_pinning": "labs",
"feature_custom_status": "labs",
"feature_custom_tags": "labs",
"feature_state_counters": "labs"
},
"default_federate": true,
"default_theme": "light",
"roomDirectory": {
"servers": [
"matrix.org"
]
},
"welcomeUserId": "@riot-bot:matrix.org",
"piwik": {
"url": "https://piwik.riot.im/",
"whitelistedHSUrls": ["https://matrix.org"],
"whitelistedISUrls": ["https://vector.im", "https://matrix.org"],
"siteId": 1
},
"enable_presence_by_hs_url": {
"https://matrix.org": false,
"https://matrix-client.matrix.org": false
},
"settingDefaults": {
"breadcrumbs": true
},
"jitsi": {
"preferredDomain": "jitsi.riot.im"
}
}
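Review bot: If this is the `templates/element/config.json` that the element task renders, it contains no Jinja expressions, so the deployed Element still points its `default_server_config` at `matrix-client.matrix.org` and `matrix.org`, greets users with `@riot-bot:matrix.org`, and sends bug reports and analytics to `riot.im` and `piwik.riot.im`, rather than using the `matrix__base_url` and `matrix__site_host` values the role defines. Rendering the homeserver block from the role variables, e.g. `"base_url": "{{ matrix__base_url }}"` and `"server_name": "{{ matrix__site_host }}"`, and either removing the `bug_report_endpoint_url` and `piwik` entries or pointing them at operator-controlled endpoints, would keep client traffic and telemetry on the operator's own infrastructure. The file path is not shown on this page, so this may instead be an unused upstream sample.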


@ -0,0 +1,539 @@
# General repo configuration
repo:
bindAddress: '127.0.0.1'
port: {{ matrix__media_repo__port }}
# Where to store the logs, relative to where the repo is started from. Logs will be automatically
# rotated every day and held for 14 days. To disable the repo logging to files, set this to
# "-" (including quotation marks).
#
# Note: to change the log directory you'll have to restart the repository. This setting cannot be
# live reloaded.
logDirectory: '-'
# If true, the media repo will accept any X-Forwarded-For header without validation. In most cases
# this option should be left as "false". Note that the media repo already expects an X-Forwarded-For
# header, but validates it to ensure the IP being given makes sense.
trustAnyForwardedAddress: false
# If false, the media repo will not use the X-Forwarded-Host header commonly added by reverse proxies.
# Typically this should remain as true, though in some circumstances it may need to be disabled.
# See https://github.com/turt2live/matrix-media-repo/issues/202 for more information.
useForwardedHost: true
# Options for dealing with federation
federation:
# On a per-host basis, the number of consecutive failures in calling the host before the
# media repo will back off. This defaults to 20 if not given. Note that 404 errors from
# the remote server do not count towards this.
backoffAt: 20
# The database configuration for the media repository
# Do NOT put your homeserver's existing database credentials here. Create a new database and
# user instead. Using the same server is fine, just not the same username and database.
database:
# Currently only "postgres" is supported.
postgres: "{{ matrix__media_repo__postgres }}"
# The database pooling options
pool:
# The maximum number of connects to hold open. More of these allow for more concurrent
# processes to happen.
maxConnections: 25
# The maximum number of connects to leave idle. More of these reduces the time it takes
# to serve requests in low-traffic scenarios.
maxIdleConnections: 5
# The configuration for the homeservers this media repository is known to control. Servers
# not listed here will not be able to upload media.
homeservers:
-
# This should match the server_name of your homeserver, and the Host header
# provided to the media repo.
name: "{{ matrix__site_host }}"
# The base URL to where the homeserver can actually be reached
csApi: "{{ matrix__base_url }}"
# The number of consecutive failures in calling this homeserver before the
# media repository will start backing off. This defaults to 10 if not given.
backoffAt: 10
# The kind of admin API the homeserver supports. If set to "matrix",
# the media repo will use the Synapse-defined endpoints under the
# unstable client-server API. When this is "synapse", the new /_synapse
# endpoints will be used instead. Unknown values are treated as the
# default, "matrix".
adminApiKind: 'matrix'
# Options for controlling how access tokens work with the media repo. It is recommended that if
# you are going to use these options that the `/logout` and `/logout/all` client-server endpoints
# be proxied through this process. They will also be called on the homeserver, and the response
# sent straight through the client - they are simply used to invalidate the cache faster for
# a particular user. Without these, the access tokens might still work for a short period of time
# after the user has already invalidated them.
#
# This will also cache errors from the homeserver.
#
# Note that when this config block is used outside of a per-domain config, all hosts will be
# subject to the same cache. This also means that application services on limited homeservers
# could be authorized on the wrong domain.
#
# ***************************************************************************
# * IT IS HIGHLY RECOMMENDED TO USE PER-DOMAIN CONFIGS WITH THIS FEATURE. *
# ***************************************************************************
accessTokens:
# The maximum time a cached access token will be considered valid. Set to zero (the default)
# to disable the cache and constantly hit the homeserver. This is recommended to be set to
# 43200 (12 hours) on servers with the logout endpoints proxied through the media repo, and
# zero for servers who do not proxy the endpoints through.
maxCacheTimeSeconds: 0
# Whether or not to use the `appservices` config option below. If disabled (the default),
# the regular access token cache will be used for each user, potentially leading to high
# memory usage.
useLocalAppserviceConfig: false
# The application services (and their namespaces) registered on the homeserver. Only used
# if `useLocalAppserviceConfig` is enabled (recommended).
#
# Usually the appservice will provide you with these config details - they'll just need
# translating from the appservice registration to here. Note that this does not require
# all options from the registration, and only requires the bare minimum required to run
# the media repo.
appservices:
- id: Name_of_appservice_for_your_reference
asToken: Secret_token_for_appservices_to_use
senderUserId: '@_example_bridge:yourdomain.com'
userNamespaces:
- regex: '@_example_bridge_.+:yourdomain.com'
# A note about regexes: it is best to suffix *all* namespaces with the homeserver
# domain users are valid for, as otherwise the appservice can use any user with
# any domain name it feels like, even if that domain is not configured with the
# media repo. This will lead to inaccurate reporting in the case of the media
# repo, and potentially leading to media being considered "remote".
# These users have full access to the administrative functions of the media repository.
# See docs/admin.md for information on what these people can do. They must belong to one of the
# configured homeservers above.
admins:
- "{{ matrix__admin_user }}"
# Shared secret auth is useful for applications building on top of the media repository, such
# as a management interface. The `token` provided here is treated as a repository administrator
# when shared secret auth is enabled: if the `token` is used in place of an access token, the'
# request will be authorized. This is not limited to any particular domain, giving applications
# the ability to use it on any configured hostname.
sharedSecretAuth:
# Set this to true to enable shared secret auth.
enabled: false
# Use a secure value here to prevent unauthorized access to the media repository.
token: 'PutSomeRandomSecureValueHere'
# Datastores are places where media should be persisted. This isn't dedicated for just uploads:
# thumbnails and other misc data is also stored in these places. When the media repo is looking
# to store new media (such as user uploads, thumbnails, etc) it will look for a datastore which
# is flagged as forUploads. It will try to use the smallest datastore first.
datastores:
- type: file
# Enable this to set up data storage.
enabled: false
# Datastores can be split into many areas when handling uploads. Media is still de-duplicated
# across all datastores (local content which duplicates remote content will re-use the remote
# content's location). This option is useful if your datastore is becoming very large, or if
# you want faster storage for a particular kind of media.
#
# The kinds available are:
# thumbnails - Used to store thumbnails of media (local and remote).
# remote_media - Original copies of remote media (servers not configured by this repo).
# local_media - Original uploads for local media.
# archives - Archives of content (GDPR and similar requests).
forKinds: ['thumbnails']
opts:
path: /var/matrix/media
- type: s3
# Enable this to set up s3 uploads
enabled: true
forKinds: ['thumbnails', 'remote_media', 'local_media', 'archives']
opts:
# The s3 uploader needs a temporary location to buffer files to reduce memory usage on
# small file uploads. If the file size is unknown, the file is written to this location
# before being uploaded to s3 (then the file is deleted). If you aren't concerned about
# memory usage, set this to an empty string.
tempPath: ''
endpoint: "{{ matrix__media_repo__s3_endpoint }}"
accessKeyId: "{{ matrix__media_repo__s3_access_key }}"
accessSecret: "{{ matrix__media_repo__s3_access_secret }}"
ssl: true
bucketName: "{{ matrix__media_repo__s3_bucket }}"
# An optional region for where this S3 endpoint is located. Typically not needed, though
# some providers will need this (like Scaleway). Uncomment to use.
#region: 'sfo2'
# The media repo does support an IPFS datastore, but only if the IPFS feature is enabled. If
# the feature is not enabled, this will not work. Note that IPFS support is experimental at
# the moment and not recommended for general use.
#
# NOTE: Everything you upload to IPFS will be publicly accessible, even when the media repo
# puts authentication on the download endpoints. Only use this option for cases where you
# expect your media to be publicly accessible.
- type: ipfs
# Enable this to use IPFS support
enabled: false
forKinds: ['local_media']
# The IPFS datastore currently has no options. It will use the daemon or HTTP API configured
# in the IPFS section of your main config.
opts: {}
# Options for controlling archives. Archives are exports of a particular user's content for
# the purpose of GDPR or moving media to a different server.
archiving:
# Whether archiving is enabled or not. Default enabled.
enabled: true
# If true, users can request a copy of their own data. By default, only repository administrators
# can request a copy.
# This includes the ability for homeserver admins to request a copy of their own server's
# data, as known to the repo.
selfService: false
# The number of bytes to target per archive before breaking up the files. This is independent
# of any file upload limits and will require a similar amount of memory when performing an export.
# The file size is also a target, not a guarantee - it is possible to have files that are smaller
# or larger than the target. This is recommended to be approximately double the size of your
# file upload limit, provided there is enough memory available for the demand of exporting.
targetBytesPerPart: 209715200 # 200mb default
# The file upload settings for the media repository
uploads:
maxBytes: 104857600 # 100MB default, 0 to disable
# The minimum number of bytes to let people upload
minBytes: 100 # 100 bytes by default
# The number of bytes to claim as the maximum size for uploads for the limits API. If this
# is not provided then the maxBytes setting will be used instead. This is useful to provide
# if the media repo's settings and the reverse proxy do not match for maximum request size.
# This is purely for informational reasons and does not actually limit any functionality.
# Set this to -1 to indicate that there is no limit. Zero will force the use of maxBytes.
#reportedMaxBytes: 104857600
# An optional list of file types that are allowed to be uploaded. If */* or nothing is
# supplied here, then all file types are allowed. Asterisks (*) are wildcards and can be
# placed anywhere to match everything (eg: "image/*" matches all images). This will also
# restrict which file types are downloaded from remote servers.
#
# Caution: the media repo cannot tell the difference between encrypted media and arbitrary
# binary data. For this reason, this option is deprecated and to be removed in a future
# version.
allowedTypes:
- '*/*'
# Specific users can have their own set of allowed file types. These are applied instead
# of those listed in the allowedTypes list when a user is found. Much like allowedTypes,
# asterisks may be used in the content types and may also be used in the user IDs. This
# allows for entire servers to have different allowed types by setting a rule similar to
# "@*:example.org". Users will be allowed to upload a file if the type matches any of
# the policies that match the user ID.
#
# Caution: the media repo cannot tell the difference between encrypted media and arbitrary
# binary data. For this reason, this option is deprecated and to be removed in a future
# version.
#exclusions:
# '@someone:example.org':
# - 'application/pdf'
# - 'application/vnd.ms-excel'
# '@*:example.org':
# - '*/*'
# Settings related to downloading files from the media repository
downloads:
# The maximum number of bytes to download from other servers
maxBytes: 104857600 # 100MB default, 0 to disable
# The number of workers to use when downloading remote media. Raise this number if remote
# media is downloading slowly or timing out.
#
# Maximum memory usage = numWorkers multiplied by the maximum download size
# Average memory usage is dependent on how many concurrent downloads your users are doing.
numWorkers: 10
# How long, in minutes, to cache errors related to downloading remote media. Once this time
# has passed, the media is able to be re-requested.
failureCacheMinutes: 5
# The cache control settings for downloads. This can help speed up downloads for users by
# keeping popular media in the cache. This cache is also used for thumbnails.
cache:
enabled: true
# The maximum size of cache to have. Higher numbers are better.
maxSizeBytes: 1048576000 # 1GB default
# The maximum file size to cache. This should normally be the same size as your maximum
# upload size.
maxFileSizeBytes: 104857600 # 100MB default
# The number of minutes to track how many downloads a file gets
trackedMinutes: 30
# The number of downloads a file must receive in the window above (trackedMinutes) in
# order to be cached.
minDownloads: 5
# The minimum amount of time an item should remain in the cache. This prevents the cache
# from cycling out the file if it needs more room during this time. Note that the media
# repo regularly cleans out media which is past this point from the cache, so this number
# may need increasing depending on your use case. If the maxSizeBytes is reached for the
# media repo, and some cached items are still under this timer, new items will not be able
# to enter the cache. When this happens, consider raising maxSizeBytes or lowering this
# timer.
minCacheTimeSeconds: 300
# The minimum amount of time an item should remain outside the cache once it is removed.
minEvictedTimeSeconds: 60
# How many days after a piece of remote content is downloaded before it expires. It can be
# re-downloaded on demand, this just helps free up space in your datastore. Set to zero or
# negative to disable. Defaults to disabled.
expireAfterDays: 0
# URL Preview settings
urlPreviews:
enabled: true # If enabled, the preview_url routes will be accessible
maxPageSizeBytes: 10485760 # 10MB default, 0 to disable
# If true, the media repository will try to provide previews for URLs with invalid or unsafe
# certificates. If false (the default), the media repo will fail requests to said URLs.
previewUnsafeCertificates: false
# Note: URL previews are limited to a given number of words, which are then limited to a number
# of characters, taking off the last word if it needs to. This also applies for the title.
numWords: 50 # The number of words to include in a preview (maximum)
maxLength: 200 # The maximum number of characters for a description
numTitleWords: 30 # The maximum number of words to include in a preview's title
maxTitleLength: 150 # The maximum number of characters for a title
# The mime types to preview when OpenGraph previews cannot be rendered. OpenGraph previews are
# calculated on anything matching "text/*". To have a thumbnail in the preview the URL must be
# an image and the image's type must be allowed by the thumbnailer.
filePreviewTypes:
- 'image/*'
# The number of workers to use when generating url previews. Raise this number if url
# previews are slow or timing out.
#
# Maximum memory usage = numWorkers multiplied by the maximum page size
# Average memory usage is dependent on how many concurrent urls your users are previewing.
numWorkers: 10
# Either allowedNetworks or disallowedNetworks must be provided. If both are provided, they
# will be merged. URL previews will be disabled if neither is supplied. Each entry must be
# a CIDR range.
disallowedNetworks:
- '127.0.0.1/8'
- '10.0.0.0/8'
- '172.16.0.0/12'
- '192.168.0.0/16'
- '100.64.0.0/10'
- '169.254.0.0/16'
- '::1/128'
- 'fe80::/64'
- 'fc00::/7'
allowedNetworks:
# "Everything". The blacklist will help limit this.
# This is the default value for this field.
- '0.0.0.0/0'
# How many days after a preview is generated before it expires and is deleted. The preview
# can be regenerated safely - this just helps free up some space in your database. Set to
# zero or negative to disable. Defaults to disabled.
expireAfterDays: 0
# The default Accept-Language header to supply when generating URL previews when one isn't
# supplied by the client.
# Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Accept-Language
defaultLanguage: 'en-US,en'
# The thumbnail configuration for the media repository.
thumbnails:
# The maximum number of bytes an image can be before the thumbnailer refuses.
maxSourceBytes: 10485760 # 10MB default, 0 to disable
# The number of workers to use when generating thumbnails. Raise this number if thumbnails
# are slow to generate or timing out.
#
# Maximum memory usage = numWorkers multiplied by the maximum image source size
# Average memory usage is dependent on how many thumbnails are being generated by your users
numWorkers: 100
# All thumbnails are generated into one of the sizes listed here. The first size is used as
# the default for when no width or height is requested. The media repository will return
# either an exact match or the next largest size of thumbnail.
sizes:
- width: 32
height: 32
- width: 96
height: 96
- width: 320
height: 240
- width: 640
height: 480
- width: 800
height: 600
# The content types to thumbnail when requested. Types that are not supported by the media repo
# will not be thumbnailed (adding application/json here won't work). Clients may still not request
# thumbnails for these types - this won't make clients automatically thumbnail these file types.
types:
- 'image/jpeg'
- 'image/jpg'
- 'image/png'
- 'image/gif'
- 'image/heif'
- 'image/webp'
#- 'image/svg+xml' # Be sure to have ImageMagick installed to thumbnail SVG files
# Animated thumbnails can be CPU intensive to generate. To disable the generation of animated
# thumbnails, set this to false. If disabled, regular thumbnails will be returned.
allowAnimated: true
# Default to animated thumbnails, if available
defaultAnimated: false
# The maximum file size to thumbnail when a capable animated thumbnail is requested. If the image
# is larger than this, the thumbnail will be generated as a static image.
maxAnimateSizeBytes: 10485760 # 10MB default, 0 to disable
# On a scale of 0 (start of animation) to 1 (end of animation), where should the thumbnailer try
# and thumbnail animated content? Defaults to 0.5 (middle of animation).
stillFrame: 0.5
# How many days after a thumbnail is generated before it expires and is deleted. The thumbnail
# can be regenerated safely - this just helps free up some space in your datastores. Set to
# zero or negative to disable. Defaults to disabled.
expireAfterDays: 0
# Controls for the rate limit functionality
rateLimit:
# Set this to false if rate limiting is handled at a higher level or you don't want it enabled.
enabled: true
# The number of requests per second before an IP will be rate limited. Must be a whole number.
requestsPerSecond: 1
# The number of requests an IP can send at once before the rate limit is actually considered.
burst: 10
# Identicons are generated avatars for a given username. Some clients use these to give users a
# default avatar after signing up. Identicons are not part of the official matrix spec, therefore
# this feature is completely optional.
identicons:
enabled: true
# The quarantine media settings.
quarantine:
# If true, when a thumbnail of quarantined media is requested an image will be returned. If no
# image is given in the thumbnailPath below then a generated image will be provided. This does
# not affect regular downloads of files.
replaceThumbnails: true
# If true, when media which has been quarantined is requested an image will be returned. If
# no image is given in the thumbnailPath below then a generated image will be provided. This
# will replace media which is not an image (ie: quarantining a PDF will replace the PDF with
# an image).
replaceDownloads: false
# If provided, the given image will be returned as a thumbnail for media that is quarantined.
#thumbnailPath: '/path/to/thumbnail.png'
# If true, administrators of the configured homeservers may quarantine media for their server
# only. Global administrators can quarantine any media (local or remote) regardless of this
# flag.
allowLocalAdmins: true
# The various timeouts that the media repo will use.
timeouts:
# The maximum amount of time the media repo should spend trying to fetch a resource that is
# being previewed.
urlPreviewTimeoutSeconds: 10
# The maximum amount of time the media repo will spend making remote requests to other repos
# or homeservers. This is primarily used to download media.
federationTimeoutSeconds: 120
# The maximum amount of time the media repo will spend talking to your configured homeservers.
# This is usually used to verify a user's identity.
clientServerTimeoutSeconds: 30
# Prometheus metrics configuration
# For an example Grafana dashboard, import the following JSON:
# https://github.com/turt2live/matrix-media-repo/blob/master/docs/grafana.json
metrics:
# If true, the bindAddress and port below will serve GET /metrics for Prometheus to scrape.
enabled: false
# The address to listen on. Typically "127.0.0.1" or "0.0.0.0" for all interfaces.
bindAddress: '127.0.0.1'
# The port to listen on. Cannot be the same as the general web server port.
port: 9000
# Options for controlling various MSCs/unstable features of the media repo
# Sections of this config might disappear or be added over time. By default all
# features are disabled in here and must be explicitly enabled to be used.
featureSupport:
# MSC2248 - Blurhash
MSC2448:
# Whether or not this MSC is enabled for use in the media repo
enabled: false
# Maximum dimensions for converting a blurhash to an image. When no width and
# height options are supplied, the default will be half these values.
maxWidth: 1024
maxHeight: 1024
# Thumbnail size in pixels to use to generate the blurhash string
thumbWidth: 64
thumbHeight: 64
# The X and Y components to use. Higher numbers blur less, lower numbers blur more.
xComponents: 4
yComponents: 3
# The amount of contrast to apply when converting a blurhash to an image. Lower values
# make the effect more subtle, larger values make it stronger.
punch: 1
# IPFS Support
# This is currently experimental and might not work at all.
IPFS:
# Whether or not IPFS support is enabled for use in the media repo.
enabled: false
# Options for the built in IPFS daemon
builtInDaemon:
# Enable this to spawn an in-process IPFS node to use instead of a localhost
# HTTP agent. If this is disabled, the media repo will assume you have an HTTP
# IPFS agent running and accessible. Defaults to using a daemon (true).
enabled: true
# If the Daemon is enabled, set this to the location where the IPFS files should
# be stored. If you're using Docker, this should be something like "/data/ipfs"
# so it can be mapped to a volume.
repoPath: './ipfs'
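Review bot: The `accessTokens.appservices` list and `sharedSecretAuth.token` still carry the upstream sample values (`Secret_token_for_appservices_to_use`, `'@_example_bridge:yourdomain.com'`, `'PutSomeRandomSecureValueHere'`); both features are disabled here, but a later `enabled: true` would activate a publicly known secret with repository-administrator rights. Replace the example entry with `appservices: []` and either drop `token` or render it from a vaulted variable, so that the disabled flag is not the only thing between a well-known string and the admin API. `database.postgres` also embeds the DB credentials in this rendered file; the task that writes it (outside this hunk) should set a restrictive `mode` and run with `no_log: true`.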


@ -0,0 +1,18 @@
[Unit]
After=network.target
Description=Matrix Media Repo
[Service]
ExecStart={{ matrix__media_repo__src_dir }}/bin/media_repo -config {{ matrix__media_repo__conf_file }}
Group={{ matrix__media_repo__group }}
Restart=always
RestartSec=1
StandardOutput=syslog
StandardError=syslog
SyslogIdentifier={{ matrix__media_repo__service }}
Type=simple
User={{ matrix__media_repo__user }}
WorkingDirectory={{ matrix__media_repo__opt_dir }}
[Install]
WantedBy=multi-user.target
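Review bot: The unit runs a network-facing daemon under a dedicated user but applies no systemd sandboxing, and `StandardOutput=syslog` / `StandardError=syslog` are deprecated on recent systemd in favour of the journal. Adding `NoNewPrivileges=true`, `PrivateTmp=true`, `ProtectSystem=full` and `ProtectHome=true` to `[Service]` limits what a compromised process can reach, and should cost nothing for a service that only needs its config file, its `WorkingDirectory` and the datastore paths it is configured with; the same applies to the Matrix Static unit further down this page.

```ini
[Service]
# … unchanged: ExecStart, User, Group, Restart, logging …
NoNewPrivileges=true
PrivateTmp=true
ProtectSystem=full
ProtectHome=true
```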


@ -0,0 +1,140 @@
server {
listen 80;
listen [::]:80;
server_name {{ matrix__base_host }} {{ matrix__web_host }};
set $CSP "";
set $CSP "${CSP}object-src 'none';";
set $CSP "${CSP}frame-src 'none';";
set $CSP "${CSP}connect-src 'none';";
set $CSP "${CSP}form-action 'none';";
add_header Content-Security-Policy $CSP always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "SAMEORIGIN" always;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name {{ matrix__web_host }};
ssl_certificate {{ matrix__nginx__ssl_cert }};
ssl_certificate_key {{ matrix__nginx__ssl_key }};
set $CSP "";
set $CSP "${CSP}object-src 'none';";
set $CSP "${CSP}frame-src 'none';";
set $CSP "${CSP}connect-src 'self';";
set $CSP "${CSP}form-action 'none';";
add_header Content-Security-Policy $CSP always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header Last-Modified $date_gmt;
add_header Cache-Control 'no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0';
client_max_body_size 100M;
if_modified_since off;
expires off;
etag off;
sendfile off;
root {{ matrix__element__src_dir }};
index index.html;
}
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name {{ matrix__base_host }};
ssl_certificate {{ matrix__nginx__ssl_cert }};
ssl_certificate_key {{ matrix__nginx__ssl_key }};
set $CSP "";
set $CSP "${CSP}object-src 'none';";
set $CSP "${CSP}frame-src 'none';";
set $CSP "${CSP}connect-src 'none';";
set $CSP "${CSP}form-action 'none';";
add_header Content-Security-Policy $CSP always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "SAMEORIGIN" always;
client_max_body_size 100M;
location /_matrix/media {
proxy_read_timeout 60s;
proxy_set_header Host {{ matrix__site_host }};
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_pass http://localhost:{{ matrix__media_repo__port }};
}
location /_matrix {
proxy_read_timeout 60s;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_pass http://localhost:{{ matrix__synapse__port }};
}
location / {
proxy_read_timeout 60s;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_pass http://localhost:{{ matrix__static__port }};
}
}
server {
listen 8448 ssl;
listen [::]:8448 ssl;
server_name {{ matrix__base_host }};
ssl_certificate {{ matrix__nginx__ssl_cert }};
ssl_certificate_key {{ matrix__nginx__ssl_key }};
set $CSP "";
set $CSP "${CSP}object-src 'none';";
set $CSP "${CSP}frame-src 'none';";
set $CSP "${CSP}connect-src 'none';";
set $CSP "${CSP}form-action 'none';";
add_header Content-Security-Policy $CSP always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "SAMEORIGIN" always;
client_max_body_size 100M;
location /_matrix/media {
proxy_read_timeout 60s;
proxy_set_header Host {{ matrix__site_host }};
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_pass http://localhost:{{ matrix__media_repo__port }};
}
location / {
proxy_read_timeout 60s;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_pass http://localhost:{{ matrix__synapse__port }};
}
}
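Review bot: The `{{ matrix__web_host }}` server block sets `connect-src 'self'` in its CSP, yet the Element client it serves must call the homeserver at `{{ matrix__base_host }}` (a distinct name, per the `server_name` on the port-80 block), so the browser would refuse every client-server API request under that policy; `frame-src 'none'` likewise blocks the integration-manager and Jitsi iframes Element embeds. The directive needs the homeserver origin, e.g. `set $CSP "${CSP}connect-src 'self' https://{{ matrix__base_host }};";`. Separately, the `/_matrix` locations forward to Synapse without `proxy_set_header X-Forwarded-Proto $scheme;`, which Synapse uses to learn the original scheme when its listener has `x_forwarded: true`; the listener file is cut off at the end of this page, so that part is inferred.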


@ -0,0 +1,7 @@
{
"access_token": "{{ matrix__static__access_token }}",
"device_id": "guest_device",
"home_server": "{{ matrix__base_url }}",
"refresh_token": "",
"user_id": "{{ matrix__static__user_id }}"
}
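Review bot: This file carries a live Matrix `access_token` for the static-rendering user, so the rendered config is a secret at rest. The `template` task that writes it (outside this hunk) should set a `mode` without world read and run with `no_log: true` so the token does not end up in Ansible output or logs. Using a dedicated low-privilege account for `matrix__static__user_id` also limits the impact if the token leaks, since matrix-static only needs read access.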


@ -0,0 +1,19 @@
[Unit]
After=network.target
Description=Matrix Static
[Service]
Environment=PORT={{ matrix__static__port }}
ExecStart={{ matrix__static__opt_dir }}/bin/matrix-static --config-file {{ matrix__static__conf_file }}
Group={{ matrix__static__group }}
Restart=always
RestartSec=1
StandardOutput=syslog
StandatdError=syslog
SyslogIdentifier={{ matrix__static__service }}
Type=simple
User={{ matrix__static__user }}
WorkingDirectory={{ matrix__static__src_dir }}
[Install]
WantedBy=multi-user.target
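Review bot: `StandatdError=syslog` in the `[Service]` stanza is a typo; systemd logs an "Unknown key name" warning and ignores the line, so stderr falls back to the default output instead of the syslog identifier set below. The line should read `StandardError=syslog` (or both stream directives can be dropped to use the journal on recent systemd). Sandboxing directives are missing here as in the media-repo unit above.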


@ -0,0 +1,73 @@
# ACME support: This will configure Synapse to request a valid TLS certificate
# for your configured `server_name` via Let's Encrypt.
#
# Note that ACME v1 is now deprecated, and Synapse currently doesn't support
# ACME v2. This means that this feature currently won't work with installs set
# up after November 2019. For more info, and alternative solutions, see
# https://github.com/matrix-org/synapse/blob/master/docs/ACME.md#deprecation-of-acme-v1
#
# Note that provisioning a certificate in this way requires port 80 to be
# routed to Synapse so that it can complete the http-01 ACME challenge.
# By default, if you enable ACME support, Synapse will attempt to listen on
# port 80 for incoming http-01 challenges - however, this will likely fail
# with 'Permission denied' or a similar error.
#
# There are a couple of potential solutions to this:
#
# * If you already have an Apache, Nginx, or similar listening on port 80,
# you can configure Synapse to use an alternate port, and have your web
# server forward the requests. For example, assuming you set 'port: 8009'
# below, on Apache, you would write:
#
# ProxyPass /.well-known/acme-challenge http://localhost:8009/.well-known/acme-challenge
#
# * Alternatively, you can use something like `authbind` to give Synapse
# permission to listen on port 80.
#
acme:
# ACME support is disabled by default. Set this to `true` and uncomment
# tls_certificate_path and tls_private_key_path above to enable it.
#
enabled: false
# Endpoint to use to request certificates. If you only want to test,
# use Let's Encrypt's staging url:
# https://acme-staging.api.letsencrypt.org/directory
#
#url: https://acme-v01.api.letsencrypt.org/directory
# Port number to listen on for the HTTP-01 challenge. Change this if
# you are forwarding connections through Apache/Nginx/etc.
#
port: 80
# Local addresses to listen on for incoming connections.
# Again, you may want to change this if you are forwarding connections
# through Apache/Nginx/etc.
#
bind_addresses: ['::', '0.0.0.0']
# How many days remaining on a certificate before it is renewed.
#
reprovision_threshold: 30
# The domain that the certificate should be for. Normally this
# should be the same as your Matrix domain (i.e., 'server_name'), but,
# by putting a file at 'https://<server_name>/.well-known/matrix/server',
# you can delegate incoming traffic to another server. If you do that,
# you should give the target of the delegation here.
#
# For example: if your 'server_name' is 'example.com', but
# 'https://example.com/.well-known/matrix/server' delegates to
# 'matrix.example.com', you should put 'matrix.example.com' here.
#
# If not set, defaults to your 'server_name'.
#
domain: matrix.example.com
# file to use for the account key. This will be generated if it doesn't
# exist.
#
# If unspecified, we will use CONFDIR/client.key.
#
account_key_file: /etc/matrix/synapse/acme_account.key
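Review bot: The ACME block is `enabled: false`, yet `domain: matrix.example.com` and `account_key_file: /etc/matrix/synapse/acme_account.key` are left as literal values, so the upstream example domain lands in the rendered homeserver config and would become the certificate subject if someone flips the flag. Since certificates come from elsewhere (the nginx template reads `matrix__nginx__ssl_cert`) and the block's own comment says ACME v1 is deprecated, commenting `domain` out as upstream does, or rendering it as `domain: '{{ matrix__site_host }}'`, keeps the config honest.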


@ -0,0 +1,23 @@
## Captcha ##
# See docs/CAPTCHA_SETUP.md for full details of configuring this.
# This homeserver's ReCAPTCHA public key. Must be specified if
# enable_registration_captcha is enabled.
#
recaptcha_public_key: '{{ matrix__synapse__recaptcha_public_key }}'
# This homeserver's ReCAPTCHA private key. Must be specified if
# enable_registration_captcha is enabled.
#
recaptcha_private_key: '{{ matrix__synapse__recaptcha_private_key }}'
# Uncomment to enable ReCaptcha checks when registering, preventing signup
# unless a captcha is answered. Requires a valid ReCaptcha
# public/private key. Defaults to 'false'.
#
enable_registration_captcha: true
# The API endpoint to use for verifying m.login.recaptcha responses.
# Defaults to "https://www.recaptcha.net/recaptcha/api/siteverify".
#
#recaptcha_siteverify_api: "https://my.recaptcha.site"
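Review bot: `recaptcha_private_key` on line 1654 renders a secret into the homeserver config fragment in cleartext, and the same holds for `password` in the database fragment (line 1717); the task that writes these fragments to the host is not in this hunk, so confirm it sets `owner` to the synapse user and `mode: '0600'` (or at most 0640 with the synapse group) so the rendered file is not world-readable. Vault-protecting the variable covers only the repository, not the file on disk. The quoting of the templated values is correct and guards against an empty expansion becoming `null`.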


@ -0,0 +1,55 @@
## Database ##
# The 'database' setting defines the database that synapse uses to store all of
# its data.
#
# 'name' gives the database engine to use: either 'sqlite3' (for SQLite) or
# 'psycopg2' (for PostgreSQL).
#
# 'args' gives options which are passed through to the database engine,
# except for options starting 'cp_', which are used to configure the Twisted
# connection pool. For a reference to valid arguments, see:
# * for sqlite: https://docs.python.org/3/library/sqlite3.html#sqlite3.connect
# * for postgres: https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-PARAMKEYWORDS
# * for the connection pool: https://twistedmatrix.com/documents/current/api/twisted.enterprise.adbapi.ConnectionPool.html#__init__
#
#
# Example SQLite configuration:
#
#database:
# name: sqlite3
# args:
# database: /path/to/homeserver.db
#
#
# Example Postgres configuration:
#
#database:
# name: psycopg2
# args:
# user: synapse
# password: secretpassword
# database: synapse
# host: localhost
# cp_min: 5
# cp_max: 10
#
# For more information on using Synapse with Postgres, see `docs/postgres.md`.
#
{% if not matrix__synapse__pg_enable %}
database:
name: sqlite3
args:
database: '{{ matrix__synapse__db_file }}'
{% else %}
database:
name: psycopg2
args:
host: '{{ matrix__synapse__pg_host }}'
port: {{ matrix__synapse__pg_port }}
user: '{{ matrix__synapse__pg_username }}'
password: '{{ matrix__synapse__pg_password }}'
database: '{{ matrix__synapse__pg_database }}'
cp_min: 5
cp_max: 10
{% endif %}
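Review bot: The psycopg2 `args` on lines 1713-1720 leave `sslmode` unset, so libpq falls back to its default of `prefer` and will silently use an unencrypted connection when the server does not offer TLS; if `matrix__synapse__pg_host` points at a remote host rather than loopback or a socket, add `sslmode: 'require'` (or `verify-full` with a CA path) to the args. Since `args` is passed straight through to libpq, no other change is needed. As a minor point of style, the inverted `{% if not matrix__synapse__pg_enable %}` reads more naturally with the positive branch first, and the repeated `database:`/`args:` keys could be hoisted above the conditional.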


@ -0,0 +1,102 @@
# List of ports that Synapse should listen on, their purpose and their
# configuration.
#
# Options for each listener include:
#
# port: the TCP port to bind to
#
# bind_addresses: a list of local addresses to listen on. The default is
# 'all local interfaces'.
#
# type: the type of listener. Normally 'http', but other valid options are:
# 'manhole' (see docs/manhole.md),
# 'metrics' (see docs/metrics-howto.md),
# 'replication' (see docs/workers.md).
#
# tls: set to true to enable TLS for this listener. Will use the TLS
# key/cert specified in tls_private_key_path / tls_certificate_path.
#
# x_forwarded: Only valid for an 'http' listener. Set to true to use the
# X-Forwarded-For header as the client IP. Useful when Synapse is
# behind a reverse-proxy.
#
# resources: Only valid for an 'http' listener. A list of resources to host
# on this port. Options for each resource are:
#
# names: a list of names of HTTP resources. See below for a list of
# valid resource names.
#
# compress: set to true to enable HTTP comression for this resource.
#
# additional_resources: Only valid for an 'http' listener. A map of
# additional endpoints which should be loaded via dynamic modules.
#
# Valid resource names are:
#
# client: the client-server API (/_matrix/client), and the synapse admin
# API (/_synapse/admin). Also implies 'media' and 'static'.
#
# consent: user consent forms (/_matrix/consent). See
# docs/consent_tracking.md.
#
# federation: the server-server API (/_matrix/federation). Also implies
# 'media', 'keys', 'openid'
#
# keys: the key discovery API (/_matrix/keys).
#
# media: the media API (/_matrix/media).
#
# metrics: the metrics interface. See docs/metrics-howto.md.
#
# openid: OpenID authentication.
#
# replication: the HTTP replication API (/_synapse/replication). See
# docs/workers.md.
#
# static: static resources under synapse/static (/_matrix/static). (Mostly
# useful for 'fallback authentication'.)
#
# webclient: A web client. Requires web_client_location to be set.
#
listeners:
# TLS-enabled listener: for when matrix traffic is sent directly to synapse.
#
# Disabled by default. To enable it, uncomment the following. (Note that you
# will also need to give Synapse a TLS key and certificate: see the TLS section
# below.)
#
#- port: 8448
# type: http
# tls: true
# resources:
# - names: [client, federation]
# Unsecure HTTP listener: for when matrix traffic passes through a reverse proxy
# that unwraps TLS.
#
# If you plan to use a reverse proxy, please see
# https://github.com/matrix-org/synapse/blob/master/docs/reverse_proxy.md.
#
- port: {{ matrix__synapse__port }}
tls: false
type: http
x_forwarded: true
bind_addresses: ['::1', '127.0.0.1']
resources:
- names: [client, federation]
compress: false
# example additional_resources:
#
#additional_resources:
# "/_matrix/my/custom/endpoint":
# module: my_module.CustomRequestHandler
# config: {}
# Turn on the twisted ssh manhole service on localhost on the given
# port.
#
#- port: 9000
# bind_addresses: ['::1', '127.0.0.1']
# type: manhole
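Review bot: `x_forwarded: true` on line 1807 makes Synapse take the client IP from `X-Forwarded-For`, which is only trustworthy because the listener is bound to loopback on line 1808 and because the reverse proxy replaces the header rather than appending to a client-supplied one; the proxy config is not in this hunk, so that replacement behaviour should be confirmed there. Anything keyed on the client address (rate limiting, recorded IPs) inherits whatever the proxy forwards. A one-line comment above the listener stating that dependency would help, e.g. `# Trusts X-Forwarded-For: loopback-only, only the local reverse proxy can reach this port.`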


@ -0,0 +1,59 @@
## Media Store ##
# Enable the media store service in the Synapse master. Uncomment the
# following if you are using a separate media store worker.
#
enable_media_repo: false
# Directory where uploaded images and attachments are stored.
#
media_store_path: '{{ matrix__synapse__media_dir }}'
# Media storage providers allow media to be stored in different
# locations.
#
#media_storage_providers:
# - module: file_system
# # Whether to store newly uploaded local files
# store_local: false
# # Whether to store newly downloaded remote files
# store_remote: false
# # Whether to wait for successful storage for local uploads
# store_synchronous: false
# config:
# directory: /mnt/some/other/directory
# The largest allowed upload size in bytes
#
max_upload_size: 100M
# Maximum number of pixels that will be thumbnailed
#
#max_image_pixels: 32M
# Whether to generate new thumbnails on the fly to precisely match
# the resolution requested by the client. If true then whenever
# a new resolution is requested by the client the server will
# generate a new thumbnail. If false the server will pick a thumbnail
# from a precalculated list.
#
#dynamic_thumbnails: false
# List of thumbnails to precalculate when an image is uploaded.
#
#thumbnail_sizes:
# - width: 32
# height: 32
# method: crop
# - width: 96
# height: 96
# method: crop
# - width: 320
# height: 240
# method: scale
# - width: 640
# height: 480
# method: scale
# - width: 800
# height: 600
# method: scale
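Review bot: The comment on lines 1829-1830 is upstream boilerplate ("Uncomment the following if you are using a separate media store worker") that no longer matches the line below it, which is active and explicitly set to `false`. Since this deployment appears to serve media through a separate matrix-media-repo service (the `matrix__media_repo__*` vars elsewhere in the commit), state that here, e.g. `# Disabled: media is served by the separate matrix-media-repo service.` so a later reader does not re-enable it by mistake. That attribution is inferred from the vars and should be confirmed.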



@ -0,0 +1,29 @@
{}
## TURN ##
# The public URIs of the TURN server to give to clients
#
#turn_uris: []
# The shared secret used to compute passwords for the TURN server
#
#turn_shared_secret: "YOUR_SHARED_SECRET"
# The Username and password if the TURN server needs them and
# does not use a token
#
#turn_username: "TURNSERVER_USERNAME"
#turn_password: "TURNSERVER_PASSWORD"
# How long generated TURN credentials last
#
#turn_user_lifetime: 1h
# Whether guests should be allowed to use the TURN server.
# This defaults to True, otherwise VoIP will be unreliable for guests.
# However, it does introduce a slight security risk as it allows users to
# connect to arbitrary endpoints without having first signed up for a
# valid account (e.g. by passing a CAPTCHA).
#
#turn_allow_guests: true
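Review bot: The bare `{}` on line 1886 has no explanation, and a reader will reasonably take it for a stray paste. If the fragment exists so that a file whose options are all commented out still loads as an empty mapping (an all-comment YAML document loads as null, which would break a merge of fragments from the config directory), say so above it: `# Empty mapping on purpose: every TURN option below is commented out.` That purpose is inferred from how the config subdirectory seems to be consumed and should be confirmed.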


@ -0,0 +1,104 @@
# Is the preview URL API enabled?
#
# 'false' by default: uncomment the following to enable it (and specify a
# url_preview_ip_range_blacklist blacklist).
#
url_preview_enabled: true
# List of IP address CIDR ranges that the URL preview spider is denied
# from accessing. There are no defaults: you must explicitly
# specify a list for URL previewing to work. You should specify any
# internal services in your network that you do not want synapse to try
# to connect to, otherwise anyone in any Matrix room could cause your
# synapse to issue arbitrary GET requests to your internal services,
# causing serious security issues.
#
# (0.0.0.0 and :: are always blacklisted, whether or not they are explicitly
# listed here, since they correspond to unroutable addresses.)
#
# This must be specified if url_preview_enabled is set. It is recommended that
# you uncomment the following list as a starting point.
#
url_preview_ip_range_blacklist:
- '127.0.0.0/8'
- '10.0.0.0/8'
- '172.16.0.0/12'
- '192.168.0.0/16'
- '100.64.0.0/10'
- '169.254.0.0/16'
- '::1/128'
- 'fe80::/64'
- 'fc00::/7'
# List of IP address CIDR ranges that the URL preview spider is allowed
# to access even if they are specified in url_preview_ip_range_blacklist.
# This is useful for specifying exceptions to wide-ranging blacklisted
# target IP ranges - e.g. for enabling URL previews for a specific private
# website only visible in your network.
#
#url_preview_ip_range_whitelist:
# - '192.168.1.1'
# Optional list of URL matches that the URL preview spider is
# denied from accessing. You should use url_preview_ip_range_blacklist
# in preference to this, otherwise someone could define a public DNS
# entry that points to a private IP address and circumvent the blacklist.
# This is more useful if you know there is an entire shape of URL that
# you know that will never want synapse to try to spider.
#
# Each list entry is a dictionary of url component attributes as returned
# by urlparse.urlsplit as applied to the absolute form of the URL. See
# https://docs.python.org/2/library/urlparse.html#urlparse.urlsplit
# The values of the dictionary are treated as an filename match pattern
# applied to that component of URLs, unless they start with a ^ in which
# case they are treated as a regular expression match. If all the
# specified component matches for a given list item succeed, the URL is
# blacklisted.
#
url_preview_url_blacklist:
# blacklist any URL with a username in its URI
- username: '*'
#
# # blacklist all *.google.com URLs
# - netloc: 'google.com'
# - netloc: '*.google.com'
#
# # blacklist all plain HTTP URLs
# - scheme: 'http'
#
# # blacklist http(s)://www.acme.com/foo
# - netloc: 'www.acme.com'
# path: '/foo'
#
# # blacklist any URL with a literal IPv4 address
# - netloc: '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$'
# The largest allowed URL preview spidering size in bytes
#
#max_spider_size: 10M
# A list of values for the Accept-Language HTTP header used when
# downloading webpages during URL preview generation. This allows
# Synapse to specify the preferred languages that URL previews should
# be in when communicating with remote servers.
#
# Each value is a IETF language tag; a 2-3 letter identifier for a
# language, optionally followed by subtags separated by '-', specifying
# a country or region variant.
#
# Multiple values can be provided, and a weight can be added to each by
# using quality value syntax (;q=). '*' translates to any language.
#
# Defaults to "en".
#
# Example:
#
# url_preview_accept_language:
# - en-UK
# - en-US;q=0.9
# - fr;q=0.8
# - *;q=0.7
#
url_preview_accept_language:
- ru
- en;q=0.9
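Review bot: `fe80::/64` on line 1941 covers only the first /64 of the IPv6 link-local range, and the list has no entry for IPv4-mapped IPv6 addresses, so depending on how resolved addresses are normalised before comparison a name resolving to `::ffff:`-prefixed form of a private IPv4 address may slip past the IPv4 entries. Widening to `- 'fe80::/10'` and adding `- '::ffff:0:0/96'` closes both gaps without affecting legitimate previews. The `username: '*'` URL rule on line 1969 is a sensible complement, as the comment above it explains.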


@ -0,0 +1,35 @@
# Log configuration for Synapse.
#
# This is a YAML file containing a standard Python logging configuration
# dictionary. See [1] for details on the valid settings.
#
# [1]: https://docs.python.org/3.7/library/logging.config.html#configuration-dictionary-schema
version: 1
formatters:
precise:
format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s - %(message)s'
filters:
context:
(): synapse.logging.context.LoggingContextFilter
request: ''
handlers:
console:
class: logging.StreamHandler
formatter: precise
filters: [context]
loggers:
synapse.storage.SQL:
# beware: increasing this to DEBUG will make synapse log sensitive
# information such as access tokens.
level: INFO
root:
level: INFO
handlers: [console]
disable_existing_loggers: false


@ -0,0 +1,18 @@
[Unit]
After=network.target
Description=Matrix Synapse
[Service]
ExecStart={{ matrix__synapse__venv_dir }}/bin/synctl --no-daemonize start {{ matrix__synapse__conf_subdir }}
Group={{ matrix__synapse__group }}
Restart=always
RestartSec=1
StandardOutput=syslog
StandardError=syslog
SyslogIdentifier={{ matrix__synapse__service }}
Type=simple
User={{ matrix__synapse__user }}
WorkingDirectory={{ matrix__synapse__opt_dir }}
[Install]
WantedBy=multi-user.target
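Review bot: The `[Service]` section runs as a dedicated user but carries no sandboxing directives, so the process can still gain privileges through setuid binaries and sees the whole filesystem; add `NoNewPrivileges=true`, `PrivateTmp=true` and `ProtectSystem=full` (and `ProtectHome=true`, since the vars place everything under /opt, /etc and /var), then verify that synctl still starts under them. `StandardOutput=syslog`/`StandardError=syslog` are treated as `journal` by recent systemd releases, so `journal` is the clearer spelling if the target hosts are current.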


@ -0,0 +1,2 @@
d {{ matrix__run_dir }} 0775 root root
d {{ matrix__synapse__run_dir }} 0775 matrix-synapse matrix-synapse
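Review bot: Line 2069 hard-codes `matrix-synapse matrix-synapse` as owner and group although the role defines `matrix__synapse__user` and `matrix__synapse__group` for exactly this; write it as `d {{ matrix__synapse__run_dir }} 0775 {{ matrix__synapse__user }} {{ matrix__synapse__group }}` so renaming the account in vars does not leave the pid directory owned by a nonexistent user. `0775` also grants group write on both directories; `0755` is enough unless another group member needs to write there, and the root-owned parent on line 2068 in particular has no reason to be group-writable.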


@ -0,0 +1,66 @@
---
matrix__synapse__user: 'matrix-synapse'
matrix__synapse__group: 'matrix-synapse'
matrix__synapse__service: 'matrix-synapse'
matrix__media_repo__user: 'matrix-media-repo'
matrix__media_repo__group: 'matrix-media-repo'
matrix__media_repo__service: 'matrix-media-repo'
matrix__static__user: 'matrix-static'
matrix__static__group: 'matrix-static'
matrix__static__service: 'matrix-static'
matrix__synapse__port: 8001
matrix__media_repo__port: 8002
matrix__static__port: 8003
matrix__conf_dir: '/etc/matrix'
matrix__opt_dir: '/opt/matrix'
matrix__lib_dir: '/var/lib/matrix'
matrix__run_dir: '/var/run/matrix'
matrix__synapse__conf_dir: '{{ matrix__conf_dir }}/synapse'
matrix__synapse__opt_dir: '{{ matrix__opt_dir }}/synapse'
matrix__synapse__lib_dir: '{{ matrix__lib_dir }}/synapse'
matrix__synapse__run_dir: '{{ matrix__run_dir }}/synapse'
matrix__media_repo__conf_dir: '{{ matrix__conf_dir }}/media_repo'
matrix__media_repo__opt_dir: '{{ matrix__opt_dir }}/media_repo'
matrix__media_repo__lib_dir: '{{ matrix__lib_dir }}/media_repo'
matrix__static__conf_dir: '{{ matrix__conf_dir }}/static'
matrix__static__opt_dir: '{{ matrix__opt_dir }}/static'
matrix__element__opt_dir: '{{ matrix__opt_dir }}/element'
matrix__synapse__conf_subdir: '{{ matrix__synapse__conf_dir }}/config'
matrix__synapse__log_conf_file: '{{ matrix__synapse__conf_dir }}/log_config.yml'
matrix__synapse__key_file: '{{ matrix__synapse__conf_dir }}/signing_key'
matrix__synapse__venv_dir: '{{ matrix__synapse__opt_dir }}/venv'
matrix__synapse__media_dir: '{{ matrix__synapse__lib_dir }}/media_store'
matrix__synapse__db_file: '{{ matrix__synapse__lib_dir }}/homeserver.db'
matrix__synapse__pid_file: '{{ matrix__synapse__run_dir }}/homeserver.pid'
matrix__media_repo__conf_file: '{{ matrix__media_repo__conf_dir }}/config.yaml'
matrix__media_repo__archive_file: '{{ matrix__media_repo__opt_dir }}/src.tar.gz'
matrix__media_repo__src_dir: '{{ matrix__media_repo__opt_dir }}/src'
matrix__static__conf_file: '{{ matrix__static__conf_dir }}/config.json'
matrix__static__archive_file: '{{ matrix__static__opt_dir }}/src.tar.gz'
matrix__static__src_dir: '{{ matrix__static__opt_dir }}/src'
matrix__static__bin_dir: '{{ matrix__static__opt_dir }}/bin'
matrix__element__archive_file: '{{ matrix__element__opt_dir }}/src.tar.gz'
matrix__element__src_dir: '{{ matrix__element__opt_dir }}/src'
matrix__element__conf_file: '{{ matrix__element__src_dir }}/config.json'
matrix__synapse__service_file: '/etc/systemd/system/{{ matrix__synapse__service }}.service'
matrix__media_repo__service_file: '/etc/systemd/system/{{ matrix__media_repo__service }}.service'
matrix__static__service_file: '/etc/systemd/system/{{ matrix__static__service }}.service'
matrix__static__url: 'https://github.com/matrix-org/matrix-static/archive/0.3.0.tar.gz'
matrix__element__url: 'https://github.com/vector-im/riot-web/releases/download/v1.7.1/riot-v1.7.1.tar.gz'
matrix__static__checksum: 'sha256:6de2b7360b2deaef7c011acebd061d6bcdae3799ee40a2f7f371744920aa45eb'
matrix__element__checksum: 'sha256:5e69f862529d429d2d9064de210c16364de48cd38d0ef8ee9a099c096071b5ab'

4
templates/pg_backup Normal file

@ -0,0 +1,4 @@
#!/bin/sh -e
sudo -u postgres sh -e -c "test -d {{ postgresql_backups_dir }} && find {{ postgresql_backups_dir }} -type f -mtime +7 -exec rm {} \;"
sudo -u postgres sh -e -c "mkdir -p {{ postgresql_backups_dir }} && umask 077 && pg_dumpall | gzip > {{ postgresql_backups_dir }}/$(TZ=UTC date +"%Y_%m_%d_%H_%M_%S").gz"
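Review bot: The prune on line 2132 runs before the directory is created on line 2133, and `test -d … && find …` exits non-zero when the directory is absent, so under the `sh -e` shebang the script aborts before the first backup is ever taken unless something else creates the directory; move the `mkdir -p` ahead of the prune, or write the guard as `test ! -d {{ postgresql_backups_dir }} || find …`. The pipeline on line 2133 also returns gzip's status rather than pg_dumpall's, so a failed dump leaves a small but valid `.gz` and exit 0, which a cron job will never report; dump to a temporary file and gzip it afterwards, or run the pipeline under a shell that supports pipefail. The `umask 077` is right, since a pg_dumpall output contains every role's password hash. The hunk header counts four lines and three are shown here, so the missing one is presumably blank.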