Remove hosts
* matrix.crypto-libertarian.com * postgres.crypto-libertarian.com
This commit is contained in:
parent
222d83b426
commit
b11f609d18
39 changed files with 1 additions and 3984 deletions
|
@ -16,7 +16,7 @@ fi
|
|||
|
||||
extra_opts="--extra-vars admin=$admin"
|
||||
|
||||
for vault_id in kotovalexarian xuhcc postgres matrix
|
||||
for vault_id in kotovalexarian xuhcc
|
||||
do
|
||||
if [ -f "$ROOT/secrets/$vault_id" ]; then
|
||||
extra_opts="$extra_opts --vault-id $vault_id@$ROOT/secrets/$vault_id"
|
||||
|
|
|
@ -1,11 +0,0 @@
|
|||
---
|
||||
common__certbot__post_hook: null
|
||||
common__certbot__pre_hook: null
|
||||
|
||||
common__iptables__drop_by_default: true
|
||||
|
||||
postgresql_backups_dir: '/var/lib/postgresql/backups/12/main'
|
||||
|
||||
postgresql_global_config_options:
|
||||
- option: listen_addresses
|
||||
value: '*'
|
|
@ -1,180 +0,0 @@
|
|||
---
|
||||
ansible_become_pass_for:
|
||||
kotovalexarian: !vault |
|
||||
$ANSIBLE_VAULT;1.2;AES256;kotovalexarian
|
||||
61643339313266356538643266316138633738616632633531383730383433633030656633383431
|
||||
3335393862333133643030613131636232663434636164650a376464396333323662363037376164
|
||||
38356164613536633139643333383362363531343933363661356532663838656336363166616638
|
||||
3032303434366266330a376439396233363065323135613963633265373435636530646433343036
|
||||
65663336353266323636633339313236353565353431363965303762643766356562313566383031
|
||||
3536363333616139613738336566633937313539623536316666
|
||||
xuhcc: !vault |
|
||||
$ANSIBLE_VAULT;1.2;AES256;xuhcc
|
||||
33613837643333393933646163323464336164353963353039323338366339343137356134353164
|
||||
6135373037323262663461626430376134636433393037360a666435393133653763323834393530
|
||||
38643437613437643939386232393762326536363532376266643034623833316137376233363962
|
||||
3237346330633334630a613565623237616361623635343466303538613066653166316566616233
|
||||
63623962363933656164623338346435346538646364383539383363346666393533
|
||||
|
||||
ansible_become_pass: "{{ ansible_become_pass_for[admin] }}"
|
||||
|
||||
common__certbot__cert_name: 'matrix.crypto-libertarian.com'
|
||||
common__certbot__cert_domains:
|
||||
- 'matrix.crypto-libertarian.com'
|
||||
- 'element.crypto-libertarian.com'
|
||||
common__certbot__post_hook: 'systemctl is-active nginx.service || systemctl start nginx.service'
|
||||
common__certbot__pre_hook: 'systemctl is-active nginx.service && systemctl stop nginx.service || true'
|
||||
|
||||
common__nginx__state: install
|
||||
common__nginx__remove_default: true
|
||||
|
||||
matrix__site_host: 'crypto-libertarian.com'
|
||||
matrix__base_host: 'matrix.crypto-libertarian.com'
|
||||
matrix__web_host: 'element.crypto-libertarian.com'
|
||||
|
||||
matrix__site_url: 'https://crypto-libertarian.com'
|
||||
matrix__base_url: 'https://matrix.crypto-libertarian.com'
|
||||
matrix__web_url: 'https://element.crypto-libertarian.com'
|
||||
|
||||
matrix__admin_contact: 'mailto:kotovalexarian@gmail.com'
|
||||
matrix__admin_user: '@kotovalexarian:crypto-libertarian.com'
|
||||
|
||||
matrix__nginx__ssl_cert: '/etc/letsencrypt/live/matrix.crypto-libertarian.com/fullchain.pem'
|
||||
matrix__nginx__ssl_key: '/etc/letsencrypt/live/matrix.crypto-libertarian.com/privkey.pem'
|
||||
|
||||
matrix__synapse__pg_enable: true
|
||||
matrix__synapse__pg_host: 'postgres.crypto-libertarian.com'
|
||||
matrix__synapse__pg_username: 'matrix_synapse'
|
||||
matrix__synapse__pg_database: 'matrix_synapse'
|
||||
|
||||
matrix__synapse__pg_password: !vault |
|
||||
$ANSIBLE_VAULT;1.2;AES256;matrix
|
||||
36666361363761366636626266613931326432313530356361643535396534623435393432386135
|
||||
3366346639386430646334333361303565653436343335660a393766303963633761343738663836
|
||||
61636264656534653934663835373934613963326563376435656634326633373263393735613932
|
||||
3164633537313039380a396638626366333639393463376666353534653837313438613435396333
|
||||
66303235616232343966336639313034383964623334663961313234376332333338343961313562
|
||||
3366623965646237633733373165346366333436373139346435
|
||||
|
||||
matrix__synapse__signing_key: !vault |
|
||||
$ANSIBLE_VAULT;1.2;AES256;matrix
|
||||
63353038343038626239333939363961393638343834316163316330376237626339303634613162
|
||||
3934313537333630633931333930343264323639303537390a353532636532626433393132376138
|
||||
35376235366533353763656331343034333431366333643934623537316665663730646532623039
|
||||
3433336635643134300a373334623136396635363530646161323735336230363737333362383235
|
||||
37646636346139366566666339616338346134373766373664316632373061333035643039336665
|
||||
62373562326133653461373763383337623339303832626335396530373162303337313134346265
|
||||
356230363135373266663736326238663931
|
||||
|
||||
matrix__synapse__reg_secret: !vault |
|
||||
$ANSIBLE_VAULT;1.2;AES256;matrix
|
||||
66386664663864336530613438643534666361306331366639393261303933613430333934613833
|
||||
6532383963306639616263616162353339633333343865350a666634323966373066643639616332
|
||||
33346436323230386264343535376161376531376434626563373961636562343533303934363234
|
||||
3033633366663030370a633566336136626138343930386237643736353166626334653364373162
|
||||
63356337363962373331333865616663336634373133633165633833653166373939376231356439
|
||||
63303839386134653333663462613136623937393162373465613233623931643039613339336462
|
||||
346332383032363866643637376563376639
|
||||
|
||||
matrix__synapse__macaroon_secret: !vault |
|
||||
$ANSIBLE_VAULT;1.2;AES256;matrix
|
||||
62653661363330626261303164636665336164383662343462373061356561326338343830306534
|
||||
3339633839333036333561643438346562646636333539650a396565306430653965303765396537
|
||||
63333437633964333236643239633561373332373365663835613437386139383333323364386462
|
||||
6638346532306130620a626563326663333562313464346338626533666237616231666465653239
|
||||
66336332663130623862396636373435303438383066313932653532333337316263613964343165
|
||||
66656639666664323933316339396634613134356336383239353638643730636235633732333764
|
||||
396330653436636161313939646233653834
|
||||
|
||||
matrix__synapse__form_secret: !vault |
|
||||
$ANSIBLE_VAULT;1.2;AES256;matrix
|
||||
30386164303933346363353063653137366636636535393761383930336132396162623835656134
|
||||
6563663236623163613865633638343530336337353261310a636636636639326162633933306131
|
||||
66383137393839396164633638336564356562666462383935373961313964316165343232343839
|
||||
3637623531363435610a356134316431343639336462333838373438323664643235346337663834
|
||||
33366663666563613733386135316665323735626336333039383333313232313862623564643937
|
||||
35643863343836656163653764353035326433653239393034386433663165663066343764613834
|
||||
363666366630653364303235643064303031
|
||||
|
||||
matrix__synapse__recaptcha_public_key: '6LcJ26wZAAAAABVW68GFDaZn0RM1Ros6DUfkND_9'
|
||||
|
||||
matrix__synapse__recaptcha_private_key: !vault |
|
||||
$ANSIBLE_VAULT;1.2;AES256;matrix
|
||||
64663161393264383535653233343433613131393065626564613937306666373932636464383763
|
||||
3464613232333631656535396431643037616636353231660a313936613636666663633437353530
|
||||
34613433306136373131363862313161656637373936366163313966643762656136376331306133
|
||||
3932306230633030340a633639643332313765333963356131376238313762343130303065613533
|
||||
32363433373132623431663763646434353666333837663738363766383566313463313139623939
|
||||
3330643537663461333330336266396531363763376236643061
|
||||
|
||||
matrix__media_repo__postgres: !vault |
|
||||
$ANSIBLE_VAULT;1.2;AES256;matrix
|
||||
32343261616564383739383139636636306637616137366138623032303963363532326563303438
|
||||
6263636534386534643539386138313965663533623935340a366531316136653131646137353566
|
||||
30623962613061323939313230326433636330356436626366363464353762303832393332396536
|
||||
3564376330383237310a643338663061636662343662346137333039636230666137656537383336
|
||||
66383635323464623663303032303532393639313361646231323436613065373565623239376366
|
||||
36613233626465376230646138356135636662663965373061616433656665356135616337386236
|
||||
61316463386265336236346636626465353166373833336534343536313437306164663965646162
|
||||
39353733353533353533306434353539383463346563656433313532376632343935653036393437
|
||||
63386539326464346261393666326132383034623264663431313465343636376433343535356432
|
||||
31633835356235376462656635383931363339353138353537326633393261313464383332393738
|
||||
643434393863366439623237653737353439
|
||||
|
||||
matrix__media_repo__s3_endpoint: 's3.eu-central-1.amazonaws.com'
|
||||
matrix__media_repo__s3_bucket: 'crypto-libertarian-matrix-media-repo'
|
||||
|
||||
matrix__media_repo__s3_access_key: !vault |
|
||||
$ANSIBLE_VAULT;1.2;AES256;matrix
|
||||
35326162306233313937646565623563636538376464643739313462323535393366363262323565
|
||||
3465623639303935623461336230646439663839343331320a663635343239366366623062346630
|
||||
37626332323965383738366532313665383564366132383530613762643836333831393735666438
|
||||
6132393437343464390a336339383439326338646137356634333534636236326438646433353965
|
||||
63376165363038326337346139303961373565346265393836396439656131633263
|
||||
|
||||
matrix__media_repo__s3_access_secret: !vault |
|
||||
$ANSIBLE_VAULT;1.2;AES256;matrix
|
||||
36316562306261323138663361353762393736343765346435633631353734663765343638383265
|
||||
3132383663393161306464386336396265363962313764320a653862343933666461666134383434
|
||||
38623661326462303962376535373862303235353131363361633736336231336536633338643233
|
||||
3539663031633038360a316433343432663865393738366633376235653839326232663134303931
|
||||
65363837313464616536333934353062353962363365353831623234363939636333616634323832
|
||||
3466656664353839333966643333336432303435663232646664
|
||||
|
||||
matrix__static__user_id: '@1:crypto-libertarian.com'
|
||||
|
||||
matrix__static__access_token: !vault |
|
||||
$ANSIBLE_VAULT;1.2;AES256;matrix
|
||||
66626138616337666537383562623139356364633837376133326235396662306330663666336333
|
||||
6538623736613538373235623866333066396539396138320a316363393664363332353138386261
|
||||
34313935326433623763656433326533323233623738313063623938336664663230623033373032
|
||||
3831393536313235300a313935313636353762346437633366336433343666383630373232616338
|
||||
35346636343137356530373538303437306461393663393862356666326430363339333739653434
|
||||
65343963653731626133343636633035393661373634373066633165356566623538663862376662
|
||||
36343865643637306432656563626566666362393737666461316435666664323735323439653839
|
||||
65353937393265356264316238356636376635356263623364363564616234616330646638323635
|
||||
30326436656366336562393332386565616338643565316637343336663133373532636634323932
|
||||
30333566363866313432366164613537353230356630383830653463623233316539326337316638
|
||||
39356663343938356266373162333166366437303033643366313137323332643938626266303165
|
||||
31636662663937613638366433316433393662386637623331383761393866336234633332306434
|
||||
65363063636562633762373232323639393435623765376265613638616265353363636439373537
|
||||
66633335303564656637653933363730366462363164306334386166663534333738356266626439
|
||||
63393336333666616335656566653835393163656430333631386364396364313666333833633932
|
||||
31663530646237376630366632336661316561336233636637333761363739343639363536626665
|
||||
39376636373630383034393966316335363138643334396432346638633865383435313139663937
|
||||
31336165666466613733326135656433633461653237396533643237353463363665646338663164
|
||||
63316430663163303434346233316464386634623836373664336366313961353963663632666362
|
||||
64626636376466333139
|
||||
|
||||
common__iptables__drop_by_default: true
|
||||
|
||||
common__iptables__v4_filter: |
|
||||
# Allow incoming HTTP, HTTPS, Matrix.
|
||||
-A INPUT -p tcp -m multiport --dport 80,443,8448 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
|
||||
-A OUTPUT -p tcp -m multiport --sport 80,443,8448 -m conntrack --ctstate ESTABLISHED -j ACCEPT
|
||||
|
||||
# Deny other HTTP, HTTPS, Matrix.
|
||||
-A INPUT -p tcp -m multiport --dport 80,443,8448 -j REJECT
|
||||
-A OUTPUT -p tcp -m multiport --sport 80,443,8448 -j REJECT
|
||||
|
||||
common__iptables__v6_filter: '{{ common__iptables__v4_filter }}'
|
|
@ -1,155 +0,0 @@
|
|||
---
|
||||
ansible_become_pass_for:
|
||||
kotovalexarian: !vault |
|
||||
$ANSIBLE_VAULT;1.2;AES256;kotovalexarian
|
||||
61623634613531666632363233346539303131313038666132643464313263356162616661336339
|
||||
6437356339396139346435636462613163396332313135620a383962643839393764616130663264
|
||||
39363331653837376434613266623331333563343264383365336234666230633334313338623938
|
||||
3562303035333732360a393931353339653539323732316137363532316234306461393265633763
|
||||
64343336303765646239386265306435323230303764376439346530646138323137333461383766
|
||||
3534613339653530643635316531356166313735623339613937
|
||||
xuhcc: !vault |
|
||||
$ANSIBLE_VAULT;1.2;AES256;xuhcc
|
||||
33343933353961653437653139333435306663383434646339353763303530353731383438653337
|
||||
3531393762396135366332396632653036346333623133650a306162326438333931303862383330
|
||||
39626564333130623731343339663764643632323566393734346565353934656561386462326434
|
||||
6538303365386631640a366330333135313464333962313638643465613836643037323833626131
|
||||
39623562376439376665636537396339613462356131343763323437623334323463
|
||||
|
||||
ansible_become_pass: "{{ ansible_become_pass_for[admin] }}"
|
||||
|
||||
common__certbot__cert_name: 'postgres.crypto-libertarian.com'
|
||||
common__certbot__cert_domains:
|
||||
- 'postgres.crypto-libertarian.com'
|
||||
|
||||
postgresql_users:
|
||||
- name: matrix_synapse
|
||||
password: !vault |
|
||||
$ANSIBLE_VAULT;1.2;AES256;postgres
|
||||
65363838636633623362663839303333346337646138333862373831343162343161356435336565
|
||||
3032626439376630656338373464376463663935366134660a316136373261303331633836633937
|
||||
30646533386163313136656138633437386366616234383265366261346636396130626333333235
|
||||
3264356332336461320a323065616231663165613737646566336434663862306333393465366261
|
||||
33373533393361356664343337353861313334623136353138643834336236306662383032316432
|
||||
3336623036373964313036633434626239396139336666393361
|
||||
- name: matrix_media_repo
|
||||
password: !vault |
|
||||
$ANSIBLE_VAULT;1.2;AES256;postgres
|
||||
39386236643763333734653936616466376334636166646133653335626365373039356262376161
|
||||
3439353138643533613166333562663134666539653431340a636231353663633033363034643232
|
||||
63393063346332353765343961383730633266613532656234336266623538376332636361353932
|
||||
6634626266333033330a626536333161663239353831306466323038373961663132306334386437
|
||||
64376231643964363935633531643938616430396664393237613361626465373536643339656566
|
||||
6233663734316163386434343332346364363362653934363162
|
||||
|
||||
postgresql_databases:
|
||||
- name: matrix_synapse
|
||||
owner: matrix_synapse
|
||||
lc_collate: C
|
||||
lc_ctype: C
|
||||
- name: matrix_media_repo
|
||||
owner: matrix_media_repo
|
||||
lc_collate: C
|
||||
lc_ctype: C
|
||||
|
||||
postgresql_hba_entries:
|
||||
- type: local
|
||||
database: all
|
||||
user: all
|
||||
auth_method: peer
|
||||
|
||||
- type: host
|
||||
database: all
|
||||
user: all
|
||||
address: '127.0.0.1/32'
|
||||
auth_method: md5
|
||||
|
||||
- type: host
|
||||
database: all
|
||||
user: all
|
||||
address: '::1/128'
|
||||
auth_method: md5
|
||||
|
||||
- type: hostssl
|
||||
database: matrix_synapse
|
||||
user: matrix_synapse
|
||||
address: '134.209.196.172/32'
|
||||
auth_method: md5
|
||||
|
||||
- type: hostssl
|
||||
database: matrix_synapse
|
||||
user: matrix_synapse
|
||||
address: '2a03:b0c0:2:f0::142:3001/128'
|
||||
auth_method: md5
|
||||
|
||||
- type: hostssl
|
||||
database: matrix_synapse
|
||||
user: matrix_synapse
|
||||
address: '10.133.8.214/32'
|
||||
auth_method: md5
|
||||
|
||||
- type: hostssl
|
||||
database: matrix_media_repo
|
||||
user: matrix_media_repo
|
||||
address: '134.209.196.172/32'
|
||||
auth_method: md5
|
||||
|
||||
- type: hostssl
|
||||
database: matrix_media_repo
|
||||
user: matrix_media_repo
|
||||
address: '2a03:b0c0:2:f0::142:3001/128'
|
||||
auth_method: md5
|
||||
|
||||
- type: hostssl
|
||||
database: matrix_media_repo
|
||||
user: matrix_media_repo
|
||||
address: '10.133.8.214/32'
|
||||
auth_method: md5
|
||||
|
||||
- type: host
|
||||
database: all
|
||||
user: all
|
||||
address: '0.0.0.0/0'
|
||||
auth_method: reject
|
||||
|
||||
- type: host
|
||||
database: all
|
||||
user: all
|
||||
address: '::/0'
|
||||
auth_method: reject
|
||||
|
||||
common__iptables__v4_filter: |
|
||||
# Allow incoming HTTP for Certbot to work.
|
||||
-A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
|
||||
-A OUTPUT -p tcp --sport 80 -m conntrack --ctstate ESTABLISHED -j ACCEPT
|
||||
|
||||
# Deny other HTTP.
|
||||
-A INPUT -p tcp --dport 80 -j REJECT
|
||||
-A OUTPUT -p tcp --dport 80 -j REJECT
|
||||
|
||||
# Allow incoming PostgreSQL from specific hosts.
|
||||
-A INPUT -p tcp --dport 5432 -s 134.209.196.172/32 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
|
||||
-A OUTPUT -p tcp --sport 5432 -d 134.209.196.172/32 -m conntrack --ctstate ESTABLISHED -j ACCEPT
|
||||
-A INPUT -p tcp --dport 5432 -s 10.133.8.214/32 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
|
||||
-A OUTPUT -p tcp --sport 5432 -d 10.133.8.214/32 -m conntrack --ctstate ESTABLISHED -j ACCEPT
|
||||
|
||||
# Deny other PostgreSQL.
|
||||
-A INPUT -p tcp --dport 5432 -j REJECT
|
||||
-A OUTPUT -p tcp --sport 5432 -j REJECT
|
||||
|
||||
common__iptables__v6_filter: |
|
||||
# Allow incoming HTTP for Certbot to work.
|
||||
-A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
|
||||
-A OUTPUT -p tcp --sport 80 -m conntrack --ctstate ESTABLISHED -j ACCEPT
|
||||
|
||||
# Deny other HTTP.
|
||||
-A INPUT -p tcp --dport 80 -j REJECT
|
||||
-A OUTPUT -p tcp --dport 80 -j REJECT
|
||||
|
||||
# Allow incoming PostgreSQL from specific hosts.
|
||||
-A INPUT -p tcp --dport 5432 -s 2a03:b0c0:2:f0::142:3001/128 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
|
||||
-A OUTPUT -p tcp --sport 5432 -d 2a03:b0c0:2:f0::142:3001/128 -m conntrack --ctstate ESTABLISHED -j ACCEPT
|
||||
|
||||
# Deny other PostgreSQL.
|
||||
-A INPUT -p tcp --dport 5432 -j REJECT
|
||||
-A OUTPUT -p tcp --sport 5432 -j REJECT
|
5
hosts
5
hosts
|
@ -1,6 +1 @@
|
|||
git.crypto-libertarian.com
|
||||
matrix.crypto-libertarian.com
|
||||
postgres.crypto-libertarian.com
|
||||
|
||||
[postgres]
|
||||
postgres.crypto-libertarian.com
|
||||
|
|
|
@ -1,13 +0,0 @@
|
|||
---
|
||||
- hosts: postgres
|
||||
tasks:
|
||||
- name: Find PostgreSQL dumps
|
||||
find:
|
||||
paths: '{{ postgresql_backups_dir }}'
|
||||
register: postgresql_dumps
|
||||
|
||||
- name: Fetch PostgreSQL dumps
|
||||
fetch:
|
||||
src: '{{ item }}'
|
||||
dest: ../../backups
|
||||
with_items: "{{ postgresql_dumps.files | map(attribute='path') | list }}"
|
|
@ -1,3 +1,2 @@
|
|||
---
|
||||
- import_playbook: git.yml
|
||||
- import_playbook: postgres.yml
|
||||
|
|
|
@ -1,11 +0,0 @@
|
|||
---
|
||||
- hosts: matrix.crypto-libertarian.com
|
||||
module_defaults:
|
||||
apt:
|
||||
force_apt_get: true
|
||||
update_cache: true
|
||||
cache_valid_time: 86400
|
||||
roles:
|
||||
- name: kotovalexarian.common
|
||||
tags: common
|
||||
- ../../roles/matrix
|
|
@ -1,19 +0,0 @@
|
|||
---
|
||||
- hosts: postgres
|
||||
module_defaults:
|
||||
apt:
|
||||
force_apt_get: true
|
||||
update_cache: true
|
||||
cache_valid_time: 86400
|
||||
roles:
|
||||
- name: kotovalexarian.common
|
||||
tags: common
|
||||
- geerlingguy.postgresql
|
||||
tasks:
|
||||
- name: Create daily Cron job for PostgreSQL backup
|
||||
template:
|
||||
src: ../../templates/pg_backup
|
||||
dest: /etc/cron.daily/pg_backup
|
||||
mode: 'u=rwx,g=rx,o=rx'
|
||||
owner: root
|
||||
group: root
|
|
@ -1,4 +1,2 @@
|
|||
---
|
||||
- import_playbook: git.yml
|
||||
- import_playbook: postgres.yml
|
||||
- import_playbook: matrix.yml
|
||||
|
|
|
@ -1,5 +1,3 @@
|
|||
---
|
||||
- src: kotovalexarian.common
|
||||
version: v0.0.45
|
||||
- src: geerlingguy.postgresql
|
||||
version: 2.2.1
|
||||
|
|
|
@ -1,41 +0,0 @@
|
|||
---
|
||||
matrix__site_host: 'example.com'
|
||||
matrix__base_host: 'matrix.example.com'
|
||||
matrix__web_host: 'element.example.com'
|
||||
|
||||
matrix__site_url: 'https://example.com'
|
||||
matrix__base_url: 'https://matrix.example.com'
|
||||
matrix__web_url: 'https://element.example.com'
|
||||
|
||||
matrix__admin_contact: 'mailto:user@example.com'
|
||||
matrix__admin_user: '@user:example.com'
|
||||
|
||||
matrix__base_ssl_cert: '/etc/letsencrypt/live/matrix.example.com/fullchain.pem'
|
||||
matrix__web_ssl_cert: '/etc/letsencrypt/live/element.example.com/fullchain.pem'
|
||||
|
||||
matrix__base_ssl_key: '/etc/letsencrypt/live/matrix.example.com/privkey.pem'
|
||||
matrix__web_ssl_key: '/etc/letsencrypt/live/element.example.com/privkey.pem'
|
||||
|
||||
matrix__synapse__pg_enable: false
|
||||
matrix__synapse__pg_host: 'postgres.example.com'
|
||||
matrix__synapse__pg_port: 5432
|
||||
matrix__synapse__pg_username: ''
|
||||
matrix__synapse__pg_password: ''
|
||||
matrix__synapse__pg_database: ''
|
||||
|
||||
matrix__synapse__signing_key: ''
|
||||
matrix__synapse__reg_secret: ''
|
||||
matrix__synapse__macaroon_secret: ''
|
||||
matrix__synapse__form_secret: ''
|
||||
|
||||
matrix__synapse__recaptcha_public_key: ''
|
||||
matrix__synapse__recaptcha_private_key: ''
|
||||
|
||||
matrix__media_repo__postgres: 'postgres://user:pass@example.com/dbname?sslmode=require'
|
||||
matrix__media_repo__s3_endpoint: 's3.eu-central-1.amazonaws.com'
|
||||
matrix__media_repo__s3_access_key: ''
|
||||
matrix__media_repo__s3_access_secret: ''
|
||||
matrix__media_repo__s3_bucket: 'example-matrix-media-repo'
|
||||
|
||||
matrix__static__user_id: ''
|
||||
matrix__static__access_token: ''
|
|
@ -1,26 +0,0 @@
|
|||
---
|
||||
- name: Restart Nginx
|
||||
systemd:
|
||||
name: nginx
|
||||
state: restarted
|
||||
|
||||
- name: Load, enable and restart Matrix Synapse
|
||||
systemd:
|
||||
name: '{{ matrix__synapse__service }}'
|
||||
daemon_reload: true
|
||||
enabled: true
|
||||
state: restarted
|
||||
|
||||
- name: Load, enable and restart Matrix Media Repo
|
||||
systemd:
|
||||
name: '{{ matrix__media_repo__service }}'
|
||||
daemon_reload: true
|
||||
enabled: true
|
||||
state: restarted
|
||||
|
||||
- name: Load, enable and restart Matrix Static
|
||||
systemd:
|
||||
name: '{{ matrix__static__service }}'
|
||||
daemon_reload: true
|
||||
enabled: true
|
||||
state: restarted
|
|
@ -1,21 +0,0 @@
|
|||
---
|
||||
- name: Create Matrix directories
|
||||
file:
|
||||
state: directory
|
||||
path: '{{ item }}'
|
||||
mode: 'u=rwx,g=rwx,o=rx'
|
||||
owner: root
|
||||
group: root
|
||||
with_items:
|
||||
- '{{ matrix__conf_dir }}'
|
||||
- '{{ matrix__opt_dir }}'
|
||||
- '{{ matrix__lib_dir }}'
|
||||
- '{{ matrix__run_dir }}'
|
||||
|
||||
- name: Recreate Matrix rundirs
|
||||
template:
|
||||
src: '../templates/tmpfiles.d/matrix.conf'
|
||||
dest: '/etc/tmpfiles.d/matrix.conf'
|
||||
mode: 'u=rw,g=r,o=r'
|
||||
owner: root
|
||||
group: root
|
|
@ -1,37 +0,0 @@
|
|||
---
|
||||
- name: Create Matrix Element directories
|
||||
file:
|
||||
state: directory
|
||||
path: '{{ item }}'
|
||||
mode: 'u=rwx,g=rwx,o=rx'
|
||||
owner: root
|
||||
group: root
|
||||
with_items:
|
||||
- '{{ matrix__element__opt_dir }}'
|
||||
- '{{ matrix__element__src_dir }}'
|
||||
|
||||
- name: Get Matrix Element source code
|
||||
get_url:
|
||||
url: '{{ matrix__element__url }}'
|
||||
checksum: '{{ matrix__element__checksum }}'
|
||||
dest: '{{ matrix__element__archive_file }}'
|
||||
mode: 'u=rw,g=rw,o=r'
|
||||
owner: root
|
||||
group: root
|
||||
|
||||
- name: Extract Matrix Element source code
|
||||
unarchive:
|
||||
remote_src: true
|
||||
src: '{{ matrix__element__archive_file }}'
|
||||
dest: '{{ matrix__element__src_dir }}'
|
||||
creates: '{{ matrix__element__src_dir }}/index.html'
|
||||
extra_opts:
|
||||
- '--strip-components=1'
|
||||
|
||||
- name: Create Matrix Element config
|
||||
template:
|
||||
src: '../templates/element/config.json'
|
||||
dest: '{{ matrix__element__conf_file }}'
|
||||
mode: 'u=rw,g=rw,o=r'
|
||||
owner: root
|
||||
group: root
|
|
@ -1,18 +0,0 @@
|
|||
---
|
||||
- include_tasks: common.yml
|
||||
- meta: flush_handlers
|
||||
|
||||
- include_tasks: nginx.yml
|
||||
- meta: flush_handlers
|
||||
|
||||
- include_tasks: synapse.yml
|
||||
- meta: flush_handlers
|
||||
|
||||
- include_tasks: media_repo.yml
|
||||
- meta: flush_handlers
|
||||
|
||||
- include_tasks: static.yml
|
||||
- meta: flush_handlers
|
||||
|
||||
- include_tasks: element.yml
|
||||
- meta: flush_handlers
|
|
@ -1,66 +0,0 @@
|
|||
---
|
||||
- name: Install system packages for Matrix Media Repo
|
||||
apt:
|
||||
name: golang
|
||||
notify: Load, enable and restart Matrix Media Repo
|
||||
|
||||
- name: Create Matrix Media Repo system group
|
||||
group:
|
||||
name: '{{ matrix__media_repo__group }}'
|
||||
system: true
|
||||
notify: Load, enable and restart Matrix Media Repo
|
||||
|
||||
- name: Create Matrix Media Repo system user
|
||||
user:
|
||||
name: '{{ matrix__media_repo__user }}'
|
||||
group: '{{ matrix__media_repo__group }}'
|
||||
system: true
|
||||
create_home: true
|
||||
home: '{{ matrix__media_repo__lib_dir }}'
|
||||
notify: Load, enable and restart Matrix Media Repo
|
||||
|
||||
- name: Create Matrix Media Repo directories
|
||||
file:
|
||||
state: directory
|
||||
path: '{{ item }}'
|
||||
mode: 'u=rwx,g=rwx,o=rx'
|
||||
owner: '{{ matrix__media_repo__user }}'
|
||||
group: '{{ matrix__media_repo__group }}'
|
||||
with_items:
|
||||
- '{{ matrix__media_repo__conf_dir }}'
|
||||
- '{{ matrix__media_repo__opt_dir }}'
|
||||
- '{{ matrix__media_repo__src_dir }}'
|
||||
notify: Load, enable and restart Matrix Media Repo
|
||||
|
||||
- name: Create Matrix Media Repo config
|
||||
template:
|
||||
src: '../templates/media_repo/config.yaml'
|
||||
dest: '{{ matrix__media_repo__conf_file }}'
|
||||
mode: 'u=rw,g=rw,o='
|
||||
owner: '{{ matrix__media_repo__user }}'
|
||||
group: '{{ matrix__media_repo__group }}'
|
||||
notify: Load, enable and restart Matrix Media Repo
|
||||
|
||||
- name: Create Matrix Media Repo systemd service
|
||||
template:
|
||||
src: '../templates/media_repo/matrix-media-repo.service'
|
||||
dest: '{{ matrix__media_repo__service_file }}'
|
||||
mode: 'u=rw,g=rw,o=r'
|
||||
owner: root
|
||||
group: root
|
||||
notify: Load, enable and restart Matrix Media Repo
|
||||
|
||||
- name: Get Matrix Media Repo source code
|
||||
become_user: '{{ matrix__media_repo__user }}'
|
||||
git:
|
||||
repo: 'https://github.com/turt2live/matrix-media-repo.git'
|
||||
dest: '{{ matrix__media_repo__src_dir }}'
|
||||
version: 'b73a0082dd22e9ff447950b18e9ca49c73a6d912'
|
||||
|
||||
- name: Build Matrix Media Repo source code
|
||||
become_user: '{{ matrix__media_repo__user }}'
|
||||
command:
|
||||
chdir: '{{ matrix__media_repo__src_dir }}'
|
||||
creates: '{{ matrix__media_repo__src_dir }}/bin/media_repo'
|
||||
cmd: '/bin/bash {{ matrix__media_repo__src_dir }}/build.sh'
|
||||
notify: Load, enable and restart Matrix Media Repo
|
|
@ -1,18 +0,0 @@
|
|||
---
|
||||
- name: Create Nginx server configuration
|
||||
template:
|
||||
src: '../templates/nginx/matrix.conf'
|
||||
dest: '/etc/nginx/sites-available/matrix.conf'
|
||||
mode: 'u=rw,g=rw,o=r'
|
||||
owner: root
|
||||
group: root
|
||||
notify: Restart Nginx
|
||||
|
||||
- name: Enable Nginx server configuration
|
||||
file:
|
||||
state: link
|
||||
src: '/etc/nginx/sites-available/matrix.conf'
|
||||
dest: '/etc/nginx/sites-enabled/matrix.conf'
|
||||
owner: root
|
||||
group: root
|
||||
notify: Restart Nginx
|
|
@ -1,108 +0,0 @@
|
|||
---
|
||||
- name: Install system packages for Matrix Static
|
||||
apt:
|
||||
name: golang
|
||||
notify: Load, enable and restart Matrix Static
|
||||
|
||||
- name: Create Matrix Static system group
|
||||
group:
|
||||
name: '{{ matrix__static__group }}'
|
||||
system: true
|
||||
notify: Load, enable and restart Matrix Static
|
||||
|
||||
- name: Create Matrix Static system user
|
||||
user:
|
||||
name: '{{ matrix__static__user }}'
|
||||
group: '{{ matrix__static__group }}'
|
||||
system: true
|
||||
create_home: false
|
||||
notify: Load, enable and restart Matrix Static
|
||||
|
||||
- name: Create Matrix Static directories
|
||||
file:
|
||||
state: directory
|
||||
path: '{{ item }}'
|
||||
mode: 'u=rwx,g=rwx,o=rx'
|
||||
owner: '{{ matrix__static__user }}'
|
||||
group: '{{ matrix__static__group }}'
|
||||
with_items:
|
||||
- '{{ matrix__static__conf_dir }}'
|
||||
- '{{ matrix__static__opt_dir }}'
|
||||
- '{{ matrix__static__src_dir }}'
|
||||
- '{{ matrix__static__bin_dir }}'
|
||||
notify: Load, enable and restart Matrix Static
|
||||
|
||||
- name: Create Matrix Static config
|
||||
template:
|
||||
src: '../templates/static/config.json'
|
||||
dest: '{{ matrix__static__conf_file }}'
|
||||
mode: 'u=rw,g=rw,o='
|
||||
owner: '{{ matrix__static__user }}'
|
||||
group: '{{ matrix__static__group }}'
|
||||
notify: Load, enable and restart Matrix Static
|
||||
|
||||
- name: Create Matrix Static systemd service
|
||||
template:
|
||||
src: '../templates/static/matrix-static.service'
|
||||
dest: '{{ matrix__static__service_file }}'
|
||||
mode: 'u=rw,g=rw,o=r'
|
||||
owner: root
|
||||
group: root
|
||||
notify: Load, enable and restart Matrix Static
|
||||
|
||||
- name: Get Matrix Static source code
|
||||
get_url:
|
||||
url: '{{ matrix__static__url }}'
|
||||
checksum: '{{ matrix__static__checksum }}'
|
||||
dest: '{{ matrix__static__archive_file }}'
|
||||
mode: 'u=rw,g=rw,o=r'
|
||||
owner: '{{ matrix__static__user }}'
|
||||
group: '{{ matrix__static__group }}'
|
||||
|
||||
- name: Extract Matrix Static source code
|
||||
become_user: '{{ matrix__static__user }}'
|
||||
unarchive:
|
||||
remote_src: true
|
||||
src: '{{ matrix__static__archive_file }}'
|
||||
dest: '{{ matrix__static__src_dir }}'
|
||||
creates: '{{ matrix__static__src_dir }}/README.md'
|
||||
extra_opts:
|
||||
- '--strip-components=1'
|
||||
|
||||
- name: Get Quicktemplate source code
|
||||
become_user: '{{ matrix__static__user }}'
|
||||
git:
|
||||
repo: 'https://github.com/valyala/quicktemplate.git'
|
||||
dest: '{{ matrix__static__opt_dir }}/go-quicktemplate'
|
||||
version: '1a0f4e9691adbb86df52cb2dd9adafa6a28585a0'
|
||||
|
||||
- name: Install Quicktemplate
|
||||
become_user: '{{ matrix__static__user }}'
|
||||
command:
|
||||
chdir: '{{ matrix__static__opt_dir }}/go-quicktemplate/qtc'
|
||||
creates: '{{ matrix__static__opt_dir }}/go/bin/qtc'
|
||||
cmd: 'go install .'
|
||||
environment:
|
||||
GOPATH: '{{ matrix__static__opt_dir }}/go'
|
||||
GOCACHE: '{{ matrix__static__opt_dir }}/go-cache'
|
||||
|
||||
- name: Run Go executable qtc
|
||||
become_user: '{{ matrix__static__user }}'
|
||||
command:
|
||||
chdir: '{{ matrix__static__src_dir }}'
|
||||
creates: '{{ matrix__static__src_dir }}/templates/basepage.qtpl.go'
|
||||
cmd: '{{ matrix__static__opt_dir }}/go/bin/qtc'
|
||||
environment:
|
||||
GOPATH: '{{ matrix__static__opt_dir }}/go'
|
||||
GOCACHE: '{{ matrix__static__opt_dir }}/go-cache'
|
||||
|
||||
- name: Build Matrix Static source code
|
||||
become_user: '{{ matrix__static__user }}'
|
||||
command:
|
||||
chdir: '{{ matrix__static__src_dir }}'
|
||||
creates: '{{ matrix__static__bin_dir }}/matrix-static'
|
||||
cmd: 'go build -o {{ matrix__static__bin_dir }} ./cmd/...'
|
||||
environment:
|
||||
GOPATH: '{{ matrix__static__opt_dir }}/go'
|
||||
GOCACHE: '{{ matrix__static__opt_dir }}/go-cache'
|
||||
notify: Load, enable and restart Matrix Static
|
|
@ -1,145 +0,0 @@
|
|||
---
|
||||
- name: Install system packages for Matrix Synapse
|
||||
apt:
|
||||
name:
|
||||
- build-essential
|
||||
- libffi-dev
|
||||
- libjpeg-dev
|
||||
- libpq-dev
|
||||
- libpq5
|
||||
- libssl-dev
|
||||
- libxml2-dev
|
||||
- libxslt1-dev
|
||||
- python3-dev
|
||||
- python3-pip
|
||||
- python3-setuptools
|
||||
- sqlite3
|
||||
- virtualenv
|
||||
notify: Load, enable and restart Matrix Synapse
|
||||
|
||||
- name: Create Matrix Synapse system group
|
||||
group:
|
||||
name: '{{ matrix__synapse__group }}'
|
||||
system: true
|
||||
notify: Load, enable and restart Matrix Synapse
|
||||
|
||||
- name: Create Matrix Synapse system user
|
||||
user:
|
||||
name: '{{ matrix__synapse__user }}'
|
||||
group: '{{ matrix__synapse__group }}'
|
||||
system: true
|
||||
create_home: false
|
||||
notify: Load, enable and restart Matrix Synapse
|
||||
|
||||
- name: Create Matrix Synapse directories
|
||||
file:
|
||||
state: directory
|
||||
path: '{{ item }}'
|
||||
mode: 'u=rwx,g=rwx,o=rx'
|
||||
owner: '{{ matrix__synapse__user }}'
|
||||
group: '{{ matrix__synapse__group }}'
|
||||
with_items:
|
||||
- '{{ matrix__synapse__conf_dir }}'
|
||||
- '{{ matrix__synapse__conf_subdir }}'
|
||||
- '{{ matrix__synapse__opt_dir }}'
|
||||
- '{{ matrix__synapse__lib_dir }}'
|
||||
- '{{ matrix__synapse__run_dir }}'
|
||||
notify: Load, enable and restart Matrix Synapse
|
||||
|
||||
- name: Create Matrix Synapse config
|
||||
template:
|
||||
src: '../templates/synapse/config/{{ item }}.yaml'
|
||||
dest: '{{ matrix__synapse__conf_subdir }}/{{ item }}.yaml'
|
||||
mode: 'u=rw,g=rw,o='
|
||||
owner: '{{ matrix__synapse__user }}'
|
||||
group: '{{ matrix__synapse__group }}'
|
||||
notify: Load, enable and restart Matrix Synapse
|
||||
with_items:
|
||||
- other
|
||||
- database
|
||||
- acme
|
||||
- listeners
|
||||
- url_preview
|
||||
- captcha
|
||||
- turn
|
||||
- media_store
|
||||
|
||||
- name: Create Matrix Synapse log config
|
||||
template:
|
||||
src: '../templates/synapse/log_config.yml'
|
||||
dest: '{{ matrix__synapse__log_conf_file }}'
|
||||
mode: 'u=rw,g=rw,o=r'
|
||||
owner: '{{ matrix__synapse__user }}'
|
||||
group: '{{ matrix__synapse__group }}'
|
||||
notify: Load, enable and restart Matrix Synapse
|
||||
|
||||
- name: Create Matrix Synapse signing key
|
||||
copy:
|
||||
content: "{{ matrix__synapse__signing_key }}\n"
|
||||
dest: '{{ matrix__synapse__key_file }}'
|
||||
mode: 'u=rw,g=rw,o='
|
||||
owner: '{{ matrix__synapse__user }}'
|
||||
group: '{{ matrix__synapse__group }}'
|
||||
notify: Load, enable and restart Matrix Synapse
|
||||
|
||||
- name: Create Python virtual env
|
||||
become_user: '{{ matrix__synapse__user }}'
|
||||
command:
|
||||
argv:
|
||||
- 'virtualenv'
|
||||
- '{{ matrix__synapse__venv_dir }}'
|
||||
- '-p'
|
||||
- 'python3'
|
||||
creates: '{{ matrix__synapse__venv_dir }}'
|
||||
notify: Load, enable and restart Matrix Synapse
|
||||
|
||||
- name: Check Python packages
|
||||
command:
|
||||
argv:
|
||||
- '{{ matrix__synapse__venv_dir }}/bin/pip'
|
||||
- 'show'
|
||||
- '{{ item }}'
|
||||
with_items:
|
||||
- 'matrix-synapse'
|
||||
- 'lxml'
|
||||
- 'netaddr'
|
||||
- 'pip'
|
||||
- 'psycopg2'
|
||||
- 'setuptools'
|
||||
ignore_errors: true
|
||||
changed_when: false
|
||||
register: packages_info
|
||||
|
||||
- name: Upgrade Python packages
|
||||
become_user: '{{ matrix__synapse__user }}'
|
||||
command:
|
||||
argv:
|
||||
- '{{ matrix__synapse__venv_dir }}/bin/pip'
|
||||
- 'install'
|
||||
- '--upgrade'
|
||||
- 'pip'
|
||||
- 'setuptools'
|
||||
when: packages_info | json_query('results[*].rc') | difference([0]) != []
|
||||
notify: Load, enable and restart Matrix Synapse
|
||||
|
||||
- name: Install Python packages
|
||||
become_user: '{{ matrix__synapse__user }}'
|
||||
command:
|
||||
argv:
|
||||
- '{{ matrix__synapse__venv_dir }}/bin/pip'
|
||||
- 'install'
|
||||
- 'matrix-synapse'
|
||||
- 'lxml'
|
||||
- 'netaddr'
|
||||
- 'psycopg2'
|
||||
when: packages_info | json_query('results[*].rc') | difference([0]) != []
|
||||
notify: Load, enable and restart Matrix Synapse
|
||||
|
||||
- name: Create Matrix Synapse systemd service
|
||||
template:
|
||||
src: '../templates/synapse/matrix-synapse.service'
|
||||
dest: '{{ matrix__synapse__service_file }}'
|
||||
mode: 'u=rw,g=rw,o=r'
|
||||
owner: root
|
||||
group: root
|
||||
notify: Load, enable and restart Matrix Synapse
|
|
@ -1,59 +0,0 @@
|
|||
{
|
||||
"default_server_config": {
|
||||
"m.homeserver": {
|
||||
"base_url": "https://matrix-client.matrix.org",
|
||||
"server_name": "matrix.org"
|
||||
},
|
||||
"m.identity_server": {
|
||||
"base_url": "https://vector.im"
|
||||
}
|
||||
},
|
||||
"disable_custom_urls": false,
|
||||
"disable_guests": false,
|
||||
"disable_login_language_selector": false,
|
||||
"disable_3pid_login": false,
|
||||
"brand": "Element",
|
||||
"integrations_ui_url": "https://scalar.vector.im/",
|
||||
"integrations_rest_url": "https://scalar.vector.im/api",
|
||||
"integrations_widgets_urls": [
|
||||
"https://scalar.vector.im/_matrix/integrations/v1",
|
||||
"https://scalar.vector.im/api",
|
||||
"https://scalar-staging.vector.im/_matrix/integrations/v1",
|
||||
"https://scalar-staging.vector.im/api",
|
||||
"https://scalar-staging.riot.im/scalar/api"
|
||||
],
|
||||
"bug_report_endpoint_url": "https://riot.im/bugreports/submit",
|
||||
"defaultCountryCode": "GB",
|
||||
"showLabsSettings": false,
|
||||
"features": {
|
||||
"feature_new_spinner": "labs",
|
||||
"feature_pinning": "labs",
|
||||
"feature_custom_status": "labs",
|
||||
"feature_custom_tags": "labs",
|
||||
"feature_state_counters": "labs"
|
||||
},
|
||||
"default_federate": true,
|
||||
"default_theme": "light",
|
||||
"roomDirectory": {
|
||||
"servers": [
|
||||
"matrix.org"
|
||||
]
|
||||
},
|
||||
"welcomeUserId": "@riot-bot:matrix.org",
|
||||
"piwik": {
|
||||
"url": "https://piwik.riot.im/",
|
||||
"whitelistedHSUrls": ["https://matrix.org"],
|
||||
"whitelistedISUrls": ["https://vector.im", "https://matrix.org"],
|
||||
"siteId": 1
|
||||
},
|
||||
"enable_presence_by_hs_url": {
|
||||
"https://matrix.org": false,
|
||||
"https://matrix-client.matrix.org": false
|
||||
},
|
||||
"settingDefaults": {
|
||||
"breadcrumbs": true
|
||||
},
|
||||
"jitsi": {
|
||||
"preferredDomain": "jitsi.riot.im"
|
||||
}
|
||||
}
|
|
@ -1,539 +0,0 @@
|
|||
# General repo configuration
|
||||
repo:
|
||||
bindAddress: '127.0.0.1'
|
||||
port: {{ matrix__media_repo__port }}
|
||||
|
||||
# Where to store the logs, relative to where the repo is started from. Logs will be automatically
|
||||
# rotated every day and held for 14 days. To disable the repo logging to files, set this to
|
||||
# "-" (including quotation marks).
|
||||
#
|
||||
# Note: to change the log directory you'll have to restart the repository. This setting cannot be
|
||||
# live reloaded.
|
||||
logDirectory: '-'
|
||||
|
||||
# If true, the media repo will accept any X-Forwarded-For header without validation. In most cases
|
||||
# this option should be left as "false". Note that the media repo already expects an X-Forwarded-For
|
||||
# header, but validates it to ensure the IP being given makes sense.
|
||||
trustAnyForwardedAddress: false
|
||||
|
||||
# If false, the media repo will not use the X-Forwarded-Host header commonly added by reverse proxies.
|
||||
# Typically this should remain as true, though in some circumstances it may need to be disabled.
|
||||
# See https://github.com/turt2live/matrix-media-repo/issues/202 for more information.
|
||||
useForwardedHost: true
|
||||
|
||||
# Options for dealing with federation
|
||||
federation:
|
||||
# On a per-host basis, the number of consecutive failures in calling the host before the
|
||||
# media repo will back off. This defaults to 20 if not given. Note that 404 errors from
|
||||
# the remote server do not count towards this.
|
||||
backoffAt: 20
|
||||
|
||||
# The database configuration for the media repository
|
||||
# Do NOT put your homeserver's existing database credentials here. Create a new database and
|
||||
# user instead. Using the same server is fine, just not the same username and database.
|
||||
database:
|
||||
# Currently only "postgres" is supported.
|
||||
postgres: "{{ matrix__media_repo__postgres }}"
|
||||
|
||||
# The database pooling options
|
||||
pool:
|
||||
# The maximum number of connects to hold open. More of these allow for more concurrent
|
||||
# processes to happen.
|
||||
maxConnections: 25
|
||||
|
||||
# The maximum number of connects to leave idle. More of these reduces the time it takes
|
||||
# to serve requests in low-traffic scenarios.
|
||||
maxIdleConnections: 5
|
||||
|
||||
# The configuration for the homeservers this media repository is known to control. Servers
|
||||
# not listed here will not be able to upload media.
|
||||
homeservers:
|
||||
-
|
||||
# This should match the server_name of your homeserver, and the Host header
|
||||
# provided to the media repo.
|
||||
name: "{{ matrix__site_host }}"
|
||||
|
||||
# The base URL to where the homeserver can actually be reached
|
||||
csApi: "{{ matrix__base_url }}"
|
||||
|
||||
# The number of consecutive failures in calling this homeserver before the
|
||||
# media repository will start backing off. This defaults to 10 if not given.
|
||||
backoffAt: 10
|
||||
|
||||
# The kind of admin API the homeserver supports. If set to "matrix",
|
||||
# the media repo will use the Synapse-defined endpoints under the
|
||||
# unstable client-server API. When this is "synapse", the new /_synapse
|
||||
# endpoints will be used instead. Unknown values are treated as the
|
||||
# default, "matrix".
|
||||
adminApiKind: 'matrix'
|
||||
|
||||
# Options for controlling how access tokens work with the media repo. It is recommended that if
|
||||
# you are going to use these options that the `/logout` and `/logout/all` client-server endpoints
|
||||
# be proxied through this process. They will also be called on the homeserver, and the response
|
||||
# sent straight through the client - they are simply used to invalidate the cache faster for
|
||||
# a particular user. Without these, the access tokens might still work for a short period of time
|
||||
# after the user has already invalidated them.
|
||||
#
|
||||
# This will also cache errors from the homeserver.
|
||||
#
|
||||
# Note that when this config block is used outside of a per-domain config, all hosts will be
|
||||
# subject to the same cache. This also means that application services on limited homeservers
|
||||
# could be authorized on the wrong domain.
|
||||
#
|
||||
# ***************************************************************************
|
||||
# * IT IS HIGHLY RECOMMENDED TO USE PER-DOMAIN CONFIGS WITH THIS FEATURE. *
|
||||
# ***************************************************************************
|
||||
accessTokens:
|
||||
# The maximum time a cached access token will be considered valid. Set to zero (the default)
|
||||
# to disable the cache and constantly hit the homeserver. This is recommended to be set to
|
||||
# 43200 (12 hours) on servers with the logout endpoints proxied through the media repo, and
|
||||
# zero for servers who do not proxy the endpoints through.
|
||||
maxCacheTimeSeconds: 0
|
||||
|
||||
# Whether or not to use the `appservices` config option below. If disabled (the default),
|
||||
# the regular access token cache will be used for each user, potentially leading to high
|
||||
# memory usage.
|
||||
useLocalAppserviceConfig: false
|
||||
|
||||
# The application services (and their namespaces) registered on the homeserver. Only used
|
||||
# if `useLocalAppserviceConfig` is enabled (recommended).
|
||||
#
|
||||
# Usually the appservice will provide you with these config details - they'll just need
|
||||
# translating from the appservice registration to here. Note that this does not require
|
||||
# all options from the registration, and only requires the bare minimum required to run
|
||||
# the media repo.
|
||||
appservices:
|
||||
- id: Name_of_appservice_for_your_reference
|
||||
asToken: Secret_token_for_appservices_to_use
|
||||
senderUserId: '@_example_bridge:yourdomain.com'
|
||||
userNamespaces:
|
||||
- regex: '@_example_bridge_.+:yourdomain.com'
|
||||
# A note about regexes: it is best to suffix *all* namespaces with the homeserver
|
||||
# domain users are valid for, as otherwise the appservice can use any user with
|
||||
# any domain name it feels like, even if that domain is not configured with the
|
||||
# media repo. This will lead to inaccurate reporting in the case of the media
|
||||
# repo, and potentially leading to media being considered "remote".
|
||||
|
||||
# These users have full access to the administrative functions of the media repository.
|
||||
# See docs/admin.md for information on what these people can do. They must belong to one of the
|
||||
# configured homeservers above.
|
||||
admins:
|
||||
- "{{ matrix__admin_user }}"
|
||||
|
||||
# Shared secret auth is useful for applications building on top of the media repository, such
|
||||
# as a management interface. The `token` provided here is treated as a repository administrator
|
||||
# when shared secret auth is enabled: if the `token` is used in place of an access token, the'
|
||||
# request will be authorized. This is not limited to any particular domain, giving applications
|
||||
# the ability to use it on any configured hostname.
|
||||
sharedSecretAuth:
|
||||
# Set this to true to enable shared secret auth.
|
||||
enabled: false
|
||||
|
||||
# Use a secure value here to prevent unauthorized access to the media repository.
|
||||
token: 'PutSomeRandomSecureValueHere'
|
||||
|
||||
# Datastores are places where media should be persisted. This isn't dedicated for just uploads:
|
||||
# thumbnails and other misc data is also stored in these places. When the media repo is looking
|
||||
# to store new media (such as user uploads, thumbnails, etc) it will look for a datastore which
|
||||
# is flagged as forUploads. It will try to use the smallest datastore first.
|
||||
datastores:
|
||||
- type: file
|
||||
|
||||
# Enable this to set up data storage.
|
||||
enabled: false
|
||||
|
||||
# Datastores can be split into many areas when handling uploads. Media is still de-duplicated
|
||||
# across all datastores (local content which duplicates remote content will re-use the remote
|
||||
# content's location). This option is useful if your datastore is becoming very large, or if
|
||||
# you want faster storage for a particular kind of media.
|
||||
#
|
||||
# The kinds available are:
|
||||
# thumbnails - Used to store thumbnails of media (local and remote).
|
||||
# remote_media - Original copies of remote media (servers not configured by this repo).
|
||||
# local_media - Original uploads for local media.
|
||||
# archives - Archives of content (GDPR and similar requests).
|
||||
forKinds: ['thumbnails']
|
||||
|
||||
opts:
|
||||
path: /var/matrix/media
|
||||
|
||||
- type: s3
|
||||
|
||||
# Enable this to set up s3 uploads
|
||||
enabled: true
|
||||
|
||||
forKinds: ['thumbnails', 'remote_media', 'local_media', 'archives']
|
||||
|
||||
opts:
|
||||
# The s3 uploader needs a temporary location to buffer files to reduce memory usage on
|
||||
# small file uploads. If the file size is unknown, the file is written to this location
|
||||
# before being uploaded to s3 (then the file is deleted). If you aren't concerned about
|
||||
# memory usage, set this to an empty string.
|
||||
tempPath: ''
|
||||
endpoint: "{{ matrix__media_repo__s3_endpoint }}"
|
||||
accessKeyId: "{{ matrix__media_repo__s3_access_key }}"
|
||||
accessSecret: "{{ matrix__media_repo__s3_access_secret }}"
|
||||
ssl: true
|
||||
bucketName: "{{ matrix__media_repo__s3_bucket }}"
|
||||
# An optional region for where this S3 endpoint is located. Typically not needed, though
|
||||
# some providers will need this (like Scaleway). Uncomment to use.
|
||||
#region: 'sfo2'
|
||||
|
||||
# The media repo does support an IPFS datastore, but only if the IPFS feature is enabled. If
|
||||
# the feature is not enabled, this will not work. Note that IPFS support is experimental at
|
||||
# the moment and not recommended for general use.
|
||||
#
|
||||
# NOTE: Everything you upload to IPFS will be publicly accessible, even when the media repo
|
||||
# puts authentication on the download endpoints. Only use this option for cases where you
|
||||
# expect your media to be publicly accessible.
|
||||
- type: ipfs
|
||||
|
||||
# Enable this to use IPFS support
|
||||
enabled: false
|
||||
|
||||
forKinds: ['local_media']
|
||||
|
||||
# The IPFS datastore currently has no options. It will use the daemon or HTTP API configured
|
||||
# in the IPFS section of your main config.
|
||||
opts: {}
|
||||
|
||||
# Options for controlling archives. Archives are exports of a particular user's content for
|
||||
# the purpose of GDPR or moving media to a different server.
|
||||
archiving:
|
||||
# Whether archiving is enabled or not. Default enabled.
|
||||
enabled: true
|
||||
|
||||
# If true, users can request a copy of their own data. By default, only repository administrators
|
||||
# can request a copy.
|
||||
# This includes the ability for homeserver admins to request a copy of their own server's
|
||||
# data, as known to the repo.
|
||||
selfService: false
|
||||
|
||||
# The number of bytes to target per archive before breaking up the files. This is independent
|
||||
# of any file upload limits and will require a similar amount of memory when performing an export.
|
||||
# The file size is also a target, not a guarantee - it is possible to have files that are smaller
|
||||
# or larger than the target. This is recommended to be approximately double the size of your
|
||||
# file upload limit, provided there is enough memory available for the demand of exporting.
|
||||
targetBytesPerPart: 209715200 # 200mb default
|
||||
|
||||
# The file upload settings for the media repository
|
||||
uploads:
|
||||
maxBytes: 104857600 # 100MB default, 0 to disable
|
||||
|
||||
# The minimum number of bytes to let people upload
|
||||
minBytes: 100 # 100 bytes by default
|
||||
|
||||
# The number of bytes to claim as the maximum size for uploads for the limits API. If this
|
||||
# is not provided then the maxBytes setting will be used instead. This is useful to provide
|
||||
# if the media repo's settings and the reverse proxy do not match for maximum request size.
|
||||
# This is purely for informational reasons and does not actually limit any functionality.
|
||||
# Set this to -1 to indicate that there is no limit. Zero will force the use of maxBytes.
|
||||
#reportedMaxBytes: 104857600
|
||||
|
||||
# An optional list of file types that are allowed to be uploaded. If */* or nothing is
|
||||
# supplied here, then all file types are allowed. Asterisks (*) are wildcards and can be
|
||||
# placed anywhere to match everything (eg: "image/*" matches all images). This will also
|
||||
# restrict which file types are downloaded from remote servers.
|
||||
#
|
||||
# Caution: the media repo cannot tell the difference between encrypted media and arbitrary
|
||||
# binary data. For this reason, this option is deprecated and to be removed in a future
|
||||
# version.
|
||||
allowedTypes:
|
||||
- '*/*'
|
||||
|
||||
# Specific users can have their own set of allowed file types. These are applied instead
|
||||
# of those listed in the allowedTypes list when a user is found. Much like allowedTypes,
|
||||
# asterisks may be used in the content types and may also be used in the user IDs. This
|
||||
# allows for entire servers to have different allowed types by setting a rule similar to
|
||||
# "@*:example.org". Users will be allowed to upload a file if the type matches any of
|
||||
# the policies that match the user ID.
|
||||
#
|
||||
# Caution: the media repo cannot tell the difference between encrypted media and arbitrary
|
||||
# binary data. For this reason, this option is deprecated and to be removed in a future
|
||||
# version.
|
||||
#exclusions:
|
||||
# '@someone:example.org':
|
||||
# - 'application/pdf'
|
||||
# - 'application/vnd.ms-excel'
|
||||
# '@*:example.org':
|
||||
# - '*/*'
|
||||
|
||||
|
||||
# Settings related to downloading files from the media repository
|
||||
downloads:
|
||||
# The maximum number of bytes to download from other servers
|
||||
maxBytes: 104857600 # 100MB default, 0 to disable
|
||||
|
||||
# The number of workers to use when downloading remote media. Raise this number if remote
|
||||
# media is downloading slowly or timing out.
|
||||
#
|
||||
# Maximum memory usage = numWorkers multiplied by the maximum download size
|
||||
# Average memory usage is dependent on how many concurrent downloads your users are doing.
|
||||
numWorkers: 10
|
||||
|
||||
# How long, in minutes, to cache errors related to downloading remote media. Once this time
|
||||
# has passed, the media is able to be re-requested.
|
||||
failureCacheMinutes: 5
|
||||
|
||||
# The cache control settings for downloads. This can help speed up downloads for users by
|
||||
# keeping popular media in the cache. This cache is also used for thumbnails.
|
||||
cache:
|
||||
enabled: true
|
||||
|
||||
# The maximum size of cache to have. Higher numbers are better.
|
||||
maxSizeBytes: 1048576000 # 1GB default
|
||||
|
||||
# The maximum file size to cache. This should normally be the same size as your maximum
|
||||
# upload size.
|
||||
maxFileSizeBytes: 104857600 # 100MB default
|
||||
|
||||
# The number of minutes to track how many downloads a file gets
|
||||
trackedMinutes: 30
|
||||
|
||||
# The number of downloads a file must receive in the window above (trackedMinutes) in
|
||||
# order to be cached.
|
||||
minDownloads: 5
|
||||
|
||||
# The minimum amount of time an item should remain in the cache. This prevents the cache
|
||||
# from cycling out the file if it needs more room during this time. Note that the media
|
||||
# repo regularly cleans out media which is past this point from the cache, so this number
|
||||
# may need increasing depending on your use case. If the maxSizeBytes is reached for the
|
||||
# media repo, and some cached items are still under this timer, new items will not be able
|
||||
# to enter the cache. When this happens, consider raising maxSizeBytes or lowering this
|
||||
# timer.
|
||||
minCacheTimeSeconds: 300
|
||||
|
||||
# The minimum amount of time an item should remain outside the cache once it is removed.
|
||||
minEvictedTimeSeconds: 60
|
||||
|
||||
# How many days after a piece of remote content is downloaded before it expires. It can be
|
||||
# re-downloaded on demand, this just helps free up space in your datastore. Set to zero or
|
||||
# negative to disable. Defaults to disabled.
|
||||
expireAfterDays: 0
|
||||
|
||||
# URL Preview settings
|
||||
urlPreviews:
|
||||
enabled: true # If enabled, the preview_url routes will be accessible
|
||||
maxPageSizeBytes: 10485760 # 10MB default, 0 to disable
|
||||
|
||||
# If true, the media repository will try to provide previews for URLs with invalid or unsafe
|
||||
# certificates. If false (the default), the media repo will fail requests to said URLs.
|
||||
previewUnsafeCertificates: false
|
||||
|
||||
# Note: URL previews are limited to a given number of words, which are then limited to a number
|
||||
# of characters, taking off the last word if it needs to. This also applies for the title.
|
||||
|
||||
numWords: 50 # The number of words to include in a preview (maximum)
|
||||
maxLength: 200 # The maximum number of characters for a description
|
||||
|
||||
numTitleWords: 30 # The maximum number of words to include in a preview's title
|
||||
maxTitleLength: 150 # The maximum number of characters for a title
|
||||
|
||||
# The mime types to preview when OpenGraph previews cannot be rendered. OpenGraph previews are
|
||||
# calculated on anything matching "text/*". To have a thumbnail in the preview the URL must be
|
||||
# an image and the image's type must be allowed by the thumbnailer.
|
||||
filePreviewTypes:
|
||||
- 'image/*'
|
||||
|
||||
# The number of workers to use when generating url previews. Raise this number if url
|
||||
# previews are slow or timing out.
|
||||
#
|
||||
# Maximum memory usage = numWorkers multiplied by the maximum page size
|
||||
# Average memory usage is dependent on how many concurrent urls your users are previewing.
|
||||
numWorkers: 10
|
||||
|
||||
# Either allowedNetworks or disallowedNetworks must be provided. If both are provided, they
|
||||
# will be merged. URL previews will be disabled if neither is supplied. Each entry must be
|
||||
# a CIDR range.
|
||||
disallowedNetworks:
|
||||
- '127.0.0.1/8'
|
||||
- '10.0.0.0/8'
|
||||
- '172.16.0.0/12'
|
||||
- '192.168.0.0/16'
|
||||
- '100.64.0.0/10'
|
||||
- '169.254.0.0/16'
|
||||
- '::1/128'
|
||||
- 'fe80::/64'
|
||||
- 'fc00::/7'
|
||||
allowedNetworks:
|
||||
# "Everything". The blacklist will help limit this.
|
||||
# This is the default value for this field.
|
||||
- '0.0.0.0/0'
|
||||
|
||||
# How many days after a preview is generated before it expires and is deleted. The preview
|
||||
# can be regenerated safely - this just helps free up some space in your database. Set to
|
||||
# zero or negative to disable. Defaults to disabled.
|
||||
expireAfterDays: 0
|
||||
|
||||
# The default Accept-Language header to supply when generating URL previews when one isn't
|
||||
# supplied by the client.
|
||||
# Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Accept-Language
|
||||
defaultLanguage: 'en-US,en'
|
||||
|
||||
# The thumbnail configuration for the media repository.
|
||||
thumbnails:
|
||||
# The maximum number of bytes an image can be before the thumbnailer refuses.
|
||||
maxSourceBytes: 10485760 # 10MB default, 0 to disable
|
||||
|
||||
# The number of workers to use when generating thumbnails. Raise this number if thumbnails
|
||||
# are slow to generate or timing out.
|
||||
#
|
||||
# Maximum memory usage = numWorkers multiplied by the maximum image source size
|
||||
# Average memory usage is dependent on how many thumbnails are being generated by your users
|
||||
numWorkers: 100
|
||||
|
||||
# All thumbnails are generated into one of the sizes listed here. The first size is used as
|
||||
# the default for when no width or height is requested. The media repository will return
|
||||
# either an exact match or the next largest size of thumbnail.
|
||||
sizes:
|
||||
- width: 32
|
||||
height: 32
|
||||
- width: 96
|
||||
height: 96
|
||||
- width: 320
|
||||
height: 240
|
||||
- width: 640
|
||||
height: 480
|
||||
- width: 800
|
||||
height: 600
|
||||
|
||||
# The content types to thumbnail when requested. Types that are not supported by the media repo
|
||||
# will not be thumbnailed (adding application/json here won't work). Clients may still not request
|
||||
# thumbnails for these types - this won't make clients automatically thumbnail these file types.
|
||||
types:
|
||||
- 'image/jpeg'
|
||||
- 'image/jpg'
|
||||
- 'image/png'
|
||||
- 'image/gif'
|
||||
- 'image/heif'
|
||||
- 'image/webp'
|
||||
#- 'image/svg+xml' # Be sure to have ImageMagick installed to thumbnail SVG files
|
||||
|
||||
# Animated thumbnails can be CPU intensive to generate. To disable the generation of animated
|
||||
# thumbnails, set this to false. If disabled, regular thumbnails will be returned.
|
||||
allowAnimated: true
|
||||
|
||||
# Default to animated thumbnails, if available
|
||||
defaultAnimated: false
|
||||
|
||||
# The maximum file size to thumbnail when a capable animated thumbnail is requested. If the image
|
||||
# is larger than this, the thumbnail will be generated as a static image.
|
||||
maxAnimateSizeBytes: 10485760 # 10MB default, 0 to disable
|
||||
|
||||
# On a scale of 0 (start of animation) to 1 (end of animation), where should the thumbnailer try
|
||||
# and thumbnail animated content? Defaults to 0.5 (middle of animation).
|
||||
stillFrame: 0.5
|
||||
|
||||
# How many days after a thumbnail is generated before it expires and is deleted. The thumbnail
|
||||
# can be regenerated safely - this just helps free up some space in your datastores. Set to
|
||||
# zero or negative to disable. Defaults to disabled.
|
||||
expireAfterDays: 0
|
||||
|
||||
# Controls for the rate limit functionality
|
||||
rateLimit:
|
||||
# Set this to false if rate limiting is handled at a higher level or you don't want it enabled.
|
||||
enabled: true
|
||||
|
||||
# The number of requests per second before an IP will be rate limited. Must be a whole number.
|
||||
requestsPerSecond: 1
|
||||
|
||||
# The number of requests an IP can send at once before the rate limit is actually considered.
|
||||
burst: 10
|
||||
|
||||
# Identicons are generated avatars for a given username. Some clients use these to give users a
|
||||
# default avatar after signing up. Identicons are not part of the official matrix spec, therefore
|
||||
# this feature is completely optional.
|
||||
identicons:
|
||||
enabled: true
|
||||
|
||||
# The quarantine media settings.
|
||||
quarantine:
|
||||
# If true, when a thumbnail of quarantined media is requested an image will be returned. If no
|
||||
# image is given in the thumbnailPath below then a generated image will be provided. This does
|
||||
# not affect regular downloads of files.
|
||||
replaceThumbnails: true
|
||||
|
||||
# If true, when media which has been quarantined is requested an image will be returned. If
|
||||
# no image is given in the thumbnailPath below then a generated image will be provided. This
|
||||
# will replace media which is not an image (ie: quarantining a PDF will replace the PDF with
|
||||
# an image).
|
||||
replaceDownloads: false
|
||||
|
||||
# If provided, the given image will be returned as a thumbnail for media that is quarantined.
|
||||
#thumbnailPath: '/path/to/thumbnail.png'
|
||||
|
||||
# If true, administrators of the configured homeservers may quarantine media for their server
|
||||
# only. Global administrators can quarantine any media (local or remote) regardless of this
|
||||
# flag.
|
||||
allowLocalAdmins: true
|
||||
|
||||
# The various timeouts that the media repo will use.
|
||||
timeouts:
|
||||
# The maximum amount of time the media repo should spend trying to fetch a resource that is
|
||||
# being previewed.
|
||||
urlPreviewTimeoutSeconds: 10
|
||||
|
||||
# The maximum amount of time the media repo will spend making remote requests to other repos
|
||||
# or homeservers. This is primarily used to download media.
|
||||
federationTimeoutSeconds: 120
|
||||
|
||||
# The maximum amount of time the media repo will spend talking to your configured homeservers.
|
||||
# This is usually used to verify a user's identity.
|
||||
clientServerTimeoutSeconds: 30
|
||||
|
||||
# Prometheus metrics configuration
|
||||
# For an example Grafana dashboard, import the following JSON:
|
||||
# https://github.com/turt2live/matrix-media-repo/blob/master/docs/grafana.json
|
||||
metrics:
|
||||
# If true, the bindAddress and port below will serve GET /metrics for Prometheus to scrape.
|
||||
enabled: false
|
||||
|
||||
# The address to listen on. Typically "127.0.0.1" or "0.0.0.0" for all interfaces.
|
||||
bindAddress: '127.0.0.1'
|
||||
|
||||
# The port to listen on. Cannot be the same as the general web server port.
|
||||
port: 9000
|
||||
|
||||
# Options for controlling various MSCs/unstable features of the media repo
|
||||
# Sections of this config might disappear or be added over time. By default all
|
||||
# features are disabled in here and must be explicitly enabled to be used.
|
||||
featureSupport:
|
||||
# MSC2248 - Blurhash
|
||||
MSC2448:
|
||||
# Whether or not this MSC is enabled for use in the media repo
|
||||
enabled: false
|
||||
|
||||
# Maximum dimensions for converting a blurhash to an image. When no width and
|
||||
# height options are supplied, the default will be half these values.
|
||||
maxWidth: 1024
|
||||
maxHeight: 1024
|
||||
|
||||
# Thumbnail size in pixels to use to generate the blurhash string
|
||||
thumbWidth: 64
|
||||
thumbHeight: 64
|
||||
|
||||
# The X and Y components to use. Higher numbers blur less, lower numbers blur more.
|
||||
xComponents: 4
|
||||
yComponents: 3
|
||||
|
||||
# The amount of contrast to apply when converting a blurhash to an image. Lower values
|
||||
# make the effect more subtle, larger values make it stronger.
|
||||
punch: 1
|
||||
|
||||
# IPFS Support
|
||||
# This is currently experimental and might not work at all.
|
||||
IPFS:
|
||||
# Whether or not IPFS support is enabled for use in the media repo.
|
||||
enabled: false
|
||||
|
||||
# Options for the built in IPFS daemon
|
||||
builtInDaemon:
|
||||
# Enable this to spawn an in-process IPFS node to use instead of a localhost
|
||||
# HTTP agent. If this is disabled, the media repo will assume you have an HTTP
|
||||
# IPFS agent running and accessible. Defaults to using a daemon (true).
|
||||
enabled: true
|
||||
|
||||
# If the Daemon is enabled, set this to the location where the IPFS files should
|
||||
# be stored. If you're using Docker, this should be something like "/data/ipfs"
|
||||
# so it can be mapped to a volume.
|
||||
repoPath: './ipfs'
|
|
@ -1,18 +0,0 @@
|
|||
[Unit]
|
||||
After=network.target
|
||||
Description=Matrix Media Repo
|
||||
|
||||
[Service]
|
||||
ExecStart={{ matrix__media_repo__src_dir }}/bin/media_repo -config {{ matrix__media_repo__conf_file }}
|
||||
Group={{ matrix__media_repo__group }}
|
||||
Restart=always
|
||||
RestartSec=1
|
||||
StandardOutput=syslog
|
||||
StandardError=syslog
|
||||
SyslogIdentifier={{ matrix__media_repo__service }}
|
||||
Type=simple
|
||||
User={{ matrix__media_repo__user }}
|
||||
WorkingDirectory={{ matrix__media_repo__opt_dir }}
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
|
@ -1,140 +0,0 @@
|
|||
server {
|
||||
listen 80;
|
||||
listen [::]:80;
|
||||
|
||||
server_name {{ matrix__base_host }} {{ matrix__web_host }};
|
||||
|
||||
set $CSP "";
|
||||
set $CSP "${CSP}object-src 'none';";
|
||||
set $CSP "${CSP}frame-src 'none';";
|
||||
set $CSP "${CSP}connect-src 'none';";
|
||||
set $CSP "${CSP}form-action 'none';";
|
||||
|
||||
add_header Content-Security-Policy $CSP always;
|
||||
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
|
||||
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
|
||||
add_header X-Content-Type-Options "nosniff" always;
|
||||
add_header X-Frame-Options "SAMEORIGIN" always;
|
||||
|
||||
return 301 https://$host$request_uri;
|
||||
}
|
||||
|
||||
server {
|
||||
listen 443 ssl;
|
||||
listen [::]:443 ssl;
|
||||
|
||||
server_name {{ matrix__web_host }};
|
||||
|
||||
ssl_certificate {{ matrix__nginx__ssl_cert }};
|
||||
ssl_certificate_key {{ matrix__nginx__ssl_key }};
|
||||
|
||||
set $CSP "";
|
||||
set $CSP "${CSP}object-src 'none';";
|
||||
set $CSP "${CSP}frame-src 'none';";
|
||||
set $CSP "${CSP}connect-src 'self';";
|
||||
set $CSP "${CSP}form-action 'none';";
|
||||
|
||||
add_header Content-Security-Policy $CSP always;
|
||||
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
|
||||
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
|
||||
add_header X-Content-Type-Options "nosniff" always;
|
||||
add_header X-Frame-Options "SAMEORIGIN" always;
|
||||
|
||||
add_header Last-Modified $date_gmt;
|
||||
add_header Cache-Control 'no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0';
|
||||
|
||||
client_max_body_size 100M;
|
||||
|
||||
if_modified_since off;
|
||||
expires off;
|
||||
etag off;
|
||||
sendfile off;
|
||||
|
||||
root {{ matrix__element__src_dir }};
|
||||
index index.html;
|
||||
}
|
||||
|
||||
server {
|
||||
listen 443 ssl;
|
||||
listen [::]:443 ssl;
|
||||
|
||||
server_name {{ matrix__base_host }};
|
||||
|
||||
ssl_certificate {{ matrix__nginx__ssl_cert }};
|
||||
ssl_certificate_key {{ matrix__nginx__ssl_key }};
|
||||
|
||||
set $CSP "";
|
||||
set $CSP "${CSP}object-src 'none';";
|
||||
set $CSP "${CSP}frame-src 'none';";
|
||||
set $CSP "${CSP}connect-src 'none';";
|
||||
set $CSP "${CSP}form-action 'none';";
|
||||
|
||||
add_header Content-Security-Policy $CSP always;
|
||||
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
|
||||
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
|
||||
add_header X-Content-Type-Options "nosniff" always;
|
||||
add_header X-Frame-Options "SAMEORIGIN" always;
|
||||
|
||||
client_max_body_size 100M;
|
||||
|
||||
location /_matrix/media {
|
||||
proxy_read_timeout 60s;
|
||||
proxy_set_header Host {{ matrix__site_host }};
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $remote_addr;
|
||||
proxy_pass http://localhost:{{ matrix__media_repo__port }};
|
||||
}
|
||||
|
||||
location /_matrix {
|
||||
proxy_read_timeout 60s;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $remote_addr;
|
||||
proxy_pass http://localhost:{{ matrix__synapse__port }};
|
||||
}
|
||||
|
||||
location / {
|
||||
proxy_read_timeout 60s;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $remote_addr;
|
||||
proxy_pass http://localhost:{{ matrix__static__port }};
|
||||
}
|
||||
}
|
||||
|
||||
server {
|
||||
listen 8448 ssl;
|
||||
listen [::]:8448 ssl;
|
||||
|
||||
server_name {{ matrix__base_host }};
|
||||
|
||||
ssl_certificate {{ matrix__nginx__ssl_cert }};
|
||||
ssl_certificate_key {{ matrix__nginx__ssl_key }};
|
||||
|
||||
set $CSP "";
|
||||
set $CSP "${CSP}object-src 'none';";
|
||||
set $CSP "${CSP}frame-src 'none';";
|
||||
set $CSP "${CSP}connect-src 'none';";
|
||||
set $CSP "${CSP}form-action 'none';";
|
||||
|
||||
add_header Content-Security-Policy $CSP always;
|
||||
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
|
||||
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
|
||||
add_header X-Content-Type-Options "nosniff" always;
|
||||
add_header X-Frame-Options "SAMEORIGIN" always;
|
||||
|
||||
client_max_body_size 100M;
|
||||
|
||||
location /_matrix/media {
|
||||
proxy_read_timeout 60s;
|
||||
proxy_set_header Host {{ matrix__site_host }};
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $remote_addr;
|
||||
proxy_pass http://localhost:{{ matrix__media_repo__port }};
|
||||
}
|
||||
|
||||
location / {
|
||||
proxy_read_timeout 60s;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $remote_addr;
|
||||
proxy_pass http://localhost:{{ matrix__synapse__port }};
|
||||
}
|
||||
}
|
|
@ -1,7 +0,0 @@
|
|||
{
|
||||
"access_token": "{{ matrix__static__access_token }}",
|
||||
"device_id": "guest_device",
|
||||
"home_server": "{{ matrix__base_url }}",
|
||||
"refresh_token": "",
|
||||
"user_id": "{{ matrix__static__user_id }}"
|
||||
}
|
|
@ -1,19 +0,0 @@
|
|||
[Unit]
|
||||
After=network.target
|
||||
Description=Matrix Static
|
||||
|
||||
[Service]
|
||||
Environment=PORT={{ matrix__static__port }}
|
||||
ExecStart={{ matrix__static__opt_dir }}/bin/matrix-static --config-file {{ matrix__static__conf_file }}
|
||||
Group={{ matrix__static__group }}
|
||||
Restart=always
|
||||
RestartSec=1
|
||||
StandardOutput=syslog
|
||||
StandatdError=syslog
|
||||
SyslogIdentifier={{ matrix__static__service }}
|
||||
Type=simple
|
||||
User={{ matrix__static__user }}
|
||||
WorkingDirectory={{ matrix__static__src_dir }}
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
|
@ -1,73 +0,0 @@
|
|||
# ACME support: This will configure Synapse to request a valid TLS certificate
|
||||
# for your configured `server_name` via Let's Encrypt.
|
||||
#
|
||||
# Note that ACME v1 is now deprecated, and Synapse currently doesn't support
|
||||
# ACME v2. This means that this feature currently won't work with installs set
|
||||
# up after November 2019. For more info, and alternative solutions, see
|
||||
# https://github.com/matrix-org/synapse/blob/master/docs/ACME.md#deprecation-of-acme-v1
|
||||
#
|
||||
# Note that provisioning a certificate in this way requires port 80 to be
|
||||
# routed to Synapse so that it can complete the http-01 ACME challenge.
|
||||
# By default, if you enable ACME support, Synapse will attempt to listen on
|
||||
# port 80 for incoming http-01 challenges - however, this will likely fail
|
||||
# with 'Permission denied' or a similar error.
|
||||
#
|
||||
# There are a couple of potential solutions to this:
|
||||
#
|
||||
# * If you already have an Apache, Nginx, or similar listening on port 80,
|
||||
# you can configure Synapse to use an alternate port, and have your web
|
||||
# server forward the requests. For example, assuming you set 'port: 8009'
|
||||
# below, on Apache, you would write:
|
||||
#
|
||||
# ProxyPass /.well-known/acme-challenge http://localhost:8009/.well-known/acme-challenge
|
||||
#
|
||||
# * Alternatively, you can use something like `authbind` to give Synapse
|
||||
# permission to listen on port 80.
|
||||
#
|
||||
acme:
|
||||
# ACME support is disabled by default. Set this to `true` and uncomment
|
||||
# tls_certificate_path and tls_private_key_path above to enable it.
|
||||
#
|
||||
enabled: false
|
||||
|
||||
# Endpoint to use to request certificates. If you only want to test,
|
||||
# use Let's Encrypt's staging url:
|
||||
# https://acme-staging.api.letsencrypt.org/directory
|
||||
#
|
||||
#url: https://acme-v01.api.letsencrypt.org/directory
|
||||
|
||||
# Port number to listen on for the HTTP-01 challenge. Change this if
|
||||
# you are forwarding connections through Apache/Nginx/etc.
|
||||
#
|
||||
port: 80
|
||||
|
||||
# Local addresses to listen on for incoming connections.
|
||||
# Again, you may want to change this if you are forwarding connections
|
||||
# through Apache/Nginx/etc.
|
||||
#
|
||||
bind_addresses: ['::', '0.0.0.0']
|
||||
|
||||
# How many days remaining on a certificate before it is renewed.
|
||||
#
|
||||
reprovision_threshold: 30
|
||||
|
||||
# The domain that the certificate should be for. Normally this
|
||||
# should be the same as your Matrix domain (i.e., 'server_name'), but,
|
||||
# by putting a file at 'https://<server_name>/.well-known/matrix/server',
|
||||
# you can delegate incoming traffic to another server. If you do that,
|
||||
# you should give the target of the delegation here.
|
||||
#
|
||||
# For example: if your 'server_name' is 'example.com', but
|
||||
# 'https://example.com/.well-known/matrix/server' delegates to
|
||||
# 'matrix.example.com', you should put 'matrix.example.com' here.
|
||||
#
|
||||
# If not set, defaults to your 'server_name'.
|
||||
#
|
||||
domain: matrix.example.com
|
||||
|
||||
# file to use for the account key. This will be generated if it doesn't
|
||||
# exist.
|
||||
#
|
||||
# If unspecified, we will use CONFDIR/client.key.
|
||||
#
|
||||
account_key_file: /etc/matrix/synapse/acme_account.key
|
|
@ -1,23 +0,0 @@
|
|||
## Captcha ##
|
||||
# See docs/CAPTCHA_SETUP.md for full details of configuring this.
|
||||
|
||||
# This homeserver's ReCAPTCHA public key. Must be specified if
|
||||
# enable_registration_captcha is enabled.
|
||||
#
|
||||
recaptcha_public_key: '{{ matrix__synapse__recaptcha_public_key }}'
|
||||
|
||||
# This homeserver's ReCAPTCHA private key. Must be specified if
|
||||
# enable_registration_captcha is enabled.
|
||||
#
|
||||
recaptcha_private_key: '{{ matrix__synapse__recaptcha_private_key }}'
|
||||
|
||||
# Uncomment to enable ReCaptcha checks when registering, preventing signup
|
||||
# unless a captcha is answered. Requires a valid ReCaptcha
|
||||
# public/private key. Defaults to 'false'.
|
||||
#
|
||||
enable_registration_captcha: true
|
||||
|
||||
# The API endpoint to use for verifying m.login.recaptcha responses.
|
||||
# Defaults to "https://www.recaptcha.net/recaptcha/api/siteverify".
|
||||
#
|
||||
#recaptcha_siteverify_api: "https://my.recaptcha.site"
|
|
@ -1,55 +0,0 @@
|
|||
## Database ##
|
||||
|
||||
# The 'database' setting defines the database that synapse uses to store all of
|
||||
# its data.
|
||||
#
|
||||
# 'name' gives the database engine to use: either 'sqlite3' (for SQLite) or
|
||||
# 'psycopg2' (for PostgreSQL).
|
||||
#
|
||||
# 'args' gives options which are passed through to the database engine,
|
||||
# except for options starting 'cp_', which are used to configure the Twisted
|
||||
# connection pool. For a reference to valid arguments, see:
|
||||
# * for sqlite: https://docs.python.org/3/library/sqlite3.html#sqlite3.connect
|
||||
# * for postgres: https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-PARAMKEYWORDS
|
||||
# * for the connection pool: https://twistedmatrix.com/documents/current/api/twisted.enterprise.adbapi.ConnectionPool.html#__init__
|
||||
#
|
||||
#
|
||||
# Example SQLite configuration:
|
||||
#
|
||||
#database:
|
||||
# name: sqlite3
|
||||
# args:
|
||||
# database: /path/to/homeserver.db
|
||||
#
|
||||
#
|
||||
# Example Postgres configuration:
|
||||
#
|
||||
#database:
|
||||
# name: psycopg2
|
||||
# args:
|
||||
# user: synapse
|
||||
# password: secretpassword
|
||||
# database: synapse
|
||||
# host: localhost
|
||||
# cp_min: 5
|
||||
# cp_max: 10
|
||||
#
|
||||
# For more information on using Synapse with Postgres, see `docs/postgres.md`.
|
||||
#
|
||||
{% if not matrix__synapse__pg_enable %}
|
||||
database:
|
||||
name: sqlite3
|
||||
args:
|
||||
database: '{{ matrix__synapse__db_file }}'
|
||||
{% else %}
|
||||
database:
|
||||
name: psycopg2
|
||||
args:
|
||||
host: '{{ matrix__synapse__pg_host }}'
|
||||
port: {{ matrix__synapse__pg_port }}
|
||||
user: '{{ matrix__synapse__pg_username }}'
|
||||
password: '{{ matrix__synapse__pg_password }}'
|
||||
database: '{{ matrix__synapse__pg_database }}'
|
||||
cp_min: 5
|
||||
cp_max: 10
|
||||
{% endif %}
|
|
@ -1,102 +0,0 @@
|
|||
# List of ports that Synapse should listen on, their purpose and their
|
||||
# configuration.
|
||||
#
|
||||
# Options for each listener include:
|
||||
#
|
||||
# port: the TCP port to bind to
|
||||
#
|
||||
# bind_addresses: a list of local addresses to listen on. The default is
|
||||
# 'all local interfaces'.
|
||||
#
|
||||
# type: the type of listener. Normally 'http', but other valid options are:
|
||||
# 'manhole' (see docs/manhole.md),
|
||||
# 'metrics' (see docs/metrics-howto.md),
|
||||
# 'replication' (see docs/workers.md).
|
||||
#
|
||||
# tls: set to true to enable TLS for this listener. Will use the TLS
|
||||
# key/cert specified in tls_private_key_path / tls_certificate_path.
|
||||
#
|
||||
# x_forwarded: Only valid for an 'http' listener. Set to true to use the
|
||||
# X-Forwarded-For header as the client IP. Useful when Synapse is
|
||||
# behind a reverse-proxy.
|
||||
#
|
||||
# resources: Only valid for an 'http' listener. A list of resources to host
|
||||
# on this port. Options for each resource are:
|
||||
#
|
||||
# names: a list of names of HTTP resources. See below for a list of
|
||||
# valid resource names.
|
||||
#
|
||||
# compress: set to true to enable HTTP comression for this resource.
|
||||
#
|
||||
# additional_resources: Only valid for an 'http' listener. A map of
|
||||
# additional endpoints which should be loaded via dynamic modules.
|
||||
#
|
||||
# Valid resource names are:
|
||||
#
|
||||
# client: the client-server API (/_matrix/client), and the synapse admin
|
||||
# API (/_synapse/admin). Also implies 'media' and 'static'.
|
||||
#
|
||||
# consent: user consent forms (/_matrix/consent). See
|
||||
# docs/consent_tracking.md.
|
||||
#
|
||||
# federation: the server-server API (/_matrix/federation). Also implies
|
||||
# 'media', 'keys', 'openid'
|
||||
#
|
||||
# keys: the key discovery API (/_matrix/keys).
|
||||
#
|
||||
# media: the media API (/_matrix/media).
|
||||
#
|
||||
# metrics: the metrics interface. See docs/metrics-howto.md.
|
||||
#
|
||||
# openid: OpenID authentication.
|
||||
#
|
||||
# replication: the HTTP replication API (/_synapse/replication). See
|
||||
# docs/workers.md.
|
||||
#
|
||||
# static: static resources under synapse/static (/_matrix/static). (Mostly
|
||||
# useful for 'fallback authentication'.)
|
||||
#
|
||||
# webclient: A web client. Requires web_client_location to be set.
|
||||
#
|
||||
listeners:
|
||||
# TLS-enabled listener: for when matrix traffic is sent directly to synapse.
|
||||
#
|
||||
# Disabled by default. To enable it, uncomment the following. (Note that you
|
||||
# will also need to give Synapse a TLS key and certificate: see the TLS section
|
||||
# below.)
|
||||
#
|
||||
#- port: 8448
|
||||
# type: http
|
||||
# tls: true
|
||||
# resources:
|
||||
# - names: [client, federation]
|
||||
|
||||
# Unsecure HTTP listener: for when matrix traffic passes through a reverse proxy
|
||||
# that unwraps TLS.
|
||||
#
|
||||
# If you plan to use a reverse proxy, please see
|
||||
# https://github.com/matrix-org/synapse/blob/master/docs/reverse_proxy.md.
|
||||
#
|
||||
- port: {{ matrix__synapse__port }}
|
||||
tls: false
|
||||
type: http
|
||||
x_forwarded: true
|
||||
bind_addresses: ['::1', '127.0.0.1']
|
||||
|
||||
resources:
|
||||
- names: [client, federation]
|
||||
compress: false
|
||||
|
||||
# example additional_resources:
|
||||
#
|
||||
#additional_resources:
|
||||
# "/_matrix/my/custom/endpoint":
|
||||
# module: my_module.CustomRequestHandler
|
||||
# config: {}
|
||||
|
||||
# Turn on the twisted ssh manhole service on localhost on the given
|
||||
# port.
|
||||
#
|
||||
#- port: 9000
|
||||
# bind_addresses: ['::1', '127.0.0.1']
|
||||
# type: manhole
|
|
@ -1,59 +0,0 @@
|
|||
## Media Store ##
|
||||
|
||||
# Enable the media store service in the Synapse master. Uncomment the
|
||||
# following if you are using a separate media store worker.
|
||||
#
|
||||
enable_media_repo: false
|
||||
|
||||
# Directory where uploaded images and attachments are stored.
|
||||
#
|
||||
media_store_path: '{{ matrix__synapse__media_dir }}'
|
||||
|
||||
# Media storage providers allow media to be stored in different
|
||||
# locations.
|
||||
#
|
||||
#media_storage_providers:
|
||||
# - module: file_system
|
||||
# # Whether to store newly uploaded local files
|
||||
# store_local: false
|
||||
# # Whether to store newly downloaded remote files
|
||||
# store_remote: false
|
||||
# # Whether to wait for successful storage for local uploads
|
||||
# store_synchronous: false
|
||||
# config:
|
||||
# directory: /mnt/some/other/directory
|
||||
|
||||
# The largest allowed upload size in bytes
|
||||
#
|
||||
max_upload_size: 100M
|
||||
|
||||
# Maximum number of pixels that will be thumbnailed
|
||||
#
|
||||
#max_image_pixels: 32M
|
||||
|
||||
# Whether to generate new thumbnails on the fly to precisely match
|
||||
# the resolution requested by the client. If true then whenever
|
||||
# a new resolution is requested by the client the server will
|
||||
# generate a new thumbnail. If false the server will pick a thumbnail
|
||||
# from a precalculated list.
|
||||
#
|
||||
#dynamic_thumbnails: false
|
||||
|
||||
# List of thumbnails to precalculate when an image is uploaded.
|
||||
#
|
||||
#thumbnail_sizes:
|
||||
# - width: 32
|
||||
# height: 32
|
||||
# method: crop
|
||||
# - width: 96
|
||||
# height: 96
|
||||
# method: crop
|
||||
# - width: 320
|
||||
# height: 240
|
||||
# method: scale
|
||||
# - width: 640
|
||||
# height: 480
|
||||
# method: scale
|
||||
# - width: 800
|
||||
# height: 600
|
||||
# method: scale
|
File diff suppressed because it is too large
Load diff
|
@ -1,29 +0,0 @@
|
|||
{}
|
||||
|
||||
## TURN ##
|
||||
|
||||
# The public URIs of the TURN server to give to clients
|
||||
#
|
||||
#turn_uris: []
|
||||
|
||||
# The shared secret used to compute passwords for the TURN server
|
||||
#
|
||||
#turn_shared_secret: "YOUR_SHARED_SECRET"
|
||||
|
||||
# The Username and password if the TURN server needs them and
|
||||
# does not use a token
|
||||
#
|
||||
#turn_username: "TURNSERVER_USERNAME"
|
||||
#turn_password: "TURNSERVER_PASSWORD"
|
||||
|
||||
# How long generated TURN credentials last
|
||||
#
|
||||
#turn_user_lifetime: 1h
|
||||
|
||||
# Whether guests should be allowed to use the TURN server.
|
||||
# This defaults to True, otherwise VoIP will be unreliable for guests.
|
||||
# However, it does introduce a slight security risk as it allows users to
|
||||
# connect to arbitrary endpoints without having first signed up for a
|
||||
# valid account (e.g. by passing a CAPTCHA).
|
||||
#
|
||||
#turn_allow_guests: true
|
|
@ -1,104 +0,0 @@
|
|||
# Is the preview URL API enabled?
|
||||
#
|
||||
# 'false' by default: uncomment the following to enable it (and specify a
|
||||
# url_preview_ip_range_blacklist blacklist).
|
||||
#
|
||||
url_preview_enabled: true
|
||||
|
||||
# List of IP address CIDR ranges that the URL preview spider is denied
|
||||
# from accessing. There are no defaults: you must explicitly
|
||||
# specify a list for URL previewing to work. You should specify any
|
||||
# internal services in your network that you do not want synapse to try
|
||||
# to connect to, otherwise anyone in any Matrix room could cause your
|
||||
# synapse to issue arbitrary GET requests to your internal services,
|
||||
# causing serious security issues.
|
||||
#
|
||||
# (0.0.0.0 and :: are always blacklisted, whether or not they are explicitly
|
||||
# listed here, since they correspond to unroutable addresses.)
|
||||
#
|
||||
# This must be specified if url_preview_enabled is set. It is recommended that
|
||||
# you uncomment the following list as a starting point.
|
||||
#
|
||||
url_preview_ip_range_blacklist:
|
||||
- '127.0.0.0/8'
|
||||
- '10.0.0.0/8'
|
||||
- '172.16.0.0/12'
|
||||
- '192.168.0.0/16'
|
||||
- '100.64.0.0/10'
|
||||
- '169.254.0.0/16'
|
||||
- '::1/128'
|
||||
- 'fe80::/64'
|
||||
- 'fc00::/7'
|
||||
|
||||
# List of IP address CIDR ranges that the URL preview spider is allowed
|
||||
# to access even if they are specified in url_preview_ip_range_blacklist.
|
||||
# This is useful for specifying exceptions to wide-ranging blacklisted
|
||||
# target IP ranges - e.g. for enabling URL previews for a specific private
|
||||
# website only visible in your network.
|
||||
#
|
||||
#url_preview_ip_range_whitelist:
|
||||
# - '192.168.1.1'
|
||||
|
||||
# Optional list of URL matches that the URL preview spider is
|
||||
# denied from accessing. You should use url_preview_ip_range_blacklist
|
||||
# in preference to this, otherwise someone could define a public DNS
|
||||
# entry that points to a private IP address and circumvent the blacklist.
|
||||
# This is more useful if you know there is an entire shape of URL that
|
||||
# you know that will never want synapse to try to spider.
|
||||
#
|
||||
# Each list entry is a dictionary of url component attributes as returned
|
||||
# by urlparse.urlsplit as applied to the absolute form of the URL. See
|
||||
# https://docs.python.org/2/library/urlparse.html#urlparse.urlsplit
|
||||
# The values of the dictionary are treated as an filename match pattern
|
||||
# applied to that component of URLs, unless they start with a ^ in which
|
||||
# case they are treated as a regular expression match. If all the
|
||||
# specified component matches for a given list item succeed, the URL is
|
||||
# blacklisted.
|
||||
#
|
||||
url_preview_url_blacklist:
|
||||
# blacklist any URL with a username in its URI
|
||||
- username: '*'
|
||||
#
|
||||
# # blacklist all *.google.com URLs
|
||||
# - netloc: 'google.com'
|
||||
# - netloc: '*.google.com'
|
||||
#
|
||||
# # blacklist all plain HTTP URLs
|
||||
# - scheme: 'http'
|
||||
#
|
||||
# # blacklist http(s)://www.acme.com/foo
|
||||
# - netloc: 'www.acme.com'
|
||||
# path: '/foo'
|
||||
#
|
||||
# # blacklist any URL with a literal IPv4 address
|
||||
# - netloc: '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$'
|
||||
|
||||
# The largest allowed URL preview spidering size in bytes
|
||||
#
|
||||
#max_spider_size: 10M
|
||||
|
||||
# A list of values for the Accept-Language HTTP header used when
|
||||
# downloading webpages during URL preview generation. This allows
|
||||
# Synapse to specify the preferred languages that URL previews should
|
||||
# be in when communicating with remote servers.
|
||||
#
|
||||
# Each value is a IETF language tag; a 2-3 letter identifier for a
|
||||
# language, optionally followed by subtags separated by '-', specifying
|
||||
# a country or region variant.
|
||||
#
|
||||
# Multiple values can be provided, and a weight can be added to each by
|
||||
# using quality value syntax (;q=). '*' translates to any language.
|
||||
#
|
||||
# Defaults to "en".
|
||||
#
|
||||
# Example:
|
||||
#
|
||||
# url_preview_accept_language:
|
||||
# - en-UK
|
||||
# - en-US;q=0.9
|
||||
# - fr;q=0.8
|
||||
# - *;q=0.7
|
||||
#
|
||||
url_preview_accept_language:
|
||||
- ru
|
||||
- en;q=0.9
|
|
@ -1,35 +0,0 @@
|
|||
# Log configuration for Synapse.
|
||||
#
|
||||
# This is a YAML file containing a standard Python logging configuration
|
||||
# dictionary. See [1] for details on the valid settings.
|
||||
#
|
||||
# [1]: https://docs.python.org/3.7/library/logging.config.html#configuration-dictionary-schema
|
||||
|
||||
version: 1
|
||||
|
||||
formatters:
|
||||
precise:
|
||||
format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s - %(message)s'
|
||||
|
||||
filters:
|
||||
context:
|
||||
(): synapse.logging.context.LoggingContextFilter
|
||||
request: ''
|
||||
|
||||
handlers:
|
||||
console:
|
||||
class: logging.StreamHandler
|
||||
formatter: precise
|
||||
filters: [context]
|
||||
|
||||
loggers:
|
||||
synapse.storage.SQL:
|
||||
# beware: increasing this to DEBUG will make synapse log sensitive
|
||||
# information such as access tokens.
|
||||
level: INFO
|
||||
|
||||
root:
|
||||
level: INFO
|
||||
handlers: [console]
|
||||
|
||||
disable_existing_loggers: false
|
|
@ -1,18 +0,0 @@
|
|||
[Unit]
|
||||
After=network.target
|
||||
Description=Matrix Synapse
|
||||
|
||||
[Service]
|
||||
ExecStart={{ matrix__synapse__venv_dir }}/bin/synctl --no-daemonize start {{ matrix__synapse__conf_subdir }}
|
||||
Group={{ matrix__synapse__group }}
|
||||
Restart=always
|
||||
RestartSec=1
|
||||
StandardOutput=syslog
|
||||
StandardError=syslog
|
||||
SyslogIdentifier={{ matrix__synapse__service }}
|
||||
Type=simple
|
||||
User={{ matrix__synapse__user }}
|
||||
WorkingDirectory={{ matrix__synapse__opt_dir }}
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
|
@ -1,2 +0,0 @@
|
|||
d {{ matrix__run_dir }} 0775 root root
|
||||
d {{ matrix__synapse__run_dir }} 0775 matrix-synapse matrix-synapse
|
|
@ -1,66 +0,0 @@
|
|||
---
|
||||
matrix__synapse__user: 'matrix-synapse'
|
||||
matrix__synapse__group: 'matrix-synapse'
|
||||
matrix__synapse__service: 'matrix-synapse'
|
||||
|
||||
matrix__media_repo__user: 'matrix-media-repo'
|
||||
matrix__media_repo__group: 'matrix-media-repo'
|
||||
matrix__media_repo__service: 'matrix-media-repo'
|
||||
|
||||
matrix__static__user: 'matrix-static'
|
||||
matrix__static__group: 'matrix-static'
|
||||
matrix__static__service: 'matrix-static'
|
||||
|
||||
matrix__synapse__port: 8001
|
||||
matrix__media_repo__port: 8002
|
||||
matrix__static__port: 8003
|
||||
|
||||
matrix__conf_dir: '/etc/matrix'
|
||||
matrix__opt_dir: '/opt/matrix'
|
||||
matrix__lib_dir: '/var/lib/matrix'
|
||||
matrix__run_dir: '/var/run/matrix'
|
||||
|
||||
matrix__synapse__conf_dir: '{{ matrix__conf_dir }}/synapse'
|
||||
matrix__synapse__opt_dir: '{{ matrix__opt_dir }}/synapse'
|
||||
matrix__synapse__lib_dir: '{{ matrix__lib_dir }}/synapse'
|
||||
matrix__synapse__run_dir: '{{ matrix__run_dir }}/synapse'
|
||||
|
||||
matrix__media_repo__conf_dir: '{{ matrix__conf_dir }}/media_repo'
|
||||
matrix__media_repo__opt_dir: '{{ matrix__opt_dir }}/media_repo'
|
||||
matrix__media_repo__lib_dir: '{{ matrix__lib_dir }}/media_repo'
|
||||
|
||||
matrix__static__conf_dir: '{{ matrix__conf_dir }}/static'
|
||||
matrix__static__opt_dir: '{{ matrix__opt_dir }}/static'
|
||||
|
||||
matrix__element__opt_dir: '{{ matrix__opt_dir }}/element'
|
||||
|
||||
matrix__synapse__conf_subdir: '{{ matrix__synapse__conf_dir }}/config'
|
||||
matrix__synapse__log_conf_file: '{{ matrix__synapse__conf_dir }}/log_config.yml'
|
||||
matrix__synapse__key_file: '{{ matrix__synapse__conf_dir }}/signing_key'
|
||||
matrix__synapse__venv_dir: '{{ matrix__synapse__opt_dir }}/venv'
|
||||
matrix__synapse__media_dir: '{{ matrix__synapse__lib_dir }}/media_store'
|
||||
matrix__synapse__db_file: '{{ matrix__synapse__lib_dir }}/homeserver.db'
|
||||
matrix__synapse__pid_file: '{{ matrix__synapse__run_dir }}/homeserver.pid'
|
||||
|
||||
matrix__media_repo__conf_file: '{{ matrix__media_repo__conf_dir }}/config.yaml'
|
||||
matrix__media_repo__archive_file: '{{ matrix__media_repo__opt_dir }}/src.tar.gz'
|
||||
matrix__media_repo__src_dir: '{{ matrix__media_repo__opt_dir }}/src'
|
||||
|
||||
matrix__static__conf_file: '{{ matrix__static__conf_dir }}/config.json'
|
||||
matrix__static__archive_file: '{{ matrix__static__opt_dir }}/src.tar.gz'
|
||||
matrix__static__src_dir: '{{ matrix__static__opt_dir }}/src'
|
||||
matrix__static__bin_dir: '{{ matrix__static__opt_dir }}/bin'
|
||||
|
||||
matrix__element__archive_file: '{{ matrix__element__opt_dir }}/src.tar.gz'
|
||||
matrix__element__src_dir: '{{ matrix__element__opt_dir }}/src'
|
||||
matrix__element__conf_file: '{{ matrix__element__src_dir }}/config.json'
|
||||
|
||||
matrix__synapse__service_file: '/etc/systemd/system/{{ matrix__synapse__service }}.service'
|
||||
matrix__media_repo__service_file: '/etc/systemd/system/{{ matrix__media_repo__service }}.service'
|
||||
matrix__static__service_file: '/etc/systemd/system/{{ matrix__static__service }}.service'
|
||||
|
||||
matrix__static__url: 'https://github.com/matrix-org/matrix-static/archive/0.3.0.tar.gz'
|
||||
matrix__element__url: 'https://github.com/vector-im/riot-web/releases/download/v1.7.1/riot-v1.7.1.tar.gz'
|
||||
|
||||
matrix__static__checksum: 'sha256:6de2b7360b2deaef7c011acebd061d6bcdae3799ee40a2f7f371744920aa45eb'
|
||||
matrix__element__checksum: 'sha256:5e69f862529d429d2d9064de210c16364de48cd38d0ef8ee9a099c096071b5ab'
|
|
@ -1,4 +0,0 @@
|
|||
#!/bin/sh -e
|
||||
|
||||
sudo -u postgres sh -e -c "test -d {{ postgresql_backups_dir }} && find {{ postgresql_backups_dir }} -type f -mtime +7 -exec rm {} \;"
|
||||
sudo -u postgres sh -e -c "mkdir -p {{ postgresql_backups_dir }} && umask 077 && pg_dumpall | gzip > {{ postgresql_backups_dir }}/$(TZ=UTC date +"%Y_%m_%d_%H_%M_%S").gz"
|
Reference in a new issue