diff --git a/bin/extra_opts.sh b/bin/extra_opts.sh
index eed509b..76ce0c2 100644
--- a/bin/extra_opts.sh
+++ b/bin/extra_opts.sh
@@ -16,7 +16,7 @@ fi
 extra_opts="--extra-vars admin=$admin"
-for vault_id in kotovalexarian xuhcc postgres matrix
+for vault_id in kotovalexarian xuhcc
 do
 if [ -f "$ROOT/secrets/$vault_id" ]; then
 extra_opts="$extra_opts --vault-id $vault_id@$ROOT/secrets/$vault_id"
diff --git a/group_vars/postgres.yml b/group_vars/postgres.yml
deleted file mode 100644
index eb97d6d..0000000
--- a/group_vars/postgres.yml
+++ /dev/null
@@ -1,11 +0,0 @@
----
-common__certbot__post_hook: null
-common__certbot__pre_hook: null
-
-common__iptables__drop_by_default: true
-
-postgresql_backups_dir: '/var/lib/postgresql/backups/12/main'
-
-postgresql_global_config_options:
- - option: listen_addresses
- value: '*'
diff --git a/host_vars/matrix.crypto-libertarian.com.yml b/host_vars/matrix.crypto-libertarian.com.yml
deleted file mode 100644
index 7355225..0000000
--- a/host_vars/matrix.crypto-libertarian.com.yml
+++ /dev/null
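Review bot: The new `for vault_id in kotovalexarian xuhcc` line keeps a hand-maintained list of vault ids that has to be edited every time an id is added or retired, while the `-f "$ROOT/secrets/$vault_id"` test on the following line already decides which ids are live; iterating the directory instead, `for path in "$ROOT"/secrets/*; do vault_id=${path##*/}` (with `shopt -s nullglob` or the existing `-f` test covering an empty directory), removes that duplication. The `--vault-id` argument is appended to `extra_opts` as a single string, so if the caller word-splits it, a `$ROOT` containing whitespace would break the path; an array, `extra_opts+=(--vault-id "$vault_id@$ROOT/secrets/$vault_id")` expanded as `"${extra_opts[@]}"`, would be safer, though the consumer of `extra_opts` is outside the hunk and this may be deliberate. Dropping the `postgres` and `matrix` ids here also leaves any `secrets/postgres` and `secrets/matrix` vault password files unreferenced; since the vaulted values in the deleted host_vars files stay in history, those password files are worth removing in the same change. The closing `fi`/`done` of the loop are outside the hunk.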
@@ -1,180 +0,0 @@ ---- -ansible_become_pass_for: - kotovalexarian: !vault | - $ANSIBLE_VAULT;1.2;AES256;kotovalexarian - 61643339313266356538643266316138633738616632633531383730383433633030656633383431 - 3335393862333133643030613131636232663434636164650a376464396333323662363037376164 - 38356164613536633139643333383362363531343933363661356532663838656336363166616638 - 3032303434366266330a376439396233363065323135613963633265373435636530646433343036 - 65663336353266323636633339313236353565353431363965303762643766356562313566383031 - 3536363333616139613738336566633937313539623536316666 - xuhcc: !vault | - $ANSIBLE_VAULT;1.2;AES256;xuhcc - 33613837643333393933646163323464336164353963353039323338366339343137356134353164 - 6135373037323262663461626430376134636433393037360a666435393133653763323834393530 - 38643437613437643939386232393762326536363532376266643034623833316137376233363962 - 3237346330633334630a613565623237616361623635343466303538613066653166316566616233 - 63623962363933656164623338346435346538646364383539383363346666393533 - -ansible_become_pass: "{{ ansible_become_pass_for[admin] }}" - -common__certbot__cert_name: 'matrix.crypto-libertarian.com' -common__certbot__cert_domains: - - 'matrix.crypto-libertarian.com' - - 'element.crypto-libertarian.com' -common__certbot__post_hook: 'systemctl is-active nginx.service || systemctl start nginx.service' -common__certbot__pre_hook: 'systemctl is-active nginx.service && systemctl stop nginx.service || true' - -common__nginx__state: install -common__nginx__remove_default: true - -matrix__site_host: 'crypto-libertarian.com' -matrix__base_host: 'matrix.crypto-libertarian.com' -matrix__web_host: 'element.crypto-libertarian.com' - -matrix__site_url: 'https://crypto-libertarian.com' -matrix__base_url: 'https://matrix.crypto-libertarian.com' -matrix__web_url: 'https://element.crypto-libertarian.com' - -matrix__admin_contact: 'mailto:kotovalexarian@gmail.com' -matrix__admin_user: '@kotovalexarian:crypto-libertarian.com' - 
-matrix__nginx__ssl_cert: '/etc/letsencrypt/live/matrix.crypto-libertarian.com/fullchain.pem' -matrix__nginx__ssl_key: '/etc/letsencrypt/live/matrix.crypto-libertarian.com/privkey.pem' - -matrix__synapse__pg_enable: true -matrix__synapse__pg_host: 'postgres.crypto-libertarian.com' -matrix__synapse__pg_username: 'matrix_synapse' -matrix__synapse__pg_database: 'matrix_synapse' - -matrix__synapse__pg_password: !vault | - $ANSIBLE_VAULT;1.2;AES256;matrix - 36666361363761366636626266613931326432313530356361643535396534623435393432386135 - 3366346639386430646334333361303565653436343335660a393766303963633761343738663836 - 61636264656534653934663835373934613963326563376435656634326633373263393735613932 - 3164633537313039380a396638626366333639393463376666353534653837313438613435396333 - 66303235616232343966336639313034383964623334663961313234376332333338343961313562 - 3366623965646237633733373165346366333436373139346435 - -matrix__synapse__signing_key: !vault | - $ANSIBLE_VAULT;1.2;AES256;matrix - 63353038343038626239333939363961393638343834316163316330376237626339303634613162 - 3934313537333630633931333930343264323639303537390a353532636532626433393132376138 - 35376235366533353763656331343034333431366333643934623537316665663730646532623039 - 3433336635643134300a373334623136396635363530646161323735336230363737333362383235 - 37646636346139366566666339616338346134373766373664316632373061333035643039336665 - 62373562326133653461373763383337623339303832626335396530373162303337313134346265 - 356230363135373266663736326238663931 - -matrix__synapse__reg_secret: !vault | - $ANSIBLE_VAULT;1.2;AES256;matrix - 66386664663864336530613438643534666361306331366639393261303933613430333934613833 - 6532383963306639616263616162353339633333343865350a666634323966373066643639616332 - 33346436323230386264343535376161376531376434626563373961636562343533303934363234 - 3033633366663030370a633566336136626138343930386237643736353166626334653364373162 - 
63356337363962373331333865616663336634373133633165633833653166373939376231356439 - 63303839386134653333663462613136623937393162373465613233623931643039613339336462 - 346332383032363866643637376563376639 - -matrix__synapse__macaroon_secret: !vault | - $ANSIBLE_VAULT;1.2;AES256;matrix - 62653661363330626261303164636665336164383662343462373061356561326338343830306534 - 3339633839333036333561643438346562646636333539650a396565306430653965303765396537 - 63333437633964333236643239633561373332373365663835613437386139383333323364386462 - 6638346532306130620a626563326663333562313464346338626533666237616231666465653239 - 66336332663130623862396636373435303438383066313932653532333337316263613964343165 - 66656639666664323933316339396634613134356336383239353638643730636235633732333764 - 396330653436636161313939646233653834 - -matrix__synapse__form_secret: !vault | - $ANSIBLE_VAULT;1.2;AES256;matrix - 30386164303933346363353063653137366636636535393761383930336132396162623835656134 - 6563663236623163613865633638343530336337353261310a636636636639326162633933306131 - 66383137393839396164633638336564356562666462383935373961313964316165343232343839 - 3637623531363435610a356134316431343639336462333838373438323664643235346337663834 - 33366663666563613733386135316665323735626336333039383333313232313862623564643937 - 35643863343836656163653764353035326433653239393034386433663165663066343764613834 - 363666366630653364303235643064303031 - -matrix__synapse__recaptcha_public_key: '6LcJ26wZAAAAABVW68GFDaZn0RM1Ros6DUfkND_9' - -matrix__synapse__recaptcha_private_key: !vault | - $ANSIBLE_VAULT;1.2;AES256;matrix - 64663161393264383535653233343433613131393065626564613937306666373932636464383763 - 3464613232333631656535396431643037616636353231660a313936613636666663633437353530 - 34613433306136373131363862313161656637373936366163313966643762656136376331306133 - 3932306230633030340a633639643332313765333963356131376238313762343130303065613533 - 
32363433373132623431663763646434353666333837663738363766383566313463313139623939 - 3330643537663461333330336266396531363763376236643061 - -matrix__media_repo__postgres: !vault | - $ANSIBLE_VAULT;1.2;AES256;matrix - 32343261616564383739383139636636306637616137366138623032303963363532326563303438 - 6263636534386534643539386138313965663533623935340a366531316136653131646137353566 - 30623962613061323939313230326433636330356436626366363464353762303832393332396536 - 3564376330383237310a643338663061636662343662346137333039636230666137656537383336 - 66383635323464623663303032303532393639313361646231323436613065373565623239376366 - 36613233626465376230646138356135636662663965373061616433656665356135616337386236 - 61316463386265336236346636626465353166373833336534343536313437306164663965646162 - 39353733353533353533306434353539383463346563656433313532376632343935653036393437 - 63386539326464346261393666326132383034623264663431313465343636376433343535356432 - 31633835356235376462656635383931363339353138353537326633393261313464383332393738 - 643434393863366439623237653737353439 - -matrix__media_repo__s3_endpoint: 's3.eu-central-1.amazonaws.com' -matrix__media_repo__s3_bucket: 'crypto-libertarian-matrix-media-repo' - -matrix__media_repo__s3_access_key: !vault | - $ANSIBLE_VAULT;1.2;AES256;matrix - 35326162306233313937646565623563636538376464643739313462323535393366363262323565 - 3465623639303935623461336230646439663839343331320a663635343239366366623062346630 - 37626332323965383738366532313665383564366132383530613762643836333831393735666438 - 6132393437343464390a336339383439326338646137356634333534636236326438646433353965 - 63376165363038326337346139303961373565346265393836396439656131633263 - -matrix__media_repo__s3_access_secret: !vault | - $ANSIBLE_VAULT;1.2;AES256;matrix - 36316562306261323138663361353762393736343765346435633631353734663765343638383265 - 3132383663393161306464386336396265363962313764320a653862343933666461666134383434 - 
38623661326462303962376535373862303235353131363361633736336231336536633338643233 - 3539663031633038360a316433343432663865393738366633376235653839326232663134303931 - 65363837313464616536333934353062353962363365353831623234363939636333616634323832 - 3466656664353839333966643333336432303435663232646664 - -matrix__static__user_id: '@1:crypto-libertarian.com' - -matrix__static__access_token: !vault | - $ANSIBLE_VAULT;1.2;AES256;matrix - 66626138616337666537383562623139356364633837376133326235396662306330663666336333 - 6538623736613538373235623866333066396539396138320a316363393664363332353138386261 - 34313935326433623763656433326533323233623738313063623938336664663230623033373032 - 3831393536313235300a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common__iptables__drop_by_default: true - -common__iptables__v4_filter: | - # Allow incoming HTTP, HTTPS, Matrix. - -A INPUT -p tcp -m multiport --dport 80,443,8448 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT - -A OUTPUT -p tcp -m multiport --sport 80,443,8448 -m conntrack --ctstate ESTABLISHED -j ACCEPT - - # Deny other HTTP, HTTPS, Matrix. - -A INPUT -p tcp -m multiport --dport 80,443,8448 -j REJECT - -A OUTPUT -p tcp -m multiport --sport 80,443,8448 -j REJECT - -common__iptables__v6_filter: '{{ common__iptables__v4_filter }}' diff --git a/host_vars/postgres.crypto-libertarian.com.yml b/host_vars/postgres.crypto-libertarian.com.yml deleted file mode 100644 index 8c1948e..0000000 --- a/host_vars/postgres.crypto-libertarian.com.yml +++ /dev/null 
@@ -1,155 +0,0 @@ ---- -ansible_become_pass_for: - kotovalexarian: !vault | - $ANSIBLE_VAULT;1.2;AES256;kotovalexarian - 61623634613531666632363233346539303131313038666132643464313263356162616661336339 - 6437356339396139346435636462613163396332313135620a383962643839393764616130663264 - 39363331653837376434613266623331333563343264383365336234666230633334313338623938 - 3562303035333732360a393931353339653539323732316137363532316234306461393265633763 - 64343336303765646239386265306435323230303764376439346530646138323137333461383766 - 3534613339653530643635316531356166313735623339613937 - xuhcc: !vault | - $ANSIBLE_VAULT;1.2;AES256;xuhcc - 33343933353961653437653139333435306663383434646339353763303530353731383438653337 - 3531393762396135366332396632653036346333623133650a306162326438333931303862383330 - 39626564333130623731343339663764643632323566393734346565353934656561386462326434 - 6538303365386631640a366330333135313464333962313638643465613836643037323833626131 - 39623562376439376665636537396339613462356131343763323437623334323463 - -ansible_become_pass: "{{ ansible_become_pass_for[admin] }}" - -common__certbot__cert_name: 'postgres.crypto-libertarian.com' -common__certbot__cert_domains: - - 'postgres.crypto-libertarian.com' - -postgresql_users: - - name: matrix_synapse - password: !vault | - $ANSIBLE_VAULT;1.2;AES256;postgres - 65363838636633623362663839303333346337646138333862373831343162343161356435336565 - 3032626439376630656338373464376463663935366134660a316136373261303331633836633937 - 30646533386163313136656138633437386366616234383265366261346636396130626333333235 - 3264356332336461320a323065616231663165613737646566336434663862306333393465366261 - 33373533393361356664343337353861313334623136353138643834336236306662383032316432 - 3336623036373964313036633434626239396139336666393361 - - name: matrix_media_repo - password: !vault | - $ANSIBLE_VAULT;1.2;AES256;postgres - 39386236643763333734653936616466376334636166646133653335626365373039356262376161 - 
3439353138643533613166333562663134666539653431340a636231353663633033363034643232 - 63393063346332353765343961383730633266613532656234336266623538376332636361353932 - 6634626266333033330a626536333161663239353831306466323038373961663132306334386437 - 64376231643964363935633531643938616430396664393237613361626465373536643339656566 - 6233663734316163386434343332346364363362653934363162 - -postgresql_databases: - - name: matrix_synapse - owner: matrix_synapse - lc_collate: C - lc_ctype: C - - name: matrix_media_repo - owner: matrix_media_repo - lc_collate: C - lc_ctype: C - -postgresql_hba_entries: - - type: local - database: all - user: all - auth_method: peer - - - type: host - database: all - user: all - address: '127.0.0.1/32' - auth_method: md5 - - - type: host - database: all - user: all - address: '::1/128' - auth_method: md5 - - - type: hostssl - database: matrix_synapse - user: matrix_synapse - address: '134.209.196.172/32' - auth_method: md5 - - - type: hostssl - database: matrix_synapse - user: matrix_synapse - address: '2a03:b0c0:2:f0::142:3001/128' - auth_method: md5 - - - type: hostssl - database: matrix_synapse - user: matrix_synapse - address: '10.133.8.214/32' - auth_method: md5 - - - type: hostssl - database: matrix_media_repo - user: matrix_media_repo - address: '134.209.196.172/32' - auth_method: md5 - - - type: hostssl - database: matrix_media_repo - user: matrix_media_repo - address: '2a03:b0c0:2:f0::142:3001/128' - auth_method: md5 - - - type: hostssl - database: matrix_media_repo - user: matrix_media_repo - address: '10.133.8.214/32' - auth_method: md5 - - - type: host - database: all - user: all - address: '0.0.0.0/0' - auth_method: reject - - - type: host - database: all - user: all - address: '::/0' - auth_method: reject - -common__iptables__v4_filter: | - # Allow incoming HTTP for Certbot to work. 
- -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT - -A OUTPUT -p tcp --sport 80 -m conntrack --ctstate ESTABLISHED -j ACCEPT - - # Deny other HTTP. - -A INPUT -p tcp --dport 80 -j REJECT - -A OUTPUT -p tcp --dport 80 -j REJECT - - # Allow incoming PostgreSQL from specific hosts. - -A INPUT -p tcp --dport 5432 -s 134.209.196.172/32 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT - -A OUTPUT -p tcp --sport 5432 -d 134.209.196.172/32 -m conntrack --ctstate ESTABLISHED -j ACCEPT - -A INPUT -p tcp --dport 5432 -s 10.133.8.214/32 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT - -A OUTPUT -p tcp --sport 5432 -d 10.133.8.214/32 -m conntrack --ctstate ESTABLISHED -j ACCEPT - - # Deny other PostgreSQL. - -A INPUT -p tcp --dport 5432 -j REJECT - -A OUTPUT -p tcp --sport 5432 -j REJECT - -common__iptables__v6_filter: | - # Allow incoming HTTP for Certbot to work. - -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT - -A OUTPUT -p tcp --sport 80 -m conntrack --ctstate ESTABLISHED -j ACCEPT - - # Deny other HTTP. - -A INPUT -p tcp --dport 80 -j REJECT - -A OUTPUT -p tcp --dport 80 -j REJECT - - # Allow incoming PostgreSQL from specific hosts. - -A INPUT -p tcp --dport 5432 -s 2a03:b0c0:2:f0::142:3001/128 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT - -A OUTPUT -p tcp --sport 5432 -d 2a03:b0c0:2:f0::142:3001/128 -m conntrack --ctstate ESTABLISHED -j ACCEPT - - # Deny other PostgreSQL. - -A INPUT -p tcp --dport 5432 -j REJECT - -A OUTPUT -p tcp --sport 5432 -j REJECT diff --git a/hosts b/hosts index bac7397..aac8b41 100644 --- a/hosts +++ b/hosts @@ -1,6 +1 @@ git.crypto-libertarian.com -matrix.crypto-libertarian.com -postgres.crypto-libertarian.com - -[postgres] -postgres.crypto-libertarian.com diff --git a/playbooks/backup/postgres.yml b/playbooks/backup/postgres.yml deleted file mode 100644 index 1af3b14..0000000 --- a/playbooks/backup/postgres.yml +++ /dev/null 
@@ -1,13 +0,0 @@ ---- -- hosts: postgres - tasks: - - name: Find PostgreSQL dumps - find: - paths: '{{ postgresql_backups_dir }}' - register: postgresql_dumps - - - name: Fetch PostgreSQL dumps - fetch: - src: '{{ item }}' - dest: ../../backups - with_items: "{{ postgresql_dumps.files | map(attribute='path') | list }}" diff --git a/playbooks/backup/site.yml b/playbooks/backup/site.yml index 324b44c..7e6cca9 100644 --- a/playbooks/backup/site.yml +++ b/playbooks/backup/site.yml @@ -1,3 +1,2 @@ --- - import_playbook: git.yml -- import_playbook: postgres.yml diff --git a/playbooks/deploy/matrix.yml b/playbooks/deploy/matrix.yml deleted file mode 100644 index de26cdd..0000000 --- a/playbooks/deploy/matrix.yml +++ /dev/null @@ -1,11 +0,0 @@ ---- -- hosts: matrix.crypto-libertarian.com - module_defaults: - apt: - force_apt_get: true - update_cache: true - cache_valid_time: 86400 - roles: - - name: kotovalexarian.common - tags: common - - ../../roles/matrix diff --git a/playbooks/deploy/postgres.yml b/playbooks/deploy/postgres.yml deleted file mode 100644 index f56d413..0000000 --- a/playbooks/deploy/postgres.yml +++ /dev/null @@ -1,19 +0,0 @@ ---- -- hosts: postgres - module_defaults: - apt: - force_apt_get: true - update_cache: true - cache_valid_time: 86400 - roles: - - name: kotovalexarian.common - tags: common - - geerlingguy.postgresql - tasks: - - name: Create daily Cron job for PostgreSQL backup - template: - src: ../../templates/pg_backup - dest: /etc/cron.daily/pg_backup - mode: 'u=rwx,g=rx,o=rx' - owner: root - group: root diff --git a/playbooks/deploy/site.yml b/playbooks/deploy/site.yml index e354b76..7e6cca9 100644 --- a/playbooks/deploy/site.yml +++ b/playbooks/deploy/site.yml @@ -1,4 +1,2 @@ --- - import_playbook: git.yml -- import_playbook: postgres.yml -- import_playbook: matrix.yml diff --git a/requirements.yml b/requirements.yml index 8918815..668fa7f 100644 --- a/requirements.yml +++ b/requirements.yml 
@@ -1,5 +1,3 @@
 ---
 - src: kotovalexarian.common
 version: v0.0.45
-- src: geerlingguy.postgresql
- version: 2.2.1
diff --git a/roles/matrix/defaults/main.yml b/roles/matrix/defaults/main.yml
deleted file mode 100644
index 5adefde..0000000
--- a/roles/matrix/defaults/main.yml
+++ /dev/null
@@ -1,41 +0,0 @@
----
-matrix__site_host: 'example.com'
-matrix__base_host: 'matrix.example.com'
-matrix__web_host: 'element.example.com'
-
-matrix__site_url: 'https://example.com'
-matrix__base_url: 'https://matrix.example.com'
-matrix__web_url: 'https://element.example.com'
-
-matrix__admin_contact: 'mailto:user@example.com'
-matrix__admin_user: '@user:example.com'
-
-matrix__base_ssl_cert: '/etc/letsencrypt/live/matrix.example.com/fullchain.pem'
-matrix__web_ssl_cert: '/etc/letsencrypt/live/element.example.com/fullchain.pem'
-
-matrix__base_ssl_key: '/etc/letsencrypt/live/matrix.example.com/privkey.pem'
-matrix__web_ssl_key: '/etc/letsencrypt/live/element.example.com/privkey.pem'
-
-matrix__synapse__pg_enable: false
-matrix__synapse__pg_host: 'postgres.example.com'
-matrix__synapse__pg_port: 5432
-matrix__synapse__pg_username: ''
-matrix__synapse__pg_password: ''
-matrix__synapse__pg_database: ''
-
-matrix__synapse__signing_key: ''
-matrix__synapse__reg_secret: ''
-matrix__synapse__macaroon_secret: ''
-matrix__synapse__form_secret: ''
-
-matrix__synapse__recaptcha_public_key: ''
-matrix__synapse__recaptcha_private_key: ''
-
-matrix__media_repo__postgres: 'postgres://user:pass@example.com/dbname?sslmode=require'
-matrix__media_repo__s3_endpoint: 's3.eu-central-1.amazonaws.com'
-matrix__media_repo__s3_access_key: ''
-matrix__media_repo__s3_access_secret: ''
-matrix__media_repo__s3_bucket: 'example-matrix-media-repo'
-
-matrix__static__user_id: ''
-matrix__static__access_token: ''
diff --git a/roles/matrix/handlers/main.yml b/roles/matrix/handlers/main.yml
deleted file mode 100644
index ec9755c..0000000
--- a/roles/matrix/handlers/main.yml
+++ /dev/null
@@ -1,26 +0,0 @@ ---- -- name: Restart Nginx - systemd: - name: nginx - state: restarted - -- name: Load, enable and restart Matrix Synapse - systemd: - name: '{{ matrix__synapse__service }}' - daemon_reload: true - enabled: true - state: restarted - -- name: Load, enable and restart Matrix Media Repo - systemd: - name: '{{ matrix__media_repo__service }}' - daemon_reload: true - enabled: true - state: restarted - -- name: Load, enable and restart Matrix Static - systemd: - name: '{{ matrix__static__service }}' - daemon_reload: true - enabled: true - state: restarted diff --git a/roles/matrix/tasks/common.yml b/roles/matrix/tasks/common.yml deleted file mode 100644 index 9d3c8cd..0000000 --- a/roles/matrix/tasks/common.yml +++ /dev/null @@ -1,21 +0,0 @@ ---- -- name: Create Matrix directories - file: - state: directory - path: '{{ item }}' - mode: 'u=rwx,g=rwx,o=rx' - owner: root - group: root - with_items: - - '{{ matrix__conf_dir }}' - - '{{ matrix__opt_dir }}' - - '{{ matrix__lib_dir }}' - - '{{ matrix__run_dir }}' - -- name: Recreate Matrix rundirs - template: - src: '../templates/tmpfiles.d/matrix.conf' - dest: '/etc/tmpfiles.d/matrix.conf' - mode: 'u=rw,g=r,o=r' - owner: root - group: root diff --git a/roles/matrix/tasks/element.yml b/roles/matrix/tasks/element.yml deleted file mode 100644 index 157a52e..0000000 --- a/roles/matrix/tasks/element.yml +++ /dev/null 
@@ -1,37 +0,0 @@ ---- -- name: Create Matrix Element directories - file: - state: directory - path: '{{ item }}' - mode: 'u=rwx,g=rwx,o=rx' - owner: root - group: root - with_items: - - '{{ matrix__element__opt_dir }}' - - '{{ matrix__element__src_dir }}' - -- name: Get Matrix Element source code - get_url: - url: '{{ matrix__element__url }}' - checksum: '{{ matrix__element__checksum }}' - dest: '{{ matrix__element__archive_file }}' - mode: 'u=rw,g=rw,o=r' - owner: root - group: root - -- name: Extract Matrix Element source code - unarchive: - remote_src: true - src: '{{ matrix__element__archive_file }}' - dest: '{{ matrix__element__src_dir }}' - creates: '{{ matrix__element__src_dir }}/index.html' - extra_opts: - - '--strip-components=1' - -- name: Create Matrix Element config - template: - src: '../templates/element/config.json' - dest: '{{ matrix__element__conf_file }}' - mode: 'u=rw,g=rw,o=r' - owner: root - group: root diff --git a/roles/matrix/tasks/main.yml b/roles/matrix/tasks/main.yml deleted file mode 100644 index 3f7754c..0000000 --- a/roles/matrix/tasks/main.yml +++ /dev/null @@ -1,18 +0,0 @@ ---- -- include_tasks: common.yml -- meta: flush_handlers - -- include_tasks: nginx.yml -- meta: flush_handlers - -- include_tasks: synapse.yml -- meta: flush_handlers - -- include_tasks: media_repo.yml -- meta: flush_handlers - -- include_tasks: static.yml -- meta: flush_handlers - -- include_tasks: element.yml -- meta: flush_handlers diff --git a/roles/matrix/tasks/media_repo.yml b/roles/matrix/tasks/media_repo.yml deleted file mode 100644 index 95cc4f8..0000000 --- a/roles/matrix/tasks/media_repo.yml +++ /dev/null 
@@ -1,66 +0,0 @@ ---- -- name: Install system packages for Matrix Media Repo - apt: - name: golang - notify: Load, enable and restart Matrix Media Repo - -- name: Create Matrix Media Repo system group - group: - name: '{{ matrix__media_repo__group }}' - system: true - notify: Load, enable and restart Matrix Media Repo - -- name: Create Matrix Media Repo system user - user: - name: '{{ matrix__media_repo__user }}' - group: '{{ matrix__media_repo__group }}' - system: true - create_home: true - home: '{{ matrix__media_repo__lib_dir }}' - notify: Load, enable and restart Matrix Media Repo - -- name: Create Matrix Media Repo directories - file: - state: directory - path: '{{ item }}' - mode: 'u=rwx,g=rwx,o=rx' - owner: '{{ matrix__media_repo__user }}' - group: '{{ matrix__media_repo__group }}' - with_items: - - '{{ matrix__media_repo__conf_dir }}' - - '{{ matrix__media_repo__opt_dir }}' - - '{{ matrix__media_repo__src_dir }}' - notify: Load, enable and restart Matrix Media Repo - -- name: Create Matrix Media Repo config - template: - src: '../templates/media_repo/config.yaml' - dest: '{{ matrix__media_repo__conf_file }}' - mode: 'u=rw,g=rw,o=' - owner: '{{ matrix__media_repo__user }}' - group: '{{ matrix__media_repo__group }}' - notify: Load, enable and restart Matrix Media Repo - -- name: Create Matrix Media Repo systemd service - template: - src: '../templates/media_repo/matrix-media-repo.service' - dest: '{{ matrix__media_repo__service_file }}' - mode: 'u=rw,g=rw,o=r' - owner: root - group: root - notify: Load, enable and restart Matrix Media Repo - -- name: Get Matrix Media Repo source code - become_user: '{{ matrix__media_repo__user }}' - git: - repo: 'https://github.com/turt2live/matrix-media-repo.git' - dest: '{{ matrix__media_repo__src_dir }}' - version: 'b73a0082dd22e9ff447950b18e9ca49c73a6d912' - -- name: Build Matrix Media Repo source code - become_user: '{{ matrix__media_repo__user }}' - command: - chdir: '{{ matrix__media_repo__src_dir }}' - creates: '{{ 
matrix__media_repo__src_dir }}/bin/media_repo' - cmd: '/bin/bash {{ matrix__media_repo__src_dir }}/build.sh' - notify: Load, enable and restart Matrix Media Repo diff --git a/roles/matrix/tasks/nginx.yml b/roles/matrix/tasks/nginx.yml deleted file mode 100644 index 0476f07..0000000 --- a/roles/matrix/tasks/nginx.yml +++ /dev/null @@ -1,18 +0,0 @@ ---- -- name: Create Nginx server configuration - template: - src: '../templates/nginx/matrix.conf' - dest: '/etc/nginx/sites-available/matrix.conf' - mode: 'u=rw,g=rw,o=r' - owner: root - group: root - notify: Restart Nginx - -- name: Enable Nginx server configuration - file: - state: link - src: '/etc/nginx/sites-available/matrix.conf' - dest: '/etc/nginx/sites-enabled/matrix.conf' - owner: root - group: root - notify: Restart Nginx diff --git a/roles/matrix/tasks/static.yml b/roles/matrix/tasks/static.yml deleted file mode 100644 index 052c266..0000000 --- a/roles/matrix/tasks/static.yml +++ /dev/null 
@@ -1,108 +0,0 @@ ---- -- name: Install system packages for Matrix Static - apt: - name: golang - notify: Load, enable and restart Matrix Static - -- name: Create Matrix Static system group - group: - name: '{{ matrix__static__group }}' - system: true - notify: Load, enable and restart Matrix Static - -- name: Create Matrix Static system user - user: - name: '{{ matrix__static__user }}' - group: '{{ matrix__static__group }}' - system: true - create_home: false - notify: Load, enable and restart Matrix Static - -- name: Create Matrix Static directories - file: - state: directory - path: '{{ item }}' - mode: 'u=rwx,g=rwx,o=rx' - owner: '{{ matrix__static__user }}' - group: '{{ matrix__static__group }}' - with_items: - - '{{ matrix__static__conf_dir }}' - - '{{ matrix__static__opt_dir }}' - - '{{ matrix__static__src_dir }}' - - '{{ matrix__static__bin_dir }}' - notify: Load, enable and restart Matrix Static - -- name: Create Matrix Static config - template: - src: '../templates/static/config.json' - dest: '{{ matrix__static__conf_file }}' - mode: 'u=rw,g=rw,o=' - owner: '{{ matrix__static__user }}' - group: '{{ matrix__static__group }}' - notify: Load, enable and restart Matrix Static - -- name: Create Matrix Static systemd service - template: - src: '../templates/static/matrix-static.service' - dest: '{{ matrix__static__service_file }}' - mode: 'u=rw,g=rw,o=r' - owner: root - group: root - notify: Load, enable and restart Matrix Static - -- name: Get Matrix Static source code - get_url: - url: '{{ matrix__static__url }}' - checksum: '{{ matrix__static__checksum }}' - dest: '{{ matrix__static__archive_file }}' - mode: 'u=rw,g=rw,o=r' - owner: '{{ matrix__static__user }}' - group: '{{ matrix__static__group }}' - -- name: Extract Matrix Static source code - become_user: '{{ matrix__static__user }}' - unarchive: - remote_src: true - src: '{{ matrix__static__archive_file }}' - dest: '{{ matrix__static__src_dir }}' - creates: '{{ matrix__static__src_dir }}/README.md' - 
extra_opts: - - '--strip-components=1' - -- name: Get Quicktemplate source code - become_user: '{{ matrix__static__user }}' - git: - repo: 'https://github.com/valyala/quicktemplate.git' - dest: '{{ matrix__static__opt_dir }}/go-quicktemplate' - version: '1a0f4e9691adbb86df52cb2dd9adafa6a28585a0' - -- name: Install Quicktemplate - become_user: '{{ matrix__static__user }}' - command: - chdir: '{{ matrix__static__opt_dir }}/go-quicktemplate/qtc' - creates: '{{ matrix__static__opt_dir }}/go/bin/qtc' - cmd: 'go install .' - environment: - GOPATH: '{{ matrix__static__opt_dir }}/go' - GOCACHE: '{{ matrix__static__opt_dir }}/go-cache' - -- name: Run Go executable qtc - become_user: '{{ matrix__static__user }}' - command: - chdir: '{{ matrix__static__src_dir }}' - creates: '{{ matrix__static__src_dir }}/templates/basepage.qtpl.go' - cmd: '{{ matrix__static__opt_dir }}/go/bin/qtc' - environment: - GOPATH: '{{ matrix__static__opt_dir }}/go' - GOCACHE: '{{ matrix__static__opt_dir }}/go-cache' - -- name: Build Matrix Static source code - become_user: '{{ matrix__static__user }}' - command: - chdir: '{{ matrix__static__src_dir }}' - creates: '{{ matrix__static__bin_dir }}/matrix-static' - cmd: 'go build -o {{ matrix__static__bin_dir }} ./cmd/...' - environment: - GOPATH: '{{ matrix__static__opt_dir }}/go' - GOCACHE: '{{ matrix__static__opt_dir }}/go-cache' - notify: Load, enable and restart Matrix Static diff --git a/roles/matrix/tasks/synapse.yml b/roles/matrix/tasks/synapse.yml deleted file mode 100644 index f9c87ba..0000000 --- a/roles/matrix/tasks/synapse.yml +++ /dev/null 
@@ -1,145 +0,0 @@ ---- -- name: Install system packages for Matrix Synapse - apt: - name: - - build-essential - - libffi-dev - - libjpeg-dev - - libpq-dev - - libpq5 - - libssl-dev - - libxml2-dev - - libxslt1-dev - - python3-dev - - python3-pip - - python3-setuptools - - sqlite3 - - virtualenv - notify: Load, enable and restart Matrix Synapse - -- name: Create Matrix Synapse system group - group: - name: '{{ matrix__synapse__group }}' - system: true - notify: Load, enable and restart Matrix Synapse - -- name: Create Matrix Synapse system user - user: - name: '{{ matrix__synapse__user }}' - group: '{{ matrix__synapse__group }}' - system: true - create_home: false - notify: Load, enable and restart Matrix Synapse - -- name: Create Matrix Synapse directories - file: - state: directory - path: '{{ item }}' - mode: 'u=rwx,g=rwx,o=rx' - owner: '{{ matrix__synapse__user }}' - group: '{{ matrix__synapse__group }}' - with_items: - - '{{ matrix__synapse__conf_dir }}' - - '{{ matrix__synapse__conf_subdir }}' - - '{{ matrix__synapse__opt_dir }}' - - '{{ matrix__synapse__lib_dir }}' - - '{{ matrix__synapse__run_dir }}' - notify: Load, enable and restart Matrix Synapse - -- name: Create Matrix Synapse config - template: - src: '../templates/synapse/config/{{ item }}.yaml' - dest: '{{ matrix__synapse__conf_subdir }}/{{ item }}.yaml' - mode: 'u=rw,g=rw,o=' - owner: '{{ matrix__synapse__user }}' - group: '{{ matrix__synapse__group }}' - notify: Load, enable and restart Matrix Synapse - with_items: - - other - - database - - acme - - listeners - - url_preview - - captcha - - turn - - media_store - -- name: Create Matrix Synapse log config - template: - src: '../templates/synapse/log_config.yml' - dest: '{{ matrix__synapse__log_conf_file }}' - mode: 'u=rw,g=rw,o=r' - owner: '{{ matrix__synapse__user }}' - group: '{{ matrix__synapse__group }}' - notify: Load, enable and restart Matrix Synapse - -- name: Create Matrix Synapse signing key - copy: - content: "{{ 
matrix__synapse__signing_key }}\n" - dest: '{{ matrix__synapse__key_file }}' - mode: 'u=rw,g=rw,o=' - owner: '{{ matrix__synapse__user }}' - group: '{{ matrix__synapse__group }}' - notify: Load, enable and restart Matrix Synapse - -- name: Create Python virtual env - become_user: '{{ matrix__synapse__user }}' - command: - argv: - - 'virtualenv' - - '{{ matrix__synapse__venv_dir }}' - - '-p' - - 'python3' - creates: '{{ matrix__synapse__venv_dir }}' - notify: Load, enable and restart Matrix Synapse - -- name: Check Python packages - command: - argv: - - '{{ matrix__synapse__venv_dir }}/bin/pip' - - 'show' - - '{{ item }}' - with_items: - - 'matrix-synapse' - - 'lxml' - - 'netaddr' - - 'pip' - - 'psycopg2' - - 'setuptools' - ignore_errors: true - changed_when: false - register: packages_info - -- name: Upgrade Python packages - become_user: '{{ matrix__synapse__user }}' - command: - argv: - - '{{ matrix__synapse__venv_dir }}/bin/pip' - - 'install' - - '--upgrade' - - 'pip' - - 'setuptools' - when: packages_info | json_query('results[*].rc') | difference([0]) != [] - notify: Load, enable and restart Matrix Synapse - -- name: Install Python packages - become_user: '{{ matrix__synapse__user }}' - command: - argv: - - '{{ matrix__synapse__venv_dir }}/bin/pip' - - 'install' - - 'matrix-synapse' - - 'lxml' - - 'netaddr' - - 'psycopg2' - when: packages_info | json_query('results[*].rc') | difference([0]) != [] - notify: Load, enable and restart Matrix Synapse - -- name: Create Matrix Synapse systemd service - template: - src: '../templates/synapse/matrix-synapse.service' - dest: '{{ matrix__synapse__service_file }}' - mode: 'u=rw,g=rw,o=r' - owner: root - group: root - notify: Load, enable and restart Matrix Synapse diff --git a/roles/matrix/templates/element/config.json b/roles/matrix/templates/element/config.json deleted file mode 100644 index 492cad6..0000000 --- a/roles/matrix/templates/element/config.json +++ /dev/null 
@@ -1,59 +0,0 @@
-{
- "default_server_config": {
- "m.homeserver": {
- "base_url": "https://matrix-client.matrix.org",
- "server_name": "matrix.org"
- },
- "m.identity_server": {
- "base_url": "https://vector.im"
- }
- },
- "disable_custom_urls": false,
- "disable_guests": false,
- "disable_login_language_selector": false,
- "disable_3pid_login": false,
- "brand": "Element",
- "integrations_ui_url": "https://scalar.vector.im/",
- "integrations_rest_url": "https://scalar.vector.im/api",
- "integrations_widgets_urls": [
- "https://scalar.vector.im/_matrix/integrations/v1",
- "https://scalar.vector.im/api",
- "https://scalar-staging.vector.im/_matrix/integrations/v1",
- "https://scalar-staging.vector.im/api",
- "https://scalar-staging.riot.im/scalar/api"
- ],
- "bug_report_endpoint_url": "https://riot.im/bugreports/submit",
- "defaultCountryCode": "GB",
- "showLabsSettings": false,
- "features": {
- "feature_new_spinner": "labs",
- "feature_pinning": "labs",
- "feature_custom_status": "labs",
- "feature_custom_tags": "labs",
- "feature_state_counters": "labs"
- },
- "default_federate": true,
- "default_theme": "light",
- "roomDirectory": {
- "servers": [
- "matrix.org"
- ]
- },
- "welcomeUserId": "@riot-bot:matrix.org",
- "piwik": {
- "url": "https://piwik.riot.im/",
- "whitelistedHSUrls": ["https://matrix.org"],
- "whitelistedISUrls": ["https://vector.im", "https://matrix.org"],
- "siteId": 1
- },
- "enable_presence_by_hs_url": {
- "https://matrix.org": false,
- "https://matrix-client.matrix.org": false
- },
- "settingDefaults": {
- "breadcrumbs": true
- },
- "jitsi": {
- "preferredDomain": "jitsi.riot.im"
- }
-}
diff --git a/roles/matrix/templates/media_repo/config.yaml b/roles/matrix/templates/media_repo/config.yaml
deleted file mode 100644
index 19e01af..0000000
--- a/roles/matrix/templates/media_repo/config.yaml
+++ /dev/null
@@ -1,539 +0,0 @@ -# General repo configuration -repo: - bindAddress: '127.0.0.1' - port: {{ matrix__media_repo__port }} - - # Where to store the logs, relative to where the repo is started from. Logs will be automatically - # rotated every day and held for 14 days. To disable the repo logging to files, set this to - # "-" (including quotation marks). - # - # Note: to change the log directory you'll have to restart the repository. This setting cannot be - # live reloaded. - logDirectory: '-' - - # If true, the media repo will accept any X-Forwarded-For header without validation. In most cases - # this option should be left as "false". Note that the media repo already expects an X-Forwarded-For - # header, but validates it to ensure the IP being given makes sense. - trustAnyForwardedAddress: false - - # If false, the media repo will not use the X-Forwarded-Host header commonly added by reverse proxies. - # Typically this should remain as true, though in some circumstances it may need to be disabled. - # See https://github.com/turt2live/matrix-media-repo/issues/202 for more information. - useForwardedHost: true - -# Options for dealing with federation -federation: - # On a per-host basis, the number of consecutive failures in calling the host before the - # media repo will back off. This defaults to 20 if not given. Note that 404 errors from - # the remote server do not count towards this. - backoffAt: 20 - -# The database configuration for the media repository -# Do NOT put your homeserver's existing database credentials here. Create a new database and -# user instead. Using the same server is fine, just not the same username and database. -database: - # Currently only "postgres" is supported. - postgres: "{{ matrix__media_repo__postgres }}" - - # The database pooling options - pool: - # The maximum number of connects to hold open. More of these allow for more concurrent - # processes to happen. 
- maxConnections: 25 - - # The maximum number of connects to leave idle. More of these reduces the time it takes - # to serve requests in low-traffic scenarios. - maxIdleConnections: 5 - -# The configuration for the homeservers this media repository is known to control. Servers -# not listed here will not be able to upload media. -homeservers: - - - # This should match the server_name of your homeserver, and the Host header - # provided to the media repo. - name: "{{ matrix__site_host }}" - - # The base URL to where the homeserver can actually be reached - csApi: "{{ matrix__base_url }}" - - # The number of consecutive failures in calling this homeserver before the - # media repository will start backing off. This defaults to 10 if not given. - backoffAt: 10 - - # The kind of admin API the homeserver supports. If set to "matrix", - # the media repo will use the Synapse-defined endpoints under the - # unstable client-server API. When this is "synapse", the new /_synapse - # endpoints will be used instead. Unknown values are treated as the - # default, "matrix". - adminApiKind: 'matrix' - -# Options for controlling how access tokens work with the media repo. It is recommended that if -# you are going to use these options that the `/logout` and `/logout/all` client-server endpoints -# be proxied through this process. They will also be called on the homeserver, and the response -# sent straight through the client - they are simply used to invalidate the cache faster for -# a particular user. Without these, the access tokens might still work for a short period of time -# after the user has already invalidated them. -# -# This will also cache errors from the homeserver. -# -# Note that when this config block is used outside of a per-domain config, all hosts will be -# subject to the same cache. This also means that application services on limited homeservers -# could be authorized on the wrong domain. 
-# -# *************************************************************************** -# * IT IS HIGHLY RECOMMENDED TO USE PER-DOMAIN CONFIGS WITH THIS FEATURE. * -# *************************************************************************** -accessTokens: - # The maximum time a cached access token will be considered valid. Set to zero (the default) - # to disable the cache and constantly hit the homeserver. This is recommended to be set to - # 43200 (12 hours) on servers with the logout endpoints proxied through the media repo, and - # zero for servers who do not proxy the endpoints through. - maxCacheTimeSeconds: 0 - - # Whether or not to use the `appservices` config option below. If disabled (the default), - # the regular access token cache will be used for each user, potentially leading to high - # memory usage. - useLocalAppserviceConfig: false - - # The application services (and their namespaces) registered on the homeserver. Only used - # if `useLocalAppserviceConfig` is enabled (recommended). - # - # Usually the appservice will provide you with these config details - they'll just need - # translating from the appservice registration to here. Note that this does not require - # all options from the registration, and only requires the bare minimum required to run - # the media repo. - appservices: - - id: Name_of_appservice_for_your_reference - asToken: Secret_token_for_appservices_to_use - senderUserId: '@_example_bridge:yourdomain.com' - userNamespaces: - - regex: '@_example_bridge_.+:yourdomain.com' - # A note about regexes: it is best to suffix *all* namespaces with the homeserver - # domain users are valid for, as otherwise the appservice can use any user with - # any domain name it feels like, even if that domain is not configured with the - # media repo. This will lead to inaccurate reporting in the case of the media - # repo, and potentially leading to media being considered "remote". 
- -# These users have full access to the administrative functions of the media repository. -# See docs/admin.md for information on what these people can do. They must belong to one of the -# configured homeservers above. -admins: - - "{{ matrix__admin_user }}" - -# Shared secret auth is useful for applications building on top of the media repository, such -# as a management interface. The `token` provided here is treated as a repository administrator -# when shared secret auth is enabled: if the `token` is used in place of an access token, the' -# request will be authorized. This is not limited to any particular domain, giving applications -# the ability to use it on any configured hostname. -sharedSecretAuth: - # Set this to true to enable shared secret auth. - enabled: false - - # Use a secure value here to prevent unauthorized access to the media repository. - token: 'PutSomeRandomSecureValueHere' - -# Datastores are places where media should be persisted. This isn't dedicated for just uploads: -# thumbnails and other misc data is also stored in these places. When the media repo is looking -# to store new media (such as user uploads, thumbnails, etc) it will look for a datastore which -# is flagged as forUploads. It will try to use the smallest datastore first. -datastores: - - type: file - - # Enable this to set up data storage. - enabled: false - - # Datastores can be split into many areas when handling uploads. Media is still de-duplicated - # across all datastores (local content which duplicates remote content will re-use the remote - # content's location). This option is useful if your datastore is becoming very large, or if - # you want faster storage for a particular kind of media. - # - # The kinds available are: - # thumbnails - Used to store thumbnails of media (local and remote). - # remote_media - Original copies of remote media (servers not configured by this repo). - # local_media - Original uploads for local media. 
- # archives - Archives of content (GDPR and similar requests). - forKinds: ['thumbnails'] - - opts: - path: /var/matrix/media - - - type: s3 - - # Enable this to set up s3 uploads - enabled: true - - forKinds: ['thumbnails', 'remote_media', 'local_media', 'archives'] - - opts: - # The s3 uploader needs a temporary location to buffer files to reduce memory usage on - # small file uploads. If the file size is unknown, the file is written to this location - # before being uploaded to s3 (then the file is deleted). If you aren't concerned about - # memory usage, set this to an empty string. - tempPath: '' - endpoint: "{{ matrix__media_repo__s3_endpoint }}" - accessKeyId: "{{ matrix__media_repo__s3_access_key }}" - accessSecret: "{{ matrix__media_repo__s3_access_secret }}" - ssl: true - bucketName: "{{ matrix__media_repo__s3_bucket }}" - # An optional region for where this S3 endpoint is located. Typically not needed, though - # some providers will need this (like Scaleway). Uncomment to use. - #region: 'sfo2' - - # The media repo does support an IPFS datastore, but only if the IPFS feature is enabled. If - # the feature is not enabled, this will not work. Note that IPFS support is experimental at - # the moment and not recommended for general use. - # - # NOTE: Everything you upload to IPFS will be publicly accessible, even when the media repo - # puts authentication on the download endpoints. Only use this option for cases where you - # expect your media to be publicly accessible. - - type: ipfs - - # Enable this to use IPFS support - enabled: false - - forKinds: ['local_media'] - - # The IPFS datastore currently has no options. It will use the daemon or HTTP API configured - # in the IPFS section of your main config. - opts: {} - -# Options for controlling archives. Archives are exports of a particular user's content for -# the purpose of GDPR or moving media to a different server. -archiving: - # Whether archiving is enabled or not. Default enabled. 
- enabled: true - - # If true, users can request a copy of their own data. By default, only repository administrators - # can request a copy. - # This includes the ability for homeserver admins to request a copy of their own server's - # data, as known to the repo. - selfService: false - - # The number of bytes to target per archive before breaking up the files. This is independent - # of any file upload limits and will require a similar amount of memory when performing an export. - # The file size is also a target, not a guarantee - it is possible to have files that are smaller - # or larger than the target. This is recommended to be approximately double the size of your - # file upload limit, provided there is enough memory available for the demand of exporting. - targetBytesPerPart: 209715200 # 200mb default - -# The file upload settings for the media repository -uploads: - maxBytes: 104857600 # 100MB default, 0 to disable - - # The minimum number of bytes to let people upload - minBytes: 100 # 100 bytes by default - - # The number of bytes to claim as the maximum size for uploads for the limits API. If this - # is not provided then the maxBytes setting will be used instead. This is useful to provide - # if the media repo's settings and the reverse proxy do not match for maximum request size. - # This is purely for informational reasons and does not actually limit any functionality. - # Set this to -1 to indicate that there is no limit. Zero will force the use of maxBytes. - #reportedMaxBytes: 104857600 - - # An optional list of file types that are allowed to be uploaded. If */* or nothing is - # supplied here, then all file types are allowed. Asterisks (*) are wildcards and can be - # placed anywhere to match everything (eg: "image/*" matches all images). This will also - # restrict which file types are downloaded from remote servers. - # - # Caution: the media repo cannot tell the difference between encrypted media and arbitrary - # binary data. 
For this reason, this option is deprecated and to be removed in a future - # version. - allowedTypes: - - '*/*' - - # Specific users can have their own set of allowed file types. These are applied instead - # of those listed in the allowedTypes list when a user is found. Much like allowedTypes, - # asterisks may be used in the content types and may also be used in the user IDs. This - # allows for entire servers to have different allowed types by setting a rule similar to - # "@*:example.org". Users will be allowed to upload a file if the type matches any of - # the policies that match the user ID. - # - # Caution: the media repo cannot tell the difference between encrypted media and arbitrary - # binary data. For this reason, this option is deprecated and to be removed in a future - # version. - #exclusions: - # '@someone:example.org': - # - 'application/pdf' - # - 'application/vnd.ms-excel' - # '@*:example.org': - # - '*/*' - - -# Settings related to downloading files from the media repository -downloads: - # The maximum number of bytes to download from other servers - maxBytes: 104857600 # 100MB default, 0 to disable - - # The number of workers to use when downloading remote media. Raise this number if remote - # media is downloading slowly or timing out. - # - # Maximum memory usage = numWorkers multiplied by the maximum download size - # Average memory usage is dependent on how many concurrent downloads your users are doing. - numWorkers: 10 - - # How long, in minutes, to cache errors related to downloading remote media. Once this time - # has passed, the media is able to be re-requested. - failureCacheMinutes: 5 - - # The cache control settings for downloads. This can help speed up downloads for users by - # keeping popular media in the cache. This cache is also used for thumbnails. - cache: - enabled: true - - # The maximum size of cache to have. Higher numbers are better. - maxSizeBytes: 1048576000 # 1GB default - - # The maximum file size to cache. 
This should normally be the same size as your maximum - # upload size. - maxFileSizeBytes: 104857600 # 100MB default - - # The number of minutes to track how many downloads a file gets - trackedMinutes: 30 - - # The number of downloads a file must receive in the window above (trackedMinutes) in - # order to be cached. - minDownloads: 5 - - # The minimum amount of time an item should remain in the cache. This prevents the cache - # from cycling out the file if it needs more room during this time. Note that the media - # repo regularly cleans out media which is past this point from the cache, so this number - # may need increasing depending on your use case. If the maxSizeBytes is reached for the - # media repo, and some cached items are still under this timer, new items will not be able - # to enter the cache. When this happens, consider raising maxSizeBytes or lowering this - # timer. - minCacheTimeSeconds: 300 - - # The minimum amount of time an item should remain outside the cache once it is removed. - minEvictedTimeSeconds: 60 - - # How many days after a piece of remote content is downloaded before it expires. It can be - # re-downloaded on demand, this just helps free up space in your datastore. Set to zero or - # negative to disable. Defaults to disabled. - expireAfterDays: 0 - -# URL Preview settings -urlPreviews: - enabled: true # If enabled, the preview_url routes will be accessible - maxPageSizeBytes: 10485760 # 10MB default, 0 to disable - - # If true, the media repository will try to provide previews for URLs with invalid or unsafe - # certificates. If false (the default), the media repo will fail requests to said URLs. - previewUnsafeCertificates: false - - # Note: URL previews are limited to a given number of words, which are then limited to a number - # of characters, taking off the last word if it needs to. This also applies for the title. 
- - numWords: 50 # The number of words to include in a preview (maximum) - maxLength: 200 # The maximum number of characters for a description - - numTitleWords: 30 # The maximum number of words to include in a preview's title - maxTitleLength: 150 # The maximum number of characters for a title - - # The mime types to preview when OpenGraph previews cannot be rendered. OpenGraph previews are - # calculated on anything matching "text/*". To have a thumbnail in the preview the URL must be - # an image and the image's type must be allowed by the thumbnailer. - filePreviewTypes: - - 'image/*' - - # The number of workers to use when generating url previews. Raise this number if url - # previews are slow or timing out. - # - # Maximum memory usage = numWorkers multiplied by the maximum page size - # Average memory usage is dependent on how many concurrent urls your users are previewing. - numWorkers: 10 - - # Either allowedNetworks or disallowedNetworks must be provided. If both are provided, they - # will be merged. URL previews will be disabled if neither is supplied. Each entry must be - # a CIDR range. - disallowedNetworks: - - '127.0.0.1/8' - - '10.0.0.0/8' - - '172.16.0.0/12' - - '192.168.0.0/16' - - '100.64.0.0/10' - - '169.254.0.0/16' - - '::1/128' - - 'fe80::/64' - - 'fc00::/7' - allowedNetworks: - # "Everything". The blacklist will help limit this. - # This is the default value for this field. - - '0.0.0.0/0' - - # How many days after a preview is generated before it expires and is deleted. The preview - # can be regenerated safely - this just helps free up some space in your database. Set to - # zero or negative to disable. Defaults to disabled. - expireAfterDays: 0 - - # The default Accept-Language header to supply when generating URL previews when one isn't - # supplied by the client. 
- # Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Accept-Language - defaultLanguage: 'en-US,en' - -# The thumbnail configuration for the media repository. -thumbnails: - # The maximum number of bytes an image can be before the thumbnailer refuses. - maxSourceBytes: 10485760 # 10MB default, 0 to disable - - # The number of workers to use when generating thumbnails. Raise this number if thumbnails - # are slow to generate or timing out. - # - # Maximum memory usage = numWorkers multiplied by the maximum image source size - # Average memory usage is dependent on how many thumbnails are being generated by your users - numWorkers: 100 - - # All thumbnails are generated into one of the sizes listed here. The first size is used as - # the default for when no width or height is requested. The media repository will return - # either an exact match or the next largest size of thumbnail. - sizes: - - width: 32 - height: 32 - - width: 96 - height: 96 - - width: 320 - height: 240 - - width: 640 - height: 480 - - width: 800 - height: 600 - - # The content types to thumbnail when requested. Types that are not supported by the media repo - # will not be thumbnailed (adding application/json here won't work). Clients may still not request - # thumbnails for these types - this won't make clients automatically thumbnail these file types. - types: - - 'image/jpeg' - - 'image/jpg' - - 'image/png' - - 'image/gif' - - 'image/heif' - - 'image/webp' - #- 'image/svg+xml' # Be sure to have ImageMagick installed to thumbnail SVG files - - # Animated thumbnails can be CPU intensive to generate. To disable the generation of animated - # thumbnails, set this to false. If disabled, regular thumbnails will be returned. - allowAnimated: true - - # Default to animated thumbnails, if available - defaultAnimated: false - - # The maximum file size to thumbnail when a capable animated thumbnail is requested. 
If the image - # is larger than this, the thumbnail will be generated as a static image. - maxAnimateSizeBytes: 10485760 # 10MB default, 0 to disable - - # On a scale of 0 (start of animation) to 1 (end of animation), where should the thumbnailer try - # and thumbnail animated content? Defaults to 0.5 (middle of animation). - stillFrame: 0.5 - - # How many days after a thumbnail is generated before it expires and is deleted. The thumbnail - # can be regenerated safely - this just helps free up some space in your datastores. Set to - # zero or negative to disable. Defaults to disabled. - expireAfterDays: 0 - -# Controls for the rate limit functionality -rateLimit: - # Set this to false if rate limiting is handled at a higher level or you don't want it enabled. - enabled: true - - # The number of requests per second before an IP will be rate limited. Must be a whole number. - requestsPerSecond: 1 - - # The number of requests an IP can send at once before the rate limit is actually considered. - burst: 10 - -# Identicons are generated avatars for a given username. Some clients use these to give users a -# default avatar after signing up. Identicons are not part of the official matrix spec, therefore -# this feature is completely optional. -identicons: - enabled: true - -# The quarantine media settings. -quarantine: - # If true, when a thumbnail of quarantined media is requested an image will be returned. If no - # image is given in the thumbnailPath below then a generated image will be provided. This does - # not affect regular downloads of files. - replaceThumbnails: true - - # If true, when media which has been quarantined is requested an image will be returned. If - # no image is given in the thumbnailPath below then a generated image will be provided. This - # will replace media which is not an image (ie: quarantining a PDF will replace the PDF with - # an image). 
- replaceDownloads: false - - # If provided, the given image will be returned as a thumbnail for media that is quarantined. - #thumbnailPath: '/path/to/thumbnail.png' - - # If true, administrators of the configured homeservers may quarantine media for their server - # only. Global administrators can quarantine any media (local or remote) regardless of this - # flag. - allowLocalAdmins: true - -# The various timeouts that the media repo will use. -timeouts: - # The maximum amount of time the media repo should spend trying to fetch a resource that is - # being previewed. - urlPreviewTimeoutSeconds: 10 - - # The maximum amount of time the media repo will spend making remote requests to other repos - # or homeservers. This is primarily used to download media. - federationTimeoutSeconds: 120 - - # The maximum amount of time the media repo will spend talking to your configured homeservers. - # This is usually used to verify a user's identity. - clientServerTimeoutSeconds: 30 - -# Prometheus metrics configuration -# For an example Grafana dashboard, import the following JSON: -# https://github.com/turt2live/matrix-media-repo/blob/master/docs/grafana.json -metrics: - # If true, the bindAddress and port below will serve GET /metrics for Prometheus to scrape. - enabled: false - - # The address to listen on. Typically "127.0.0.1" or "0.0.0.0" for all interfaces. - bindAddress: '127.0.0.1' - - # The port to listen on. Cannot be the same as the general web server port. - port: 9000 - -# Options for controlling various MSCs/unstable features of the media repo -# Sections of this config might disappear or be added over time. By default all -# features are disabled in here and must be explicitly enabled to be used. -featureSupport: - # MSC2248 - Blurhash - MSC2448: - # Whether or not this MSC is enabled for use in the media repo - enabled: false - - # Maximum dimensions for converting a blurhash to an image. 
When no width and
- # height options are supplied, the default will be half these values.
- maxWidth: 1024
- maxHeight: 1024
-
- # Thumbnail size in pixels to use to generate the blurhash string
- thumbWidth: 64
- thumbHeight: 64
-
- # The X and Y components to use. Higher numbers blur less, lower numbers blur more.
- xComponents: 4
- yComponents: 3
-
- # The amount of contrast to apply when converting a blurhash to an image. Lower values
- # make the effect more subtle, larger values make it stronger.
- punch: 1
-
- # IPFS Support
- # This is currently experimental and might not work at all.
- IPFS:
- # Whether or not IPFS support is enabled for use in the media repo.
- enabled: false
-
- # Options for the built in IPFS daemon
- builtInDaemon:
- # Enable this to spawn an in-process IPFS node to use instead of a localhost
- # HTTP agent. If this is disabled, the media repo will assume you have an HTTP
- # IPFS agent running and accessible. Defaults to using a daemon (true).
- enabled: true
-
- # If the Daemon is enabled, set this to the location where the IPFS files should
- # be stored. If you're using Docker, this should be something like "/data/ipfs"
- # so it can be mapped to a volume.
- repoPath: './ipfs'
diff --git a/roles/matrix/templates/media_repo/matrix-media-repo.service b/roles/matrix/templates/media_repo/matrix-media-repo.service
deleted file mode 100644
index bc3c8c5..0000000
--- a/roles/matrix/templates/media_repo/matrix-media-repo.service
+++ /dev/null
@@ -1,18 +0,0 @@
-[Unit]
-After=network.target
-Description=Matrix Media Repo
-
-[Service]
-ExecStart={{ matrix__media_repo__src_dir }}/bin/media_repo -config {{ matrix__media_repo__conf_file }}
-Group={{ matrix__media_repo__group }}
-Restart=always
-RestartSec=1
-StandardOutput=syslog
-StandardError=syslog
-SyslogIdentifier={{ matrix__media_repo__service }}
-Type=simple
-User={{ matrix__media_repo__user }}
-WorkingDirectory={{ matrix__media_repo__opt_dir }}
-
-[Install]
-WantedBy=multi-user.target
diff --git a/roles/matrix/templates/nginx/matrix.conf b/roles/matrix/templates/nginx/matrix.conf
deleted file mode 100644
index 1d54acb..0000000
--- a/roles/matrix/templates/nginx/matrix.conf
+++ /dev/null
@@ -1,140 +0,0 @@
-server {
- listen 80;
- listen [::]:80;
-
- server_name {{ matrix__base_host }} {{ matrix__web_host }};
-
- set $CSP "";
- set $CSP "${CSP}object-src 'none';";
- set $CSP "${CSP}frame-src 'none';";
- set $CSP "${CSP}connect-src 'none';";
- set $CSP "${CSP}form-action 'none';";
-
- add_header Content-Security-Policy $CSP always;
- add_header Referrer-Policy "strict-origin-when-cross-origin" always;
- add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
- add_header X-Content-Type-Options "nosniff" always;
- add_header X-Frame-Options "SAMEORIGIN" always;
-
- return 301 https://$host$request_uri;
-}
-
-server {
- listen 443 ssl;
- listen [::]:443 ssl;
-
- server_name {{ matrix__web_host }};
-
- ssl_certificate {{ matrix__nginx__ssl_cert }};
- ssl_certificate_key {{ matrix__nginx__ssl_key }};
-
- set $CSP "";
- set $CSP "${CSP}object-src 'none';";
- set $CSP "${CSP}frame-src 'none';";
- set $CSP "${CSP}connect-src 'self';";
- set $CSP "${CSP}form-action 'none';";
-
- add_header Content-Security-Policy $CSP always;
- add_header Referrer-Policy "strict-origin-when-cross-origin" always;
- add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
- add_header X-Content-Type-Options "nosniff" always;
- add_header X-Frame-Options "SAMEORIGIN" always;
-
- add_header Last-Modified $date_gmt;
- add_header Cache-Control 'no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0';
-
- client_max_body_size 100M;
-
- if_modified_since off;
- expires off;
- etag off;
- sendfile off;
-
- root {{ matrix__element__src_dir }};
- index index.html;
-}
-
-server {
- listen 443 ssl;
- listen [::]:443 ssl;
-
- server_name {{ matrix__base_host }};
-
- ssl_certificate {{ matrix__nginx__ssl_cert }};
- ssl_certificate_key {{ matrix__nginx__ssl_key }};
-
- set $CSP "";
- set $CSP "${CSP}object-src 'none';";
- set $CSP "${CSP}frame-src 'none';";
- set $CSP "${CSP}connect-src 'none';";
- set $CSP "${CSP}form-action 'none';";
-
- add_header Content-Security-Policy $CSP always;
- add_header Referrer-Policy "strict-origin-when-cross-origin" always;
- add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
- add_header X-Content-Type-Options "nosniff" always;
- add_header X-Frame-Options "SAMEORIGIN" always;
-
- client_max_body_size 100M;
-
- location /_matrix/media {
- proxy_read_timeout 60s;
- proxy_set_header Host {{ matrix__site_host }};
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $remote_addr;
- proxy_pass http://localhost:{{ matrix__media_repo__port }};
- }
-
- location /_matrix {
- proxy_read_timeout 60s;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $remote_addr;
- proxy_pass http://localhost:{{ matrix__synapse__port }};
- }
-
- location / {
- proxy_read_timeout 60s;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $remote_addr;
- proxy_pass http://localhost:{{ matrix__static__port }};
- }
-}
-
-server {
- listen 8448 ssl;
- listen [::]:8448 ssl;
-
- server_name {{ matrix__base_host }};
-
- ssl_certificate {{ matrix__nginx__ssl_cert }};
- ssl_certificate_key {{ matrix__nginx__ssl_key }};
-
- set $CSP "";
- set $CSP "${CSP}object-src 'none';";
- set $CSP "${CSP}frame-src 'none';";
- set $CSP "${CSP}connect-src 'none';";
- set $CSP "${CSP}form-action 'none';";
-
- add_header Content-Security-Policy $CSP always;
- add_header Referrer-Policy "strict-origin-when-cross-origin" always;
- add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
- add_header X-Content-Type-Options "nosniff" always;
- add_header X-Frame-Options "SAMEORIGIN" always;
-
- client_max_body_size 100M;
-
- location /_matrix/media {
- proxy_read_timeout 60s;
- proxy_set_header Host {{ matrix__site_host }};
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $remote_addr;
- proxy_pass http://localhost:{{ matrix__media_repo__port }};
- }
-
- location / {
- proxy_read_timeout 60s;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $remote_addr;
- proxy_pass http://localhost:{{ matrix__synapse__port }};
- }
-}
diff --git a/roles/matrix/templates/static/config.json b/roles/matrix/templates/static/config.json
deleted file mode 100644
index 14997ce..0000000
--- a/roles/matrix/templates/static/config.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "access_token": "{{ matrix__static__access_token }}",
- "device_id": "guest_device",
- "home_server": "{{ matrix__base_url }}",
- "refresh_token": "",
- "user_id": "{{ matrix__static__user_id }}"
-}
diff --git a/roles/matrix/templates/static/matrix-static.service b/roles/matrix/templates/static/matrix-static.service
deleted file mode 100644
index 810375d..0000000
--- a/roles/matrix/templates/static/matrix-static.service
+++ /dev/null
@@ -1,19 +0,0 @@
-[Unit]
-After=network.target
-Description=Matrix Static
-
-[Service]
-Environment=PORT={{ matrix__static__port }}
-ExecStart={{ matrix__static__opt_dir }}/bin/matrix-static --config-file {{ matrix__static__conf_file }}
-Group={{ matrix__static__group }}
-Restart=always
-RestartSec=1
-StandardOutput=syslog
-StandatdError=syslog
-SyslogIdentifier={{ matrix__static__service }}
-Type=simple
-User={{ matrix__static__user }}
-WorkingDirectory={{ matrix__static__src_dir }}
-
-[Install]
-WantedBy=multi-user.target
diff --git a/roles/matrix/templates/synapse/config/acme.yaml b/roles/matrix/templates/synapse/config/acme.yaml
deleted file mode 100644
index 0539a36..0000000
--- a/roles/matrix/templates/synapse/config/acme.yaml
+++ /dev/null
@@ -1,73 +0,0 @@
-# ACME support: This will configure Synapse to request a valid TLS certificate
-# for your configured `server_name` via Let's Encrypt.
-#
-# Note that ACME v1 is now deprecated, and Synapse currently doesn't support
-# ACME v2. This means that this feature currently won't work with installs set
-# up after November 2019. For more info, and alternative solutions, see
-# https://github.com/matrix-org/synapse/blob/master/docs/ACME.md#deprecation-of-acme-v1
-#
-# Note that provisioning a certificate in this way requires port 80 to be
-# routed to Synapse so that it can complete the http-01 ACME challenge.
-# By default, if you enable ACME support, Synapse will attempt to listen on
-# port 80 for incoming http-01 challenges - however, this will likely fail
-# with 'Permission denied' or a similar error.
-#
-# There are a couple of potential solutions to this:
-#
-# * If you already have an Apache, Nginx, or similar listening on port 80,
-# you can configure Synapse to use an alternate port, and have your web
-# server forward the requests. For example, assuming you set 'port: 8009'
-# below, on Apache, you would write:
-#
-# ProxyPass /.well-known/acme-challenge http://localhost:8009/.well-known/acme-challenge
-#
-# * Alternatively, you can use something like `authbind` to give Synapse
-# permission to listen on port 80.
-#
-acme:
- # ACME support is disabled by default. Set this to `true` and uncomment
- # tls_certificate_path and tls_private_key_path above to enable it.
- #
- enabled: false
-
- # Endpoint to use to request certificates. If you only want to test,
- # use Let's Encrypt's staging url:
- # https://acme-staging.api.letsencrypt.org/directory
- #
- #url: https://acme-v01.api.letsencrypt.org/directory
-
- # Port number to listen on for the HTTP-01 challenge. Change this if
- # you are forwarding connections through Apache/Nginx/etc.
- #
- port: 80
-
- # Local addresses to listen on for incoming connections.
- # Again, you may want to change this if you are forwarding connections
- # through Apache/Nginx/etc.
- #
- bind_addresses: ['::', '0.0.0.0']
-
- # How many days remaining on a certificate before it is renewed.
- #
- reprovision_threshold: 30
-
- # The domain that the certificate should be for. Normally this
- # should be the same as your Matrix domain (i.e., 'server_name'), but,
- # by putting a file at 'https:///.well-known/matrix/server',
- # you can delegate incoming traffic to another server. If you do that,
- # you should give the target of the delegation here.
- #
- # For example: if your 'server_name' is 'example.com', but
- # 'https://example.com/.well-known/matrix/server' delegates to
- # 'matrix.example.com', you should put 'matrix.example.com' here.
- #
- # If not set, defaults to your 'server_name'.
- #
- domain: matrix.example.com
-
- # file to use for the account key. This will be generated if it doesn't
- # exist.
- #
- # If unspecified, we will use CONFDIR/client.key.
- #
- account_key_file: /etc/matrix/synapse/acme_account.key
diff --git a/roles/matrix/templates/synapse/config/captcha.yaml b/roles/matrix/templates/synapse/config/captcha.yaml
deleted file mode 100644
index f59181a..0000000
--- a/roles/matrix/templates/synapse/config/captcha.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
-## Captcha ##
-# See docs/CAPTCHA_SETUP.md for full details of configuring this.
-
-# This homeserver's ReCAPTCHA public key. Must be specified if
-# enable_registration_captcha is enabled.
-#
-recaptcha_public_key: '{{ matrix__synapse__recaptcha_public_key }}'
-
-# This homeserver's ReCAPTCHA private key. Must be specified if
-# enable_registration_captcha is enabled.
-#
-recaptcha_private_key: '{{ matrix__synapse__recaptcha_private_key }}'
-
-# Uncomment to enable ReCaptcha checks when registering, preventing signup
-# unless a captcha is answered. Requires a valid ReCaptcha
-# public/private key. Defaults to 'false'.
-#
-enable_registration_captcha: true
-
-# The API endpoint to use for verifying m.login.recaptcha responses.
-# Defaults to "https://www.recaptcha.net/recaptcha/api/siteverify".
-#
-#recaptcha_siteverify_api: "https://my.recaptcha.site"
diff --git a/roles/matrix/templates/synapse/config/database.yaml b/roles/matrix/templates/synapse/config/database.yaml
deleted file mode 100644
index 3f371d7..0000000
--- a/roles/matrix/templates/synapse/config/database.yaml
+++ /dev/null
@@ -1,55 +0,0 @@
-## Database ##
-
-# The 'database' setting defines the database that synapse uses to store all of
-# its data.
-#
-# 'name' gives the database engine to use: either 'sqlite3' (for SQLite) or
-# 'psycopg2' (for PostgreSQL).
-#
-# 'args' gives options which are passed through to the database engine,
-# except for options starting 'cp_', which are used to configure the Twisted
-# connection pool. For a reference to valid arguments, see:
-# * for sqlite: https://docs.python.org/3/library/sqlite3.html#sqlite3.connect
-# * for postgres: https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-PARAMKEYWORDS
-# * for the connection pool: https://twistedmatrix.com/documents/current/api/twisted.enterprise.adbapi.ConnectionPool.html#__init__
-#
-#
-# Example SQLite configuration:
-#
-#database:
-# name: sqlite3
-# args:
-# database: /path/to/homeserver.db
-#
-#
-# Example Postgres configuration:
-#
-#database:
-# name: psycopg2
-# args:
-# user: synapse
-# password: secretpassword
-# database: synapse
-# host: localhost
-# cp_min: 5
-# cp_max: 10
-#
-# For more information on using Synapse with Postgres, see `docs/postgres.md`.
-#
-{% if not matrix__synapse__pg_enable %}
-database:
- name: sqlite3
- args:
- database: '{{ matrix__synapse__db_file }}'
-{% else %}
-database:
- name: psycopg2
- args:
- host: '{{ matrix__synapse__pg_host }}'
- port: {{ matrix__synapse__pg_port }}
- user: '{{ matrix__synapse__pg_username }}'
- password: '{{ matrix__synapse__pg_password }}'
- database: '{{ matrix__synapse__pg_database }}'
- cp_min: 5
- cp_max: 10
-{% endif %}
diff --git a/roles/matrix/templates/synapse/config/listeners.yaml b/roles/matrix/templates/synapse/config/listeners.yaml
deleted file mode 100644
index 352ec58..0000000
--- a/roles/matrix/templates/synapse/config/listeners.yaml
+++ /dev/null
@@ -1,102 +0,0 @@
-# List of ports that Synapse should listen on, their purpose and their
-# configuration.
-#
-# Options for each listener include:
-#
-# port: the TCP port to bind to
-#
-# bind_addresses: a list of local addresses to listen on. The default is
-# 'all local interfaces'.
-#
-# type: the type of listener. Normally 'http', but other valid options are:
-# 'manhole' (see docs/manhole.md),
-# 'metrics' (see docs/metrics-howto.md),
-# 'replication' (see docs/workers.md).
-#
-# tls: set to true to enable TLS for this listener. Will use the TLS
-# key/cert specified in tls_private_key_path / tls_certificate_path.
-#
-# x_forwarded: Only valid for an 'http' listener. Set to true to use the
-# X-Forwarded-For header as the client IP. Useful when Synapse is
-# behind a reverse-proxy.
-#
-# resources: Only valid for an 'http' listener. A list of resources to host
-# on this port. Options for each resource are:
-#
-# names: a list of names of HTTP resources. See below for a list of
-# valid resource names.
-#
-# compress: set to true to enable HTTP comression for this resource.
-#
-# additional_resources: Only valid for an 'http' listener. A map of
-# additional endpoints which should be loaded via dynamic modules.
-#
-# Valid resource names are:
-#
-# client: the client-server API (/_matrix/client), and the synapse admin
-# API (/_synapse/admin). Also implies 'media' and 'static'.
-#
-# consent: user consent forms (/_matrix/consent). See
-# docs/consent_tracking.md.
-#
-# federation: the server-server API (/_matrix/federation). Also implies
-# 'media', 'keys', 'openid'
-#
-# keys: the key discovery API (/_matrix/keys).
-#
-# media: the media API (/_matrix/media).
-#
-# metrics: the metrics interface. See docs/metrics-howto.md.
-#
-# openid: OpenID authentication.
-#
-# replication: the HTTP replication API (/_synapse/replication). See
-# docs/workers.md.
-#
-# static: static resources under synapse/static (/_matrix/static).
(Mostly
-# useful for 'fallback authentication'.)
-#
-# webclient: A web client. Requires web_client_location to be set.
-#
-listeners:
- # TLS-enabled listener: for when matrix traffic is sent directly to synapse.
- #
- # Disabled by default. To enable it, uncomment the following. (Note that you
- # will also need to give Synapse a TLS key and certificate: see the TLS section
- # below.)
- #
- #- port: 8448
- # type: http
- # tls: true
- # resources:
- # - names: [client, federation]
-
- # Unsecure HTTP listener: for when matrix traffic passes through a reverse proxy
- # that unwraps TLS.
- #
- # If you plan to use a reverse proxy, please see
- # https://github.com/matrix-org/synapse/blob/master/docs/reverse_proxy.md.
- #
- - port: {{ matrix__synapse__port }}
- tls: false
- type: http
- x_forwarded: true
- bind_addresses: ['::1', '127.0.0.1']
-
- resources:
- - names: [client, federation]
- compress: false
-
- # example additional_resources:
- #
- #additional_resources:
- # "/_matrix/my/custom/endpoint":
- # module: my_module.CustomRequestHandler
- # config: {}
-
- # Turn on the twisted ssh manhole service on localhost on the given
- # port.
- #
- #- port: 9000
- # bind_addresses: ['::1', '127.0.0.1']
- # type: manhole
diff --git a/roles/matrix/templates/synapse/config/media_store.yaml b/roles/matrix/templates/synapse/config/media_store.yaml
deleted file mode 100644
index 4d29570..0000000
--- a/roles/matrix/templates/synapse/config/media_store.yaml
+++ /dev/null
@@ -1,59 +0,0 @@
-## Media Store ##
-
-# Enable the media store service in the Synapse master. Uncomment the
-# following if you are using a separate media store worker.
-#
-enable_media_repo: false
-
-# Directory where uploaded images and attachments are stored.
-#
-media_store_path: '{{ matrix__synapse__media_dir }}'
-
-# Media storage providers allow media to be stored in different
-# locations.
-#
-#media_storage_providers:
-# - module: file_system
-# # Whether to store newly uploaded local files
-# store_local: false
-# # Whether to store newly downloaded remote files
-# store_remote: false
-# # Whether to wait for successful storage for local uploads
-# store_synchronous: false
-# config:
-# directory: /mnt/some/other/directory
-
-# The largest allowed upload size in bytes
-#
-max_upload_size: 100M
-
-# Maximum number of pixels that will be thumbnailed
-#
-#max_image_pixels: 32M
-
-# Whether to generate new thumbnails on the fly to precisely match
-# the resolution requested by the client. If true then whenever
-# a new resolution is requested by the client the server will
-# generate a new thumbnail. If false the server will pick a thumbnail
-# from a precalculated list.
-#
-#dynamic_thumbnails: false
-
-# List of thumbnails to precalculate when an image is uploaded.
-#
-#thumbnail_sizes:
-# - width: 32
-# height: 32
-# method: crop
-# - width: 96
-# height: 96
-# method: crop
-# - width: 320
-# height: 240
-# method: scale
-# - width: 640
-# height: 480
-# method: scale
-# - width: 800
-# height: 600
-# method: scale
diff --git a/roles/matrix/templates/synapse/config/other.yaml b/roles/matrix/templates/synapse/config/other.yaml
deleted file mode 100644
index d33c88b..0000000
--- a/roles/matrix/templates/synapse/config/other.yaml
+++ /dev/null
@@ -1,1752 +0,0 @@
-# Configuration file for Synapse.
-#
-# This is a YAML file: see [1] for a quick introduction. Note in particular
-# that *indentation is important*: all the elements of a list or dictionary
-# should have the same indentation.
-#
-# [1] https://docs.ansible.com/ansible/latest/reference_appendices/YAMLSyntax.html
-
-## Server ##
-
-# The domain name of the server, with optional explicit port.
-# This is used by remote servers to connect to this server,
-# e.g. matrix.org, localhost:8080, etc.
-# This is also the last part of your UserID.
-#
-server_name: '{{ matrix__site_host }}'
-
-# When running as a daemon, the file to store the pid in
-#
-pid_file: '{{ matrix__synapse__pid_file }}'
-
-# The absolute URL to the web client which /_matrix/client will redirect
-# to if 'webclient' is configured under the 'listeners' configuration.
-#
-# This option can be also set to the filesystem path to the web client
-# which will be served at /_matrix/client/ if 'webclient' is configured
-# under the 'listeners' configuration, however this is a security risk:
-# https://github.com/matrix-org/synapse#security-note
-#
-#web_client_location: https://riot.example.com/
-
-# The public-facing base URL that clients use to access this HS
-# (not including _matrix/...). This is the same URL a user would
-# enter into the 'custom HS URL' field on their client. If you
-# use synapse with a reverse proxy, this should be the URL to reach
-# synapse via the proxy.
-#
-public_baseurl: '{{ matrix__base_url }}'
-
-# Set the soft limit on the number of file descriptors synapse can use
-# Zero is used to indicate synapse should set the soft limit to the
-# hard limit.
-#
-#soft_file_limit: 0
-
-# Set to false to disable presence tracking on this homeserver.
-#
-#use_presence: false
-
-# Whether to require authentication to retrieve profile data (avatars,
-# display names) of other users through the client API. Defaults to
-# 'false'.
Note that profile data is also available via the federation
-# API, so this setting is of limited value if federation is enabled on
-# the server.
-#
-#require_auth_for_profile_requests: true
-
-# Uncomment to require a user to share a room with another user in order
-# to retrieve their profile information. Only checked on Client-Server
-# requests. Profile requests from other servers should be checked by the
-# requesting server. Defaults to 'false'.
-#
-#limit_profile_requests_to_users_who_share_rooms: true
-
-# If set to 'true', removes the need for authentication to access the server's
-# public rooms directory through the client API, meaning that anyone can
-# query the room directory. Defaults to 'false'.
-#
-allow_public_rooms_without_auth: true
-
-# If set to 'true', allows any other homeserver to fetch the server's public
-# rooms directory via federation. Defaults to 'false'.
-#
-allow_public_rooms_over_federation: true
-
-# The default room version for newly created rooms.
-#
-# Known room versions are listed here:
-# https://matrix.org/docs/spec/#complete-list-of-room-versions
-#
-# For example, for room version 1, default_room_version should be set
-# to "1".
-#
-#default_room_version: "5"
-
-# The GC threshold parameters to pass to `gc.set_threshold`, if defined
-#
-#gc_thresholds: [700, 10, 10]
-
-# Set the limit on the returned events in the timeline in the get
-# and sync operations. The default value is -1, means no upper limit.
-#
-#filter_timeline_limit: 5000
-
-# Whether room invites to users on this server should be blocked
-# (except those sent by local server admins). The default is False.
-#
-#block_non_admin_invites: true
-
-# Room searching
-#
-# If disabled, new messages will not be indexed for searching and users
-# will receive errors when searching for messages. Defaults to enabled.
-#
-#enable_search: false
-
-# Restrict federation to the following whitelist of domains.
-# N.B.
we recommend also firewalling your federation listener to limit
-# inbound federation traffic as early as possible, rather than relying
-# purely on this application-layer restriction. If not specified, the
-# default is to whitelist everything.
-#
-#federation_domain_whitelist:
-# - lon.example.com
-# - nyc.example.com
-# - syd.example.com
-
-# Prevent federation requests from being sent to the following
-# blacklist IP address CIDR ranges. If this option is not specified, or
-# specified with an empty list, no ip range blacklist will be enforced.
-#
-# As of Synapse v1.4.0 this option also affects any outbound requests to identity
-# servers provided by user input.
-#
-# (0.0.0.0 and :: are always blacklisted, whether or not they are explicitly
-# listed here, since they correspond to unroutable addresses.)
-#
-federation_ip_range_blacklist:
- - '127.0.0.0/8'
- - '10.0.0.0/8'
- - '172.16.0.0/12'
- - '192.168.0.0/16'
- - '100.64.0.0/10'
- - '169.254.0.0/16'
- - '::1/128'
- - 'fe80::/64'
- - 'fc00::/7'
-
-# Forward extremities can build up in a room due to networking delays between
-# homeservers. Once this happens in a large room, calculation of the state of
-# that room can become quite expensive. To mitigate this, once the number of
-# forward extremities reaches a given threshold, Synapse will send an
-# org.matrix.dummy_event event, which will reduce the forward extremities
-# in the room.
-#
-# This setting defines the threshold (i.e. number of forward extremities in the
-# room) at which dummy events are sent. The default value is 10.
-#
-#dummy_events_threshold: 5
-
-
-## Homeserver blocking ##
-
-# How to reach the server admin, used in ResourceLimitError
-#
-admin_contact: '{{ matrix__admin_contact }}'
-
-# Global blocking
-#
-#hs_disabled: false
-#hs_disabled_message: 'Human readable reason for why the HS is blocked'
-
-# Monthly Active User Blocking
-#
-# Used in cases where the admin or server owner wants to limit to the
-# number of monthly active users.
-#
-# 'limit_usage_by_mau' disables/enables monthly active user blocking. When
-# anabled and a limit is reached the server returns a 'ResourceLimitError'
-# with error type Codes.RESOURCE_LIMIT_EXCEEDED
-#
-# 'max_mau_value' is the hard limit of monthly active users above which
-# the server will start blocking user actions.
-#
-# 'mau_trial_days' is a means to add a grace period for active users. It
-# means that users must be active for this number of days before they
-# can be considered active and guards against the case where lots of users
-# sign up in a short space of time never to return after their initial
-# session.
-#
-# 'mau_limit_alerting' is a means of limiting client side alerting
-# should the mau limit be reached. This is useful for small instances
-# where the admin has 5 mau seats (say) for 5 specific people and no
-# interest increasing the mau limit further. Defaults to True, which
-# means that alerting is enabled
-#
-#limit_usage_by_mau: false
-#max_mau_value: 50
-#mau_trial_days: 2
-#mau_limit_alerting: false
-
-# If enabled, the metrics for the number of monthly active users will
-# be populated, however no one will be limited. If limit_usage_by_mau
-# is true, this is implied to be true.
-#
-#mau_stats_only: false
-
-# Sometimes the server admin will want to ensure certain accounts are
-# never blocked by mau checking. These accounts are specified here.
-#
-#mau_limit_reserved_threepids:
-# - medium: 'email'
-# address: 'reserved_user@example.com'
-
-# Used by phonehome stats to group together related servers.
-#server_context: context
-
-# Resource-constrained homeserver settings
-#
-# When this is enabled, the room "complexity" will be checked before a user
-# joins a new remote room. If it is above the complexity limit, the server will
-# disallow joining, or will instantly leave.
-#
-# Room complexity is an arbitrary measure based on factors such as the number of
-# users in the room.
-#
-limit_remote_rooms:
- # Uncomment to enable room complexity checking.
- #
- #enabled: true
-
- # the limit above which rooms cannot be joined. The default is 1.0.
- #
- #complexity: 0.5
-
- # override the error which is returned when the room is too complex.
- #
- #complexity_error: "This room is too complex."
-
-# Whether to require a user to be in the room to add an alias to it.
-# Defaults to 'true'.
-#
-#require_membership_for_aliases: false
-
-# Whether to allow per-room membership profiles through the send of membership
-# events with profile information that differ from the target's global profile.
-# Defaults to 'true'.
-#
-#allow_per_room_profiles: false
-
-# How long to keep redacted events in unredacted form in the database. After
-# this period redacted events get replaced with their redacted form in the DB.
-#
-# Defaults to `7d`. Set to `null` to disable.
-#
-#redaction_retention_period: 28d
-
-# How long to track users' last seen time and IPs in the database.
-#
-# Defaults to `28d`. Set to `null` to disable clearing out of old rows.
-#
-#user_ips_max_age: 14d
-
-# Message retention policy at the server level.
-#
-# Room admins and mods can define a retention period for their rooms using the
-# 'm.room.retention' state event, and server admins can cap this period by setting
-# the 'allowed_lifetime_min' and 'allowed_lifetime_max' config options.
-#
-# If this feature is enabled, Synapse will regularly look for and purge events
-# which are older than the room's maximum retention period.
Synapse will also
-# filter events received over federation so that events that should have been
-# purged are ignored and not stored again.
-#
-retention:
- # The message retention policies feature is disabled by default. Uncomment the
- # following line to enable it.
- #
- #enabled: true
-
- # Default retention policy. If set, Synapse will apply it to rooms that lack the
- # 'm.room.retention' state event. Currently, the value of 'min_lifetime' doesn't
- # matter much because Synapse doesn't take it into account yet.
- #
- #default_policy:
- # min_lifetime: 1d
- # max_lifetime: 1y
-
- # Retention policy limits. If set, a user won't be able to send a
- # 'm.room.retention' event which features a 'min_lifetime' or a 'max_lifetime'
- # that's not within this range. This is especially useful in closed federations,
- # in which server admins can make sure every federating server applies the same
- # rules.
- #
- #allowed_lifetime_min: 1d
- #allowed_lifetime_max: 1y
-
- # Server admins can define the settings of the background jobs purging the
- # events which lifetime has expired under the 'purge_jobs' section.
- #
- # If no configuration is provided, a single job will be set up to delete expired
- # events in every room daily.
- #
- # Each job's configuration defines which range of message lifetimes the job
- # takes care of. For example, if 'shortest_max_lifetime' is '2d' and
- # 'longest_max_lifetime' is '3d', the job will handle purging expired events in
- # rooms whose state defines a 'max_lifetime' that's both higher than 2 days, and
- # lower than or equal to 3 days. Both the minimum and the maximum value of a
- # range are optional, e.g. a job with no 'shortest_max_lifetime' and a
- # 'longest_max_lifetime' of '3d' will handle every room with a retention policy
- # which 'max_lifetime' is lower than or equal to three days.
- #
- # The rationale for this per-job configuration is that some rooms might have a
- # retention policy with a low 'max_lifetime', where history needs to be purged
- # of outdated messages on a more frequent basis than for the rest of the rooms
- # (e.g. every 12h), but not want that purge to be performed by a job that's
- # iterating over every room it knows, which could be heavy on the server.
- #
- #purge_jobs:
- # - shortest_max_lifetime: 1d
- # longest_max_lifetime: 3d
- # interval: 12h
- # - shortest_max_lifetime: 3d
- # longest_max_lifetime: 1y
- # interval: 1d
-
-# Inhibits the /requestToken endpoints from returning an error that might leak
-# information about whether an e-mail address is in use or not on this
-# homeserver.
-# Note that for some endpoints the error situation is the e-mail already being
-# used, and for others the error is entering the e-mail being unused.
-# If this option is enabled, instead of returning an error, these endpoints will
-# act as if no error happened and return a fake session ID ('sid') to clients.
-#
-#request_token_inhibit_3pid_errors: true
-
-
-## TLS ##
-
-# PEM-encoded X509 certificate for TLS.
-# This certificate, as of Synapse 1.0, will need to be a valid and verifiable
-# certificate, signed by a recognised Certificate Authority.
-#
-# See 'ACME support' below to enable auto-provisioning this certificate via
-# Let's Encrypt.
-#
-# If supplying your own, be sure to use a `.pem` file that includes the
-# full certificate chain including any intermediate certificates (for
-# instance, if using certbot, use `fullchain.pem` as your certificate,
-# not `cert.pem`).
-#
-#tls_certificate_path: '/etc/letsencrypt/live/matrix.example.com/fullchain.pem'
-
-# PEM-encoded private key for TLS
-#
-#tls_private_key_path: '/etc/letsencrypt/live/matrix.example.com/privkey.pem'
-
-# Whether to verify TLS server certificates for outbound federation requests.
-#
-# Defaults to `true`.
To disable certificate verification, uncomment the
-# following line.
-#
-#federation_verify_certificates: false
-
-# The minimum TLS version that will be used for outbound federation requests.
-#
-# Defaults to `1`. Configurable to `1`, `1.1`, `1.2`, or `1.3`. Note
-# that setting this value higher than `1.2` will prevent federation to most
-# of the public Matrix network: only configure it to `1.3` if you have an
-# entirely private federation setup and you can ensure TLS 1.3 support.
-#
-#federation_client_minimum_tls_version: 1.2
-
-# Skip federation certificate verification on the following whitelist
-# of domains.
-#
-# This setting should only be used in very specific cases, such as
-# federation over Tor hidden services and similar. For private networks
-# of homeservers, you likely want to use a private CA instead.
-#
-# Only effective if federation_verify_certicates is `true`.
-#
-#federation_certificate_verification_whitelist:
-# - lon.example.com
-# - *.domain.com
-# - *.onion
-
-# List of custom certificate authorities for federation traffic.
-#
-# This setting should only normally be used within a private network of
-# homeservers.
-#
-# Note that this list will replace those that are provided by your
-# operating environment. Certificates must be in PEM format.
-#
-#federation_custom_ca_list:
-# - myCA1.pem
-# - myCA2.pem
-# - myCA3.pem
-
-# List of allowed TLS fingerprints for this server to publish along
-# with the signing keys for this server. Other matrix servers that
-# make HTTPS requests to this server will check that the TLS
-# certificates returned by this server match one of the fingerprints.
-#
-# Synapse automatically adds the fingerprint of its own certificate
-# to the list. So if federation traffic is handled directly by synapse
-# then no modification to the list is required.
-#
-# If synapse is run behind a load balancer that handles the TLS then it
-# will be necessary to add the fingerprints of the certificates used by
-# the loadbalancers to this list if they are different to the one
-# synapse is using.
-#
-# Homeservers are permitted to cache the list of TLS fingerprints
-# returned in the key responses up to the "valid_until_ts" returned in
-# key. It may be necessary to publish the fingerprints of a new
-# certificate and wait until the "valid_until_ts" of the previous key
-# responses have passed before deploying it.
-#
-# You can calculate a fingerprint from a given TLS listener via:
-# openssl s_client -connect $host:$port < /dev/null 2> /dev/null |
-# openssl x509 -outform DER | openssl sha256 -binary | base64 | tr -d '='
-# or by checking matrix.org/federationtester/api/report?server_name=$host
-#
-#tls_fingerprints: [{"sha256": ""}]
-
-
-
-## Caching ##
-
-# Caching can be configured through the following options.
-#
-# A cache 'factor' is a multiplier that can be applied to each of
-# Synapse's caches in order to increase or decrease the maximum
-# number of entries that can be stored.
-
-# The number of events to cache in memory. Not affected by
-# caches.global_factor.
-#
-#event_cache_size: 10K
-
-caches:
- # Controls the global cache factor, which is the default cache factor
- # for all caches if a specific factor for that cache is not otherwise
- # set.
- #
- # This can also be set by the "SYNAPSE_CACHE_FACTOR" environment
- # variable. Setting by environment variable takes priority over
- # setting through the config file.
- #
- # Defaults to 0.5, which will half the size of all caches.
- #
- #global_factor: 1.0
-
- # A dictionary of cache name to cache factor for that individual
- # cache. Overrides the global cache factor for a given cache.
- #
- # These can also be set through environment variables comprised
- # of "SYNAPSE_CACHE_FACTOR_" + the name of the cache in capital
- # letters and underscores.
Setting by environment variable
- # takes priority over setting through the config file.
- # Ex. SYNAPSE_CACHE_FACTOR_GET_USERS_WHO_SHARE_ROOM_WITH_USER=2.0
- #
- # Some caches have '*' and other characters that are not
- # alphanumeric or underscores. These caches can be named with or
- # without the special characters stripped. For example, to specify
- # the cache factor for `*stateGroupCache*` via an environment
- # variable would be `SYNAPSE_CACHE_FACTOR_STATEGROUPCACHE=2.0`.
- #
- per_cache_factors:
- #get_users_who_share_room_with_user: 2.0
-
-
-## Logging ##
-
-# A yaml python logging config file as described by
-# https://docs.python.org/3.7/library/logging.config.html#configuration-dictionary-schema
-#
-log_config: '{{ matrix__synapse__log_conf_file }}'
-
-
-## Ratelimiting ##
-
-# Ratelimiting settings for client actions (registration, login, messaging).
-#
-# Each ratelimiting configuration is made of two parameters:
-# - per_second: number of requests a client can send per second.
-# - burst_count: number of requests a client can send before being throttled.
-#
-# Synapse currently uses the following configurations:
-# - one for messages that ratelimits sending based on the account the client
-# is using
-# - one for registration that ratelimits registration requests based on the
-# client's IP address.
-# - one for login that ratelimits login requests based on the client's IP
-# address.
-# - one for login that ratelimits login requests based on the account the
-# client is attempting to log into.
-# - one for login that ratelimits login requests based on the account the
-# client is attempting to log into, based on the amount of failed login
-# attempts for this account.
-# - one for ratelimiting redactions by room admins. If this is not explicitly
-# set then it uses the same ratelimiting as per rc_message. This is useful
-# to allow room admins to deal with abuse quickly.
-#
-# The defaults are as shown below.
-#
-#rc_message:
-# per_second: 0.2
-# burst_count: 10
-#
-#rc_registration:
-# per_second: 0.17
-# burst_count: 3
-#
-#rc_login:
-# address:
-# per_second: 0.17
-# burst_count: 3
-# account:
-# per_second: 0.17
-# burst_count: 3
-# failed_attempts:
-# per_second: 0.17
-# burst_count: 3
-#
-#rc_admin_redaction:
-# per_second: 1
-# burst_count: 50
-
-
-# Ratelimiting settings for incoming federation
-#
-# The rc_federation configuration is made up of the following settings:
-# - window_size: window size in milliseconds
-# - sleep_limit: number of federation requests from a single server in
-# a window before the server will delay processing the request.
-# - sleep_delay: duration in milliseconds to delay processing events
-# from remote servers by if they go over the sleep limit.
-# - reject_limit: maximum number of concurrent federation requests
-# allowed from a single server
-# - concurrent: number of federation requests to concurrently process
-# from a single server
-#
-# The defaults are as shown below.
-#
-#rc_federation:
-# window_size: 1000
-# sleep_limit: 10
-# sleep_delay: 500
-# reject_limit: 50
-# concurrent: 3
-
-# Target outgoing federation transaction frequency for sending read-receipts,
-# per-room.
-#
-# If we end up trying to send out more read-receipts, they will get buffered up
-# into fewer transactions.
-#
-#federation_rr_transactions_per_room_per_second: 50
-
-
-## Registration ##
-#
-# Registration can be rate-limited using the parameters in the "Ratelimiting"
-# section of this file.
-
-# Enable registration for new users.
-#
-enable_registration: true
-
-# Optional account validity configuration. This allows for accounts to be denied
-# any request after a given period.
-#
-# Once this feature is enabled, Synapse will look for registered users without an
-# expiration date at startup and will add one to every account it found using the
-# current settings at that time.
-# This means that, if a validity period is set, and Synapse is restarted (it will -# then derive an expiration date from the current validity period), and some time -# after that the validity period changes and Synapse is restarted, the users' -# expiration dates won't be updated unless their account is manually renewed. This -# date will be randomly selected within a range [now + period - d ; now + period], -# where d is equal to 10% of the validity period. -# -account_validity: - # The account validity feature is disabled by default. Uncomment the - # following line to enable it. - # - #enabled: true - - # The period after which an account is valid after its registration. When - # renewing the account, its validity period will be extended by this amount - # of time. This parameter is required when using the account validity - # feature. - # - #period: 6w - - # The amount of time before an account's expiry date at which Synapse will - # send an email to the account's email address with a renewal link. By - # default, no such emails are sent. - # - # If you enable this setting, you will also need to fill out the 'email' and - # 'public_baseurl' configuration sections. - # - #renew_at: 1w - - # The subject of the email sent out with the renewal link. '%(app)s' can be - # used as a placeholder for the 'app_name' parameter from the 'email' - # section. - # - # Note that the placeholder must be written '%(app)s', including the - # trailing 's'. - # - # If this is not set, a default value is used. - # - #renew_email_subject: "Renew your %(app)s account" - - # Directory in which Synapse will try to find templates for the HTML files to - # serve to the user when trying to renew an account. If not set, default - # templates from within the Synapse package will be used. - # - #template_dir: "res/templates" - - # File within 'template_dir' giving the HTML to be displayed to the user after - # they successfully renewed their account. If not set, default text is used. 
- # - #account_renewed_html_path: "account_renewed.html" - - # File within 'template_dir' giving the HTML to be displayed when the user - # tries to renew an account with an invalid renewal token. If not set, - # default text is used. - # - #invalid_token_html_path: "invalid_token.html" - -# Time that a user's session remains valid for, after they log in. -# -# Note that this is not currently compatible with guest logins. -# -# Note also that this is calculated at login time: changes are not applied -# retrospectively to users who have already logged in. -# -# By default, this is infinite. -# -#session_lifetime: 24h - -# The user must provide all of the below types of 3PID when registering. -# -#registrations_require_3pid: -# - email -# - msisdn - -# Explicitly disable asking for MSISDNs from the registration -# flow (overrides registrations_require_3pid if MSISDNs are set as required) -# -#disable_msisdn_registration: true - -# Mandate that users are only allowed to associate certain formats of -# 3PIDs with accounts on this server. -# -#allowed_local_3pids: -# - medium: email -# pattern: '.*@matrix\.org' -# - medium: email -# pattern: '.*@vector\.im' -# - medium: msisdn -# pattern: '\+44' - -# Enable 3PIDs lookup requests to identity servers from this server. -# -enable_3pid_lookup: false - -# If set, allows registration of standard or admin accounts by anyone who -# has the shared secret, even if registration is otherwise disabled. -# -registration_shared_secret: '{{ matrix__synapse__reg_secret }}' - -# Set the number of bcrypt rounds used to generate password hash. -# Larger numbers increase the work factor needed to generate the hash. -# The default number is 12 (which equates to 2^12 rounds). -# N.B. that increasing this will exponentially increase the time required -# to register or login - e.g. 24 => 2^24 rounds which will take >20 mins. 
-# -#bcrypt_rounds: 12 - -# Allows users to register as guests without a password/email/etc, and -# participate in rooms hosted on this server which have been made -# accessible to anonymous users. -# -allow_guest_access: true - -# The identity server which we suggest that clients should use when users log -# in on this server. -# -# (By default, no suggestion is made, so it is left up to the client. -# This setting is ignored unless public_baseurl is also set.) -# -#default_identity_server: https://matrix.org - -# The list of identity servers trusted to verify third party -# identifiers by this server. -# -# Also defines the ID server which will be called when an account is -# deactivated (one will be picked arbitrarily). -# -# Note: This option is deprecated. Since v0.99.4, Synapse has tracked which identity -# server a 3PID has been bound to. For 3PIDs bound before then, Synapse runs a -# background migration script, informing itself that the identity server all of its -# 3PIDs have been bound to is likely one of the below. -# -# As of Synapse v1.4.0, all other functionality of this option has been deprecated, and -# it is now solely used for the purposes of the background migration script, and can be -# removed once it has run. -#trusted_third_party_id_servers: -# - matrix.org -# - vector.im - -# Handle threepid (email/phone etc) registration and password resets through a set of -# *trusted* identity servers. Note that this allows the configured identity server to -# reset passwords for accounts! -# -# Be aware that if `email` is not set, and SMTP options have not been -# configured in the email config block, registration and user password resets via -# email will be globally disabled. -# -# Additionally, if `msisdn` is not set, registration and password resets via msisdn -# will be disabled regardless. This is due to Synapse currently not supporting any -# method of sending SMS messages on its own. 
-# -# To enable using an identity server for operations regarding a particular third-party -# identifier type, set the value to the URL of that identity server as shown in the -# examples below. -# -# Servers handling the these requests must answer the `/requestToken` endpoints defined -# by the Matrix Identity Service API specification: -# https://matrix.org/docs/spec/identity_service/latest -# -# If a delegate is specified, the config option public_baseurl must also be filled out. -# -account_threepid_delegates: - #email: https://example.com # Delegate email sending to example.com - #msisdn: http://localhost:8090 # Delegate SMS sending to this local process - -# Whether users are allowed to change their displayname after it has -# been initially set. Useful when provisioning users based on the -# contents of a third-party directory. -# -# Does not apply to server administrators. Defaults to 'true' -# -#enable_set_displayname: false - -# Whether users are allowed to change their avatar after it has been -# initially set. Useful when provisioning users based on the contents -# of a third-party directory. -# -# Does not apply to server administrators. Defaults to 'true' -# -#enable_set_avatar_url: false - -# Whether users can change the 3PIDs associated with their accounts -# (email address and msisdn). -# -# Defaults to 'true' -# -#enable_3pid_changes: false - -# Users who register on this homeserver will automatically be joined -# to these rooms -# -#auto_join_rooms: -# - "#example:example.com" - -# Where auto_join_rooms are specified, setting this flag ensures that the -# the rooms exist by creating them when the first user on the -# homeserver registers. -# Setting to false means that if the rooms are not manually created, -# users cannot be auto-joined since they do not exist. -# -#autocreate_auto_join_rooms: true - -# When auto_join_rooms is specified, setting this flag to false prevents -# guest accounts from being automatically joined to the rooms. 
-# -# Defaults to true. -# -#auto_join_rooms_for_guests: false - - -## Metrics ### - -# Enable collection and rendering of performance metrics -# -#enable_metrics: false - -# Enable sentry integration -# NOTE: While attempts are made to ensure that the logs don't contain -# any sensitive information, this cannot be guaranteed. By enabling -# this option the sentry server may therefore receive sensitive -# information, and it in turn may then diseminate sensitive information -# through insecure notification channels if so configured. -# -#sentry: -# dsn: "..." - -# Flags to enable Prometheus metrics which are not suitable to be -# enabled by default, either for performance reasons or limited use. -# -metrics_flags: - # Publish synapse_federation_known_servers, a gauge of the number of - # servers this homeserver knows about, including itself. May cause - # performance problems on large homeservers. - # - #known_servers: true - -# Whether or not to report anonymized homeserver usage statistics. -# -report_stats: true - -# The endpoint to report the anonymized homeserver usage statistics to. -# Defaults to https://matrix.org/report-usage-stats/push -# -#report_stats_endpoint: https://example.com/report-usage-stats/push - - -## API Configuration ## - -# A list of event types that will be included in the room_invite_state -# -#room_invite_state_types: -# - "m.room.join_rules" -# - "m.room.canonical_alias" -# - "m.room.avatar" -# - "m.room.encryption" -# - "m.room.name" - - -# A list of application service config files to use -# -#app_service_config_files: -# - app_service_1.yaml -# - app_service_2.yaml - -# Uncomment to enable tracking of application service IP addresses. Implicitly -# enables MAU tracking for application service users. -# -#track_appservice_user_ips: true - - -# a secret which is used to sign access tokens. If none is specified, -# the registration_shared_secret is used, if one is given; otherwise, -# a secret key is derived from the signing key. 
-# -macaroon_secret_key: '{{ matrix__synapse__macaroon_secret }}' - -# a secret which is used to calculate HMACs for form values, to stop -# falsification of values. Must be specified for the User Consent -# forms to work. -# -form_secret: '{{ matrix__synapse__form_secret }}' - -## Signing Keys ## - -# Path to the signing key to sign messages with -# -signing_key_path: '{{ matrix__synapse__key_file }}' - -# The keys that the server used to sign messages with but won't use -# to sign new messages. -# -old_signing_keys: - # For each key, `key` should be the base64-encoded public key, and - # `expired_ts`should be the time (in milliseconds since the unix epoch) that - # it was last used. - # - # It is possible to build an entry from an old signing.key file using the - # `export_signing_key` script which is provided with synapse. - # - # For example: - # - #"ed25519:id": { key: "base64string", expired_ts: 123456789123 } - -# How long key response published by this server is valid for. -# Used to set the valid_until_ts in /key/v2 APIs. -# Determines how quickly servers will query to check which keys -# are still valid. -# -#key_refresh_interval: 1d - -# The trusted servers to download signing keys from. -# -# When we need to fetch a signing key, each server is tried in parallel. -# -# Normally, the connection to the key server is validated via TLS certificates. -# Additional security can be provided by configuring a `verify key`, which -# will make synapse check that the response is signed by that key. -# -# This setting supercedes an older setting named `perspectives`. The old format -# is still supported for backwards-compatibility, but it is deprecated. -# -# 'trusted_key_servers' defaults to matrix.org, but using it will generate a -# warning on start-up. To suppress this warning, set -# 'suppress_key_server_warning' to true. -# -# Options for each entry in the list include: -# -# server_name: the name of the server. required. 
-# -# verify_keys: an optional map from key id to base64-encoded public key. -# If specified, we will check that the response is signed by at least -# one of the given keys. -# -# accept_keys_insecurely: a boolean. Normally, if `verify_keys` is unset, -# and federation_verify_certificates is not `true`, synapse will refuse -# to start, because this would allow anyone who can spoof DNS responses -# to masquerade as the trusted key server. If you know what you are doing -# and are sure that your network environment provides a secure connection -# to the key server, you can set this to `true` to override this -# behaviour. -# -# An example configuration might look like: -# -#trusted_key_servers: -# - server_name: "my_trusted_server.example.com" -# verify_keys: -# "ed25519:auto": "abcdefghijklmnopqrstuvwxyzabcdefghijklmopqr" -# - server_name: "my_other_trusted_server.example.com" -# -trusted_key_servers: - - server_name: 'matrix.org' - -# Uncomment the following to disable the warning that is emitted when the -# trusted_key_servers include 'matrix.org'. See above. -# -#suppress_key_server_warning: true - -# The signing keys to use when acting as a trusted key server. If not specified -# defaults to the server signing key. -# -# Can contain multiple keys, one per line. -# -#key_server_signing_keys_path: "key_server_signing_keys.key" - - -## Single sign-on integration ## - -# Enable SAML2 for registration and login. Uses pysaml2. -# -# At least one of `sp_config` or `config_path` must be set in this section to -# enable SAML login. -# -# (You will probably also want to set the following options to `false` to -# disable the regular login/registration flows: -# * enable_registration -# * password_config.enabled -# -# Once SAML support is enabled, a metadata file will be exposed at -# https://:/_matrix/saml2/metadata.xml, which you may be able to -# use to configure your SAML IdP with. 
Alternatively, you can manually configure -# the IdP to use an ACS location of -# https://:/_matrix/saml2/authn_response. -# -saml2_config: - # `sp_config` is the configuration for the pysaml2 Service Provider. - # See pysaml2 docs for format of config. - # - # Default values will be used for the 'entityid' and 'service' settings, - # so it is not normally necessary to specify them unless you need to - # override them. - # - #sp_config: - # # point this to the IdP's metadata. You can use either a local file or - # # (preferably) a URL. - # metadata: - # #local: ["saml2/idp.xml"] - # remote: - # - url: https://our_idp/metadata.xml - # - # # By default, the user has to go to our login page first. If you'd like - # # to allow IdP-initiated login, set 'allow_unsolicited: true' in a - # # 'service.sp' section: - # # - # #service: - # # sp: - # # allow_unsolicited: true - # - # # The examples below are just used to generate our metadata xml, and you - # # may well not need them, depending on your setup. Alternatively you - # # may need a whole lot more detail - see the pysaml2 docs! - # - # description: ["My awesome SP", "en"] - # name: ["Test SP", "en"] - # - # organization: - # name: Example com - # display_name: - # - ["Example co", "en"] - # url: "http://example.com" - # - # contact_person: - # - given_name: Bob - # sur_name: "the Sysadmin" - # email_address": ["admin@example.com"] - # contact_type": technical - - # Instead of putting the config inline as above, you can specify a - # separate pysaml2 configuration file: - # - #config_path: "/opt/synapse/sp_conf.py" - - # The lifetime of a SAML session. This defines how long a user has to - # complete the authentication process, if allow_unsolicited is unset. - # The default is 5 minutes. - # - #saml_session_lifetime: 5m - - # An external module can be provided here as a custom solution to - # mapping attributes returned from a saml provider onto a matrix user. 
- # - user_mapping_provider: - # The custom module's class. Uncomment to use a custom module. - # - #module: mapping_provider.SamlMappingProvider - - # Custom configuration values for the module. Below options are - # intended for the built-in provider, they should be changed if - # using a custom module. This section will be passed as a Python - # dictionary to the module's `parse_config` method. - # - config: - # The SAML attribute (after mapping via the attribute maps) to use - # to derive the Matrix ID from. 'uid' by default. - # - # Note: This used to be configured by the - # saml2_config.mxid_source_attribute option. If that is still - # defined, its value will be used instead. - # - #mxid_source_attribute: displayName - - # The mapping system to use for mapping the saml attribute onto a - # matrix ID. - # - # Options include: - # * 'hexencode' (which maps unpermitted characters to '=xx') - # * 'dotreplace' (which replaces unpermitted characters with - # '.'). - # The default is 'hexencode'. - # - # Note: This used to be configured by the - # saml2_config.mxid_mapping option. If that is still defined, its - # value will be used instead. - # - #mxid_mapping: dotreplace - - # In previous versions of synapse, the mapping from SAML attribute to - # MXID was always calculated dynamically rather than stored in a - # table. For backwards- compatibility, we will look for user_ids - # matching such a pattern before creating a new account. - # - # This setting controls the SAML attribute which will be used for this - # backwards-compatibility lookup. Typically it should be 'uid', but if - # the attribute maps are changed, it may be necessary to change it. - # - # The default is 'uid'. - # - #grandfathered_mxid_source_attribute: upn - - # Directory in which Synapse will try to find the template files below. - # If not set, default templates from within the Synapse package will be used. - # - # DO NOT UNCOMMENT THIS SETTING unless you want to customise the templates. 
- # If you *do* uncomment it, you will need to make sure that all the templates - # below are in the directory. - # - # Synapse will look for the following templates in this directory: - # - # * HTML page to display to users if something goes wrong during the - # authentication process: 'saml_error.html'. - # - # When rendering, this template is given the following variables: - # * code: an HTML error code corresponding to the error that is being - # returned (typically 400 or 500) - # - # * msg: a textual message describing the error. - # - # The variables will automatically be HTML-escaped. - # - # You can see the default templates at: - # https://github.com/matrix-org/synapse/tree/master/synapse/res/templates - # - #template_dir: "res/templates" - - -# OpenID Connect integration. The following settings can be used to make Synapse -# use an OpenID Connect Provider for authentication, instead of its internal -# password database. -# -# See https://github.com/matrix-org/synapse/blob/master/openid.md. -# -oidc_config: - # Uncomment the following to enable authorization against an OpenID Connect - # server. Defaults to false. - # - #enabled: true - - # Uncomment the following to disable use of the OIDC discovery mechanism to - # discover endpoints. Defaults to true. - # - #discover: false - - # the OIDC issuer. Used to validate tokens and (if discovery is enabled) to - # discover the provider's endpoints. - # - # Required if 'enabled' is true. - # - #issuer: "https://accounts.example.com/" - - # oauth2 client id to use. - # - # Required if 'enabled' is true. - # - #client_id: "provided-by-your-issuer" - - # oauth2 client secret to use. - # - # Required if 'enabled' is true. - # - #client_secret: "provided-by-your-issuer" - - # auth method to use when exchanging the token. - # Valid values are 'client_secret_basic' (default), 'client_secret_post' and - # 'none'. - # - #client_auth_method: client_secret_post - - # list of scopes to request. 
This should normally include the "openid" scope. - # Defaults to ["openid"]. - # - #scopes: ["openid", "profile"] - - # the oauth2 authorization endpoint. Required if provider discovery is disabled. - # - #authorization_endpoint: "https://accounts.example.com/oauth2/auth" - - # the oauth2 token endpoint. Required if provider discovery is disabled. - # - #token_endpoint: "https://accounts.example.com/oauth2/token" - - # the OIDC userinfo endpoint. Required if discovery is disabled and the - # "openid" scope is not requested. - # - #userinfo_endpoint: "https://accounts.example.com/userinfo" - - # URI where to fetch the JWKS. Required if discovery is disabled and the - # "openid" scope is used. - # - #jwks_uri: "https://accounts.example.com/.well-known/jwks.json" - - # Uncomment to skip metadata verification. Defaults to false. - # - # Use this if you are connecting to a provider that is not OpenID Connect - # compliant. - # Avoid this in production. - # - #skip_verification: true - - # An external module can be provided here as a custom solution to mapping - # attributes returned from a OIDC provider onto a matrix user. - # - user_mapping_provider: - # The custom module's class. Uncomment to use a custom module. - # Default is 'synapse.handlers.oidc_handler.JinjaOidcMappingProvider'. - # - # See https://github.com/matrix-org/synapse/blob/master/docs/sso_mapping_providers.md#openid-mapping-providers - # for information on implementing a custom mapping provider. - # - #module: mapping_provider.OidcMappingProvider -{% raw %} - # Custom configuration values for the module. This section will be passed as - # a Python dictionary to the user mapping provider module's `parse_config` - # method. - # - # The examples below are intended for the default provider: they should be - # changed if using a custom provider. - # - config: - # name of the claim containing a unique identifier for the user. - # Defaults to `sub`, which OpenID Connect compliant providers should provide. 
- # - #subject_claim: "sub" - - # Jinja2 template for the localpart of the MXID. - # - # When rendering, this template is given the following variables: - # * user: The claims returned by the UserInfo Endpoint and/or in the ID - # Token - # - # This must be configured if using the default mapping provider. - # - localpart_template: "{{ user.preferred_username }}" - - # Jinja2 template for the display name to set on first login. - # - # If unset, no displayname will be set. - # - #display_name_template: "{{ user.given_name }} {{ user.last_name }}" -{% endraw %} - - - -# Enable CAS for registration and login. -# -#cas_config: -# enabled: true -# server_url: "https://cas-server.com" -# service_url: "https://homeserver.domain.com:8448" -# #displayname_attribute: name -# #required_attributes: -# # name: value - - -# Additional settings to use with single-sign on systems such as OpenID Connect, -# SAML2 and CAS. -# -sso: - # A list of client URLs which are whitelisted so that the user does not - # have to confirm giving access to their account to the URL. Any client - # whose URL starts with an entry in the following list will not be subject - # to an additional confirmation step after the SSO login is completed. - # - # WARNING: An entry such as "https://my.client" is insecure, because it - # will also match "https://my.client.evil.site", exposing your users to - # phishing attacks from evil.site. To avoid this, include a slash after the - # hostname: "https://my.client/". - # - # If public_baseurl is set, then the login fallback page (used by clients - # that don't natively support the required login flows) is whitelisted in - # addition to any URLs in this list. - # - # By default, this list is empty. - # - #client_whitelist: - # - https://riot.im/develop - # - https://my.custom.client/ - - # Directory in which Synapse will try to find the template files below. - # If not set, default templates from within the Synapse package will be used. 
- # - # DO NOT UNCOMMENT THIS SETTING unless you want to customise the templates. - # If you *do* uncomment it, you will need to make sure that all the templates - # below are in the directory. - # - # Synapse will look for the following templates in this directory: - # - # * HTML page for a confirmation step before redirecting back to the client - # with the login token: 'sso_redirect_confirm.html'. - # - # When rendering, this template is given three variables: - # * redirect_url: the URL the user is about to be redirected to. Needs - # manual escaping (see - # https://jinja.palletsprojects.com/en/2.11.x/templates/#html-escaping). - # - # * display_url: the same as `redirect_url`, but with the query - # parameters stripped. The intention is to have a - # human-readable URL to show to users, not to use it as - # the final address to redirect to. Needs manual escaping - # (see https://jinja.palletsprojects.com/en/2.11.x/templates/#html-escaping). - # - # * server_name: the homeserver's name. - # - # * HTML page which notifies the user that they are authenticating to confirm - # an operation on their account during the user interactive authentication - # process: 'sso_auth_confirm.html'. - # - # When rendering, this template is given the following variables: - # * redirect_url: the URL the user is about to be redirected to. Needs - # manual escaping (see - # https://jinja.palletsprojects.com/en/2.11.x/templates/#html-escaping). - # - # * description: the operation which the user is being asked to confirm - # - # * HTML page shown after a successful user interactive authentication session: - # 'sso_auth_success.html'. - # - # Note that this page must include the JavaScript which notifies of a successful authentication - # (see https://matrix.org/docs/spec/client_server/r0.6.0#fallback). - # - # This template has no additional variables. 
- # - # * HTML page shown during single sign-on if a deactivated user (according to Synapse's database) - # attempts to login: 'sso_account_deactivated.html'. - # - # This template has no additional variables. - # - # * HTML page to display to users if something goes wrong during the - # OpenID Connect authentication process: 'sso_error.html'. - # - # When rendering, this template is given two variables: - # * error: the technical name of the error - # * error_description: a human-readable message for the error - # - # You can see the default templates at: - # https://github.com/matrix-org/synapse/tree/master/synapse/res/templates - # - #template_dir: "res/templates" - - -# The JWT needs to contain a globally unique "sub" (subject) claim. -# -#jwt_config: -# enabled: true -# secret: "a secret" -# algorithm: "HS256" - - -password_config: - # Uncomment to disable password login - # - #enabled: false - - # Uncomment to disable authentication against the local password - # database. This is ignored if `enabled` is false, and is only useful - # if you have other password_providers. - # - #localdb_enabled: false - - # Uncomment and change to a secret random string for extra security. - # DO NOT CHANGE THIS AFTER INITIAL SETUP! - # - #pepper: "EVEN_MORE_SECRET" - - # Define and enforce a password policy. Each parameter is optional. - # This is an implementation of MSC2000. - # - policy: - # Whether to enforce the password policy. - # Defaults to 'false'. - # - #enabled: true - - # Minimum accepted length for a password. - # Defaults to 0. - # - #minimum_length: 15 - - # Whether a password must contain at least one digit. - # Defaults to 'false'. - # - #require_digit: true - - # Whether a password must contain at least one symbol. - # A symbol is any character that's not a number or a letter. - # Defaults to 'false'. - # - #require_symbol: true - - # Whether a password must contain at least one lowercase letter. - # Defaults to 'false'. 
- # - #require_lowercase: true - - # Whether a password must contain at least one lowercase letter. - # Defaults to 'false'. - # - #require_uppercase: true - - -# Configuration for sending emails from Synapse. -# -email: - # The hostname of the outgoing SMTP server to use. Defaults to 'localhost'. - # - #smtp_host: mail.server - - # The port on the mail server for outgoing SMTP. Defaults to 25. - # - #smtp_port: 587 - - # Username/password for authentication to the SMTP server. By default, no - # authentication is attempted. - # - #smtp_user: "exampleusername" - #smtp_pass: "examplepassword" - - # Uncomment the following to require TLS transport security for SMTP. - # By default, Synapse will connect over plain text, and will then switch to - # TLS via STARTTLS *if the SMTP server supports it*. If this option is set, - # Synapse will refuse to connect unless the server supports STARTTLS. - # - #require_transport_security: true - - # notif_from defines the "From" address to use when sending emails. - # It must be set if email sending is enabled. - # - # The placeholder '%(app)s' will be replaced by the application name, - # which is normally 'app_name' (below), but may be overridden by the - # Matrix client application. - # - # Note that the placeholder must be written '%(app)s', including the - # trailing 's'. - # - #notif_from: "Your Friendly %(app)s homeserver " - - # app_name defines the default value for '%(app)s' in notif_from. It - # defaults to 'Matrix'. - # - #app_name: my_branded_matrix_server - - # Uncomment the following to enable sending emails for messages that the user - # has missed. Disabled by default. - # - #enable_notifs: true - - # Uncomment the following to disable automatic subscription to email - # notifications for new users. Enabled by default. - # - #notif_for_new_users: false - - # Custom URL for client links within the email notifications. By default - # links will be based on "https://matrix.to". 
- # - # (This setting used to be called riot_base_url; the old name is still - # supported for backwards-compatibility but is now deprecated.) - # - #client_base_url: "http://localhost/riot" - - # Configure the time that a validation email will expire after sending. - # Defaults to 1h. - # - #validation_token_lifetime: 15m - - # Directory in which Synapse will try to find the template files below. - # If not set, default templates from within the Synapse package will be used. - # - # DO NOT UNCOMMENT THIS SETTING unless you want to customise the templates. - # If you *do* uncomment it, you will need to make sure that all the templates - # below are in the directory. - # - # Synapse will look for the following templates in this directory: - # - # * The contents of email notifications of missed events: 'notif_mail.html' and - # 'notif_mail.txt'. - # - # * The contents of account expiry notice emails: 'notice_expiry.html' and - # 'notice_expiry.txt'. - # - # * The contents of password reset emails sent by the homeserver: - # 'password_reset.html' and 'password_reset.txt' - # - # * HTML pages for success and failure that a user will see when they follow - # the link in the password reset email: 'password_reset_success.html' and - # 'password_reset_failure.html' - # - # * The contents of address verification emails sent during registration: - # 'registration.html' and 'registration.txt' - # - # * HTML pages for success and failure that a user will see when they follow - # the link in an address verification email sent during registration: - # 'registration_success.html' and 'registration_failure.html' - # - # * The contents of address verification emails sent when an address is added - # to a Matrix account: 'add_threepid.html' and 'add_threepid.txt' - # - # * HTML pages for success and failure that a user will see when they follow - # the link in an address verification email sent when an address is added - # to a Matrix account: 'add_threepid_success.html' and - # 
'add_threepid_failure.html' - # - # You can see the default templates at: - # https://github.com/matrix-org/synapse/tree/master/synapse/res/templates - # - #template_dir: "res/templates" - - -# Password providers allow homeserver administrators to integrate -# their Synapse installation with existing authentication methods -# ex. LDAP, external tokens, etc. -# -# For more information and known implementations, please see -# https://github.com/matrix-org/synapse/blob/master/docs/password_auth_providers.md -# -# Note: instances wishing to use SAML or CAS authentication should -# instead use the `saml2_config` or `cas_config` options, -# respectively. -# -password_providers: -# # Example config for an LDAP auth provider -# - module: "ldap_auth_provider.LdapAuthProvider" -# config: -# enabled: true -# uri: "ldap://ldap.example.com:389" -# start_tls: true -# base: "ou=users,dc=example,dc=com" -# attributes: -# uid: "cn" -# mail: "email" -# name: "givenName" -# #bind_dn: -# #bind_password: -# #filter: "(objectClass=posixAccount)" - - - -# Clients requesting push notifications can either have the body of -# the message sent in the notification poke along with other details -# like the sender, or just the event ID and room ID (`event_id_only`). -# If clients choose the former, this option controls whether the -# notification request includes the content of the event (other details -# like the sender are still included). For `event_id_only` push, it -# has no effect. -# -# For modern android devices the notification content will still appear -# because it is loaded by the app. iPhone, however will send a -# notification saying only that a message arrived and who it came from. -# -#push: -# include_content: true - - -# Spam checkers are third-party modules that can block specific actions -# of local users, such as creating rooms and registering undesirable -# usernames, as well as remote users by redacting incoming events. 
-# -spam_checker: - #- module: "my_custom_project.SuperSpamChecker" - # config: - # example_option: 'things' - #- module: "some_other_project.BadEventStopper" - # config: - # example_stop_events_from: ['@bad:example.com'] - - -# Uncomment to allow non-server-admin users to create groups on this server -# -#enable_group_creation: true - -# If enabled, non server admins can only create groups with local parts -# starting with this prefix -# -#group_creation_prefix: "unofficial/" - - - -# User Directory configuration -# -# 'enabled' defines whether users can search the user directory. If -# false then empty responses are returned to all queries. Defaults to -# true. -# -# 'search_all_users' defines whether to search all users visible to your HS -# when searching the user directory, rather than limiting to users visible -# in public rooms. Defaults to false. If you set it True, you'll have to -# rebuild the user_directory search indexes, see -# https://github.com/matrix-org/synapse/blob/master/docs/user_directory.md -# -user_directory: - enabled: true - search_all_users: true - - -# User Consent configuration -# -# for detailed instructions, see -# https://github.com/matrix-org/synapse/blob/master/docs/consent_tracking.md -# -# Parts of this section are required if enabling the 'consent' resource under -# 'listeners', in particular 'template_dir' and 'version'. -# -# 'template_dir' gives the location of the templates for the HTML forms. -# This directory should contain one subdirectory per language (eg, 'en', 'fr'), -# and each language directory should contain the policy document (named as -# '.html') and a success page (success.html). -# -# 'version' specifies the 'current' version of the policy document. It defines -# the version to be served by the consent resource if there is no 'v' -# parameter. -# -# 'server_notice_content', if enabled, will send a user a "Server Notice" -# asking them to consent to the privacy policy. 
The 'server_notices' section -# must also be configured for this to work. Notices will *not* be sent to -# guest users unless 'send_server_notice_to_guests' is set to true. -# -# 'block_events_error', if set, will block any attempts to send events -# until the user consents to the privacy policy. The value of the setting is -# used as the text of the error. -# -# 'require_at_registration', if enabled, will add a step to the registration -# process, similar to how captcha works. Users will be required to accept the -# policy before their account is created. -# -# 'policy_name' is the display name of the policy users will see when registering -# for an account. Has no effect unless `require_at_registration` is enabled. -# Defaults to "Privacy Policy". -# -#user_consent: -# template_dir: res/templates/privacy -# version: 1.0 -# server_notice_content: -# msgtype: m.text -# body: >- -# To continue using this homeserver you must review and agree to the -# terms and conditions at %(consent_uri)s -# send_server_notice_to_guests: true -# block_events_error: >- -# To continue using this homeserver you must review and agree to the -# terms and conditions at %(consent_uri)s -# require_at_registration: false -# policy_name: Privacy Policy -# - - - -# Local statistics collection. Used in populating the room directory. -# -# 'bucket_size' controls how large each statistics timeslice is. It can -# be defined in a human readable short form -- e.g. "1d", "1y". -# -# 'retention' controls how long historical statistics will be kept for. -# It can be defined in a human readable short form -- e.g. "1d", "1y". -# -# -#stats: -# enabled: true -# bucket_size: 1d -# retention: 1y - - -# Server Notices room configuration -# -# Uncomment this section to enable a room which can be used to send notices -# from the server to users. It is a special room which cannot be left; notices -# come from a special "notices" user id. 
-# -# If you uncomment this section, you *must* define the system_mxid_localpart -# setting, which defines the id of the user which will be used to send the -# notices. -# -# It's also possible to override the room name, the display name of the -# "notices" user, and the avatar for the user. -# -#server_notices: -# system_mxid_localpart: notices -# system_mxid_display_name: "Server Notices" -# system_mxid_avatar_url: "mxc://server.com/oumMVlgDnLYFaPVkExemNVVZ" -# room_name: "Server Notices" - - - -# Uncomment to disable searching the public room list. When disabled -# blocks searching local and remote room lists for local and remote -# users by always returning an empty list for all queries. -# -#enable_room_list_search: false - -# The `alias_creation` option controls who's allowed to create aliases -# on this server. -# -# The format of this option is a list of rules that contain globs that -# match against user_id, room_id and the new alias (fully qualified with -# server name). The action in the first rule that matches is taken, -# which can currently either be "allow" or "deny". -# -# Missing user_id/room_id/alias fields default to "*". -# -# If no rules match the request is denied. An empty list means no one -# can create aliases. -# -# Options for the rules include: -# -# user_id: Matches against the creator of the alias -# alias: Matches against the alias being created -# room_id: Matches against the room ID the alias is being pointed at -# action: Whether to "allow" or "deny" the request if the rule matches -# -# The default is: -# -#alias_creation_rules: -# - user_id: "*" -# alias: "*" -# room_id: "*" -# action: allow - -# The `room_list_publication_rules` option controls who can publish and -# which rooms can be published in the public room list. -# -# The format of this option is the same as that for -# `alias_creation_rules`. -# -# If the room has one or more aliases associated with it, only one of -# the aliases needs to match the alias rule. 
If there are no aliases -# then only rules with `alias: *` match. -# -# If no rules match the request is denied. An empty list means no one -# can publish rooms. -# -# Options for the rules include: -# -# user_id: Matches agaisnt the creator of the alias -# room_id: Matches against the room ID being published -# alias: Matches against any current local or canonical aliases -# associated with the room -# action: Whether to "allow" or "deny" the request if the rule matches -# -# The default is: -# -#room_list_publication_rules: -# - user_id: "*" -# alias: "*" -# room_id: "*" -# action: allow - - -# Server admins can define a Python module that implements extra rules for -# allowing or denying incoming events. In order to work, this module needs to -# override the methods defined in synapse/events/third_party_rules.py. -# -# This feature is designed to be used in closed federations only, where each -# participating server enforces the same rules. -# -#third_party_event_rules: -# module: "my_custom_project.SuperRulesSet" -# config: -# example_option: 'things' - - -## Opentracing ## - -# These settings enable opentracing, which implements distributed tracing. -# This allows you to observe the causal chains of events across servers -# including requests, key lookups etc., across any server running -# synapse or any other other services which supports opentracing -# (specifically those implemented with Jaeger). -# -opentracing: - # tracing is disabled by default. Uncomment the following line to enable it. - # - #enabled: true - - # The list of homeservers we wish to send and receive span contexts and span baggage. - # See docs/opentracing.rst - # This is a list of regexes which are matched against the server_name of the - # homeserver. - # - # By defult, it is empty, so no servers are matched. - # - #homeserver_whitelist: - # - ".*" - - # Jaeger can be configured to sample traces at different rates. - # All configuration options provided by Jaeger can be set here. 
- # Jaeger's configuration mostly related to trace sampling which
- # is documented here:
- # https://www.jaegertracing.io/docs/1.13/sampling/.
- #
- #jaeger_config:
- # sampler:
- # type: const
- # param: 1
- # Logging whether spans were started and reported
- #
- # logging:
- # false
diff --git a/roles/matrix/templates/synapse/config/turn.yaml b/roles/matrix/templates/synapse/config/turn.yaml
deleted file mode 100644
index c1fd306..0000000
--- a/roles/matrix/templates/synapse/config/turn.yaml
+++ /dev/null
@@ -1,29 +0,0 @@
-{}
-
-## TURN ##
-
-# The public URIs of the TURN server to give to clients
-#
-#turn_uris: []
-
-# The shared secret used to compute passwords for the TURN server
-#
-#turn_shared_secret: "YOUR_SHARED_SECRET"
-
-# The Username and password if the TURN server needs them and
-# does not use a token
-#
-#turn_username: "TURNSERVER_USERNAME"
-#turn_password: "TURNSERVER_PASSWORD"
-
-# How long generated TURN credentials last
-#
-#turn_user_lifetime: 1h
-
-# Whether guests should be allowed to use the TURN server.
-# This defaults to True, otherwise VoIP will be unreliable for guests.
-# However, it does introduce a slight security risk as it allows users to
-# connect to arbitrary endpoints without having first signed up for a
-# valid account (e.g. by passing a CAPTCHA).
-#
-#turn_allow_guests: true
diff --git a/roles/matrix/templates/synapse/config/url_preview.yaml b/roles/matrix/templates/synapse/config/url_preview.yaml
deleted file mode 100644
index c774b94..0000000
--- a/roles/matrix/templates/synapse/config/url_preview.yaml
+++ /dev/null
@@ -1,104 +0,0 @@
-# Is the preview URL API enabled?
-#
-# 'false' by default: uncomment the following to enable it (and specify a
-# url_preview_ip_range_blacklist blacklist).
-#
-url_preview_enabled: true
-
-# List of IP address CIDR ranges that the URL preview spider is denied
-# from accessing. There are no defaults: you must explicitly
-# specify a list for URL previewing to work. You should specify any
-# internal services in your network that you do not want synapse to try
-# to connect to, otherwise anyone in any Matrix room could cause your
-# synapse to issue arbitrary GET requests to your internal services,
-# causing serious security issues.
-#
-# (0.0.0.0 and :: are always blacklisted, whether or not they are explicitly
-# listed here, since they correspond to unroutable addresses.)
-#
-# This must be specified if url_preview_enabled is set. It is recommended that
-# you uncomment the following list as a starting point.
-#
-url_preview_ip_range_blacklist:
- '127.0.0.0/8'
- '10.0.0.0/8'
- '172.16.0.0/12'
- '192.168.0.0/16'
- '100.64.0.0/10'
- '169.254.0.0/16'
- '::1/128'
- 'fe80::/64'
- 'fc00::/7'
-
-# List of IP address CIDR ranges that the URL preview spider is allowed
-# to access even if they are specified in url_preview_ip_range_blacklist.
-# This is useful for specifying exceptions to wide-ranging blacklisted
-# target IP ranges - e.g. for enabling URL previews for a specific private
-# website only visible in your network.
-#
-#url_preview_ip_range_whitelist:
-# - '192.168.1.1'
-
-# Optional list of URL matches that the URL preview spider is
-# denied from accessing. You should use url_preview_ip_range_blacklist
-# in preference to this, otherwise someone could define a public DNS
-# entry that points to a private IP address and circumvent the blacklist.
-# This is more useful if you know there is an entire shape of URL that
-# you know that will never want synapse to try to spider.
-#
-# Each list entry is a dictionary of url component attributes as returned
-# by urlparse.urlsplit as applied to the absolute form of the URL. See
-# https://docs.python.org/2/library/urlparse.html#urlparse.urlsplit
-# The values of the dictionary are treated as an filename match pattern
-# applied to that component of URLs, unless they start with a ^ in which
-# case they are treated as a regular expression match. If all the
-# specified component matches for a given list item succeed, the URL is
-# blacklisted.
-#
-url_preview_url_blacklist: # blacklist any URL with a username in its URI
- - username: '*'
-#
-# # blacklist all *.google.com URLs
-# - netloc: 'google.com'
-# - netloc: '*.google.com'
-#
-# # blacklist all plain HTTP URLs
-# - scheme: 'http'
-#
-# # blacklist http(s)://www.acme.com/foo
-# - netloc: 'www.acme.com'
-# path: '/foo'
-#
-# # blacklist any URL with a literal IPv4 address
-# - netloc: '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$'
-
-# The largest allowed URL preview spidering size in bytes
-#
-#max_spider_size: 10M
-
-# A list of values for the Accept-Language HTTP header used when
-# downloading webpages during URL preview generation. This allows
-# Synapse to specify the preferred languages that URL previews should
-# be in when communicating with remote servers.
-#
-# Each value is a IETF language tag; a 2-3 letter identifier for a
-# language, optionally followed by subtags separated by '-', specifying
-# a country or region variant.
-#
-# Multiple values can be provided, and a weight can be added to each by
-# using quality value syntax (;q=). '*' translates to any language.
-#
-# Defaults to "en".
-#
-# Example:
-#
-# url_preview_accept_language:
-# - en-UK
-# - en-US;q=0.9
-# - fr;q=0.8
-# - *;q=0.7
-#
-url_preview_accept_language:
- ru
- en;q=0.9
diff --git a/roles/matrix/templates/synapse/log_config.yml b/roles/matrix/templates/synapse/log_config.yml
deleted file mode 100644
index e6618e1..0000000
--- a/roles/matrix/templates/synapse/log_config.yml
+++ /dev/null
@@ -1,35 +0,0 @@
-# Log configuration for Synapse.
-#
-# This is a YAML file containing a standard Python logging configuration
-# dictionary. See [1] for details on the valid settings.
-#
-# [1]: https://docs.python.org/3.7/library/logging.config.html#configuration-dictionary-schema
-
-version: 1
-
-formatters:
- precise:
- format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s - %(message)s'
-
-filters:
- context:
- (): synapse.logging.context.LoggingContextFilter
- request: ''
-
-handlers:
- console:
- class: logging.StreamHandler
- formatter: precise
- filters: [context]
-
-loggers:
- synapse.storage.SQL:
- # beware: increasing this to DEBUG will make synapse log sensitive
- # information such as access tokens.
- level: INFO
-
-root:
- level: INFO
- handlers: [console]
-
-disable_existing_loggers: false
diff --git a/roles/matrix/templates/synapse/matrix-synapse.service b/roles/matrix/templates/synapse/matrix-synapse.service
deleted file mode 100644
index 381f496..0000000
--- a/roles/matrix/templates/synapse/matrix-synapse.service
+++ /dev/null
@@ -1,18 +0,0 @@
-[Unit]
-After=network.target
-Description=Matrix Synapse
-
-[Service]
-ExecStart={{ matrix__synapse__venv_dir }}/bin/synctl --no-daemonize start {{ matrix__synapse__conf_subdir }}
-Group={{ matrix__synapse__group }}
-Restart=always
-RestartSec=1
-StandardOutput=syslog
-StandardError=syslog
-SyslogIdentifier={{ matrix__synapse__service }}
-Type=simple
-User={{ matrix__synapse__user }}
-WorkingDirectory={{ matrix__synapse__opt_dir }}
-
-[Install]
-WantedBy=multi-user.target
diff --git a/roles/matrix/templates/tmpfiles.d/matrix.conf b/roles/matrix/templates/tmpfiles.d/matrix.conf
deleted file mode 100644
index 2ad0653..0000000
--- a/roles/matrix/templates/tmpfiles.d/matrix.conf
+++ /dev/null
@@ -1,2 +0,0 @@
-d {{ matrix__run_dir }} 0775 root root
-d {{ matrix__synapse__run_dir }} 0775 matrix-synapse matrix-synapse
diff --git a/roles/matrix/vars/main.yml b/roles/matrix/vars/main.yml
deleted file mode 100644
index a101650..0000000
--- a/roles/matrix/vars/main.yml
+++ /dev/null
@@ -1,66 +0,0 @@
----
-matrix__synapse__user: 'matrix-synapse'
-matrix__synapse__group: 'matrix-synapse'
-matrix__synapse__service: 'matrix-synapse'
-
-matrix__media_repo__user: 'matrix-media-repo'
-matrix__media_repo__group: 'matrix-media-repo'
-matrix__media_repo__service: 'matrix-media-repo'
-
-matrix__static__user: 'matrix-static'
-matrix__static__group: 'matrix-static'
-matrix__static__service: 'matrix-static'
-
-matrix__synapse__port: 8001
-matrix__media_repo__port: 8002
-matrix__static__port: 8003
-
-matrix__conf_dir: '/etc/matrix'
-matrix__opt_dir: '/opt/matrix'
-matrix__lib_dir: '/var/lib/matrix'
-matrix__run_dir: '/var/run/matrix'
-
-matrix__synapse__conf_dir: '{{ matrix__conf_dir }}/synapse'
-matrix__synapse__opt_dir: '{{ matrix__opt_dir }}/synapse'
-matrix__synapse__lib_dir: '{{ matrix__lib_dir }}/synapse'
-matrix__synapse__run_dir: '{{ matrix__run_dir }}/synapse'
-
-matrix__media_repo__conf_dir: '{{ matrix__conf_dir }}/media_repo'
-matrix__media_repo__opt_dir: '{{ matrix__opt_dir }}/media_repo'
-matrix__media_repo__lib_dir: '{{ matrix__lib_dir }}/media_repo'
-
-matrix__static__conf_dir: '{{ matrix__conf_dir }}/static'
-matrix__static__opt_dir: '{{ matrix__opt_dir }}/static'
-
-matrix__element__opt_dir: '{{ matrix__opt_dir }}/element'
-
-matrix__synapse__conf_subdir: '{{ matrix__synapse__conf_dir }}/config'
-matrix__synapse__log_conf_file: '{{ matrix__synapse__conf_dir }}/log_config.yml'
-matrix__synapse__key_file: '{{ matrix__synapse__conf_dir }}/signing_key'
-matrix__synapse__venv_dir: '{{ matrix__synapse__opt_dir }}/venv'
-matrix__synapse__media_dir: '{{ matrix__synapse__lib_dir }}/media_store'
-matrix__synapse__db_file: '{{ matrix__synapse__lib_dir }}/homeserver.db'
-matrix__synapse__pid_file: '{{ matrix__synapse__run_dir }}/homeserver.pid'
-
-matrix__media_repo__conf_file: '{{ matrix__media_repo__conf_dir }}/config.yaml'
-matrix__media_repo__archive_file: '{{ matrix__media_repo__opt_dir }}/src.tar.gz'
-matrix__media_repo__src_dir: '{{ 
matrix__media_repo__opt_dir }}/src'
-matrix__static__conf_file: '{{ matrix__static__conf_dir }}/config.json'
-matrix__static__archive_file: '{{ matrix__static__opt_dir }}/src.tar.gz'
-matrix__static__src_dir: '{{ matrix__static__opt_dir }}/src'
-matrix__static__bin_dir: '{{ matrix__static__opt_dir }}/bin'
-matrix__element__archive_file: '{{ matrix__element__opt_dir }}/src.tar.gz'
-matrix__element__src_dir: '{{ matrix__element__opt_dir }}/src'
-matrix__element__conf_file: '{{ matrix__element__src_dir }}/config.json'
-matrix__synapse__service_file: '/etc/systemd/system/{{ matrix__synapse__service }}.service'
-matrix__media_repo__service_file: '/etc/systemd/system/{{ matrix__media_repo__service }}.service'
-matrix__static__service_file: '/etc/systemd/system/{{ matrix__static__service }}.service'
-matrix__static__url: 'https://github.com/matrix-org/matrix-static/archive/0.3.0.tar.gz'
-matrix__element__url: 'https://github.com/vector-im/riot-web/releases/download/v1.7.1/riot-v1.7.1.tar.gz'
-matrix__static__checksum: 'sha256:6de2b7360b2deaef7c011acebd061d6bcdae3799ee40a2f7f371744920aa45eb'
-matrix__element__checksum: 'sha256:5e69f862529d429d2d9064de210c16364de48cd38d0ef8ee9a099c096071b5ab'
diff --git a/templates/pg_backup b/templates/pg_backup
deleted file mode 100644
index 6a4c1a7..0000000
--- a/templates/pg_backup
+++ /dev/null
@@ -1,4 +0,0 @@
-#!/bin/sh -e
-
-sudo -u postgres sh -e -c "test -d {{ postgresql_backups_dir }} && find {{ postgresql_backups_dir }} -type f -mtime +7 -exec rm {} \;"
-sudo -u postgres sh -e -c "mkdir -p {{ postgresql_backups_dir }} && umask 077 && pg_dumpall | gzip > {{ postgresql_backups_dir }}/$(TZ=UTC date +"%Y_%m_%d_%H_%M_%S").gz"