Add support for storing Matrix Synapse's media_store to Amazon S3
This commit is contained in:
parent
9b97ab6a90
commit
9c68b057b0
44
README.md
|
@ -10,11 +10,13 @@ Using this playbook, you can get the following services configured on your serve
|
||||||
|
|
||||||
- a [Matrix Synapse](https://github.com/matrix-org/synapse) homeserver - storing your data and managing your presence in the [Matrix](http://matrix.org/) network
|
- a [Matrix Synapse](https://github.com/matrix-org/synapse) homeserver - storing your data and managing your presence in the [Matrix](http://matrix.org/) network
|
||||||
|
|
||||||
|
- (optional) [Amazon S3](https://aws.amazon.com/s3/) storage for your Matrix Synapse's content repository (`media_store`) files using [s3fs-fuse](https://github.com/s3fs-fuse/s3fs-fuse)
|
||||||
|
|
||||||
- a [PostgreSQL](https://www.postgresql.org/) database for Matrix Synapse - providing better performance than the default [SQLite](https://sqlite.org/) database
|
- a [PostgreSQL](https://www.postgresql.org/) database for Matrix Synapse - providing better performance than the default [SQLite](https://sqlite.org/) database
|
||||||
|
|
||||||
- a [STUN server](https://github.com/coturn/coturn) for WebRTC audio/video calls
|
- a [STUN/TURN server](https://github.com/coturn/coturn) for WebRTC audio/video calls
|
||||||
|
|
||||||
- a [Riot](https://riot.im/) web UI
|
- a [Riot](https://riot.im/) web UI, which is configured to connect to your own Matrix Synapse server by default
|
||||||
|
|
||||||
- free [Let's Encrypt](https://letsencrypt.org/) SSL certificate, which secures the connection to the Synapse server and the Riot web UI
|
- free [Let's Encrypt](https://letsencrypt.org/) SSL certificate, which secures the connection to the Synapse server and the Riot web UI
|
||||||
|
|
||||||
|
@ -33,6 +35,8 @@ This is similar to the [EMnify/matrix-synapse-auto-deploy](https://github.com/EM
|
||||||
|
|
||||||
- this one retrieves and automatically renews free [Let's Encrypt](https://letsencrypt.org/) **SSL certificates** for you
|
- this one retrieves and automatically renews free [Let's Encrypt](https://letsencrypt.org/) **SSL certificates** for you
|
||||||
|
|
||||||
|
- this one optionally can store the `media_store` content repository files on [Amazon S3](https://aws.amazon.com/s3/)
|
||||||
|
|
||||||
Special thanks goes to:
|
Special thanks goes to:
|
||||||
|
|
||||||
- [EMnify/matrix-synapse-auto-deploy](https://github.com/EMnify/matrix-synapse-auto-deploy) - for the inspiration
|
- [EMnify/matrix-synapse-auto-deploy](https://github.com/EMnify/matrix-synapse-auto-deploy) - for the inspiration
|
||||||
|
@ -91,6 +95,42 @@ You can follow these steps:
|
||||||
- edit the inventory hosts file (`inventory/hosts`) to your liking
|
- edit the inventory hosts file (`inventory/hosts`) to your liking
|
||||||
|
|
||||||
|
|
||||||
|
## Amazon S3 configuration (optional)
|
||||||
|
|
||||||
|
If you'd like to store Matrix Synapse's content repository (`media_store`) files on Amazon S3,
|
||||||
|
you can let this playbook configure [s3fs-fuse](https://github.com/s3fs-fuse/s3fs-fuse) for you.
|
||||||
|
|
||||||
|
You'll need an Amazon S3 bucket and some IAM user credentials (access key + secret key) with full write access to the bucket. Example security policy:
|
||||||
|
|
||||||
|
```
|
||||||
|
{
|
||||||
|
"Version": "2012-10-17",
|
||||||
|
"Statement": [
|
||||||
|
{
|
||||||
|
"Sid": "Stmt1400105486000",
|
||||||
|
"Effect": "Allow",
|
||||||
|
"Action": [
|
||||||
|
"s3:*"
|
||||||
|
],
|
||||||
|
"Resource": [
|
||||||
|
"arn:aws:s3:::your-bucket-name",
|
||||||
|
"arn:aws:s3:::your-bucket-name/*"
|
||||||
|
]
|
||||||
|
}
|
||||||
|
]
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
||||||
|
You then need to enable S3 support in your configuration file (`inventory/matrix.<your-domain>/vars.yml`).
|
||||||
|
It would be something like this:
|
||||||
|
|
||||||
|
```
|
||||||
|
matrix_s3_media_store_bucket_name: "your-bucket-name"
|
||||||
|
matrix_s3_media_store_aws_access_key: "access-key-goes-here"
|
||||||
|
matrix_s3_media_store_aws_secret_key: "secret-key-goes-here"
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
## Installing
|
## Installing
|
||||||
|
|
||||||
Once you have your server and you have [configured your DNS records](#configuring-dns), you can proceed with installing.
|
Once you have your server and you have [configured your DNS records](#configuring-dns), you can proceed with installing.
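Review bot: the example IAM policy grants `"s3:*"` on `arn:aws:s3:::your-bucket-name` and `arn:aws:s3:::your-bucket-name/*`, which is every S3 operation on the bucket (including rewriting its policy and ACLs), while the text only asks for "full write access"; scope the statement to the actions s3fs needs to list the bucket and read, write and delete objects, so a leaked key cannot be used to open the bucket up. The vars.yml snippet also puts `matrix_s3_media_store_aws_secret_key` in cleartext in the inventory; the section should at least point at Ansible Vault for that file or variable, since the playbook copies the same value into an on-disk credentials file on the server.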
|
||||||
|
|
|
@ -35,9 +35,10 @@ matrix_nginx_riot_web_data_path: "{{ matrix_base_data_path }}/riot-web"
|
||||||
matrix_scratchpad_dir: "{{ matrix_base_data_path }}/scratchpad"
|
matrix_scratchpad_dir: "{{ matrix_base_data_path }}/scratchpad"
|
||||||
|
|
||||||
docker_postgres_image: "postgres:9.6.3-alpine"
|
docker_postgres_image: "postgres:9.6.3-alpine"
|
||||||
docker_matrix_image: "silviof/docker-matrix"
|
docker_matrix_image: "silviof/docker-matrix:latest"
|
||||||
docker_nginx_image: "nginx:1.13.3-alpine"
|
docker_nginx_image: "nginx:1.13.3-alpine"
|
||||||
docker_riot_image: "silviof/matrix-riot-docker"
|
docker_riot_image: "silviof/matrix-riot-docker:latest"
|
||||||
|
docker_s3fs_image: "xueshanf/s3fs:latest"
|
||||||
|
|
||||||
# Specifies when to restart the Matrix services so that
|
# Specifies when to restart the Matrix services so that
|
||||||
# a new SSL certificate could go into effect (UTC time).
|
# a new SSL certificate could go into effect (UTC time).
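Review bot: `docker_s3fs_image: "xueshanf/s3fs:latest"`, together with the `:latest` tags now on `docker_matrix_image` and `docker_riot_image`, pulls whatever the image author pushed most recently, so each playbook run can silently pick up a different, unreviewed build; this matters most for the s3fs image, which this commit runs with elevated privileges and hands both the media store and the AWS credentials to. Pin all three to a specific tag or, better, an image digest, as `docker_postgres_image` and `docker_nginx_image` already are.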
|
||||||
|
@ -51,4 +52,9 @@ matrix_coturn_turn_external_ip_address: "{{ ansible_host }}"
|
||||||
|
|
||||||
matrix_max_upload_size_mb: 10
|
matrix_max_upload_size_mb: 10
|
||||||
matrix_max_log_file_size_mb: 100
|
matrix_max_log_file_size_mb: 100
|
||||||
matrix_max_log_files_count: 10
|
matrix_max_log_files_count: 10
|
||||||
|
|
||||||
|
matrix_s3_media_store_enabled: false
|
||||||
|
matrix_s3_media_store_bucket_name: "your-bucket-name"
|
||||||
|
matrix_s3_media_store_aws_access_key: "your-aws-access-key"
|
||||||
|
matrix_s3_media_store_aws_secret_key: "your-aws-secret-key"
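Review bot: the defaults `"your-bucket-name"`, `"your-aws-access-key"` and `"your-aws-secret-key"` are real-looking placeholders, so a user who sets `matrix_s3_media_store_enabled: true` but forgets one of them gets a credentials file and a systemd unit rendered with the placeholder and a failing mount at runtime instead of a playbook error. Default them to empty strings and add an `assert` (or a `fail` with `when: matrix_s3_media_store_enabled and not matrix_s3_media_store_aws_secret_key`) early in setup_s3fs.yml.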
|
|
@ -42,13 +42,37 @@
|
||||||
# It's wasteful to preserve owner/group now. We chown below anyway.
|
# It's wasteful to preserve owner/group now. We chown below anyway.
|
||||||
owner: no
|
owner: no
|
||||||
group: no
|
group: no
|
||||||
|
# The default of times=yes does not work when s3fs is used.
|
||||||
|
times: "{{ False if matrix_s3_media_store_enabled else True }}"
|
||||||
|
perms: "{{ False if matrix_s3_media_store_enabled else True }}"
|
||||||
|
|
||||||
- name: Ensure media store permissions are correct
|
# This is for the generic case and fails for remote file systems,
|
||||||
|
# because the base path (matrix_synapse_media_store_path) is a mount point.
|
||||||
|
- name: Ensure media store permissions are correct (generic case)
|
||||||
file:
|
file:
|
||||||
path: "{{ matrix_synapse_media_store_path }}"
|
path: "{{ matrix_synapse_media_store_path }}"
|
||||||
owner: "{{ matrix_user_username }}"
|
owner: "{{ matrix_user_username }}"
|
||||||
group: "{{ matrix_user_username }}"
|
group: "{{ matrix_user_username }}"
|
||||||
recurse: yes
|
recurse: yes
|
||||||
|
when: "not matrix_s3_media_store_enabled"
|
||||||
|
|
||||||
|
- name: Determine media store subdirectories
|
||||||
|
find: paths="{{ local_path_media_store }}" file_type=directory
|
||||||
|
delegate_to: 127.0.0.1
|
||||||
|
become: false
|
||||||
|
register: media_store_directories_result
|
||||||
|
when: "matrix_s3_media_store_enabled"
|
||||||
|
|
||||||
|
# This is the s3fs special case. We chown the subdirectories one by one,
|
||||||
|
# without touching the base directory.
|
||||||
|
- name: Ensure media store permissions are correct (s3fs)
|
||||||
|
file:
|
||||||
|
path: "{{ matrix_synapse_media_store_path }}/{{ item.path|basename }}"
|
||||||
|
owner: "{{ matrix_user_username }}"
|
||||||
|
group: "{{ matrix_user_username }}"
|
||||||
|
recurse: yes
|
||||||
|
with_items: "{{ media_store_directories_result.files }}"
|
||||||
|
when: "matrix_s3_media_store_enabled"
|
||||||
|
|
||||||
- name: Ensure Matrix Synapse is started (if it previously was)
|
- name: Ensure Matrix Synapse is started (if it previously was)
|
||||||
service: name="{{ item }}" state=started daemon_reload=yes
|
service: name="{{ item }}" state=started daemon_reload=yes
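Review bot: the "Determine media store subdirectories" task runs `find` on the controller (`delegate_to: 127.0.0.1`) against `local_path_media_store`, and the s3fs task then chowns `{{ matrix_synapse_media_store_path }}/{{ item.path|basename }}` on the server; any subdirectory that exists only on the server (whatever Synapse created after the last sync) is therefore never fixed up, and a controller without a local copy of the media store silently yields an empty list. Running the `find` on the target host against `matrix_synapse_media_store_path` (the comment already says only the base directory must not be touched) covers both cases. Also note that `recurse: yes` over an s3fs mount costs a metadata request per object, so on a large store this task is slow on every run; that is worth a comment. Minor style point: `times: "{{ False if matrix_s3_media_store_enabled else True }}"` reads more directly as `"{{ not matrix_s3_media_store_enabled }}"`, same for `perms`.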
|
||||||
|
|
|
@ -1,5 +1,10 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
|
- include: tasks/setup_s3fs.yml
|
||||||
|
tags:
|
||||||
|
- setup-main
|
||||||
|
- setup-s3fs
|
||||||
|
|
||||||
- include: tasks/setup_base.yml
|
- include: tasks/setup_base.yml
|
||||||
tags:
|
tags:
|
||||||
- setup-main
|
- setup-main
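Review bot: `tasks/setup_s3fs.yml` is now included before `tasks/setup_base.yml`, and it templates a file into `{{ matrix_base_data_path }}/s3fs-credentials`; confirm that `matrix_base_data_path` already exists on a fresh server at that point, otherwise the first run with S3 enabled fails in the template task. If the ordering is needed so the mount is in place before setup_base's media-store handling, a `file: state=directory` for the base path at the top of setup_s3fs.yml would make the include self-contained.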
|
||||||
|
|
49
roles/matrix-server/tasks/setup_s3fs.yml
Normal file
|
@ -0,0 +1,49 @@
|
||||||
|
#
|
||||||
|
# Tasks related to setting up s3fs
|
||||||
|
#
|
||||||
|
|
||||||
|
- name: Ensure S3fs Docker image is pulled
|
||||||
|
docker_image:
|
||||||
|
name: "{{ docker_s3fs_image }}"
|
||||||
|
when: matrix_s3_media_store_enabled
|
||||||
|
|
||||||
|
- name: Ensure s3fs-credentials file created
|
||||||
|
template:
|
||||||
|
src: "{{ role_path }}/templates/s3fs-credentials.j2"
|
||||||
|
dest: "{{ matrix_base_data_path }}/s3fs-credentials"
|
||||||
|
owner: root
|
||||||
|
mode: 0600
|
||||||
|
when: matrix_s3_media_store_enabled
|
||||||
|
|
||||||
|
- name: Ensure matrix-s3fs.service installed
|
||||||
|
template:
|
||||||
|
src: "{{ role_path }}/templates/systemd/matrix-s3fs.service.j2"
|
||||||
|
dest: "/etc/systemd/system/matrix-s3fs.service"
|
||||||
|
mode: 0644
|
||||||
|
when: matrix_s3_media_store_enabled
|
||||||
|
|
||||||
|
#
|
||||||
|
# Tasks related to getting rid of s3fs (if it was previously enabled)
|
||||||
|
#
|
||||||
|
- name: Ensure matrix-s3fs is stopped
|
||||||
|
service: name=matrix-s3fs state=stopped daemon_reload=yes
|
||||||
|
register: stopping_result
|
||||||
|
when: "not matrix_s3_media_store_enabled"
|
||||||
|
|
||||||
|
- name: Ensure matrix-s3fs.service doesn't exist
|
||||||
|
file:
|
||||||
|
path: "{{ matrix_base_data_path }}/s3fs-credentials"
|
||||||
|
state: absent
|
||||||
|
when: "not matrix_s3_media_store_enabled"
|
||||||
|
|
||||||
|
- name: Ensure s3fs-credentials doesn't exist
|
||||||
|
file:
|
||||||
|
path: "{{ matrix_base_data_path }}/s3fs-credentials"
|
||||||
|
state: absent
|
||||||
|
when: "not matrix_s3_media_store_enabled"
|
||||||
|
|
||||||
|
- name: Ensure S3fs Docker image doesn't exist
|
||||||
|
docker_image:
|
||||||
|
name: "{{ docker_s3fs_image }}"
|
||||||
|
state: absent
|
||||||
|
when: "not matrix_s3_media_store_enabled"
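Review bot: the "Ensure matrix-s3fs.service doesn't exist" task removes `{{ matrix_base_data_path }}/s3fs-credentials` rather than `/etc/systemd/system/matrix-s3fs.service`, so the unit file is never cleaned up when S3 is disabled, and the following "Ensure s3fs-credentials doesn't exist" task then repeats the same removal; the path in the first task should be the service file, followed by a daemon-reload so systemd forgets the unit. Two smaller points: `stopping_result` is registered but never read, and the credentials template sets `owner: root` and `mode: 0600` but no `group:`, so the file keeps whatever group the module defaults to; an explicit `group: root` documents the intent.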
|
|
@ -11,7 +11,24 @@
|
||||||
- "{{ matrix_synapse_base_path }}"
|
- "{{ matrix_synapse_base_path }}"
|
||||||
- "{{ matrix_synapse_config_dir_path }}"
|
- "{{ matrix_synapse_config_dir_path }}"
|
||||||
- "{{ matrix_synapse_run_path }}"
|
- "{{ matrix_synapse_run_path }}"
|
||||||
- "{{ matrix_synapse_media_store_path }}"
|
# We handle matrix_synapse_media_store_path below, not here,
|
||||||
|
# because if it's using S3fs and it's already mounted (from before),
|
||||||
|
# trying to chown/chmod it here will cause trouble.
|
||||||
|
|
||||||
|
- name: Check Matrix Synapse media store path
|
||||||
|
stat: path="{{ matrix_synapse_media_store_path }}"
|
||||||
|
register: local_path_media_store_stat
|
||||||
|
|
||||||
|
# This is separate and conditional, to ensure we don't execute it
|
||||||
|
# if the path already exists (and is likely used by an s3fs mount).
|
||||||
|
- name: Ensure Matrix media store path exists
|
||||||
|
file:
|
||||||
|
path: "{{ matrix_synapse_media_store_path }}"
|
||||||
|
state: directory
|
||||||
|
mode: 0750
|
||||||
|
owner: "{{ matrix_user_username }}"
|
||||||
|
group: "{{ matrix_user_username }}"
|
||||||
|
when: "not local_path_media_store_stat.stat.exists"
|
||||||
|
|
||||||
- name: Ensure Matrix Docker image is pulled
|
- name: Ensure Matrix Docker image is pulled
|
||||||
docker_image:
|
docker_image:
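Review bot: the new "Ensure Matrix media store path exists" task is skipped whenever the path already exists, so on an existing installation the `0750` mode and owner of `matrix_synapse_media_store_path` are no longer applied by setup_base (the list entry above that used to cover it is removed); owner and group are still set by the generic chown task in setup_synapse, but the mode is not, which should be stated in the comment or handled there. The guard also tests existence rather than whether the path is a mount point; if the goal is to avoid touching a live s3fs mount, checking the path against `ansible_mounts` (or running `mountpoint -q` with `failed_when: false`) is more precise and still repairs a stale, unmounted directory. The register name `local_path_media_store_stat` suggests a controller-side path, but it is the stat of the remote path.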
|
||||||
|
|
|
@ -3,6 +3,10 @@
|
||||||
- name: Ensure matrix-postgres autoruns and is restarted
|
- name: Ensure matrix-postgres autoruns and is restarted
|
||||||
service: name=matrix-postgres enabled=yes state=restarted daemon_reload=yes
|
service: name=matrix-postgres enabled=yes state=restarted daemon_reload=yes
|
||||||
|
|
||||||
|
- name: Ensure matrix-s3fs autoruns and is restarted
|
||||||
|
service: name=matrix-s3fs enabled=yes state=restarted daemon_reload=yes
|
||||||
|
when: matrix_s3_media_store_enabled
|
||||||
|
|
||||||
- name: Ensure matrix-synapse autoruns and is restarted
|
- name: Ensure matrix-synapse autoruns and is restarted
|
||||||
service: name=matrix-synapse enabled=yes state=restarted daemon_reload=yes
|
service: name=matrix-synapse enabled=yes state=restarted daemon_reload=yes
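Review bot: `state=restarted` on matrix-s3fs on every run unmounts and remounts the media store while matrix-synapse is still running (synapse is only restarted two tasks later); with the `Requires=matrix-s3fs.service` this commit adds to the synapse unit, systemd also propagates that restart to synapse, so synapse ends up restarted twice per run. Using `state=started` here and restarting matrix-s3fs only when its unit template or credentials file changed (via the template tasks' results or a handler) avoids the unnecessary remount.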
|
||||||
|
|
||||||
|
|
1
roles/matrix-server/templates/s3fs-credentials.j2
Normal file
|
@ -0,0 +1 @@
|
||||||
|
{{ matrix_s3_media_store_aws_access_key }}:{{ matrix_s3_media_store_aws_secret_key }}
|
35
roles/matrix-server/templates/systemd/matrix-s3fs.service.j2
Normal file
|
@ -0,0 +1,35 @@
|
||||||
|
[Unit]
|
||||||
|
Description=Matrix S3fs media store
|
||||||
|
After=docker.service
|
||||||
|
Requires=docker.service
|
||||||
|
|
||||||
|
[Service]
|
||||||
|
Type=simple
|
||||||
|
ExecStartPre=-/usr/bin/docker kill %n
|
||||||
|
ExecStartPre=-/usr/bin/docker rm %n
|
||||||
|
ExecStartPre=-/usr/bin/mkdir /tmp/matrix-s3fs-cache
|
||||||
|
ExecStart=/usr/bin/docker run --rm --name %n \
|
||||||
|
-v {{ matrix_base_data_path }}/s3fs-credentials:/s3fs-credentials \
|
||||||
|
--security-opt apparmor:unconfined \
|
||||||
|
--cap-add mknod \
|
||||||
|
--cap-add sys_admin \
|
||||||
|
--device=/dev/fuse \
|
||||||
|
-v {{ matrix_synapse_media_store_path }}:/media-store:shared \
|
||||||
|
-v /tmp/matrix-s3fs-cache:/s3fs-cache \
|
||||||
|
{{ docker_s3fs_image }} \
|
||||||
|
/usr/bin/s3fs -f \
|
||||||
|
-o allow_other \
|
||||||
|
-o use_cache=/s3fs-cache \
|
||||||
|
-o storage_class=standard_ia \
|
||||||
|
-o passwd_file=/s3fs-credentials \
|
||||||
|
{{ matrix_s3_media_store_bucket_name }} /media-store
|
||||||
|
TimeoutStartSec=5min
|
||||||
|
ExecStop=-/usr/bin/docker stop %n
|
||||||
|
ExecStop=-/usr/bin/docker kill %n
|
||||||
|
ExecStop=-/usr/bin/docker rm %n
|
||||||
|
ExecStop=-/usr/bin/rm -rf /tmp/matrix-s3fs-cache
|
||||||
|
Restart=always
|
||||||
|
RestartSec=5
|
||||||
|
|
||||||
|
[Install]
|
||||||
|
WantedBy=multi-user.target
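Review bot: the container runs with `--security-opt apparmor:unconfined`, `--cap-add sys_admin` and `--cap-add mknod` on top of `--device=/dev/fuse` and a `:shared` bind of the media store; CAP_SYS_ADMIN without an AppArmor profile is close to full root on the host, and it is granted to a third-party `:latest` image that also holds the AWS credentials. FUSE needs CAP_SYS_ADMIN and the device, but `mknod` looks unnecessary once `/dev/fuse` is passed in, a `--cap-drop ALL` before the `--cap-add` would shed the default capability set, and a confining profile is preferable to `unconfined` if the image can run under one. Separately, `Type=simple` marks the unit active as soon as `docker run` forks, well before s3fs has mounted the bucket, so units ordered `After=` this one do not actually wait for the mount; an `ExecStartPost` that polls until `{{ matrix_synapse_media_store_path }}` is a mount point would make the ordering meaningful. Finally, `ExecStartPre=-/usr/bin/mkdir /tmp/matrix-s3fs-cache` creates the cache with default permissions under world-writable `/tmp`, and cached copies of media files live there; create it with a restrictive mode (`mkdir -p -m 0700`) or under `{{ matrix_base_data_path }}`.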
|
|
@ -4,6 +4,10 @@ After=docker.service
|
||||||
Requires=docker.service
|
Requires=docker.service
|
||||||
Requires=matrix-postgres.service
|
Requires=matrix-postgres.service
|
||||||
After=matrix-postgres.service
|
After=matrix-postgres.service
|
||||||
|
{% if matrix_s3_media_store_enabled %}
|
||||||
|
After=matrix-s3fs.service
|
||||||
|
Requires=matrix-s3fs.service
|
||||||
|
{% endif %}
|
||||||
|
|
||||||
[Service]
|
[Service]
|
||||||
Type=simple
|
Type=simple
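Review bot: `After=matrix-s3fs.service` plus `Requires=matrix-s3fs.service` orders synapse after the s3fs process has been started, but because that unit is `Type=simple` the bucket may not be mounted yet when synapse starts; uploads made in that window land in the underlying host directory and are hidden (and never reach S3) once the mount appears. Either a readiness check in matrix-s3fs.service or an `ExecStartPre` here that waits until the media store path is a mount point closes that gap. Note also that `Requires=` propagates stops and restarts of matrix-s3fs to synapse, which is probably intended but deserves a comment in the template.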
|
||||||
|
|