pub-solar/matrix-docker-ansible-deploy
5
0
Fork 0
Code Issues Pull requests Packages Projects Releases Wiki Activity
matrix-docker-ansible-deploy/roles/matrix-server/defaults/main.yml
Slavi Pantaleev 3a5f82267b Do not use Let's Encrypt certificate for Synapse's federation port 
As described here (
https://github.com/matrix-org/synapse/issues/2438#issuecomment-327424711
), using own SSL certificates for the federation port is more fragile,
as renewing them could cause federation outages.

The recommended setup is to use the self-signed certificates generated
by Synapse.

On the 443 port (matrix-nginx-proxy) side, we still use the Let's Encrypt
certificates, which ensures API consumers work without having to trust
"our own CA".

Having done this, we also don't need to ever restart Synapse anymore,
as no new SSL certificates need to be applied there.

It's just matrix-nginx-proxy that needs to be restarted, and it doesn't
even need a full restart as an "nginx reload" does the job of swithing
to the new SSL certificates.
2017-09-23 15:29:15 +03:00

74 lines
3.3 KiB
YAML
Raw Blame History

# The bare hostname which represents your identity.
# This is something like "example.com".
# Note: this playbook does not touch the server referenced here.
hostname_identity: "{{ host_specific_hostname_identity }}"
# This is where your data lives and what we set up here.
# This and the Riot hostname (see below) are expected to be on the same server.
hostname_matrix: "matrix.{{ hostname_identity }}"
# This is where you access the web UI from and what we set up here.
# This and the Matrix hostname (see above) are expected to be on the same server.
hostname_riot: "riot.{{ hostname_identity }}"
matrix_user_username: "matrix"
matrix_user_uid: 991
matrix_user_gid: 991
# The defaults below cause a postgres server to be configured (running within a container).
# Using an external server is possible by tweaking all of the parameters below.
matrix_postgres_use_external: false
matrix_postgres_connection_hostname: "postgres"
matrix_postgres_connection_username: "synapse"
matrix_postgres_connection_password: "synapse-password"
matrix_postgres_db_name: "homeserver"
matrix_base_data_path: "/matrix"
matrix_ssl_certs_path: "{{ matrix_base_data_path }}/ssl"
matrix_ssl_support_email: "{{ host_specific_matrix_ssl_support_email }}"
matrix_environment_variables_data_path: "{{ matrix_base_data_path }}/environment-variables"
matrix_synapse_base_path: "{{ matrix_base_data_path }}/synapse"
matrix_synapse_config_dir_path: "{{ matrix_synapse_base_path }}/config"
matrix_synapse_run_path: "{{ matrix_synapse_base_path }}/run"
matrix_synapse_media_store_path: "{{ matrix_synapse_base_path }}/media-store"
matrix_postgres_data_path: "{{ matrix_base_data_path }}/postgres"
matrix_nginx_proxy_data_path: "{{ matrix_base_data_path }}/nginx-proxy"
matrix_nginx_proxy_confd_path: "{{ matrix_nginx_proxy_data_path }}/conf.d"
matrix_nginx_riot_web_data_path: "{{ matrix_base_data_path }}/riot-web"
matrix_scratchpad_dir: "{{ matrix_base_data_path }}/scratchpad"
docker_postgres_image: "postgres:9.6.5-alpine"
docker_matrix_image: "silviof/docker-matrix:latest"
docker_nginx_image: "nginx:1.13.5-alpine"
docker_riot_image: "silviof/matrix-riot-docker:latest"
docker_s3fs_image: "xueshanf/s3fs:latest"
# UDP port-range to use for TURN
matrix_coturn_turn_udp_min_port: 49152
matrix_coturn_turn_udp_max_port: 49172
matrix_coturn_turn_external_ip_address: "{{ ansible_host }}"
matrix_max_upload_size_mb: 10
matrix_max_log_file_size_mb: 100
matrix_max_log_files_count: 10
matrix_s3_media_store_enabled: false
matrix_s3_media_store_bucket_name: "your-bucket-name"
matrix_s3_media_store_aws_access_key: "your-aws-access-key"
matrix_s3_media_store_aws_secret_key: "your-aws-secret-key"
# By default, this playbook installs the Riot.IM web UI on the `hostname_riot` domain.
# If you wish to connect to your Matrix server by other means,
# you may wish to disable this.
matrix_riot_web_enabled: true
# By default, this playbook sets up its own nginx proxy server on port 80/443.
# This is fine if you're dedicating the whole server to Matrix.
# But in case that's not the case, you may wish to prevent that
# and take care of proxying by yourself.
matrix_nginx_proxy_enabled: true
# Specifies when to reload the matrix-nginx-proxy service so that
# a new SSL certificate could go into effect (UTC time).
matrix_nginx_proxy_reload_cron_time_definition: "15 4 3 * *"
Reference in a new issue View git blame Copy permalink