3a5f82267b
As described here ( https://github.com/matrix-org/synapse/issues/2438#issuecomment-327424711 ), using own SSL certificates for the federation port is more fragile, as renewing them could cause federation outages. The recommended setup is to use the self-signed certificates generated by Synapse. On the 443 port (matrix-nginx-proxy) side, we still use the Let's Encrypt certificates, which ensures API consumers work without having to trust "our own CA". Having done this, we also don't need to ever restart Synapse anymore, as no new SSL certificates need to be applied there. It's just matrix-nginx-proxy that needs to be restarted, and it doesn't even need a full restart as an "nginx reload" does the job of swithing to the new SSL certificates.
141 lines
5.6 KiB
YAML
141 lines
5.6 KiB
YAML
---
|
|
|
|
- name: Ensure Matrix Synapse paths exists
|
|
file:
|
|
path: "{{ item }}"
|
|
state: directory
|
|
mode: 0750
|
|
owner: "{{ matrix_user_username }}"
|
|
group: "{{ matrix_user_username }}"
|
|
with_items:
|
|
- "{{ matrix_synapse_config_dir_path }}"
|
|
- "{{ matrix_synapse_run_path }}"
|
|
# We handle matrix_synapse_media_store_path below, not here,
|
|
# because if it's using S3fs and it's already mounted (from before),
|
|
# trying to chown/chmod it here will cause trouble.
|
|
|
|
- name: Check Matrix Synapse media store path
|
|
stat: path="{{ matrix_synapse_media_store_path }}"
|
|
register: local_path_media_store_stat
|
|
|
|
# This is separate and conditional, to ensure we don't execute it
|
|
# if the path already exists (and is likely used by an s3fs mount).
|
|
- name: Ensure Matrix media store path exists
|
|
file:
|
|
path: "{{ matrix_synapse_media_store_path }}"
|
|
state: directory
|
|
mode: 0750
|
|
owner: "{{ matrix_user_username }}"
|
|
group: "{{ matrix_user_username }}"
|
|
when: "not local_path_media_store_stat.stat.exists"
|
|
|
|
- name: Ensure Matrix Docker image is pulled
|
|
docker_image:
|
|
name: "{{ docker_matrix_image }}"
|
|
|
|
- name: Check if a Matrix Synapse configuration exists
|
|
stat:
|
|
path: "{{ matrix_synapse_config_dir_path }}/homeserver.yaml"
|
|
register: matrix_synapse_config_stat
|
|
|
|
- name: Generate initial Matrix config
|
|
docker_container:
|
|
name: matrix-config
|
|
image: "{{ docker_matrix_image }}"
|
|
detach: no
|
|
cleanup: yes
|
|
command: generate
|
|
env:
|
|
SERVER_NAME: "{{ hostname_matrix }}"
|
|
REPORT_STATS: "no"
|
|
user: "{{ matrix_user_uid }}:{{ matrix_user_gid }}"
|
|
volumes:
|
|
- "{{ matrix_synapse_config_dir_path }}:/data"
|
|
when: "not matrix_synapse_config_stat.stat.exists"
|
|
|
|
- name: Augment Matrix log config
|
|
lineinfile: "dest={{ matrix_synapse_config_dir_path }}/{{ hostname_matrix }}.log.config"
|
|
args:
|
|
regexp: "{{ item.regexp }}"
|
|
line: '{{ item.line }}'
|
|
with_items:
|
|
- {"regexp": "^ filename:", "line": ' filename: /matrix-run/homeserver.log'}
|
|
- {"regexp": "^ maxBytes:", "line": ' maxBytes: {{ matrix_max_log_file_size_mb * 1024 * 1024 }}'}
|
|
- {"regexp": "^ backupCount:", "line": ' backupCount: {{ matrix_max_log_files_count }}'}
|
|
|
|
- name: Augment Matrix config
|
|
lineinfile: "dest={{ matrix_synapse_config_dir_path }}/homeserver.yaml"
|
|
args:
|
|
regexp: "{{ item.regexp }}"
|
|
line: '{{ item.line }}'
|
|
with_items:
|
|
- {"regexp": "^log_file:", "line": 'log_file: "/matrix-run/homeserver.log"'}
|
|
- {"regexp": "^server_name:", "line": 'server_name: "{{ hostname_identity }}"'}
|
|
- {"regexp": "^turn_allow_guests:", "line": 'turn_allow_guests: False'}
|
|
- {"regexp": "^url_preview_enabled:", "line": 'url_preview_enabled: True'}
|
|
- {"regexp": "^max_upload_size:", "line": 'max_upload_size: "{{ matrix_max_upload_size_mb }}M"'}
|
|
- {"regexp": "^media_store_path:", "line": 'media_store_path: "/matrix-media-store"'}
|
|
|
|
- name: Augment Matrix config (specify URL previews blacklist)
|
|
lineinfile: "dest={{ matrix_synapse_config_dir_path }}/homeserver.yaml"
|
|
args:
|
|
regexp: "^url_preview_ip_range_blacklist:"
|
|
line: 'url_preview_ip_range_blacklist: ["127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10", "169.254.0.0/16"]'
|
|
insertafter: '^# url_preview_ip_range_blacklist:$'
|
|
|
|
# We only wish to do this for the 8008 port and not for the 8448 port
|
|
# (2nd instance of `x_forwarded` found in the config)
|
|
- name: Augment Matrix config (mark 8008 plain traffic as forwarded)
|
|
replace: "dest={{ matrix_synapse_config_dir_path }}/homeserver.yaml"
|
|
args:
|
|
regexp: "8008((?:.|\n)*)x_forwarded(.*)"
|
|
replace: '8008\g<1>x_forwarded: true'
|
|
|
|
- name: Augment Matrix config (change database from SQLite to Postgres)
|
|
lineinfile:
|
|
dest: "{{ matrix_synapse_config_dir_path }}/homeserver.yaml"
|
|
regexp: '(.*)name: "sqlite3"'
|
|
line: '\1name: "psycopg2"'
|
|
backrefs: yes
|
|
|
|
- name: Augment Matrix config (set the Postgres connection parameters)
|
|
replace:
|
|
dest: "{{ matrix_synapse_config_dir_path }}/homeserver.yaml"
|
|
regexp: '(.*)name: "psycopg2"((?:.|\n)*?)\n\n'
|
|
replace: '\1name: "psycopg2"\n\1args:\n\1\1user: "{{ matrix_postgres_connection_username }}"\n\1\1password: "{{ matrix_postgres_connection_password }}"\n\1\1database: "{{ matrix_postgres_db_name }}"\n\1\1host: "{{ matrix_postgres_connection_hostname }}"\n\1\1cp_min: 5\n\1\1cp_max: 10\n\n'
|
|
|
|
- name: Augment Matrix config (configure Coturn)
|
|
lineinfile: "dest={{ matrix_synapse_config_dir_path }}/turnserver.conf"
|
|
args:
|
|
regexp: "^{{ item.variable }}="
|
|
line: '{{ item.variable }}={{ item.value }}'
|
|
with_items:
|
|
- {'variable': 'min-port', 'value': "{{ matrix_coturn_turn_udp_min_port }}"}
|
|
- {'variable': 'max-port', 'value': "{{ matrix_coturn_turn_udp_max_port }}"}
|
|
- {'variable': 'external-ip', 'value': "{{ matrix_coturn_turn_external_ip_address }}"}
|
|
|
|
- name: Allow access to Matrix ports in firewalld
|
|
firewalld:
|
|
port: "{{ item }}"
|
|
state: enabled
|
|
immediate: yes
|
|
permanent: yes
|
|
with_items:
|
|
- '8448/tcp' # Matrix federation
|
|
- '3478/tcp' # STUN
|
|
- '3478/udp' # STUN
|
|
- "{{ matrix_coturn_turn_udp_min_port }}-{{ matrix_coturn_turn_udp_max_port }}/udp" # TURN
|
|
when: ansible_os_family == 'RedHat'
|
|
|
|
- name: Ensure matrix-synapse.service installed
|
|
template:
|
|
src: "{{ role_path }}/templates/systemd/matrix-synapse.service.j2"
|
|
dest: "/etc/systemd/system/matrix-synapse.service"
|
|
mode: 0644
|
|
|
|
- name: Ensure matrix-synapse-register-user script created
|
|
template:
|
|
src: "{{ role_path }}/templates/usr-local-bin/matrix-synapse-register-user.j2"
|
|
dest: "/usr/local/bin/matrix-synapse-register-user"
|
|
mode: 0750
|