From fbccf37df6c211a5feabdf96c882580adc1993d5 Mon Sep 17 00:00:00 2001 
From: "J. Doe" Date: Tue, 24 Sep 2019 11:19:03 +0200 Subject: [PATCH] add requirements file,hosts.ini and README --- .gitlab-ci.yml.disabled | 32 ---- README.md | 14 +- ansible.cfg | 3 +- gitlab-ci-inventory.ini | 5 - requirements.yml | 18 +++ .../geerlingguy.pip/meta/.galaxy_install_info | 2 +- roles/geerlingguy.postgresql/.travis.yml | 1 + .../meta/.galaxy_install_info | 4 +- roles/geerlingguy.postgresql/meta/main.yml | 12 +- .../molecule/default/playbook.yml | 11 ++ .../tasks/configure.yml | 2 +- roles/geerlingguy.postgresql/tasks/main.yml | 4 +- .../tasks/setup-RedHat.yml | 8 +- .../tasks/variables.yml | 8 +- .../geerlingguy.postgresql/vars/Debian-NA.yml | 10 -- .../vars/Debian-buster/sid.yml | 10 -- .../vars/Debian-testing.yml | 10 -- .../geerlingguy.postgresql/vars/Fedora-29.yml | 12 ++ .../geerlingguy.postgresql/vars/Fedora-30.yml | 13 ++ .../geerlingguy.postgresql/vars/Ubuntu-14.yml | 10 -- roles/synapse/.gitignore | 1 + roles/synapse/.gitlab-ci.yml | 24 +++ roles/synapse/meta/.galaxy_install_info | 2 + roles/synapse/synapse | 1 + roles/synapse/tasks/configure.yml | 64 ++++++++ roles/synapse/tasks/crypto.yml | 32 ++++ roles/synapse/tasks/deployment.yml | 78 ++++++++++ roles/synapse/tasks/generate_secret.yml | 27 ++++ roles/synapse/tasks/logging.yml | 35 +++++ roles/synapse/tasks/main.yml | 16 ++ roles/synapse/tasks/systemd.yml | 8 + roles/synapse/templates/logrotate.j2 | 10 ++ .../templates/matrix-synapse.service.j2 | 16 ++ .../synapse/templates/syslog-synapse.conf.j2 | 2 + roles/synapse/tests/.gitignore | 2 + roles/synapse/tests/Vagrantfile | 25 ++++ roles/synapse/tests/ansible.cfg | 3 + roles/synapse/tests/requirements.yml | 4 + roles/synapse/tests/test-docker.yml | 52 +++++++ roles/synapse/tests/test-pip.yml | 44 ++++++ roles/synapse/vars/main.yml | 141 ++++++++++++++++++ 41 files changed, 685 insertions(+), 91 deletions(-) delete mode 100644 .gitlab-ci.yml.disabled delete mode 100644 gitlab-ci-inventory.ini create mode 100644 requirements.yml delete 
mode 100644 roles/geerlingguy.postgresql/vars/Debian-NA.yml delete mode 100644 roles/geerlingguy.postgresql/vars/Debian-buster/sid.yml delete mode 100644 roles/geerlingguy.postgresql/vars/Debian-testing.yml create mode 100644 roles/geerlingguy.postgresql/vars/Fedora-29.yml create mode 100644 roles/geerlingguy.postgresql/vars/Fedora-30.yml delete mode 100644 roles/geerlingguy.postgresql/vars/Ubuntu-14.yml create mode 100644 roles/synapse/.gitignore create mode 100644 roles/synapse/.gitlab-ci.yml create mode 100644 roles/synapse/meta/.galaxy_install_info create mode 120000 roles/synapse/synapse create mode 100644 roles/synapse/tasks/configure.yml create mode 100644 roles/synapse/tasks/crypto.yml create mode 100644 roles/synapse/tasks/deployment.yml create mode 100644 roles/synapse/tasks/generate_secret.yml create mode 100644 roles/synapse/tasks/logging.yml create mode 100644 roles/synapse/tasks/main.yml create mode 100644 roles/synapse/tasks/systemd.yml create mode 100644 roles/synapse/templates/logrotate.j2 create mode 100644 roles/synapse/templates/matrix-synapse.service.j2 create mode 100644 roles/synapse/templates/syslog-synapse.conf.j2 create mode 100644 roles/synapse/tests/.gitignore create mode 100644 roles/synapse/tests/Vagrantfile create mode 100644 roles/synapse/tests/ansible.cfg create mode 100644 roles/synapse/tests/requirements.yml create mode 100644 roles/synapse/tests/test-docker.yml create mode 100644 roles/synapse/tests/test-pip.yml create mode 100644 roles/synapse/vars/main.yml diff --git a/.gitlab-ci.yml.disabled b/.gitlab-ci.yml.disabled deleted file mode 100644 index 2fda69b..0000000 --- a/.gitlab-ci.yml.disabled +++ /dev/null 
@@ -1,32 +0,0 @@ -stages: - # - ansible-lint - - deploy_app - -# ansible-lint: -# only: -# - master -# stage: ansible-lint -# image: yokogawa/ansible-lint -# allow_failure: true -# script: - -# - 'ansible-lint setup.yml' - -deploy_app: - only: - - master - stage: deploy_app - # TODO: use private ubuntu w/ ansible image to not reinstall ansible at every build - # not working: - # image: williamyeh/ansible:ubuntu18.04 - # running systemd requires privileged container so instead of running services we run processes as daemons - # not working: - # image: jrei/systemd-ubuntu:latest - image: ubuntu:latest - script: - - apt-add-repository --yes --update ppa:ansible/ansible - # useless? - # - apt update - # sudo is used by some roles and not installed on docker - - apt install --yes sudo software-properties-common ansible - - "ansible-playbook -i gitlab-ci-inventory.ini setup.yml -vv --extra-var docker_enabled=true" diff --git a/README.md b/README.md index 958fd66..66d98f9 100644 --- a/README.md +++ b/README.md @@ -1,3 +1,15 @@ # Fuz Playbooks -Playbooks for (relatively) easy sysadmin! \ No newline at end of file +Playbooks for (relatively) easy sysadmin! + +## With Vagrant +1. `vagrant up` +2. Install ansible +3. Install the roles: `ansible-galaxy install -r requirements.yml` +4. Launch the playbook: `ansible-playbook setup.yml` + +## With a real server +1. Edit the file `hosts.ini` +2. Install ansible +3. Install the roles: `ansible-galaxy install -r requirements.yml` +4. Launch the playbook: `ansible-playbook setup.yml` \ No newline at end of file diff --git a/ansible.cfg b/ansible.cfg index dbd6b04..ad4cc0d 100644 --- a/ansible.cfg +++ b/ansible.cfg @@ -1,3 +1,4 @@ [defaults] inventory = hosts.ini -host_key_checking = False \ No newline at end of file +host_key_checking = False +roles_path = roles/ \ No newline at end of file diff --git a/gitlab-ci-inventory.ini b/gitlab-ci-inventory.ini deleted file mode 100644 index e1fe8be..0000000 
--- a/gitlab-ci-inventory.ini +++ /dev/null @@ -1,5 +0,0 @@ -docker-shared-runner ansible_connection=local become=true -[postgresql] -docker-shared-runner -[synapse] -docker-shared-runner \ No newline at end of file diff --git a/requirements.yml b/requirements.yml new file mode 100644 index 0000000..26f2666 --- /dev/null +++ b/requirements.yml @@ -0,0 +1,18 @@ +# from galaxy +- src: geerlingguy.pip +- src: geerlingguy.postgresql + +# from GitHub, overriding the name and specifying a specific tag +# - src: https://github.com/bennojoy/nginx +# version: master +# name: nginx_role + +# from a webserver, where the role is packaged in a tar.gz +# - src: https://some.webserver.example.com/files/master.tar.gz +# name: http-role + + +# from GitLab or other git-based scm, using git+ssh +- src: https://gitlab.com/famedly/ansible/synapse + scm: git + # version: "0.1" # quoted, so YAML doesn't parse this as a floating-point value diff --git a/roles/geerlingguy.pip/meta/.galaxy_install_info b/roles/geerlingguy.pip/meta/.galaxy_install_info index ae48908..430bcb1 100644 --- a/roles/geerlingguy.pip/meta/.galaxy_install_info +++ b/roles/geerlingguy.pip/meta/.galaxy_install_info @@ -1,2 +1,2 @@ -install_date: Thu Sep 12 20:00:01 2019 +install_date: Tue Sep 24 09:13:41 2019 version: 1.3.0 diff --git a/roles/geerlingguy.postgresql/.travis.yml b/roles/geerlingguy.postgresql/.travis.yml index 22de535..7aab231 100644 --- a/roles/geerlingguy.postgresql/.travis.yml +++ b/roles/geerlingguy.postgresql/.travis.yml @@ -7,6 +7,7 @@ env: - ROLE_NAME: postgresql matrix: - MOLECULE_DISTRO: centos7 + - MOLECULE_DISTRO: fedora30 - MOLECULE_DISTRO: ubuntu1804 - MOLECULE_DISTRO: ubuntu1604 - MOLECULE_DISTRO: debian10 diff --git a/roles/geerlingguy.postgresql/meta/.galaxy_install_info b/roles/geerlingguy.postgresql/meta/.galaxy_install_info index 6baa449..bd7ee9b 100644 --- a/roles/geerlingguy.postgresql/meta/.galaxy_install_info +++ b/roles/geerlingguy.postgresql/meta/.galaxy_install_info 
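Review bot: The synapse role in requirements.yml is fetched from a git remote with `scm: git` and no `version:` (the pin is left commented out), so every `ansible-galaxy install -r requirements.yml` takes whatever the remote branch head is at that moment, and the two Galaxy roles above it are unpinned as well. Pin each entry to a tag or commit, e.g. `version: "<tag-or-sha placeholder>"`, so the roles that install a service and handle its secrets are reproducible and reviewable. The same commit also vendors `roles/synapse` in-tree while ansible.cfg sets `roles_path = roles/`, so a galaxy install presumably overwrites the committed copy; decide on one source of truth for that role.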
@@ -1,2 +1,2 @@ -install_date: Thu Sep 12 20:01:17 2019 -version: 1.4.6 +install_date: Tue Sep 24 09:13:46 2019 +version: 2.0.0 diff --git a/roles/geerlingguy.postgresql/meta/main.yml b/roles/geerlingguy.postgresql/meta/main.yml index ccdd857..2c962a6 100644 --- a/roles/geerlingguy.postgresql/meta/main.yml +++ b/roles/geerlingguy.postgresql/meta/main.yml @@ -12,12 +12,20 @@ galaxy_info: versions: - 6 - 7 + - name: Fedora + versions: + - 29 + - 30 - name: Ubuntu versions: - - all + - xenial + - bionic - name: Debian versions: - - all + - wheezy + - jessie + - stretch + - buster galaxy_tags: - database - postgresql diff --git a/roles/geerlingguy.postgresql/molecule/default/playbook.yml b/roles/geerlingguy.postgresql/molecule/default/playbook.yml index 5f152a6..a437c51 100644 --- a/roles/geerlingguy.postgresql/molecule/default/playbook.yml +++ b/roles/geerlingguy.postgresql/molecule/default/playbook.yml @@ -10,6 +10,17 @@ - name: jdoe pre_tasks: + # The Fedora 30+ container images have only C.UTF-8 installed + - name: Set database locale if using Fedora 30+ + set_fact: + postgresql_databases: + - name: example + lc_collate: 'C.UTF-8' + lc_ctype: 'C.UTF-8' + when: + - ansible_distribution == 'Fedora' + - ansible_distribution_major_version >= '30' + - name: Update apt cache. apt: update_cache=true cache_valid_time=600 when: ansible_os_family == 'Debian' diff --git a/roles/geerlingguy.postgresql/tasks/configure.yml b/roles/geerlingguy.postgresql/tasks/configure.yml index 26a6f68..28504a5 100644 --- a/roles/geerlingguy.postgresql/tasks/configure.yml +++ b/roles/geerlingguy.postgresql/tasks/configure.yml @@ -16,7 +16,7 @@ group: "{{ postgresql_group }}" mode: 0600 notify: restart postgresql - when: postgresql_hba_entries + when: postgresql_hba_entries | length > 0 - name: Ensure PostgreSQL unix socket dirs exist. file: diff --git a/roles/geerlingguy.postgresql/tasks/main.yml b/roles/geerlingguy.postgresql/tasks/main.yml index 1cbee02..5d4f5fe 100644 
--- a/roles/geerlingguy.postgresql/tasks/main.yml +++ b/roles/geerlingguy.postgresql/tasks/main.yml @@ -17,9 +17,7 @@ name: "{{ postgresql_daemon }}" state: "{{ postgresql_service_state }}" enabled: "{{ postgresql_service_enabled }}" - when: not docker_enabled - # Configure PostgreSQL. -- import_tasks: databases.yml - import_tasks: users.yml +- import_tasks: databases.yml diff --git a/roles/geerlingguy.postgresql/tasks/setup-RedHat.yml b/roles/geerlingguy.postgresql/tasks/setup-RedHat.yml index 9cd84ed..d536bcb 100644 --- a/roles/geerlingguy.postgresql/tasks/setup-RedHat.yml +++ b/roles/geerlingguy.postgresql/tasks/setup-RedHat.yml @@ -1,12 +1,16 @@ --- - name: Ensure PostgreSQL packages are installed. - package: + yum: name: "{{ postgresql_packages }}" state: present enablerepo: "{{ postgresql_enablerepo | default(omit, true) }}" + # Don't let postgresql-contrib cause the /usr/bin/python symlink + # to be installed, which breaks later Ansible runs on Fedora 30, + # and affects system behavior in multiple ways. + exclude: python-unversioned-command - name: Ensure PostgreSQL Python libraries are installed. - package: + yum: name: "{{ postgresql_python_library }}" state: present enablerepo: "{{ postgresql_enablerepo | default(omit, true) }}" diff --git a/roles/geerlingguy.postgresql/tasks/variables.yml b/roles/geerlingguy.postgresql/tasks/variables.yml index df3538b..7f45154 100644 --- a/roles/geerlingguy.postgresql/tasks/variables.yml +++ b/roles/geerlingguy.postgresql/tasks/variables.yml 
@@ -6,7 +6,13 @@ - name: Include OS-specific variables (RedHat). include_vars: "{{ ansible_os_family }}-{{ ansible_distribution_version.split('.')[0] }}.yml" - when: ansible_os_family == 'RedHat' + when: + - ansible_os_family == 'RedHat' + - ansible_distribution != 'Fedora' + +- name: Include OS-specific variables (Fedora). + include_vars: "{{ ansible_distribution }}-{{ ansible_distribution_version.split('.')[0] }}.yml" + when: ansible_distribution == 'Fedora' - name: Define postgresql_packages. set_fact: diff --git a/roles/geerlingguy.postgresql/vars/Debian-NA.yml b/roles/geerlingguy.postgresql/vars/Debian-NA.yml deleted file mode 100644 index fe81ad7..0000000 --- a/roles/geerlingguy.postgresql/vars/Debian-NA.yml +++ /dev/null @@ -1,10 +0,0 @@ ---- -__postgresql_version: "11" -__postgresql_data_dir: "/var/lib/postgresql/{{ __postgresql_version }}/main" -__postgresql_bin_path: "/usr/lib/postgresql/{{ __postgresql_version }}/bin" -__postgresql_config_path: "/etc/postgresql/{{ __postgresql_version }}/main" -__postgresql_daemon: "postgresql@{{ postgresql_version }}-main" -__postgresql_packages: - - postgresql - - postgresql-contrib - - libpq-dev diff --git a/roles/geerlingguy.postgresql/vars/Debian-buster/sid.yml b/roles/geerlingguy.postgresql/vars/Debian-buster/sid.yml deleted file mode 100644 index fe81ad7..0000000 --- a/roles/geerlingguy.postgresql/vars/Debian-buster/sid.yml +++ /dev/null @@ -1,10 +0,0 @@ ---- -__postgresql_version: "11" -__postgresql_data_dir: "/var/lib/postgresql/{{ __postgresql_version }}/main" -__postgresql_bin_path: "/usr/lib/postgresql/{{ __postgresql_version }}/bin" -__postgresql_config_path: "/etc/postgresql/{{ __postgresql_version }}/main" -__postgresql_daemon: "postgresql@{{ postgresql_version }}-main" -__postgresql_packages: - - postgresql - - postgresql-contrib - - libpq-dev 
diff --git a/roles/geerlingguy.postgresql/vars/Debian-testing.yml b/roles/geerlingguy.postgresql/vars/Debian-testing.yml deleted file mode 100644 index fe81ad7..0000000 --- a/roles/geerlingguy.postgresql/vars/Debian-testing.yml +++ /dev/null @@ -1,10 +0,0 @@ ---- -__postgresql_version: "11" -__postgresql_data_dir: "/var/lib/postgresql/{{ __postgresql_version }}/main" -__postgresql_bin_path: "/usr/lib/postgresql/{{ __postgresql_version }}/bin" -__postgresql_config_path: "/etc/postgresql/{{ __postgresql_version }}/main" -__postgresql_daemon: "postgresql@{{ postgresql_version }}-main" -__postgresql_packages: - - postgresql - - postgresql-contrib - - libpq-dev diff --git a/roles/geerlingguy.postgresql/vars/Fedora-29.yml b/roles/geerlingguy.postgresql/vars/Fedora-29.yml new file mode 100644 index 0000000..4e09932 --- /dev/null +++ b/roles/geerlingguy.postgresql/vars/Fedora-29.yml @@ -0,0 +1,12 @@ +--- +__postgresql_version: "10.5" +__postgresql_data_dir: "/var/lib/pgsql/data" +__postgresql_bin_path: "/usr/bin" +__postgresql_config_path: "/var/lib/pgsql/data" +__postgresql_daemon: postgresql +__postgresql_packages: + - postgresql + - postgresql-server + - postgresql-contrib + - postgresql-libs +postgresql_python_library: python2-psycopg2 diff --git a/roles/geerlingguy.postgresql/vars/Fedora-30.yml b/roles/geerlingguy.postgresql/vars/Fedora-30.yml new file mode 100644 index 0000000..d07f14b --- /dev/null +++ b/roles/geerlingguy.postgresql/vars/Fedora-30.yml @@ -0,0 +1,13 @@ +--- +__postgresql_version: "11.2" +__postgresql_data_dir: "/var/lib/pgsql/data" +__postgresql_bin_path: "/usr/bin" +__postgresql_config_path: "/var/lib/pgsql/data" +__postgresql_daemon: postgresql +__postgresql_packages: + - postgresql + - postgresql-server + - postgresql-contrib + - postgresql-libs +# Fedora 30 containers only have python3 by default +postgresql_python_library: python3-psycopg2 
diff --git a/roles/geerlingguy.postgresql/vars/Ubuntu-14.yml b/roles/geerlingguy.postgresql/vars/Ubuntu-14.yml deleted file mode 100644 index bd6c174..0000000 --- a/roles/geerlingguy.postgresql/vars/Ubuntu-14.yml +++ /dev/null @@ -1,10 +0,0 @@ ---- -__postgresql_version: "9.3" -__postgresql_data_dir: "/var/lib/postgresql/{{ __postgresql_version }}/main" -__postgresql_bin_path: "/usr/lib/postgresql/{{ __postgresql_version }}/bin" -__postgresql_config_path: "/etc/postgresql/{{ __postgresql_version }}/main" -__postgresql_daemon: postgresql -__postgresql_packages: - - postgresql - - postgresql-contrib - - libpq-dev diff --git a/roles/synapse/.gitignore b/roles/synapse/.gitignore new file mode 100644 index 0000000..508d994 --- /dev/null +++ b/roles/synapse/.gitignore @@ -0,0 +1 @@ +tests/roles/ diff --git a/roles/synapse/.gitlab-ci.yml b/roles/synapse/.gitlab-ci.yml new file mode 100644 index 0000000..5d3ed4a --- /dev/null +++ b/roles/synapse/.gitlab-ci.yml @@ -0,0 +1,24 @@ +--- +# -*- coding: utf-8 -*- + +before_script: + - apt-get update -qy + - apt-get install -y python-dev python-pip + - git submodule update --init + - pip install --upgrade ansible ansible-lint + - ansible --version + - ansible-lint --version + +stages: + - ansible-lint + - ansible-syntax-check + +ansible-lint-pip: + stage: ansible-lint + script: + - ansible-lint tests/test-pip.yml + +ansible-lint-docker: + stage: ansible-lint + script: + - ansible-lint tests/test-docker.yml diff --git a/roles/synapse/meta/.galaxy_install_info b/roles/synapse/meta/.galaxy_install_info new file mode 100644 index 0000000..735e9cf --- /dev/null +++ b/roles/synapse/meta/.galaxy_install_info @@ -0,0 +1,2 @@ +install_date: Tue Sep 24 09:13:48 2019 +version: '' diff --git a/roles/synapse/synapse b/roles/synapse/synapse new file mode 120000 index 0000000..17c01eb --- /dev/null +++ b/roles/synapse/synapse @@ -0,0 +1 @@ +synapse \ No newline at end of file 
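Review bot: The `stages` list in roles/synapse/.gitlab-ci.yml declares `ansible-syntax-check` but no job uses it, so the pipeline never syntax-checks the test playbooks it lints. Either drop the stage or add a job for it, e.g. `script: - ansible-playbook -i localhost, --syntax-check tests/test-pip.yml`. `pip install --upgrade ansible ansible-lint` in `before_script` is unpinned, so lint results drift with each upstream release; pinning the two versions keeps the stage deterministic.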
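Review bot: roles/synapse/synapse is added as a symlink (mode 120000) whose target is `synapse`, i.e. the link points at itself. Anything that follows it (galaxy, rsync, a shell glob over the role) hits ELOOP, and nothing in the diff reads that path. It looks like a leftover from the role's original checkout layout and should be removed or pointed at the intended target.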
diff --git a/roles/synapse/tasks/configure.yml b/roles/synapse/tasks/configure.yml new file mode 100644 index 0000000..eda8b82 --- /dev/null +++ b/roles/synapse/tasks/configure.yml @@ -0,0 +1,64 @@ +--- +- name: create user + user: + name: synapse + state: present + register: synapse_user + tags: + - pre_install + +- name: create directory + file: + path: "{{ matrix_synapse_base_path }}" + state: directory + owner: synapse + group: synapse + tags: + - pre_install + +- name: Create secrets directory + file: + path: "{{ matrix_synapse_secrets_path }}" + state: directory + owner: synapse + group: synapse + tags: + - pre_install + +- name: Generate secrets + include_tasks: generate_secret.yml + loop: + - file: "macaroon.key" + var: "macaroon_file" + - file: "registration.key" + var: "registration_shared_secret_file" + - file: "form.key" + var: "form_secret_file" + loop_control: + loop_var: secret + +- name: Create directory for media storage + file: + path: "{{ item }}" + state: directory + owner: synapse + group: synapse + loop: + - "{{ matrix_synapse_config.media_store_path }}" + - "{{ matrix_synapse_config.uploads_path }}" + - "{{ matrix_synapse_base_path }}/tls" + +- name: Deploy config + copy: + content: "{{ matrix_synapse_config | to_nice_yaml }}" + dest: "{{ matrix_synapse_base_path }}/homeserver.yaml" + owner: synapse + group: synapse + notify: + - "restart matrix-synapse" + +- name: Configure logging + import_tasks: logging.yml + +- name: Create certificates + include_tasks: crypto.yml diff --git a/roles/synapse/tasks/crypto.yml b/roles/synapse/tasks/crypto.yml new file mode 100644 index 0000000..6e4b946 --- /dev/null +++ b/roles/synapse/tasks/crypto.yml 
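Review bot: The "Deploy config" task writes homeserver.yaml, which (per vars/main.yml) contains the database password, macaroon key, registration shared secret and form secret, with no `mode:`, so the file is created with the default umask and is typically world-readable on the host. Add `mode: "0600"` to that `copy:` task, and `mode: "0700"` on the "Create secrets directory" task so the generated key files are not listable by other local users. The media and tls directories have the same omission but hold less sensitive data.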
@@ -0,0 +1,32 @@ +--- +- name: Install signedjson + pip: + name: signedjson + +- name: Create signing key + matrix_signing_key: + path: "{{ matrix_synapse_config.signing_key_path }}" + notify: + - "restart matrix-synapse" + +- name: Write server's certificate and private key + block: + - name: create DH parameters + openssl_dhparam: + path: "{{ matrix_synapse_dh_path }}" + owner: synapse + - name: Write certificate + copy: + content: "{{ matrix_synapse_tls_cert }}" + dest: "{{ matrix_synapse_config.tls_certificate_path }}" + owner: synapse + group: synapse + mode: "0644" + - name: Write keyfile + copy: + content: "{{ matrix_synapse_tls_key }}" + dest: "{{ matrix_synapse_config.tls_private_key_path }}" + owner: synapse + group: synapse + mode: "0600" + when: not matrix_synapse_config.no_tls diff --git a/roles/synapse/tasks/deployment.yml b/roles/synapse/tasks/deployment.yml new file mode 100644 index 0000000..a58f217 --- /dev/null +++ b/roles/synapse/tasks/deployment.yml 
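Review bot: "Write keyfile" renders the TLS private key through `content:`, so a run with `-v` or `--diff` prints the key into the Ansible output and any CI log that captures it; add `no_log: true` to that task (and to "Write certificate" if you want symmetric treatment). `matrix_signing_key` is a custom module and this commit ships no `library/` directory for the role, so "Create signing key" fails at runtime unless the module comes from elsewhere in the tree. `pip: name: signedjson` installs into the system interpreter rather than the role's virtualenv, which is presumably deliberate for the custom module — a comment saying so would stop the next reader from "fixing" it.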
@@ -0,0 +1,78 @@ +--- +- name: install synapse with pip into virtualenv + block: + - name: Install dependencies + apt: + name: + - git + - build-essential + - python3-dev + - python-virtualenv + - python-pip + - python-setuptools + - sqlite3 + - libffi-dev + - libssl-dev + - libjpeg-dev + - libxslt1-dev + - libpq-dev + state: present + cache_valid_time: 1800 + tags: + - pre_install + + - name: Create virtualenv + pip: + name: + - pip + - setuptools + virtualenv: "{{ matrix_synapse_base_path }}/env" + virtualenv_python: python3 + extra_args: --upgrade + tags: + - pre_install + + - name: Clone synapse + git: + repo: https://github.com/matrix-org/synapse + dest: "{{ matrix_synapse_base_path }}/synapse" + accept_hostkey: yes + version: "{{ matrix_synapse_version }}" + register: clone_synapse + tags: + - pre_install + + - name: Install Synapse + pip: + name: "{{ matrix_synapse_base_path }}/synapse[matrix-synapse-ldap3,postgres,resources.consent,acme,url_preview]" + virtualenv: "{{ matrix_synapse_base_path }}/env" + when: clone_synapse.changed + tags: + - skip_ansible_lint # skip when clause + - pre_install + notify: restart matrix-synapse + when: matrix_synapse_deployment_method == "pip" + +- name: install synapse with docker + docker_container: + name: synapse + image: "docker.io/matrixdotorg/synapse:{{ matrix_synapse_version }}" + ports: "{{ matrix_synapse_docker_ports }}" + labels: "{{ matrix_synapse_docker_labels }}" + restart_policy: unless-stopped + recreate: true + pull: true + entrypoint: "python" + command: + - "-m" + - "synapse.app.homeserver" + - "-c" + - "{{ matrix_synapse_base_path }}/homeserver.yaml" + user: "{{ synapse_user.uid }}:{{ synapse_user.group }}" + volumes: + - "{{ matrix_synapse_config.media_store_path }}:{{ matrix_synapse_config.media_store_path }}" + - "{{ matrix_synapse_config.uploads_path }}:{{ matrix_synapse_config.uploads_path }}" + - "{{ matrix_synapse_base_path }}/homeserver.yaml:{{ matrix_synapse_base_path }}/homeserver.yaml" + - "{{ 
matrix_synapse_base_path }}/log.config:{{ matrix_synapse_base_path }}/log.config" + - "{{ matrix_synapse_base_path }}/tls:{{ matrix_synapse_base_path }}/tls" + when: matrix_synapse_deployment_method == "docker" diff --git a/roles/synapse/tasks/generate_secret.yml b/roles/synapse/tasks/generate_secret.yml new file mode 100644 index 0000000..8818a28 --- /dev/null +++ b/roles/synapse/tasks/generate_secret.yml @@ -0,0 +1,27 @@ +--- +- name: Set full file path + set_fact: + secret_file_path: "{{ matrix_synapse_secrets_path }}/{{ secret.file }}" + +- name: Check if secret exists + stat: + path: "{{ secret_file_path }}" + register: secret_file_stat + +- name: Generate random string + copy: + content: "{{ lookup('password', '/dev/null chars=ascii_letters,digits length=42') }}" + dest: "{{ secret_file_path }}" + owner: synapse + group: synapse + mode: "0600" + when: + - not secret_file_stat.stat.exists +# TODO: This below is a dirty hack and should be properly revisited +- name: Retrieve secret + slurp: + src: "{{ secret_file_path }}" + register: secret_var + +- name: Set secret.var fact + set_fact: { "{{ secret.var }}": "{{ secret_var }}" } diff --git a/roles/synapse/tasks/logging.yml b/roles/synapse/tasks/logging.yml new file mode 100644 index 0000000..7406f3a --- /dev/null +++ b/roles/synapse/tasks/logging.yml 
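Review bot: "Install Synapse" runs only `when: clone_synapse.changed`, so if the pip install fails part-way, or the virtualenv is recreated, nothing reinstalls Synapse on the next run until the git checkout changes; the `skip_ansible_lint` tag hides exactly the warning about this. Dropping the guard and relying on pip's own idempotence, or keying it on a stat of the installed package, makes the role converge. `accept_hostkey: yes` has no effect on an https clone, and the docker image is pinned by tag while `pull: true` with `recreate: true` means a moved tag is silently redeployed — consider pinning the image by digest. This hunk's docker task also relies on `synapse_user` registered in configure.yml, which is fine as long as configure.yml keeps running first.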
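Review bot: The generated secret passes through `content:`, the slurp result and a registered fact without `no_log`, so `-v` or `--diff` output prints it in clear; add `no_log: true` to "Generate random string", "Retrieve secret" and "Set secret.var fact". `mode: "0600"` applies only when the file is first created (the task is skipped once the stat succeeds), so a pre-existing key file with looser permissions is left as is; a `file:` task setting `mode: "0600"` and `owner: synapse` unconditionally would normalize it. The templated-key `set_fact` is already marked as a hack in the TODO; storing the whole slurp result rather than the decoded value forces every consumer to repeat `| b64decode`.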
@@ -0,0 +1,35 @@ +--- +- name: Logging config (systemd) + block: + - name: create logging folder + file: + name: "{{ matrix_synapse_log_dir }}" + state: directory + owner: synapse + group: synapse + + - name: copy syslog config + template: + src: syslog-synapse.conf.j2 + dest: /etc/rsyslog.d/matrix_synapse.conf + owner: root + notify: restart rsyslog + + - name: template logrotate config + template: + src: logrotate.j2 + dest: /etc/logrotate.d/matrix_synapse + owner: root + when: matrix_synapse_supervision_method == "systemd" + # TODO: Figure out how to make sure that logging ends up in rsyslog no matter what system we run on + +- name: Deploy log config + copy: + src: "log.config" + dest: "{{ matrix_synapse_base_path }}/log.config" + owner: synapse + group: synapse + notify: + - "restart matrix-synapse" + + diff --git a/roles/synapse/tasks/main.yml b/roles/synapse/tasks/main.yml new file mode 100644 index 0000000..6608935 --- /dev/null +++ b/roles/synapse/tasks/main.yml @@ -0,0 +1,16 @@ +--- +- name: check that sypervision and deployment are compatible + fail: + msg: "Either both or neither of deployment and supervision method should be docker." + when: (matrix_synapse_supervision_method == "docker" and matrix_synapse_deployment_method != "docker") or + (matrix_synapse_deployment_method == "docker" and matrix_synapse_supervision_method != "docker") + +- name: configure synapse + import_tasks: configure.yml + +- name: deploy synapse + import_tasks: deployment.yml + +- name: configure service + import_tasks: systemd.yml + when: matrix_synapse_supervision_method == "systemd" diff --git a/roles/synapse/tasks/systemd.yml b/roles/synapse/tasks/systemd.yml new file mode 100644 index 0000000..19e8ea9 --- /dev/null +++ b/roles/synapse/tasks/systemd.yml @@ -0,0 +1,8 @@ +--- +- name: Deploy service file + template: + src: "matrix-synapse.service.j2" + dest: "/etc/systemd/system/matrix-synapse.service" + notify: + - "reload systemd" + - "restart matrix-synapse" 
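Review bot: "Deploy log config" copies `src: "log.config"`, but this commit adds no `roles/synapse/files/log.config` (none appears in the diffstat), so the task fails at runtime unless the file already exists in the tree; if it is meant to be templated from `matrix_synapse_log_dir`, a `template:` task would also keep it consistent with the rsyslog rule. The logging block writes to `/etc/rsyslog.d` and `/etc/logrotate.d` with `owner: root` but no `mode:`; stating `mode: "0644"` makes the intent explicit.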
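Review bot: The compatibility check in tasks/main.yml only rejects mixed docker/non-docker combinations, so a mistyped method value (say `systemd` for deployment) passes the check and then both `when` guards in deployment.yml are false — the role finishes "ok" having deployed nothing. An `assert:` with `that: - matrix_synapse_deployment_method in ["pip", "docker"] - matrix_synapse_supervision_method in ["systemd", "docker"]` fails loudly instead. The role notifies `restart matrix-synapse`, `restart rsyslog` and `reload systemd` and reads `matrix_synapse_base_path`, `matrix_synapse_secrets_path`, `matrix_synapse_dh_path`, `matrix_synapse_signing_key_path`, `matrix_synapse_log_dir` and `matrix_synapse_version`, yet the commit adds no `handlers/main.yml` or `defaults/main.yml`; if those are not already present the role cannot run. The task name also misspells "supervision".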
diff --git a/roles/synapse/templates/logrotate.j2 b/roles/synapse/templates/logrotate.j2 new file mode 100644 index 0000000..c917561 --- /dev/null +++ b/roles/synapse/templates/logrotate.j2 @@ -0,0 +1,10 @@ +{{ ansible_managed | comment }} +/var/log/matrix_synapse/matrix_synapse.log { + daily + rotate {{ matrix_synapse_log_days_keep }} + compress + shred + postrotate + /usr/bin/pkill -HUP rsyslogd + endscript +} diff --git a/roles/synapse/templates/matrix-synapse.service.j2 b/roles/synapse/templates/matrix-synapse.service.j2 new file mode 100644 index 0000000..2e0adca --- /dev/null +++ b/roles/synapse/templates/matrix-synapse.service.j2 @@ -0,0 +1,16 @@ +[Unit] +Description="Matrix Synapse Server (synapse)" + +[Service] +Type=simple +WorkingDirectory={{ matrix_synapse_base_path }} +ExecStart={{ matrix_synapse_base_path }}/env/bin/python -m synapse.app.homeserver --config-path={{ matrix_synapse_base_path }}/homeserver.yaml +ExecStop={{ matrix_synapse_base_path }}/env/bin/synctl stop {{ matrix_synapse_base_path }}/homeserver.yaml +User=synapse +Group=synapse +Restart=always +StandardOutput=syslog +SyslogIdentifier=matrix_synapse + +[Install] +WantedBy=default.target diff --git a/roles/synapse/templates/syslog-synapse.conf.j2 b/roles/synapse/templates/syslog-synapse.conf.j2 new file mode 100644 index 0000000..d98c550 --- /dev/null +++ b/roles/synapse/templates/syslog-synapse.conf.j2 @@ -0,0 +1,2 @@ +if $programname == 'matrix_synapse' then {{ matrix_synapse_log_dir }}/matrix_synapse.log +if $programname == 'matrix_synapse' then ~ diff --git a/roles/synapse/tests/.gitignore b/roles/synapse/tests/.gitignore new file mode 100644 index 0000000..a058c8c --- /dev/null +++ b/roles/synapse/tests/.gitignore @@ -0,0 +1,2 @@ +.vagrant +*.retry diff --git a/roles/synapse/tests/Vagrantfile b/roles/synapse/tests/Vagrantfile new file mode 100644 index 0000000..132c5bd --- /dev/null +++ b/roles/synapse/tests/Vagrantfile 
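Review bot: logrotate.j2 rotates the hard-coded path `/var/log/matrix_synapse/matrix_synapse.log`, while syslog-synapse.conf.j2 writes to `{{ matrix_synapse_log_dir }}/matrix_synapse.log`; with any other `matrix_synapse_log_dir` the rotation silently matches nothing and the log grows unbounded. Use the same variable in both templates: `{{ matrix_synapse_log_dir }}/matrix_synapse.log {`. The rsyslog template's trailing `~` discard action is the legacy form; `& stop` is the documented replacement on current rsyslog.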
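Review bot: The matrix-synapse.service.j2 unit runs a network-facing Python service with no sandboxing directives, so a compromised process keeps write access to the whole filesystem and may gain privileges via setuid binaries. Adding the standard hardening set below costs nothing for this workload (Synapse only writes under `{{ matrix_synapse_base_path }}` and logs via syslog); `ProtectSystem=full` is chosen over `strict` so no `ReadWritePaths` has to be guessed here. `WantedBy=default.target` is unusual for a system service — `multi-user.target` is the conventional choice — and the quotes in `Description="Matrix Synapse Server (synapse)"` probably end up in the displayed description.
```ini
[Service]
# … unchanged: Type, WorkingDirectory, ExecStart, ExecStop, User, Group, Restart, syslog settings …
NoNewPrivileges=true
PrivateTmp=true
ProtectSystem=full
ProtectHome=true
```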
@@ -0,0 +1,25 @@ +# -*- mode: ruby -*- +# vi: set ft=ruby : + +Vagrant.configure("2") do |config| + config.vm.define "pip" do |pip| + pip.vm.box = "debian/stretch64" + + pip.vm.network "forwarded_port", guest: 8008, host: 8008 + pip.vm.network "forwarded_port", guest: 8448, host: 8448 + + pip.vm.provision "ansible" do |ansible| + ansible.playbook = "test-pip.yml" + end + end + config.vm.define "docker" do |docker| + docker.vm.box = "debian/stretch64" + + docker.vm.network "forwarded_port", guest: 8008, host: 8009 + docker.vm.network "forwarded_port", guest: 8448, host: 8449 + + docker.vm.provision "ansible" do |ansible| + ansible.playbook = "test-docker.yml" + end + end +end diff --git a/roles/synapse/tests/ansible.cfg b/roles/synapse/tests/ansible.cfg new file mode 100644 index 0000000..711a199 --- /dev/null +++ b/roles/synapse/tests/ansible.cfg @@ -0,0 +1,3 @@ +[defaults] +nocows=1 +roles_path=./roles:./../../ diff --git a/roles/synapse/tests/requirements.yml b/roles/synapse/tests/requirements.yml new file mode 100644 index 0000000..75f1808 --- /dev/null +++ b/roles/synapse/tests/requirements.yml @@ -0,0 +1,4 @@ +--- +- role: geerlingguy.pip +- role: geerlingguy.docker +- role: geerlingguy.postgresql diff --git a/roles/synapse/tests/test-docker.yml b/roles/synapse/tests/test-docker.yml new file mode 100644 index 0000000..5352b68 --- /dev/null +++ b/roles/synapse/tests/test-docker.yml 
@@ -0,0 +1,52 @@ +--- +- hosts: all + become: true + tasks: + - name: Flush handlers + meta: flush_handlers + + - name: Check if the api returns the correct version + uri: + url: "http://localhost:8008/_matrix/federation/v1/version" + return_content: true + register: api_version + until: api_version.status == 200 + retries: 10 + delay: 2 + + - name: Check returned api version + fail: > + Return value is not as expected {{ api_version }} + when: matrix_synapse_version != "v"~(api_version.content | from_json).server.version + vars: + dbname: synapse + dbuser: synapse_user + dbpw: synapse_password + matrix_synapse_deployment_method: docker + matrix_synapse_supervision_method: docker + roles: + - role: geerlingguy.pip + pip_install_packages: + - name: docker + - role: geerlingguy.docker + - role: geerlingguy.postgresql + postgresql_databases: + - name: "{{ dbname }}" + postgresql_users: + - name: "{{ dbuser }}" + password: "{{ dbpw }}" + postgresql_global_config_options: + - option: listen_addresses + value: "172.17.0.1" + postgresql_hba_entries: + - { type: local, database: all, user: all, auth_method: trust } + - { type: host, database: "{{ dbname }}", user: "{{ dbuser }}", address: "172.17.0.1/16", auth_method: md5 } + - role: matrix-ansible-synapse + matrix_server_name: localhost + matrix_synapse_report_stats: false + matrix_synapse_pg_host: 172.17.0.1 + matrix_synapse_pg_user: "{{ dbuser }}" + matrix_synapse_pg_pass: "{{ dbpw }}" + matrix_synapse_pg_db: "{{ dbname }}" + matrix_synapse_extra_config: + no_tls: true diff --git a/roles/synapse/tests/test-pip.yml b/roles/synapse/tests/test-pip.yml new file mode 100644 index 0000000..156e607 --- /dev/null +++ b/roles/synapse/tests/test-pip.yml 
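Review bot: "Check returned api version" passes free-form text to `fail: >` instead of `msg:`; the `fail` module takes no free-form argument, so when the check fires the task errors on an unsupported parameter instead of printing the intended message — write it as test-pip.yml does: `fail:` / `msg: "Return value {{ api_version }} is not as expected {{ matrix_synapse_version }}"`. Both test playbooks reference the role as `matrix-ansible-synapse`, while the role committed here lives in `roles/synapse`; with `roles_path=./roles:./../../` that name only resolves if a checkout under that name exists, so the tests presumably fail to find the role as committed. The hba entry `local all all trust` and the hard-coded `172.17.0.1` bridge address are acceptable for a disposable test VM but should not migrate into a real inventory.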
@@ -0,0 +1,44 @@ +--- +- hosts: all + become: true + vars: + dbname: synapse + dbuser: synapse_user + dbpw: synapse_password + tasks: + - name: Flush handlers + meta: flush_handlers + + - name: Check if the api returns the correct version + uri: + url: "http://localhost:8008/_matrix/federation/v1/version" + return_content: true + register: api_version + until: api_version.status == 200 + retries: 10 + delay: 2 + + - name: Check returned api version + fail: + msg: "Return value {{ api_version }} is not as expected {{ matrix_synapse_version }}" + when: matrix_synapse_version != "v"~(api_version.content | from_json).server.version + roles: + - role: geerlingguy.pip + - role: geerlingguy.postgresql + postgresql_databases: + - name: "{{ dbname }}" + postgresql_users: + - name: "{{ dbuser }}" + password: "{{ dbpw }}" + postgresql_global_config_options: + - option: listen_addresses + value: "*" + - role: matrix-ansible-synapse + matrix_server_name: localhost + matrix_synapse_report_stats: false + matrix_synapse_pg_host: localhost + matrix_synapse_pg_user: "{{ dbuser }}" + matrix_synapse_pg_pass: "{{ dbpw }}" + matrix_synapse_pg_db: "{{ dbname }}" + matrix_synapse_extra_config: + no_tls: true diff --git a/roles/synapse/vars/main.yml b/roles/synapse/vars/main.yml new file mode 100644 index 0000000..f149c58 --- /dev/null +++ b/roles/synapse/vars/main.yml 
@@ -0,0 +1,141 @@ +--- +matrix_synapse_config: "{{ matrix_synapse_base_config | combine(matrix_synapse_extra_config, recursive=True) }}" +matrix_synapse_base_config: + server_name: "{{ matrix_server_name }}" + tls_certificate_path: "{{ matrix_synapse_base_path }}/tls/{{ matrix_server_name }}.crt" + tls_private_key_path: "{{ matrix_synapse_base_path }}/tls/{{ matrix_server_name }}.key" + acme: + enabled: false + url: https://acme-v01.api.letsencrypt.org/directory + port: 80 + bind_addresses: ['::', '0.0.0.0'] + reprovision_threshold: 30 + no_tls: false + tls_fingerprints: [] + pid_file: "{{ matrix_synapse_base_path }}/synapse.pid" + soft_file_limit: 0 + use_presence: true + listeners: + - port: 8448 + bind_addresses: + - '::' + - '0.0.0.0' + type: http + tls: true + x_forwarded: false + resources: + - names: [client] + compress: true + - names: [federation] + compress: false + - port: 8008 + tls: false + bind_addresses: + - '::' + - '0.0.0.0' + type: http + x_forwarded: false + resources: + - names: [client] + compress: true + - names: [federation] + compress: false + database: + name: "psycopg2" + args: + user: "{{ matrix_synapse_pg_user }}" + password: "{{ matrix_synapse_pg_pass }}" + database: "{{ matrix_synapse_pg_db }}" + host: "{{ matrix_synapse_pg_host }}" + cp_min: 5 + cp_max: 10 + log_config: "{{ matrix_synapse_base_path }}/log.config" + event_cache_size: "10K" + rc_messages_per_second: 0.2 + rc_message_burst_count: 10.0 + federation_rc_window_size: 1000 + federation_rc_sleep_limit: 10 + federation_rc_sleep_delay: 500 + federation_rc_reject_limit: 50 + federation_rc_concurrent: 3 + media_store_path: "{{ matrix_synapse_base_path }}/media_store" + uploads_path: "{{ matrix_synapse_base_path }}/uploads" + max_upload_size: "23M" + max_image_pixels: "32M" + dynamic_thumbnails: false + thumbnail_sizes: + - width: 32 + height: 32 + method: crop + - width: 96 + height: 96 + method: crop + - width: 320 + height: 240 + method: scale + - width: 640 + height: 480 + 
method: scale + - width: 800 + height: 600 + method: scale + url_preview_enabled: true + url_preview_ip_range_blacklist: + - '127.0.0.0/8' + - '10.0.0.0/8' + - '172.16.0.0/12' + - '192.168.0.0/16' + - '100.64.0.0/10' + - '169.254.0.0/16' + - '::1/128' + - 'fe80::/64' + - 'fc00::/7' + url_preview_url_blacklist: + - username: '*' + - netloc: 'google.com' + - netloc: '*.google.com' + - netloc: 'twitter.com' + - netloc: '*.twitter.com' + - netloc: 't.co' + - netloc: '*.t.co' + max_spider_size: "10M" + enable_registration: False + registration_shared_secret: > + "{{ registration_shared_secret_file.content | b64decode }}" + form_secret: "{{ form_secret_file.content | b64decode }}" + bcrypt_rounds: 12 + allow_guest_access: False + trusted_third_party_id_servers: + - matrix.org + - vector.im + autocreate_auto_join_rooms: true + enable_metrics: False + report_stats: "{{ matrix_synapse_report_stats }}" + room_invite_state_types: + - "m.room.join_rules" + - "m.room.canonical_alias" + - "m.room.avatar" + - "m.room.name" + app_service_config_files: [] + track_appservice_user_ips: False + macaroon_secret_key: "{{ macaroon_file.content | b64decode }}" + expire_access_token: False + signing_key_path: "{{ matrix_synapse_signing_key_path }}" + old_signing_keys: {} + key_refresh_interval: "1d" # 1 Day. + # TODO: More servers should be added + perspectives: + servers: + "matrix.org": + verify_keys: + "ed25519:auto": + key: "Noi6WqcDj0QmPxCNQqgezwTlBKrfqehY1u2FyWP9uYw" + password_config: + enabled: true + push: + include_content: false + enable_group_creation: true + alias_creation_rules: + - user_id: "*" + alias: "*" + action: allow
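Review bot: `registration_shared_secret: >` followed by a quoted template on the next line yields a folded block scalar, so the configured value is the literal double quotes plus the secret plus a trailing newline, not the 42-character string stored in registration.key; registration calls signed with the file's value will therefore fail. Write it like the sibling keys: `registration_shared_secret: "{{ registration_shared_secret_file.content | b64decode }}"`. The 8008 listener binds `::` and `0.0.0.0` with `tls: false` and `x_forwarded: false`, which exposes the plaintext client and federation API on every interface; bind it to loopback when a reverse proxy terminates TLS. Booleans are spelled both `False` and `false` in this file — pick lowercase `true`/`false` throughout — and the `acme.url` points at the v01 directory, which should be confirmed against the Synapse version being deployed.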