add requirements file,hosts.ini and README
This commit is contained in:
parent
b8296f4bee
commit
fbccf37df6
@ -1,32 +0,0 @@
|
|||||||
stages:
|
|
||||||
# - ansible-lint
|
|
||||||
- deploy_app
|
|
||||||
|
|
||||||
# ansible-lint:
|
|
||||||
# only:
|
|
||||||
# - master
|
|
||||||
# stage: ansible-lint
|
|
||||||
# image: yokogawa/ansible-lint
|
|
||||||
# allow_failure: true
|
|
||||||
# script:
|
|
||||||
|
|
||||||
# - 'ansible-lint setup.yml'
|
|
||||||
|
|
||||||
deploy_app:
|
|
||||||
only:
|
|
||||||
- master
|
|
||||||
stage: deploy_app
|
|
||||||
# TODO: use private ubuntu w/ ansible image to not reinstall ansible at every build
|
|
||||||
# not working:
|
|
||||||
# image: williamyeh/ansible:ubuntu18.04
|
|
||||||
# running systemd requires privileged container so instead of running services we run processes as daemons
|
|
||||||
# not working:
|
|
||||||
# image: jrei/systemd-ubuntu:latest
|
|
||||||
image: ubuntu:latest
|
|
||||||
script:
|
|
||||||
- apt-add-repository --yes --update ppa:ansible/ansible
|
|
||||||
# useless?
|
|
||||||
# - apt update
|
|
||||||
# sudo is used by some roles and not installed on docker
|
|
||||||
- apt install --yes sudo software-properties-common ansible
|
|
||||||
- "ansible-playbook -i gitlab-ci-inventory.ini setup.yml -vv --extra-var docker_enabled=true"
|
|
14
README.md
14
README.md
@ -1,3 +1,15 @@
|
|||||||
# Fuz Playbooks
|
# Fuz Playbooks
|
||||||
|
|
||||||
Playbooks for (relatively) easy sysadmin!
|
Playbooks for (relatively) easy sysadmin!
|
||||||
|
|
||||||
|
## With Vagrant
|
||||||
|
1. `vagrant up`
|
||||||
|
2. Install ansible
|
||||||
|
3. Install the roles: `ansible-galaxy install -r requirements.yml`
|
||||||
|
4. Launch the playbook: `ansible-playbook setup.yml`
|
||||||
|
|
||||||
|
## With a real server
|
||||||
|
1. Edit the file `hosts.ini`
|
||||||
|
2. Install ansible
|
||||||
|
3. Install the roles: `ansible-galaxy install -r requirements.yml`
|
||||||
|
4. Launch the playbook: `ansible-playbook setup.yml`
|
@ -1,3 +1,4 @@
|
|||||||
[defaults]
|
[defaults]
|
||||||
inventory = hosts.ini
|
inventory = hosts.ini
|
||||||
host_key_checking = False
|
host_key_checking = False
|
||||||
|
roles_path = roles/
|
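Review bot: The new `roles_path = roles/` line makes this file (it reads as the project's ansible.cfg; the section's file name is not shown) the configuration behind every run the README in this commit describes, including the new "With a real server" workflow, and the line above it still carries `host_key_checking = False`. With that setting the SSH host key of a real server is never verified, so a first-contact impersonation of the host goes unnoticed; that was tolerable for a throwaway Vagrant box or the CI container this same commit deletes, but not for the server workflow it now documents. I would drop that line from the committed config and, if the Vagrant path still needs it, set `ANSIBLE_HOST_KEY_CHECKING=False` in that environment only, leaving `hosts.ini` entries under default checking.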
@ -1,5 +0,0 @@
|
|||||||
docker-shared-runner ansible_connection=local become=true
|
|
||||||
[postgresql]
|
|
||||||
docker-shared-runner
|
|
||||||
[synapse]
|
|
||||||
docker-shared-runner
|
|
18
requirements.yml
Normal file
18
requirements.yml
Normal file
@ -0,0 +1,18 @@
|
|||||||
|
# from galaxy
|
||||||
|
- src: geerlingguy.pip
|
||||||
|
- src: geerlingguy.postgresql
|
||||||
|
|
||||||
|
# from GitHub, overriding the name and specifying a specific tag
|
||||||
|
# - src: https://github.com/bennojoy/nginx
|
||||||
|
# version: master
|
||||||
|
# name: nginx_role
|
||||||
|
|
||||||
|
# from a webserver, where the role is packaged in a tar.gz
|
||||||
|
# - src: https://some.webserver.example.com/files/master.tar.gz
|
||||||
|
# name: http-role
|
||||||
|
|
||||||
|
|
||||||
|
# from GitLab or other git-based scm, using git+ssh
|
||||||
|
- src: https://gitlab.com/famedly/ansible/synapse
|
||||||
|
scm: git
|
||||||
|
# version: "0.1" # quoted, so YAML doesn't parse this as a floating-point value
|
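Review bot: None of the three sources is pinned — `geerlingguy.pip`, `geerlingguy.postgresql` and the git source `https://gitlab.com/famedly/ansible/synapse` (with `scm: git`) are fetched at whatever version Galaxy or the branch head offers when the README's `ansible-galaxy install -r requirements.yml` runs, and the only `version:` line in the file is the commented-out example at the end. This commit also vendors copies of these roles under `roles/` (the `.galaxy_install_info` hunks record 1.3.0 and 2.0.0 for what appear to be the two geerlingguy roles, and an empty version for synapse), so an unpinned install silently replaces those reviewed snapshots with different code — a reproducibility and supply-chain problem for roles that write TLS keys, database credentials and systemd units. Add a `version:` under each entry, e.g. `version: "2.0.0"` for `geerlingguy.postgresql` to match the committed copy, and a tag or commit id for the synapse role (`version: "<pinned-tag-or-sha>"`, value to be chosen by the maintainer). The comment `# from GitLab or other git-based scm, using git+ssh` above the synapse entry is also inaccurate, since the `src` is an https URL.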
@ -1,2 +1,2 @@
|
|||||||
install_date: Thu Sep 12 20:00:01 2019
|
install_date: Tue Sep 24 09:13:41 2019
|
||||||
version: 1.3.0
|
version: 1.3.0
|
||||||
|
@ -7,6 +7,7 @@ env:
|
|||||||
- ROLE_NAME: postgresql
|
- ROLE_NAME: postgresql
|
||||||
matrix:
|
matrix:
|
||||||
- MOLECULE_DISTRO: centos7
|
- MOLECULE_DISTRO: centos7
|
||||||
|
- MOLECULE_DISTRO: fedora30
|
||||||
- MOLECULE_DISTRO: ubuntu1804
|
- MOLECULE_DISTRO: ubuntu1804
|
||||||
- MOLECULE_DISTRO: ubuntu1604
|
- MOLECULE_DISTRO: ubuntu1604
|
||||||
- MOLECULE_DISTRO: debian10
|
- MOLECULE_DISTRO: debian10
|
||||||
|
@ -1,2 +1,2 @@
|
|||||||
install_date: Thu Sep 12 20:01:17 2019
|
install_date: Tue Sep 24 09:13:46 2019
|
||||||
version: 1.4.6
|
version: 2.0.0
|
||||||
|
@ -12,12 +12,20 @@ galaxy_info:
|
|||||||
versions:
|
versions:
|
||||||
- 6
|
- 6
|
||||||
- 7
|
- 7
|
||||||
|
- name: Fedora
|
||||||
|
versions:
|
||||||
|
- 29
|
||||||
|
- 30
|
||||||
- name: Ubuntu
|
- name: Ubuntu
|
||||||
versions:
|
versions:
|
||||||
- all
|
- xenial
|
||||||
|
- bionic
|
||||||
- name: Debian
|
- name: Debian
|
||||||
versions:
|
versions:
|
||||||
- all
|
- wheezy
|
||||||
|
- jessie
|
||||||
|
- stretch
|
||||||
|
- buster
|
||||||
galaxy_tags:
|
galaxy_tags:
|
||||||
- database
|
- database
|
||||||
- postgresql
|
- postgresql
|
||||||
|
@ -10,6 +10,17 @@
|
|||||||
- name: jdoe
|
- name: jdoe
|
||||||
|
|
||||||
pre_tasks:
|
pre_tasks:
|
||||||
|
# The Fedora 30+ container images have only C.UTF-8 installed
|
||||||
|
- name: Set database locale if using Fedora 30+
|
||||||
|
set_fact:
|
||||||
|
postgresql_databases:
|
||||||
|
- name: example
|
||||||
|
lc_collate: 'C.UTF-8'
|
||||||
|
lc_ctype: 'C.UTF-8'
|
||||||
|
when:
|
||||||
|
- ansible_distribution == 'Fedora'
|
||||||
|
- ansible_distribution_major_version >= '30'
|
||||||
|
|
||||||
- name: Update apt cache.
|
- name: Update apt cache.
|
||||||
apt: update_cache=true cache_valid_time=600
|
apt: update_cache=true cache_valid_time=600
|
||||||
when: ansible_os_family == 'Debian'
|
when: ansible_os_family == 'Debian'
|
||||||
|
@ -16,7 +16,7 @@
|
|||||||
group: "{{ postgresql_group }}"
|
group: "{{ postgresql_group }}"
|
||||||
mode: 0600
|
mode: 0600
|
||||||
notify: restart postgresql
|
notify: restart postgresql
|
||||||
when: postgresql_hba_entries
|
when: postgresql_hba_entries | length > 0
|
||||||
|
|
||||||
- name: Ensure PostgreSQL unix socket dirs exist.
|
- name: Ensure PostgreSQL unix socket dirs exist.
|
||||||
file:
|
file:
|
||||||
|
@ -17,9 +17,7 @@
|
|||||||
name: "{{ postgresql_daemon }}"
|
name: "{{ postgresql_daemon }}"
|
||||||
state: "{{ postgresql_service_state }}"
|
state: "{{ postgresql_service_state }}"
|
||||||
enabled: "{{ postgresql_service_enabled }}"
|
enabled: "{{ postgresql_service_enabled }}"
|
||||||
when: not docker_enabled
|
|
||||||
|
|
||||||
|
|
||||||
# Configure PostgreSQL.
|
# Configure PostgreSQL.
|
||||||
- import_tasks: databases.yml
|
|
||||||
- import_tasks: users.yml
|
- import_tasks: users.yml
|
||||||
|
- import_tasks: databases.yml
|
||||||
|
@ -1,12 +1,16 @@
|
|||||||
---
|
---
|
||||||
- name: Ensure PostgreSQL packages are installed.
|
- name: Ensure PostgreSQL packages are installed.
|
||||||
package:
|
yum:
|
||||||
name: "{{ postgresql_packages }}"
|
name: "{{ postgresql_packages }}"
|
||||||
state: present
|
state: present
|
||||||
enablerepo: "{{ postgresql_enablerepo | default(omit, true) }}"
|
enablerepo: "{{ postgresql_enablerepo | default(omit, true) }}"
|
||||||
|
# Don't let postgresql-contrib cause the /usr/bin/python symlink
|
||||||
|
# to be installed, which breaks later Ansible runs on Fedora 30,
|
||||||
|
# and affects system behavior in multiple ways.
|
||||||
|
exclude: python-unversioned-command
|
||||||
|
|
||||||
- name: Ensure PostgreSQL Python libraries are installed.
|
- name: Ensure PostgreSQL Python libraries are installed.
|
||||||
package:
|
yum:
|
||||||
name: "{{ postgresql_python_library }}"
|
name: "{{ postgresql_python_library }}"
|
||||||
state: present
|
state: present
|
||||||
enablerepo: "{{ postgresql_enablerepo | default(omit, true) }}"
|
enablerepo: "{{ postgresql_enablerepo | default(omit, true) }}"
|
||||||
|
@ -6,7 +6,13 @@
|
|||||||
|
|
||||||
- name: Include OS-specific variables (RedHat).
|
- name: Include OS-specific variables (RedHat).
|
||||||
include_vars: "{{ ansible_os_family }}-{{ ansible_distribution_version.split('.')[0] }}.yml"
|
include_vars: "{{ ansible_os_family }}-{{ ansible_distribution_version.split('.')[0] }}.yml"
|
||||||
when: ansible_os_family == 'RedHat'
|
when:
|
||||||
|
- ansible_os_family == 'RedHat'
|
||||||
|
- ansible_distribution != 'Fedora'
|
||||||
|
|
||||||
|
- name: Include OS-specific variables (Fedora).
|
||||||
|
include_vars: "{{ ansible_distribution }}-{{ ansible_distribution_version.split('.')[0] }}.yml"
|
||||||
|
when: ansible_distribution == 'Fedora'
|
||||||
|
|
||||||
- name: Define postgresql_packages.
|
- name: Define postgresql_packages.
|
||||||
set_fact:
|
set_fact:
|
||||||
|
@ -1,10 +0,0 @@
|
|||||||
---
|
|
||||||
__postgresql_version: "11"
|
|
||||||
__postgresql_data_dir: "/var/lib/postgresql/{{ __postgresql_version }}/main"
|
|
||||||
__postgresql_bin_path: "/usr/lib/postgresql/{{ __postgresql_version }}/bin"
|
|
||||||
__postgresql_config_path: "/etc/postgresql/{{ __postgresql_version }}/main"
|
|
||||||
__postgresql_daemon: "postgresql@{{ postgresql_version }}-main"
|
|
||||||
__postgresql_packages:
|
|
||||||
- postgresql
|
|
||||||
- postgresql-contrib
|
|
||||||
- libpq-dev
|
|
@ -1,10 +0,0 @@
|
|||||||
---
|
|
||||||
__postgresql_version: "11"
|
|
||||||
__postgresql_data_dir: "/var/lib/postgresql/{{ __postgresql_version }}/main"
|
|
||||||
__postgresql_bin_path: "/usr/lib/postgresql/{{ __postgresql_version }}/bin"
|
|
||||||
__postgresql_config_path: "/etc/postgresql/{{ __postgresql_version }}/main"
|
|
||||||
__postgresql_daemon: "postgresql@{{ postgresql_version }}-main"
|
|
||||||
__postgresql_packages:
|
|
||||||
- postgresql
|
|
||||||
- postgresql-contrib
|
|
||||||
- libpq-dev
|
|
@ -1,10 +0,0 @@
|
|||||||
---
|
|
||||||
__postgresql_version: "11"
|
|
||||||
__postgresql_data_dir: "/var/lib/postgresql/{{ __postgresql_version }}/main"
|
|
||||||
__postgresql_bin_path: "/usr/lib/postgresql/{{ __postgresql_version }}/bin"
|
|
||||||
__postgresql_config_path: "/etc/postgresql/{{ __postgresql_version }}/main"
|
|
||||||
__postgresql_daemon: "postgresql@{{ postgresql_version }}-main"
|
|
||||||
__postgresql_packages:
|
|
||||||
- postgresql
|
|
||||||
- postgresql-contrib
|
|
||||||
- libpq-dev
|
|
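--- a/roles/geerlingguy.postgresql/vars/Fedora-29.yml
+++ b/roles/geerlingguy.postgresql/vars/Fedora-29.yml
@@ -0,0 +1,12 @@
+---
+__postgresql_version: "10.5"
+__postgresql_data_dir: "/var/lib/pgsql/data"
+__postgresql_bin_path: "/usr/bin"
+__postgresql_config_path: "/var/lib/pgsql/data"
+__postgresql_daemon: postgresql
+__postgresql_packages:
+- postgresql
+- postgresql-server
+- postgresql-contrib
+- postgresql-libs
+postgresql_python_library: python2-psycopg2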
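--- a/roles/geerlingguy.postgresql/vars/Fedora-30.yml
+++ b/roles/geerlingguy.postgresql/vars/Fedora-30.yml
@@ -0,0 +1,13 @@
+---
+__postgresql_version: "11.2"
+__postgresql_data_dir: "/var/lib/pgsql/data"
+__postgresql_bin_path: "/usr/bin"
+__postgresql_config_path: "/var/lib/pgsql/data"
+__postgresql_daemon: postgresql
+__postgresql_packages:
+- postgresql
+- postgresql-server
+- postgresql-contrib
+- postgresql-libs
+# Fedora 30 containers only have python3 by default
+postgresql_python_library: python3-psycopg2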
@ -1,10 +0,0 @@
|
|||||||
---
|
|
||||||
__postgresql_version: "9.3"
|
|
||||||
__postgresql_data_dir: "/var/lib/postgresql/{{ __postgresql_version }}/main"
|
|
||||||
__postgresql_bin_path: "/usr/lib/postgresql/{{ __postgresql_version }}/bin"
|
|
||||||
__postgresql_config_path: "/etc/postgresql/{{ __postgresql_version }}/main"
|
|
||||||
__postgresql_daemon: postgresql
|
|
||||||
__postgresql_packages:
|
|
||||||
- postgresql
|
|
||||||
- postgresql-contrib
|
|
||||||
- libpq-dev
|
|
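--- a/roles/synapse/.gitignore
+++ b/roles/synapse/.gitignore
@@ -0,0 +1 @@
+tests/roles/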
24
roles/synapse/.gitlab-ci.yml
Normal file
24
roles/synapse/.gitlab-ci.yml
Normal file
@ -0,0 +1,24 @@
|
|||||||
|
---
|
||||||
|
# -*- coding: utf-8 -*-
|
||||||
|
|
||||||
|
before_script:
|
||||||
|
- apt-get update -qy
|
||||||
|
- apt-get install -y python-dev python-pip
|
||||||
|
- git submodule update --init
|
||||||
|
- pip install --upgrade ansible ansible-lint
|
||||||
|
- ansible --version
|
||||||
|
- ansible-lint --version
|
||||||
|
|
||||||
|
stages:
|
||||||
|
- ansible-lint
|
||||||
|
- ansible-syntax-check
|
||||||
|
|
||||||
|
ansible-lint-pip:
|
||||||
|
stage: ansible-lint
|
||||||
|
script:
|
||||||
|
- ansible-lint tests/test-pip.yml
|
||||||
|
|
||||||
|
ansible-lint-docker:
|
||||||
|
stage: ansible-lint
|
||||||
|
script:
|
||||||
|
- ansible-lint tests/test-docker.yml
|
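--- a/roles/synapse/meta/.galaxy_install_info
+++ b/roles/synapse/meta/.galaxy_install_info
@@ -0,0 +1,2 @@
+install_date: Tue Sep 24 09:13:48 2019
+version: ''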
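--- a/roles/synapse/synapse
+++ b/roles/synapse/synapse
@@ -0,0 +1 @@
+synapse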
64
roles/synapse/tasks/configure.yml
Normal file
64
roles/synapse/tasks/configure.yml
Normal file
@ -0,0 +1,64 @@
|
|||||||
|
---
|
||||||
|
- name: create user
|
||||||
|
user:
|
||||||
|
name: synapse
|
||||||
|
state: present
|
||||||
|
register: synapse_user
|
||||||
|
tags:
|
||||||
|
- pre_install
|
||||||
|
|
||||||
|
- name: create directory
|
||||||
|
file:
|
||||||
|
path: "{{ matrix_synapse_base_path }}"
|
||||||
|
state: directory
|
||||||
|
owner: synapse
|
||||||
|
group: synapse
|
||||||
|
tags:
|
||||||
|
- pre_install
|
||||||
|
|
||||||
|
- name: Create secrets directory
|
||||||
|
file:
|
||||||
|
path: "{{ matrix_synapse_secrets_path }}"
|
||||||
|
state: directory
|
||||||
|
owner: synapse
|
||||||
|
group: synapse
|
||||||
|
tags:
|
||||||
|
- pre_install
|
||||||
|
|
||||||
|
- name: Generate secrets
|
||||||
|
include_tasks: generate_secret.yml
|
||||||
|
loop:
|
||||||
|
- file: "macaroon.key"
|
||||||
|
var: "macaroon_file"
|
||||||
|
- file: "registration.key"
|
||||||
|
var: "registration_shared_secret_file"
|
||||||
|
- file: "form.key"
|
||||||
|
var: "form_secret_file"
|
||||||
|
loop_control:
|
||||||
|
loop_var: secret
|
||||||
|
|
||||||
|
- name: Create directory for media storage
|
||||||
|
file:
|
||||||
|
path: "{{ item }}"
|
||||||
|
state: directory
|
||||||
|
owner: synapse
|
||||||
|
group: synapse
|
||||||
|
loop:
|
||||||
|
- "{{ matrix_synapse_config.media_store_path }}"
|
||||||
|
- "{{ matrix_synapse_config.uploads_path }}"
|
||||||
|
- "{{ matrix_synapse_base_path }}/tls"
|
||||||
|
|
||||||
|
- name: Deploy config
|
||||||
|
copy:
|
||||||
|
content: "{{ matrix_synapse_config | to_nice_yaml }}"
|
||||||
|
dest: "{{ matrix_synapse_base_path }}/homeserver.yaml"
|
||||||
|
owner: synapse
|
||||||
|
group: synapse
|
||||||
|
notify:
|
||||||
|
- "restart matrix-synapse"
|
||||||
|
|
||||||
|
- name: Configure logging
|
||||||
|
import_tasks: logging.yml
|
||||||
|
|
||||||
|
- name: Create certificates
|
||||||
|
include_tasks: crypto.yml
|
32
roles/synapse/tasks/crypto.yml
Normal file
32
roles/synapse/tasks/crypto.yml
Normal file
@ -0,0 +1,32 @@
|
|||||||
|
---
|
||||||
|
- name: Install signedjson
|
||||||
|
pip:
|
||||||
|
name: signedjson
|
||||||
|
|
||||||
|
- name: Create signing key
|
||||||
|
matrix_signing_key:
|
||||||
|
path: "{{ matrix_synapse_config.signing_key_path }}"
|
||||||
|
notify:
|
||||||
|
- "restart matrix-synapse"
|
||||||
|
|
||||||
|
- name: Write server's certificate and private key
|
||||||
|
block:
|
||||||
|
- name: create DH parameters
|
||||||
|
openssl_dhparam:
|
||||||
|
path: "{{ matrix_synapse_dh_path }}"
|
||||||
|
owner: synapse
|
||||||
|
- name: Write certificate
|
||||||
|
copy:
|
||||||
|
content: "{{ matrix_synapse_tls_cert }}"
|
||||||
|
dest: "{{ matrix_synapse_config.tls_certificate_path }}"
|
||||||
|
owner: synapse
|
||||||
|
group: synapse
|
||||||
|
mode: "0644"
|
||||||
|
- name: Write keyfile
|
||||||
|
copy:
|
||||||
|
content: "{{ matrix_synapse_tls_key }}"
|
||||||
|
dest: "{{ matrix_synapse_config.tls_private_key_path }}"
|
||||||
|
owner: synapse
|
||||||
|
group: synapse
|
||||||
|
mode: "0600"
|
||||||
|
when: not matrix_synapse_config.no_tls
|
78
roles/synapse/tasks/deployment.yml
Normal file
78
roles/synapse/tasks/deployment.yml
Normal file
@ -0,0 +1,78 @@
|
|||||||
|
---
|
||||||
|
- name: install synapse with pip into virtualenv
|
||||||
|
block:
|
||||||
|
- name: Install dependencies
|
||||||
|
apt:
|
||||||
|
name:
|
||||||
|
- git
|
||||||
|
- build-essential
|
||||||
|
- python3-dev
|
||||||
|
- python-virtualenv
|
||||||
|
- python-pip
|
||||||
|
- python-setuptools
|
||||||
|
- sqlite3
|
||||||
|
- libffi-dev
|
||||||
|
- libssl-dev
|
||||||
|
- libjpeg-dev
|
||||||
|
- libxslt1-dev
|
||||||
|
- libpq-dev
|
||||||
|
state: present
|
||||||
|
cache_valid_time: 1800
|
||||||
|
tags:
|
||||||
|
- pre_install
|
||||||
|
|
||||||
|
- name: Create virtualenv
|
||||||
|
pip:
|
||||||
|
name:
|
||||||
|
- pip
|
||||||
|
- setuptools
|
||||||
|
virtualenv: "{{ matrix_synapse_base_path }}/env"
|
||||||
|
virtualenv_python: python3
|
||||||
|
extra_args: --upgrade
|
||||||
|
tags:
|
||||||
|
- pre_install
|
||||||
|
|
||||||
|
- name: Clone synapse
|
||||||
|
git:
|
||||||
|
repo: https://github.com/matrix-org/synapse
|
||||||
|
dest: "{{ matrix_synapse_base_path }}/synapse"
|
||||||
|
accept_hostkey: yes
|
||||||
|
version: "{{ matrix_synapse_version }}"
|
||||||
|
register: clone_synapse
|
||||||
|
tags:
|
||||||
|
- pre_install
|
||||||
|
|
||||||
|
- name: Install Synapse
|
||||||
|
pip:
|
||||||
|
name: "{{ matrix_synapse_base_path }}/synapse[matrix-synapse-ldap3,postgres,resources.consent,acme,url_preview]"
|
||||||
|
virtualenv: "{{ matrix_synapse_base_path }}/env"
|
||||||
|
when: clone_synapse.changed
|
||||||
|
tags:
|
||||||
|
- skip_ansible_lint # skip when clause
|
||||||
|
- pre_install
|
||||||
|
notify: restart matrix-synapse
|
||||||
|
when: matrix_synapse_deployment_method == "pip"
|
||||||
|
|
||||||
|
- name: install synapse with docker
|
||||||
|
docker_container:
|
||||||
|
name: synapse
|
||||||
|
image: "docker.io/matrixdotorg/synapse:{{ matrix_synapse_version }}"
|
||||||
|
ports: "{{ matrix_synapse_docker_ports }}"
|
||||||
|
labels: "{{ matrix_synapse_docker_labels }}"
|
||||||
|
restart_policy: unless-stopped
|
||||||
|
recreate: true
|
||||||
|
pull: true
|
||||||
|
entrypoint: "python"
|
||||||
|
command:
|
||||||
|
- "-m"
|
||||||
|
- "synapse.app.homeserver"
|
||||||
|
- "-c"
|
||||||
|
- "{{ matrix_synapse_base_path }}/homeserver.yaml"
|
||||||
|
user: "{{ synapse_user.uid }}:{{ synapse_user.group }}"
|
||||||
|
volumes:
|
||||||
|
- "{{ matrix_synapse_config.media_store_path }}:{{ matrix_synapse_config.media_store_path }}"
|
||||||
|
- "{{ matrix_synapse_config.uploads_path }}:{{ matrix_synapse_config.uploads_path }}"
|
||||||
|
- "{{ matrix_synapse_base_path }}/homeserver.yaml:{{ matrix_synapse_base_path }}/homeserver.yaml"
|
||||||
|
- "{{ matrix_synapse_base_path }}/log.config:{{ matrix_synapse_base_path }}/log.config"
|
||||||
|
- "{{ matrix_synapse_base_path }}/tls:{{ matrix_synapse_base_path }}/tls"
|
||||||
|
when: matrix_synapse_deployment_method == "docker"
|
27
roles/synapse/tasks/generate_secret.yml
Normal file
27
roles/synapse/tasks/generate_secret.yml
Normal file
@ -0,0 +1,27 @@
|
|||||||
|
---
|
||||||
|
- name: Set full file path
|
||||||
|
set_fact:
|
||||||
|
secret_file_path: "{{ matrix_synapse_secrets_path }}/{{ secret.file }}"
|
||||||
|
|
||||||
|
- name: Check if secret exists
|
||||||
|
stat:
|
||||||
|
path: "{{ secret_file_path }}"
|
||||||
|
register: secret_file_stat
|
||||||
|
|
||||||
|
- name: Generate random string
|
||||||
|
copy:
|
||||||
|
content: "{{ lookup('password', '/dev/null chars=ascii_letters,digits length=42') }}"
|
||||||
|
dest: "{{ secret_file_path }}"
|
||||||
|
owner: synapse
|
||||||
|
group: synapse
|
||||||
|
mode: "0600"
|
||||||
|
when:
|
||||||
|
- not secret_file_stat.stat.exists
|
||||||
|
# TODO: This below is a dirty hack and should be properly revisited
|
||||||
|
- name: Retrieve secret
|
||||||
|
slurp:
|
||||||
|
src: "{{ secret_file_path }}"
|
||||||
|
register: secret_var
|
||||||
|
|
||||||
|
- name: Set secret.var fact
|
||||||
|
set_fact: { "{{ secret.var }}": "{{ secret_var }}" }
|
35
roles/synapse/tasks/logging.yml
Normal file
35
roles/synapse/tasks/logging.yml
Normal file
@ -0,0 +1,35 @@
|
|||||||
|
---
|
||||||
|
- name: Logging config (systemd)
|
||||||
|
block:
|
||||||
|
- name: create logging folder
|
||||||
|
file:
|
||||||
|
name: "{{ matrix_synapse_log_dir }}"
|
||||||
|
state: directory
|
||||||
|
owner: synapse
|
||||||
|
group: synapse
|
||||||
|
|
||||||
|
- name: copy syslog config
|
||||||
|
template:
|
||||||
|
src: syslog-synapse.conf.j2
|
||||||
|
dest: /etc/rsyslog.d/matrix_synapse.conf
|
||||||
|
owner: root
|
||||||
|
notify: restart rsyslog
|
||||||
|
|
||||||
|
- name: template logrotate config
|
||||||
|
template:
|
||||||
|
src: logrotate.j2
|
||||||
|
dest: /etc/logrotate.d/matrix_synapse
|
||||||
|
owner: root
|
||||||
|
when: matrix_synapse_supervision_method == "systemd"
|
||||||
|
# TODO: Figure out how to make sure that logging ends up in rsyslog no matter what system we run on
|
||||||
|
|
||||||
|
- name: Deploy log config
|
||||||
|
copy:
|
||||||
|
src: "log.config"
|
||||||
|
dest: "{{ matrix_synapse_base_path }}/log.config"
|
||||||
|
owner: synapse
|
||||||
|
group: synapse
|
||||||
|
notify:
|
||||||
|
- "restart matrix-synapse"
|
||||||
|
|
||||||
|
|
16
roles/synapse/tasks/main.yml
Normal file
16
roles/synapse/tasks/main.yml
Normal file
@ -0,0 +1,16 @@
|
|||||||
|
---
|
||||||
|
- name: check that sypervision and deployment are compatible
|
||||||
|
fail:
|
||||||
|
msg: "Either both or neither of deployment and supervision method should be docker."
|
||||||
|
when: (matrix_synapse_supervision_method == "docker" and matrix_synapse_deployment_method != "docker") or
|
||||||
|
(matrix_synapse_deployment_method == "docker" and matrix_synapse_supervision_method != "docker")
|
||||||
|
|
||||||
|
- name: configure synapse
|
||||||
|
import_tasks: configure.yml
|
||||||
|
|
||||||
|
- name: deploy synapse
|
||||||
|
import_tasks: deployment.yml
|
||||||
|
|
||||||
|
- name: configure service
|
||||||
|
import_tasks: systemd.yml
|
||||||
|
when: matrix_synapse_supervision_method == "systemd"
|
8
roles/synapse/tasks/systemd.yml
Normal file
8
roles/synapse/tasks/systemd.yml
Normal file
@ -0,0 +1,8 @@
|
|||||||
|
---
|
||||||
|
- name: Deploy service file
|
||||||
|
template:
|
||||||
|
src: "matrix-synapse.service.j2"
|
||||||
|
dest: "/etc/systemd/system/matrix-synapse.service"
|
||||||
|
notify:
|
||||||
|
- "reload systemd"
|
||||||
|
- "restart matrix-synapse"
|
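--- a/roles/synapse/templates/logrotate.j2
+++ b/roles/synapse/templates/logrotate.j2
@@ -0,0 +1,10 @@
+{{ ansible_managed | comment }}
+/var/log/matrix_synapse/matrix_synapse.log {
+daily
+rotate {{ matrix_synapse_log_days_keep }}
+compress
+shred
+postrotate
+/usr/bin/pkill -HUP rsyslogd
+endscript
+}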
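--- a/roles/synapse/templates/matrix-synapse.service.j2
+++ b/roles/synapse/templates/matrix-synapse.service.j2
@@ -0,0 +1,16 @@
+[Unit]
+Description="Matrix Synapse Server (synapse)"
+
+[Service]
+Type=simple
+WorkingDirectory={{ matrix_synapse_base_path }}
+ExecStart={{ matrix_synapse_base_path }}/env/bin/python -m synapse.app.homeserver --config-path={{ matrix_synapse_base_path }}/homeserver.yaml
+ExecStop={{ matrix_synapse_base_path }}/env/bin/synctl stop {{ matrix_synapse_base_path }}/homeserver.yaml
+User=synapse
+Group=synapse
+Restart=always
+StandardOutput=syslog
+SyslogIdentifier=matrix_synapse
+
+[Install]
+WantedBy=default.target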
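--- a/roles/synapse/templates/syslog-synapse.conf.j2
+++ b/roles/synapse/templates/syslog-synapse.conf.j2
@@ -0,0 +1,2 @@
+if $programname == 'matrix_synapse' then {{ matrix_synapse_log_dir }}/matrix_synapse.log
+if $programname == 'matrix_synapse' then ~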
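--- a/roles/synapse/tests/.gitignore
+++ b/roles/synapse/tests/.gitignore
@@ -0,0 +1,2 @@
+.vagrant
+*.retry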
25
roles/synapse/tests/Vagrantfile
vendored
Normal file
25
roles/synapse/tests/Vagrantfile
vendored
Normal file
@ -0,0 +1,25 @@
|
|||||||
|
# -*- mode: ruby -*-
|
||||||
|
# vi: set ft=ruby :
|
||||||
|
|
||||||
|
Vagrant.configure("2") do |config|
|
||||||
|
config.vm.define "pip" do |pip|
|
||||||
|
pip.vm.box = "debian/stretch64"
|
||||||
|
|
||||||
|
pip.vm.network "forwarded_port", guest: 8008, host: 8008
|
||||||
|
pip.vm.network "forwarded_port", guest: 8448, host: 8448
|
||||||
|
|
||||||
|
pip.vm.provision "ansible" do |ansible|
|
||||||
|
ansible.playbook = "test-pip.yml"
|
||||||
|
end
|
||||||
|
end
|
||||||
|
config.vm.define "docker" do |docker|
|
||||||
|
docker.vm.box = "debian/stretch64"
|
||||||
|
|
||||||
|
docker.vm.network "forwarded_port", guest: 8008, host: 8009
|
||||||
|
docker.vm.network "forwarded_port", guest: 8448, host: 8449
|
||||||
|
|
||||||
|
docker.vm.provision "ansible" do |ansible|
|
||||||
|
ansible.playbook = "test-docker.yml"
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
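--- a/roles/synapse/tests/ansible.cfg
+++ b/roles/synapse/tests/ansible.cfg
@@ -0,0 +1,3 @@
+[defaults]
+nocows=1
+roles_path=./roles:./../../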
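--- a/roles/synapse/tests/requirements.yml
+++ b/roles/synapse/tests/requirements.yml
@@ -0,0 +1,4 @@
+---
+- role: geerlingguy.pip
+- role: geerlingguy.docker
+- role: geerlingguy.postgresql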
52
roles/synapse/tests/test-docker.yml
Normal file
52
roles/synapse/tests/test-docker.yml
Normal file
@ -0,0 +1,52 @@
|
|||||||
|
---
|
||||||
|
- hosts: all
|
||||||
|
become: true
|
||||||
|
tasks:
|
||||||
|
- name: Flush handlers
|
||||||
|
meta: flush_handlers
|
||||||
|
|
||||||
|
- name: Check if the api returns the correct version
|
||||||
|
uri:
|
||||||
|
url: "http://localhost:8008/_matrix/federation/v1/version"
|
||||||
|
return_content: true
|
||||||
|
register: api_version
|
||||||
|
until: api_version.status == 200
|
||||||
|
retries: 10
|
||||||
|
delay: 2
|
||||||
|
|
||||||
|
- name: Check returned api version
|
||||||
|
fail: >
|
||||||
|
Return value is not as expected {{ api_version }}
|
||||||
|
when: matrix_synapse_version != "v"~(api_version.content | from_json).server.version
|
||||||
|
vars:
|
||||||
|
dbname: synapse
|
||||||
|
dbuser: synapse_user
|
||||||
|
dbpw: synapse_password
|
||||||
|
matrix_synapse_deployment_method: docker
|
||||||
|
matrix_synapse_supervision_method: docker
|
||||||
|
roles:
|
||||||
|
- role: geerlingguy.pip
|
||||||
|
pip_install_packages:
|
||||||
|
- name: docker
|
||||||
|
- role: geerlingguy.docker
|
||||||
|
- role: geerlingguy.postgresql
|
||||||
|
postgresql_databases:
|
||||||
|
- name: "{{ dbname }}"
|
||||||
|
postgresql_users:
|
||||||
|
- name: "{{ dbuser }}"
|
||||||
|
password: "{{ dbpw }}"
|
||||||
|
postgresql_global_config_options:
|
||||||
|
- option: listen_addresses
|
||||||
|
value: "172.17.0.1"
|
||||||
|
postgresql_hba_entries:
|
||||||
|
- { type: local, database: all, user: all, auth_method: trust }
|
||||||
|
- { type: host, database: "{{ dbname }}", user: "{{ dbuser }}", address: "172.17.0.1/16", auth_method: md5 }
|
||||||
|
- role: matrix-ansible-synapse
|
||||||
|
matrix_server_name: localhost
|
||||||
|
matrix_synapse_report_stats: false
|
||||||
|
matrix_synapse_pg_host: 172.17.0.1
|
||||||
|
matrix_synapse_pg_user: "{{ dbuser }}"
|
||||||
|
matrix_synapse_pg_pass: "{{ dbpw }}"
|
||||||
|
matrix_synapse_pg_db: "{{ dbname }}"
|
||||||
|
matrix_synapse_extra_config:
|
||||||
|
no_tls: true
|
44
roles/synapse/tests/test-pip.yml
Normal file
44
roles/synapse/tests/test-pip.yml
Normal file
@ -0,0 +1,44 @@
|
|||||||
|
---
|
||||||
|
- hosts: all
|
||||||
|
become: true
|
||||||
|
vars:
|
||||||
|
dbname: synapse
|
||||||
|
dbuser: synapse_user
|
||||||
|
dbpw: synapse_password
|
||||||
|
tasks:
|
||||||
|
- name: Flush handlers
|
||||||
|
meta: flush_handlers
|
||||||
|
|
||||||
|
- name: Check if the api returns the correct version
|
||||||
|
uri:
|
||||||
|
url: "http://localhost:8008/_matrix/federation/v1/version"
|
||||||
|
return_content: true
|
||||||
|
register: api_version
|
||||||
|
until: api_version.status == 200
|
||||||
|
retries: 10
|
||||||
|
delay: 2
|
||||||
|
|
||||||
|
- name: Check returned api version
|
||||||
|
fail:
|
||||||
|
msg: "Return value {{ api_version }} is not as expected {{ matrix_synapse_version }}"
|
||||||
|
when: matrix_synapse_version != "v"~(api_version.content | from_json).server.version
|
||||||
|
roles:
|
||||||
|
- role: geerlingguy.pip
|
||||||
|
- role: geerlingguy.postgresql
|
||||||
|
postgresql_databases:
|
||||||
|
- name: "{{ dbname }}"
|
||||||
|
postgresql_users:
|
||||||
|
- name: "{{ dbuser }}"
|
||||||
|
password: "{{ dbpw }}"
|
||||||
|
postgresql_global_config_options:
|
||||||
|
- option: listen_addresses
|
||||||
|
value: "*"
|
||||||
|
- role: matrix-ansible-synapse
|
||||||
|
matrix_server_name: localhost
|
||||||
|
matrix_synapse_report_stats: false
|
||||||
|
matrix_synapse_pg_host: localhost
|
||||||
|
matrix_synapse_pg_user: "{{ dbuser }}"
|
||||||
|
matrix_synapse_pg_pass: "{{ dbpw }}"
|
||||||
|
matrix_synapse_pg_db: "{{ dbname }}"
|
||||||
|
matrix_synapse_extra_config:
|
||||||
|
no_tls: true
|
141
roles/synapse/vars/main.yml
Normal file
141
roles/synapse/vars/main.yml
Normal file
@ -0,0 +1,141 @@
|
|||||||
|
---
|
||||||
|
matrix_synapse_config: "{{ matrix_synapse_base_config | combine(matrix_synapse_extra_config, recursive=True) }}"
|
||||||
|
matrix_synapse_base_config:
|
||||||
|
server_name: "{{ matrix_server_name }}"
|
||||||
|
tls_certificate_path: "{{ matrix_synapse_base_path }}/tls/{{ matrix_server_name }}.crt"
|
||||||
|
tls_private_key_path: "{{ matrix_synapse_base_path }}/tls/{{ matrix_server_name }}.key"
|
||||||
|
acme:
|
||||||
|
enabled: false
|
||||||
|
url: https://acme-v01.api.letsencrypt.org/directory
|
||||||
|
port: 80
|
||||||
|
bind_addresses: ['::', '0.0.0.0']
|
||||||
|
reprovision_threshold: 30
|
||||||
|
no_tls: false
|
||||||
|
tls_fingerprints: []
|
||||||
|
pid_file: "{{ matrix_synapse_base_path }}/synapse.pid"
|
||||||
|
soft_file_limit: 0
|
||||||
|
use_presence: true
|
||||||
|
listeners:
|
||||||
|
- port: 8448
|
||||||
|
bind_addresses:
|
||||||
|
- '::'
|
||||||
|
- '0.0.0.0'
|
||||||
|
type: http
|
||||||
|
tls: true
|
||||||
|
x_forwarded: false
|
||||||
|
resources:
|
||||||
|
- names: [client]
|
||||||
|
compress: true
|
||||||
|
- names: [federation]
|
||||||
|
compress: false
|
||||||
|
- port: 8008
|
||||||
|
tls: false
|
||||||
|
bind_addresses:
|
||||||
|
- '::'
|
||||||
|
- '0.0.0.0'
|
||||||
|
type: http
|
||||||
|
x_forwarded: false
|
||||||
|
resources:
|
||||||
|
- names: [client]
|
||||||
|
compress: true
|
||||||
|
- names: [federation]
|
||||||
|
compress: false
|
||||||
|
database:
|
||||||
|
name: "psycopg2"
|
||||||
|
args:
|
||||||
|
user: "{{ matrix_synapse_pg_user }}"
|
||||||
|
password: "{{ matrix_synapse_pg_pass }}"
|
||||||
|
database: "{{ matrix_synapse_pg_db }}"
|
||||||
|
host: "{{ matrix_synapse_pg_host }}"
|
||||||
|
cp_min: 5
|
||||||
|
cp_max: 10
|
||||||
|
log_config: "{{ matrix_synapse_base_path }}/log.config"
|
||||||
|
event_cache_size: "10K"
|
||||||
|
rc_messages_per_second: 0.2
|
||||||
|
rc_message_burst_count: 10.0
|
||||||
|
federation_rc_window_size: 1000
|
||||||
|
federation_rc_sleep_limit: 10
|
||||||
|
federation_rc_sleep_delay: 500
|
||||||
|
federation_rc_reject_limit: 50
|
||||||
|
federation_rc_concurrent: 3
|
||||||
|
media_store_path: "{{ matrix_synapse_base_path }}/media_store"
|
||||||
|
uploads_path: "{{ matrix_synapse_base_path }}/uploads"
|
||||||
|
max_upload_size: "23M"
|
||||||
|
max_image_pixels: "32M"
|
||||||
|
dynamic_thumbnails: false
|
||||||
|
thumbnail_sizes:
|
||||||
|
- width: 32
|
||||||
|
height: 32
|
||||||
|
method: crop
|
||||||
|
- width: 96
|
||||||
|
height: 96
|
||||||
|
method: crop
|
||||||
|
- width: 320
|
||||||
|
height: 240
|
||||||
|
method: scale
|
||||||
|
- width: 640
|
||||||
|
height: 480
|
||||||
|
method: scale
|
||||||
|
- width: 800
|
||||||
|
height: 600
|
||||||
|
method: scale
|
||||||
|
url_preview_enabled: true
|
||||||
|
url_preview_ip_range_blacklist:
|
||||||
|
- '127.0.0.0/8'
|
||||||
|
- '10.0.0.0/8'
|
||||||
|
- '172.16.0.0/12'
|
||||||
|
- '192.168.0.0/16'
|
||||||
|
- '100.64.0.0/10'
|
||||||
|
- '169.254.0.0/16'
|
||||||
|
- '::1/128'
|
||||||
|
- 'fe80::/64'
|
||||||
|
- 'fc00::/7'
|
||||||
|
url_preview_url_blacklist:
|
||||||
|
- username: '*'
|
||||||
|
- netloc: 'google.com'
|
||||||
|
- netloc: '*.google.com'
|
||||||
|
- netloc: 'twitter.com'
|
||||||
|
- netloc: '*.twitter.com'
|
||||||
|
- netloc: 't.co'
|
||||||
|
- netloc: '*.t.co'
|
||||||
|
max_spider_size: "10M"
|
||||||
|
enable_registration: False
|
||||||
|
registration_shared_secret: >
|
||||||
|
"{{ registration_shared_secret_file.content | b64decode }}"
|
||||||
|
form_secret: "{{ form_secret_file.content | b64decode }}"
|
||||||
|
bcrypt_rounds: 12
|
||||||
|
allow_guest_access: False
|
||||||
|
trusted_third_party_id_servers:
|
||||||
|
- matrix.org
|
||||||
|
- vector.im
|
||||||
|
autocreate_auto_join_rooms: true
|
||||||
|
enable_metrics: False
|
||||||
|
report_stats: "{{ matrix_synapse_report_stats }}"
|
||||||
|
room_invite_state_types:
|
||||||
|
- "m.room.join_rules"
|
||||||
|
- "m.room.canonical_alias"
|
||||||
|
- "m.room.avatar"
|
||||||
|
- "m.room.name"
|
||||||
|
app_service_config_files: []
|
||||||
|
track_appservice_user_ips: False
|
||||||
|
macaroon_secret_key: "{{ macaroon_file.content | b64decode }}"
|
||||||
|
expire_access_token: False
|
||||||
|
signing_key_path: "{{ matrix_synapse_signing_key_path }}"
|
||||||
|
old_signing_keys: {}
|
||||||
|
key_refresh_interval: "1d" # 1 Day.
|
||||||
|
# TODO: More servers should be added
|
||||||
|
perspectives:
|
||||||
|
servers:
|
||||||
|
"matrix.org":
|
||||||
|
verify_keys:
|
||||||
|
"ed25519:auto":
|
||||||
|
key: "Noi6WqcDj0QmPxCNQqgezwTlBKrfqehY1u2FyWP9uYw"
|
||||||
|
password_config:
|
||||||
|
enabled: true
|
||||||
|
push:
|
||||||
|
include_content: false
|
||||||
|
enable_group_creation: true
|
||||||
|
alias_creation_rules:
|
||||||
|
- user_id: "*"
|
||||||
|
alias: "*"
|
||||||
|
action: allow
|