add requirements file,hosts.ini and README

This commit is contained in:
J. Doe 2019-09-24 11:19:03 +02:00
parent b8296f4bee
commit fbccf37df6
41 changed files with 685 additions and 91 deletions


@ -1,32 +0,0 @@
stages:
# - ansible-lint
- deploy_app
# ansible-lint:
# only:
# - master
# stage: ansible-lint
# image: yokogawa/ansible-lint
# allow_failure: true
# script:
# - 'ansible-lint setup.yml'
deploy_app:
only:
- master
stage: deploy_app
# TODO: use private ubuntu w/ ansible image to not reinstall ansible at every build
# not working:
# image: williamyeh/ansible:ubuntu18.04
# running systemd requires privileged container so instead of running services we run processes as daemons
# not working:
# image: jrei/systemd-ubuntu:latest
image: ubuntu:latest
script:
- apt-add-repository --yes --update ppa:ansible/ansible
# useless?
# - apt update
# sudo is used by some roles and not installed on docker
- apt install --yes sudo software-properties-common ansible
- "ansible-playbook -i gitlab-ci-inventory.ini setup.yml -vv --extra-var docker_enabled=true"


@ -1,3 +1,15 @@
# Fuz Playbooks # Fuz Playbooks
Playbooks for (relatively) easy sysadmin! Playbooks for (relatively) easy sysadmin!
## With Vagrant
1. `vagrant up`
2. Install ansible
3. Install the roles: `ansible-galaxy install -r requirements.yml`
4. Launch the playbook: `ansible-playbook setup.yml`
## With a real server
1. Edit the file `hosts.ini`
2. Install ansible
3. Install the roles: `ansible-galaxy install -r requirements.yml`
4. Launch the playbook: `ansible-playbook setup.yml`


@ -1,3 +1,4 @@
[defaults] [defaults]
inventory = hosts.ini inventory = hosts.ini
host_key_checking = False host_key_checking = False
roles_path = roles/
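Review bot: The retained `host_key_checking = False` now covers the real-server workflow the README introduces in this commit, so SSH server identity is never verified when `hosts.ini` points at remote machines, which is exactly the check that protects the deploy session against an interposed host. Consider dropping the line (the default is `True`) and provisioning known_hosts for the real servers, keeping the override only for the throwaway Vagrant box, e.g. via `ANSIBLE_HOST_KEY_CHECKING` in that environment. The `roles_path = roles/` addition itself is fine, but note it makes `ansible-galaxy install` write over the role copies committed under `roles/`.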


@ -1,5 +0,0 @@
docker-shared-runner ansible_connection=local become=true
[postgresql]
docker-shared-runner
[synapse]
docker-shared-runner

18
requirements.yml Normal file

@ -0,0 +1,18 @@
# from galaxy
- src: geerlingguy.pip
- src: geerlingguy.postgresql
# from GitHub, overriding the name and specifying a specific tag
# - src: https://github.com/bennojoy/nginx
# version: master
# name: nginx_role
# from a webserver, where the role is packaged in a tar.gz
# - src: https://some.webserver.example.com/files/master.tar.gz
# name: http-role
# from GitLab or other git-based scm, using git+ssh
- src: https://gitlab.com/famedly/ansible/synapse
scm: git
# version: "0.1" # quoted, so YAML doesn't parse this as a floating-point value
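Review bot: None of the three role sources is pinned: `geerlingguy.pip`, `geerlingguy.postgresql` and the git source `https://gitlab.com/famedly/ansible/synapse` all resolve to whatever is current at install time, so the `ansible-galaxy install -r requirements.yml` step the README prescribes pulls unreviewed code onto the control host and from there onto every managed server. Add a `version: "<pinned tag or commit>"` entry to each source; the commented template on the last line already shows the form for the git source, and quoting keeps a tag like `0.1` from being read as a float. Since `roles_path = roles/` in ansible.cfg makes the install overwrite the copies committed under `roles/`, the pins should match what is checked in so a fresh install and the committed tree agree.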


@ -1,2 +1,2 @@
install_date: Thu Sep 12 20:00:01 2019 install_date: Tue Sep 24 09:13:41 2019
version: 1.3.0 version: 1.3.0


@ -7,6 +7,7 @@ env:
- ROLE_NAME: postgresql - ROLE_NAME: postgresql
matrix: matrix:
- MOLECULE_DISTRO: centos7 - MOLECULE_DISTRO: centos7
- MOLECULE_DISTRO: fedora30
- MOLECULE_DISTRO: ubuntu1804 - MOLECULE_DISTRO: ubuntu1804
- MOLECULE_DISTRO: ubuntu1604 - MOLECULE_DISTRO: ubuntu1604
- MOLECULE_DISTRO: debian10 - MOLECULE_DISTRO: debian10


@ -1,2 +1,2 @@
install_date: Thu Sep 12 20:01:17 2019 install_date: Tue Sep 24 09:13:46 2019
version: 1.4.6 version: 2.0.0


@ -12,12 +12,20 @@ galaxy_info:
versions: versions:
- 6 - 6
- 7 - 7
- name: Fedora
versions:
- 29
- 30
- name: Ubuntu - name: Ubuntu
versions: versions:
- all - xenial
- bionic
- name: Debian - name: Debian
versions: versions:
- all - wheezy
- jessie
- stretch
- buster
galaxy_tags: galaxy_tags:
- database - database
- postgresql - postgresql


@ -10,6 +10,17 @@
- name: jdoe - name: jdoe
pre_tasks: pre_tasks:
# The Fedora 30+ container images have only C.UTF-8 installed
- name: Set database locale if using Fedora 30+
set_fact:
postgresql_databases:
- name: example
lc_collate: 'C.UTF-8'
lc_ctype: 'C.UTF-8'
when:
- ansible_distribution == 'Fedora'
- ansible_distribution_major_version >= '30'
- name: Update apt cache. - name: Update apt cache.
apt: update_cache=true cache_valid_time=600 apt: update_cache=true cache_valid_time=600
when: ansible_os_family == 'Debian' when: ansible_os_family == 'Debian'


@ -16,7 +16,7 @@
group: "{{ postgresql_group }}" group: "{{ postgresql_group }}"
mode: 0600 mode: 0600
notify: restart postgresql notify: restart postgresql
when: postgresql_hba_entries when: postgresql_hba_entries | length > 0
- name: Ensure PostgreSQL unix socket dirs exist. - name: Ensure PostgreSQL unix socket dirs exist.
file: file:


@ -17,9 +17,7 @@
name: "{{ postgresql_daemon }}" name: "{{ postgresql_daemon }}"
state: "{{ postgresql_service_state }}" state: "{{ postgresql_service_state }}"
enabled: "{{ postgresql_service_enabled }}" enabled: "{{ postgresql_service_enabled }}"
when: not docker_enabled
# Configure PostgreSQL. # Configure PostgreSQL.
- import_tasks: databases.yml
- import_tasks: users.yml - import_tasks: users.yml
- import_tasks: databases.yml


@ -1,12 +1,16 @@
--- ---
- name: Ensure PostgreSQL packages are installed. - name: Ensure PostgreSQL packages are installed.
package: yum:
name: "{{ postgresql_packages }}" name: "{{ postgresql_packages }}"
state: present state: present
enablerepo: "{{ postgresql_enablerepo | default(omit, true) }}" enablerepo: "{{ postgresql_enablerepo | default(omit, true) }}"
# Don't let postgresql-contrib cause the /usr/bin/python symlink
# to be installed, which breaks later Ansible runs on Fedora 30,
# and affects system behavior in multiple ways.
exclude: python-unversioned-command
- name: Ensure PostgreSQL Python libraries are installed. - name: Ensure PostgreSQL Python libraries are installed.
package: yum:
name: "{{ postgresql_python_library }}" name: "{{ postgresql_python_library }}"
state: present state: present
enablerepo: "{{ postgresql_enablerepo | default(omit, true) }}" enablerepo: "{{ postgresql_enablerepo | default(omit, true) }}"


@ -6,7 +6,13 @@
- name: Include OS-specific variables (RedHat). - name: Include OS-specific variables (RedHat).
include_vars: "{{ ansible_os_family }}-{{ ansible_distribution_version.split('.')[0] }}.yml" include_vars: "{{ ansible_os_family }}-{{ ansible_distribution_version.split('.')[0] }}.yml"
when: ansible_os_family == 'RedHat' when:
- ansible_os_family == 'RedHat'
- ansible_distribution != 'Fedora'
- name: Include OS-specific variables (Fedora).
include_vars: "{{ ansible_distribution }}-{{ ansible_distribution_version.split('.')[0] }}.yml"
when: ansible_distribution == 'Fedora'
- name: Define postgresql_packages. - name: Define postgresql_packages.
set_fact: set_fact:


@ -1,10 +0,0 @@
---
__postgresql_version: "11"
__postgresql_data_dir: "/var/lib/postgresql/{{ __postgresql_version }}/main"
__postgresql_bin_path: "/usr/lib/postgresql/{{ __postgresql_version }}/bin"
__postgresql_config_path: "/etc/postgresql/{{ __postgresql_version }}/main"
__postgresql_daemon: "postgresql@{{ postgresql_version }}-main"
__postgresql_packages:
- postgresql
- postgresql-contrib
- libpq-dev


@ -1,10 +0,0 @@
---
__postgresql_version: "11"
__postgresql_data_dir: "/var/lib/postgresql/{{ __postgresql_version }}/main"
__postgresql_bin_path: "/usr/lib/postgresql/{{ __postgresql_version }}/bin"
__postgresql_config_path: "/etc/postgresql/{{ __postgresql_version }}/main"
__postgresql_daemon: "postgresql@{{ postgresql_version }}-main"
__postgresql_packages:
- postgresql
- postgresql-contrib
- libpq-dev


@ -1,10 +0,0 @@
---
__postgresql_version: "11"
__postgresql_data_dir: "/var/lib/postgresql/{{ __postgresql_version }}/main"
__postgresql_bin_path: "/usr/lib/postgresql/{{ __postgresql_version }}/bin"
__postgresql_config_path: "/etc/postgresql/{{ __postgresql_version }}/main"
__postgresql_daemon: "postgresql@{{ postgresql_version }}-main"
__postgresql_packages:
- postgresql
- postgresql-contrib
- libpq-dev


@ -0,0 +1,12 @@
---
__postgresql_version: "10.5"
__postgresql_data_dir: "/var/lib/pgsql/data"
__postgresql_bin_path: "/usr/bin"
__postgresql_config_path: "/var/lib/pgsql/data"
__postgresql_daemon: postgresql
__postgresql_packages:
- postgresql
- postgresql-server
- postgresql-contrib
- postgresql-libs
postgresql_python_library: python2-psycopg2


@ -0,0 +1,13 @@
---
__postgresql_version: "11.2"
__postgresql_data_dir: "/var/lib/pgsql/data"
__postgresql_bin_path: "/usr/bin"
__postgresql_config_path: "/var/lib/pgsql/data"
__postgresql_daemon: postgresql
__postgresql_packages:
- postgresql
- postgresql-server
- postgresql-contrib
- postgresql-libs
# Fedora 30 containers only have python3 by default
postgresql_python_library: python3-psycopg2


@ -1,10 +0,0 @@
---
__postgresql_version: "9.3"
__postgresql_data_dir: "/var/lib/postgresql/{{ __postgresql_version }}/main"
__postgresql_bin_path: "/usr/lib/postgresql/{{ __postgresql_version }}/bin"
__postgresql_config_path: "/etc/postgresql/{{ __postgresql_version }}/main"
__postgresql_daemon: postgresql
__postgresql_packages:
- postgresql
- postgresql-contrib
- libpq-dev

1
roles/synapse/.gitignore vendored Normal file

@ -0,0 +1 @@
tests/roles/


@ -0,0 +1,24 @@
---
# -*- coding: utf-8 -*-
before_script:
- apt-get update -qy
- apt-get install -y python-dev python-pip
- git submodule update --init
- pip install --upgrade ansible ansible-lint
- ansible --version
- ansible-lint --version
stages:
- ansible-lint
- ansible-syntax-check
ansible-lint-pip:
stage: ansible-lint
script:
- ansible-lint tests/test-pip.yml
ansible-lint-docker:
stage: ansible-lint
script:
- ansible-lint tests/test-docker.yml


@ -0,0 +1,2 @@
install_date: Tue Sep 24 09:13:48 2019
version: ''

1
roles/synapse/synapse Symbolic link

@ -0,0 +1 @@
synapse
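Review bot: The new symlink `roles/synapse/synapse` has the target `synapse`, which relative to its own directory appears to resolve to the link itself, so following it loops rather than reaching the role. If the intent was to expose the role under a second name for the tests, note that `tests/test-docker.yml` and `tests/test-pip.yml` reference `role: matrix-ansible-synapse`, which matches neither the `synapse` directory nor this link, so with `roles_path=./roles:./../../` the test playbooks cannot resolve the role as committed. A link named `roles/matrix-ansible-synapse` pointing at `synapse`, or renaming the role directory, would address both.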


@ -0,0 +1,64 @@
---
- name: create user
user:
name: synapse
state: present
register: synapse_user
tags:
- pre_install
- name: create directory
file:
path: "{{ matrix_synapse_base_path }}"
state: directory
owner: synapse
group: synapse
tags:
- pre_install
- name: Create secrets directory
file:
path: "{{ matrix_synapse_secrets_path }}"
state: directory
owner: synapse
group: synapse
tags:
- pre_install
- name: Generate secrets
include_tasks: generate_secret.yml
loop:
- file: "macaroon.key"
var: "macaroon_file"
- file: "registration.key"
var: "registration_shared_secret_file"
- file: "form.key"
var: "form_secret_file"
loop_control:
loop_var: secret
- name: Create directory for media storage
file:
path: "{{ item }}"
state: directory
owner: synapse
group: synapse
loop:
- "{{ matrix_synapse_config.media_store_path }}"
- "{{ matrix_synapse_config.uploads_path }}"
- "{{ matrix_synapse_base_path }}/tls"
- name: Deploy config
copy:
content: "{{ matrix_synapse_config | to_nice_yaml }}"
dest: "{{ matrix_synapse_base_path }}/homeserver.yaml"
owner: synapse
group: synapse
notify:
- "restart matrix-synapse"
- name: Configure logging
import_tasks: logging.yml
- name: Create certificates
include_tasks: crypto.yml
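Review bot: The `Deploy config` task writes `homeserver.yaml`, which per vars/main.yml carries the database password, `macaroon_secret_key`, `form_secret` and `registration_shared_secret`, without a `mode:`, so the file takes the default umask permissions and is typically readable by every local user; the `Create secrets directory` task has the same gap. Add `mode: "0600"` to the copy task and `mode: "0700"` to the secrets directory task, matching what crypto.yml already does for the TLS private key. The media and upload directories created here also lack explicit modes, but they hold non-secret data, so that is a lesser concern.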


@ -0,0 +1,32 @@
---
- name: Install signedjson
pip:
name: signedjson
- name: Create signing key
matrix_signing_key:
path: "{{ matrix_synapse_config.signing_key_path }}"
notify:
- "restart matrix-synapse"
- name: Write server's certificate and private key
block:
- name: create DH parameters
openssl_dhparam:
path: "{{ matrix_synapse_dh_path }}"
owner: synapse
- name: Write certificate
copy:
content: "{{ matrix_synapse_tls_cert }}"
dest: "{{ matrix_synapse_config.tls_certificate_path }}"
owner: synapse
group: synapse
mode: "0644"
- name: Write keyfile
copy:
content: "{{ matrix_synapse_tls_key }}"
dest: "{{ matrix_synapse_config.tls_private_key_path }}"
owner: synapse
group: synapse
mode: "0600"
when: not matrix_synapse_config.no_tls


@ -0,0 +1,78 @@
---
- name: install synapse with pip into virtualenv
block:
- name: Install dependencies
apt:
name:
- git
- build-essential
- python3-dev
- python-virtualenv
- python-pip
- python-setuptools
- sqlite3
- libffi-dev
- libssl-dev
- libjpeg-dev
- libxslt1-dev
- libpq-dev
state: present
cache_valid_time: 1800
tags:
- pre_install
- name: Create virtualenv
pip:
name:
- pip
- setuptools
virtualenv: "{{ matrix_synapse_base_path }}/env"
virtualenv_python: python3
extra_args: --upgrade
tags:
- pre_install
- name: Clone synapse
git:
repo: https://github.com/matrix-org/synapse
dest: "{{ matrix_synapse_base_path }}/synapse"
accept_hostkey: yes
version: "{{ matrix_synapse_version }}"
register: clone_synapse
tags:
- pre_install
- name: Install Synapse
pip:
name: "{{ matrix_synapse_base_path }}/synapse[matrix-synapse-ldap3,postgres,resources.consent,acme,url_preview]"
virtualenv: "{{ matrix_synapse_base_path }}/env"
when: clone_synapse.changed
tags:
- skip_ansible_lint # skip when clause
- pre_install
notify: restart matrix-synapse
when: matrix_synapse_deployment_method == "pip"
- name: install synapse with docker
docker_container:
name: synapse
image: "docker.io/matrixdotorg/synapse:{{ matrix_synapse_version }}"
ports: "{{ matrix_synapse_docker_ports }}"
labels: "{{ matrix_synapse_docker_labels }}"
restart_policy: unless-stopped
recreate: true
pull: true
entrypoint: "python"
command:
- "-m"
- "synapse.app.homeserver"
- "-c"
- "{{ matrix_synapse_base_path }}/homeserver.yaml"
user: "{{ synapse_user.uid }}:{{ synapse_user.group }}"
volumes:
- "{{ matrix_synapse_config.media_store_path }}:{{ matrix_synapse_config.media_store_path }}"
- "{{ matrix_synapse_config.uploads_path }}:{{ matrix_synapse_config.uploads_path }}"
- "{{ matrix_synapse_base_path }}/homeserver.yaml:{{ matrix_synapse_base_path }}/homeserver.yaml"
- "{{ matrix_synapse_base_path }}/log.config:{{ matrix_synapse_base_path }}/log.config"
- "{{ matrix_synapse_base_path }}/tls:{{ matrix_synapse_base_path }}/tls"
when: matrix_synapse_deployment_method == "docker"
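Review bot: `recreate: true` on the `docker_container` task forces the container to be destroyed and rebuilt on every play, so each run restarts Synapse even when nothing changed and the task can never report unchanged; `pull: true` together with the version-tagged image already picks up a new build when one exists. Drop `recreate: true` (or gate it on a variable) and let the module's own comparison decide whether a restart is needed. Separately, `accept_hostkey: yes` on the `git` clone has no effect for the https URL used and, if kept, should be written `accept_hostkey: true` to match the lowercase booleans used elsewhere in this file.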


@ -0,0 +1,27 @@
---
- name: Set full file path
set_fact:
secret_file_path: "{{ matrix_synapse_secrets_path }}/{{ secret.file }}"
- name: Check if secret exists
stat:
path: "{{ secret_file_path }}"
register: secret_file_stat
- name: Generate random string
copy:
content: "{{ lookup('password', '/dev/null chars=ascii_letters,digits length=42') }}"
dest: "{{ secret_file_path }}"
owner: synapse
group: synapse
mode: "0600"
when:
- not secret_file_stat.stat.exists
# TODO: This below is a dirty hack and should be properly revisited
- name: Retrieve secret
slurp:
src: "{{ secret_file_path }}"
register: secret_var
- name: Set secret.var fact
set_fact: { "{{ secret.var }}": "{{ secret_var }}" }
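Review bot: The `Retrieve secret` and `Set secret.var fact` tasks handle the generated key material without `no_log: true`, so the registered `secret_var` (the base64 content of the key file) is included in task result output at higher verbosity, and the CI script removed in this same commit ran the playbook with `-vv`. Add `no_log: true` to both tasks and to `Generate random string`, whose `content` argument is the plaintext secret. The templated-key `set_fact` on the last line is already flagged as a hack in the comment above it; one `set_fact` per secret with a literal variable name would remove the flow-mapping trick and make the resulting facts greppable.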


@ -0,0 +1,35 @@
---
- name: Logging config (systemd)
block:
- name: create logging folder
file:
name: "{{ matrix_synapse_log_dir }}"
state: directory
owner: synapse
group: synapse
- name: copy syslog config
template:
src: syslog-synapse.conf.j2
dest: /etc/rsyslog.d/matrix_synapse.conf
owner: root
notify: restart rsyslog
- name: template logrotate config
template:
src: logrotate.j2
dest: /etc/logrotate.d/matrix_synapse
owner: root
when: matrix_synapse_supervision_method == "systemd"
# TODO: Figure out how to make sure that logging ends up in rsyslog no matter what system we run on
- name: Deploy log config
copy:
src: "log.config"
dest: "{{ matrix_synapse_base_path }}/log.config"
owner: synapse
group: synapse
notify:
- "restart matrix-synapse"


@ -0,0 +1,16 @@
---
- name: check that sypervision and deployment are compatible
fail:
msg: "Either both or neither of deployment and supervision method should be docker."
when: (matrix_synapse_supervision_method == "docker" and matrix_synapse_deployment_method != "docker") or
(matrix_synapse_deployment_method == "docker" and matrix_synapse_supervision_method != "docker")
- name: configure synapse
import_tasks: configure.yml
- name: deploy synapse
import_tasks: deployment.yml
- name: configure service
import_tasks: systemd.yml
when: matrix_synapse_supervision_method == "systemd"


@ -0,0 +1,8 @@
---
- name: Deploy service file
template:
src: "matrix-synapse.service.j2"
dest: "/etc/systemd/system/matrix-synapse.service"
notify:
- "reload systemd"
- "restart matrix-synapse"


@ -0,0 +1,10 @@
{{ ansible_managed | comment }}
/var/log/matrix_synapse/matrix_synapse.log {
daily
rotate {{ matrix_synapse_log_days_keep }}
compress
shred
postrotate
/usr/bin/pkill -HUP rsyslogd
endscript
}
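Review bot: The logrotate template hardcodes `/var/log/matrix_synapse/matrix_synapse.log`, while the rsyslog rule in the sibling `syslog-synapse.conf.j2` writes to `{{ matrix_synapse_log_dir }}/matrix_synapse.log`, so overriding `matrix_synapse_log_dir` silently leaves the log unrotated and the `shred` directive never runs. Change the first path line to `{{ matrix_synapse_log_dir }}/matrix_synapse.log {` so both templates follow the same variable.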


@ -0,0 +1,16 @@
[Unit]
Description="Matrix Synapse Server (synapse)"
[Service]
Type=simple
WorkingDirectory={{ matrix_synapse_base_path }}
ExecStart={{ matrix_synapse_base_path }}/env/bin/python -m synapse.app.homeserver --config-path={{ matrix_synapse_base_path }}/homeserver.yaml
ExecStop={{ matrix_synapse_base_path }}/env/bin/synctl stop {{ matrix_synapse_base_path }}/homeserver.yaml
User=synapse
Group=synapse
Restart=always
StandardOutput=syslog
SyslogIdentifier=matrix_synapse
[Install]
WantedBy=default.target


@ -0,0 +1,2 @@
if $programname == 'matrix_synapse' then {{ matrix_synapse_log_dir }}/matrix_synapse.log
if $programname == 'matrix_synapse' then ~

2
roles/synapse/tests/.gitignore vendored Normal file

@ -0,0 +1,2 @@
.vagrant
*.retry

25
roles/synapse/tests/Vagrantfile vendored Normal file

@ -0,0 +1,25 @@
# -*- mode: ruby -*-
# vi: set ft=ruby :
Vagrant.configure("2") do |config|
config.vm.define "pip" do |pip|
pip.vm.box = "debian/stretch64"
pip.vm.network "forwarded_port", guest: 8008, host: 8008
pip.vm.network "forwarded_port", guest: 8448, host: 8448
pip.vm.provision "ansible" do |ansible|
ansible.playbook = "test-pip.yml"
end
end
config.vm.define "docker" do |docker|
docker.vm.box = "debian/stretch64"
docker.vm.network "forwarded_port", guest: 8008, host: 8009
docker.vm.network "forwarded_port", guest: 8448, host: 8449
docker.vm.provision "ansible" do |ansible|
ansible.playbook = "test-docker.yml"
end
end
end


@ -0,0 +1,3 @@
[defaults]
nocows=1
roles_path=./roles:./../../


@ -0,0 +1,4 @@
---
- role: geerlingguy.pip
- role: geerlingguy.docker
- role: geerlingguy.postgresql


@ -0,0 +1,52 @@
---
- hosts: all
become: true
tasks:
- name: Flush handlers
meta: flush_handlers
- name: Check if the api returns the correct version
uri:
url: "http://localhost:8008/_matrix/federation/v1/version"
return_content: true
register: api_version
until: api_version.status == 200
retries: 10
delay: 2
- name: Check returned api version
fail: >
Return value is not as expected {{ api_version }}
when: matrix_synapse_version != "v"~(api_version.content | from_json).server.version
vars:
dbname: synapse
dbuser: synapse_user
dbpw: synapse_password
matrix_synapse_deployment_method: docker
matrix_synapse_supervision_method: docker
roles:
- role: geerlingguy.pip
pip_install_packages:
- name: docker
- role: geerlingguy.docker
- role: geerlingguy.postgresql
postgresql_databases:
- name: "{{ dbname }}"
postgresql_users:
- name: "{{ dbuser }}"
password: "{{ dbpw }}"
postgresql_global_config_options:
- option: listen_addresses
value: "172.17.0.1"
postgresql_hba_entries:
- { type: local, database: all, user: all, auth_method: trust }
- { type: host, database: "{{ dbname }}", user: "{{ dbuser }}", address: "172.17.0.1/16", auth_method: md5 }
- role: matrix-ansible-synapse
matrix_server_name: localhost
matrix_synapse_report_stats: false
matrix_synapse_pg_host: 172.17.0.1
matrix_synapse_pg_user: "{{ dbuser }}"
matrix_synapse_pg_pass: "{{ dbpw }}"
matrix_synapse_pg_db: "{{ dbname }}"
matrix_synapse_extra_config:
no_tls: true
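Review bot: `fail: >` hands a free-form folded string to the `fail` module, whose argument spec as far as I know accepts only `msg`, so the `Check returned api version` task is likely to error on unsupported parameters instead of reporting the version mismatch; test-pip.yml in the same commit writes the identical check correctly. Use the same form here: `fail:` followed by `msg: "Return value is not as expected {{ api_version }}"`. The `postgresql_hba_entries` line with `type: local, database: all, user: all, auth_method: trust` lets any local OS user connect as any database role without a password, which is acceptable for a throwaway Vagrant box but deserves a comment so the entry is not copied into the real-server setup.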


@ -0,0 +1,44 @@
---
- hosts: all
become: true
vars:
dbname: synapse
dbuser: synapse_user
dbpw: synapse_password
tasks:
- name: Flush handlers
meta: flush_handlers
- name: Check if the api returns the correct version
uri:
url: "http://localhost:8008/_matrix/federation/v1/version"
return_content: true
register: api_version
until: api_version.status == 200
retries: 10
delay: 2
- name: Check returned api version
fail:
msg: "Return value {{ api_version }} is not as expected {{ matrix_synapse_version }}"
when: matrix_synapse_version != "v"~(api_version.content | from_json).server.version
roles:
- role: geerlingguy.pip
- role: geerlingguy.postgresql
postgresql_databases:
- name: "{{ dbname }}"
postgresql_users:
- name: "{{ dbuser }}"
password: "{{ dbpw }}"
postgresql_global_config_options:
- option: listen_addresses
value: "*"
- role: matrix-ansible-synapse
matrix_server_name: localhost
matrix_synapse_report_stats: false
matrix_synapse_pg_host: localhost
matrix_synapse_pg_user: "{{ dbuser }}"
matrix_synapse_pg_pass: "{{ dbpw }}"
matrix_synapse_pg_db: "{{ dbname }}"
matrix_synapse_extra_config:
no_tls: true

141
roles/synapse/vars/main.yml Normal file

@ -0,0 +1,141 @@
---
matrix_synapse_config: "{{ matrix_synapse_base_config | combine(matrix_synapse_extra_config, recursive=True) }}"
matrix_synapse_base_config:
server_name: "{{ matrix_server_name }}"
tls_certificate_path: "{{ matrix_synapse_base_path }}/tls/{{ matrix_server_name }}.crt"
tls_private_key_path: "{{ matrix_synapse_base_path }}/tls/{{ matrix_server_name }}.key"
acme:
enabled: false
url: https://acme-v01.api.letsencrypt.org/directory
port: 80
bind_addresses: ['::', '0.0.0.0']
reprovision_threshold: 30
no_tls: false
tls_fingerprints: []
pid_file: "{{ matrix_synapse_base_path }}/synapse.pid"
soft_file_limit: 0
use_presence: true
listeners:
- port: 8448
bind_addresses:
- '::'
- '0.0.0.0'
type: http
tls: true
x_forwarded: false
resources:
- names: [client]
compress: true
- names: [federation]
compress: false
- port: 8008
tls: false
bind_addresses:
- '::'
- '0.0.0.0'
type: http
x_forwarded: false
resources:
- names: [client]
compress: true
- names: [federation]
compress: false
database:
name: "psycopg2"
args:
user: "{{ matrix_synapse_pg_user }}"
password: "{{ matrix_synapse_pg_pass }}"
database: "{{ matrix_synapse_pg_db }}"
host: "{{ matrix_synapse_pg_host }}"
cp_min: 5
cp_max: 10
log_config: "{{ matrix_synapse_base_path }}/log.config"
event_cache_size: "10K"
rc_messages_per_second: 0.2
rc_message_burst_count: 10.0
federation_rc_window_size: 1000
federation_rc_sleep_limit: 10
federation_rc_sleep_delay: 500
federation_rc_reject_limit: 50
federation_rc_concurrent: 3
media_store_path: "{{ matrix_synapse_base_path }}/media_store"
uploads_path: "{{ matrix_synapse_base_path }}/uploads"
max_upload_size: "23M"
max_image_pixels: "32M"
dynamic_thumbnails: false
thumbnail_sizes:
- width: 32
height: 32
method: crop
- width: 96
height: 96
method: crop
- width: 320
height: 240
method: scale
- width: 640
height: 480
method: scale
- width: 800
height: 600
method: scale
url_preview_enabled: true
url_preview_ip_range_blacklist:
- '127.0.0.0/8'
- '10.0.0.0/8'
- '172.16.0.0/12'
- '192.168.0.0/16'
- '100.64.0.0/10'
- '169.254.0.0/16'
- '::1/128'
- 'fe80::/64'
- 'fc00::/7'
url_preview_url_blacklist:
- username: '*'
- netloc: 'google.com'
- netloc: '*.google.com'
- netloc: 'twitter.com'
- netloc: '*.twitter.com'
- netloc: 't.co'
- netloc: '*.t.co'
max_spider_size: "10M"
enable_registration: False
registration_shared_secret: >
"{{ registration_shared_secret_file.content | b64decode }}"
form_secret: "{{ form_secret_file.content | b64decode }}"
bcrypt_rounds: 12
allow_guest_access: False
trusted_third_party_id_servers:
- matrix.org
- vector.im
autocreate_auto_join_rooms: true
enable_metrics: False
report_stats: "{{ matrix_synapse_report_stats }}"
room_invite_state_types:
- "m.room.join_rules"
- "m.room.canonical_alias"
- "m.room.avatar"
- "m.room.name"
app_service_config_files: []
track_appservice_user_ips: False
macaroon_secret_key: "{{ macaroon_file.content | b64decode }}"
expire_access_token: False
signing_key_path: "{{ matrix_synapse_signing_key_path }}"
old_signing_keys: {}
key_refresh_interval: "1d" # 1 Day.
# TODO: More servers should be added
perspectives:
servers:
"matrix.org":
verify_keys:
"ed25519:auto":
key: "Noi6WqcDj0QmPxCNQqgezwTlBKrfqehY1u2FyWP9uYw"
password_config:
enabled: true
push:
include_content: false
enable_group_creation: true
alias_creation_rules:
- user_id: "*"
alias: "*"
action: allow
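Review bot: The `registration_shared_secret: >` entry is a folded block scalar whose body is itself wrapped in double quotes, so after templating the value handed to Synapse is the decoded secret with literal `"` characters around it plus a trailing newline, unlike `form_secret` and `macaroon_secret_key`, which are plain quoted templates a few lines away. Write it the same way on one line: `registration_shared_secret: "{{ registration_shared_secret_file.content | b64decode }}"`. Style: the capitalized `False` values on `enable_registration`, `allow_guest_access`, `enable_metrics`, `track_appservice_user_ips` and `expire_access_token` should be lowercase `false` to match the other booleans in this file.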