Compare commits

..

No commits in common. "704a1aaba153c566af57ccc680466ec907bce405" and "57981fdd96605cf92c605d4ce58546bb80f4d162" have entirely different histories.

91 changed files with 1903 additions and 2794 deletions

2
.gitignore vendored
View File

@ -1,3 +1 @@
.vagrant .vagrant
hosts.ini
ubuntu-bionic-18.04-cloudimg-console.log

View File

@ -2,8 +2,6 @@
Playbooks for (relatively) easy sysadmin! Playbooks for (relatively) easy sysadmin!
ansible-galaxy install -r requirements.yml
## With Vagrant ## With Vagrant
1. Install Vagrant 1. Install Vagrant
2. `vagrant up` 2. `vagrant up`

72
Vagrantfile vendored Normal file
View File

@ -0,0 +1,72 @@
# -*- mode: ruby -*-
# vi: set ft=ruby :
# All Vagrant configuration is done below. The "2" in Vagrant.configure
# configures the configuration version (we support older styles for
# backwards compatibility). Please don't change it unless you know what
# you're doing.
Vagrant.configure("2") do |config|
# The most common configuration options are documented and commented below.
# For a complete reference, please see the online documentation at
# https://docs.vagrantup.com.
# Every Vagrant development environment requires a box. You can search for
# boxes at https://vagrantcloud.com/search.
config.vm.box = "ubuntu/bionic64"
# Disable automatic box update checking. If you disable this, then
# boxes will only be checked for updates when the user runs
# `vagrant box outdated`. This is not recommended.
# config.vm.box_check_update = false
# Create a forwarded port mapping which allows access to a specific port
# within the machine from a port on the host machine. In the example below,
# accessing "localhost:8080" will access port 80 on the guest machine.
# NOTE: This will enable public access to the opened port
# config.vm.network "forwarded_port", guest: 80, host: 8080
# Create a forwarded port mapping which allows access to a specific port
# within the machine from a port on the host machine and only allow access
# via 127.0.0.1 to disable public access
config.vm.network "forwarded_port", guest: 8008, host: 8008, host_ip: "127.0.0.1"
config.vm.network "forwarded_port", guest: 8448, host: 8448, host_ip: "127.0.0.1"
config.vm.network "forwarded_port", guest: 443, host: 443, host_ip: "127.0.0.1"
# Create a private network, which allows host-only access to the machine
# using a specific IP.
config.vm.network "private_network", ip: "192.168.33.10"
# Create a public network, which generally matched to bridged network.
# Bridged networks make the machine appear as another physical device on
# your network.
# config.vm.network "public_network"
# Share an additional folder to the guest VM. The first argument is
# the path on the host to the actual folder. The second argument is
# the path on the guest to mount the folder. And the optional third
# argument is a set of non-required options.
# config.vm.synced_folder "../data", "/vagrant_data"
# Provider-specific configuration so you can fine-tune various
# backing providers for Vagrant. These expose provider-specific options.
# Example for VirtualBox:
#
config.vm.provider "virtualbox" do |vb|
# Display the VirtualBox GUI when booting the machine
# vb.gui = true
# Customize the amount of memory on the VM:
vb.memory = "4096"
end
#
# View the documentation for the provider you are using for more
# information on available options.
# Enable provisioning with a shell script. Additional provisioners such as
# Puppet, Chef, Ansible, Salt, and Docker are also available. Please see the
# documentation for more information about their specific syntax and use.
# config.vm.provision "shell", inline: <<-SHELL
# apt-get update
# apt-get install -y apache2
# SHELL
end

3
certificate.yml Normal file
View File

@ -0,0 +1,3 @@
# Correctly setup Let's Encrypt certificate renewal
# https://docs.ansible.com/ansible/latest/modules/acme_certificate_module.html
# https://github.com/geerlingguy/ansible-role-certbot

3
group_vars/all/vars.yml Normal file
View File

@ -0,0 +1,3 @@
synapse_dbname: synapse
synapse_dbuser: synapse_db
synapse_dbpw: synapse_db

View File

@ -1 +1 @@
sonic-preprod ansible_connection=ssh ansible_user=root ansible_password=rootroot ansible_host=192.168.42.4 ansible_become=yes synapse ansible_user=vagrant ansible_host="127.0.0.1" ansible_port="2222" ansible_ssh_private_key_file=".vagrant/machines/default/virtualbox/private_key" ansible_become=yes

View File

@ -1,17 +0,0 @@
---
- hosts:
- sonic-preprod
handlers:
- name: reboot
reboot:
pre_tasks:
- apt:
update_cache: yes
# - apt:
# name: python-pip
# roles:
# - geerlingguy.pip
# - import_playbook: nginx-certbot.yml
- import_playbook: matrix.yml

View File

@ -1,11 +0,0 @@
# https://github.com/tulir/mautrix-telegram/wiki/Bridge-setup-with-Docker
# version: "3.7"
# services:
# mautrix-telegram:
# container_name: mautrix-telegram
# image: dock.mau.dev/tulir/mautrix-telegram:<version>
# restart: unless-stopped
# volumes:
# - .:/data

View File

@ -1,41 +0,0 @@
---
- hosts: synapse
# todo: create user for synapse
vars:
matrix_synapse_version: "v1.5.1-py3"
# matrix_synapse_version: "v1.5.1"
matrix_server_name: matrix-sonic-beta.local
matrix_bind_address: "192.168.42.4"
matrix_synapse_pg_host: synapse-postgres # does it need to be an IP?
matrix_synapse_db_name: psycopg2
matrix_synapse_pg_user: "synapse"
matrix_synapse_pg_pass: "pomme"
matrix_synapse_pg_db: "synapse"
matrix_registration_shared_secret: "xxxxx"
matrix_synapse_report_stats: false
matrix_synapse_config_path: "/etc/matrix-synapse/homeserver.yaml"
# to implement
# matrix_no_tls: true
tasks:
# - docker_volume:
# name: synapse-data
- template:
src: templates/synapse_homeserver.yaml.j2
dest: {{ matrix_synapse_config_path }}
- template:
src: templates/docker-compose-matrix.yml.j2
dest: /etc/docker/docker-compose.yml
- name: Create and start matrix services
docker_compose:
project_src: matrix
register: output
# uploads_path: "/var/lib/matrix-synapse/uploads"
# media_store_path: "/var/lib/matrix-synapse/media"

1
nextcloud.yml Normal file
View File

@ -0,0 +1 @@
# Nextcloud with Calendar, Notes and Kanban enabled.

21
postgres.yml Normal file
View File

@ -0,0 +1,21 @@
- hosts: synapse
tasks:
- pip:
name: psycopg2
state: present
roles:
- role: geerlingguy.postgresql
postgresql_databases:
- name: "{{ synapse_dbname }}"
postgresql_users:
- name: "{{ synapse_dbuser }}"
password: "{{ synapse_dbpw }}"
postgresql_global_config_options:
- option: listen_addresses
value: "*"
# username: "postgres",
# password: "postgres",
# database: "imago_dev",
# hostname: "localhost",

View File

@ -1,8 +1,6 @@
# from galaxy # from galaxy
# - src: geerlingguy.pip - src: geerlingguy.pip
# - src: geerlingguy.postgresql - src: geerlingguy.postgresql
# - src: https://github.com/geerlingguy/ansible-role-certbot
# scm: git
# from GitHub, overriding the name and specifying a specific tag # from GitHub, overriding the name and specifying a specific tag
# - src: https://github.com/bennojoy/nginx # - src: https://github.com/bennojoy/nginx
@ -15,6 +13,6 @@
# from GitLab or other git-based scm, using git+ssh # from GitLab or other git-based scm, using git+ssh
# - src: https://gitlab.com/famedly/ansible/synapse - src: https://gitlab.com/famedly/ansible/synapse
# scm: git scm: git
# version: "0.1" # quoted, so YAML doesn't parse this as a floating-point value # version: "0.1" # quoted, so YAML doesn't parse this as a floating-point value

3
roles/geerlingguy.pip/.gitignore vendored Normal file
View File

@ -0,0 +1,3 @@
*.retry
*/__pycache__
*.pyc

View File

@ -0,0 +1,29 @@
---
language: python
services: docker
env:
global:
- ROLE_NAME: pip
matrix:
- MOLECULE_DISTRO: centos7
- MOLECULE_DISTRO: fedora29
- MOLECULE_DISTRO: ubuntu1804
- MOLECULE_DISTRO: debian9
install:
# Install test dependencies.
- pip install molecule docker
before_script:
# Use actual Ansible Galaxy role name for the project directory.
- cd ../
- mv ansible-role-$ROLE_NAME geerlingguy.$ROLE_NAME
- cd geerlingguy.$ROLE_NAME
script:
# Run tests.
- molecule test
notifications:
webhooks: https://galaxy.ansible.com/api/v1/notifications/

View File

@ -0,0 +1,20 @@
The MIT License (MIT)
Copyright (c) 2017 Jeff Geerling
Permission is hereby granted, free of charge, to any person obtaining a copy of
this software and associated documentation files (the "Software"), to deal in
the Software without restriction, including without limitation the rights to
use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
the Software, and to permit persons to whom the Software is furnished to do so,
subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

View File

@ -0,0 +1,76 @@
# Ansible Role: Pip (for Python)
[![Build Status](https://travis-ci.org/geerlingguy/ansible-role-pip.svg?branch=master)](https://travis-ci.org/geerlingguy/ansible-role-pip)
An Ansible Role that installs [Pip](https://pip.pypa.io) on Linux.
## Requirements
On RedHat/CentOS, you may need to have EPEL installed before running this role. You can use the `geerlingguy.repo-epel` role if you need a simple way to ensure it's installed.
## Role Variables
Available variables are listed below, along with default values (see `defaults/main.yml`):
pip_package: python-pip
The name of the packge to install to get `pip` on the system. You can set to `python3-pip`, for example, when using Python 3 on Ubuntu.
pip_executable: pip
The role will try to autodetect the pip executable based on the `pip_package` (e.g. `pip` for Python 2 and `pip3` for Python 3). You can also override this explicitly, e.g. `pip_executable: pip3.6`.
pip_install_packages: []
A list of packages to install with pip. Examples below:
pip_install_packages:
# Specify names and versions.
- name: docker
version: "1.2.3"
- name: awscli
version: "1.11.91"
# Or specify bare packages to get the latest release.
- docker
- awscli
# Or uninstall a package.
- name: docker
state: absent
# Or update a package ot the latest version.
- name: docker
state: latest
# Or force a reinstall.
- name: docker
state: forcereinstall
# Or install a package in a particular virtualenv.
- name: docker
virtualenv: /my_app/venv
## Dependencies
None.
## Example Playbook
- hosts: all
vars:
pip_install_packages:
- name: docker
- name: awscli
roles:
- geerlingguy.pip
## License
MIT / BSD
## Author Information
This role was created in 2017 by [Jeff Geerling](https://www.jeffgeerling.com/), author of [Ansible for DevOps](https://www.ansiblefordevops.com/).

View File

@ -0,0 +1,6 @@
---
# For Python 3, use python3-pip.
pip_package: python-pip
pip_executable: "{{ 'pip3' if pip_package.startswith('python3') else 'pip' }}"
pip_install_packages: []

View File

@ -0,0 +1,2 @@
install_date: Tue Sep 24 09:13:41 2019
version: 1.3.0

View File

@ -0,0 +1,30 @@
---
dependencies: []
galaxy_info:
author: geerlingguy
description: Pip (Python package manager) for Linux.
issue_tracker_url: https://github.com/geerlingguy/ansible-role-pip/issues
company: "Midwestern Mac, LLC"
license: "license (BSD, MIT)"
min_ansible_version: 2.0
platforms:
- name: EL
versions:
- all
- name: Fedora
versions:
- all
- name: Debian
versions:
- all
- name: Ubuntu
versions:
- all
galaxy_tags:
- system
- server
- packaging
- python
- pip
- tools

View File

@ -0,0 +1,29 @@
---
dependency:
name: galaxy
driver:
name: docker
lint:
name: yamllint
options:
config-file: molecule/default/yaml-lint.yml
platforms:
- name: instance
image: "geerlingguy/docker-${MOLECULE_DISTRO:-centos7}-ansible:latest"
command: ${MOLECULE_DOCKER_COMMAND:-""}
volumes:
- /sys/fs/cgroup:/sys/fs/cgroup:ro
privileged: true
pre_build_image: true
provisioner:
name: ansible
lint:
name: ansible-lint
playbooks:
converge: ${MOLECULE_PLAYBOOK:-playbook.yml}
scenario:
name: default
verifier:
name: testinfra
lint:
name: flake8

View File

@ -0,0 +1,20 @@
---
- name: Converge
hosts: all
become: true
vars:
pip_install_packages:
# Test installing a specific version of a package.
- name: ipaddress
version: "1.0.18"
# Test installing a package by name.
- colorama
pre_tasks:
- name: Update apt cache.
apt: update_cache=true cache_valid_time=600
when: ansible_os_family == 'Debian'
roles:
- role: geerlingguy.pip

View File

@ -0,0 +1,14 @@
import os
import testinfra.utils.ansible_runner
testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('all')
def test_hosts_file(host):
f = host.file('/etc/hosts')
assert f.exists
assert f.user == 'root'
assert f.group == 'root'

View File

@ -0,0 +1,6 @@
---
extends: default
rules:
line-length:
max: 120
level: warning

View File

@ -0,0 +1,14 @@
---
- name: Ensure Pip is installed.
package:
name: "{{ pip_package }}"
state: present
- name: Ensure pip_install_packages are installed.
pip:
name: "{{ item.name | default(item) }}"
version: "{{ item.version | default(omit) }}"
virtualenv: "{{ item.virtualenv | default(omit) }}"
state: "{{ item.state | default(omit) }}"
executable: "{{ pip_executable }}"
with_items: "{{ pip_install_packages }}"

View File

@ -0,0 +1,3 @@
skip_list:
- '405'
- '503'

View File

@ -0,0 +1,3 @@
*.retry
*/__pycache__
*.pyc

View File

@ -0,0 +1,31 @@
---
language: python
services: docker
env:
global:
- ROLE_NAME: postgresql
matrix:
- MOLECULE_DISTRO: centos7
- MOLECULE_DISTRO: fedora30
- MOLECULE_DISTRO: ubuntu1804
- MOLECULE_DISTRO: ubuntu1604
- MOLECULE_DISTRO: debian10
- MOLECULE_DISTRO: debian9
install:
# Install test dependencies.
- pip install molecule docker
before_script:
# Use actual Ansible Galaxy role name for the project directory.
- cd ../
- mv ansible-role-$ROLE_NAME geerlingguy.$ROLE_NAME
- cd geerlingguy.$ROLE_NAME
script:
# Run tests.
- molecule test
notifications:
webhooks: https://galaxy.ansible.com/api/v1/notifications/

View File

@ -0,0 +1,20 @@
The MIT License (MIT)
Copyright (c) 2017 Jeff Geerling
Permission is hereby granted, free of charge, to any person obtaining a copy of
this software and associated documentation files (the "Software"), to deal in
the Software without restriction, including without limitation the rights to
use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
the Software, and to permit persons to whom the Software is furnished to do so,
subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

View File

@ -0,0 +1,145 @@
# Ansible Role: PostgreSQL
[![Build Status](https://travis-ci.org/geerlingguy/ansible-role-postgresql.svg?branch=master)](https://travis-ci.org/geerlingguy/ansible-role-postgresql)
Installs and configures PostgreSQL server on RHEL/CentOS or Debian/Ubuntu servers.
## Requirements
No special requirements; note that this role requires root access, so either run it in a playbook with a global `become: yes`, or invoke the role in your playbook like:
- hosts: database
roles:
- role: geerlingguy.postgresql
become: yes
## Role Variables
Available variables are listed below, along with default values (see `defaults/main.yml`):
postgresql_enablerepo: ""
(RHEL/CentOS only) You can set a repo to use for the PostgreSQL installation by passing it in here.
postgresql_restarted_state: "restarted"
Set the state of the service when configuration changes are made. Recommended values are `restarted` or `reloaded`.
postgresql_python_library: python-psycopg2
Library used by Ansible to communicate with PostgreSQL. If you are using Python 3 (e.g. set via `ansible_python_interpreter`), you should change this to `python3-psycopg2`.
postgresql_user: postgres
postgresql_group: postgres
The user and group under which PostgreSQL will run.
postgresql_unix_socket_directories:
- /var/run/postgresql
The directories (usually one, but can be multiple) where PostgreSQL's socket will be created.
postgresql_service_state: started
postgresql_service_enabled: true
Control the state of the postgresql service and whether it should start at boot time.
postgresql_global_config_options:
- option: unix_socket_directories
value: '{{ postgresql_unix_socket_directories | join(",") }}'
Global configuration options that will be set in `postgresql.conf`. Note that for RHEL/CentOS 6 (or very old versions of PostgreSQL), you need to at least override this variable and set the `option` to `unix_socket_directory`.
postgresql_hba_entries:
- { type: local, database: all, user: postgres, auth_method: peer }
- { type: local, database: all, user: all, auth_method: peer }
- { type: host, database: all, user: all, address: '127.0.0.1/32', auth_method: md5 }
- { type: host, database: all, user: all, address: '::1/128', auth_method: md5 }
Configure [host based authentication](https://www.postgresql.org/docs/current/static/auth-pg-hba-conf.html) entries to be set in the `pg_hba.conf`. Options for entries include:
- `type` (required)
- `database` (required)
- `user` (required)
- `address` (one of this or the following two are required)
- `ip_address`
- `ip_mask`
- `auth_method` (required)
- `auth_options` (optional)
If overriding, make sure you copy all of the existing entries from `defaults/main.yml` if you need to preserve existing entries.
postgresql_locales:
- 'en_US.UTF-8'
(Debian/Ubuntu only) Used to generate the locales used by PostgreSQL databases.
postgresql_databases:
- name: exampledb # required; the rest are optional
lc_collate: # defaults to 'en_US.UTF-8'
lc_ctype: # defaults to 'en_US.UTF-8'
encoding: # defaults to 'UTF-8'
template: # defaults to 'template0'
login_host: # defaults to 'localhost'
login_password: # defaults to not set
login_user: # defaults to 'postgresql_user'
login_unix_socket: # defaults to 1st of postgresql_unix_socket_directories
port: # defaults to not set
owner: # defaults to postgresql_user
state: # defaults to 'present'
A list of databases to ensure exist on the server. Only the `name` is required; all other properties are optional.
postgresql_users:
- name: jdoe #required; the rest are optional
password: # defaults to not set
encrypted: # defaults to not set
priv: # defaults to not set
role_attr_flags: # defaults to not set
db: # defaults to not set
login_host: # defaults to 'localhost'
login_password: # defaults to not set
login_user: # defaults to '{{ postgresql_user }}'
login_unix_socket: # defaults to 1st of postgresql_unix_socket_directories
port: # defaults to not set
state: # defaults to 'present'
A list of users to ensure exist on the server. Only the `name` is required; all other properties are optional.
postgresql_version: [OS-specific]
postgresql_data_dir: [OS-specific]
postgresql_bin_path: [OS-specific]
postgresql_config_path: [OS-specific]
postgresql_daemon: [OS-specific]
postgresql_packages: [OS-specific]
OS-specific variables that are set by include files in this role's `vars` directory. These shouldn't be overridden unless you're using a version of PostgreSQL that wasn't installed using system packages.
## Dependencies
None.
## Example Playbook
- hosts: database
become: yes
vars_files:
- vars/main.yml
roles:
- geerlingguy.postgresql
*Inside `vars/main.yml`*:
postgresql_databases:
- name: example_db
postgresql_users:
- name: example_user
password: supersecure
## License
MIT / BSD
## Author Information
This role was created in 2016 by [Jeff Geerling](https://www.jeffgeerling.com/), author of [Ansible for DevOps](https://www.ansiblefordevops.com/).

View File

@ -0,0 +1,64 @@
---
# RHEL/CentOS only. Set a repository to use for PostgreSQL installation.
postgresql_enablerepo: ""
# Set postgresql state when configuration changes are made. Recommended values:
# `restarted` or `reloaded`
postgresql_restarted_state: "restarted"
postgresql_python_library: python-psycopg2
postgresql_user: postgres
postgresql_group: postgres
postgresql_unix_socket_directories:
- /var/run/postgresql
postgresql_service_state: started
postgresql_service_enabled: true
# Global configuration options that will be set in postgresql.conf.
postgresql_global_config_options:
- option: unix_socket_directories
value: '{{ postgresql_unix_socket_directories | join(",") }}'
# Host based authentication (hba) entries to be added to the pg_hba.conf. This
# variable's defaults reflect the defaults that come with a fresh installation.
postgresql_hba_entries:
- {type: local, database: all, user: postgres, auth_method: peer}
- {type: local, database: all, user: all, auth_method: peer}
- {type: host, database: all, user: all, address: '127.0.0.1/32', auth_method: md5}
- {type: host, database: all, user: all, address: '::1/128', auth_method: md5}
# Debian only. Used to generate the locales used by PostgreSQL databases.
postgresql_locales:
- 'en_US.UTF-8'
# Databases to ensure exist.
postgresql_databases: []
# - name: exampledb # required; the rest are optional
# lc_collate: # defaults to 'en_US.UTF-8'
# lc_ctype: # defaults to 'en_US.UTF-8'
# encoding: # defaults to 'UTF-8'
# template: # defaults to 'template0'
# login_host: # defaults to 'localhost'
# login_password: # defaults to not set
# login_user: # defaults to '{{ postgresql_user }}'
# login_unix_socket: # defaults to 1st of postgresql_unix_socket_directories
# port: # defaults to not set
# owner: # defaults to postgresql_user
# state: # defaults to 'present'
# Users to ensure exist.
postgresql_users: []
# - name: jdoe #required; the rest are optional
# password: # defaults to not set
# encrypted: # defaults to not set
# priv: # defaults to not set
# role_attr_flags: # defaults to not set
# db: # defaults to not set
# login_host: # defaults to 'localhost'
# login_password: # defaults to not set
# login_user: # defaults to '{{ postgresql_user }}'
# login_unix_socket: # defaults to 1st of postgresql_unix_socket_directories
# port: # defaults to not set
# state: # defaults to 'present'

View File

@ -0,0 +1,6 @@
---
- name: restart postgresql
service:
name: "{{ postgresql_daemon }}"
state: "{{ postgresql_restarted_state }}"
sleep: 5

View File

@ -0,0 +1,2 @@
install_date: Tue Sep 24 09:13:46 2019
version: 2.0.0

View File

@ -0,0 +1,33 @@
---
dependencies: []
galaxy_info:
author: geerlingguy
description: PostgreSQL server for Linux.
company: "Midwestern Mac, LLC"
license: "license (BSD, MIT)"
min_ansible_version: 2.4
platforms:
- name: EL
versions:
- 6
- 7
- name: Fedora
versions:
- 29
- 30
- name: Ubuntu
versions:
- xenial
- bionic
- name: Debian
versions:
- wheezy
- jessie
- stretch
- buster
galaxy_tags:
- database
- postgresql
- postgres
- rdbms

View File

@ -0,0 +1,29 @@
---
dependency:
name: galaxy
driver:
name: docker
lint:
name: yamllint
options:
config-file: molecule/default/yaml-lint.yml
platforms:
- name: instance
image: "geerlingguy/docker-${MOLECULE_DISTRO:-centos7}-ansible:latest"
command: ${MOLECULE_DOCKER_COMMAND:-""}
volumes:
- /sys/fs/cgroup:/sys/fs/cgroup:ro
privileged: true
pre_build_image: true
provisioner:
name: ansible
lint:
name: ansible-lint
playbooks:
converge: ${MOLECULE_PLAYBOOK:-playbook.yml}
scenario:
name: default
verifier:
name: testinfra
lint:
name: flake8

View File

@ -0,0 +1,46 @@
---
- name: Converge
hosts: all
become: true
vars:
postgresql_databases:
- name: example
postgresql_users:
- name: jdoe
pre_tasks:
# The Fedora 30+ container images have only C.UTF-8 installed
- name: Set database locale if using Fedora 30+
set_fact:
postgresql_databases:
- name: example
lc_collate: 'C.UTF-8'
lc_ctype: 'C.UTF-8'
when:
- ansible_distribution == 'Fedora'
- ansible_distribution_major_version >= '30'
- name: Update apt cache.
apt: update_cache=true cache_valid_time=600
when: ansible_os_family == 'Debian'
- name: Set custom variables for old CentOS 6 PostgreSQL install.
set_fact:
postgresql_hba_entries: []
postgresql_global_config_options:
- option: unix_socket_directory
value: '{{ postgresql_unix_socket_directories[0] }}'
when:
- ansible_os_family == 'RedHat'
- ansible_distribution_version.split('.')[0] == '6'
roles:
- role: geerlingguy.postgresql
post_tasks:
- name: Verify postgres is running.
command: "{{ postgresql_bin_path }}/pg_ctl -D {{ postgresql_data_dir }} status"
changed_when: false
become: true
become_user: postgres

View File

@ -0,0 +1,6 @@
---
extends: default
rules:
line-length:
max: 120
level: warning

View File

@ -0,0 +1,28 @@
---
- name: Configure global settings.
lineinfile:
dest: "{{ postgresql_config_path }}/postgresql.conf"
regexp: "^#?{{ item.option }}.+$"
line: "{{ item.option }} = '{{ item.value }}'"
state: "{{ item.state | default('present') }}"
with_items: "{{ postgresql_global_config_options }}"
notify: restart postgresql
- name: Configure host based authentication (if entries are configured).
template:
src: "pg_hba.conf.j2"
dest: "{{ postgresql_config_path }}/pg_hba.conf"
owner: "{{ postgresql_user }}"
group: "{{ postgresql_group }}"
mode: 0600
notify: restart postgresql
when: postgresql_hba_entries | length > 0
- name: Ensure PostgreSQL unix socket dirs exist.
file:
path: "{{ item }}"
state: directory
owner: "{{ postgresql_user }}"
group: "{{ postgresql_group }}"
mode: 02775
with_items: "{{ postgresql_unix_socket_directories }}"

View File

@ -0,0 +1,21 @@
---
- name: Ensure PostgreSQL databases are present.
postgresql_db:
name: "{{ item.name }}"
lc_collate: "{{ item.lc_collate | default('en_US.UTF-8') }}"
lc_ctype: "{{ item.lc_ctype | default('en_US.UTF-8') }}"
encoding: "{{ item.encoding | default('UTF-8') }}"
template: "{{ item.template | default('template0') }}"
login_host: "{{ item.login_host | default('localhost') }}"
login_password: "{{ item.login_password | default(omit) }}"
login_user: "{{ item.login_user | default(postgresql_user) }}"
login_unix_socket: "{{ item.login_unix_socket | default(postgresql_unix_socket_directories[0]) }}"
port: "{{ item.port | default(omit) }}"
owner: "{{ item.owner | default(postgresql_user) }}"
state: "{{ item.state | default('present') }}"
with_items: "{{ postgresql_databases }}"
become: true
become_user: "{{ postgresql_user }}"
# See: https://github.com/ansible/ansible/issues/16048#issuecomment-229012509
vars:
ansible_ssh_pipelining: true

View File

@ -0,0 +1,29 @@
---
- name: Set PostgreSQL environment variables.
template:
src: postgres.sh.j2
dest: /etc/profile.d/postgres.sh
mode: 0644
notify: restart postgresql
- name: Ensure PostgreSQL data directory exists.
file:
path: "{{ postgresql_data_dir }}"
owner: "{{ postgresql_user }}"
group: "{{ postgresql_group }}"
state: directory
mode: 0700
- name: Check if PostgreSQL database is initialized.
stat:
path: "{{ postgresql_data_dir }}/PG_VERSION"
register: pgdata_dir_version
- name: Ensure PostgreSQL database is initialized.
command: "{{ postgresql_bin_path }}/initdb -D {{ postgresql_data_dir }}"
when: not pgdata_dir_version.stat.exists
become: true
become_user: "{{ postgresql_user }}"
# See: https://github.com/ansible/ansible/issues/16048#issuecomment-229012509
vars:
ansible_ssh_pipelining: true

View File

@ -0,0 +1,23 @@
---
# Variable configuration.
- include_tasks: variables.yml
# Setup/install tasks.
- include_tasks: setup-RedHat.yml
when: ansible_os_family == 'RedHat'
- include_tasks: setup-Debian.yml
when: ansible_os_family == 'Debian'
- include_tasks: initialize.yml
- include_tasks: configure.yml
- name: Ensure PostgreSQL is started and enabled on boot.
service:
name: "{{ postgresql_daemon }}"
state: "{{ postgresql_service_state }}"
enabled: "{{ postgresql_service_enabled }}"
# Configure PostgreSQL.
- import_tasks: users.yml
- import_tasks: databases.yml

View File

@ -0,0 +1,21 @@
---
- name: Ensure PostgreSQL Python libraries are installed.
apt:
name: "{{ postgresql_python_library }}"
state: present
- name: Ensure PostgreSQL packages are installed.
apt:
name: "{{ postgresql_packages }}"
state: present
- name: Ensure all configured locales are present.
locale_gen: "name={{ item }} state=present"
with_items: "{{ postgresql_locales }}"
register: locale_gen_result
- name: Force-restart PostgreSQL after new locales are generated.
service:
name: "{{ postgresql_daemon }}"
state: restarted
when: locale_gen_result.changed

View File

@ -0,0 +1,16 @@
---
- name: Ensure PostgreSQL packages are installed.
yum:
name: "{{ postgresql_packages }}"
state: present
enablerepo: "{{ postgresql_enablerepo | default(omit, true) }}"
# Don't let postgresql-contrib cause the /usr/bin/python symlink
# to be installed, which breaks later Ansible runs on Fedora 30,
# and affects system behavior in multiple ways.
exclude: python-unversioned-command
- name: Ensure PostgreSQL Python libraries are installed.
yum:
name: "{{ postgresql_python_library }}"
state: present
enablerepo: "{{ postgresql_enablerepo | default(omit, true) }}"

View File

@ -0,0 +1,22 @@
---
- name: Ensure PostgreSQL users are present.
postgresql_user:
name: "{{ item.name }}"
password: "{{ item.password | default(omit) }}"
encrypted: "{{ item.encrypted | default(omit) }}"
priv: "{{ item.priv | default(omit) }}"
role_attr_flags: "{{ item.role_attr_flags | default(omit) }}"
db: "{{ item.db | default(omit) }}"
login_host: "{{ item.login_host | default('localhost') }}"
login_password: "{{ item.login_password | default(omit) }}"
login_user: "{{ item.login_user | default(postgresql_user) }}"
login_unix_socket: "{{ item.login_unix_socket | default(postgresql_unix_socket_directories[0]) }}"
port: "{{ item.port | default(omit) }}"
state: "{{ item.state | default('present') }}"
with_items: "{{ postgresql_users }}"
no_log: true
become: true
become_user: "{{ postgresql_user }}"
# See: https://github.com/ansible/ansible/issues/16048#issuecomment-229012509
vars:
ansible_ssh_pipelining: true

View File

@ -0,0 +1,45 @@
---
# Variable configuration.
- name: Include OS-specific variables (Debian).
include_vars: "{{ ansible_distribution }}-{{ ansible_distribution_version.split('.')[0] }}.yml"
when: ansible_os_family == 'Debian'
- name: Include OS-specific variables (RedHat).
include_vars: "{{ ansible_os_family }}-{{ ansible_distribution_version.split('.')[0] }}.yml"
when:
- ansible_os_family == 'RedHat'
- ansible_distribution != 'Fedora'
- name: Include OS-specific variables (Fedora).
include_vars: "{{ ansible_distribution }}-{{ ansible_distribution_version.split('.')[0] }}.yml"
when: ansible_distribution == 'Fedora'
- name: Define postgresql_packages.
set_fact:
postgresql_packages: "{{ __postgresql_packages | list }}"
when: postgresql_packages is not defined
- name: Define postgresql_version.
set_fact:
postgresql_version: "{{ __postgresql_version }}"
when: postgresql_version is not defined
- name: Define postgresql_daemon.
set_fact:
postgresql_daemon: "{{ __postgresql_daemon }}"
when: postgresql_daemon is not defined
- name: Define postgresql_data_dir.
set_fact:
postgresql_data_dir: "{{ __postgresql_data_dir }}"
when: postgresql_data_dir is not defined
- name: Define postgresql_bin_path.
set_fact:
postgresql_bin_path: "{{ __postgresql_bin_path }}"
when: postgresql_bin_path is not defined
- name: Define postgresql_config_path.
set_fact:
postgresql_config_path: "{{ __postgresql_config_path }}"
when: postgresql_config_path is not defined

View File

@ -0,0 +1,9 @@
{{ ansible_managed | comment }}
# PostgreSQL Client Authentication Configuration File
# ===================================================
#
# See: https://www.postgresql.org/docs/current/static/auth-pg-hba-conf.html
{% for client in postgresql_hba_entries %}
{{ client.type }} {{ client.database }} {{ client.user }} {{ client.address|default('') }} {{ client.ip_address|default('') }} {{ client.ip_mask|default('') }} {{ client.auth_method }} {{ client.auth_options|default("") }}
{% endfor %}

View File

@ -0,0 +1,2 @@
export PGDATA={{ postgresql_data_dir }}
export PATH=$PATH:{{ postgresql_bin_path }}

View File

@ -0,0 +1,10 @@
---
__postgresql_version: "11"
__postgresql_data_dir: "/var/lib/postgresql/{{ __postgresql_version }}/main"
__postgresql_bin_path: "/usr/lib/postgresql/{{ __postgresql_version }}/bin"
__postgresql_config_path: "/etc/postgresql/{{ __postgresql_version }}/main"
__postgresql_daemon: "postgresql@{{ postgresql_version }}-main"
__postgresql_packages:
- postgresql
- postgresql-contrib
- libpq-dev

View File

@ -0,0 +1,10 @@
---
__postgresql_version: "9.1"
__postgresql_data_dir: "/var/lib/postgresql/{{ __postgresql_version }}/main"
__postgresql_bin_path: "/usr/lib/postgresql/{{ __postgresql_version }}/bin"
__postgresql_config_path: "/etc/postgresql/{{ __postgresql_version }}/main"
__postgresql_daemon: postgresql
__postgresql_packages:
- postgresql
- postgresql-contrib
- libpq-dev

View File

@ -0,0 +1,10 @@
---
__postgresql_version: "9.4"
__postgresql_data_dir: "/var/lib/postgresql/{{ __postgresql_version }}/main"
__postgresql_bin_path: "/usr/lib/postgresql/{{ __postgresql_version }}/bin"
__postgresql_config_path: "/etc/postgresql/{{ __postgresql_version }}/main"
__postgresql_daemon: "postgresql@{{ postgresql_version }}-main"
__postgresql_packages:
- postgresql
- postgresql-contrib
- libpq-dev

View File

@ -0,0 +1,10 @@
---
__postgresql_version: "9.6"
__postgresql_data_dir: "/var/lib/postgresql/{{ __postgresql_version }}/main"
__postgresql_bin_path: "/usr/lib/postgresql/{{ __postgresql_version }}/bin"
__postgresql_config_path: "/etc/postgresql/{{ __postgresql_version }}/main"
__postgresql_daemon: "postgresql@{{ postgresql_version }}-main"
__postgresql_packages:
- postgresql
- postgresql-contrib
- libpq-dev

View File

@ -0,0 +1,12 @@
---
__postgresql_version: "10.5"
__postgresql_data_dir: "/var/lib/pgsql/data"
__postgresql_bin_path: "/usr/bin"
__postgresql_config_path: "/var/lib/pgsql/data"
__postgresql_daemon: postgresql
__postgresql_packages:
- postgresql
- postgresql-server
- postgresql-contrib
- postgresql-libs
postgresql_python_library: python2-psycopg2

View File

@ -0,0 +1,13 @@
---
__postgresql_version: "11.2"
__postgresql_data_dir: "/var/lib/pgsql/data"
__postgresql_bin_path: "/usr/bin"
__postgresql_config_path: "/var/lib/pgsql/data"
__postgresql_daemon: postgresql
__postgresql_packages:
- postgresql
- postgresql-server
- postgresql-contrib
- postgresql-libs
# Fedora 30 containers only have python3 by default
postgresql_python_library: python3-psycopg2

View File

@ -0,0 +1,11 @@
---
__postgresql_version: "8.4"
__postgresql_data_dir: "/var/lib/pgsql/data"
__postgresql_bin_path: "/usr/bin"
__postgresql_config_path: "/var/lib/pgsql/data"
__postgresql_daemon: postgresql
__postgresql_packages:
- postgresql
- postgresql-server
- postgresql-contrib
- postgresql-libs

View File

@ -0,0 +1,11 @@
---
__postgresql_version: "9.2"
__postgresql_data_dir: "/var/lib/pgsql/data"
__postgresql_bin_path: "/usr/bin"
__postgresql_config_path: "/var/lib/pgsql/data"
__postgresql_daemon: postgresql
__postgresql_packages:
- postgresql
- postgresql-server
- postgresql-contrib
- postgresql-libs

View File

@ -0,0 +1,10 @@
---
__postgresql_version: "9.5"
__postgresql_data_dir: "/var/lib/postgresql/{{ __postgresql_version }}/main"
__postgresql_bin_path: "/usr/lib/postgresql/{{ __postgresql_version }}/bin"
__postgresql_config_path: "/etc/postgresql/{{ __postgresql_version }}/main"
__postgresql_daemon: postgresql
__postgresql_packages:
- postgresql
- postgresql-contrib
- libpq-dev

View File

@ -0,0 +1,10 @@
---
__postgresql_version: "10"
__postgresql_data_dir: "/var/lib/postgresql/{{ __postgresql_version }}/main"
__postgresql_bin_path: "/usr/lib/postgresql/{{ __postgresql_version }}/bin"
__postgresql_config_path: "/etc/postgresql/{{ __postgresql_version }}/main"
__postgresql_daemon: postgresql
__postgresql_packages:
- postgresql
- postgresql-contrib
- libpq-dev

View File

@ -0,0 +1,7 @@
root = true
trim_trailing_whitespace = true
[*.yml]
insert_final_newline = true
indent_style = space
indent_size = 2

1
roles/synapse/.gitignore vendored Normal file
View File

@ -0,0 +1 @@
tests/roles/

View File

@ -0,0 +1,24 @@
---
# -*- coding: utf-8 -*-
before_script:
- apt-get update -qy
- apt-get install -y python-dev python-pip
- git submodule update --init
- pip install --upgrade ansible ansible-lint
- ansible --version
- ansible-lint --version
stages:
- ansible-lint
- ansible-syntax-check
ansible-lint-pip:
stage: ansible-lint
script:
- ansible-lint tests/test-pip.yml
ansible-lint-docker:
stage: ansible-lint
script:
- ansible-lint tests/test-docker.yml

64
roles/synapse/README.md Normal file
View File

@ -0,0 +1,64 @@
# matrix-synapse
Install a matrix synapse server.
## Requirements
The following should be present on the target system
* `pip`
* `systemd`
* `rsyslogd`
* `logrotate`
## Role Variables
### Mandatory Variables
| Name | Type | Description |
| :--- | :--- | :--- |
| **matrix_server_name** | __string__ | |
| **matrix_synapse_tls_cert** | __string__ | server's TLS certificate chain (_when matrix_synapse_extra_config.no_tls is set to true_)|
| **matrix_synapse_tls_key** | __string__ | server's TLS key (_when matrix_synapse_extra_config.no_tls is set to true_)|
| **matrix_synapse_report_stats** | __bool__ | Report the stats to matrix.org |
| **matrix_synapse_pg_host** | __sting__ | postgresql server |
| **matrix_synapse_pg_user** | __string__ | postgresql user |
| **matrix_synapse_pg_pass** | __string__ | postgresql user's password |
| **matrix_synapse_pg_db** | __string__ | postgresql database |
### Optional Variables
| Name | Value | Description |
| :--- | :--- | :--- |
| matrix_synapse_base_path | "/opt/synapse" |
| matrix_synapse_secrets_path | "{{ matrix_synapse_base_path }}/secrets"
| matrix_synapse_extra_config | _None_ | configuration parameters as given in the [synapse configuration file](https://github.com/matrix-org/synapse/tree/master/docs) |
| matrix_synapse_dh_path | "{{ matrix_synapse_base_path }}/tls/{{ matrix_server_name }}.dh" |
| matrix_synapse_baseurl | "https://{{ matrix_server_name }}" |
| matrix_synapse_signing_key_path | "{{ matrix_synapse_base_path }}/ssl/{{ matrix_server_name }}.signing.key" |
| matrix_synapse_version | "v1.0.0" |
| matrix_synapse_log_days_keep | 30 |
| matrix_synapse_deployment_method | pip | Either pip or docker [¹](#footnote_1) |
| matrix_synapse_supervision_method | systemd | Either systemd, runit or docker [¹](#footnote_1) |
| matrix_synapse_python_version | 3 | Default python version (2, 3) to be used |
<a name="footnote_1">¹</a>: Docker must be used for both or neither deployment and supervision
## Dependencies
__None__.
## Example Playbook
```yaml
#TODO: Add example
```
## License
Apache 2.0
# Author Information
* Michael Kaye
* Jan Christian Grünhage
* Emmanouil Kampitakis

1
roles/synapse/TODO.md Normal file
View File

@ -0,0 +1 @@
- Write a handler to restart the systemd service when upgrading

View File

@ -0,0 +1,15 @@
---
matrix_synapse_extra_config: {}
matrix_synapse_deployment_method: pip
matrix_synapse_supervision_method: systemd
matrix_synapse_base_path: "/opt/synapse"
matrix_synapse_secrets_path: "{{ matrix_synapse_base_path }}/secrets"
matrix_synapse_dh_path: "{{ matrix_synapse_base_path }}/tls/{{ matrix_server_name }}.dh"
matrix_synapse_baseurl: "https://{{ matrix_server_name }}"
matrix_synapse_signing_key_path: "{{ matrix_synapse_base_path }}/tls/{{ matrix_server_name }}.signing.key"
matrix_synapse_version: "v1.3.1"
matrix_synapse_log_dir: "/var/log/matrix_synapse"
matrix_synapse_log_days_keep: 30
matrix_synapse_pid_file: "{{ matrix_synapse_base_path }}/synapse.pid"
matrix_synapse_docker_ports: ["8008:8008", "8448:8448"]
matrix_synapse_docker_labels: {}

View File

@ -0,0 +1,29 @@
version: 1
formatters:
precise:
format: '%(name)s - %(lineno)d - %(levelname)s - %(request)s- %(message)s'
filters:
context:
(): synapse.util.logcontext.LoggingContextFilter
request: ""
handlers:
console:
class: logging.StreamHandler
formatter: precise
filters: [context]
loggers:
synapse:
level: INFO
synapse.storage.SQL:
# beware: increasing this to DEBUG will make synapse log sensitive
# information such as access tokens.
level: INFO
root:
level: INFO
handlers: [console]

View File

@ -0,0 +1,27 @@
---
- name: "reload systemd"
systemd:
daemon_reload: yes
- name: "restart matrix-synapse using systemd"
service:
name: "matrix-synapse"
state: restarted
enabled: yes
when: matrix_synapse_supervision_method == "systemd"
listen: "restart matrix-synapse"
- name: "restart synapse using docker"
docker_container:
name: synapse
state: started
restart: yes
when: matrix_synapse_supervision_method == "docker"
listen: "restart matrix-synapse"
- name: restart rsyslog
become: yes
service:
name: rsyslog
state: restarted
when: matrix_synapse_supervision_method == "systemd"

View File

@ -0,0 +1,51 @@
#!/bin/python3
# Copyright: (c) 2018, Emmanouil Kampitakis <info@kampitakis.de>
# Apache 2.0
from ansible.module_utils.basic import AnsibleModule
from signedjson import key
import os
def write_signing_key(path):
with open(path,'w') as f:
key.write_signing_keys(
f,
[key.generate_signing_key('first')]
)
def run_module():
module_args = dict(
path=dict(type='str', required=True),
)
result = dict(
changed=False,
original_message='',
message=''
)
module = AnsibleModule(
argument_spec=module_args,
supports_check_mode=True
)
signing_key_path = module.params['path']
signing_key_exists = os.path.isfile(signing_key_path)
if not signing_key_exists:
result['changed'] = True
if module.check_mode:
return result
write_signing_key(signing_key_path)
module.exit_json(**result)
def main():
run_module()
if __name__ == '__main__':
main()

View File

@ -0,0 +1,2 @@
install_date: Tue Sep 24 09:13:48 2019
version: ''

View File

@ -0,0 +1,16 @@
galaxy_info:
author: michaelkaye
description: Deploys a synapse server
license: Apache 2.0
min_ansible_version: 2.0
platforms:
- name: Debian
versions:
- jessie
galaxy_tags: []
dependencies: []

1
roles/synapse/synapse Symbolic link
View File

@ -0,0 +1 @@
synapse

View File

@ -0,0 +1,64 @@
---
- name: create user
user:
name: synapse
state: present
register: synapse_user
tags:
- pre_install
- name: create directory
file:
path: "{{ matrix_synapse_base_path }}"
state: directory
owner: synapse
group: synapse
tags:
- pre_install
- name: Create secrets directory
file:
path: "{{ matrix_synapse_secrets_path }}"
state: directory
owner: synapse
group: synapse
tags:
- pre_install
- name: Generate secrets
include_tasks: generate_secret.yml
loop:
- file: "macaroon.key"
var: "macaroon_file"
- file: "registration.key"
var: "registration_shared_secret_file"
- file: "form.key"
var: "form_secret_file"
loop_control:
loop_var: secret
- name: Create directory for media storage
file:
path: "{{ item }}"
state: directory
owner: synapse
group: synapse
loop:
- "{{ matrix_synapse_config.media_store_path }}"
- "{{ matrix_synapse_config.uploads_path }}"
- "{{ matrix_synapse_base_path }}/tls"
- name: Deploy config
copy:
content: "{{ matrix_synapse_config | to_nice_yaml }}"
dest: "{{ matrix_synapse_base_path }}/homeserver.yaml"
owner: synapse
group: synapse
notify:
- "restart matrix-synapse"
- name: Configure logging
import_tasks: logging.yml
- name: Create certificates
include_tasks: crypto.yml

View File

@ -0,0 +1,32 @@
---
- name: Install signedjson
pip:
name: signedjson
- name: Create signing key
matrix_signing_key:
path: "{{ matrix_synapse_config.signing_key_path }}"
notify:
- "restart matrix-synapse"
- name: Write server's certificate and private key
block:
- name: create DH parameters
openssl_dhparam:
path: "{{ matrix_synapse_dh_path }}"
owner: synapse
- name: Write certificate
copy:
content: "{{ matrix_synapse_tls_cert }}"
dest: "{{ matrix_synapse_config.tls_certificate_path }}"
owner: synapse
group: synapse
mode: "0644"
- name: Write keyfile
copy:
content: "{{ matrix_synapse_tls_key }}"
dest: "{{ matrix_synapse_config.tls_private_key_path }}"
owner: synapse
group: synapse
mode: "0600"
when: not matrix_synapse_config.no_tls

View File

@ -0,0 +1,78 @@
---
- name: install synapse with pip into virtualenv
block:
- name: Install dependencies
apt:
name:
- git
- build-essential
- python3-dev
- python-virtualenv
- python-pip
- python-setuptools
- sqlite3
- libffi-dev
- libssl-dev
- libjpeg-dev
- libxslt1-dev
- libpq-dev
state: present
cache_valid_time: 1800
tags:
- pre_install
- name: Create virtualenv
pip:
name:
- pip
- setuptools
virtualenv: "{{ matrix_synapse_base_path }}/env"
virtualenv_python: python3
extra_args: --upgrade
tags:
- pre_install
- name: Clone synapse
git:
repo: https://github.com/matrix-org/synapse
dest: "{{ matrix_synapse_base_path }}/synapse"
accept_hostkey: yes
version: "{{ matrix_synapse_version }}"
register: clone_synapse
tags:
- pre_install
- name: Install Synapse
pip:
name: "{{ matrix_synapse_base_path }}/synapse[matrix-synapse-ldap3,postgres,resources.consent,acme,url_preview]"
virtualenv: "{{ matrix_synapse_base_path }}/env"
when: clone_synapse.changed
tags:
- skip_ansible_lint # skip when clause
- pre_install
notify: restart matrix-synapse
when: matrix_synapse_deployment_method == "pip"
- name: install synapse with docker
docker_container:
name: synapse
image: "docker.io/matrixdotorg/synapse:{{ matrix_synapse_version }}"
ports: "{{ matrix_synapse_docker_ports }}"
labels: "{{ matrix_synapse_docker_labels }}"
restart_policy: unless-stopped
recreate: true
pull: true
entrypoint: "python"
command:
- "-m"
- "synapse.app.homeserver"
- "-c"
- "{{ matrix_synapse_base_path }}/homeserver.yaml"
user: "{{ synapse_user.uid }}:{{ synapse_user.group }}"
volumes:
- "{{ matrix_synapse_config.media_store_path }}:{{ matrix_synapse_config.media_store_path }}"
- "{{ matrix_synapse_config.uploads_path }}:{{ matrix_synapse_config.uploads_path }}"
- "{{ matrix_synapse_base_path }}/homeserver.yaml:{{ matrix_synapse_base_path }}/homeserver.yaml"
- "{{ matrix_synapse_base_path }}/log.config:{{ matrix_synapse_base_path }}/log.config"
- "{{ matrix_synapse_base_path }}/tls:{{ matrix_synapse_base_path }}/tls"
when: matrix_synapse_deployment_method == "docker"

View File

@ -0,0 +1,27 @@
---
- name: Set full file path
set_fact:
secret_file_path: "{{ matrix_synapse_secrets_path }}/{{ secret.file }}"
- name: Check if secret exists
stat:
path: "{{ secret_file_path }}"
register: secret_file_stat
- name: Generate random string
copy:
content: "{{ lookup('password', '/dev/null chars=ascii_letters,digits length=42') }}"
dest: "{{ secret_file_path }}"
owner: synapse
group: synapse
mode: "0600"
when:
- not secret_file_stat.stat.exists
# TODO: This below is a dirty hack and should be properly revisited
- name: Retrieve secret
slurp:
src: "{{ secret_file_path }}"
register: secret_var
- name: Set secret.var fact
set_fact: { "{{ secret.var }}": "{{ secret_var }}" }

View File

@ -0,0 +1,35 @@
---
- name: Logging config (systemd)
block:
- name: create logging folder
file:
name: "{{ matrix_synapse_log_dir }}"
state: directory
owner: synapse
group: synapse
- name: copy syslog config
template:
src: syslog-synapse.conf.j2
dest: /etc/rsyslog.d/matrix_synapse.conf
owner: root
notify: restart rsyslog
- name: template logrotate config
template:
src: logrotate.j2
dest: /etc/logrotate.d/matrix_synapse
owner: root
when: matrix_synapse_supervision_method == "systemd"
# TODO: Figure out how to make sure that logging ends up in rsyslog no matter what system we run on
- name: Deploy log config
copy:
src: "log.config"
dest: "{{ matrix_synapse_base_path }}/log.config"
owner: synapse
group: synapse
notify:
- "restart matrix-synapse"

View File

@ -0,0 +1,16 @@
---
- name: check that sypervision and deployment are compatible
fail:
msg: "Either both or neither of deployment and supervision method should be docker."
when: (matrix_synapse_supervision_method == "docker" and matrix_synapse_deployment_method != "docker") or
(matrix_synapse_deployment_method == "docker" and matrix_synapse_supervision_method != "docker")
- name: configure synapse
import_tasks: configure.yml
- name: deploy synapse
import_tasks: deployment.yml
- name: configure service
import_tasks: systemd.yml
when: matrix_synapse_supervision_method == "systemd"

View File

@ -0,0 +1,8 @@
---
- name: Deploy service file
template:
src: "matrix-synapse.service.j2"
dest: "/etc/systemd/system/matrix-synapse.service"
notify:
- "reload systemd"
- "restart matrix-synapse"

View File

@ -0,0 +1,10 @@
{{ ansible_managed | comment }}
/var/log/matrix_synapse/matrix_synapse.log {
daily
rotate {{ matrix_synapse_log_days_keep }}
compress
shred
postrotate
/usr/bin/pkill -HUP rsyslogd
endscript
}

View File

@ -0,0 +1,16 @@
[Unit]
Description="Matrix Synapse Server (synapse)"
[Service]
Type=simple
WorkingDirectory={{ matrix_synapse_base_path }}
ExecStart={{ matrix_synapse_base_path }}/env/bin/python -m synapse.app.homeserver --config-path={{ matrix_synapse_base_path }}/homeserver.yaml
ExecStop={{ matrix_synapse_base_path }}/env/bin/synctl stop {{ matrix_synapse_base_path }}/homeserver.yaml
User=synapse
Group=synapse
Restart=always
StandardOutput=syslog
SyslogIdentifier=matrix_synapse
[Install]
WantedBy=default.target

View File

@ -0,0 +1,2 @@
if $programname == 'matrix_synapse' then {{ matrix_synapse_log_dir }}/matrix_synapse.log
if $programname == 'matrix_synapse' then ~

2
roles/synapse/tests/.gitignore vendored Normal file
View File

@ -0,0 +1,2 @@
.vagrant
*.retry

25
roles/synapse/tests/Vagrantfile vendored Normal file
View File

@ -0,0 +1,25 @@
# -*- mode: ruby -*-
# vi: set ft=ruby :
Vagrant.configure("2") do |config|
config.vm.define "pip" do |pip|
pip.vm.box = "debian/stretch64"
pip.vm.network "forwarded_port", guest: 8008, host: 8008
pip.vm.network "forwarded_port", guest: 8448, host: 8448
pip.vm.provision "ansible" do |ansible|
ansible.playbook = "test-pip.yml"
end
end
config.vm.define "docker" do |docker|
docker.vm.box = "debian/stretch64"
docker.vm.network "forwarded_port", guest: 8008, host: 8009
docker.vm.network "forwarded_port", guest: 8448, host: 8449
docker.vm.provision "ansible" do |ansible|
ansible.playbook = "test-docker.yml"
end
end
end

View File

@ -0,0 +1,3 @@
[defaults]
nocows=1
roles_path=./roles:./../../

View File

@ -0,0 +1,4 @@
---
- role: geerlingguy.pip
- role: geerlingguy.docker
- role: geerlingguy.postgresql

View File

@ -0,0 +1,52 @@
---
- hosts: all
become: true
tasks:
- name: Flush handlers
meta: flush_handlers
- name: Check if the api returns the correct version
uri:
url: "http://localhost:8008/_matrix/federation/v1/version"
return_content: true
register: api_version
until: api_version.status == 200
retries: 10
delay: 2
- name: Check returned api version
fail: >
Return value is not as expected {{ api_version }}
when: matrix_synapse_version != "v"~(api_version.content | from_json).server.version
vars:
dbname: synapse
dbuser: synapse_user
dbpw: synapse_password
matrix_synapse_deployment_method: docker
matrix_synapse_supervision_method: docker
roles:
- role: geerlingguy.pip
pip_install_packages:
- name: docker
- role: geerlingguy.docker
- role: geerlingguy.postgresql
postgresql_databases:
- name: "{{ dbname }}"
postgresql_users:
- name: "{{ dbuser }}"
password: "{{ dbpw }}"
postgresql_global_config_options:
- option: listen_addresses
value: "172.17.0.1"
postgresql_hba_entries:
- { type: local, database: all, user: all, auth_method: trust }
- { type: host, database: "{{ dbname }}", user: "{{ dbuser }}", address: "172.17.0.1/16", auth_method: md5 }
- role: matrix-ansible-synapse
matrix_server_name: localhost
matrix_synapse_report_stats: false
matrix_synapse_pg_host: 172.17.0.1
matrix_synapse_pg_user: "{{ dbuser }}"
matrix_synapse_pg_pass: "{{ dbpw }}"
matrix_synapse_pg_db: "{{ dbname }}"
matrix_synapse_extra_config:
no_tls: true

View File

@ -0,0 +1,44 @@
---
- hosts: all
become: true
vars:
dbname: synapse
dbuser: synapse_user
dbpw: synapse_password
tasks:
- name: Flush handlers
meta: flush_handlers
- name: Check if the api returns the correct version
uri:
url: "http://localhost:8008/_matrix/federation/v1/version"
return_content: true
register: api_version
until: api_version.status == 200
retries: 10
delay: 2
- name: Check returned api version
fail:
msg: "Return value {{ api_version }} is not as expected {{ matrix_synapse_version }}"
when: matrix_synapse_version != "v"~(api_version.content | from_json).server.version
roles:
- role: geerlingguy.pip
- role: geerlingguy.postgresql
postgresql_databases:
- name: "{{ dbname }}"
postgresql_users:
- name: "{{ dbuser }}"
password: "{{ dbpw }}"
postgresql_global_config_options:
- option: listen_addresses
value: "*"
- role: matrix-ansible-synapse
matrix_server_name: localhost
matrix_synapse_report_stats: false
matrix_synapse_pg_host: localhost
matrix_synapse_pg_user: "{{ dbuser }}"
matrix_synapse_pg_pass: "{{ dbpw }}"
matrix_synapse_pg_db: "{{ dbname }}"
matrix_synapse_extra_config:
no_tls: true

141
roles/synapse/vars/main.yml Normal file
View File

@ -0,0 +1,141 @@
---
matrix_synapse_config: "{{ matrix_synapse_base_config | combine(matrix_synapse_extra_config, recursive=True) }}"
matrix_synapse_base_config:
server_name: "{{ matrix_server_name }}"
tls_certificate_path: "{{ matrix_synapse_base_path }}/tls/{{ matrix_server_name }}.crt"
tls_private_key_path: "{{ matrix_synapse_base_path }}/tls/{{ matrix_server_name }}.key"
acme:
enabled: false
url: https://acme-v01.api.letsencrypt.org/directory
port: 80
bind_addresses: ['::', '0.0.0.0']
reprovision_threshold: 30
no_tls: false
tls_fingerprints: []
pid_file: "{{ matrix_synapse_base_path }}/synapse.pid"
soft_file_limit: 0
use_presence: true
listeners:
- port: 8448
bind_addresses:
- '::'
- '0.0.0.0'
type: http
tls: true
x_forwarded: false
resources:
- names: [client]
compress: true
- names: [federation]
compress: false
- port: 8008
tls: false
bind_addresses:
- '::'
- '0.0.0.0'
type: http
x_forwarded: false
resources:
- names: [client]
compress: true
- names: [federation]
compress: false
database:
name: "psycopg2"
args:
user: "{{ matrix_synapse_pg_user }}"
password: "{{ matrix_synapse_pg_pass }}"
database: "{{ matrix_synapse_pg_db }}"
host: "{{ matrix_synapse_pg_host }}"
cp_min: 5
cp_max: 10
log_config: "{{ matrix_synapse_base_path }}/log.config"
event_cache_size: "10K"
rc_messages_per_second: 0.2
rc_message_burst_count: 10.0
federation_rc_window_size: 1000
federation_rc_sleep_limit: 10
federation_rc_sleep_delay: 500
federation_rc_reject_limit: 50
federation_rc_concurrent: 3
media_store_path: "{{ matrix_synapse_base_path }}/media_store"
uploads_path: "{{ matrix_synapse_base_path }}/uploads"
max_upload_size: "23M"
max_image_pixels: "32M"
dynamic_thumbnails: false
thumbnail_sizes:
- width: 32
height: 32
method: crop
- width: 96
height: 96
method: crop
- width: 320
height: 240
method: scale
- width: 640
height: 480
method: scale
- width: 800
height: 600
method: scale
url_preview_enabled: true
url_preview_ip_range_blacklist:
- '127.0.0.0/8'
- '10.0.0.0/8'
- '172.16.0.0/12'
- '192.168.0.0/16'
- '100.64.0.0/10'
- '169.254.0.0/16'
- '::1/128'
- 'fe80::/64'
- 'fc00::/7'
url_preview_url_blacklist:
- username: '*'
- netloc: 'google.com'
- netloc: '*.google.com'
- netloc: 'twitter.com'
- netloc: '*.twitter.com'
- netloc: 't.co'
- netloc: '*.t.co'
max_spider_size: "10M"
enable_registration: False
registration_shared_secret: >
"{{ registration_shared_secret_file.content | b64decode }}"
form_secret: "{{ form_secret_file.content | b64decode }}"
bcrypt_rounds: 12
allow_guest_access: False
trusted_third_party_id_servers:
- matrix.org
- vector.im
autocreate_auto_join_rooms: true
enable_metrics: False
report_stats: "{{ matrix_synapse_report_stats }}"
room_invite_state_types:
- "m.room.join_rules"
- "m.room.canonical_alias"
- "m.room.avatar"
- "m.room.name"
app_service_config_files: []
track_appservice_user_ips: False
macaroon_secret_key: "{{ macaroon_file.content | b64decode }}"
expire_access_token: False
signing_key_path: "{{ matrix_synapse_signing_key_path }}"
old_signing_keys: {}
key_refresh_interval: "1d" # 1 Day.
# TODO: More servers should be added
perspectives:
servers:
"matrix.org":
verify_keys:
"ed25519:auto":
key: "Noi6WqcDj0QmPxCNQqgezwTlBKrfqehY1u2FyWP9uYw"
password_config:
enabled: true
push:
include_content: false
enable_group_creation: true
alias_creation_rules:
- user_id: "*"
alias: "*"
action: allow

11
setup.yml Normal file
View File

@ -0,0 +1,11 @@
---
- hosts:
- synapse
roles:
- geerlingguy.pip
- import_playbook: postgres.yml
# todo: create synapse user
- import_playbook: synapse.yml

29
synapse.yml Normal file
View File

@ -0,0 +1,29 @@
---
- hosts: synapse
# todo: create user for synapse
vars:
# matrix_synapse_version: "v1.3.1"
# localhosts causes certificate generation bugs
# matrix_server_name: localhost
matrix_server_name: dev
matrix_synapse_deployment_method: pip
matrix_synapse_baseurl: "https://{{ matrix_server_name }}"
matrix_synapse_signing_key_path: "{{ matrix_synapse_base_path }}/tls/{{ matrix_server_name }}.signing.key"
matrix_synapse_pg_host: localhost
matrix_synapse_pg_user: "{{ synapse_dbuser }}"
matrix_synapse_pg_pass: "{{ synapse_dbpw }}"
matrix_synapse_pg_db: "{{ synapse_dbname }}"
matrix_synapse_report_stats: false # Report stats to matrix.org?
matrix_synapse_extra_config: # no_tls:true disables port 8448
no_tls: true
# If false:
# matrix_synapse_tls_cert: ""
# matrix_synapse_tls_key: ""
# pre_tasks:
# tasks:
roles:
- synapse

View File

@ -1,70 +0,0 @@
# This compose file is compatible with Compose itself, it might need some
# adjustments to run properly with stack.
version: '3'
services:
{# matrix_synapse_version: "v1.5.1-py3"
# matrix_synapse_version: "v1.5.1"
matrix_server_name: matrix-sonic-beta.local
matrix_synapse_pg_host: synapse-postgres
matrix_synapse_pg_user: ""
matrix_synapse_pg_pass: ""
matrix_synapse_pg_db: " #}
synapse:
{# build:
context: ../..
dockerfile: docker/Dockerfile #}
image: "docker.io/matrixdotorg/synapse: {{ matrix_synapse_version }}"
# Since synapse does not retry to connect to the database, restart upon
# failure
restart: unless-stopped
# See the readme for a full documentation of the environment settings
environment:
- SYNAPSE_CONFIG_PATH={{ matrix_synapse_config_path }}
volumes:
# You may either store all the files in a local folder
- ./matrix-config:/etc/matrix-synapse
- ./files:/data
# .. or you may split this between different storage points
# - ./files:/data
# - /path/to/ssd:/data/uploads
# - /path/to/large_hdd:/data/media
depends_on:
- db
# In order to expose Synapse, remove one of the following, you might for
# instance expose the TLS port directly:
ports:
- 8008:8008/tcp
labels:
{# # The following lines are valid for Traefik version 1.x:
- traefik.enable=true
- traefik.frontend.rule=Host:my.matrix.Host
- traefik.port=8008
# Alternatively, for Traefik version 2.0:
- traefik.enable=true
- traefik.http.routers.http-synapse.entryPoints=http
- traefik.http.routers.http-synapse.rule=Host(`my.matrix.host`)
- traefik.http.middlewares.https_redirect.redirectscheme.scheme=https
- traefik.http.middlewares.https_redirect.redirectscheme.permanent=true
- traefik.http.routers.http-synapse.middlewares=https_redirect
- traefik.http.routers.https-synapse.entryPoints=https
- traefik.http.routers.https-synapse.rule=Host(`my.matrix.host`)
- traefik.http.routers.https-synapse.service=synapse
- traefik.http.routers.https-synapse.tls=true
- traefik.http.services.synapse.loadbalancer.server.port=8008
- traefik.http.routers.https-synapse.tls.certResolver=le-ssl #}
db:
image: docker.io/postgres:10-alpine
# Change that password, of course!
environment:
- POSTGRES_USER={{ matrix_synapse_db_name }}
- POSTGRES_PASSWORD={{ matrix_synapse_pg_pass }}
volumes:
# You may store the database tables in a local folder..
- ./schemas:/var/lib/postgresql/data
# .. or store them on some high performance storage for better results
# - /path/to/ssd/storage:/var/lib/postgresql/data

File diff suppressed because it is too large Load Diff

File diff suppressed because it is too large Load Diff

1
website.yml Normal file
View File

@ -0,0 +1 @@
# Static site deployment with Hugo?