From 3ede224d7b3bc95f45c73a73375c0ad1b911fa1c Mon Sep 17 00:00:00 2001 From: Cullum Smith Date: Fri, 13 Dec 2024 20:53:47 -0500 Subject: add matrix hostclass --- .../matrix-synapse/homeserver.yaml.matrix_server | 19 +++--- .../etc/matrix-synapse/log.config.matrix_server | 36 ++++++++++ .../etc/matrix-synapse/signing.key.matrix_server | 1 + .../usr/local/etc/nginx/vhosts.conf.matrix_server | 46 +++++++++++++ .../local/etc/poudriere.d/pkglist.pkg_repository | 1 + files/usr/local/etc/sudoers.d/acme.matrix_server | 1 + .../local/www/element/config.json.matrix_server | 45 +++++++++++++ scripts/hostclass/matrix_server | 78 ++++++++++++++++++++-- site | 2 +- vars/hostclass/matrix_server | 7 ++ vars/hostclass/xmpp_server | 1 - 11 files changed, 219 insertions(+), 18 deletions(-) create mode 100644 files/usr/local/etc/matrix-synapse/log.config.matrix_server create mode 100644 files/usr/local/etc/matrix-synapse/signing.key.matrix_server create mode 100644 files/usr/local/etc/nginx/vhosts.conf.matrix_server create mode 100644 files/usr/local/etc/sudoers.d/acme.matrix_server create mode 100644 files/usr/local/www/element/config.json.matrix_server create mode 100644 vars/hostclass/matrix_server diff --git a/files/usr/local/etc/matrix-synapse/homeserver.yaml.matrix_server b/files/usr/local/etc/matrix-synapse/homeserver.yaml.matrix_server index d52c351..d255bd3 100644 --- a/files/usr/local/etc/matrix-synapse/homeserver.yaml.matrix_server +++ b/files/usr/local/etc/matrix-synapse/homeserver.yaml.matrix_server @@ -1,6 +1,6 @@ server_name: ${synapse_domain} pid_file: /var/run/matrix-synapse/homeserver.pid -public_baseurl: https://${synapse_public_fqdn}:${synapse_client_port}/ +public_baseurl: https://${synapse_public_fqdn}/ listeners: - port: ${synapse_local_client_port} 
@@ -32,9 +32,9 @@ client_base_url: https://${synapse_public_fqdn} database: name: psycopg2 args: - user: ${synapse_db_user} - database: ${synapse_username} - host: ${synapse_db_host} + user: ${synapse_username} + database: ${synapse_dbname} + host: ${synapse_dbhost} cp_min: 5 cp_max: 10 keepalives_idle: 10 @@ -78,15 +78,15 @@ autocreate_auto_join_rooms: true autocreate_auto_join_rooms_federated: false turn_uris: ['turn:${synapse_turn_host}'] -turn_shared_secret: ${synapse_turn_secret} +turn_shared_secret: "${synapse_turn_secret}" turn_allow_guests: false report_stats: false -macaroon_secret_key: ${synapse_macaroon_secret_key} -form_secret: ${synapse_form_secret} +macaroon_secret_key: "${synapse_macaroon_secret_key}" +form_secret: "${synapse_form_secret}" -signing_key_path: ${synapse_conf_dir}/${synapse_domain}.signing.key +signing_key_path: ${synapse_conf_dir}/signing.key trusted_key_servers: - server_name: matrix.org @@ -96,7 +96,8 @@ modules: - module: ldap_auth_provider.LdapAuthProviderModule config: enabled: true - uri: ${ldap_uri} + uri: +$(printf -- ' - ldap://%s:389\n' $ldap_hosts) start_tls: true base: ${users_basedn} attributes: diff --git a/files/usr/local/etc/matrix-synapse/log.config.matrix_server b/files/usr/local/etc/matrix-synapse/log.config.matrix_server new file mode 100644 index 0000000..c131919 --- /dev/null +++ b/files/usr/local/etc/matrix-synapse/log.config.matrix_server 
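Review bot: The `uri:` items produced by `printf -- ' - ldap://%s:389\n' $ldap_hosts` start at column 1 while the `uri:` key sits several columns deeper under `config:`, so unless the renderer re-indents them the list is dedented below its parent key and YAML will not attach it to `uri`; indenting the format string to match the key, e.g. `printf -- '        - ldap://%s:389\n' $ldap_hosts`, keeps the items nested (verify against a rendered homeserver.yaml, since the exact indent is not visible here). If `$ldap_hosts` expands to nothing, `uri` becomes null and the provider fails at startup with no hint about which variable was missing, which a guard in the hostclass script would make explicit. The hosts are plain `ldap://` with `start_tls: true`, and nothing here sets the ldap3 TLS options, so whether the STARTTLS session validates the directory's certificate depends on the module's defaults; confirm that validation is on (matrix-synapse-ldap3 exposes this as `tls_options`, if the packaged version has it) so that bind credentials cannot be captured by an interposed server. The enclosing `config:` mapping continues outside the hunk.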
@@ -0,0 +1,36 @@
+version: 1
+
+formatters:
+ precise:
+ format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s- %(message)s'
+
+filters:
+ context:
+ (): synapse.util.logcontext.LoggingContextFilter
+ request: ""
+
+handlers:
+ file:
+ class: logging.handlers.RotatingFileHandler
+ formatter: precise
+ filename: /var/log/matrix-synapse/homeserver.log
+ maxBytes: 104857600
+ backupCount: 10
+ filters: [context]
+ level: INFO
+ encoding: utf8
+ console:
+ class: logging.StreamHandler
+ formatter: precise
+ filters: [context]
+
+loggers:
+ synapse:
+ level: INFO
+
+ synapse.storage.SQL:
+ level: INFO
+
+root:
+ level: INFO
+ handlers: [file, console]
diff --git a/files/usr/local/etc/matrix-synapse/signing.key.matrix_server b/files/usr/local/etc/matrix-synapse/signing.key.matrix_server
new file mode 100644
index 0000000..896f036
--- /dev/null
+++ b/files/usr/local/etc/matrix-synapse/signing.key.matrix_server
@@ -0,0 +1 @@
+${synapse_signing_key}
diff --git a/files/usr/local/etc/nginx/vhosts.conf.matrix_server b/files/usr/local/etc/nginx/vhosts.conf.matrix_server
new file mode 100644
index 0000000..4819b4d
--- /dev/null
+++ b/files/usr/local/etc/nginx/vhosts.conf.matrix_server
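Review bot: The context filter is referenced as `synapse.util.logcontext.LoggingContextFilter`, which is the older module path; Synapse's documented sample log config uses `synapse.logging.context.LoggingContextFilter`, and a filter class that fails to import makes `dictConfig` raise so the homeserver does not start at all — confirm the packaged py-matrix-synapse still resolves the old path or change the line to `(): synapse.logging.context.LoggingContextFilter`. The `console` handler carries no `level:` of its own and `root` fans every record out to both `file` and `console`, so every INFO line is also written to stderr; if synapse runs detached under rc that stream is either discarded or captured a second time, which deserves a comment such as `# console duplicates the file log to stderr; drop it when running as a daemon`. A top-of-file comment naming who must own `/var/log/matrix-synapse` would also help, since the rotating handler hard-codes that directory and its creation is not in this file.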
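Review bot: This file holds the homeserver's federation signing key, rendered straight from `${synapse_signing_key}`, so the value must be sourced from the host's secret store rather than a plain vars file, and the rendered file has to end up owned by the synapse user with mode 0600 — the install step is not part of this diff, so confirm it sets that mode. The key file itself cannot carry a comment (synapse parses each line as a key record), so the hostclass script that installs it is the place for a note such as `# synapse_signing_key is a secret: one "ed25519 <id> <base64>" line, never a PEM`.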
@@ -0,0 +1,46 @@
+server {
+ listen ${synapse_federation_port} ssl default_server;
+ listen [::]:${synapse_federation_port} ssl default_server;
+
+ http2 on;
+
+ ssl_certificate ${synapse_https_cert};
+ ssl_certificate_key ${synapse_https_key};
+ ssl_trusted_certificate ${synapse_https_cacert};
+
+ add_header Strict-Transport-Security "max-age=63072000" always;
+
+ location / {
+ proxy_http_version 1.1;
+ proxy_set_header Host \$host;
+ proxy_set_header X-Real-IP \$remote_addr;
+ proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto \$scheme;
+ proxy_pass http://127.0.0.1:${synapse_local_federation_port};
+ }
+}
+
+server {
+ listen 443 ssl default_server;
+ listen [::]:433 ssl default_server;
+
+ http2 on;
+
+ ssl_certificate ${synapse_https_cert};
+ ssl_certificate_key ${synapse_https_key};
+ ssl_trusted_certificate ${synapse_https_cacert};
+
+ root ${synapse_element_webroot};
+
+ add_header Strict-Transport-Security "max-age=63072000" always;
+ client_max_body_size ${synapse_upload_sizelimit};
+
+ location ~ ^(/_matrix|/_synapse/client) {
+ proxy_http_version 1.1;
+ proxy_set_header Host \$host;
+ proxy_set_header X-Real-IP \$remote_addr;
+ proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto \$scheme;
+ proxy_pass http://127.0.0.1:${synapse_local_client_port};
+ }
+}
diff --git a/files/usr/local/etc/poudriere.d/pkglist.pkg_repository b/files/usr/local/etc/poudriere.d/pkglist.pkg_repository
index a310d67..0af0716 100644
--- a/files/usr/local/etc/poudriere.d/pkglist.pkg_repository
+++ b/files/usr/local/etc/poudriere.d/pkglist.pkg_repository
@@ -159,6 +159,7 @@ textproc/py-docutils
 textproc/py-markdown
 textproc/py-pygments
 www/chromium
+www/element-web
 www/fcgiwrap
 www/firefox
 www/linux-widevine-cdm
diff --git a/files/usr/local/etc/sudoers.d/acme.matrix_server b/files/usr/local/etc/sudoers.d/acme.matrix_server
new file mode 100644
index 0000000..9ca89b8
--- /dev/null
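Review bot: The IPv6 listener of the client vhost binds port 433 rather than 443 (`listen [::]:433 ssl default_server;`), so IPv6 clients never reach Element or the client API on the standard port while an unintended TLS listener is exposed on 433; it should read `listen [::]:443 ssl default_server;`. Serving the Element webroot from the same origin as the `/_matrix` client API is something the Element project advises against, because user-generated content returned by the homeserver can then be rendered with the client's own origin; consider a separate hostname for the static files, or at minimum a `Content-Security-Policy` and `X-Frame-Options` header on the `root` location. `ssl_trusted_certificate` is set on both vhosts but neither enables `ssl_stapling` or client verification, so the directive is inert as written — either add `ssl_stapling on; ssl_stapling_verify on;` or drop it so it does not suggest a check that is not happening. The upstream X-Forwarded-* headers are only honoured if the synapse listeners are configured with `x_forwarded: true`, which is outside this diff.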
+++ b/files/usr/local/etc/sudoers.d/acme.matrix_server
@@ -0,0 +1 @@
+${acme_user} ALL=(root) NOPASSWD: /usr/sbin/service nginx reload
diff --git a/files/usr/local/www/element/config.json.matrix_server b/files/usr/local/www/element/config.json.matrix_server
new file mode 100644
index 0000000..94bcbb1
--- /dev/null
+++ b/files/usr/local/www/element/config.json.matrix_server
@@ -0,0 +1,45 @@
+{
+ "default_server_config": {
+ "m.homeserver": {
+ "base_url": "https://${synapse_public_fqdn}",
+ "server_name": "${synapse_domain}"
+ },
+ "m.identity_server": {
+ "base_url": null
+ }
+ },
+ "disable_custom_urls": true,
+ "disable_guests": true,
+ "disable_login_language_selector": false,
+ "disable_3pid_login": true,
+ "force_verification": false,
+ "brand": "Element",
+ "integrations_ui_url": null,
+ "integrations_rest_url": null,
+ "integrations_widgets_urls": null,
+ "default_widget_container_height": 280,
+ "default_country_code": "US",
+ "show_labs_settings": false,
+ "features": {},
+ "default_federate": true,
+ "default_theme": "light",
+ "room_directory": {
+ "servers": ["${synapse_domain}", "matrix.org"]
+ },
+ "enable_presence_by_hs_url": {
+ "https://matrix.org": false,
+ "https://matrix-client.matrix.org": false
+ },
+ "setting_defaults": {
+ "breadcrumbs": true
+ },
+ "jitsi": {
+ "preferred_domain": "meet.element.io"
+ },
+ "element_call": {
+ "url": "https://call.element.io",
+ "participant_limit": 8,
+ "brand": "Element Call"
+ },
+ "map_style_url": "https://api.maptiler.com/maps/streets/style.json?key=fU3vlMsMn4Jb6dnEIFsx"
+}
diff --git a/scripts/hostclass/matrix_server b/scripts/hostclass/matrix_server
index df22c3b..ae8f7a7 100644
--- a/scripts/hostclass/matrix_server
+++ b/scripts/hostclass/matrix_server
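Review bot: The client is locked to this homeserver (`disable_custom_urls`, null identity server, `disable_3pid_login`) but still hands call and map traffic to third parties: `jitsi.preferred_domain` is `meet.element.io`, `element_call.url` is `https://call.element.io`, and `map_style_url` embeds a MapTiler API key that appears to be the public default from the upstream sample config rather than one issued to this deployment. If the deployment is meant to be self-contained, point these at self-hosted services or set them to null, and decide explicitly whether a shared third-party key is acceptable before shipping it. `room_directory.servers` also lists `matrix.org`, which surfaces that public directory in the room browser; drop it if federation with matrix.org is not intended (`autocreate_auto_join_rooms_federated: false` in homeserver.yaml hints at a closed setup). JSON cannot carry comments, so a short note in the hostclass script listing which of these endpoints are external would help the next maintainer.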
@@ -6,11 +6,7 @@ : ${synapse_ldap_password:='changeme'} : ${synapse_domain:="$email_domain"} : ${synapse_public_fqdn:="$fqdn"} -: ${synapse_local_client_port:='8008'} -: ${synapse_local_federation_port:='8009'} -: ${synapse_client_port:='8443'} -: ${synapse_federation_port:='8448'} -: ${synapse_mail_from:="Matrix "} +: ${synapse_email_from:="Matrix "} : ${synapse_username:='s-synapse'} : ${synapse_local_media_retention:='365d'} : ${synapse_remote_media_retention:='90d'} @@ -18,22 +14,90 @@ : ${synapse_turn_host:="$turn_domain"} : ${synapse_turn_secret:="$turn_secret"} : ${synapse_access_role:='matrix-access'} +: ${synapse_dbhost:="$postgres_host"} +: ${synapse_dbname:='synapse'} synapse_db_dir=/var/db/matrix-synapse synapse_conf_dir=/usr/local/etc/matrix-synapse synapse_local_user=synapse +synapse_dn="uid=${synapse_username},${robots_basedn}" +synapse_client_keytab="${keytab_dir}/synapse.client.keytab" +synapse_https_cacert="${acme_cert_dir}/nginx.ca.crt" +synapse_https_cert="${acme_cert_dir}/nginx.crt" +synapse_https_key="${acme_cert_dir}/nginx.key" +synapse_local_client_port=8008 +synapse_local_federation_port=8009 +synapse_element_webroot=/usr/local/www/element # Install required packages. pkg install -y \ py${python_version}-matrix-synapse \ py${python_version}-matrix-synapse-ldap3 \ - nginx + nginx \ + element-web + +# Create ZFS dataset for HTTP upload files. +create_dataset -o "mountpoint=${synapse_db_dir}" "${state_dataset}/synapse" +install_directory -o "$synapse_local_user" -g wheel -m 0700 "$synapse_db_dir" + +# Create synapse principal. +ldap_add "$synapse_dn" <
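Review bot: The defaults for `synapse_federation_port` and the local listener ports are dropped from this block, but the nginx vhost template added in the same commit still expands `${synapse_federation_port}` in its `listen` directives; if the new `vars/hostclass/matrix_server` (not shown here) does not define it, the directive renders as `listen  ssl default_server;` and nginx rejects the config. Keep a default here, e.g. `: ${synapse_federation_port:='8448'}`, or add a comment naming the vars file that is now responsible for it. The surrounding `: ${synapse_ldap_password:='changeme'}` is pre-existing, but since it is a directory bind password a placeholder default is risky; failing the build when it is unset would be safer. The file's second hunk is cut off at the end of the excerpt.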