From 236d813994acd076ce96d764d569ee6bb3da98f9 Mon Sep 17 00:00:00 2001
From: Stonewall Jackson
Date: Wed, 31 May 2023 21:35:04 -0400
Subject: add synapse role

---
 inventory-example/10-hosts | 1 +
 inventory-example/20-by-hostname.yml | 1 +
 inventory-example/40-groups | 3 +++
 inventory-example/group_vars/all/firefox.yml | 2 ++
 inventory-example/group_vars/all/freeipa.yml | 6 ++++++
 inventory-example/group_vars/all/nsd.yml | 3 +++
 inventory-example/group_vars/all/synapse.yml | 8 ++++++++
 inventory-example/group_vars/all/vault.yml | 9 +++++++++
 8 files changed, 33 insertions(+)
 create mode 100644 inventory-example/group_vars/all/synapse.yml
(limited to 'inventory-example')

diff --git a/inventory-example/10-hosts b/inventory-example/10-hosts
index d8c4cc6..90e1acf 100644
--- a/inventory-example/10-hosts
+++ b/inventory-example/10-hosts
@@ -35,6 +35,7 @@ dmz-www1 ip=10.10.19.4
 dmz-xmpp1 ip=10.10.19.5 cname=xmpp
 dmz-turn1 ip=10.10.19.6 cname=turn
 dmz-git1 ip=10.10.19.13
+dmz-matrix1 ip=10.10.19.14 cores=4 ram=8g disk=256g
 dmz-asterisk1 ip=10.10.14.10 cname=asterisk cores=4
 
 [unmanaged]
diff --git a/inventory-example/20-by-hostname.yml b/inventory-example/20-by-hostname.yml
index 165bd37..db1ba15 100644
--- a/inventory-example/20-by-hostname.yml
+++ b/inventory-example/20-by-hostname.yml
@@ -41,3 +41,4 @@ groups:
   authoritative_nameservers: inventory_hostname is match('(dmz-)?dns[0-9]')
   turn_servers: inventory_hostname is match('(dmz-)?turn[0-9]')
   asterisk_servers: inventory_hostname is match('(dmz-)?asterisk[0-9]')
+  matrix_servers: inventory_hostname is match('(dmz-)?matrix[0-9]')
diff --git a/inventory-example/40-groups b/inventory-example/40-groups
index d4646ad..098c743 100644
--- a/inventory-example/40-groups
+++ b/inventory-example/40-groups
@@ -65,6 +65,9 @@ rsyslog_forward = no
 [nagios_servers:vars]
 apache_gssapi = True
 
+[matrix_servers:vars]
+apache_ssl_listen_ports='[443,{{ synapse_client_port }},{{ synapse_federation_port }}]'
+
 [opnsense_firewalls:vars]
 ansible_python_interpreter = /usr/local/bin/python3
 
diff --git a/inventory-example/group_vars/all/firefox.yml b/inventory-example/group_vars/all/firefox.yml
index 5ebc61b..07d227b 100644
--- a/inventory-example/group_vars/all/firefox.yml
+++ b/inventory-example/group_vars/all/firefox.yml
@@ -49,6 +49,8 @@ firefox_managed_bookmarks:
     url: 'https://invidious.{{ domain }}'
   - name: Jellyfin
     url: 'https://jellyfin.{{ domain }}'
+  - name: Matrix
+    url: 'https://matrix.{{ domain }}'
   - name: Nagios
     url: 'https://nagios.{{ domain }}'
   - name: Nitter
diff --git a/inventory-example/group_vars/all/freeipa.yml b/inventory-example/group_vars/all/freeipa.yml
index 3501061..15b7259 100644
--- a/inventory-example/group_vars/all/freeipa.yml
+++ b/inventory-example/group_vars/all/freeipa.yml
@@ -12,6 +12,7 @@ freeipa_users:
     sn: Doe
     mail: john@example.com
     jid: john@example.com
+    mxid: johnnybravo
     mail_aliases:
       - john.nickname@example.com
       - john.alias@exmaple.com
@@ -21,12 +22,14 @@ freeipa_users:
     sn: Tables
     mail: btables@example.com
     jid: btables@example.com
+    mxid: aMatrixUsername
 
   - name: janedoe
     givenname: Jane
     sn: Doe
     mail: jane@example.com
     jid: jane@example.com
+    mxid: plainjane
 
 freeipa_groups:
   # built-in freeipa admin group - be careful!
@@ -125,6 +128,9 @@ freeipa_groups:
   - name: role-git-admin
     group: sysadmins
 
+  - name: role-matrix-access
+    group: doefamily
+
 freeipa_hbac_rules:
   - name: sysadmins_ssh_and_console_to_all
     description: allow sysadmins to ssh to all hosts
diff --git a/inventory-example/group_vars/all/nsd.yml b/inventory-example/group_vars/all/nsd.yml
index ff1afe6..d40351b 100644
--- a/inventory-example/group_vars/all/nsd.yml
+++ b/inventory-example/group_vars/all/nsd.yml
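Review bot: `apache_ssl_listen_ports='[443,{{ synapse_client_port }},{{ synapse_federation_port }}]'` in the new `[matrix_servers:vars]` section is a quoted string, so it only becomes a list if Ansible converts the rendered string back into a list after templating, an implicit behaviour that INI inventory cannot express natively as far as I can tell. A YAML group_vars file for the `matrix_servers` group can hold it as a real block sequence (`- 443`, `- '{{ synapse_client_port }}'`, `- '{{ synapse_federation_port }}'`), which is unambiguous and matches how the rest of this commit keeps structured data under `group_vars/all`. Neither `synapse_client_port` nor `synapse_federation_port` is defined anywhere in this commit, so the values presumably come from role defaults; a comment naming that source next to this line would help the next reader.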
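Review bot: The new `mxid` values in freeipa.yml are bare localparts (`johnnybravo`, `plainjane`) while the neighbouring `jid` and `mail` fields hold full addresses, and nothing in the file says which form the role expects or where the `@` and server-name suffix are added. A comment on the first occurrence, along the lines of `# mxid: Matrix localpart only; the role builds @localpart:server_name` if that is what the role does, would keep later entries consistent. `role-matrix-access` in the third freeipa hunk is granted to `doefamily` only, yet `btables` also receives an `mxid`; worth confirming that pairing is intended. The enclosing `freeipa_users` list starts before these hunks.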
@@ -34,6 +34,7 @@ nsd_zones:
     xmpp1 IN A 203.0.113.57
     turn1 IN A 203.0.113.58
     pbx1 IN A 203.0.113.59
+    matrix IN A 203.0.113.60
     www IN CNAME www1
     xmpp IN CNAME xmpp1
     conference IN CNAME xmpp1
@@ -52,3 +53,5 @@ nsd_zones:
     _sip._udp IN SRV 0 5 5060 pbx1
     _sip._tcp IN SRV 0 5 5060 pbx1
     _sip._tls IN SRV 0 5 5061 pbx1
+
+    _matrix._tcp IN SRV 0 5 8448 matrix
diff --git a/inventory-example/group_vars/all/synapse.yml b/inventory-example/group_vars/all/synapse.yml
new file mode 100644
index 0000000..ac3b4d5
--- /dev/null
+++ b/inventory-example/group_vars/all/synapse.yml
@@ -0,0 +1,8 @@
+synapse_registration_shared_secret: '{{ vault_synapse_registration_shared_secret }}'
+synapse_macaroon_secret_key: '{{ vault_synapse_macaroon_secret_key }}'
+synapse_form_secret: '{{ vault_synapse_form_secret }}'
+synapse_sysaccount_password: '{{ vault_synapse_sysaccount_password }}'
+
+synapse_domain: example.com
+synapse_server_name: matrix.example.com
+synapse_enable_registration: no
diff --git a/inventory-example/group_vars/all/vault.yml b/inventory-example/group_vars/all/vault.yml
index c3e29c5..58b597a 100644
--- a/inventory-example/group_vars/all/vault.yml
+++ b/inventory-example/group_vars/all/vault.yml
@@ -117,8 +117,17 @@ vault_rspamd_dkim_keys: # generate with `rspamadm dkim_keygen`
     AAAAAAAAAAAAAAAAchangeme
     -----END RSA PRIVATE KEY-----
 
+
+# synapse
+vault_synapse_sysaccount_password: changeme
+vault_synapse_registration_shared_secret: changeme
+vault_synapse_macaroon_secret_key: changeme
+vault_synapse_form_secret: changeme
+
+
 # teddit
 vault_teddit_reddit_app_id: changeme
+
 # vaultwarden
 vault_vaultwarden_admin_token: changeme # generate with `openssl rand -base64 48`
 

--
cgit
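Review bot: The SRV record `_matrix._tcp IN SRV 0 5 8448 matrix` sits at the zone apex, so Matrix server discovery will only consult it for a homeserver whose server_name is `example.com`; the new synapse.yml in this commit sets `synapse_server_name: matrix.example.com`, for which federating peers query `_matrix._tcp.matrix.example.com` instead, so confirm which variable the role writes as Synapse's `server_name` before relying on this record. The port 8448 is also hard-coded here while the Apache listener in 40-groups takes it from `{{ synapse_federation_port }}`; if the zone text passes through the templater like other inventory values, `_matrix._tcp IN SRV 0 5 {{ synapse_federation_port }} matrix` keeps the two in step. Giving `matrix` a direct A record in the first hunk rather than the `xmpp1`/`xmpp` A-plus-CNAME pattern used elsewhere in this zone is the right call, because an SRV target must not be a CNAME, and a one-line comment saying so would stop a later cleanup from "fixing" it.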
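Review bot: `synapse_domain: example.com` and `synapse_server_name: matrix.example.com` in the new synapse.yml are both set with nothing saying how they relate, and Synapse's `server_name` is the suffix baked into every user and room ID, which cannot be changed once the homeserver has run; a comment such as `# server_name is permanent after first start: it is the suffix of every @user:… ID` above `synapse_server_name` would make that explicit (which of the two the role writes as `server_name` is not visible here). `synapse_enable_registration: no` parses as false under Ansible's YAML 1.1 loader but is the spelling yamllint's truthy rule rejects; `synapse_enable_registration: false` is the canonical form. A leading `---` document marker is also conventional for Ansible vars files.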
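Review bot: The four new `vault_synapse_*` entries carry only `changeme`, unlike `vault_vaultwarden_admin_token` a few lines below, which documents how to generate a real value; the macaroon secret key signs every Synapse access token and the registration shared secret authorizes account creation through the admin API, so an operator who leaves a weak value here gets a weak homeserver. Add the same hint to each secret line, e.g. `vault_synapse_macaroon_secret_key: changeme # generate with openssl rand -base64 48`, or point at Synapse's own config generator. The hunk also appears to add two blank lines before and two after the `# synapse` stanza where the surrounding stanzas are separated by one.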