From 236d813994acd076ce96d764d569ee6bb3da98f9 Mon Sep 17 00:00:00 2001
From: Stonewall Jackson
Date: Wed, 31 May 2023 21:35:04 -0400
Subject: add synapse role
---
roles/synapse/defaults/main.yml | 58 +++++++++++++
roles/synapse/handlers/main.yml | 4 +
roles/synapse/meta/main.yml | 5 ++
roles/synapse/tasks/database.yml | 21 +++++
roles/synapse/tasks/element.yml | 17 ++++
roles/synapse/tasks/freeipa.yml | 37 +++++++++
roles/synapse/tasks/main.yml | 67 +++++++++++++++
.../etc/systemd/system/synapse.service.j2 | 42 ++++++++++
.../templates/var/lib/synapse/homeserver.yaml.j2 | 96 ++++++++++++++++++++++
.../templates/var/lib/synapse/logging.config.j2 | 23 ++++++
.../templates/var/www/element/config.json.j2 | 45 ++++++++++
roles/synapse/vars/main.yml | 47 +++++++++++
12 files changed, 462 insertions(+)
create mode 100644 roles/synapse/defaults/main.yml
create mode 100644 roles/synapse/handlers/main.yml
create mode 100644 roles/synapse/meta/main.yml
create mode 100644 roles/synapse/tasks/database.yml
create mode 100644 roles/synapse/tasks/element.yml
create mode 100644 roles/synapse/tasks/freeipa.yml
create mode 100644 roles/synapse/tasks/main.yml
create mode 100644 roles/synapse/templates/etc/systemd/system/synapse.service.j2
create mode 100644 roles/synapse/templates/var/lib/synapse/homeserver.yaml.j2
create mode 100644 roles/synapse/templates/var/lib/synapse/logging.config.j2
create mode 100644 roles/synapse/templates/var/www/element/config.json.j2
create mode 100644 roles/synapse/vars/main.yml
(limited to 'roles/synapse')
diff --git a/roles/synapse/defaults/main.yml b/roles/synapse/defaults/main.yml
new file mode 100644
index 0000000..230871b
--- /dev/null
+++ b/roles/synapse/defaults/main.yml
@@ -0,0 +1,58 @@
+synapse_version: 1.84.1
+synapse_ldap_version: 0.2.2
+synapse_element_version: 1.11.31
+synapse_local_client_port: 8008
+synapse_local_federation_port: 8009
+synapse_client_port: 8443
+synapse_federation_port: 8448
+
+synapse_user: s-synapse
+synapse_access_group: role-matrix-access
+
+synapse_db_host: '{{ postgresql_host }}'
+synapse_db_name: synapse
+
+synapse_sysaccount_username: synapse
+#synapse_sysaccount_password
+
+synapse_domain: '{{ email_domain }}'
+
+synapse_server_name: '{{ ansible_fqdn }}'
+
+#synapse_registration_shared_secret
+#synapse_macaroon_secret_key
+#synapse_form_secret
+
+synapse_turn_host: '{{ coturn_realm }}'
+synapse_turn_secret: '{{ coturn_auth_secret }}'
+
+synapse_enable_email_notifications: yes
+synapse_email_from: 'Matrix '
+
+synapse_enable_registration: no
+
+synapse_max_upload_size: 50m
+
+synapse_auto_join_rooms: []
+
+synapse_url_preview_whitelist: []
+synapse_url_preview_blacklist:
+ - '127.0.0.0/8'
+ - '10.0.0.0/8'
+ - '172.16.0.0/12'
+ - '192.168.0.0/16'
+ - '100.64.0.0/10'
+ - '192.0.0.0/24'
+ - '169.254.0.0/16'
+ - '192.88.99.0/24'
+ - '198.18.0.0/15'
+ - '192.0.2.0/24'
+ - '198.51.100.0/24'
+ - '203.0.113.0/24'
+ - '224.0.0.0/4'
+ - '::1/128'
+ - 'fe80::/10'
+ - 'fc00::/7'
+ - '2001:db8::/32'
+ - 'ff00::/8'
+ - 'fec0::/10'
diff --git a/roles/synapse/handlers/main.yml b/roles/synapse/handlers/main.yml
new file mode 100644
index 0000000..36abf64
--- /dev/null
+++ b/roles/synapse/handlers/main.yml
@@ -0,0 +1,4 @@
+- name: restart synapse
+ systemd:
+ name: synapse
+ state: restarted
diff --git a/roles/synapse/meta/main.yml b/roles/synapse/meta/main.yml
new file mode 100644
index 0000000..b06a498
--- /dev/null
+++ b/roles/synapse/meta/main.yml
@@ -0,0 +1,5 @@
+dependencies:
+ - role: freeipa_system_account
+ system_account_username: '{{ synapse_sysaccount_username }}'
+ system_account_password: '{{ synapse_sysaccount_password }}'
+
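Review bot: The four commented-out placeholders (`#synapse_sysaccount_password`, `#synapse_registration_shared_secret`, `#synapse_macaroon_secret_key`, `#synapse_form_secret`) are consumed unconditionally by meta/main.yml and homeserver.yaml.j2, so they are mandatory inputs rather than optional overrides; say so next to them, e.g. `# Required; supply from vault. Templating fails if undefined.`, and note that `registration_shared_secret` permits account creation through the admin registration endpoint even while `synapse_enable_registration` is false. `synapse_enable_email_notifications: yes` and `synapse_enable_registration: no` are YAML 1.1 truthy scalars that yamllint flags; the template normalises them with `| bool`, but `true`/`false` reads unambiguously. `synapse_url_preview_blacklist` appears to mirror Synapse's own default `ip_range_blacklist`, which is worth a one-line comment so it stays in sync with upstream; `0.0.0.0/8` is a candidate addition, since on Linux a connection to 0.0.0.0 reaches localhost.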
diff --git a/roles/synapse/tasks/database.yml b/roles/synapse/tasks/database.yml
new file mode 100644
index 0000000..0494882
--- /dev/null
+++ b/roles/synapse/tasks/database.yml
@@ -0,0 +1,21 @@
+- name: create database
+ postgresql_db:
+ name: '{{ synapse_db_name }}'
+ encoding: UTF-8
+ lc_collate: C
+ lc_ctype: C
+ template: template0
+ state: present
+ delegate_to: "{{ postgresql_inventory_host }}"
+ become: yes
+ become_user: postgres
+
+- name: create database user
+ postgresql_user:
+ name: '{{ synapse_user }}'
+ db: '{{ synapse_db_name }}'
+ priv: ALL
+ state: present
+ delegate_to: "{{ postgresql_inventory_host }}"
+ become: yes
+ become_user: postgres
diff --git a/roles/synapse/tasks/element.yml b/roles/synapse/tasks/element.yml
new file mode 100644
index 0000000..cfc8eff
--- /dev/null
+++ b/roles/synapse/tasks/element.yml
@@ -0,0 +1,17 @@
+- name: create element webroot
+ file:
+ path: '{{ synapse_element_webroot }}'
+ state: directory
+
+- name: extract element tarball
+ unarchive:
+ src: '{{ synapse_element_url }}'
+ remote_src: yes
+ dest: '{{ synapse_element_webroot }}'
+ extra_opts:
+ - '--strip-components=1'
+
+- name: generate element configuration
+ template:
+ src: '{{ synapse_element_webroot[1:] }}/config.json.j2'
+ dest: '{{ synapse_element_webroot }}/config.json'
diff --git a/roles/synapse/tasks/freeipa.yml b/roles/synapse/tasks/freeipa.yml
new file mode 100644
index 0000000..7e6cc02
--- /dev/null
+++ b/roles/synapse/tasks/freeipa.yml
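Review bot: The `create database` task leaves the database owned by `postgres` and only grants the service role `priv: ALL` on it, which on PostgreSQL 15 or newer — where `CREATE` on the `public` schema is no longer granted to every role — leaves Synapse unable to create its tables on first start; make the service account the owner instead, `owner: '{{ synapse_user }}'` under `postgresql_db`, after which the `priv: ALL` grant (deprecated in recent `community.postgresql` releases in favour of `postgresql_privs`) is redundant. The role is created with no password, which I read as deliberate reliance on the Kerberos/gssproxy setup in freeipa.yml; a comment on the `create database user` task such as `# no password: authenticates via GSSAPI through gssproxy (see freeipa.yml)` makes that intent visible to someone reading this file alone.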
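Review bot: `extract element tarball` pulls a release archive straight from GitHub with `remote_src: yes` and no integrity check, and with no `creates:` it re-downloads and re-extracts on every run, so the client served to every user is whatever that URL returns at play time. Fetch the tarball with `get_url` against a pinned checksum (a `synapse_element_sha256` default to add alongside `synapse_element_version`; upstream also publishes `.asc` signatures if you prefer signature verification), then extract the local copy only when the download changed, which also makes the play idempotent. `create element webroot` sets no `owner`/`mode`; since the tree is served by Apache it should presumably be root-owned and world-readable rather than inherit the connecting user's umask — hedged, as the Apache side is outside this diff.
```yaml
- name: download element tarball
  get_url:
    url: '{{ synapse_element_url }}'
    dest: '/usr/local/src/element-v{{ synapse_element_version }}.tar.gz'
    checksum: 'sha256:{{ synapse_element_sha256 }}'
    mode: '0644'
  register: synapse_element_download

- name: extract element tarball
  unarchive:
    src: '{{ synapse_element_download.dest }}'
    remote_src: yes
    dest: '{{ synapse_element_webroot }}'
    extra_opts:
      - '--strip-components=1'
  when: synapse_element_download is changed
# … unchanged: generate element configuration …
```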
@@ -0,0 +1,37 @@
+- name: create user
+ ipauser:
+ ipaadmin_principal: '{{ ipa_user }}'
+ ipaadmin_password: '{{ ipa_pass }}'
+ name: '{{ synapse_user }}'
+ loginshell: /sbin/nologin
+ homedir: '{{ synapse_home }}'
+ givenname: Synapse
+ sn: Service Account
+ state: present
+ run_once: yes
+
+- name: retrieve user keytab
+ include_role:
+ name: freeipa_keytab
+ vars:
+ keytab_principal: '{{ synapse_user }}'
+ keytab_path: '{{ synapse_keytab }}'
+
+- name: configure gssproxy for kerberized postgres
+ include_role:
+ name: gssproxy_client
+ vars:
+ gssproxy_name: synapse
+ gssproxy_section: service/synapse
+ gssproxy_client_keytab: '{{ synapse_keytab }}'
+ gssproxy_cred_usage: initiate
+ gssproxy_euid: '{{ synapse_user }}'
+
+- name: create access group
+ ipagroup:
+ ipaadmin_principal: '{{ ipa_user }}'
+ ipaadmin_password: '{{ ipa_pass }}'
+ name: '{{ synapse_access_group }}'
+ nonposix: yes
+ state: present
+ run_once: yes
diff --git a/roles/synapse/tasks/main.yml b/roles/synapse/tasks/main.yml
new file mode 100644
index 0000000..bf0002d
--- /dev/null
+++ b/roles/synapse/tasks/main.yml
@@ -0,0 +1,67 @@
+- name: install packages
+ dnf:
+ name: '{{ synapse_packages }}'
+ state: present
+
+- import_tasks: freeipa.yml
+
+- name: create home directory
+ file:
+ path: '{{ item }}'
+ owner: '{{ synapse_user }}'
+ group: '{{ synapse_user }}'
+ mode: 0700
+ state: directory
+ loop:
+ - '{{ synapse_home }}'
+ - '{{ synapse_venv }}'
+
+- name: install synapse
+ pip:
+ name: '{{ synapse_pip_packages }}'
+ virtualenv: '{{ synapse_venv }}'
+ state: latest
+ become: yes
+ become_user: '{{ synapse_user }}'
+
+- name: generate synapse configuration
+ template:
+ src: '{{ synapse_home[1:] }}/{{ item }}.j2'
+ dest: '{{ synapse_home }}/{{ item }}'
+ owner: '{{ synapse_user }}'
+ group: '{{ synapse_user }}'
+ mode: 0600
+ notify: restart synapse
+ loop:
+ - homeserver.yaml
+ - logging.config
+
+- name: generate signing key
+ shell:
+ cmd: >-
+ source {{ synapse_venv }}/bin/activate &&
+ python -m synapse.app.homeserver --config-path {{ synapse_home }}/homeserver.yaml --generate-keys
+ creates: '{{ synapse_home }}/{{ synapse_domain }}.signing.key'
+ become: yes
+ become_user: '{{ synapse_user }}'
+
+- name: create systemd unit
+ template:
+ src: etc/systemd/system/synapse.service.j2
+ dest: /etc/systemd/system/synapse.service
+ notify: restart synapse
+
+- name: reload systemd daemons
+ systemd:
+ daemon_reload: yes
+
+- import_tasks: database.yml
+
+- name: enable systemd unit
+ systemd:
+ name: synapse
+ enabled: yes
+ state: started
+
+- import_tasks: element.yml
+ tags: element
diff --git a/roles/synapse/templates/etc/systemd/system/synapse.service.j2 b/roles/synapse/templates/etc/systemd/system/synapse.service.j2
new file mode 100644
index 0000000..84ab9f3
--- /dev/null
+++ b/roles/synapse/templates/etc/systemd/system/synapse.service.j2
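Review bot: `install synapse` runs `pip` with `state: latest` over a list that pins `matrix-synapse` and the LDAP provider but leaves `lxml` and `systemd-python` unpinned (see vars/main.yml), so every play silently upgrades those two to whatever PyPI serves that day — an unreviewed code path onto the homeserver and a non-idempotent task. Pin them and use `state: present`; if the venv must contain only vetted artefacts, install from a hash-locked requirements file (`pip install --require-hashes -r …`) rather than a name list. `generate signing key` shells out through `source …/activate && python …`, a bash-ism under `shell`'s default `/bin/sh` that is also unnecessary because the venv interpreter can be called directly with `command`: `cmd: '{{ synapse_venv }}/bin/python -m synapse.app.homeserver --config-path {{ synapse_home }}/homeserver.yaml --generate-keys'`. The `mode: 0700` / `mode: 0600` values are bare YAML integers; Ansible accepts leading-zero octals, but the documented safe form is the quoted string `mode: '0600'`.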
@@ -0,0 +1,42 @@
+[Unit]
+Description=Synapse Matrix Homeserver
+Documentation=https://github.com/matrix-org/synapse
+Wants=gssproxy.service
+After=network-online.target nss-user-lookup.target gssproxy.service
+
+[Service]
+NoNewPrivileges=yes
+PrivateTmp=yes
+PrivateDevices=yes
+DevicePolicy=closed
+ProtectSystem=strict
+ProtectHome=yes
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+LockPersonality=yes
+ReadWritePaths={{ synapse_home }}
+
+User={{ synapse_user }}
+Group={{ synapse_user }}
+
+Type=notify
+NotifyAccess=main
+WorkingDirectory={{ synapse_home }}
+Environment=GSS_USE_PROXY=yes
+EnvironmentFile=-/etc/sysconfig/synapse
+
+ExecStart={{ synapse_venv }}/bin/python -m synapse.app.homeserver --config-path={{ synapse_home }}/homeserver.yaml
+ExecReload=/bin/kill -HUP $MAINPID
+
+Restart=always
+RestartSec=3
+
+SyslogIdentifier=synapse
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/synapse/templates/var/lib/synapse/homeserver.yaml.j2 b/roles/synapse/templates/var/lib/synapse/homeserver.yaml.j2
new file mode 100644
index 0000000..8aefce7
--- /dev/null
+++ b/roles/synapse/templates/var/lib/synapse/homeserver.yaml.j2
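Review bot: The `[Service]` sandbox stops short of the syscall and capability limits that do the most for an unprivileged network daemon: there is no `SystemCallFilter`, `SystemCallArchitectures`, `CapabilityBoundingSet`, `ProtectKernelLogs`, `ProtectHostname`, `ProtectClock` or `UMask`, so a compromised process keeps the full syscall surface and can create world-readable media files. `ReadWritePaths={{ synapse_home }}` also leaves the service's own `homeserver.yaml`, `logging.config` and signing key writable by the process it protects; if the only runtime writes go to the media store, narrowing to `ReadWritePaths={{ synapse_home }}/media_store` would stop a compromised worker from rewriting its config — hedged, confirm nothing else under the home directory is written at runtime before narrowing. `synapse_runtime_dir` (`/run/synapse`) is referenced by `pid_file` in homeserver.yaml.j2 but nothing creates it; `RuntimeDirectory=synapse` lets systemd manage it under `ProtectSystem=strict` with the right owner. `ProtectProc=invisible` is worth adding where systemd is 247 or newer.
```ini
[Service]
; … unchanged: existing NoNewPrivileges/Private*/Protect*/Restrict* directives …
SystemCallFilter=@system-service
SystemCallArchitectures=native
CapabilityBoundingSet=
ProtectKernelLogs=yes
ProtectHostname=yes
ProtectClock=yes
UMask=0077
RuntimeDirectory=synapse
ReadWritePaths={{ synapse_home }}
```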
@@ -0,0 +1,96 @@
+server_name: {{ synapse_domain }}
+
+pid_file: {{ synapse_runtime_dir }}/homeserver.pid
+
+public_baseurl: https://{{ synapse_server_name }}:{{ synapse_client_port }}/
+
+listeners:
+ - port: {{ synapse_local_client_port }}
+ tls: false
+ type: http
+ x_forwarded: true
+ bind_addresses: ['::1', '127.0.0.1']
+ resources:
+ - names: [client]
+ compress: false
+
+ - port: {{ synapse_local_federation_port }}
+ tls: false
+ type: http
+ x_forwarded: true
+ bind_addresses: ['::1', '127.0.0.1']
+ resources:
+ - names: [federation]
+ compress: false
+
+email:
+ smtp_host: 127.0.0.1
+ smtp_port: 25
+ enable_tls: false
+ notif_from: {{ synapse_email_from | to_yaml }}
+ enable_notifs: {{ synapse_enable_email_notifications | bool | to_yaml }}
+
+client_base_url: https://{{ synapse_server_name }}
+
+database:
+ name: psycopg2
+ args:
+ user: '{{ synapse_user }}'
+ database: '{{ synapse_db_name }}'
+ host: '{{ synapse_db_host }}'
+ cp_min: 5
+ cp_max: 10
+ keepalives_idle: 10
+ keepalives_interval: 10
+ keepalives_count: 3
+
+log_config: {{ synapse_home }}/logging.config
+
+media_store_path: {{ synapse_home }}/media_store
+max_upload_size: {{ synapse_max_upload_size | human_to_bytes }}
+
+url_preview_enabled: true
+url_preview_ip_range_blacklist: {{ synapse_url_preview_blacklist | to_yaml }}
+url_preview_ip_range_whitelist: {{ synapse_url_preview_whitelist | to_yaml }}
+
+enable_registration: {{ synapse_enable_registration | bool | to_yaml }}
+registration_shared_secret: {{ synapse_registration_shared_secret | to_yaml }}
+
+{% if synapse_auto_join_rooms %}
+auto_join_rooms:
+{% for room in synapse_auto_join_rooms %}
+ - '#{{ room }}:{{ synapse_domain }}'
+{% endfor %}
+{% endif %}
+autocreate_auto_join_rooms: true
+autocreate_auto_join_rooms_federated: false
+
+turn_uris: ['turn:{{ synapse_turn_host }}']
+turn_shared_secret: {{ synapse_turn_secret }}
+turn_allow_guests: false
+
+report_stats: false
+
+macaroon_secret_key: {{ synapse_macaroon_secret_key | to_yaml }}
+form_secret: {{ synapse_form_secret | to_yaml }}
+
+signing_key_path: {{ synapse_home }}/{{ synapse_domain }}.signing.key
+
+trusted_key_servers:
+ - server_name: matrix.org
+suppress_key_server_warning: true
+
+modules:
+ - module: ldap_auth_provider.LdapAuthProviderModule
+ config:
+ enabled: true
+ uri: {{ freeipa_ldap_uri | split | to_yaml }}
+ start_tls: true
+ base: {{ freeipa_user_basedn }}
+ attributes:
+ uid: matrixUsername
+ mail: mail
+ name: matrixUsername
+ bind_dn: uid={{ synapse_sysaccount_username }},{{ freeipa_sysaccount_basedn }}
+ bind_password: {{ synapse_sysaccount_password }}
+ filter: '(memberOf=cn={{ synapse_access_group }},{{ freeipa_group_basedn }})'
diff --git a/roles/synapse/templates/var/lib/synapse/logging.config.j2 b/roles/synapse/templates/var/lib/synapse/logging.config.j2
new file mode 100644
index 0000000..216e9e8
--- /dev/null
+++ b/roles/synapse/templates/var/lib/synapse/logging.config.j2
@@ -0,0 +1,23 @@
+version: 1
+
+formatters:
+ journal_fmt:
+ format: '%(name)s: [%(request)s] %(message)s'
+
+filters:
+ context:
+ (): synapse.logging.context.LoggingContextFilter
+ request: ""
+
+handlers:
+ journal:
+ class: systemd.journal.JournalHandler
+ formatter: journal_fmt
+ filters: [context]
+ SYSLOG_IDENTIFIER: synapse
+
+root:
+ level: INFO
+ handlers: [journal]
+
+disable_existing_loggers: False
diff --git a/roles/synapse/templates/var/www/element/config.json.j2 b/roles/synapse/templates/var/www/element/config.json.j2
new file mode 100644
index 0000000..3556704
--- /dev/null
+++ b/roles/synapse/templates/var/www/element/config.json.j2
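Review bot: `turn_shared_secret: {{ synapse_turn_secret }}` and `bind_password: {{ synapse_sysaccount_password }}` are rendered as bare scalars while every other secret in this template goes through a filter, so a secret containing `#`, `: `, a leading YAML indicator or one that happens to look numeric is mangled or re-typed by the parser and TURN or LDAP auth fails in a way that is hard to trace back to the template. The `| to_yaml` used elsewhere is also suspect for inline scalars: I believe PyYAML appends a `...` document-end marker when dumping a lone plain scalar, so `enable_notifs: {{ … | bool | to_yaml }}` and the secret lines may render as `value\n...\n` and make the file fail to load as a single document — verify on a rendered file, and prefer `| to_json` for every inline scalar and list here (`turn_shared_secret: {{ synapse_turn_secret | to_json }}`, `bind_password: {{ synapse_sysaccount_password | to_json }}`), since JSON is valid YAML flow syntax and quotes unconditionally. `database.args` sets neither `sslmode` nor `gssencmode`, so libpq's default of *prefer* applies and a connection to a remote `{{ synapse_db_host }}` silently falls back to cleartext if encryption negotiation fails; `gssencmode: require` (or `sslmode: verify-full` with a CA) turns that downgrade into an error — hedged, as the PostgreSQL side of the Kerberos setup is outside this diff. `turn_uris` advertises only plain `turn:`; if coturn has TLS, list a `turns:` URI first.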
@@ -0,0 +1,45 @@
+{
+ "default_server_config": {
+ "m.homeserver": {
+ "base_url": "https://{{ synapse_server_name }}:{{ synapse_client_port }}",
+ "server_name": "{{ synapse_domain }}"
+ },
+ "m.identity_server": {
+ "base_url": null
+ }
+ },
+ "disable_custom_urls": true,
+ "disable_guests": true,
+ "disable_login_language_selector": false,
+ "disable_3pid_login": true,
+ "brand": "Element",
+ "integrations_ui_url": null,
+ "integrations_rest_url": null,
+ "integrations_widgets_urls": null,
+ "bug_report_endpoint_url": null,
+ "uisi_autorageshake_app": "element-auto-uisi",
+ "default_country_code": "US",
+ "show_labs_settings": false,
+ "features": {},
+ "default_federate": true,
+ "default_theme": "light",
+ "room_directory": {
+ "servers": ["{{ synapse_domain }}", "matrix.org"]
+ },
+ "enable_presence_by_hs_url": {
+ "https://matrix.org": false,
+ "https://matrix-client.matrix.org": false
+ },
+ "setting_defaults": {
+ "breadcrumbs": true
+ },
+ "jitsi": {
+ "preferred_domain": "meet.element.io"
+ },
+ "element_call": {
+ "url": "https://call.element.io",
+ "participant_limit": 8,
+ "brand": "Element Call"
+ },
+ "map_style_url": "https://api.maptiler.com/maps/streets/style.json?key=fU3vlMsMn4Jb6dnEIFsx"
+}
diff --git a/roles/synapse/vars/main.yml b/roles/synapse/vars/main.yml
new file mode 100644
index 0000000..43c04d9
--- /dev/null
+++ b/roles/synapse/vars/main.yml
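Review bot: `map_style_url` hard-codes a MapTiler API key into the client shipped to every user; it appears to be the key from Element's upstream sample config rather than one this deployment owns, and with it every location share fetches tiles from `api.maptiler.com` under a third party's quota and visibility. Make it a role variable defaulting to `null` — `"map_style_url": {{ synapse_map_style_url | default(None) | to_json }}` — and treat `jitsi.preferred_domain` (`meet.element.io`), `element_call.url` (`call.element.io`) and the `matrix.org` entry in `room_directory.servers` the same way, because a config that sets `disable_custom_urls` and `disable_3pid_login` to keep users on local infrastructure probably does not mean to route calls and directory lookups to element.io by default. JSON has no comment syntax, so the place to document which external endpoints are opted into is next to those defaults in defaults/main.yml.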
@@ -0,0 +1,47 @@
+synapse_packages:
+ - libtiff-devel
+ - libjpeg-devel
+ - libzip-devel
+ - freetype-devel
+ - libwebp-devel
+ - libxml2-devel
+ - libxslt-devel
+ - libpq-devel
+ - python3-virtualenv
+ - libffi-devel
+ - openssl-devel
+ - python3-devel
+ - libicu-devel
+ - python3-psycopg2
+ - systemd-devel
+ - gcc
+
+synapse_pip_packages:
+ - 'matrix-synapse[postgres]=={{ synapse_version }}'
+ - 'matrix-synapse-ldap3=={{ synapse_ldap_version }}'
+ - lxml
+ - systemd-python
+
+synapse_home: /var/lib/synapse
+synapse_keytab: /var/lib/gssproxy/clients/{{ synapse_user }}.keytab
+synapse_venv: '{{ synapse_home }}/venv'
+synapse_runtime_dir: /run/synapse
+synapse_element_url: https://github.com/vector-im/element-web/releases/download/v{{ synapse_element_version }}/element-v{{ synapse_element_version }}.tar.gz
+synapse_element_webroot: /var/www/element
+
+synapse_apache_client_config: |
+ LimitRequestBody {{ synapse_max_upload_size | human_to_bytes }}
+ AllowEncodedSlashes NoDecode
+ {{ apache_proxy_config }}
+
+ ProxyPass http://127.0.0.1:{{ synapse_local_client_port }}/ nocanon
+ ProxyPassReverse http://127.0.0.1:{{ synapse_local_client_port }}/
+
+
+synapse_apache_federation_config: |
+ AllowEncodedSlashes NoDecode
+ {{ apache_proxy_config }}
+
+ ProxyPass http://127.0.0.1:{{ synapse_local_federation_port }}/ nocanon
+ ProxyPassReverse http://127.0.0.1:{{ synapse_local_federation_port }}/
+
-- cgit
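Review bot: `synapse_packages` puts `gcc` and a dozen `-devel` header packages on the homeserver solely so `pip` can compile `matrix-synapse[postgres]`, `lxml` and `systemd-python`; a compiler toolchain on a production host is avoidable attack surface when the versions are pinned with `==` and wheels could be built once elsewhere. If building in place is the intent, say so above the list, e.g. `# build-time only: required to compile the venv; consider removing after install`, and pin `lxml` and `systemd-python` in `synapse_pip_packages` so the build is reproducible. `synapse_apache_federation_config` has no `LimitRequestBody`, unlike the client block, even though federation transactions (`PUT /_matrix/federation/v1/send/...`) carry request bodies from arbitrary remote servers, so their size is bounded only by Synapse itself — hedged, as the enclosing `{{ apache_proxy_config }}` may already set one.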