From 236d813994acd076ce96d764d569ee6bb3da98f9 Mon Sep 17 00:00:00 2001 From: Stonewall Jackson Date: Wed, 31 May 2023 21:35:04 -0400 Subject: add synapse role --- roles/apache/README.md | 2 + roles/apache/defaults/main.yml | 6 ++ roles/apache/tasks/main.yml | 14 +++- .../apache/templates/etc/httpd/conf.d/ssl.conf.j2 | 4 +- .../apache/templates/etc/httpd/conf/httpd.conf.j2 | 4 +- roles/apache_vhost/README.md | 4 +- roles/apache_vhost/defaults/main.yml | 3 +- .../templates/etc/httpd/conf.d/vhost.conf.j2 | 14 ++-- .../usr/local/share/dirsrv/schema/matrix.ldif | 3 + roles/freeipa_server/tasks/custom_schema.yml | 62 +++++++++++++- roles/synapse/defaults/main.yml | 58 +++++++++++++ roles/synapse/handlers/main.yml | 4 + roles/synapse/meta/main.yml | 5 ++ roles/synapse/tasks/database.yml | 21 +++++ roles/synapse/tasks/element.yml | 17 ++++ roles/synapse/tasks/freeipa.yml | 37 +++++++++ roles/synapse/tasks/main.yml | 67 +++++++++++++++ .../etc/systemd/system/synapse.service.j2 | 42 ++++++++++ .../templates/var/lib/synapse/homeserver.yaml.j2 | 96 ++++++++++++++++++++++ .../templates/var/lib/synapse/logging.config.j2 | 23 ++++++ .../templates/var/www/element/config.json.j2 | 45 ++++++++++ roles/synapse/vars/main.yml | 47 +++++++++++ 22 files changed, 560 insertions(+), 18 deletions(-) create mode 100644 roles/freeipa_server/files/usr/local/share/dirsrv/schema/matrix.ldif create mode 100644 roles/synapse/defaults/main.yml create mode 100644 roles/synapse/handlers/main.yml create mode 100644 roles/synapse/meta/main.yml create mode 100644 roles/synapse/tasks/database.yml create mode 100644 roles/synapse/tasks/element.yml create mode 100644 roles/synapse/tasks/freeipa.yml create mode 100644 roles/synapse/tasks/main.yml create mode 100644 roles/synapse/templates/etc/systemd/system/synapse.service.j2 create mode 100644 roles/synapse/templates/var/lib/synapse/homeserver.yaml.j2 create mode 100644 roles/synapse/templates/var/lib/synapse/logging.config.j2 create mode 100644 roles/synapse/templates/var/www/element/config.json.j2 create mode 100644 roles/synapse/vars/main.yml (limited to 'roles') diff --git a/roles/apache/README.md b/roles/apache/README.md index 77f0ec9..ce203d3 100644 --- a/roles/apache/README.md +++ b/roles/apache/README.md @@ -14,6 +14,8 @@ This role **accepts** the following variables: Variable | Default | Description ---------------------------------|-----------|------------ +`apache_listen_ports` | `[80]` | HTTP ports to listen on +`apache_ssl_listen_ports` | `[443]` | HTTPS ports to listen on `apache_use_nfs` | no | Value of the `httpd_use_nfs` SELinux boolean `apache_can_network_relay` | yes | Value of the `httpd_can_network_relay` SELinux boolean `apache_can_network_connect` | no | Value of the `httpd_can_network_connect` SELinux boolean diff --git a/roles/apache/defaults/main.yml b/roles/apache/defaults/main.yml index b0605ba..b5dad87 100644 --- a/roles/apache/defaults/main.yml +++ b/roles/apache/defaults/main.yml @@ -6,6 +6,12 @@ apache_can_connect_ldap: no apache_can_sendmail: no apache_gssapi: no +apache_listen_ports: + - 80 + +apache_ssl_listen_ports: + - 443 + apache_sysaccount_username: apache apache_backup_dirs: [] diff --git a/roles/apache/tasks/main.yml b/roles/apache/tasks/main.yml index 4892782..dacd9cb 100644 --- a/roles/apache/tasks/main.yml +++ b/roles/apache/tasks/main.yml @@ -45,6 +45,14 @@ import_tasks: gssapi.yml when: apache_gssapi or apache_use_nfs +- name: set http_port_t selinux context for http ports + seport: + ports: '{{ apache_listen_ports + apache_ssl_listen_ports }}' + proto: tcp + setype: http_port_t + state: present + tags: selinux + - name: enable apache systemd: name: httpd @@ -53,11 +61,9 @@ - name: open firewall ports firewalld: - service: '{{ item }}' + port: '{{ item }}/tcp' permanent: yes immediate: yes state: enabled - loop: - - http - - https + loop: '{{ apache_listen_ports + apache_ssl_listen_ports }}' tags: firewalld diff --git a/roles/apache/templates/etc/httpd/conf.d/ssl.conf.j2 b/roles/apache/templates/etc/httpd/conf.d/ssl.conf.j2 index eb85a29..31e91d1 100644 --- a/roles/apache/templates/etc/httpd/conf.d/ssl.conf.j2 +++ b/roles/apache/templates/etc/httpd/conf.d/ssl.conf.j2 @@ -1,4 +1,6 @@ -Listen 443 https +{% for port in apache_ssl_listen_ports %} +Listen {{ port }} https +{% endfor %} SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog diff --git a/roles/apache/templates/etc/httpd/conf/httpd.conf.j2 b/roles/apache/templates/etc/httpd/conf/httpd.conf.j2 index d34c4a9..6e52049 100644 --- a/roles/apache/templates/etc/httpd/conf/httpd.conf.j2 +++ b/roles/apache/templates/etc/httpd/conf/httpd.conf.j2 @@ -1,6 +1,8 @@ ServerRoot "/etc/httpd" -Listen 80 +{% for port in apache_listen_ports %} +Listen {{ port }} +{% endfor %} Include conf.modules.d/*.conf diff --git a/roles/apache_vhost/README.md b/roles/apache_vhost/README.md index 186ef4b..7d05b2e 100644 --- a/roles/apache_vhost/README.md +++ b/roles/apache_vhost/README.md @@ -18,13 +18,15 @@ Variable | Default | Desc `apache_server_name` | `{{ ansible_fqdn }}` | [ServerName](https://httpd.apache.org/docs/2.4/mod/core.html#servername) value `apache_server_aliases` | `[]` if `apache_letsencrypt`, else `cnames` | [ServerAlias](https://httpd.apache.org/docs/2.4/mod/core.html#serveralias) values `apache_config_name` | `{{ apache_server_name }}` | Name of config file in `/etc/httpd/conf.d` -`apache_listen` | `*` | Network interface for VirtualHost +`apache_listen_ip` | `*` | Listening IP for virtual host +`apache_listen_port` | `80` for HTTP, `443` for HTTPS | Listening port for virtual host `apache_default_vhost` | no | Make this VirtualHost the default if no other VirtualHosts match the request `apache_document_root` |   | Path to [DocumentRoot](https://httpd.apache.org/docs/2.4/mod/core.html#documentroot) `apache_autoindex` | no | Automatically generate file listings `apache_use_ssl` | yes | Enable HTTPS `apache_letsencrypt` | no | Use LetsEncrypt (rather than FreeIPA) to acquire certificates `apache_redirect_to_https` | yes | 301 redirect HTTP requests to HTTPS +`apache_ssl_only` | yes | Disable HTTP listener `apache_use_http2` | yes | Enable HTTP2 protocol `apache_canonical_hostname` |   | 301 redirect all requests to this hostname `apache_config` |   | VirtualHost config block (see usage below) diff --git a/roles/apache_vhost/defaults/main.yml b/roles/apache_vhost/defaults/main.yml index 9a91522..c941e8c 100644 --- a/roles/apache_vhost/defaults/main.yml +++ b/roles/apache_vhost/defaults/main.yml @@ -4,7 +4,7 @@ apache_server_aliases: '{{ [] if apache_letsencrypt else cnames }}' apache_default_vhost: no apache_config_name: '{{ apache_server_name }}' -apache_listen: '*' +apache_listen_ip: '*' apache_autoindex: no @@ -12,5 +12,6 @@ apache_letsencrypt: no apache_use_ssl: yes apache_use_http2: yes apache_redirect_to_https: yes +apache_ssl_only: no apache_config: '' diff --git a/roles/apache_vhost/templates/etc/httpd/conf.d/vhost.conf.j2 b/roles/apache_vhost/templates/etc/httpd/conf.d/vhost.conf.j2 index 12a682e..4eae9af 100644 --- a/roles/apache_vhost/templates/etc/httpd/conf.d/vhost.conf.j2 +++ b/roles/apache_vhost/templates/etc/httpd/conf.d/vhost.conf.j2 @@ -1,5 +1,5 @@ -{% if apache_use_ssl and apache_redirect_to_https %} - +{% if apache_use_ssl and apache_redirect_to_https and not apache_ssl_only %} + ServerName {{ apache_server_name }} {% for alias in apache_server_aliases %} ServerAlias {{ alias }} @@ -15,10 +15,10 @@ RewriteRule (.*) https://%{HTTP_HOST}$1 [R=permanent,L] -{% else %} +{% elif not apache_ssl_only %} {% if apache_canonical_hostname is defined and (apache_server_aliases | length > 0) %} - + {% for alias in ([apache_server_name] + apache_server_aliases) | reject('equalto', apache_canonical_hostname) | list %} {% if loop.first %} ServerName {{ alias }} @@ -36,7 +36,7 @@ {% endif %} - + {% if apache_document_root is defined %} DocumentRoot "{{ apache_document_root }}" {% endif %} @@ -73,7 +73,7 @@ {% if apache_use_ssl %} {% if apache_canonical_hostname is defined and (apache_server_aliases | length > 0) %} - + {% for alias in ([apache_server_name] + apache_server_aliases) | reject('equalto', apache_canonical_hostname) | list %} {% if loop.first %} ServerName {{ alias }} @@ -96,7 +96,7 @@ {% endif %} - + {% if apache_document_root is defined %} DocumentRoot "{{ apache_document_root }}" {% endif %} diff --git a/roles/freeipa_server/files/usr/local/share/dirsrv/schema/matrix.ldif b/roles/freeipa_server/files/usr/local/share/dirsrv/schema/matrix.ldif new file mode 100644 index 0000000..dc6a611 --- /dev/null +++ b/roles/freeipa_server/files/usr/local/share/dirsrv/schema/matrix.ldif @@ -0,0 +1,3 @@ +dn: cn=config +attributetypes: ( 2.25.10508909625911985622145696820691585120.2 NAME 'matrixUsername' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Extending FreeIPA' ) +objectclasses: ( 2.25.10508909625911985622145696820691585120.1 NAME 'matrixUser' AUXILIARY MAY matrixUsername X-ORIGIN 'Extending FreeIPA' ) diff --git a/roles/freeipa_server/tasks/custom_schema.yml b/roles/freeipa_server/tasks/custom_schema.yml index e5bca0d..73456e3 100644 --- a/roles/freeipa_server/tasks/custom_schema.yml +++ b/roles/freeipa_server/tasks/custom_schema.yml @@ -4,11 +4,16 @@ state: directory recurse: yes -- name: copy jid schema +- name: copy custom schemas copy: - src: '{{ freeipa_custom_schema_dir[1:] }}/jid.ldif' - dest: '{{ freeipa_custom_schema_dir }}/jid.ldif' + src: '{{ freeipa_custom_schema_dir[1:] }}/{{ item }}.ldif' + dest: '{{ freeipa_custom_schema_dir }}/{{ item }}.ldif' + loop: + - jid + - matrix + +# begin JIDObject schema - name: check if JIDObject exists in schema shell: ldapsearch -QLLL -s base -b cn=schema objectclasses | grep -q JIDObject changed_when: no @@ -54,6 +59,55 @@ bind_pw: '{{ freeipa_ds_password }}' server_uri: ldaps://{{ ipa_host }} when: jid_index.changed +# end JIDObject schema + +# begin matrixUser schema +- name: check if matrixUser exists in schema + shell: ldapsearch -QLLL -s base -b cn=schema objectclasses | grep -q matrixUser + changed_when: no + failed_when: no + register: ldapsearch_matrixuser + +- block: + - name: extend freeipa schema for matrix usernames + command: ipa-ldap-updater --schema-file '{{ freeipa_custom_schema_dir }}/matrix.ldif' + + - name: restart httpd + systemd: + name: httpd + state: restarted + when: ldapsearch_matrixuser.rc != 0 + +- name: add index to matrixUsername attribute + ldap_entry: + dn: 'cn=matrixUsername,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config' + objectClass: + - top + - nsIndex + attributes: + cn: matrixUsername + nsSystemIndex: false + nsIndexType: eq + bind_dn: cn=Directory Manager + bind_pw: '{{ freeipa_ds_password }}' + server_uri: ldaps://{{ ipa_host }} + register: matrixusername_index + +- name: regenerate indexes for matrixUsername attribute + ldap_entry: + dn: cn=matrixusernameindex,cn=index,cn=tasks,cn=config + objectClass: + - top + - extensibleObject + attributes: + cn: matrixusernameindex + nsInstance: userRoot + nsIndexAttribute: 'matrixUsername:eq' + bind_dn: cn=Directory Manager + bind_pw: '{{ freeipa_ds_password }}' + server_uri: ldaps://{{ ipa_host }} + when: matrixusername_index.changed +# end matrixUser schema - name: add default user object classes ldap_attrs: @@ -62,6 +116,7 @@ ipaUserObjectClasses: - mailRecipient - JIDObject + - matrixUser state: present bind_dn: cn=Directory Manager bind_pw: '{{ freeipa_ds_password }}' @@ -86,6 +141,7 @@ attrs: - mailAlternateAddress - jid + - matrixUsername action: member state: present diff --git a/roles/synapse/defaults/main.yml b/roles/synapse/defaults/main.yml new file mode 100644 index 0000000..230871b --- /dev/null +++ b/roles/synapse/defaults/main.yml @@ -0,0 +1,58 @@ +synapse_version: 1.84.1 +synapse_ldap_version: 0.2.2 +synapse_element_version: 1.11.31 +synapse_local_client_port: 8008 +synapse_local_federation_port: 8009 +synapse_client_port: 8443 +synapse_federation_port: 8448 + +synapse_user: s-synapse +synapse_access_group: role-matrix-access + +synapse_db_host: '{{ postgresql_host }}' +synapse_db_name: synapse + +synapse_sysaccount_username: synapse +#synapse_sysaccount_password + +synapse_domain: '{{ email_domain }}' + +synapse_server_name: '{{ ansible_fqdn }}' + +#synapse_registration_shared_secret +#synapse_macaroon_secret_key +#synapse_form_secret + +synapse_turn_host: '{{ coturn_realm }}' +synapse_turn_secret: '{{ coturn_auth_secret }}' + +synapse_enable_email_notifications: yes +synapse_email_from: 'Matrix ' + +synapse_enable_registration: no + +synapse_max_upload_size: 50m + +synapse_auto_join_rooms: [] + +synapse_url_preview_whitelist: [] +synapse_url_preview_blacklist: + - '127.0.0.0/8' + - '10.0.0.0/8' + - '172.16.0.0/12' + - '192.168.0.0/16' + - '100.64.0.0/10' + - '192.0.0.0/24' + - '169.254.0.0/16' + - '192.88.99.0/24' + - '198.18.0.0/15' + - '192.0.2.0/24' + - '198.51.100.0/24' + - '203.0.113.0/24' + - '224.0.0.0/4' + - '::1/128' + - 'fe80::/10' + - 'fc00::/7' + - '2001:db8::/32' + - 'ff00::/8' + - 'fec0::/10' diff --git a/roles/synapse/handlers/main.yml b/roles/synapse/handlers/main.yml new file mode 100644 index 0000000..36abf64 --- /dev/null +++ b/roles/synapse/handlers/main.yml @@ -0,0 +1,4 @@ +- name: restart synapse + systemd: + name: synapse + state: restarted diff --git a/roles/synapse/meta/main.yml b/roles/synapse/meta/main.yml new file mode 100644 index 0000000..b06a498 --- /dev/null +++ b/roles/synapse/meta/main.yml @@ -0,0 +1,5 @@ +dependencies: + - role: freeipa_system_account + system_account_username: '{{ synapse_sysaccount_username }}' + system_account_password: '{{ synapse_sysaccount_password }}' + diff --git a/roles/synapse/tasks/database.yml b/roles/synapse/tasks/database.yml new file mode 100644 index 0000000..0494882 --- /dev/null +++ b/roles/synapse/tasks/database.yml @@ -0,0 +1,21 @@ +- name: create database + postgresql_db: + name: '{{ synapse_db_name }}' + encoding: UTF-8 + lc_collate: C + lc_ctype: C + template: template0 + state: present + delegate_to: "{{ postgresql_inventory_host }}" + become: yes + become_user: postgres + +- name: create database user + postgresql_user: + name: '{{ synapse_user }}' + db: '{{ synapse_db_name }}' + priv: ALL + state: present + delegate_to: "{{ postgresql_inventory_host }}" + become: yes + become_user: postgres diff --git a/roles/synapse/tasks/element.yml b/roles/synapse/tasks/element.yml new file mode 100644 index 0000000..cfc8eff --- /dev/null +++ b/roles/synapse/tasks/element.yml @@ -0,0 +1,17 @@ +- name: create element webroot + file: + path: '{{ synapse_element_webroot }}' + state: directory + +- name: extract element tarball + unarchive: + src: '{{ synapse_element_url }}' + remote_src: yes + dest: '{{ synapse_element_webroot }}' + extra_opts: + - '--strip-components=1' + +- name: generate element configuration + template: + src: '{{ synapse_element_webroot[1:] }}/config.json.j2' + dest: '{{ synapse_element_webroot }}/config.json' diff --git a/roles/synapse/tasks/freeipa.yml b/roles/synapse/tasks/freeipa.yml new file mode 100644 index 0000000..7e6cc02 --- /dev/null +++ b/roles/synapse/tasks/freeipa.yml @@ -0,0 +1,37 @@ +- name: create user + ipauser: + ipaadmin_principal: '{{ ipa_user }}' + ipaadmin_password: '{{ ipa_pass }}' + name: '{{ synapse_user }}' + loginshell: /sbin/nologin + homedir: '{{ synapse_home }}' + givenname: Synapse + sn: Service Account + state: present + run_once: yes + +- name: retrieve user keytab + include_role: + name: freeipa_keytab + vars: + keytab_principal: '{{ synapse_user }}' + keytab_path: '{{ synapse_keytab }}' + +- name: configure gssproxy for kerberized postgres + include_role: + name: gssproxy_client + vars: + gssproxy_name: synapse + gssproxy_section: service/synapse + gssproxy_client_keytab: '{{ synapse_keytab }}' + gssproxy_cred_usage: initiate + gssproxy_euid: '{{ synapse_user }}' + +- name: create access group + ipagroup: + ipaadmin_principal: '{{ ipa_user }}' + ipaadmin_password: '{{ ipa_pass }}' + name: '{{ synapse_access_group }}' + nonposix: yes + state: present + run_once: yes diff --git a/roles/synapse/tasks/main.yml b/roles/synapse/tasks/main.yml new file mode 100644 index 0000000..bf0002d --- /dev/null +++ b/roles/synapse/tasks/main.yml @@ -0,0 +1,67 @@ +- name: install packages + dnf: + name: '{{ synapse_packages }}' + state: present + +- import_tasks: freeipa.yml + +- name: create home directory + file: + path: '{{ item }}' + owner: '{{ synapse_user }}' + group: '{{ synapse_user }}' + mode: 0700 + state: directory + loop: + - '{{ synapse_home }}' + - '{{ synapse_venv }}' + +- name: install synapse + pip: + name: '{{ synapse_pip_packages }}' + virtualenv: '{{ synapse_venv }}' + state: latest + become: yes + become_user: '{{ synapse_user }}' + +- name: generate synapse configuration + template: + src: '{{ synapse_home[1:] }}/{{ item }}.j2' + dest: '{{ synapse_home }}/{{ item }}' + owner: '{{ synapse_user }}' + group: '{{ synapse_user }}' + mode: 0600 + notify: restart synapse + loop: + - homeserver.yaml + - logging.config + +- name: generate signing key + shell: + cmd: >- + source {{ synapse_venv }}/bin/activate && + python -m synapse.app.homeserver --config-path {{ synapse_home }}/homeserver.yaml --generate-keys + creates: '{{ synapse_home }}/{{ synapse_domain }}.signing.key' + become: yes + become_user: '{{ synapse_user }}' + +- name: create systemd unit + template: + src: etc/systemd/system/synapse.service.j2 + dest: /etc/systemd/system/synapse.service + notify: restart synapse + +- name: reload systemd daemons + systemd: + daemon_reload: yes + +- import_tasks: database.yml + +- name: enable systemd unit + systemd: + name: synapse + enabled: yes + state: started + +- import_tasks: element.yml + tags: element diff --git a/roles/synapse/templates/etc/systemd/system/synapse.service.j2 b/roles/synapse/templates/etc/systemd/system/synapse.service.j2 new file mode 100644 index 0000000..84ab9f3 --- /dev/null +++ b/roles/synapse/templates/etc/systemd/system/synapse.service.j2 @@ -0,0 +1,42 @@ +[Unit] +Description=Synapse Matrix Homeserver +Documentation=https://github.com/matrix-org/synapse +Wants=gssproxy.service +After=network-online.target nss-user-lookup.target gssproxy.service + +[Service] +NoNewPrivileges=yes +PrivateTmp=yes +PrivateDevices=yes +DevicePolicy=closed +ProtectSystem=strict +ProtectHome=yes +ProtectControlGroups=yes +ProtectKernelModules=yes +ProtectKernelTunables=yes +RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 +RestrictNamespaces=yes +RestrictRealtime=yes +RestrictSUIDSGID=yes +LockPersonality=yes +ReadWritePaths={{ synapse_home }} + +User={{ synapse_user }} +Group={{ synapse_user }} + +Type=notify +NotifyAccess=main +WorkingDirectory={{ synapse_home }} +Environment=GSS_USE_PROXY=yes +EnvironmentFile=-/etc/sysconfig/synapse + +ExecStart={{ synapse_venv }}/bin/python -m synapse.app.homeserver --config-path={{ synapse_home }}/homeserver.yaml +ExecReload=/bin/kill -HUP $MAINPID + +Restart=always +RestartSec=3 + +SyslogIdentifier=synapse + +[Install] +WantedBy=multi-user.target diff --git a/roles/synapse/templates/var/lib/synapse/homeserver.yaml.j2 b/roles/synapse/templates/var/lib/synapse/homeserver.yaml.j2 new file mode 100644 index 0000000..8aefce7 --- /dev/null +++ b/roles/synapse/templates/var/lib/synapse/homeserver.yaml.j2 @@ -0,0 +1,96 @@ +server_name: {{ synapse_domain }} + +pid_file: {{ synapse_runtime_dir }}/homeserver.pid + +public_baseurl: https://{{ synapse_server_name }}:{{ synapse_client_port }}/ + +listeners: + - port: {{ synapse_local_client_port }} + tls: false + type: http + x_forwarded: true + bind_addresses: ['::1', '127.0.0.1'] + resources: + - names: [client] + compress: false + + - port: {{ synapse_local_federation_port }} + tls: false + type: http + x_forwarded: true + bind_addresses: ['::1', '127.0.0.1'] + resources: + - names: [federation] + compress: false + +email: + smtp_host: 127.0.0.1 + smtp_port: 25 + enable_tls: false + notif_from: {{ synapse_email_from | to_yaml }} + enable_notifs: {{ synapse_enable_email_notifications | bool | to_yaml }} + +client_base_url: https://{{ synapse_server_name }} + +database: + name: psycopg2 + args: + user: '{{ synapse_user }}' + database: '{{ synapse_db_name }}' + host: '{{ synapse_db_host }}' + cp_min: 5 + cp_max: 10 + keepalives_idle: 10 + keepalives_interval: 10 + keepalives_count: 3 + +log_config: {{ synapse_home }}/logging.config + +media_store_path: {{ synapse_home }}/media_store +max_upload_size: {{ synapse_max_upload_size | human_to_bytes }} + +url_preview_enabled: true +url_preview_ip_range_blacklist: {{ synapse_url_preview_blacklist | to_yaml }} +url_preview_ip_range_whitelist: {{ synapse_url_preview_whitelist | to_yaml }} + +enable_registration: {{ synapse_enable_registration | bool | to_yaml }} +registration_shared_secret: {{ synapse_registration_shared_secret | to_yaml }} + +{% if synapse_auto_join_rooms %} +auto_join_rooms: +{% for room in synapse_auto_join_rooms %} + - '#{{ room }}:{{ synapse_domain }}' +{% endfor %} +{% endif %} +autocreate_auto_join_rooms: true +autocreate_auto_join_rooms_federated: false + +turn_uris: ['turn:{{ synapse_turn_host }}'] +turn_shared_secret: {{ synapse_turn_secret }} +turn_allow_guests: false + +report_stats: false + +macaroon_secret_key: {{ synapse_macaroon_secret_key | to_yaml }} +form_secret: {{ synapse_form_secret | to_yaml }} + +signing_key_path: {{ synapse_home }}/{{ synapse_domain }}.signing.key + +trusted_key_servers: + - server_name: matrix.org +suppress_key_server_warning: true + +modules: + - module: ldap_auth_provider.LdapAuthProviderModule + config: + enabled: true + uri: {{ freeipa_ldap_uri | split | to_yaml }} + start_tls: true + base: {{ freeipa_user_basedn }} + attributes: + uid: matrixUsername + mail: mail + name: matrixUsername + bind_dn: uid={{ synapse_sysaccount_username }},{{ freeipa_sysaccount_basedn }} + bind_password: {{ synapse_sysaccount_password }} + filter: '(memberOf=cn={{ synapse_access_group }},{{ freeipa_group_basedn }})' diff --git a/roles/synapse/templates/var/lib/synapse/logging.config.j2 b/roles/synapse/templates/var/lib/synapse/logging.config.j2 new file mode 100644 index 0000000..216e9e8 --- /dev/null +++ b/roles/synapse/templates/var/lib/synapse/logging.config.j2 @@ -0,0 +1,23 @@ +version: 1 + +formatters: + journal_fmt: + format: '%(name)s: [%(request)s] %(message)s' + +filters: + context: + (): synapse.logging.context.LoggingContextFilter + request: "" + +handlers: + journal: + class: systemd.journal.JournalHandler + formatter: journal_fmt + filters: [context] + SYSLOG_IDENTIFIER: synapse + +root: + level: INFO + handlers: [journal] + +disable_existing_loggers: False diff --git a/roles/synapse/templates/var/www/element/config.json.j2 b/roles/synapse/templates/var/www/element/config.json.j2 new file mode 100644 index 0000000..3556704 --- /dev/null +++ b/roles/synapse/templates/var/www/element/config.json.j2 @@ -0,0 +1,45 @@ +{ + "default_server_config": { + "m.homeserver": { + "base_url": "https://{{ synapse_server_name }}:{{ synapse_client_port }}", + "server_name": "{{ synapse_domain }}" + }, + "m.identity_server": { + "base_url": null + } + }, + "disable_custom_urls": true, + "disable_guests": true, + "disable_login_language_selector": false, + "disable_3pid_login": true, + "brand": "Element", + "integrations_ui_url": null, + "integrations_rest_url": null, + "integrations_widgets_urls": null, + "bug_report_endpoint_url": null, + "uisi_autorageshake_app": "element-auto-uisi", + "default_country_code": "US", + "show_labs_settings": false, + "features": {}, + "default_federate": true, + "default_theme": "light", + "room_directory": { + "servers": ["{{ synapse_domain }}", "matrix.org"] + }, + "enable_presence_by_hs_url": { + "https://matrix.org": false, + "https://matrix-client.matrix.org": false + }, + "setting_defaults": { + "breadcrumbs": true + }, + "jitsi": { + "preferred_domain": "meet.element.io" + }, + "element_call": { + "url": "https://call.element.io", + "participant_limit": 8, + "brand": "Element Call" + }, + "map_style_url": "https://api.maptiler.com/maps/streets/style.json?key=fU3vlMsMn4Jb6dnEIFsx" +} diff --git a/roles/synapse/vars/main.yml b/roles/synapse/vars/main.yml new file mode 100644 index 0000000..43c04d9 --- /dev/null +++ b/roles/synapse/vars/main.yml @@ -0,0 +1,47 @@ +synapse_packages: + - libtiff-devel + - libjpeg-devel + - libzip-devel + - freetype-devel + - libwebp-devel + - libxml2-devel + - libxslt-devel + - libpq-devel + - python3-virtualenv + - libffi-devel + - openssl-devel + - python3-devel + - libicu-devel + - python3-psycopg2 + - systemd-devel + - gcc + +synapse_pip_packages: + - 'matrix-synapse[postgres]=={{ synapse_version }}' + - 'matrix-synapse-ldap3=={{ synapse_ldap_version }}' + - lxml + - systemd-python + +synapse_home: /var/lib/synapse +synapse_keytab: /var/lib/gssproxy/clients/{{ synapse_user }}.keytab +synapse_venv: '{{ synapse_home }}/venv' +synapse_runtime_dir: /run/synapse +synapse_element_url: https://github.com/vector-im/element-web/releases/download/v{{ synapse_element_version }}/element-v{{ synapse_element_version }}.tar.gz +synapse_element_webroot: /var/www/element + +synapse_apache_client_config: | + LimitRequestBody {{ synapse_max_upload_size | human_to_bytes }} + AllowEncodedSlashes NoDecode + {{ apache_proxy_config }} + + ProxyPass http://127.0.0.1:{{ synapse_local_client_port }}/ nocanon + ProxyPassReverse http://127.0.0.1:{{ synapse_local_client_port }}/ + + +synapse_apache_federation_config: | + AllowEncodedSlashes NoDecode + {{ apache_proxy_config }} + + ProxyPass http://127.0.0.1:{{ synapse_local_federation_port }}/ nocanon + ProxyPassReverse http://127.0.0.1:{{ synapse_local_federation_port }}/ + -- cgit