Synapse
======
Description
-----------
The `synapse` role installs and configures the [synapse](https://github.com/matrix-org/synapse/)
homeserver for the [Matrix](https://matrix.org/) network.
Users authenticate against the local FreeIPA domain using
the [matrix-synapse-ldap3](https://github.com/matrix-org/matrix-synapse-ldap3) plugin.
The Matrix username for each user is taken from the `matrixUsername` attribute
of the FreeIPA User object.
If your Matrix domain differs from the public hostname of your synapse server
(e.g. your MXIDs have the format `@user:example.com`, but synapse runs on
`matrix.example.com`), then you will need to configure `.well-known` delegation
in order to federate with other instances. See the [sample webserver playbook](../../playbooks/webserver_public_example.yml)
for an example of how to do this.
Variables
---------
This role **accepts** the following variables:
Variable | Default | Description
-------------------------------------|----------------------------------------------|------------
`synapse_version` | see [defaults](defaults/main.yml) | [synapse](https://github.com/matrix-org/synapse/) version to install
`synapse_ldap_version` | see [defaults](defaults/main.yml) | [synapse ldap](https://github.com/matrix-org/matrix-synapse-ldap3) plugin version to install
`synapse_element_version` | see [defaults](defaults/main.yml) | [element-web](https://github.com/vector-im/element-web) version to install
`synapse_domain` | `{{ email_domain }}` | Matrix domain served by the homeserver
`synapse_server_name` | `{{ ansible_fqdn }}` | Public hostname of the homeserver
`synapse_local_client_port` | 8008 | Localhost listen port for client traffic
`synapse_local_federation_port` | 8009 | Localhost listen port for federation traffic
`synapse_client_port` | 8443 | Public listen port for client traffic
`synapse_federation_port` | 8448 | Public listen port for federation traffic
`synapse_user` | `s-synapse` | FreeIPA user (will be created)
`synapse_access_group` | `role-matrix-access` | FreeIPA group for Matrix users (will be created)
`synapse_db_host` | `{{ postgresql_host }}` | PostgreSQL host
`synapse_db_name` | `synapse` | PostgreSQL database (will be created)
`synapse_sysaccount_username` | `synapse` | FreeIPA [system account](../freeipa_system_account/) username
`synapse_sysaccount_password` | | FreeIPA [system account](../freeipa_system_account/) password
`synapse_registration_shared_secret` | | Secret passphrase to allow registration even when disabled (optional)
`synapse_macaroon_secret_key` | | Secret signing key for various tokens (required)
`synapse_form_secret` | | Secret key for various form HMACs (required)
`synapse_turn_host` | `{{ coturn_realm }}` | TURN server hostname
`synapse_turn_secret` | `{{ coturn_auth_secret }}` | TURN server shared secret
`synapse_enable_email_notifications` | yes | Enable email notifications
`synapse_email_from` | `Matrix <matrix-noreply@{{ email_domain }}>` | Email `From` address
`synapse_enable_registration` | no | Enable new user registration
`synapse_max_upload_size` | `50m` | Maximum file upload size
`synapse_auto_join_rooms` | `[]` | Local rooms to join automatically
`synapse_url_preview_blacklist` | see [defaults](defaults/main.yml) | List of CIDRs to block from URL previews
`synapse_url_preview_whitelist` | `[]` | List of CIDRs to allow for URL previews
This role **exports** the following variables:
Variable | Description
-----------------------------------|------------
`synapse_element_webroot` | Path to [element-web](https://github.com/vector-im/element-web) directory
`synapse_apache_client_config` | Apache config block for client reverse proxy
`synapse_apache_federation_config` | Apache config block for federation reverse proxy
Usage
-----
The following example playbook installs synapse and configures an Apache
reverse proxy. The client API is served on port 8443, the federation API
is served on port 8448, and the Element web client is served on the standard
HTTPS port.
````yaml
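# Example playbook: synapse homeserver behind an Apache reverse proxy.
# The federation and client APIs each get a TLS-only vhost on a dedicated
# port; the Element web client is served from the default HTTPS vhost.
- name: configure synapse matrix homeserver
  hosts: matrix_servers
  vars:
    synapse_domain: example.com
    synapse_server_name: matrix.example.com
    synapse_client_port: 8443
    synapse_federation_port: 8448
    synapse_access_group: role-example-matrix-access
    # The `s3cret` values below are placeholders. Each one is a real secret
    # (token signing key, form HMAC key, FreeIPA system account password,
    # TURN shared secret): keep the real values out of version control,
    # e.g. in an Ansible Vault file, and reference them from here.
    synapse_macaroon_secret_key: s3cret
    synapse_form_secret: s3cret
    synapse_sysaccount_password: s3cret
    synapse_turn_host: turn.example.com
    synapse_turn_secret: s3cret
    synapse_email_from: 'Matrix <matrix-noreply@example.com>'
    # Open registration stays disabled; users authenticate against
    # FreeIPA instead (see Description above).
    synapse_enable_registration: false
  roles:
    - role: synapse
      tags: synapse
    # Federation API: TLS-only vhost on synapse_federation_port, using the
    # config block exported by the synapse role.
    - role: apache_vhost
      apache_server_name: '{{ synapse_server_name }}'
      apache_server_aliases: []
      apache_ssl_only: true
      apache_letsencrypt: true
      apache_listen_port: '{{ synapse_federation_port }}'
      apache_config: '{{ synapse_apache_federation_config }}'
      apache_config_name: '{{ synapse_server_name }}-federation'
      tags: apache
    # Client API: TLS-only vhost on synapse_client_port.
    - role: apache_vhost
      apache_server_name: '{{ synapse_server_name }}'
      apache_server_aliases: []
      apache_ssl_only: true
      apache_letsencrypt: true
      apache_listen_port: '{{ synapse_client_port }}'
      apache_config: '{{ synapse_apache_client_config }}'
      apache_config_name: '{{ synapse_server_name }}-client'
      tags: apache
    # Element web client served from the exported webroot on the standard
    # HTTPS port; plain-HTTP requests are redirected to HTTPS.
    - role: apache_vhost
      apache_server_name: '{{ synapse_server_name }}'
      apache_server_aliases: []
      apache_letsencrypt: true
      apache_redirect_to_https: true
      apache_document_root: '{{ synapse_element_webroot }}'
      apache_config_name: '{{ synapse_server_name }}-element'
      tags: apache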
````