diff --git a/.ansible.cfg b/.ansible.cfg
index 14f31c4..fe89314 100644
--- a/.ansible.cfg
+++ b/.ansible.cfg
@@ -1,6 +1,7 @@
 [defaults]
 inventory = ~/.ansible/inventory.yaml
 log_path = ~/.ansible/tmp/output.log
+vault_password_file = ~/.ansible/.vault.passwd
 [ssh_connection]
 ssh_args = -o RemoteCommand=none
diff --git a/.ansible/roles/matrix_server/tasks/main.yaml b/.ansible/roles/matrix_server/tasks/main.yaml
index dd8e2b2..bbc88fc 100644
--- a/.ansible/roles/matrix_server/tasks/main.yaml
+++ b/.ansible/roles/matrix_server/tasks/main.yaml
@@ -1,4 +1,4 @@
-- name: Adding repositories
+- name: 'Matrix: Repositories'
 tags:
 - install
 - repos
@@ -8,7 +8,7 @@
 loop_control:
 loop_var: repo
-- name: Installing packages
+- name: 'Matrix: Packages'
 tags:
 - install
 - packages
@@ -18,3 +18,15 @@
 state: present
 loop: "{{ linux_packages }}"
 become: true
+
+- name: 'Matrix: Configuration'
+ tags:
+ - config
+ - matrix
+ template:
+ src: 'templates/homeserver.yaml.j2'
+ dest: '/etc/matrix-synapse/homeserver.yaml'
+ mode: '0400'
+ owner: 'matrix-synapse'
+ group: 'nogroup'
+ become: yes
diff --git a/.ansible/roles/matrix_server/templates/homeserver.yaml.j2 b/.ansible/roles/matrix_server/templates/homeserver.yaml.j2
new file mode 100644
index 0000000..84c65de
--- /dev/null
+++ b/.ansible/roles/matrix_server/templates/homeserver.yaml.j2
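Review bot: `vault_password_file = ~/.ansible/.vault.passwd` points inside the same `.ansible/` tree whose roles, templates and vars this diff tracks, so the vault password is one stray `git add` away from landing next to the vault-encrypted `password_pepper` it protects. Confirm the file is ignored (a `.gitignore` entry for `.ansible/.vault.passwd`) and kept at mode 0600, or move it to a path outside the repository. Since ini files carry no self-documentation here, a line `# local only - never commit this file` above the setting would record that expectation for the next reader.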
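Review bot: The new 'Matrix: Configuration' task uses `become: yes` while the two tasks above it in this file use `become: true`; write `become: true` here as well, since `yes` is a YAML 1.1-only boolean that yamllint's truthy check and 1.2 parsers treat differently. The task also has no `notify`, so an edited homeserver.yaml is not picked up until something restarts synapse — unless a handler exists outside this diff, add `notify:` with a handler that restarts the service. Because the rendered file embeds `password_pepper`, consider `diff: false` on the task so a `--diff` run does not print the secret to the console. Minor: `src: 'templates/homeserver.yaml.j2'` appears to resolve only through the role-directory fallback; the conventional `src: homeserver.yaml.j2` makes the lookup explicit.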
@@ -0,0 +1,106 @@
+tls_certificate_path: "/etc/letsencrypt/live/home.suborbit.com/fullchain.pem"
+tls_private_key_path: "/etc/letsencrypt/live/home.suborbit.com/privkey.pem"
+tls_dh_params_path: "/etc/matrix-synapse/dhparam.pem"
+no_tls: False
+tls_fingerprints: [{"sha256": "/HCvvvL0fZZb3BsgA8KIegBijVjk4UCbA9od18BLxOE"}]
+server_name: home.suborbit.com
+pid_file: /run/matrix-synapse.pid
+soft_file_limit: 0
+use_presence: true
+listeners:
+ - port: 8448
+ bind_addresses:
+ - '0.0.0.0'
+ type: http
+ tls: true
+ x_forwarded: false
+ resources:
+ - names: [client] # The client-server APIs, both v1 and v2
+ compress: true
+ - names: [federation] # Federation APIs
+ compress: false
+ - port: 8008
+ tls: false
+ bind_addresses: ['0.0.0.0']
+ type: http
+ x_forwarded: true
+ resources:
+ - names: [client]
+ compress: true
+ - names: [federation]
+ compress: false
+database:
+ name: "sqlite3"
+ args:
+ database: "/etc/matrix-synapse/homeserver.db"
+event_cache_size: "10K"
+log_config: "/etc/matrix-synapse/log.yaml"
+rc_messages_per_second: 0.2
+rc_message_burst_count: 10.0
+federation_rc_window_size: 1000
+federation_rc_sleep_limit: 10
+federation_rc_sleep_delay: 500
+federation_rc_reject_limit: 5
+federation_rc_concurrent: 1
+media_store_path: "/etc/matrix-synapse/media_store"
+uploads_path: "/etc/matrix-synapse/uploads"
+max_upload_size: "100M"
+max_image_pixels: "64M"
+dynamic_thumbnails: false
+thumbnail_sizes:
+- width: 32
+ height: 32
+ method: crop
+- width: 96
+ height: 96
+ method: crop
+- width: 320
+ height: 240
+ method: scale
+- width: 640
+ height: 480
+ method: scale
+- width: 800
+ height: 600
+ method: scale
+url_preview_enabled: False
+url_preview_ip_range_blacklist:
+ - '127.0.0.0/8'
+ - '10.0.0.0/8'
+ - '::1/128'
+ - 'fe80::/64'
+ - 'fc00::/7'
+max_spider_size: "10M"
+recaptcha_public_key: "YOUR_PUBLIC_KEY"
+recaptcha_private_key: "YOUR_PRIVATE_KEY"
+enable_registration_captcha: False
+recaptcha_siteverify_api: "https://www.google.com/recaptcha/api/siteverify"
+turn_user_lifetime: "1h"
+turn_allow_guests: True
+enable_registration: False
+bcrypt_rounds: 12
+allow_guest_access: False
+autocreate_auto_join_rooms: true
+enable_metrics: False
+report_stats: false
+room_invite_state_types:
+ - "m.room.join_rules"
+ - "m.room.canonical_alias"
+ - "m.room.avatar"
+ - "m.room.name"
+app_service_config_files: []
+track_appservice_user_ips: False
+expire_access_token: False
+signing_key_path: "/etc/matrix-synapse/homeserver.signing.key"
+old_signing_keys: {}
+key_refresh_interval: "1d" # 1 Day.
+trusted_key_servers:
+ - server_name: "matrix.org"
+password_config:
+ enabled: true
+ pepper: "{{ password_pepper }}"
+enable_group_creation: false
+alias_creation_rules:
+ - user_id: "*"
+ alias: "*"
+ action: allow
diff --git a/.ansible/roles/matrix_server/vars/main.yaml b/.ansible/roles/matrix_server/vars/main.yaml
index 2c68119..5a039b3 100644
--- a/.ansible/roles/matrix_server/vars/main.yaml
+++ b/.ansible/roles/matrix_server/vars/main.yaml
@@ -6,3 +6,12 @@ linux_repos:
 linux_packages:
 - matrix-synapse-py3
+
+password_pepper: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 33373335643631373939643231653138646134633537343138333461633164393764376236663065
+ 6265623032623465303763353637613261356137303236640a386630373934626135386234643434
+ 36303336663033373331343463656366643939353761616331323733333163633562373138313635
+ 3362646261363561320a366664303336333333313033646239633131353364613064386137616661
+ 35613132313935333233636338356464333933623337626361646638636266656461646137663766
+ 6532306363663639623566646232333130633561396639306439
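Review bot: The plaintext listener on port 8008 is bound to `['0.0.0.0']` with `x_forwarded: true`, so synapse will honour `X-Forwarded-For` from any host that can reach 8008, not only the reverse proxy, and a direct client can present an arbitrary source address to rate limiting and logging. If the proxy runs on the same host, bind this listener to `['127.0.0.1']`; otherwise restrict 8008 to the proxy's address at the firewall and say so in a comment. `url_preview_ip_range_blacklist` is narrower than the list in synapse's example config (no `172.16.0.0/12`, `192.168.0.0/16` or `169.254.0.0/16` here), which is moot while `url_preview_enabled: False` but worth completing before previews are ever turned on. Style: the file mixes `False`/`True` with `false`/`true`; use lowercase throughout.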
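Review bot: `password_pepper` is a value that must not change once any account exists — synapse folds it into the bcrypt input, so rotating it invalidates every stored password hash — but the hunk gives no hint of that; add `# Do not rotate: changing the pepper invalidates every existing password hash.` above it. Placing it in the role's `vars/` also gives it higher precedence than inventory or host_vars, so it cannot be overridden per host; if that is intended, note it in the same comment, otherwise a host-level vault variable fits better. The encrypted block itself is fine provided the vault password file referenced in `.ansible.cfg` stays out of the repository.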