diff --git a/.ansible/roles/matrix_server/files/log.yaml b/.ansible/roles/matrix_server/files/log.yaml new file mode 100644 index 0000000..9d7acb8 --- /dev/null +++ b/.ansible/roles/matrix_server/files/log.yaml @@ -0,0 +1,37 @@ +version: 1 + +formatters: + precise: + format: "%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s - %(message)s" + +filters: + context: + (): synapse.logging.context.LoggingContextFilter + request: "" + +handlers: + file: + class: logging.handlers.RotatingFileHandler + formatter: precise + filename: /var/log/matrix-synapse/homeserver.log + maxBytes: 104857600 + backupCount: 10 + filters: [context] + encoding: utf8 + console: + class: logging.StreamHandler + formatter: precise + level: WARN + +loggers: + synapse: + level: WARN + + synapse.storage.SQL: + # beware: increasing this to DEBUG will make synapse log sensitive + # information such as access tokens. + level: WARN + +root: + level: WARN + handlers: [file, console] diff --git a/.ansible/roles/matrix_server/tasks/main.yaml b/.ansible/roles/matrix_server/tasks/main.yaml index bbc88fc..5e3d9ae 100644 --- a/.ansible/roles/matrix_server/tasks/main.yaml +++ b/.ansible/roles/matrix_server/tasks/main.yaml @@ -1,4 +1,4 @@ -- name: 'Matrix: Repositories' +- name: "Matrix: Repositories" tags: - install - repos @@ -8,7 +8,7 @@ loop_control: loop_var: repo -- name: 'Matrix: Packages' +- name: "Matrix: Packages" tags: - install - packages 
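Review bot: With `root: level: WARN` and `synapse: level: WARN`, the rotating file handler only ever receives warnings and above, so the INFO-level request and authentication lines Synapse normally emits never reach `/var/log/matrix-synapse/homeserver.log`, which is the first place an incident responder would look. If the file is meant to be the operational/audit log, set the `synapse` and `root` loggers to `level: INFO` and keep `console` at `level: WARN` so the journal stays quiet; the `synapse.storage.SQL` logger should stay at `WARN` for the reason its comment already gives. `WARN` is accepted by Python's logging module, but the canonical name is `WARNING`, and using it keeps the file consistent with the `logging.*` class names it references.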
@@ -19,14 +19,61 @@ loop: "{{ linux_packages }}" become: true -- name: 'Matrix: Configuration' +- name: "Matrix: Configuration" tags: - config - matrix - template: - src: 'templates/homeserver.yaml.j2' - dest: '/etc/matrix-synapse/homeserver.yaml' - mode: '0400' - owner: 'matrix-synapse' - group: 'nogroup' + block: + - name: "Matrix: Configuration: homeserver.yaml" + template: + src: "templates/homeserver.yaml.j2" + dest: "/etc/matrix-synapse/homeserver.yaml" + mode: "0400" + owner: "matrix-synapse" + group: "nogroup" + become: yes + + - name: "Matrix: Configuration: server_name.yaml" + copy: + dest: "/etc/matrix-synapse/conf.d/server_name.yaml" + content: "server_name: home.suborbit.com" + mode: "0400" + owner: "matrix-synapse" + group: "nogroup" + become: yes + + - name: "Matrix: Configuration: log.yaml" + copy: + dest: "/etc/matrix-synapse/log.yaml" + src: "files/log.yaml" + mode: "0400" + owner: "matrix-synapse" + group: "nogroup" + become: yes + + - name: "Matrix: Configuration: dhparam.pem" + copy: + dest: "/etc/matrix-synapse/dhparam.pem" + content: "{{ dhparam }}" + mode: "0400" + owner: "matrix-synapse" + group: "nogroup" + become: yes + + - name: "Matrix: Configuration: homeserver.signing.key" + copy: + dest: "/etc/matrix-synapse/homeserver.signing.key" + content: "{{ signing_key }}" + mode: "0400" + owner: "matrix-synapse" + group: "nogroup" + become: yes + +- name: "Matrix: Service" + tags: + - matrix + systemd: + name: "matrix-synapse" + state: started + enabled: yes become: yes diff --git a/.ansible/roles/matrix_server/templates/homeserver.yaml.j2 b/.ansible/roles/matrix_server/templates/homeserver.yaml.j2 index 84c65de..743c366 100644 --- a/.ansible/roles/matrix_server/templates/homeserver.yaml.j2 +++ b/.ansible/roles/matrix_server/templates/homeserver.yaml.j2 
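Review bot: The `homeserver.signing.key` task writes `{{ signing_key }}` via `copy: content:` and the `homeserver.yaml` task renders `password_pepper` (see the template hunk), yet neither sets `no_log`, so a run with `--diff`, or a task failure, prints the secret material into the controller output and any CI log that captures it; add `no_log: true` to both tasks (`dhparam.pem` does not need it, since DH parameters are not secret). `become: yes` on every task in the block and `enabled: yes` on the service task are YAML 1.1 boolean spellings; `become: true` / `enabled: true` matches the `become: true` already used in the context line at the top of this hunk. None of the configuration tasks notifies a handler and `Matrix: Service` only ensures `state: started`, so a re-run that changes `homeserver.yaml`, `log.yaml` or `server_name.yaml` leaves the running daemon on stale configuration; a `notify: restart matrix-synapse` on the config tasks with a matching handler would close that gap. The literal `content: "server_name: home.suborbit.com"` repeats a domain the template also hard-codes in its certificate paths; a role variable would keep the two in step.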
@@ -2,26 +2,25 @@ tls_certificate_path: "/etc/letsencrypt/live/home.suborbit.com/fullchain.pem" tls_private_key_path: "/etc/letsencrypt/live/home.suborbit.com/privkey.pem" tls_dh_params_path: "/etc/matrix-synapse/dhparam.pem" no_tls: False -tls_fingerprints: [{"sha256": "/HCvvvL0fZZb3BsgA8KIegBijVjk4UCbA9od18BLxOE"}] -server_name: home.suborbit.com +tls_fingerprints: [{ "sha256": "/HCvvvL0fZZb3BsgA8KIegBijVjk4UCbA9od18BLxOE" }] pid_file: /run/matrix-synapse.pid soft_file_limit: 0 use_presence: true listeners: - port: 8448 bind_addresses: - - '0.0.0.0' + - "0.0.0.0" type: http tls: true x_forwarded: false resources: - - names: [client] # The client-server APIs, both v1 and v2 + - names: [client] # The client-server APIs, both v1 and v2 compress: true - - names: [federation] # Federation APIs + - names: [federation] # Federation APIs compress: false - port: 8008 tls: false - bind_addresses: ['0.0.0.0'] + bind_addresses: ["0.0.0.0"] type: http x_forwarded: true resources: @@ -32,7 +31,7 @@ listeners: database: name: "sqlite3" args: - database: "/etc/matrix-synapse/homeserver.db" + database: "/var/lib/matrix-synapse/homeserver.db" event_cache_size: "10K" log_config: "/etc/matrix-synapse/log.yaml" rc_messages_per_second: 0.2 
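Review bot: The plaintext listener on `port: 8008` keeps `tls: false` together with `bind_addresses: ["0.0.0.0"]` and `x_forwarded: true`; the `x_forwarded` setting suggests a reverse proxy sits in front, in which case the listener should be bound to the proxy-facing address only, e.g. `bind_addresses: ["127.0.0.1"]`, so other hosts cannot send unencrypted client traffic or forged `X-Forwarded-For` headers straight to Synapse. This hunk only requotes those lines, but it is the place to fix the binding. If the proxy runs on another host, a firewall rule restricting 8008 to that host is the alternative, and a comment recording which one is in place would help the next reader.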
@@ -42,34 +41,34 @@ federation_rc_sleep_limit: 10 federation_rc_sleep_delay: 500 federation_rc_reject_limit: 5 federation_rc_concurrent: 1 -media_store_path: "/etc/matrix-synapse/media_store" -uploads_path: "/etc/matrix-synapse/uploads" +media_store_path: "/var/lib/matrix-synapse/media" +uploads_path: "/var/lib/matrix-synapse/uploads" max_upload_size: "100M" max_image_pixels: "64M" dynamic_thumbnails: false thumbnail_sizes: -- width: 32 - height: 32 - method: crop -- width: 96 - height: 96 - method: crop -- width: 320 - height: 240 - method: scale -- width: 640 - height: 480 - method: scale -- width: 800 - height: 600 - method: scale + - width: 32 + height: 32 + method: crop + - width: 96 + height: 96 + method: crop + - width: 320 + height: 240 + method: scale + - width: 640 + height: 480 + method: scale + - width: 800 + height: 600 + method: scale url_preview_enabled: False url_preview_ip_range_blacklist: - - '127.0.0.0/8' - - '10.0.0.0/8' - - '::1/128' - - 'fe80::/64' - - 'fc00::/7' + - "127.0.0.0/8" + - "10.0.0.0/8" + - "::1/128" + - "fe80::/64" + - "fc00::/7" max_spider_size: "10M" recaptcha_public_key: "YOUR_PUBLIC_KEY" recaptcha_private_key: "YOUR_PRIVATE_KEY" @@ -84,10 +83,10 @@ autocreate_auto_join_rooms: true enable_metrics: False report_stats: false room_invite_state_types: - - "m.room.join_rules" - - "m.room.canonical_alias" - - "m.room.avatar" - - "m.room.name" + - "m.room.join_rules" + - "m.room.canonical_alias" + - "m.room.avatar" + - "m.room.name" app_service_config_files: [] track_appservice_user_ips: False expire_access_token: False @@ -97,10 +96,10 @@ key_refresh_interval: "1d" # 1 Day. trusted_key_servers: - server_name: "matrix.org" password_config: - enabled: true - pepper: "{{ password_pepper }}" + enabled: true + pepper: "{{ password_pepper }}" enable_group_creation: false alias_creation_rules: - - user_id: "*" - alias: "*" - action: allow + - user_id: "*" + alias: "*" + action: allow 
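Review bot: `url_preview_ip_range_blacklist` lists only `127.0.0.0/8`, `10.0.0.0/8` and the three IPv6 ranges, omitting `172.16.0.0/12`, `192.168.0.0/16` and `169.254.0.0/16` (link-local, where cloud metadata endpoints live) that the Synapse sample config includes; it is inert while `url_preview_enabled: False`, but anyone who later enables previews inherits an incomplete guard against the preview fetcher reaching internal addresses, so the missing ranges are worth adding now. `media_store_path`, `uploads_path` and (in the earlier hunk) the SQLite `database` path now point under `/var/lib/matrix-synapse`, but no task in this change creates that directory or moves existing data from `/etc/matrix-synapse`; fine if the package provides the directory, otherwise a `file:` task with `owner: matrix-synapse` is needed before the service starts. The re-indented `thumbnail_sizes` and `url_preview_ip_range_blacklist` lists now use indented sequences while the `listeners` list in the previous hunk stays flush; pick one style file-wide.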
diff --git a/.ansible/roles/matrix_server/vars/main.yaml b/.ansible/roles/matrix_server/vars/main.yaml index 5a039b3..f93a0da 100644 --- a/.ansible/roles/matrix_server/vars/main.yaml +++ b/.ansible/roles/matrix_server/vars/main.yaml @@ -1,8 +1,8 @@ --- linux_repos: - - name: 'Matrix Synapse' - data: 'deb https://packages.matrix.org/debian disco main' - key: 'https://packages.matrix.org/debian/matrix-org-archive-keyring.gpg' + - name: "Matrix Synapse" + data: "deb https://packages.matrix.org/debian disco main" + key: "https://packages.matrix.org/debian/matrix-org-archive-keyring.gpg" linux_packages: - matrix-synapse-py3 
@@ -15,3 +15,41 @@ password_pepper: !vault | 3362646261363561320a366664303336333333313033646239633131353364613064386137616661 35613132313935333233636338356464333933623337626361646638636266656461646137663766 6532306363663639623566646232333130633561396639306439 + +dhparam: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 66396331643463396334343331353864396663353062393834356636643031613761663935396664 + 3636316634313430396464633032336238353435613835300a316531376361363831633965336339 + 65653534396563666663623164616134626135303762343864656436346164346162393432313539 + 6133353765393734320a653935363834653736343864663432393538383663363563613764313665 + 61393837303865333738643739303536323734666261636666613461393835633066316662316230 + 36303861326665313130323866663930616438306338343233623564323235613663363938633437 + 32303832616235633965363736383165346564323930653130343137303361613764643565363233 + 36346261643232616331303133316337656563346530343764396162633636383939356362333135 + 34663737313030393538346335396534336661633030643532636632616463666632656566366461 + 33613962353030383535356638623465346231383464636532343533663065663264666566643164 + 34616134663662356438353764663339346333343535313564373636393439356139393234343936 + 31353538616564613361653238383531373138386138353336393465376230656561643965656130 + 35353965356232663963633436373166316366323262636266326135303436653231613537643935 + 32633165366138393435626666366363393535346663356261373762313730633264363131343333 + 37303933666563393662303339633762623465636462646235633762663937366135633765393664 + 39383231613664633131386533393162613066386536336135303436356362306463343338633365 + 32346338363262383635613535636232383265646535656237633230333761613961363937346230 + 65306530373761613032363432666466643032396138346262633637383431633139356134303133 + 64373066326461313566656165313965313737303261656437363166333039346337333365303835 + 38613331383464376531303534663562363336646531616361363462643465323664646136396637 + 
32656430343037313465356161383431373438373936393939373466373631353739393762643334 + 32343036333564363834613563376639323564653465393331316461613232386464316138373735 + 62333336366534633938663839333739616536613735383533343632373233653934393365303235 + 37653339343631626135663033393535626265653365383064333361363636613864383338636432 + 32326361346130323636303266346538393237626633623633386534386635316363 + +signing_key: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 63663030316163346461643134383631316233303861336531316539646239626634326263303734 + 3366623434636134396637663263333964343761646465370a393130323033626236313534656336 + 37353661613066333539393838323465303230393233383461353565363536333035303433316530 + 6535343039383963650a626164333831313037386664646632383434313733663534616661333139 + 38323464356130343833623134343533353430373839656435393262623133646631353733646635 + 66383532393864323935376565313864616135373332386330323463303531393936353364363838 + 343336396530343765363363623761336636
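Review bot: `dhparam` is vault-encrypted although Diffie-Hellman parameters are public values exchanged in the clear during the handshake, so the 25 lines of ciphertext add nothing but hide the value from review (a reader cannot check the group size). Shipping it as `files/dhparam.pem` and deploying it with `copy: src:` the way `log.yaml` is keeps the vault surface to `password_pepper` and `signing_key`, which are the real secrets. Keeping `signing_key` vaulted is correct, since it is the server's federation identity; a short comment above it noting that rotating it changes the server's identity to peers would help whoever maintains this next.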