Fully Ansible-ise the Matrix configuration

2019-10-12 14:46:57 +01:00 · 2019-10-12 14:46:57 +01:00 · f07f0bf6d8
parent 7ecca7a1cb
commit f07f0bf6d8
4 changed files with 171 additions and 50 deletions
--- a/.ansible/roles/matrix_server/files/log.yaml
+++ b/.ansible/roles/matrix_server/files/log.yaml
@ -0,0 +1,37 @@
 version: 1
 formatters:
  precise:
    format: "%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s - %(message)s"
 filters:
  context:
    (): synapse.logging.context.LoggingContextFilter
    request: ""
 handlers:
  file:
    class: logging.handlers.RotatingFileHandler
    formatter: precise
    filename: /var/log/matrix-synapse/homeserver.log
    maxBytes: 104857600
    backupCount: 10
    filters: [context]
    encoding: utf8
  console:
    class: logging.StreamHandler
    formatter: precise
    level: WARN
 loggers:
  synapse:
    level: WARN
  synapse.storage.SQL:
    # beware: increasing this to DEBUG will make synapse log sensitive
    # information such as access tokens.
    level: WARN
 root:
  level: WARN
  handlers: [file, console]
--- a/.ansible/roles/matrix_server/tasks/main.yaml
+++ b/.ansible/roles/matrix_server/tasks/main.yaml
@ -1,4 +1,4 @@
- name: 'Matrix: Repositories'
+- name: "Matrix: Repositories"
  tags:
    - install
    - repos
@ -8,7 +8,7 @@
  loop_control:
    loop_var: repo
- name: 'Matrix: Packages'
+- name: "Matrix: Packages"
  tags:
    - install
    - packages
@ -19,14 +19,61 @@
  loop: "{{ linux_packages }}"
  become: true
- name: 'Matrix: Configuration'
+- name: "Matrix: Configuration"
  tags:
    - config
    - matrix
-  template:
+  block:
-    src: 'templates/homeserver.yaml.j2'
+    - name: "Matrix: Configuration: homeserver.yaml"
-    dest: '/etc/matrix-synapse/homeserver.yaml'
+      template:
-    mode: '0400'
+        src: "templates/homeserver.yaml.j2"
-    owner: 'matrix-synapse'
+        dest: "/etc/matrix-synapse/homeserver.yaml"
-    group: 'nogroup'
+        mode: "0400"
        owner: "matrix-synapse"
        group: "nogroup"
      become: yes
    - name: "Matrix: Configuration: server_name.yaml"
      copy:
        dest: "/etc/matrix-synapse/conf.d/server_name.yaml"
        content: "server_name: home.suborbit.com"
        mode: "0400"
        owner: "matrix-synapse"
        group: "nogroup"
      become: yes
    - name: "Matrix: Configuration: log.yaml"
      copy:
        dest: "/etc/matrix-synapse/log.yaml"
        src: "files/log.yaml"
        mode: "0400"
        owner: "matrix-synapse"
        group: "nogroup"
      become: yes
    - name: "Matrix: Configuration: dhparam.pem"
      copy:
        dest: "/etc/matrix-synapse/dhparam.pem"
        content: "{{ dhparam }}"
        mode: "0400"
        owner: "matrix-synapse"
        group: "nogroup"
      become: yes
    - name: "Matrix: Configuration: homeserver.signing.key"
      copy:
        dest: "/etc/matrix-synapse/homeserver.signing.key"
        content: "{{ signing_key }}"
        mode: "0400"
        owner: "matrix-synapse"
        group: "nogroup"
      become: yes
 - name: "Matrix: Service"
  tags:
    - matrix
  systemd:
    name: "matrix-synapse"
    state: started
    enabled: yes
  become: yes
--- a/.ansible/roles/matrix_server/templates/homeserver.yaml.j2
+++ b/.ansible/roles/matrix_server/templates/homeserver.yaml.j2
@ -2,26 +2,25 @@ tls_certificate_path: "/etc/letsencrypt/live/home.suborbit.com/fullchain.pem"
 tls_private_key_path: "/etc/letsencrypt/live/home.suborbit.com/privkey.pem"
 tls_dh_params_path: "/etc/matrix-synapse/dhparam.pem"
 no_tls: False
-tls_fingerprints: [{"sha256": "/HCvvvL0fZZb3BsgA8KIegBijVjk4UCbA9od18BLxOE"}]
+tls_fingerprints: [{ "sha256": "/HCvvvL0fZZb3BsgA8KIegBijVjk4UCbA9od18BLxOE" }]
 server_name: home.suborbit.com
 pid_file: /run/matrix-synapse.pid
 soft_file_limit: 0
 use_presence: true
 listeners:
  - port: 8448
    bind_addresses:
-      - '0.0.0.0'
+      - "0.0.0.0"
    type: http
    tls: true
    x_forwarded: false
    resources:
-      - names: [client]       # The client-server APIs, both v1 and v2
+      - names: [client] # The client-server APIs, both v1 and v2
        compress: true
-      - names: [federation]  # Federation APIs
+      - names: [federation] # Federation APIs
        compress: false
  - port: 8008
    tls: false
-    bind_addresses: ['0.0.0.0']
+    bind_addresses: ["0.0.0.0"]
    type: http
    x_forwarded: true
    resources:
@ -32,7 +31,7 @@ listeners:
 database:
  name: "sqlite3"
  args:
-    database: "/etc/matrix-synapse/homeserver.db"
+    database: "/var/lib/matrix-synapse/homeserver.db"
 event_cache_size: "10K"
 log_config: "/etc/matrix-synapse/log.yaml"
 rc_messages_per_second: 0.2
@ -42,34 +41,34 @@ federation_rc_sleep_limit: 10
 federation_rc_sleep_delay: 500
 federation_rc_reject_limit: 5
 federation_rc_concurrent: 1
-media_store_path: "/etc/matrix-synapse/media_store"
+media_store_path: "/var/lib/matrix-synapse/media"
-uploads_path: "/etc/matrix-synapse/uploads"
+uploads_path: "/var/lib/matrix-synapse/uploads"
 max_upload_size: "100M"
 max_image_pixels: "64M"
 dynamic_thumbnails: false
 thumbnail_sizes:
- width: 32
+  - width: 32
-  height: 32
+    height: 32
-  method: crop
+    method: crop
- width: 96
+  - width: 96
-  height: 96
+    height: 96
-  method: crop
+    method: crop
- width: 320
+  - width: 320
-  height: 240
+    height: 240
-  method: scale
+    method: scale
- width: 640
+  - width: 640
-  height: 480
+    height: 480
-  method: scale
+    method: scale
- width: 800
+  - width: 800
-  height: 600
+    height: 600
-  method: scale
+    method: scale
 url_preview_enabled: False
 url_preview_ip_range_blacklist:
- - '127.0.0.0/8'
+  - "127.0.0.0/8"
- - '10.0.0.0/8'
+  - "10.0.0.0/8"
- - '::1/128'
+  - "::1/128"
- - 'fe80::/64'
+  - "fe80::/64"
- - 'fc00::/7'
+  - "fc00::/7"
 max_spider_size: "10M"
 recaptcha_public_key: "YOUR_PUBLIC_KEY"
 recaptcha_private_key: "YOUR_PRIVATE_KEY"
@ -84,10 +83,10 @@ autocreate_auto_join_rooms: true
 enable_metrics: False
 report_stats: false
 room_invite_state_types:
-    - "m.room.join_rules"
+  - "m.room.join_rules"
-    - "m.room.canonical_alias"
+  - "m.room.canonical_alias"
-    - "m.room.avatar"
+  - "m.room.avatar"
-    - "m.room.name"
+  - "m.room.name"
 app_service_config_files: []
 track_appservice_user_ips: False
 expire_access_token: False
@ -97,10 +96,10 @@ key_refresh_interval: "1d" # 1 Day.
 trusted_key_servers:
  - server_name: "matrix.org"
 password_config:
-   enabled: true
+  enabled: true
-   pepper: "{{ password_pepper }}"
+  pepper: "{{ password_pepper }}"
 enable_group_creation: false
 alias_creation_rules:
-    - user_id: "*"
+  - user_id: "*"
-      alias: "*"
+    alias: "*"
-      action: allow
+    action: allow
--- a/.ansible/roles/matrix_server/vars/main.yaml
+++ b/.ansible/roles/matrix_server/vars/main.yaml
@ -1,8 +1,8 @@
 ---
 linux_repos:
-  - name: 'Matrix Synapse'
+  - name: "Matrix Synapse"
-    data: 'deb https://packages.matrix.org/debian disco main'
+    data: "deb https://packages.matrix.org/debian disco main"
-    key: 'https://packages.matrix.org/debian/matrix-org-archive-keyring.gpg'
+    key: "https://packages.matrix.org/debian/matrix-org-archive-keyring.gpg"
 linux_packages:
  - matrix-synapse-py3
@ -15,3 +15,41 @@ password_pepper: !vault |
  3362646261363561320a366664303336333333313033646239633131353364613064386137616661
  35613132313935333233636338356464333933623337626361646638636266656461646137663766
  6532306363663639623566646232333130633561396639306439
 dhparam: !vault |
  $ANSIBLE_VAULT;1.1;AES256
  66396331643463396334343331353864396663353062393834356636643031613761663935396664
  3636316634313430396464633032336238353435613835300a316531376361363831633965336339
  65653534396563666663623164616134626135303762343864656436346164346162393432313539
  6133353765393734320a653935363834653736343864663432393538383663363563613764313665
  61393837303865333738643739303536323734666261636666613461393835633066316662316230
  36303861326665313130323866663930616438306338343233623564323235613663363938633437
  32303832616235633965363736383165346564323930653130343137303361613764643565363233
  36346261643232616331303133316337656563346530343764396162633636383939356362333135
  34663737313030393538346335396534336661633030643532636632616463666632656566366461
  33613962353030383535356638623465346231383464636532343533663065663264666566643164
  34616134663662356438353764663339346333343535313564373636393439356139393234343936
  31353538616564613361653238383531373138386138353336393465376230656561643965656130
  35353965356232663963633436373166316366323262636266326135303436653231613537643935
  32633165366138393435626666366363393535346663356261373762313730633264363131343333
  37303933666563393662303339633762623465636462646235633762663937366135633765393664
  39383231613664633131386533393162613066386536336135303436356362306463343338633365
  32346338363262383635613535636232383265646535656237633230333761613961363937346230
  65306530373761613032363432666466643032396138346262633637383431633139356134303133
  64373066326461313566656165313965313737303261656437363166333039346337333365303835
  38613331383464376531303534663562363336646531616361363462643465323664646136396637
  32656430343037313465356161383431373438373936393939373466373631353739393762643334
  32343036333564363834613563376639323564653465393331316461613232386464316138373735
  62333336366534633938663839333739616536613735383533343632373233653934393365303235
  37653339343631626135663033393535626265653365383064333361363636613864383338636432
  32326361346130323636303266346538393237626633623633386534386635316363
 signing_key: !vault |
  $ANSIBLE_VAULT;1.1;AES256
  63663030316163346461643134383631316233303861336531316539646239626634326263303734
  3366623434636134396637663263333964343761646465370a393130323033626236313534656336
  37353661613066333539393838323465303230393233383461353565363536333035303433316530
  6535343039383963650a626164333831313037386664646632383434313733663534616661333139
  38323464356130343833623134343533353430373839656435393262623133646631353733646635
  66383532393864323935376565313864616135373332386330323463303531393936353364363838
  343336396530343765363363623761336636