Fully Ansible-ise the Matrix configuration

2019-10-12 14:46:57 +01:00 · 2019-10-12 14:46:57 +01:00 · f07f0bf6d8
parent 7ecca7a1cb
commit f07f0bf6d8
4 changed files with 171 additions and 50 deletions
--- a/.ansible/roles/matrix_server/files/log.yaml
+++ b/.ansible/roles/matrix_server/files/log.yaml
@ -0,0 +1,37 @@
+version: 1
+
+formatters:
+  precise:
+    format: "%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s - %(message)s"
+
+filters:
+  context:
+    (): synapse.logging.context.LoggingContextFilter
+    request: ""
+
+handlers:
+  file:
+    class: logging.handlers.RotatingFileHandler
+    formatter: precise
+    filename: /var/log/matrix-synapse/homeserver.log
+    maxBytes: 104857600
+    backupCount: 10
+    filters: [context]
+    encoding: utf8
+  console:
+    class: logging.StreamHandler
+    formatter: precise
+    level: WARN
+
+loggers:
+  synapse:
+    level: WARN
+
+  synapse.storage.SQL:
+    # beware: increasing this to DEBUG will make synapse log sensitive
+    # information such as access tokens.
+    level: WARN
+
+root:
+  level: WARN
+  handlers: [file, console]
--- a/.ansible/roles/matrix_server/tasks/main.yaml
+++ b/.ansible/roles/matrix_server/tasks/main.yaml
@ -1,4 +1,4 @@
- name: 'Matrix: Repositories'
+- name: "Matrix: Repositories"
  tags:
    - install
    - repos
@ -8,7 +8,7 @@
  loop_control:
    loop_var: repo

- name: 'Matrix: Packages'
+- name: "Matrix: Packages"
  tags:
    - install
    - packages
@ -19,14 +19,61 @@
  loop: "{{ linux_packages }}"
  become: true

- name: 'Matrix: Configuration'
+- name: "Matrix: Configuration"
  tags:
    - config
    - matrix
+  block:
+    - name: "Matrix: Configuration: homeserver.yaml"
      template:
-    src: 'templates/homeserver.yaml.j2'
-    dest: '/etc/matrix-synapse/homeserver.yaml'
-    mode: '0400'
-    owner: 'matrix-synapse'
-    group: 'nogroup'
+        src: "templates/homeserver.yaml.j2"
+        dest: "/etc/matrix-synapse/homeserver.yaml"
+        mode: "0400"
+        owner: "matrix-synapse"
+        group: "nogroup"
+      become: yes
+
+    - name: "Matrix: Configuration: server_name.yaml"
+      copy:
+        dest: "/etc/matrix-synapse/conf.d/server_name.yaml"
+        content: "server_name: home.suborbit.com"
+        mode: "0400"
+        owner: "matrix-synapse"
+        group: "nogroup"
+      become: yes
+
+    - name: "Matrix: Configuration: log.yaml"
+      copy:
+        dest: "/etc/matrix-synapse/log.yaml"
+        src: "files/log.yaml"
+        mode: "0400"
+        owner: "matrix-synapse"
+        group: "nogroup"
+      become: yes
+
+    - name: "Matrix: Configuration: dhparam.pem"
+      copy:
+        dest: "/etc/matrix-synapse/dhparam.pem"
+        content: "{{ dhparam }}"
+        mode: "0400"
+        owner: "matrix-synapse"
+        group: "nogroup"
+      become: yes
+
+    - name: "Matrix: Configuration: homeserver.signing.key"
+      copy:
+        dest: "/etc/matrix-synapse/homeserver.signing.key"
+        content: "{{ signing_key }}"
+        mode: "0400"
+        owner: "matrix-synapse"
+        group: "nogroup"
+      become: yes
+
+- name: "Matrix: Service"
+  tags:
+    - matrix
+  systemd:
+    name: "matrix-synapse"
+    state: started
+    enabled: yes
  become: yes
--- a/.ansible/roles/matrix_server/templates/homeserver.yaml.j2
+++ b/.ansible/roles/matrix_server/templates/homeserver.yaml.j2
@ -2,15 +2,14 @@ tls_certificate_path: "/etc/letsencrypt/live/home.suborbit.com/fullchain.pem"
 tls_private_key_path: "/etc/letsencrypt/live/home.suborbit.com/privkey.pem"
 tls_dh_params_path: "/etc/matrix-synapse/dhparam.pem"
 no_tls: False
-tls_fingerprints: [{"sha256": "/HCvvvL0fZZb3BsgA8KIegBijVjk4UCbA9od18BLxOE"}]
-server_name: home.suborbit.com
+tls_fingerprints: [{ "sha256": "/HCvvvL0fZZb3BsgA8KIegBijVjk4UCbA9od18BLxOE" }]
 pid_file: /run/matrix-synapse.pid
 soft_file_limit: 0
 use_presence: true
 listeners:
  - port: 8448
    bind_addresses:
-      - '0.0.0.0'
+      - "0.0.0.0"
    type: http
    tls: true
    x_forwarded: false
@ -21,7 +20,7 @@ listeners:
        compress: false
  - port: 8008
    tls: false
-    bind_addresses: ['0.0.0.0']
+    bind_addresses: ["0.0.0.0"]
    type: http
    x_forwarded: true
    resources:
@ -32,7 +31,7 @@ listeners:
 database:
  name: "sqlite3"
  args:
-    database: "/etc/matrix-synapse/homeserver.db"
+    database: "/var/lib/matrix-synapse/homeserver.db"
 event_cache_size: "10K"
 log_config: "/etc/matrix-synapse/log.yaml"
 rc_messages_per_second: 0.2
@ -42,34 +41,34 @@ federation_rc_sleep_limit: 10
 federation_rc_sleep_delay: 500
 federation_rc_reject_limit: 5
 federation_rc_concurrent: 1
-media_store_path: "/etc/matrix-synapse/media_store"
-uploads_path: "/etc/matrix-synapse/uploads"
+media_store_path: "/var/lib/matrix-synapse/media"
+uploads_path: "/var/lib/matrix-synapse/uploads"
 max_upload_size: "100M"
 max_image_pixels: "64M"
 dynamic_thumbnails: false
 thumbnail_sizes:
- width: 32
+  - width: 32
    height: 32
    method: crop
- width: 96
+  - width: 96
    height: 96
    method: crop
- width: 320
+  - width: 320
    height: 240
    method: scale
- width: 640
+  - width: 640
    height: 480
    method: scale
- width: 800
+  - width: 800
    height: 600
    method: scale
 url_preview_enabled: False
 url_preview_ip_range_blacklist:
- - '127.0.0.0/8'
- - '10.0.0.0/8'
- - '::1/128'
- - 'fe80::/64'
- - 'fc00::/7'
+  - "127.0.0.0/8"
+  - "10.0.0.0/8"
+  - "::1/128"
+  - "fe80::/64"
+  - "fc00::/7"
 max_spider_size: "10M"
 recaptcha_public_key: "YOUR_PUBLIC_KEY"
 recaptcha_private_key: "YOUR_PRIVATE_KEY"
--- a/.ansible/roles/matrix_server/vars/main.yaml
+++ b/.ansible/roles/matrix_server/vars/main.yaml
@ -1,8 +1,8 @@
 ---
 linux_repos:
-  - name: 'Matrix Synapse'
-    data: 'deb https://packages.matrix.org/debian disco main'
-    key: 'https://packages.matrix.org/debian/matrix-org-archive-keyring.gpg'
+  - name: "Matrix Synapse"
+    data: "deb https://packages.matrix.org/debian disco main"
+    key: "https://packages.matrix.org/debian/matrix-org-archive-keyring.gpg"

 linux_packages:
  - matrix-synapse-py3
@ -15,3 +15,41 @@ password_pepper: !vault |
  3362646261363561320a366664303336333333313033646239633131353364613064386137616661
  35613132313935333233636338356464333933623337626361646638636266656461646137663766
  6532306363663639623566646232333130633561396639306439
+
+dhparam: !vault |
+  $ANSIBLE_VAULT;1.1;AES256
+  66396331643463396334343331353864396663353062393834356636643031613761663935396664
+  3636316634313430396464633032336238353435613835300a316531376361363831633965336339
+  65653534396563666663623164616134626135303762343864656436346164346162393432313539
+  6133353765393734320a653935363834653736343864663432393538383663363563613764313665
+  61393837303865333738643739303536323734666261636666613461393835633066316662316230
+  36303861326665313130323866663930616438306338343233623564323235613663363938633437
+  32303832616235633965363736383165346564323930653130343137303361613764643565363233
+  36346261643232616331303133316337656563346530343764396162633636383939356362333135
+  34663737313030393538346335396534336661633030643532636632616463666632656566366461
+  33613962353030383535356638623465346231383464636532343533663065663264666566643164
+  34616134663662356438353764663339346333343535313564373636393439356139393234343936
+  31353538616564613361653238383531373138386138353336393465376230656561643965656130
+  35353965356232663963633436373166316366323262636266326135303436653231613537643935
+  32633165366138393435626666366363393535346663356261373762313730633264363131343333
+  37303933666563393662303339633762623465636462646235633762663937366135633765393664
+  39383231613664633131386533393162613066386536336135303436356362306463343338633365
+  32346338363262383635613535636232383265646535656237633230333761613961363937346230
+  65306530373761613032363432666466643032396138346262633637383431633139356134303133
+  64373066326461313566656165313965313737303261656437363166333039346337333365303835
+  38613331383464376531303534663562363336646531616361363462643465323664646136396637
+  32656430343037313465356161383431373438373936393939373466373631353739393762643334
+  32343036333564363834613563376639323564653465393331316461613232386464316138373735
+  62333336366534633938663839333739616536613735383533343632373233653934393365303235
+  37653339343631626135663033393535626265653365383064333361363636613864383338636432
+  32326361346130323636303266346538393237626633623633386534386635316363
+
+signing_key: !vault |
+  $ANSIBLE_VAULT;1.1;AES256
+  63663030316163346461643134383631316233303861336531316539646239626634326263303734
+  3366623434636134396637663263333964343761646465370a393130323033626236313534656336
+  37353661613066333539393838323465303230393233383461353565363536333035303433316530
+  6535343039383963650a626164333831313037386664646632383434313733663534616661333139
+  38323464356130343833623134343533353430373839656435393262623133646631353733646635
+  66383532393864323935376565313864616135373332386330323463303531393936353364363838
+  343336396530343765363363623761336636