From fe8529bfa93be6a62d4e9eb15633cbc1480f35b8 Mon Sep 17 00:00:00 2001 From: Ivan Reshetnikov Date: Tue, 29 Oct 2024 15:34:38 +0500 Subject: [PATCH] Add arguments for synapse role, fix federation - Add role arguments - Open port 8448 for s2s connections - Make openid and turn server optional --- roles/haproxy/files/haproxy.cfg | 2 +- roles/haproxy/tasks/main.yml | 7 ++- roles/synapse/meta/argument_specs.yml | 55 +++++++++++++++++++ roles/synapse/tasks/main.yml | 50 ++++++++++++++++- roles/synapse/tasks/synapse.yml | 48 ---------------- .../log.config => templates/log.config.j2} | 4 +- roles/synapse/templates/synapse.yaml.j2 | 40 +++++++++----- roles/synapse/vars/main.yml | 13 +++++ synapse.yml | 6 ++ 9 files changed, 155 insertions(+), 70 deletions(-) create mode 100644 roles/synapse/meta/argument_specs.yml delete mode 100644 roles/synapse/tasks/synapse.yml rename roles/synapse/{files/log.config => templates/log.config.j2} (88%) create mode 100644 roles/synapse/vars/main.yml diff --git a/roles/haproxy/files/haproxy.cfg b/roles/haproxy/files/haproxy.cfg index fe1eee9..5f94d98 100644 --- a/roles/haproxy/files/haproxy.cfg +++ b/roles/haproxy/files/haproxy.cfg @@ -93,7 +93,7 @@ frontend www use_backend mta_sts if host_mta_sts frontend matrix-federation - bind *:8448 ssl crt /usr/local/etc/haproxy/certs + bind :8448 ssl crt /usr/local/etc/haproxy/certs http-request set-header X-Forwarded-Proto https if { ssl_fc } http-request set-header X-Forwarded-Proto http if !{ ssl_fc } diff --git a/roles/haproxy/tasks/main.yml b/roles/haproxy/tasks/main.yml index c1a32b9..e56e818 100644 --- a/roles/haproxy/tasks/main.yml +++ b/roles/haproxy/tasks/main.yml @@ -60,9 +60,10 @@ sysctls: net.ipv4.ip_unprivileged_port_start: 0 ports: - - 80:80 - - 389:389 - - 443:443 + - "80:80" + - "389:389" + - "443:443" + - "8448:8448" restart_policy: unless-stopped - name: Reload haproxy become: true 
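Review bot: The new `"8448:8448"` entry in the haproxy container's `ports` list publishes the federation port on every host interface, which is the intended exposure for server-to-server traffic, but nothing in the role records that this port is TLS-terminated by the `matrix-federation` frontend in haproxy.cfg rather than by Synapse; a comment on the entry, `# 8448: Matrix s2s, TLS terminated by frontend matrix-federation`, ties the two hunks together for the next reader. Quoting the three existing mappings is the right fix for the YAML sexagesimal trap, so keep the quoted form for any port added later. The `ports` key belongs to a task whose name and module line start above this hunk.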
diff --git a/roles/synapse/meta/argument_specs.yml b/roles/synapse/meta/argument_specs.yml
new file mode 100644
index 0000000..24a4a5f
--- /dev/null
+++ b/roles/synapse/meta/argument_specs.yml
@@ -0,0 +1,55 @@
+---
+argument_specs:
+ main:
+ options:
+ server_name:
+ type: str
+ required: true
+ postgresql_dbname:
+ type: str
+ default: matrix-synapse
+ postgresql_host:
+ type: str
+ default: postgresql
+ postgresql_user:
+ type: str
+ default: matrix-synapse
+ postgresql_password:
+ type: str
+ required: true
+ postgresql_conn_max:
+ type: int
+ turn_uris:
+ type: list
+ elements: str
+ turn_shared_secret:
+ type: str
+ openid_scopes:
+ type: list
+ elements: str
+ default: ["openid", "profile", "email"]
+ openid_discover:
+ type: bool
+ default: true
+ openid_client_id:
+ type: str
+ openid_client_secret:
+ type: str
+ openid_issuer_url:
+ type: str
+ openid_idp_id:
+ type: str
+ description: Unique identifier for the login method
+ default: openid
+ openid_idp_name:
+ type: str
+ description: Name of login method
+ default: OpenID
+ openid_localpart_template:
+ type: str
+ default: "user.preferred_username"
+ openid_display_name_template:
+ type: str
+ default: "user.name|capitalize"
+ log_level:
+ type: str
diff --git a/roles/synapse/tasks/main.yml b/roles/synapse/tasks/main.yml
index 26b22b7..6393743 100644
--- a/roles/synapse/tasks/main.yml
+++ b/roles/synapse/tasks/main.yml
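Review bot: The three secret options in this spec, `postgresql_password`, `turn_shared_secret` and `openid_client_secret`, are declared as plain `type: str`, so their values are printed like any other argument in verbose task output and in an argument-validation failure message; if the installed ansible-core honours `no_log: true` on role argument_spec options (role validation uses the same validator as modules), add it to each of them, and in any case say in their `description` that they are secrets. `log_level` accepts any string although the rendered log config is Python logging configuration, which only understands the named levels; `choices: [DEBUG, INFO, WARNING, ERROR, CRITICAL]` together with `default: WARNING` (the value vars/main.yml in this commit already applies) would reject a typo at validation time instead of at container start. The turn and openid options only take effect in synapse.yaml.j2 when their companions are all defined (`turn_uris` with `turn_shared_secret`; `openid_client_id`, `openid_client_secret` and `openid_issuer_url` together), and nothing in the spec says so — a `description` on each naming the required companions would turn a silently disabled feature into a documented contract.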
@@ -1,2 +1,50 @@
 ---
-- import_tasks: synapse.yml
+- name: Create synapse volume
+ become: true
+ community.docker.docker_volume:
+ name: synapse
+- name: Create root-owned synapse config dir
+ become: true
+ ansible.builtin.file:
+ path: /etc/synapse
+ state: directory
+ mode: "1700"
+ owner: root
+- name: Create nested synapse config dir owned by synapse user
+ become: true
+ ansible.builtin.file:
+ path: /etc/synapse/_data
+ state: directory
+ mode: "1700"
+ owner: "991"
+- name: Copy synapse config
+ become: true
+ ansible.builtin.template:
+ src: synapse.yaml.j2
+ dest: /etc/synapse/_data/homeserver.yaml
+ owner: "991"
+ mode: "0600"
+ register: serverconf
+- name: Copy synapse log config
+ become: true
+ ansible.builtin.template:
+ src: log.config.j2
+ dest: /etc/synapse/_data/log.config
+ owner: "991"
+ mode: "0600"
+ register: logconf
+- name: Create synapse container
+ become: true
+ community.docker.docker_container:
+ name: synapse
+ image: matrixdotorg/synapse:v1.116.0
+ volumes:
+ - synapse:/data
+ - /etc/synapse/_data:/etc/synapse:ro
+ env:
+ SYNAPSE_CONFIG_PATH: /etc/synapse/homeserver.yaml
+ networks:
+ - name: postgresql
+ - name: haproxy
+ restart_policy: unless-stopped
+ recreate: "{{ serverconf.changed or logconf.changed }}"
diff --git a/roles/synapse/tasks/synapse.yml b/roles/synapse/tasks/synapse.yml
deleted file mode 100644
index f27fc24..0000000
--- a/roles/synapse/tasks/synapse.yml
+++ /dev/null
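Review bot: The new `Create synapse container` task publishes no host port, whereas the task list it replaces (roles/synapse/tasks/synapse.yml, deleted in this same commit) had `ports: - 127.0.0.1:3005:8008/tcp`, so Synapse is now reachable only over the `postgresql` and `haproxy` container networks; that is the tighter exposure and looks deliberate, but confirm the haproxy backend addresses the container by name over the shared network rather than via 127.0.0.1:3005, otherwise client and federation traffic both stop. The numeric owner `"991"` appears four times with no explanation; a comment at its first use, `# 991: uid the synapse process runs as inside the image — confirm against the image`, would spare the next maintainer a guess. Dropping `group:` and going to `mode: "0600"` for the rendered config is the right direction given `homeserver.yaml` carries the database password and client secret. `image: matrixdotorg/synapse:v1.116.0` is pinned by tag only; a digest pin is the usual next step for a container that holds the homeserver signing key and credentials, though that is carried over unchanged.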
@@ -1,48 +0,0 @@ ---- -- name: Create synapse volume - become: true - community.docker.docker_volume: - name: synapse -- name: Create synapse config dir - become: true - ansible.builtin.file: - path: /etc/synapse - state: directory - mode: '1755' - owner: root - group: root -- name: Copy synapse config - become: true - ansible.builtin.template: - src: synapse.yaml.j2 - dest: /etc/synapse/homeserver.yaml - owner: root - group: root - mode: '0664' - register: serverconf -- name: Copy synapse log config - become: true - ansible.builtin.copy: - src: log.config - dest: /etc/synapse/log.config - owner: root - group: root - mode: '0664' - register: logconf -- name: Create synapse container - become: true - community.docker.docker_container: - name: synapse - image: matrixdotorg/synapse:v1.116.0 - volumes: - - synapse:/data - - /etc/synapse:/etc/synapse:ro - env: - SYNAPSE_CONFIG_PATH: /etc/synapse/homeserver.yaml - networks: - - name: postgresql - - name: haproxy - ports: - - 127.0.0.1:3005:8008/tcp - restart_policy: unless-stopped - recreate: "{{ serverconf.changed or logconf.changed }}" diff --git a/roles/synapse/files/log.config b/roles/synapse/templates/log.config.j2 similarity index 88% rename from roles/synapse/files/log.config rename to roles/synapse/templates/log.config.j2 index 4f23a8a..cf78aa0 100644 --- a/roles/synapse/files/log.config +++ b/roles/synapse/templates/log.config.j2 @@ -13,10 +13,10 @@ loggers: synapse.storage.SQL: # beware: increasing this to DEBUG will make synapse log sensitive # information such as access tokens. - level: WARNING + level: {{ log_level }} root: - level: WARNING + level: {{ log_level }} handlers: [console] disable_existing_loggers: false diff --git a/roles/synapse/templates/synapse.yaml.j2 b/roles/synapse/templates/synapse.yaml.j2 index ad7cd71..4e85730 100644 --- a/roles/synapse/templates/synapse.yaml.j2 +++ b/roles/synapse/templates/synapse.yaml.j2 
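Review bot: One `log_level` value now drives both `synapse.storage.SQL` and the root logger, and the comment two lines above the first change warns that DEBUG on the SQL logger writes access tokens into the log; with this template an operator who raises `log_level` to DEBUG to chase an unrelated problem silently opts into that. Keep the SQL logger on its own knob that defaults to the safe value, e.g. `level: "{{ synapse_sql_log_level | default('WARNING') }}"` (the variable name is a constructed placeholder and would need an entry in meta/argument_specs.yml), and quote the root one as well, `level: "{{ log_level }}"`, so an empty or odd value renders as a string instead of altering the YAML structure. The `loggers:` mapping these lines belong to opens above the hunk.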
@@ -1,4 +1,4 @@
-server_name: "matrix.comfycamp.space"
+server_name: "{{ server_name }}"
 listeners:
 - port: 8008
 tls: false
@@ -10,32 +10,42 @@ listeners: database: name: psycopg2 args: - user: matrix-synapse + user: "{{ postgresql_user }}" password: "{{ postgresql_password }}" - dbname: matrix-synapse - host: postgresql - cp_max: 10 + dbname: "{{ postgresql_dbname }}" + host: "{{ postgresql_host }}" + cp_max: {{ postgresql_conn_max }} media_store_path: /data/media_store -signing_key_path: /data/matrix.comfycamp.space.signing.key +signing_key_path: /data/{{ server_name }}.signing.key log_config: /etc/synapse/log.config report_stats: true trusted_key_servers: - server_name: "matrix.org" -turn_uris: [ "turn:turn.comfycamp.space?transport=udp", "turn:turn.comfycamp.space?transport=tcp" ] +{% if turn_uris is defined and turn_shared_secret is defined %} +turn_uris: +{% for uri in turn_uris %} + - {{ uri }} +{% endfor %} turn_shared_secret: "{{ turn_shared_secret }}" turn_user_lifetime: 86400000 turn_allow_guests: true +{% endif %} +{% if openid_client_id is defined and openid_client_secret is defined and openid_issuer_url is defined %} oidc_providers: - - idp_id: authentik - idp_name: Comfy Camp - discover: true - issuer: "https://auth.comfycamp.space/application/o/matrix/" - client_id: 3rORMEeMNLRnaRPssq7s28uerXTna2hZ2Z2TdClp + - idp_id: "{{ openid_idp_id }}" + idp_name: "{{ openid_idp_name }}" + discover: {{ openid_discover }} + issuer: "{{ openid_issuer_url }}" + client_id: "{{ openid_client_id }}" client_secret: "{{ openid_client_secret }}" - scopes: ["openid", "profile", "email"] + scopes: +{% for scope in openid_scopes %} + - {{ scope }} +{% endfor %} user_mapping_provider: config: - localpart_template: "{{ '{{' }} user.preferred_username {{ '}}' }}" - display_name_template: "{{ '{{' }} user.name|capitalize {{ '}}' }}" + localpart_template: "{{ '{{' }} {{ openid_localpart_template }} {{ '}}' }}" + display_name_template: "{{ '{{' }} {{ openid_display_name_template }} {{ '}}' }}" +{% endif %} 
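Review bot: The two new loops emit role-supplied values as plain YAML scalars, `- {{ uri }}` and `- {{ scope }}`; the TURN URIs passed in synapse.yml parse fine, but a value containing `: ` or ` #`, or starting with `*`, `&` or `[`, would change the document's structure instead of becoming a string — render them quoted, `- "{{ uri }}"` and `- "{{ scope }}"`, matching how `turn_shared_secret` and `client_id` are already rendered in this hunk. `discover: {{ openid_discover }}` renders the Ansible bool as `True`, which Synapse's loader accepts but is not canonical YAML; `discover: {{ openid_discover | to_json }}` yields `true`. `signing_key_path` is now derived from `server_name`, so renaming the server points Synapse at a key file that does not exist yet — presumably the image generates a fresh key or refuses to start, and either way federation peers see a new identity; a comment next to that line saying the path is tied to the name is worth adding. The `listeners:` block the hunk header names begins above the hunk.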
diff --git a/roles/synapse/vars/main.yml b/roles/synapse/vars/main.yml
new file mode 100644
index 0000000..93e74af
--- /dev/null
+++ b/roles/synapse/vars/main.yml
@@ -0,0 +1,13 @@
+postgresql_user: matrix-synapse
+postgresql_dbname: matrix-synapse
+postgresql_host: postgresql
+postgresql_conn_max: 10
+
+openid_scopes: ["openid", "profile", "email"]
+openid_discover: true
+openid_idp_id: openid
+openid_idp_name: OpenID
+openid_localpart_template: "user.preferred_username"
+openid_display_name_template: "user.name|capitalize"
+
+log_level: WARNING
diff --git a/synapse.yml b/synapse.yml
index 51757e0..d7d4a4b 100644
--- a/synapse.yml
+++ b/synapse.yml
@@ -2,6 +2,12 @@
 - hosts: webservers
 roles:
 - role: synapse
+ server_name: matrix.comfycamp.space
 postgresql_password: "{{ postgresql_users['matrix-synapse'] }}"
+ turn_uris: [ "turn:turn.comfycamp.space?transport=udp", "turn:turn.comfycamp.space?transport=tcp" ]
 turn_shared_secret: "{{ coturn_static_auth_secret }}"
+ openid_idp_id: authentik
+ openid_idp_name: Comfy Camp
+ openid_issuer_url: https://auth.comfycamp.space/application/o/matrix/
+ openid_client_id: 3rORMEeMNLRnaRPssq7s28uerXTna2hZ2Z2TdClp
 openid_client_secret: "{{ synapse.openid_client_secret }}"
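Review bot: These defaults live in `vars/main.yml`, which in Ansible's precedence order sits above inventory, group_vars, host_vars and play vars — only role parameters (the way synapse.yml passes them), include params and extra vars can override them — so an operator cannot tune `postgresql_conn_max` or `log_level` for one host from inventory. Move the file to `defaults/main.yml`, whose values have the lowest precedence and are what the `default:` entries in a role argument spec are meant to document. The same values are repeated in meta/argument_specs.yml in this commit; as far as I know the spec's `default:` is documentation and is not applied to the play, so the two lists must be kept in sync by hand — a comment at the top of each file pointing at the other would help. `postgresql_conn_max` and `log_level` have a default here but none in the spec; add them there so the two agree.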