lumin/homelab
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Add arguments for synapse role, fix federation

Browse source 
- Add role arguments
- Open port 8448 for s2s connections
- Make openid and turn server optional
This commit is contained in:
Ivan R. 2024-10-29 15:34:38 +05:00
parent 80bc38902d
commit fe8529bfa9
Signed by: lumin
GPG key ID: E0937DC7CD6D3817
9 changed files with 155 additions and 70 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
roles/haproxy/files/haproxy.cfg
View file

@ -93,7 +93,7 @@ frontend www
use_backend mta_sts if host_mta_sts use_backend mta_sts if host_mta_sts
frontend matrix-federation frontend matrix-federation
bind *:8448 ssl crt /usr/local/etc/haproxy/certs bind :8448 ssl crt /usr/local/etc/haproxy/certs
http-request set-header X-Forwarded-Proto https if { ssl_fc } http-request set-header X-Forwarded-Proto https if { ssl_fc }
http-request set-header X-Forwarded-Proto http if !{ ssl_fc } http-request set-header X-Forwarded-Proto http if !{ ssl_fc }

7
roles/haproxy/tasks/main.yml
View file

@ -60,9 +60,10 @@
sysctls: sysctls:
net.ipv4.ip_unprivileged_port_start: 0 net.ipv4.ip_unprivileged_port_start: 0
ports: ports:
- 80:80 - "80:80"
- 389:389 - "389:389"
- 443:443 - "443:443"
- "8448:8448"
restart_policy: unless-stopped restart_policy: unless-stopped
- name: Reload haproxy - name: Reload haproxy
become: true become: true

55
roles/synapse/meta/argument_specs.yml Normal file
View file

@ -0,0 +1,55 @@
---
argument_specs:
main:
options:
server_name:
type: str
required: true
postgresql_dbname:
type: str
default: matrix-synapse
postgresql_host:
type: str
default: postgresql
postgresql_user:
type: str
default: matrix-synapse
postgresql_password:
type: str
required: true
postgresql_conn_max:
type: int
turn_uris:
type: list
elements: str
turn_shared_secret:
type: str
openid_scopes:
type: list
elements: str
default: ["openid", "profile", "email"]
openid_discover:
type: bool
default: true
openid_client_id:
type: str
openid_client_secret:
type: str
openid_issuer_url:
type: str
openid_idp_id:
type: str
description: Unique identifier for the login method
default: openid
openid_idp_name:
type: str
description: Name of login method
default: OpenID
openid_localpart_template:
type: str
default: "user.preferred_username"
openid_display_name_template:
type: str
default: "user.name|capitalize"
log_level:
type: str

50
roles/synapse/tasks/main.yml
View file

@ -1,2 +1,50 @@
--- ---
- import_tasks: synapse.yml - name: Create synapse volume
become: true
community.docker.docker_volume:
name: synapse
- name: Create root-owned synapse config dir
become: true
ansible.builtin.file:
path: /etc/synapse
state: directory
mode: "1700"
owner: root
- name: Create nested synapse config dir owned by synapse user
become: true
ansible.builtin.file:
path: /etc/synapse/_data
state: directory
mode: "1700"
owner: "991"
- name: Copy synapse config
become: true
ansible.builtin.template:
src: synapse.yaml.j2
dest: /etc/synapse/_data/homeserver.yaml
owner: "991"
mode: "0600"
register: serverconf
- name: Copy synapse log config
become: true
ansible.builtin.template:
src: log.config.j2
dest: /etc/synapse/_data/log.config
owner: "991"
mode: "0600"
register: logconf
- name: Create synapse container
become: true
community.docker.docker_container:
name: synapse
image: matrixdotorg/synapse:v1.116.0
volumes:
- synapse:/data
- /etc/synapse/_data:/etc/synapse:ro
env:
SYNAPSE_CONFIG_PATH: /etc/synapse/homeserver.yaml
networks:
- name: postgresql
- name: haproxy
restart_policy: unless-stopped
recreate: "{{ serverconf.changed or logconf.changed }}"

48
roles/synapse/tasks/synapse.yml
View file

@ -1,48 +0,0 @@
---
- name: Create synapse volume
become: true
community.docker.docker_volume:
name: synapse
- name: Create synapse config dir
become: true
ansible.builtin.file:
path: /etc/synapse
state: directory
mode: '1755'
owner: root
group: root
- name: Copy synapse config
become: true
ansible.builtin.template:
src: synapse.yaml.j2
dest: /etc/synapse/homeserver.yaml
owner: root
group: root
mode: '0664'
register: serverconf
- name: Copy synapse log config
become: true
ansible.builtin.copy:
src: log.config
dest: /etc/synapse/log.config
owner: root
group: root
mode: '0664'
register: logconf
- name: Create synapse container
become: true
community.docker.docker_container:
name: synapse
image: matrixdotorg/synapse:v1.116.0
volumes:
- synapse:/data
- /etc/synapse:/etc/synapse:ro
env:
SYNAPSE_CONFIG_PATH: /etc/synapse/homeserver.yaml
networks:
- name: postgresql
- name: haproxy
ports:
- 127.0.0.1:3005:8008/tcp
restart_policy: unless-stopped
recreate: "{{ serverconf.changed or logconf.changed }}"

4
roles/synapse/files/log.config → roles/synapse/templates/log.config.j2
View file

@ -13,10 +13,10 @@ loggers:
synapse.storage.SQL: synapse.storage.SQL:
# beware: increasing this to DEBUG will make synapse log sensitive # beware: increasing this to DEBUG will make synapse log sensitive
# information such as access tokens. # information such as access tokens.
level: WARNING level: {{ log_level }}
root: root:
level: WARNING level: {{ log_level }}
handlers: [console] handlers: [console]
disable_existing_loggers: false disable_existing_loggers: false

40
roles/synapse/templates/synapse.yaml.j2
View file

@ -1,4 +1,4 @@
server_name: "matrix.comfycamp.space" server_name: "{{ server_name }}"
listeners: listeners:
- port: 8008 - port: 8008
tls: false tls: false
@ -10,32 +10,42 @@ listeners:
database: database:
name: psycopg2 name: psycopg2
args: args:
user: matrix-synapse user: "{{ postgresql_user }}"
password: "{{ postgresql_password }}" password: "{{ postgresql_password }}"
dbname: matrix-synapse dbname: "{{ postgresql_dbname }}"
host: postgresql host: "{{ postgresql_host }}"
cp_max: 10 cp_max: {{ postgresql_conn_max }}
media_store_path: /data/media_store media_store_path: /data/media_store
signing_key_path: /data/matrix.comfycamp.space.signing.key signing_key_path: /data/{{ server_name }}.signing.key
log_config: /etc/synapse/log.config log_config: /etc/synapse/log.config
report_stats: true report_stats: true
trusted_key_servers: trusted_key_servers:
- server_name: "matrix.org" - server_name: "matrix.org"
turn_uris: [ "turn:turn.comfycamp.space?transport=udp", "turn:turn.comfycamp.space?transport=tcp" ] {% if turn_uris is defined and turn_shared_secret is defined %}
turn_uris:
{% for uri in turn_uris %}
- {{ uri }}
{% endfor %}
turn_shared_secret: "{{ turn_shared_secret }}" turn_shared_secret: "{{ turn_shared_secret }}"
turn_user_lifetime: 86400000 turn_user_lifetime: 86400000
turn_allow_guests: true turn_allow_guests: true
{% endif %}
{% if openid_client_id is defined and openid_client_secret is defined and openid_issuer_url is defined %}
oidc_providers: oidc_providers:
- idp_id: authentik - idp_id: "{{ openid_idp_id }}"
idp_name: Comfy Camp idp_name: "{{ openid_idp_name }}"
discover: true discover: {{ openid_discover }}
issuer: "https://auth.comfycamp.space/application/o/matrix/" issuer: "{{ openid_issuer_url }}"
client_id: 3rORMEeMNLRnaRPssq7s28uerXTna2hZ2Z2TdClp client_id: "{{ openid_client_id }}"
client_secret: "{{ openid_client_secret }}" client_secret: "{{ openid_client_secret }}"
scopes: ["openid", "profile", "email"] scopes:
{% for scope in openid_scopes %}
- {{ scope }}
{% endfor %}
user_mapping_provider: user_mapping_provider:
config: config:
localpart_template: "{{ '{{' }} user.preferred_username {{ '}}' }}" localpart_template: "{{ '{{' }} {{ openid_localpart_template }} {{ '}}' }}"
display_name_template: "{{ '{{' }} user.name|capitalize {{ '}}' }}" display_name_template: "{{ '{{' }} {{ openid_display_name_template }} {{ '}}' }}"
{% endif %}

13
roles/synapse/vars/main.yml Normal file
View file

@ -0,0 +1,13 @@
postgresql_user: matrix-synapse
postgresql_dbname: matrix-synapse
postgresql_host: postgresql
postgresql_conn_max: 10
openid_scopes: ["openid", "profile", "email"]
openid_discover: true
openid_idp_id: openid
openid_idp_name: OpenID
openid_localpart_template: "user.preferred_username"
openid_display_name_template: "user.name|capitalize"
log_level: WARNING

6
synapse.yml
View file

@ -2,6 +2,12 @@
- hosts: webservers - hosts: webservers
roles: roles:
- role: synapse - role: synapse
server_name: matrix.comfycamp.space
postgresql_password: "{{ postgresql_users['matrix-synapse'] }}" postgresql_password: "{{ postgresql_users['matrix-synapse'] }}"
turn_uris: [ "turn:turn.comfycamp.space?transport=udp", "turn:turn.comfycamp.space?transport=tcp" ]
turn_shared_secret: "{{ coturn_static_auth_secret }}" turn_shared_secret: "{{ coturn_static_auth_secret }}"
openid_idp_id: authentik
openid_idp_name: Comfy Camp
openid_issuer_url: https://auth.comfycamp.space/application/o/matrix/
openid_client_id: 3rORMEeMNLRnaRPssq7s28uerXTna2hZ2Z2TdClp
openid_client_secret: "{{ synapse.openid_client_secret }}" openid_client_secret: "{{ synapse.openid_client_secret }}"