From b424f60e75b33e08b34ed0962aef9559698faa73 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20Christian=20Gr=C3=BCnhage?=
Date: Mon, 30 Jul 2018 16:56:33 +0200
Subject: [PATCH 001/167] moved role out of matrix-ansible
---
 README.md | 38 ++
 defaults/main.yml | 20 ++
 handlers/main.yml | 11 +
 meta/main.yml | 16 +
 tasks/configure.yml | 81 +++++
 tasks/deployment.yml | 65 ++++
 tasks/main.yml | 9 +
 tasks/systemd.yml | 8 +
 templates/01-synapse.j2 | 8 +
 templates/homeserver.yaml.j2 | 540 ++++++++++++++++++++++++++++
 templates/log.config.j2 | 29 ++
 templates/matrix-synapse.service.j2 | 18 +
 12 files changed, 843 insertions(+)
 create mode 100644 README.md
 create mode 100644 defaults/main.yml
 create mode 100644 handlers/main.yml
 create mode 100644 meta/main.yml
 create mode 100644 tasks/configure.yml
 create mode 100644 tasks/deployment.yml
 create mode 100644 tasks/main.yml
 create mode 100644 tasks/systemd.yml
 create mode 100644 templates/01-synapse.j2
 create mode 100644 templates/homeserver.yaml.j2
 create mode 100644 templates/log.config.j2
 create mode 100644 templates/matrix-synapse.service.j2
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..2f155b6
--- /dev/null
+++ b/README.md
@@ -0,0 +1,38 @@
+matrix-synapse
+==============
+
+Install a matrix synapse server.
+
+Requirements
+------------
+
+Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
+
+Role Variables
+--------------
+
+A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
+
+Dependencies
+------------
+
+A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
+
+Example Playbook
+----------------
+
+Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
+
+ - hosts: servers
+ roles:
+ - { role: username.rolename, x: 42 }
+
+License
+-------
+
+Apache 2.0
+
+Author Information
+------------------
+
+An optional section for the role authors to include contact information, or a website (HTML is not allowed).
diff --git a/defaults/main.yml b/defaults/main.yml
new file mode 100644
index 0000000..aa048e6
--- /dev/null
+++ b/defaults/main.yml
@@ -0,0 +1,20 @@
+---
+matrix_synapse_tls_path: "/opt/synapse/ssl/{{ matrix_synapse_domain }}.crt"
+matrix_synapse_key_path: "/opt/synapse/ssl/{{ matrix_synapse_domain }}.key"
+matrix_synapse_dh_path: "/opt/synapse/ssl/{{ matrix_synapse_domain }}.dh"
+matrix_synapse_server_name: "{{ matrix_synapse_domain }}"
+matrix_synapse_baseurl: "https://{{ matrix_synapse_domain }}"
+matrix_synapse_port_prefix: 100
+matrix_synapse_pg_pass: "{{ matrix_pg_pass }}"
+matrix_synapse_pg_user: "{{ matrix_pg_user }}"
+matrix_synapse_pg_db: "{{ matrix_pg_db }}"
+matrix_synapse_pg_host: "{{ matrix_pg_host }}"
+matrix_synapse_log_config: "/opt/synapse/{{ matrix_synapse_domain }}.log.config"
+matrix_synapse_media_store_path: "/opt/synapse/media_store"
+matrix_synapse_uploads_path: "/opt/synapse/uploads"
+matrix_synapse_turn_secret: "{{ matrix_turn_secret }}"
+matrix_synapse_turn_uri: "{{ matrix_turn_uri }}"
+matrix_synapse_registration_secret: "{{ matrix_registration_secret }}"
+matrix_synapse_macaroon_secret_key: "{{ matrix_macaroon_key }}"
+matrix_synapse_signing_key_path: "/opt/synapse/ssl/{{ matrix_synapse_domain }}.signing.key"
+matrix_synapse_version: "v0.28.1"
diff --git a/handlers/main.yml b/handlers/main.yml
new file mode 100644
index 0000000..703ff33
--- /dev/null
+++ b/handlers/main.yml
@@ -0,0 +1,11 @@
+---
+- name: "reload systemd"
+ systemd:
+ daemon_reload: yes
+
+- name: "restart matrix-synapse"
+ service:
+ name: "matrix-synapse"
+ state: restarted
+ enabled: yes
+
diff --git a/meta/main.yml b/meta/main.yml
new file mode 100644
index 0000000..a108ae7
--- /dev/null
+++ b/meta/main.yml
@@ -0,0 +1,16 @@
+galaxy_info:
+ author: michaelkaye
+ description: Deploys a synapse server
+
+ license: Apache 2.0
+
+ min_ansible_version: 2.0
+
+ platforms:
+ - name: Debian
+ versions:
+ - jessie
+
+ galaxy_tags: []
+
+dependencies: []
diff --git a/tasks/configure.yml b/tasks/configure.yml
new file mode 100644
index 0000000..7ab3f7e
--- /dev/null
+++ b/tasks/configure.yml
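Review bot: `matrix_synapse_log_config` defaults to `/opt/synapse/{{ matrix_synapse_domain }}.log.config`, but the "Deploy log config" task in tasks/configure.yml writes the template to `/opt/synapse/log.config`, so the `log_config:` line that templates/homeserver.yaml.j2 builds from this variable points at a file nothing in the role creates. Either change the default to `matrix_synapse_log_config: "/opt/synapse/log.config"` or make the task use `dest: "{{ matrix_synapse_log_config }}"`. Likewise `matrix_synapse_macaroon_secret_key` is declared here but the homeserver template reads `matrix_macaroon_key` directly, so overriding the role variable has no effect; the template should read `macaroon_secret_key: "{{ matrix_synapse_macaroon_secret_key }}"`. Both points apply equally to the tasks/configure.yml and templates/homeserver.yaml.j2 hunks of this patch.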
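Review bot: The only restart handler defined here is named `restart matrix-synapse`, while the "Create signing key", "Deploy log config" and "Deploy config" tasks in tasks/configure.yml notify `restart synapse`; Ansible aborts the play with an unknown-handler error as soon as one of those tasks reports a change, so a config edit never reaches the service. Renaming those three notifies to `- "restart matrix-synapse"` (or adding a `listen: "restart synapse"` to this handler) fixes it. As a point of style, `daemon_reload: yes` and `enabled: yes` are YAML 1.1 truthy words; the tasks in this patch already write `become: true`, so `daemon_reload: true` and `enabled: true` keep the booleans consistent and portable to YAML 1.2 parsers.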
@@ -0,0 +1,81 @@
+---
+- name: Create directory for media storage
+ file:
+ name: /opt/synapse/media_store
+ state: directory
+ owner: synapse
+ group: synapse
+
+- name: Create directory for uploads
+ file:
+ name: /opt/synapse/uploads
+ state: directory
+ owner: synapse
+ group: synapse
+
+- name: Create directory for SSL files
+ file:
+ name: /opt/synapse/ssl
+ state: directory
+ owner: synapse
+ group: synapse
+
+- name: Create signing key
+ shell: /opt/synapse/env/bin/python -c "from signedjson import key; file = open('/opt/synapse/ssl/{{ matrix_synapse_domain}}.signing.key','w'); key.write_signing_keys(file, [key.generate_signing_key('first')]); file.close()"
+ args:
+ creates: /opt/synapse/ssl/{{ matrix_synapse_domain }}.signing.key
+ become: true
+ become_user: synapse
+ notify:
+ - "restart synapse"
+
+- name: create logging folder
+ file:
+ name: /var/log/synapse/
+ state: directory
+ owner: synapse
+ group: synapse
+
+- name: Deploy log config
+ template:
+ src: "log.config.j2"
+ dest: "/opt/synapse/log.config"
+ owner: synapse
+ group: synapse
+ notify:
+ - "restart synapse"
+
+- name: Deploy config
+ template:
+ src: "homeserver.yaml.j2"
+ dest: "/opt/synapse/homeserver.yaml"
+ owner: synapse
+ group: synapse
+ notify:
+ - "restart synapse"
+
+- name: ensure hook directory available
+ file:
+ name: /etc/letsencrypt/renewal-hooks/deploy/
+ state: directory
+
+- name: template ssl post-renewal copier into place
+ template:
+ src: 01-synapse.j2
+ dest: /etc/letsencrypt/renewal-hooks/deploy/01-synapse
+ mode: 0700
+ register: ssl_renewal
+
+- name: run post-renewal copier
+ command: /etc/letsencrypt/renewal-hooks/deploy/01-synapse
+ when: ssl_renewal.changed
+ tags:
+ - skip_ansible_lint # because of the when clause
+
+- name: create DH parameters
+ command: openssl dhparam -out ssl/{{ matrix_synapse_domain }}.dh 2048
+ args:
+ creates: /opt/synapse/ssl/{{ matrix_synapse_domain }}.dh
+ chdir: /opt/synapse
+ become_user: synapse
+ become: true
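Review bot: `mode: 0700` on the "template ssl post-renewal copier into place" task is an unquoted octal literal; Ansible accepts it today only because YAML 1.1 turns it into 448, and `mode: "0700"` is the form that survives YAML 1.2 parsers and ansible-lint. "Create signing key" uses the `shell` module for a single argv that needs no shell features and interpolates `{{ matrix_synapse_domain}}` unquoted into a Python string literal; `command:` with the same arguments drops the shell layer, and the spacing should match the `creates:` line. "run post-renewal copier" executes the hook as soon as the template lands, which presumably fails on a host where `/etc/letsencrypt/live/{{ matrix_synapse_domain }}` has not been issued yet; gating it with a `stat` of that directory would make a first run survivable. The homeserver config and log config are written with owner/group but no `mode:`, so they inherit the umask even though homeserver.yaml carries the database password and shared secrets; `mode: "0640"` on both templates is worth adding.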
diff --git a/tasks/deployment.yml b/tasks/deployment.yml
new file mode 100644
index 0000000..371e0ee
--- /dev/null
+++ b/tasks/deployment.yml
@@ -0,0 +1,65 @@
+---
+- name: create user
+ user:
+ name: synapse
+ state: present
+
+- name: create directory
+ file:
+ name: /opt/synapse
+ state: directory
+ owner: synapse
+ group: synapse
+
+- name: Install dependencies
+ apt:
+ name: "{{ item }}"
+ state: present
+ with_items:
+ - build-essential
+ - python2.7-dev
+ - libffi-dev
+ - python-pip
+ - python-setuptools
+ - sqlite3
+ - libssl-dev
+ - python-virtualenv
+ - libjpeg-dev
+ - libxslt1-dev
+ - git
+ - libpq-dev
+
+- name: Create virtualenv
+ pip:
+ name:
+ - pip
+ - setuptools
+ - lxml
+ - psycopg2-binary
+ - mock
+ virtualenv: /opt/synapse/env
+ virtualenv_python: python2.7
+ extra_args: --upgrade
+ become: true
+ become_user: synapse
+
+- name: Clone synapse
+ git:
+ repo: https://github.com/matrix-org/synapse
+ dest: /opt/synapse/synapse
+ accept_hostkey: yes
+ version: "{{ matrix_synapse_version }}"
+ become_user: synapse
+ become: true
+ register: clone_synapse
+
+- name: Install Synapse
+ pip:
+ name: /opt/synapse/synapse
+ virtualenv: /opt/synapse/env
+ virtualenv_python: python2.7
+ become_user: synapse
+ become: true
+ when: clone_synapse.changed
+ tags:
+ - skip_ansible_lint # skip when clause
diff --git a/tasks/main.yml b/tasks/main.yml
new file mode 100644
index 0000000..3bb19c3
--- /dev/null
+++ b/tasks/main.yml
@@ -0,0 +1,9 @@
+---
+- name: deploy synapse
+ import_tasks: deployment.yml
+
+- name: configure synapse
+ import_tasks: configure.yml
+
+- name: configure service
+ import_tasks: systemd.yml
diff --git a/tasks/systemd.yml b/tasks/systemd.yml
new file mode 100644
index 0000000..19e8ea9
--- /dev/null
+++ b/tasks/systemd.yml
@@ -0,0 +1,8 @@
+---
+- name: Deploy service file
+ template:
+ src: "matrix-synapse.service.j2"
+ dest: "/etc/systemd/system/matrix-synapse.service"
+ notify:
+ - "reload systemd"
+ - "restart matrix-synapse"
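Review bot: `when: clone_synapse.changed` on the "Install Synapse" task ties installation to the git task's change status, so if the pip install fails or the play is interrupted after the clone, every later run sees an unchanged checkout and skips the install indefinitely. The pip module is idempotent against the virtualenv on its own, so dropping the `when:` line together with the `skip_ansible_lint` tag that only exists to excuse it is the simpler fix. "Create virtualenv" upgrades `pip`, `setuptools`, `lxml`, `psycopg2-binary` and `mock` unpinned with `extra_args: --upgrade`, so each run may pull whatever is newest on PyPI; pinning versions there (as `matrix_synapse_version` already pins the checkout) makes deployments reproducible and reviewable. `accept_hostkey: yes` only applies to ssh remotes and can be removed for the https URL.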
diff --git a/templates/01-synapse.j2 b/templates/01-synapse.j2
new file mode 100644
index 0000000..9a38fc8
--- /dev/null
+++ b/templates/01-synapse.j2
@@ -0,0 +1,8 @@
+#!/bin/bash
+mkdir -p /opt/synapse/ssl/
+chown synapse:synapse /opt/synapse/ssl
+cp /etc/letsencrypt/live/{{ matrix_synapse_domain }}/fullchain.pem /opt/synapse/ssl/{{ matrix_synapse_domain }}.crt
+chown synapse:synapse /opt/synapse/ssl/{{ matrix_synapse_domain }}.crt
+cp /etc/letsencrypt/live/{{ matrix_synapse_domain }}/privkey.pem /opt/synapse/ssl/{{ matrix_synapse_domain }}.key
+chown synapse:synapse /opt/synapse/ssl/{{ matrix_synapse_domain }}.key
+service matrix-synapse restart
diff --git a/templates/homeserver.yaml.j2 b/templates/homeserver.yaml.j2
new file mode 100644
index 0000000..6f4740f
--- /dev/null
+++ b/templates/homeserver.yaml.j2
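Review bot: The hook copies `privkey.pem` into `/opt/synapse/ssl/` with a plain `cp` and then only runs `chown`, so the private key ends up with whatever mode `cp` derives from the source file and root's umask rather than an explicitly restricted one. Replacing the cp/chown pair for the key with `install -o synapse -g synapse -m 0600 /etc/letsencrypt/live/{{ matrix_synapse_domain }}/privkey.pem /opt/synapse/ssl/{{ matrix_synapse_domain }}.key` pins ownership and mode in one step. The script also runs without `set -e`, so a failed copy still falls through to `service matrix-synapse restart` and restarts the server on a half-updated pair; add `set -eu` directly after the shebang.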
@@ -0,0 +1,540 @@ +# vim:ft=yaml +# PEM encoded X509 certificate for TLS. +# You can replace the self-signed certificate that synapse +# autogenerates on launch with your own SSL certificate + key pair +# if you like. Any required intermediary certificates can be +# appended after the primary certificate in hierarchical order. +tls_certificate_path: "{{ matrix_synapse_tls_path }}" + +# PEM encoded private key for TLS +tls_private_key_path: "{{ matrix_synapse_key_path }}" + +# PEM dh parameters for ephemeral keys +tls_dh_params_path: "{{ matrix_synapse_dh_path }}" + +# Don't bind to the https port +no_tls: False + +# List of allowed TLS fingerprints for this server to publish along +# with the signing keys for this server. Other matrix servers that +# make HTTPS requests to this server will check that the TLS +# certificates returned by this server match one of the fingerprints. +# +# Synapse automatically adds the fingerprint of its own certificate +# to the list. So if federation traffic is handle directly by synapse +# then no modification to the list is required. +# +# If synapse is run behind a load balancer that handles the TLS then it +# will be necessary to add the fingerprints of the certificates used by +# the loadbalancers to this list if they are different to the one +# synapse is using. +# +# Homeservers are permitted to cache the list of TLS fingerprints +# returned in the key responses up to the "valid_until_ts" returned in +# key. It may be necessary to publish the fingerprints of a new +# certificate and wait until the "valid_until_ts" of the previous key +# responses have passed before deploying it. 
+# +# You can calculate a fingerprint from a given TLS listener via: +# openssl s_client -connect $host:$port < /dev/null 2> /dev/null | +# openssl x509 -outform DER | openssl sha256 -binary | base64 | tr -d '=' +# or by checking matrix.org/federationtester/api/report?server_name=$host +# +tls_fingerprints: [] +# tls_fingerprints: [{"sha256": ""}] + + +## Server ## + +# The domain name of the server, with optional explicit port. +# This is used by remote servers to connect to this server, +# e.g. matrix.org, localhost:8080, etc. +# This is also the last part of your UserID. +server_name: "{{ matrix_synapse_server_name }}" + +# When running as a daemon, the file to store the pid in +pid_file: /opt/synapse/var/run/homeserver.pid + +# CPU affinity mask. Setting this restricts the CPUs on which the +# process will be scheduled. It is represented as a bitmask, with the +# lowest order bit corresponding to the first logical CPU and the +# highest order bit corresponding to the last logical CPU. Not all CPUs +# may exist on a given system but a mask may specify more CPUs than are +# present. +# +# For example: +# 0x00000001 is processor #0, +# 0x00000003 is processors #0 and #1, +# 0xFFFFFFFF is all processors (#0 through #31). +# +# Pinning a Python process to a single CPU is desirable, because Python +# is inherently single-threaded due to the GIL, and can suffer a +# 30-40% slowdown due to cache blow-out and thread context switching +# if the scheduler happens to schedule the underlying threads across +# different cores. See +# https://www.mirantis.com/blog/improve-performance-python-programs-restricting-single-cpu/. +# +# cpu_affinity: 0xFFFFFFFF + +# Whether to serve a web client from the HTTP/HTTPS root resource. +web_client: false + +# The root directory to server for the above web client. +# If left undefined, synapse will serve the matrix-angular-sdk web client. 
+# Make sure matrix-angular-sdk is installed with pip if web_client is True +# and web_client_location is undefined +# web_client_location: "/path/to/web/root" + +# The public-facing base URL for the client API (not including _matrix/...) +public_baseurl: {{ matrix_synapse_baseurl }} + +# Set the soft limit on the number of file descriptors synapse can use +# Zero is used to indicate synapse should set the soft limit to the +# hard limit. +soft_file_limit: 0 + +# The GC threshold parameters to pass to `gc.set_threshold`, if defined +# gc_thresholds: [700, 10, 10] + +# Set the limit on the returned events in the timeline in the get +# and sync operations. The default value is -1, means no upper limit. +# filter_timeline_limit: 5000 + +# Whether room invites to users on this server should be blocked +# (except those sent by local server admins). The default is False. +# block_non_admin_invites: True + +# List of ports that Synapse should listen on, their purpose and their +# configuration. +listeners: + # Unsecure HTTP listener, + # For when matrix traffic passes through loadbalancer that unwraps TLS. + - port: {{ matrix_synapse_port_prefix }}01 + tls: false + bind_addresses: ['127.0.0.1'] + type: http + + x_forwarded: false + + resources: + - names: [client, webclient] + compress: false + - names: [federation] + compress: false + + +# Database configuration +database: + # The database engine name + name: "psycopg2" + # Arguments to pass to the engine + args: + user: "{{ matrix_synapse_pg_user }}" + password: "{{ matrix_synapse_pg_pass }}" + database: "{{ matrix_synapse_pg_db }}" + host: "{{ matrix_synapse_pg_host }}" + cp_min: 5 + cp_max: 10 + +# Number of events to cache in memory. 
+event_cache_size: "10K" + +# A yaml python logging config file +log_config: "{{ matrix_synapse_log_config }}" + +## Ratelimiting ## + +# Number of messages a client can send per second +rc_messages_per_second: 0.2 + +# Number of message a client can send before being throttled +rc_message_burst_count: 10.0 + +# The federation window size in milliseconds +federation_rc_window_size: 1000 + +# The number of federation requests from a single server in a window +# before the server will delay processing the request. +federation_rc_sleep_limit: 10 + +# The duration in milliseconds to delay processing events from +# remote servers by if they go over the sleep limit. +federation_rc_sleep_delay: 500 + +# The maximum number of concurrent federation requests allowed +# from a single server +federation_rc_reject_limit: 50 + +# The number of federation requests to concurrently process from a +# single server +federation_rc_concurrent: 3 + +# Directory where uploaded images and attachments are stored. +media_store_path: "{{ matrix_synapse_media_store_path }}" + +# A secondary directory where uploaded images and attachments are +# stored as a backup. +# backup_media_store_path: "/opt/synapse/media_store" + +# Whether to wait for successful write to backup media store before +# returning successfully. +# synchronous_backup_media_store: false + +# Directory where in-progress uploads are stored. +uploads_path: "{{ matrix_synapse_uploads_path }}" + +# The largest allowed upload size in bytes +max_upload_size: "10M" + +# Maximum number of pixels that will be thumbnailed +max_image_pixels: "32M" + +# Whether to generate new thumbnails on the fly to precisely match +# the resolution requested by the client. If true then whenever +# a new resolution is requested by the client the server will +# generate a new thumbnail. If false the server will pick a thumbnail +# from a precalculated list. +dynamic_thumbnails: false + +# List of thumbnail to precalculate when an image is uploaded. 
+thumbnail_sizes: +- width: 32 + height: 32 + method: crop +- width: 96 + height: 96 + method: crop +- width: 320 + height: 240 + method: scale +- width: 640 + height: 480 + method: scale +- width: 800 + height: 600 + method: scale + +# Is the preview URL API enabled? If enabled, you *must* specify +# an explicit url_preview_ip_range_blacklist of IPs that the spider is +# denied from accessing. +url_preview_enabled: False + +# List of IP address CIDR ranges that the URL preview spider is denied +# from accessing. There are no defaults: you must explicitly +# specify a list for URL previewing to work. You should specify any +# internal services in your network that you do not want synapse to try +# to connect to, otherwise anyone in any Matrix room could cause your +# synapse to issue arbitrary GET requests to your internal services, +# causing serious security issues. +# +url_preview_ip_range_blacklist: + - '127.0.0.0/8' + - '10.0.0.0/8' + - '172.16.0.0/12' + - '192.168.0.0/16' + - '100.64.0.0/10' + - '169.254.0.0/16' +# +# List of IP address CIDR ranges that the URL preview spider is allowed +# to access even if they are specified in url_preview_ip_range_blacklist. +# This is useful for specifying exceptions to wide-ranging blacklisted +# target IP ranges - e.g. for enabling URL previews for a specific private +# website only visible in your network. +# +# url_preview_ip_range_whitelist: +# - '192.168.1.1' + +# Optional list of URL matches that the URL preview spider is +# denied from accessing. You should use url_preview_ip_range_blacklist +# in preference to this, otherwise someone could define a public DNS +# entry that points to a private IP address and circumvent the blacklist. +# This is more useful if you know there is an entire shape of URL that +# you know that will never want synapse to try to spider. +# +# Each list entry is a dictionary of url component attributes as returned +# by urlparse.urlsplit as applied to the absolute form of the URL. 
See +# https://docs.python.org/2/library/urlparse.html#urlparse.urlsplit +# The values of the dictionary are treated as an filename match pattern +# applied to that component of URLs, unless they start with a ^ in which +# case they are treated as a regular expression match. If all the +# specified component matches for a given list item succeed, the URL is +# blacklisted. +# +# url_preview_url_blacklist: +# # blacklist any URL with a username in its URI +# - username: '*' +# +# # blacklist all *.google.com URLs +# - netloc: 'google.com' +# - netloc: '*.google.com' +# +# # blacklist all plain HTTP URLs +# - scheme: 'http' +# +# # blacklist http(s)://www.acme.com/foo +# - netloc: 'www.acme.com' +# path: '/foo' +# +# # blacklist any URL with a literal IPv4 address +# - netloc: '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$' + +# The largest allowed URL preview spidering size in bytes +max_spider_size: "10M" + + + + +## Captcha ## +# See docs/CAPTCHA_SETUP for full details of configuring this. + +# This Home Server's ReCAPTCHA public key. +recaptcha_public_key: "YOUR_PUBLIC_KEY" + +# This Home Server's ReCAPTCHA private key. +recaptcha_private_key: "YOUR_PRIVATE_KEY" + +# Enables ReCaptcha checks when registering, preventing signup +# unless a captcha is answered. Requires a valid ReCaptcha +# public/private key. +enable_registration_captcha: False + +# A secret key used to bypass the captcha test entirely. +#captcha_bypass_secret: "YOUR_SECRET_HERE" + +# The API endpoint to use for verifying m.login.recaptcha responses. 
+recaptcha_siteverify_api: "https://www.google.com/recaptcha/api/siteverify" + + +## Turn ## + +# The public URIs of the TURN server to give to clients +turn_uris: ["{{ matrix_synapse_turn_uri}}"] + +# The shared secret used to compute passwords for the TURN server +turn_shared_secret: "{{ matrix_synapse_turn_secret}}" + +# The Username and password if the TURN server needs them and +# does not use a token +#turn_username: "TURNSERVER_USERNAME" +#turn_password: "TURNSERVER_PASSWORD" + +# How long generated TURN credentials last +turn_user_lifetime: "1h" + +# Whether guests should be allowed to use the TURN server. +# This defaults to True, otherwise VoIP will be unreliable for guests. +# However, it does introduce a slight security risk as it allows users to +# connect to arbitrary endpoints without having first signed up for a +# valid account (e.g. by passing a CAPTCHA). +turn_allow_guests: True + + +## Registration ## + +# Enable registration for new users. +enable_registration: True + +# If set, allows registration by anyone who also has the shared +# secret, even if registration is otherwise disabled. +registration_shared_secret: "{{ matrix_synapse_registration_secret }}" + +# Set the number of bcrypt rounds used to generate password hash. +# Larger numbers increase the work factor needed to generate the hash. +# The default number of rounds is 12. +bcrypt_rounds: 12 + +# Allows users to register as guests without a password/email/etc, and +# participate in rooms hosted on this server which have been made +# accessible to anonymous users. +allow_guest_access: False + +# The list of identity servers trusted to verify third party +# identifiers by this server. 
+trusted_third_party_id_servers: + - matrix.org + - vector.im + - riot.im + +# Users who register on this homeserver will automatically be joined +# to these rooms +#auto_join_rooms: +# - "#example:example.com" + + +## Metrics ### + +# Enable collection and rendering of performance metrics +enable_metrics: False +report_stats: False + + +## API Configuration ## + +# A list of event types that will be included in the room_invite_state +room_invite_state_types: + - "m.room.join_rules" + - "m.room.canonical_alias" + - "m.room.avatar" + - "m.room.name" + + +# A list of application service config file to use +app_service_config_files: [] + + +macaroon_secret_key: "{{ matrix_macaroon_key }}" + +# Used to enable access token expiration. +expire_access_token: False + +## Signing Keys ## + +# Path to the signing key to sign messages with +signing_key_path: "{{ matrix_synapse_signing_key_path }}" + +# The keys that the server used to sign messages with but won't use +# to sign new messages. E.g. it has lost its private key +old_signing_keys: {} +# "ed25519:auto": +# # Base64 encoded public key +# key: "The public part of your old signing key." +# # Millisecond POSIX timestamp when the key expired. +# expired_ts: 123456789123 + +# How long key response published by this server is valid for. +# Used to set the valid_until_ts in /key/v2 APIs. +# Determines how quickly servers will query to check which keys +# are still valid. +key_refresh_interval: "1d" # 1 Day. + +# The trusted servers to download signing keys from. +perspectives: + servers: + "matrix.org": + verify_keys: + "ed25519:auto": + key: "Noi6WqcDj0QmPxCNQqgezwTlBKrfqehY1u2FyWP9uYw" + + + +# Enable SAML2 for registration and login. Uses pysaml2 +# config_path: Path to the sp_conf.py configuration file +# idp_redirect_url: Identity provider URL which will redirect +# the user back to /login/saml2 with proper info. +# See pysaml2 docs for format of config. 
+#saml2_config: +# enabled: true +# config_path: "/home/tadhack/sp_conf.py" +# idp_redirect_url: "http://tadhack/idp" + + + +# Enable CAS for registration and login. +#cas_config: +# enabled: true +# server_url: "https://cas-server.com" +# service_url: "https://homeserver.domain.com:8448" +# #required_attributes: +# # name: value + + +# The JWT needs to contain a globally unique "sub" (subject) claim. +# +# jwt_config: +# enabled: true +# secret: "a secret" +# algorithm: "HS256" + + + +# Enable password for login. +password_config: + enabled: true + # Uncomment and change to a secret random string for extra security. + # DO NOT CHANGE THIS AFTER INITIAL SETUP! + #pepper: "" + + + +# Enable sending emails for notification events +# Defining a custom URL for Riot is only needed if email notifications +# should contain links to a self-hosted installation of Riot; when set +# the "app_name" setting is ignored. +# +# If your SMTP server requires authentication, the optional smtp_user & +# smtp_pass variables should be used +# +#email: +# enable_notifs: false +# smtp_host: "localhost" +# smtp_port: 25 +# smtp_user: "exampleusername" +# smtp_pass: "examplepassword" +# require_transport_security: False +# notif_from: "Your Friendly %(app)s Home Server " +# app_name: Matrix +# template_dir: res/templates +# notif_template_html: notif_mail.html +# notif_template_text: notif_mail.txt +# notif_for_new_users: True +# riot_base_url: "http://localhost/riot" + + +# password_providers: +# - module: "ldap_auth_provider.LdapAuthProvider" +# config: +# enabled: true +# uri: "ldap://ldap.example.com:389" +# start_tls: true +# base: "ou=users,dc=example,dc=com" +# attributes: +# uid: "cn" +# mail: "email" +# name: "givenName" +# #bind_dn: +# #bind_password: +# #filter: "(objectClass=posixAccount)" + + + +# Clients requesting push notifications can either have the body of +# the message sent in the notification poke along with other details +# like the sender, or just the event ID and 
room ID (`event_id_only`). +# If clients choose the former, this option controls whether the +# notification request includes the content of the event (other details +# like the sender are still included). For `event_id_only` push, it +# has no effect. + +# For modern android devices the notification content will still appear +# because it is loaded by the app. iPhone, however will send a +# notification saying only that a message arrived and who it came from. +# +#push: +# include_content: true + + +# spam_checker: +# module: "my_custom_project.SuperSpamChecker" +# config: +# example_option: 'things' + + +# Whether to allow non server admins to create groups on this server +enable_group_creation: false + +# If enabled, non server admins can only create groups with local parts +# starting with this prefix +# group_creation_prefix: "unofficial/" + + + +# User Directory configuration +# +# 'search_all_users' defines whether to search all users visible to your HS +# when searching the user directory, rather than limiting to users visible +# in public rooms. Defaults to false. If you set it True, you'll have to run +# UPDATE user_directory_stream_pos SET stream_id = NULL; +# on your database to tell it to rebuild the user_directory search indexes. +# +#user_directory: +# search_all_users: false diff --git a/templates/log.config.j2 b/templates/log.config.j2 new file mode 100644 index 0000000..b5c907c --- /dev/null +++ b/templates/log.config.j2 
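Review bot: `macaroon_secret_key: "{{ matrix_macaroon_key }}"` reads the global variable directly instead of the role's `matrix_synapse_macaroon_secret_key` from defaults/main.yml, so the role-level override is dead; it should be `macaroon_secret_key: "{{ matrix_synapse_macaroon_secret_key }}"` like every other secret in this template. `enable_registration: True` together with `enable_registration_captcha: False` means a freshly deployed homeserver accepts sign-ups from anyone, while `registration_shared_secret` already provides the controlled path; defaulting to `enable_registration: False` or driving it from a role variable is the safer starting point. The only listener binds 127.0.0.1 behind a TLS-terminating proxy per its own comment, yet `x_forwarded: false` makes synapse attribute every request to the proxy address in its logs and per-IP handling; `x_forwarded: true` matches that topology. `public_baseurl: {{ matrix_synapse_baseurl }}` is the one templated value left unquoted; quote it for consistency with the rest of the file.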
@@ -0,0 +1,29 @@ +version: 1 + +formatters: + precise: + format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s- %(message)s' + +filters: + context: + (): synapse.util.logcontext.LoggingContextFilter + request: "" + +handlers: + console: + class: logging.StreamHandler + formatter: precise + filters: [context] + +loggers: + synapse: + level: INFO + + synapse.storage.SQL: + # beware: increasing this to DEBUG will make synapse log sensitive + # information such as access tokens. + level: INFO + +root: + level: INFO + handlers: [console] diff --git a/templates/matrix-synapse.service.j2 b/templates/matrix-synapse.service.j2 new file mode 100644 index 0000000..67177b3 --- /dev/null +++ b/templates/matrix-synapse.service.j2 @@ -0,0 +1,18 @@ +[Unit] +Description="Matrix Synapse Server (synapse)" + +[Service] +Type=simple +WorkingDirectory=/opt/synapse +ExecStart=/opt/synapse/env/bin/python -m synapse.app.homeserver --config-path=/opt/synapse/homeserver.yaml --log-config=/opt/synapse/log.config +ExecStop=/opt/synapse/env/bin/synctl stop /opt/synapse/homeserver.yaml +User=synapse +Group=synapse +Restart=always +StandardOut=syslog +SyslogIdentifier=matrix-synapse +SyslogFacility=local3 + +[Install] +WantedBy=default.target + From 33609b4076c8f421f09686e03b2170a32325aa52 Mon Sep 17 00:00:00 2001 From: Michael Kaye <1917473+michaelkaye@users.noreply.github.com> Date: Fri, 17 Aug 2018 14:40:32 +0100 Subject: [PATCH 002/167] Add a pre_install tag for operations that are generic --- tasks/deployment.yml | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/tasks/deployment.yml b/tasks/deployment.yml index 371e0ee..0ff5a82 100644 --- a/tasks/deployment.yml +++ b/tasks/deployment.yml @@ -3,6 +3,8 @@ user: name: synapse state: present + tags: + - pre_install - name: create directory file: @@ -10,6 +12,8 @@ state: directory owner: synapse group: synapse + tags: + - pre_install - name: Install dependencies apt: 
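Review bot: `StandardOut=syslog` is not a systemd directive (the option is `StandardOutput=`), so systemd ignores the key with a warning and the unit's stdout, which is where log.config.j2's console handler sends every message, keeps the default destination instead of the intended syslog identifier; PATCH 003 later in this series corrects it. The unit drops to `User=synapse` but carries no sandboxing; adding `NoNewPrivileges=true`, `PrivateTmp=true` and `ProtectSystem=full` under `[Service]` costs nothing for a daemon whose writable state lives under `/opt/synapse`. `WantedBy=default.target` works, but `multi-user.target` is the conventional target for a system service. `ExecStop` calls `synctl stop` against the pid file although the server is started in the foreground with `Type=simple`; it is not clear from here that a pid file exists in that mode, so letting systemd's default SIGTERM stop the process may be more reliable.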
@@ -28,6 +32,8 @@ - libxslt1-dev - git - libpq-dev + tags: + - pre_install - name: Create virtualenv pip: @@ -42,6 +48,8 @@ extra_args: --upgrade become: true become_user: synapse + tags: + - pre_install - name: Clone synapse git: @@ -52,6 +60,8 @@ become_user: synapse become: true register: clone_synapse + tags: + - pre_install - name: Install Synapse pip: @@ -63,3 +73,5 @@ when: clone_synapse.changed tags: - skip_ansible_lint # skip when clause + - pre_install + From 058665e36b8eb229fd03dfa73e819f574a359e25 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20Christian=20Gr=C3=BCnhage?= Date: Fri, 17 Aug 2018 16:22:08 +0200 Subject: [PATCH 003/167] rotate logs --- defaults/main.yml | 1 + files/matrix_synapse.conf | 2 ++ handlers/main.yml | 5 +++++ tasks/configure.yml | 12 ++++++++++++ templates/log.config.j2 | 2 +- templates/logrotate.j2 | 9 +++++++++ templates/matrix-synapse.service.j2 | 6 ++---- 7 files changed, 32 insertions(+), 5 deletions(-) create mode 100644 files/matrix_synapse.conf create mode 100644 templates/logrotate.j2 diff --git a/defaults/main.yml b/defaults/main.yml index aa048e6..f0e01f9 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -18,3 +18,4 @@ matrix_synapse_registration_secret: "{{ matrix_registration_secret }}" matrix_synapse_macaroon_secret_key: "{{ matrix_macaroon_key }}" matrix_synapse_signing_key_path: "/opt/synapse/ssl/{{ matrix_synapse_domain }}.signing.key" matrix_synapse_version: "v0.28.1" +matrix_synapse_log_days_keep: 30 diff --git a/files/matrix_synapse.conf b/files/matrix_synapse.conf new file mode 100644 index 0000000..82a783d --- /dev/null +++ b/files/matrix_synapse.conf @@ -0,0 +1,2 @@ +if $programname == 'matrix_synapse' then /var/log/matrix_synapse/matrix_synapse.log +if $programname == 'matrix_synapse' then ~ diff --git a/handlers/main.yml b/handlers/main.yml index 703ff33..f37861a 100644 --- a/handlers/main.yml +++ b/handlers/main.yml 
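Review bot: The rule writes to `/var/log/matrix_synapse/matrix_synapse.log`, but the only log directory the role creates is `/var/log/synapse/` ("create logging folder" in tasks/configure.yml), so the file's existence depends on rsyslog's omfile creating the directory itself; a `file:` task creating `/var/log/matrix_synapse` with an explicit owner and mode would make the permissions of a log that can carry user identifiers deliberate rather than rsyslog's default. The trailing `~` discard action is the legacy spelling; newer rsyslog releases accept `if $programname == 'matrix_synapse' then stop`, which reads more clearly. The logrotate template in this patch targets the same path, so the two need to stay in sync.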
@@ -9,3 +9,8 @@ state: restarted enabled: yes +- name: restart rsyslog + become: yes + service: + name: rsyslog + state: restarted diff --git a/tasks/configure.yml b/tasks/configure.yml index 7ab3f7e..940ff93 100644 --- a/tasks/configure.yml +++ b/tasks/configure.yml @@ -36,6 +36,18 @@ owner: synapse group: synapse +- name: copy syslog config + copy: + src: matrix_synapse.conf + dest: /etc/rsyslog.d/matrix_synapse.conf + owner: root + notify: restart rsyslog + +- name: template logrotate config + template: + src: logrotate.j2 + dest: /etc/logrotate.d/matrix_synapse + - name: Deploy log config template: src: "log.config.j2" diff --git a/templates/log.config.j2 b/templates/log.config.j2 index b5c907c..c40da9b 100644 --- a/templates/log.config.j2 +++ b/templates/log.config.j2 @@ -2,7 +2,7 @@ version: 1 formatters: precise: - format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s- %(message)s' + format: '%(name)s - %(lineno)d - %(levelname)s - %(request)s- %(message)s' filters: context: diff --git a/templates/logrotate.j2 b/templates/logrotate.j2 new file mode 100644 index 0000000..3e66ac2 --- /dev/null +++ b/templates/logrotate.j2 @@ -0,0 +1,9 @@ +/var/log/matrix_synapse/matrix_synapse.log { + daily + rotate {{ matrix_synapse_log_days_keep }} + compress + shred + postrotate + /usr/bin/pkill -HUP rsyslogd + endscript +} diff --git a/templates/matrix-synapse.service.j2 b/templates/matrix-synapse.service.j2 index 67177b3..f9dd57e 100644 --- a/templates/matrix-synapse.service.j2 +++ b/templates/matrix-synapse.service.j2 @@ -9,10 +9,8 @@ ExecStop=/opt/synapse/env/bin/synctl stop /opt/synapse/homeserver.yaml User=synapse Group=synapse Restart=always -StandardOut=syslog -SyslogIdentifier=matrix-synapse -SyslogFacility=local3 +StandardOutput=syslog +SyslogIdentifier=matrix_synapse [Install] WantedBy=default.target - From 6fcef77b3ba37c4f6ab5ae6cd8f2b19af724d431 Mon Sep 17 00:00:00 2001 
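Review bot: The `copy syslog config` task sets `owner: root` but no `mode`, and the `template logrotate config` task sets neither, so both files under /etc get whatever the target's default umask yields; give each `owner: root`, `group: root` and `mode: "0644"`, since logrotate (as far as I recall) skips configuration files it considers insecure and a stray group-writable bit would silently disable rotation. Neither task has `become`, while the `restart rsyslog` handler added in the same patch uses `become: yes`; unless the play already runs as root the copy into /etc/rsyslog.d fails with a permission error. The same missing `mode` carries over when these tasks are moved to tasks/logging.yml later in the series.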
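Review bot: The rotation block has no `missingok`, `notifempty` or `delaycompress`, so logrotate errors out while the file does not exist yet (before rsyslog has written anything) and the just-rotated file is compressed before the `postrotate` HUP has made rsyslogd reopen it, which can lose the last entries; add `missingok`, `notifempty` and `delaycompress` next to `compress`. Because these logs can contain access tokens (see the warning in log.config), a `create 0640 root adm` line (constructed example; adjust to the rsyslog user) would pin the mode of each new file instead of relying on rsyslog's default. `shred` is fine but only meaningful on filesystems where in-place overwrite is honoured; a one-line comment saying so would help the next maintainer.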
From: Emmanouil Kampitakis Date: Sun, 2 Dec 2018 23:10:29 +0100 Subject: [PATCH 004/167] Increase installation speed apt is no longer called for every package --- tasks/deployment.yml | 30 +++++++++++++++--------------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/tasks/deployment.yml b/tasks/deployment.yml index 0ff5a82..1ce81fa 100644 --- a/tasks/deployment.yml +++ b/tasks/deployment.yml @@ -17,22 +17,22 @@ - name: Install dependencies apt: - name: "{{ item }}" + name: + - build-essential + - python2.7-dev + - libffi-dev + - python-pip + - python-setuptools + - sqlite3 + - libssl-dev + - python-virtualenv + - libjpeg-dev + - libxslt1-dev + - git + - libpq-dev state: present - with_items: - - build-essential - - python2.7-dev - - libffi-dev - - python-pip - - python-setuptools - - sqlite3 - - libssl-dev - - python-virtualenv - - libjpeg-dev - - libxslt1-dev - - git - - libpq-dev - tags: + cache_valid_time: 1800 + tags: - pre_install - name: Create virtualenv From 72cd8744c2fac24a89254aaf365421039a285550 Mon Sep 17 00:00:00 2001 From: Emmanouil Kampitakis Date: Sun, 2 Dec 2018 23:12:30 +0100 Subject: [PATCH 005/167] Extract logging configuration to separate play --- tasks/configure.yml | 29 ++--------------------------- tasks/logging.yml | 30 ++++++++++++++++++++++++++++++ 2 files changed, 32 insertions(+), 27 deletions(-) create mode 100644 tasks/logging.yml diff --git a/tasks/configure.yml b/tasks/configure.yml index 940ff93..5da910f 100644 --- a/tasks/configure.yml +++ b/tasks/configure.yml 
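Review bot: `cache_valid_time: 1800` is only honoured together with `update_cache: true` on older Ansible releases (2.4 made an explicit cache_valid_time imply it), so adding `update_cache: true` makes the intent explicit either way. The consolidated list still installs Python 2 packages (`python2.7-dev`, `python-pip`, `python-virtualenv`); not a defect of this commit, but a comment such as `# interpreter choice is tied to the pinned matrix_synapse_version` would record why, since the pin is bumped elsewhere in the series.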
@@ -29,33 +29,6 @@ notify: - "restart synapse" -- name: create logging folder - file: - name: /var/log/synapse/ - state: directory - owner: synapse - group: synapse - -- name: copy syslog config - copy: - src: matrix_synapse.conf - dest: /etc/rsyslog.d/matrix_synapse.conf - owner: root - notify: restart rsyslog - -- name: template logrotate config - template: - src: logrotate.j2 - dest: /etc/logrotate.d/matrix_synapse - -- name: Deploy log config - template: - src: "log.config.j2" - dest: "/opt/synapse/log.config" - owner: synapse - group: synapse - notify: - - "restart synapse" - name: Deploy config template: @@ -66,6 +39,8 @@ notify: - "restart synapse" +- name: Configure logging + import_tasks: logging.yml - name: ensure hook directory available file: name: /etc/letsencrypt/renewal-hooks/deploy/ diff --git a/tasks/logging.yml b/tasks/logging.yml new file mode 100644 index 0000000..32ba818 --- /dev/null +++ b/tasks/logging.yml @@ -0,0 +1,30 @@ +--- +- name: create logging folder + file: + name: /var/log/synapse/ + state: directory + owner: synapse + group: synapse + +- name: copy syslog config + copy: + src: matrix_synapse.conf + dest: /etc/rsyslog.d/matrix_synapse.conf + owner: root + notify: restart rsyslog + +- name: template logrotate config + template: + src: logrotate.j2 + dest: /etc/logrotate.d/matrix_synapse + +- name: Deploy log config + template: + src: "log.config.j2" + dest: "/opt/synapse/log.config" + owner: synapse + group: synapse + notify: + - "restart synapse" + + From 3240f5df73182e988be69cec35fc7b314e0bfcb9 Mon Sep 17 00:00:00 2001 From: Emmanouil Kampitakis Date: Sun, 2 Dec 2018 23:16:49 +0100 Subject: [PATCH 006/167] Consolidate directory creation to a single loop --- tasks/configure.yml | 20 +++++--------------- 1 file changed, 5 insertions(+), 15 deletions(-) diff --git a/tasks/configure.yml b/tasks/configure.yml index 5da910f..15ca56b 100644 --- a/tasks/configure.yml +++ b/tasks/configure.yml 
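Review bot: `create logging folder` creates `/var/log/synapse/`, but the rsyslog rule in files/matrix_synapse.conf and the logrotate template both use `/var/log/matrix_synapse/matrix_synapse.log`, so the directory this task creates is never written to and the one rsyslog actually writes into is never managed by the role; one of the two paths looks stale, and the directory task should use the same one as the logrotate template. The moved `copy syslog config` and `template logrotate config` tasks still have no `mode` (same point as on tasks/configure.yml earlier in the series). The new file also ends with two blank `+` lines.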
@@ -1,24 +1,14 @@ --- - name: Create directory for media storage file: - name: /opt/synapse/media_store - state: directory - owner: synapse - group: synapse - -- name: Create directory for uploads - file: - name: /opt/synapse/uploads - state: directory - owner: synapse - group: synapse - -- name: Create directory for SSL files - file: - name: /opt/synapse/ssl + name: "/opt/synapse/{{ item }}" state: directory owner: synapse group: synapse + loop: + - media_store + - uploads + - ssl - name: Create signing key shell: /opt/synapse/env/bin/python -c "from signedjson import key; file = open('/opt/synapse/ssl/{{ matrix_synapse_domain}}.signing.key','w'); key.write_signing_keys(file, [key.generate_signing_key('first')]); file.close()" From 682b55e7977ff82c0dd465a6195de79f2d5d39cf Mon Sep 17 00:00:00 2001 From: Emmanouil Kampitakis Date: Sun, 2 Dec 2018 23:25:20 +0100 Subject: [PATCH 007/167] Extract letsencrypt operations to a separate play --- defaults/main.yml | 1 + tasks/configure.yml | 23 ++++------------------- tasks/letsencrypt.yml | 26 ++++++++++++++++++++++++++ 3 files changed, 31 insertions(+), 19 deletions(-) create mode 100644 tasks/letsencrypt.yml diff --git a/defaults/main.yml b/defaults/main.yml index f0e01f9..2ef4d77 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -19,3 +19,4 @@ matrix_synapse_macaroon_secret_key: "{{ matrix_macaroon_key }}" matrix_synapse_signing_key_path: "/opt/synapse/ssl/{{ matrix_synapse_domain }}.signing.key" matrix_synapse_version: "v0.28.1" matrix_synapse_log_days_keep: 30 +matrix_synapse_skip_letsencrypt: false diff --git a/tasks/configure.yml b/tasks/configure.yml index 15ca56b..c4ecdac 100644 --- a/tasks/configure.yml +++ b/tasks/configure.yml 
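Review bot: The directory loop creates `ssl` — where the TLS key, DH parameters and the federation signing key are written later in this series — with whatever mode the default umask yields, typically 0755; since all three directories are only accessed by the `synapse` user, add `mode: "0750"` to the `file:` call so private key material under /opt/synapse/ssl is not listable by other local accounts. `loop:` requires Ansible 2.5 or newer; if the role's `min_ansible_version` in meta/main.yml (not visible here) is lower, it should be raised in the same commit.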
@@ -31,28 +31,13 @@ - name: Configure logging import_tasks: logging.yml -- name: ensure hook directory available - file: - name: /etc/letsencrypt/renewal-hooks/deploy/ - state: directory -- name: template ssl post-renewal copier into place - template: - src: 01-synapse.j2 - dest: /etc/letsencrypt/renewal-hooks/deploy/01-synapse - mode: 0700 - register: ssl_renewal - -- name: run post-renewal copier - command: /etc/letsencrypt/renewal-hooks/deploy/01-synapse - when: ssl_renewal.changed - tags: - - skip_ansible_lint # because of the when clause - -- name: create DH parameters - command: openssl dhparam -out ssl/{{ matrix_synapse_domain }}.dh 2048 args: creates: /opt/synapse/ssl/{{ matrix_synapse_domain }}.dh chdir: /opt/synapse become_user: synapse become: true + +- name: Use letsencrypt certificate + include_tasks: letsencrypt.yml + when: not skip_letsencrypt diff --git a/tasks/letsencrypt.yml b/tasks/letsencrypt.yml new file mode 100644 index 0000000..3e4a4df --- /dev/null +++ b/tasks/letsencrypt.yml @@ -0,0 +1,26 @@ +--- +- name: ensure hook directory available + file: + name: /etc/letsencrypt/renewal-hooks/deploy/ + state: directory + +- name: template ssl post-renewal copier into place + template: + src: 01-synapse.j2 + dest: /etc/letsencrypt/renewal-hooks/deploy/01-synapse + mode: 0700 + register: ssl_renewal + +- name: run post-renewal copier + command: /etc/letsencrypt/renewal-hooks/deploy/01-synapse + when: ssl_renewal.changed + tags: + - skip_ansible_lint # because of the when clause + +- name: create DH parameters + command: openssl dhparam -out ssl/{{ matrix_synapse_domain }}.dh 2048 + args: + creates: /opt/synapse/ssl/{{ matrix_synapse_domain }}.dh + chdir: /opt/synapse + become_user: synapse + become: true From 6105d69c7bdf15f123dad74f12a3d982ad072f1a Mon Sep 17 00:00:00 2001 
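Review bot: The new `when: not skip_letsencrypt` refers to a variable that does not exist; defaults/main.yml in the same patch defines `matrix_synapse_skip_letsencrypt`, so the include fails with an undefined-variable error unless a user happens to set `skip_letsencrypt` themselves (`when: not matrix_synapse_skip_letsencrypt`). The removal of `create DH parameters` also drops only the `- name:` and `command:` lines: `args:`, `creates:`, `chdir:`, `become_user:` and `become: true` stay behind as orphaned keys that now attach to whatever task precedes them (the `Configure logging` import, judging by the context lines), which Ansible will either reject or misapply. Logging is pulled in with `import_tasks` while this uses `include_tasks`; the conditional works on either, but picking one keeps tag handling consistent across the role.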
From: Emmanouil Kampitakis Date: Sun, 2 Dec 2018 23:25:50 +0100 Subject: [PATCH 008/167] Improve python shell call --- tasks/configure.yml | 24 +++++++++++------------- 1 file changed, 11 insertions(+), 13 deletions(-) diff --git a/tasks/configure.yml b/tasks/configure.yml index c4ecdac..a698ace 100644 --- a/tasks/configure.yml +++ b/tasks/configure.yml @@ -10,16 +10,6 @@ - uploads - ssl -- name: Create signing key - shell: /opt/synapse/env/bin/python -c "from signedjson import key; file = open('/opt/synapse/ssl/{{ matrix_synapse_domain}}.signing.key','w'); key.write_signing_keys(file, [key.generate_signing_key('first')]); file.close()" - args: - creates: /opt/synapse/ssl/{{ matrix_synapse_domain }}.signing.key - become: true - become_user: synapse - notify: - - "restart synapse" - - - name: Deploy config template: src: "homeserver.yaml.j2" @@ -32,11 +22,19 @@ - name: Configure logging import_tasks: logging.yml +- name: Create signing key + shell: > + /opt/synapse/env/bin/python -c " + from signedjson import key; + with open('/opt/synapse/ssl/{{ matrix_synapse_domain}}.signing.key','w') as file: + key.write_signing_keys(file, [key.generate_signing_key('first')]); + " args: - creates: /opt/synapse/ssl/{{ matrix_synapse_domain }}.dh - chdir: /opt/synapse - become_user: synapse + creates: /opt/synapse/ssl/{{ matrix_synapse_domain }}.signing.key become: true + become_user: synapse + notify: + - "restart synapse" - name: Use letsencrypt certificate include_tasks: letsencrypt.yml From cd1eb9e4d0e20320291e83c5c6b03838ff3a51ce Mon Sep 17 00:00:00 2001 From: Emmanouil Kampitakis Date: Sun, 2 Dec 2018 23:30:23 +0100 Subject: [PATCH 009/167] letsencrypt ain't that of a good name --- defaults/main.yml | 2 +- tasks/configure.yml | 4 ++-- tasks/{letsencrypt.yml => ssl.yml} | 0 3 files changed, 3 insertions(+), 3 deletions(-) rename tasks/{letsencrypt.yml => ssl.yml} (100%) diff --git a/defaults/main.yml b/defaults/main.yml index 2ef4d77..29dc18a 100644 --- a/defaults/main.yml 
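Review bot: With `shell: >` the lines of the `python -c` program are folded onto one line whenever they share an indentation, and `from signedjson import key; with open(...) as file: ...` is not valid Python on a single line (a compound statement cannot follow `;`), so the task would fail at runtime unless the continuation lines are indented deeper than the first; `shell: |` preserves the newlines, which `-c` accepts. The key file is written with the `synapse` user's default umask, which usually leaves it 0644; since this is the federation signing key, follow the task with a `file:` task setting `mode: "0600"` on it. The path is hard-coded here while defaults/main.yml already defines `matrix_synapse_signing_key_path` for exactly this file; using the variable (including in `creates:`) keeps the two from drifting.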
+++ b/defaults/main.yml @@ -19,4 +19,4 @@ matrix_synapse_macaroon_secret_key: "{{ matrix_macaroon_key }}" matrix_synapse_signing_key_path: "/opt/synapse/ssl/{{ matrix_synapse_domain }}.signing.key" matrix_synapse_version: "v0.28.1" matrix_synapse_log_days_keep: 30 -matrix_synapse_skip_letsencrypt: false +matrix_synapse_skip_ssl: false diff --git a/tasks/configure.yml b/tasks/configure.yml index a698ace..2a9281f 100644 --- a/tasks/configure.yml +++ b/tasks/configure.yml @@ -37,5 +37,5 @@ - "restart synapse" - name: Use letsencrypt certificate - include_tasks: letsencrypt.yml - when: not skip_letsencrypt + include_tasks: ssl.yml + when: not matrix_synapse_skip_ssl diff --git a/tasks/letsencrypt.yml b/tasks/ssl.yml similarity index 100% rename from tasks/letsencrypt.yml rename to tasks/ssl.yml From 629da252e69e0942597bb8486d108f212b025fbd Mon Sep 17 00:00:00 2001 From: Emmanouil Kampitakis Date: Sun, 2 Dec 2018 23:40:41 +0100 Subject: [PATCH 010/167] Add ansible_managed header to the templates --- templates/01-synapse.j2 | 1 + templates/homeserver.yaml.j2 | 1 + templates/logrotate.j2 | 1 + 3 files changed, 3 insertions(+) diff --git a/templates/01-synapse.j2 b/templates/01-synapse.j2 index 9a38fc8..f282161 100644 --- a/templates/01-synapse.j2 +++ b/templates/01-synapse.j2 @@ -1,4 +1,5 @@ #!/bin/bash +{{ ansible_managed | comment }} mkdir -p /opt/synapse/ssl/ chown synapse:synapse /opt/synapse/ssl cp /etc/letsencrypt/live/{{ matrix_synapse_domain }}/fullchain.pem /opt/synapse/ssl/{{ matrix_synapse_domain }}.crt diff --git a/templates/homeserver.yaml.j2 b/templates/homeserver.yaml.j2 index 6f4740f..d4e72a6 100644 --- a/templates/homeserver.yaml.j2 +++ b/templates/homeserver.yaml.j2 @@ -1,4 +1,5 @@ # vim:ft=yaml +{{ ansible_managed | comment }} # PEM encoded X509 certificate for TLS. # You can replace the self-signed certificate that synapse # autogenerates on launch with your own SSL certificate + key pair 
diff --git a/templates/logrotate.j2 b/templates/logrotate.j2 index 3e66ac2..c917561 100644 --- a/templates/logrotate.j2 +++ b/templates/logrotate.j2 @@ -1,3 +1,4 @@ +{{ ansible_managed | comment }} /var/log/matrix_synapse/matrix_synapse.log { daily rotate {{ matrix_synapse_log_days_keep }} From 9a0f1542a0c2a3bbb6f8298fff603ac60283bde5 Mon Sep 17 00:00:00 2001 From: Emmanouil Kampitakis Date: Sun, 2 Dec 2018 23:46:31 +0100 Subject: [PATCH 011/167] Static files should not be used as templates --- templates/log.config.j2 => files/log.config | 0 .../matrix-synapse.service.j2 => files/matrix-synapse.service | 0 tasks/logging.yml | 4 ++-- tasks/systemd.yml | 4 ++-- 4 files changed, 4 insertions(+), 4 deletions(-) rename templates/log.config.j2 => files/log.config (100%) rename templates/matrix-synapse.service.j2 => files/matrix-synapse.service (100%) diff --git a/templates/log.config.j2 b/files/log.config similarity index 100% rename from templates/log.config.j2 rename to files/log.config diff --git a/templates/matrix-synapse.service.j2 b/files/matrix-synapse.service similarity index 100% rename from templates/matrix-synapse.service.j2 rename to files/matrix-synapse.service diff --git a/tasks/logging.yml b/tasks/logging.yml index 32ba818..fb05911 100644 --- a/tasks/logging.yml +++ b/tasks/logging.yml @@ -19,8 +19,8 @@ dest: /etc/logrotate.d/matrix_synapse - name: Deploy log config - template: - src: "log.config.j2" + file: + src: "log.config" dest: "/opt/synapse/log.config" owner: synapse group: synapse diff --git a/tasks/systemd.yml b/tasks/systemd.yml index 19e8ea9..1493c63 100644 --- a/tasks/systemd.yml +++ b/tasks/systemd.yml @@ -1,7 +1,7 @@ --- - name: Deploy service file - template: - src: "matrix-synapse.service.j2" + file: + src: "matrix-synapse.service" dest: "/etc/systemd/system/matrix-synapse.service" notify: - "reload systemd" From 03c2c3431bc7065d8b58218f4502d2e43e355241 Mon Sep 17 00:00:00 2001 
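Review bot: The `file` module does not copy content — its `src` parameter applies only to `state: link` and `state: hard` — so after this change `Deploy log config` no longer installs files/log.config, and `Deploy service file` in tasks/systemd.yml (same patch) no longer installs the unit; with the default state the task only checks that `dest` exists and errors when it does not. Static files belong with the `copy` module: `copy:` / `src: "log.config"` / `dest: "/opt/synapse/log.config"`, and likewise for the service file. Moving the two templates under files/ is fine once the module is corrected.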
From: Emmanouil Kampitakis Date: Sun, 2 Dec 2018 23:58:30 +0100 Subject: [PATCH 012/167] Add a sensible readme file --- README.md | 45 ++++++++++++++++++++++++++++++++++++--------- 1 file changed, 36 insertions(+), 9 deletions(-) diff --git a/README.md b/README.md index 2f155b6..8c83ef1 100644 --- a/README.md +++ b/README.md 
@@ -6,26 +6,51 @@ Install a matrix synapse server. Requirements ------------ -Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required. +The following should be present on the target system +* `pip` +* `systemd` +* `rsyslogd` +* `logrotate` Role Variables -------------- -A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well. +__Default vars__ +| Name | Value | +| :--- | :--- | +| matrix_synapse_tls_path | "/opt/synapse/ssl/{{ matrix_synapse_domain }}.crt" | +| matrix_synapse_key_path | "/opt/synapse/ssl/{{ matrix_synapse_domain }}.key" +| matrix_synapse_dh_path | "/opt/synapse/ssl/{{ matrix_synapse_domain }}.dh" +| matrix_synapse_server_name | "{{ matrix_synapse_domain }}" +| matrix_synapse_baseurl | "https://{{ matrix_synapse_domain }}" +| matrix_synapse_port_prefix | 100 +| matrix_synapse_pg_pass | "{{ matrix_pg_pass }}" +| matrix_synapse_pg_user | "{{ matrix_pg_user }}" +| matrix_synapse_pg_db | "{{ matrix_pg_db }}" +| matrix_synapse_pg_host | "{{ matrix_pg_host }}" +| matrix_synapse_log_config | "/opt/synapse/{{ matrix_synapse_domain }}.log.config" +| matrix_synapse_media_store_path | "/opt/synapse/media_store" +| matrix_synapse_uploads_path | "/opt/synapse/uploads" +| matrix_synapse_turn_secret | "{{ matrix_turn_secret }}" +| matrix_synapse_turn_uri | "{{ matrix_turn_uri }}" +| matrix_synapse_registration_secret | "{{ matrix_registration_secret }}" +| matrix_synapse_macaroon_secret_key | "{{ matrix_macaroon_key }}" +| matrix_synapse_signing_key_path | "/opt/synapse/ssl/{{ matrix_synapse_domain 
}}.signing.key" +| matrix_synapse_version | "v0.28.1" +| matrix_synapse_log_days_keep | 30 +| matrix_synapse_skip_ssl | false Dependencies ------------ -A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles. +__None__. Example Playbook ---------------- -Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too: - - - hosts: servers - roles: - - { role: username.rolename, x: 42 } +```yaml +#TODO: Add example +``` License ------- @@ -35,4 +60,6 @@ Apache 2.0 Author Information ------------------ -An optional section for the role authors to include contact information, or a website (HTML is not allowed). +* Michael Kaye +* Jan Christian Grünhage +* Emmanouil Kampitakis From 76b0223b7e059ce7f5dacabe52c7ef0d0e259283 Mon Sep 17 00:00:00 2001 From: Emmanouil Kampitakis Date: Mon, 3 Dec 2018 23:27:35 +0100 Subject: [PATCH 013/167] Remove letsencrypt hooks --- tasks/ssl.yml | 17 ----------------- 1 file changed, 17 deletions(-) diff --git a/tasks/ssl.yml b/tasks/ssl.yml index 3e4a4df..2181604 100644 --- a/tasks/ssl.yml +++ b/tasks/ssl.yml @@ -1,21 +1,4 @@ --- -- name: ensure hook directory available - file: - name: /etc/letsencrypt/renewal-hooks/deploy/ - state: directory - -- name: template ssl post-renewal copier into place - template: - src: 01-synapse.j2 - dest: /etc/letsencrypt/renewal-hooks/deploy/01-synapse - mode: 0700 - register: ssl_renewal - -- name: run post-renewal copier - command: /etc/letsencrypt/renewal-hooks/deploy/01-synapse - when: ssl_renewal.changed - tags: - - skip_ansible_lint # because of the when clause - name: create DH parameters command: openssl dhparam -out ssl/{{ matrix_synapse_domain }}.dh 2048 From dc85581dfab302f3a37c98664026f33acb814d2f Mon Sep 17 00:00:00 2001 
From: Emmanouil Kampitakis Date: Mon, 3 Dec 2018 23:28:34 +0100 Subject: [PATCH 014/167] Use the builtin openssl dhparam module instead of the openssl command --- tasks/ssl.yml | 23 +++++++++++++++++------ 1 file changed, 17 insertions(+), 6 deletions(-) diff --git a/tasks/ssl.yml b/tasks/ssl.yml index 2181604..2d6ee80 100644 --- a/tasks/ssl.yml +++ b/tasks/ssl.yml @@ -1,9 +1,20 @@ --- +- name: Create signing key + shell: > + /opt/synapse/env/bin/python -c " + from signedjson import key; + with open('/opt/synapse/ssl/{{ matrix_synapse_domain}}.signing.key','w') as file: + key.write_signing_keys(file, [key.generate_signing_key('first')]); + " + args: + creates: /opt/synapse/ssl/{{ matrix_synapse_domain }}.signing.key + become: true + become_user: synapse + notify: + - "restart synapse" - name: create DH parameters - command: openssl dhparam -out ssl/{{ matrix_synapse_domain }}.dh 2048 - args: - creates: /opt/synapse/ssl/{{ matrix_synapse_domain }}.dh - chdir: /opt/synapse - become_user: synapse - become: true + openssl_dhparam: + path: "/opt/synapse/ssl/{{ matrix_synapse_domain }}.dh" + owner: synapse + From 5d6ca954e60ffba2fa45aa063ba56998d8d363d7 Mon Sep 17 00:00:00 2001 From: Emmanouil Kampitakis Date: Mon, 3 Dec 2018 23:29:19 +0100 Subject: [PATCH 015/167] Correct letsencrypt in the description --- tasks/configure.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/configure.yml b/tasks/configure.yml index 2a9281f..09e0789 100644 --- a/tasks/configure.yml +++ b/tasks/configure.yml @@ -36,6 +36,6 @@ notify: - "restart synapse" -- name: Use letsencrypt certificate +- name: Create certificates include_tasks: ssl.yml when: not matrix_synapse_skip_ssl From 752f1691a242a2b6ebcc1233151e17a7e648cb17 Mon Sep 17 00:00:00 2001 From: Emmanouil Kampitakis Date: Mon, 3 Dec 2018 23:29:54 +0100 Subject: [PATCH 016/167] Remove signing key creation from configuration --- tasks/configure.yml | 14 -------------- 1 file changed, 14 deletions(-) 
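Review bot: `openssl_dhparam` drops the explicit 2048-bit size of the command it replaces; the module's default `size` is 4096, so either add `size: 2048` to keep behaviour (and first-run time) unchanged or note the deliberate change. The task sets `owner: synapse` but no `mode`; pinning `mode: "0644"` or tighter is worth doing explicitly. Moving `Create signing key` into ssl.yml also means it only runs when `not matrix_synapse_skip_ssl` (the `Create certificates` include in tasks/configure.yml), yet the signing key is used for federation signatures regardless of whether Synapse terminates TLS, so a deployment behind a TLS-terminating proxy would start without one. The folded `shell: >` program has the same single-line syntax problem raised on the earlier tasks/configure.yml hunk, and the file ends with a stray blank `+` line.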
diff --git a/tasks/configure.yml b/tasks/configure.yml index 09e0789..cc07b35 100644 --- a/tasks/configure.yml +++ b/tasks/configure.yml @@ -22,20 +22,6 @@ - name: Configure logging import_tasks: logging.yml -- name: Create signing key - shell: > - /opt/synapse/env/bin/python -c " - from signedjson import key; - with open('/opt/synapse/ssl/{{ matrix_synapse_domain}}.signing.key','w') as file: - key.write_signing_keys(file, [key.generate_signing_key('first')]); - " - args: - creates: /opt/synapse/ssl/{{ matrix_synapse_domain }}.signing.key - become: true - become_user: synapse - notify: - - "restart synapse" - - name: Create certificates include_tasks: ssl.yml when: not matrix_synapse_skip_ssl From 84248ad23c4635757c4856d3680277c2091b88ee Mon Sep 17 00:00:00 2001 From: Emmanouil Kampitakis Date: Mon, 11 Feb 2019 22:37:32 +0100 Subject: [PATCH 017/167] Fix markdown syling --- README.md | 41 +++++++++++++++++++++-------------------- 1 file changed, 21 insertions(+), 20 deletions(-) diff --git a/README.md b/README.md index 8c83ef1..e1b22f6 100644 --- a/README.md +++ b/README.md 
@@ -16,29 +16,30 @@ Role Variables -------------- __Default vars__ + | Name | Value | | :--- | :--- | | matrix_synapse_tls_path | "/opt/synapse/ssl/{{ matrix_synapse_domain }}.crt" | -| matrix_synapse_key_path | "/opt/synapse/ssl/{{ matrix_synapse_domain }}.key" -| matrix_synapse_dh_path | "/opt/synapse/ssl/{{ matrix_synapse_domain }}.dh" -| matrix_synapse_server_name | "{{ matrix_synapse_domain }}" -| matrix_synapse_baseurl | "https://{{ matrix_synapse_domain }}" -| matrix_synapse_port_prefix | 100 -| matrix_synapse_pg_pass | "{{ matrix_pg_pass }}" -| matrix_synapse_pg_user | "{{ matrix_pg_user }}" -| matrix_synapse_pg_db | "{{ matrix_pg_db }}" -| matrix_synapse_pg_host | "{{ matrix_pg_host }}" -| matrix_synapse_log_config | "/opt/synapse/{{ matrix_synapse_domain }}.log.config" -| matrix_synapse_media_store_path | "/opt/synapse/media_store" -| matrix_synapse_uploads_path | "/opt/synapse/uploads" -| matrix_synapse_turn_secret | "{{ matrix_turn_secret }}" -| matrix_synapse_turn_uri | "{{ matrix_turn_uri }}" -| matrix_synapse_registration_secret | "{{ matrix_registration_secret }}" -| matrix_synapse_macaroon_secret_key | "{{ matrix_macaroon_key }}" -| matrix_synapse_signing_key_path | "/opt/synapse/ssl/{{ matrix_synapse_domain }}.signing.key" -| matrix_synapse_version | "v0.28.1" -| matrix_synapse_log_days_keep | 30 -| matrix_synapse_skip_ssl | false +| matrix_synapse_key_path | "/opt/synapse/ssl/{{ matrix_synapse_domain }}.key" | +| matrix_synapse_dh_path | "/opt/synapse/ssl/{{ matrix_synapse_domain }}.dh" | +| matrix_synapse_server_name | "{{ matrix_synapse_domain }}" | +| matrix_synapse_baseurl | "https://{{ matrix_synapse_domain }}" | +| matrix_synapse_port_prefix | 100 | +| matrix_synapse_pg_pass | "{{ matrix_pg_pass }}" | +| matrix_synapse_pg_user | "{{ matrix_pg_user }}" | +| matrix_synapse_pg_db | "{{ matrix_pg_db }}" | +| matrix_synapse_pg_host | "{{ matrix_pg_host }}" | +| matrix_synapse_log_config | "/opt/synapse/{{ matrix_synapse_domain }}.log.config" | 
+| matrix_synapse_media_store_path | "/opt/synapse/media_store" | +| matrix_synapse_uploads_path | "/opt/synapse/uploads" | +| matrix_synapse_turn_secret | "{{ matrix_turn_secret }}" | +| matrix_synapse_turn_uri | "{{ matrix_turn_uri }}" | +| matrix_synapse_registration_secret | "{{ matrix_registration_secret }}" | +| matrix_synapse_macaroon_secret_key | "{{ matrix_macaroon_key }}" | +| matrix_synapse_signing_key_path | "/opt/synapse/ssl/{{ matrix_synapse_domain }}.signing.key" | +| matrix_synapse_version | "v0.28.1" | +| matrix_synapse_log_days_keep | 30 | +| matrix_synapse_skip_ssl | false | Dependencies ------------ From 05b5c5e356c9d692241ff3baf2fd420811ae1c2b Mon Sep 17 00:00:00 2001 From: Emmanouil Kampitakis Date: Mon, 11 Feb 2019 23:10:39 +0100 Subject: [PATCH 018/167] Bump synapse version --- README.md | 2 +- defaults/main.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index e1b22f6..485a5c1 100644 --- a/README.md +++ b/README.md @@ -37,7 +37,7 @@ __Default vars__ | matrix_synapse_registration_secret | "{{ matrix_registration_secret }}" | | matrix_synapse_macaroon_secret_key | "{{ matrix_macaroon_key }}" | | matrix_synapse_signing_key_path | "/opt/synapse/ssl/{{ matrix_synapse_domain }}.signing.key" | -| matrix_synapse_version | "v0.28.1" | +| matrix_synapse_version | "v0.34.1.1" | | matrix_synapse_log_days_keep | 30 | | matrix_synapse_skip_ssl | false | diff --git a/defaults/main.yml b/defaults/main.yml index 29dc18a..563214c 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -17,6 +17,6 @@ matrix_synapse_turn_uri: "{{ matrix_turn_uri }}" matrix_synapse_registration_secret: "{{ matrix_registration_secret }}" matrix_synapse_macaroon_secret_key: "{{ matrix_macaroon_key }}" matrix_synapse_signing_key_path: "/opt/synapse/ssl/{{ matrix_synapse_domain }}.signing.key" -matrix_synapse_version: "v0.28.1" +matrix_synapse_version: "v0.34.1.1" matrix_synapse_log_days_keep: 30 matrix_synapse_skip_ssl: false 
From 043a070d11e9cfd0b388eb1b201535b5d1b5c41e Mon Sep 17 00:00:00 2001 From: Emmanouil Kampitakis Date: Tue, 12 Feb 2019 01:36:57 +0100 Subject: [PATCH 019/167] Define a yaml file to configure synapse rather than templating it --- vars/main.yml | 796 ++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 796 insertions(+) create mode 100644 vars/main.yml diff --git a/vars/main.yml b/vars/main.yml new file mode 100644 index 0000000..35dda19 --- /dev/null +++ b/vars/main.yml 
@@ -0,0 +1,796 @@ +# vim:ft=yaml +# PEM-encoded X509 certificate for TLS. +# This certificate, as of Synapse 1.0, will need to be a valid and verifiable +# certificate, signed by a recognised Certificate Authority. +# +# See 'ACME support' below to enable auto-provisioning this certificate via +# Let's Encrypt. +# +tls_certificate_path: "{{ matrix_synapse_tls_cert }}" + +# PEM-encoded private key for TLS +tls_private_key_path: "{{ matrix_synapse_tls_key }}" + +# ACME support: This will configure Synapse to request a valid TLS certificate +# for your configured `server_name` via Let's Encrypt. +# +# Note that provisioning a certificate in this way requires port 80 to be +# routed to Synapse so that it can complete the http-01 ACME challenge. +# By default, if you enable ACME support, Synapse will attempt to listen on +# port 80 for incoming http-01 challenges - however, this will likely fail +# with 'Permission denied' or a similar error. +# +# There are a couple of potential solutions to this: +# +# * If you already have an Apache, Nginx, or similar listening on port 80, +# you can configure Synapse to use an alternate port, and have your web +# server forward the requests. For example, assuming you set 'port: 8009' +# below, on Apache, you would write: +# +# ProxyPass /.well-known/acme-challenge http://localhost:8009/.well-known/acme-challenge +# +# * Alternatively, you can use something like `authbind` to give Synapse +# permission to listen on port 80. +# +acme: + # ACME support is disabled by default. Uncomment the following line + # to enable it. + # + # enabled: true + + # Endpoint to use to request certificates. If you only want to test, + # use Let's Encrypt's staging url: + # https://acme-staging.api.letsencrypt.org/directory + # + # url: https://acme-v01.api.letsencrypt.org/directory + + # Port number to listen on for the HTTP-01 challenge. Change this if + # you are forwarding connections through Apache/Nginx/etc. 
+ # + # port: 80 + + # Local addresses to listen on for incoming connections. + # Again, you may want to change this if you are forwarding connections + # through Apache/Nginx/etc. + # + # bind_addresses: ['::', '0.0.0.0'] + + # How many days remaining on a certificate before it is renewed. + # + # reprovision_threshold: 30 + +# If your server runs behind a reverse-proxy which terminates TLS connections +# (for both client and federation connections), it may be useful to disable +# All TLS support for incoming connections. Setting no_tls to True will +# do so (and avoid the need to give synapse a TLS private key). +# +no_tls: {{ matrix_synapse_skip_ssl }} + +# List of allowed TLS fingerprints for this server to publish along +# with the signing keys for this server. Other matrix servers that +# make HTTPS requests to this server will check that the TLS +# certificates returned by this server match one of the fingerprints. +# +# Synapse automatically adds the fingerprint of its own certificate +# to the list. So if federation traffic is handled directly by synapse +# then no modification to the list is required. +# +# If synapse is run behind a load balancer that handles the TLS then it +# will be necessary to add the fingerprints of the certificates used by +# the loadbalancers to this list if they are different to the one +# synapse is using. +# +# Homeservers are permitted to cache the list of TLS fingerprints +# returned in the key responses up to the "valid_until_ts" returned in +# key. It may be necessary to publish the fingerprints of a new +# certificate and wait until the "valid_until_ts" of the previous key +# responses have passed before deploying it. 
+# +# You can calculate a fingerprint from a given TLS listener via: +# openssl s_client -connect $host:$port < /dev/null 2> /dev/null | +# openssl x509 -outform DER | openssl sha256 -binary | base64 | tr -d '=' +# or by checking matrix.org/federationtester/api/report?server_name=$host +# +tls_fingerprints: [] +# tls_fingerprints: [{"sha256": ""}] + +## Server ## + +# The domain name of the server, with optional explicit port. +# This is used by remote servers to connect to this server, +# e.g. matrix.org, localhost:8080, etc. +# This is also the last part of your UserID. +server_name: "{{ matrix_server_name }}" + +# When running as a daemon, the file to store the pid in +pid_file: {{ matrix_synapse_pid_file }} + +# CPU affinity mask. Setting this restricts the CPUs on which the +# process will be scheduled. It is represented as a bitmask, with the +# lowest order bit corresponding to the first logical CPU and the +# highest order bit corresponding to the last logical CPU. Not all CPUs +# may exist on a given system but a mask may specify more CPUs than are +# present. +# +# For example: +# 0x00000001 is processor #0, +# 0x00000003 is processors #0 and #1, +# 0xFFFFFFFF is all processors (#0 through #31). +# +# Pinning a Python process to a single CPU is desirable, because Python +# is inherently single-threaded due to the GIL, and can suffer a +# 30-40% slowdown due to cache blow-out and thread context switching +# if the scheduler happens to schedule the underlying threads across +# different cores. See +# https://www.mirantis.com/blog/improve-performance-python-programs-restricting-single-cpu/. +# +# This setting requires the affinity package to be installed! +# +# cpu_affinity: 0xFFFFFFFF + +# The path to the web client which will be served at /_matrix/client/ +# if 'webclient' is configured under the 'listeners' configuration. 
+# +# web_client_location: "/path/to/web/root" + +# The public-facing base URL that clients use to access this HS +# (not including _matrix/...). This is the same URL a user would +# enter into the 'custom HS URL' field on their client. If you +# use synapse with a reverse proxy, this should be the URL to reach +# synapse via the proxy. +# public_baseurl: https://example.com/ + +# Set the soft limit on the number of file descriptors synapse can use +# Zero is used to indicate synapse should set the soft limit to the +# hard limit. +soft_file_limit: 0 + +# Set to false to disable presence tracking on this homeserver. +use_presence: true + +# The GC threshold parameters to pass to `gc.set_threshold`, if defined +# gc_thresholds: [700, 10, 10] + +# Set the limit on the returned events in the timeline in the get +# and sync operations. The default value is -1, means no upper limit. +# filter_timeline_limit: 5000 + +# Whether room invites to users on this server should be blocked +# (except those sent by local server admins). The default is False. +# block_non_admin_invites: True + +# Restrict federation to the following whitelist of domains. +# N.B. we recommend also firewalling your federation listener to limit +# inbound federation traffic as early as possible, rather than relying +# purely on this application-layer restriction. If not specified, the +# default is to whitelist everything. +# +# federation_domain_whitelist: +# - lon.example.com +# - nyc.example.com +# - syd.example.com + +# List of ports that Synapse should listen on, their purpose and their +# configuration. 
+listeners: + {%- if not matrix_synapse_skip_ssl %} + - port: 8448 + bind_addresses: + - '::' + - '0.0.0.0' + type: http + tls: true + x_forwarded: false + resources: + - names: [client] + compress: true + - names: [federation] + compress: false + {%- endif %} + - port: 8008 + tls: false + bind_addresses: ['::', '0.0.0.0'] + type: http + x_forwarded: false + resources: + - names: [client] + compress: true + - names: [federation] + compress: false + {%- if matrix_synapse_manhole %} + - port: 9000 + bind_addresses: ['::1', '127.0.0.1'] + type: manhole + {%- endif %} + +# Homeserver blocking +# +# How to reach the server admin, used in ResourceLimitError +# admin_contact: 'mailto:admin@server.com' +# +# Global block config +# +# hs_disabled: False +# hs_disabled_message: 'Human readable reason for why the HS is blocked' +# hs_disabled_limit_type: 'error code(str), to help clients decode reason' +# +# Monthly Active User Blocking +# +# Enables monthly active user checking +# limit_usage_by_mau: False +# max_mau_value: 50 +# mau_trial_days: 2 +# +# If enabled, the metrics for the number of monthly active users will +# be populated, however no one will be limited. If limit_usage_by_mau +# is true, this is implied to be true. +# mau_stats_only: False +# +# Sometimes the server admin will want to ensure certain accounts are +# never blocked by mau checking. These accounts are specified here. +# +# mau_limit_reserved_threepids: +# - medium: 'email' +# address: 'reserved_user@example.com' +# +# Room searching +# +# If disabled, new messages will not be indexed for searching and users +# will receive errors when searching for messages. Defaults to enabled. +# enable_search: true + +database: + name: "psycopg2" + args: + user: "{{ matrix_synapse_pg_user }}" + password: "{{ matrix_synapse_pg_pass }}" + database: "{{ matrix_synapse_pg_db }}" + host: "{{ matrix_synapse_pg_host }}" + cp_min: 5 + cp_max: 10 + +# Number of events to cache in memory. 
+event_cache_size: "10K" + +# A yaml python logging config file +log_config: "/my.domain.name.log.config" + +## Ratelimiting ## + +rc_messages_per_second: 0.2 +rc_message_burst_count: 10.0 +federation_rc_window_size: 1000 +federation_rc_sleep_limit: 10 +federation_rc_sleep_delay: 500 +federation_rc_reject_limit: 50 +federation_rc_concurrent: 3 + +media_store_path: "{{ matrix_synapse_media_store_path }}" + +# Media storage providers allow media to be stored in different +# locations. +# media_storage_providers: +# - module: file_system +# # Whether to write new local files. +# store_local: false +# # Whether to write new remote media +# store_remote: false +# # Whether to block upload requests waiting for write to this +# # provider to complete +# store_synchronous: false +# config: +# directory: /mnt/some/other/directory + +uploads_path: "/uploads" + +max_upload_size: "{{ matrix_synapse_max_upload_size }}" +max_image_pixels: "32M" + +dynamic_thumbnails: false + +thumbnail_sizes: +- width: 32 + height: 32 + method: crop +- width: 96 + height: 96 + method: crop +- width: 320 + height: 240 + method: scale +- width: 640 + height: 480 + method: scale +- width: 800 + height: 600 + method: scale + +url_preview_enabled: {{ matrix_synapse_url_preview_enabled }} +{% if matrix_synapse_url_preview_enabled %} +url_preview_ip_range_blacklist: +- '127.0.0.0/8' +- '10.0.0.0/8' +- '172.16.0.0/12' +- '192.168.0.0/16' +- '100.64.0.0/10' +- '169.254.0.0/16' +- '::1/128' +- 'fe80::/64' +- 'fc00::/7' +{% endif %} +# +# List of IP address CIDR ranges that the URL preview spider is allowed +# to access even if they are specified in url_preview_ip_range_blacklist. +# This is useful for specifying exceptions to wide-ranging blacklisted +# target IP ranges - e.g. for enabling URL previews for a specific private +# website only visible in your network. 
+# +# url_preview_ip_range_whitelist: +# - '192.168.1.1' + +# Optional list of URL matches that the URL preview spider is +# denied from accessing. You should use url_preview_ip_range_blacklist +# in preference to this, otherwise someone could define a public DNS +# entry that points to a private IP address and circumvent the blacklist. +# This is more useful if you know there is an entire shape of URL that +# you know that will never want synapse to try to spider. +# +# Each list entry is a dictionary of url component attributes as returned +# by urlparse.urlsplit as applied to the absolute form of the URL. See +# https://docs.python.org/2/library/urlparse.html#urlparse.urlsplit +# The values of the dictionary are treated as an filename match pattern +# applied to that component of URLs, unless they start with a ^ in which +# case they are treated as a regular expression match. If all the +# specified component matches for a given list item succeed, the URL is +# blacklisted. +# +# url_preview_url_blacklist: +# # blacklist any URL with a username in its URI +# - username: '*' +# +# # blacklist all *.google.com URLs +# - netloc: 'google.com' +# - netloc: '*.google.com' +# +# # blacklist all plain HTTP URLs +# - scheme: 'http' +# +# # blacklist http(s)://www.acme.com/foo +# - netloc: 'www.acme.com' +# path: '/foo' +# +# # blacklist any URL with a literal IPv4 address +# - netloc: '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$' + +# The largest allowed URL preview spidering size in bytes +max_spider_size: "10M" + +## Captcha ## +# See docs/CAPTCHA_SETUP for full details of configuring this. + +# This Home Server's ReCAPTCHA public key. +recaptcha_public_key: "YOUR_PUBLIC_KEY" + +# This Home Server's ReCAPTCHA private key. +recaptcha_private_key: "YOUR_PRIVATE_KEY" + +# Enables ReCaptcha checks when registering, preventing signup +# unless a captcha is answered. Requires a valid ReCaptcha +# public/private key. 
+enable_registration_captcha: False + +# A secret key used to bypass the captcha test entirely. +#captcha_bypass_secret: "YOUR_SECRET_HERE" + +# The API endpoint to use for verifying m.login.recaptcha responses. +recaptcha_siteverify_api: "https://www.google.com/recaptcha/api/siteverify" + + +## Turn ## + +# The public URIs of the TURN server to give to clients +#turn_uris: [] + +# The shared secret used to compute passwords for the TURN server +#turn_shared_secret: "YOUR_SHARED_SECRET" + +# The Username and password if the TURN server needs them and +# does not use a token +#turn_username: "TURNSERVER_USERNAME" +#turn_password: "TURNSERVER_PASSWORD" + +# How long generated TURN credentials last +turn_user_lifetime: "1h" + +# Whether guests should be allowed to use the TURN server. +# This defaults to True, otherwise VoIP will be unreliable for guests. +# However, it does introduce a slight security risk as it allows users to +# connect to arbitrary endpoints without having first signed up for a +# valid account (e.g. by passing a CAPTCHA). +turn_allow_guests: True + + +## Registration ## + +# Enable registration for new users. +enable_registration: False + +# The user must provide all of the below types of 3PID when registering. +# +# registrations_require_3pid: +# - email +# - msisdn + +# Explicitly disable asking for MSISDNs from the registration +# flow (overrides registrations_require_3pid if MSISDNs are set as required) +# +# disable_msisdn_registration = True + +# Mandate that users are only allowed to associate certain formats of +# 3PIDs with accounts on this server. +# +# allowed_local_3pids: +# - medium: email +# pattern: '.*@matrix\.org' +# - medium: email +# pattern: '.*@vector\.im' +# - medium: msisdn +# pattern: '\+44' + +# If set, allows registration by anyone who also has the shared +# secret, even if registration is otherwise disabled. 
+registration_shared_secret: "Io&-g_uxkPWPLzqc@ui&Hf5-C&554:J37A_U0YMJW:UPY3qGzH" + +# Set the number of bcrypt rounds used to generate password hash. +# Larger numbers increase the work factor needed to generate the hash. +# The default number is 12 (which equates to 2^12 rounds). +# N.B. that increasing this will exponentially increase the time required +# to register or login - e.g. 24 => 2^24 rounds which will take >20 mins. +bcrypt_rounds: 12 + +# Allows users to register as guests without a password/email/etc, and +# participate in rooms hosted on this server which have been made +# accessible to anonymous users. +allow_guest_access: False + +# The identity server which we suggest that clients should use when users log +# in on this server. +# +# (By default, no suggestion is made, so it is left up to the client. +# This setting is ignored unless public_baseurl is also set.) +# +# default_identity_server: https://matrix.org + +# The list of identity servers trusted to verify third party +# identifiers by this server. +# +# Also defines the ID server which will be called when an account is +# deactivated (one will be picked arbitrarily). +trusted_third_party_id_servers: + - matrix.org + - vector.im + +# Users who register on this homeserver will automatically be joined +# to these rooms +#auto_join_rooms: +# - "#example:example.com" + +# Where auto_join_rooms are specified, setting this flag ensures that the +# the rooms exist by creating them when the first user on the +# homeserver registers. +# Setting to false means that if the rooms are not manually created, +# users cannot be auto-joined since they do not exist. 
+autocreate_auto_join_rooms: true + + +## Metrics ### + +# Enable collection and rendering of performance metrics +enable_metrics: False +report_stats: false + + +## API Configuration ## + +# A list of event types that will be included in the room_invite_state +room_invite_state_types: + - "m.room.join_rules" + - "m.room.canonical_alias" + - "m.room.avatar" + - "m.room.name" + + +# A list of application service config file to use +app_service_config_files: [] + +# Whether or not to track application service IP addresses. Implicitly +# enables MAU tracking for application service users. +track_appservice_user_ips: False + + +# a secret which is used to sign access tokens. If none is specified, +# the registration_shared_secret is used, if one is given; otherwise, +# a secret key is derived from the signing key. +macaroon_secret_key: "wiiFkmMO-BX-zRv1aFoPzxCbmYRB~AQR^xe~y60ZB,#62YH8tR" + +# Used to enable access token expiration. +expire_access_token: False + +# a secret which is used to calculate HMACs for form values, to stop +# falsification of values. Must be specified for the User Consent +# forms to work. +form_secret: "n1FlN6+8j62*eiC0#aFPY3ax51vEI7rS:AXDvyf65mT7Fx0axp" + +## Signing Keys ## + +# Path to the signing key to sign messages with +signing_key_path: "/my.domain.name.signing.key" + +# The keys that the server used to sign messages with but won't use +# to sign new messages. E.g. it has lost its private key +old_signing_keys: {} +# "ed25519:auto": +# # Base64 encoded public key +# key: "The public part of your old signing key." +# # Millisecond POSIX timestamp when the key expired. +# expired_ts: 123456789123 + +# How long key response published by this server is valid for. +# Used to set the valid_until_ts in /key/v2 APIs. +# Determines how quickly servers will query to check which keys +# are still valid. +key_refresh_interval: "1d" # 1 Day. + +# The trusted servers to download signing keys from. 
+perspectives: + servers: + "matrix.org": + verify_keys: + "ed25519:auto": + key: "Noi6WqcDj0QmPxCNQqgezwTlBKrfqehY1u2FyWP9uYw" + + + +# Enable SAML2 for registration and login. Uses pysaml2. +# +# saml2_config: +# +# # The following is the configuration for the pysaml2 Service Provider. +# # See pysaml2 docs for format of config. +# # +# # Default values will be used for the 'entityid' and 'service' settings, +# # so it is not normally necessary to specify them unless you need to +# # override them. +# +# sp_config: +# # point this to the IdP's metadata. You can use either a local file or +# # (preferably) a URL. +# metadata: +# # local: ["saml2/idp.xml"] +# remote: +# - url: https://our_idp/metadata.xml +# +# # The following is just used to generate our metadata xml, and you +# # may well not need it, depending on your setup. Alternatively you +# # may need a whole lot more detail - see the pysaml2 docs! +# +# description: ["My awesome SP", "en"] +# name: ["Test SP", "en"] +# +# organization: +# name: Example com +# display_name: +# - ["Example co", "en"] +# url: "http://example.com" +# +# contact_person: +# - given_name: Bob +# sur_name: "the Sysadmin" +# email_address": ["admin@example.com"] +# contact_type": technical +# +# # Instead of putting the config inline as above, you can specify a +# # separate pysaml2 configuration file: +# # +# # config_path: "//sp_conf.py" + + + +# Enable CAS for registration and login. +#cas_config: +# enabled: true +# server_url: "https://cas-server.com" +# service_url: "https://homeserver.domain.com:8448" +# #required_attributes: +# # name: value + + +# The JWT needs to contain a globally unique "sub" (subject) claim. +# +# jwt_config: +# enabled: true +# secret: "a secret" +# algorithm: "HS256" + + + +# Enable password for login. +password_config: + enabled: true + # Uncomment and change to a secret random string for extra security. + # DO NOT CHANGE THIS AFTER INITIAL SETUP! 
+ #pepper: "" + + + +# Enable sending emails for notification events +# Defining a custom URL for Riot is only needed if email notifications +# should contain links to a self-hosted installation of Riot; when set +# the "app_name" setting is ignored. +# +# If your SMTP server requires authentication, the optional smtp_user & +# smtp_pass variables should be used +# +#email: +# enable_notifs: false +# smtp_host: "localhost" +# smtp_port: 25 +# smtp_user: "exampleusername" +# smtp_pass: "examplepassword" +# require_transport_security: False +# notif_from: "Your Friendly %(app)s Home Server " +# app_name: Matrix +# # if template_dir is unset, uses the example templates that are part of +# # the Synapse distribution. +# #template_dir: res/templates +# notif_template_html: notif_mail.html +# notif_template_text: notif_mail.txt +# notif_for_new_users: True +# riot_base_url: "http://localhost/riot" + + +# password_providers: +# - module: "ldap_auth_provider.LdapAuthProvider" +# config: +# enabled: true +# uri: "ldap://ldap.example.com:389" +# start_tls: true +# base: "ou=users,dc=example,dc=com" +# attributes: +# uid: "cn" +# mail: "email" +# name: "givenName" +# #bind_dn: +# #bind_password: +# #filter: "(objectClass=posixAccount)" + + + +# Clients requesting push notifications can either have the body of +# the message sent in the notification poke along with other details +# like the sender, or just the event ID and room ID (`event_id_only`). +# If clients choose the former, this option controls whether the +# notification request includes the content of the event (other details +# like the sender are still included). For `event_id_only` push, it +# has no effect. + +# For modern android devices the notification content will still appear +# because it is loaded by the app. iPhone, however will send a +# notification saying only that a message arrived and who it came from. 
+# +#push: +# include_content: true + + +# spam_checker: +# module: "my_custom_project.SuperSpamChecker" +# config: +# example_option: 'things' + + +# Whether to allow non server admins to create groups on this server +enable_group_creation: false + +# If enabled, non server admins can only create groups with local parts +# starting with this prefix +# group_creation_prefix: "unofficial/" + + + +# User Directory configuration +# +# 'search_all_users' defines whether to search all users visible to your HS +# when searching the user directory, rather than limiting to users visible +# in public rooms. Defaults to false. If you set it True, you'll have to run +# UPDATE user_directory_stream_pos SET stream_id = NULL; +# on your database to tell it to rebuild the user_directory search indexes. +# +#user_directory: +# search_all_users: false + + +# User Consent configuration +# +# for detailed instructions, see +# https://github.com/matrix-org/synapse/blob/master/docs/consent_tracking.md +# +# Parts of this section are required if enabling the 'consent' resource under +# 'listeners', in particular 'template_dir' and 'version'. +# +# 'template_dir' gives the location of the templates for the HTML forms. +# This directory should contain one subdirectory per language (eg, 'en', 'fr'), +# and each language directory should contain the policy document (named as +# '.html') and a success page (success.html). +# +# 'version' specifies the 'current' version of the policy document. It defines +# the version to be served by the consent resource if there is no 'v' +# parameter. +# +# 'server_notice_content', if enabled, will send a user a "Server Notice" +# asking them to consent to the privacy policy. The 'server_notices' section +# must also be configured for this to work. Notices will *not* be sent to +# guest users unless 'send_server_notice_to_guests' is set to true. 
+# +# 'block_events_error', if set, will block any attempts to send events +# until the user consents to the privacy policy. The value of the setting is +# used as the text of the error. +# +# 'require_at_registration', if enabled, will add a step to the registration +# process, similar to how captcha works. Users will be required to accept the +# policy before their account is created. +# +# 'policy_name' is the display name of the policy users will see when registering +# for an account. Has no effect unless `require_at_registration` is enabled. +# Defaults to "Privacy Policy". +# +# user_consent: +# template_dir: res/templates/privacy +# version: 1.0 +# server_notice_content: +# msgtype: m.text +# body: >- +# To continue using this homeserver you must review and agree to the +# terms and conditions at %(consent_uri)s +# send_server_notice_to_guests: True +# block_events_error: >- +# To continue using this homeserver you must review and agree to the +# terms and conditions at %(consent_uri)s +# require_at_registration: False +# policy_name: Privacy Policy +# + + +# Server Notices room configuration +# +# Uncomment this section to enable a room which can be used to send notices +# from the server to users. It is a special room which cannot be left; notices +# come from a special "notices" user id. +# +# If you uncomment this section, you *must* define the system_mxid_localpart +# setting, which defines the id of the user which will be used to send the +# notices. +# +# It's also possible to override the room name, the display name of the +# "notices" user, and the avatar for the user. +# +# server_notices: +# system_mxid_localpart: notices +# system_mxid_display_name: "Server Notices" +# system_mxid_avatar_url: "mxc://server.com/oumMVlgDnLYFaPVkExemNVVZ" +# room_name: "Server Notices" + + + +# The `alias_creation` option controls who's allowed to create aliases +# on this server. 
+#
+# The format of this option is a list of rules that contain globs that
+# match against user_id and the new alias (fully qualified with server
+# name). The action in the first rule that matches is taken, which can
+# currently either be "allow" or "deny".
+#
+# If no rules match the request is denied.
+alias_creation_rules:
+ - user_id: "*"
+ alias: "*"
+ action: allow
From 731b6b6266a69942dae1523c42d7d6f62ddb830e Mon Sep 17 00:00:00 2001
From: Emmanouil Kampitakis
Date: Tue, 12 Feb 2019 02:30:50 +0100
Subject: [PATCH 020/167] First draft of synapse configuration
Configuration is now described in a variable. This reduces the amount of documentation needed in the role and allows for a better upstream compatibility
---
 vars/main.yml | 1043 ++++++++++++------------------------------------
 1 file changed, 248 insertions(+), 795 deletions(-)
diff --git a/vars/main.yml b/vars/main.yml
index 35dda19..3b37cef 100644
--- a/vars/main.yml
+++ b/vars/main.yml
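Review bot: `registration_shared_secret`, `macaroon_secret_key` and `form_secret` are committed as literal secret strings in this hunk, so every deployment of the role that does not override them shares a known registration secret and token-signing key; since this is a role vars file, which takes precedence over inventory variables, they are also awkward to override. The role already declares `matrix_synapse_registration_secret` and `matrix_synapse_macaroon_secret_key` in defaults/main.yml, so these should read `registration_shared_secret: "{{ matrix_synapse_registration_secret }}"` and `macaroon_secret_key: "{{ matrix_synapse_macaroon_secret_key }}"`, with `form_secret` given a per-host variable of its own rather than a fixed value. The same applies to `signing_key_path: "/my.domain.name.signing.key"`, which ignores the existing `matrix_synapse_signing_key_path`. Separately, the `{%- if … %}` blocks inside `listeners` and around `url_preview_ip_range_blacklist`, together with the unquoted `no_tls: {{ matrix_synapse_skip_ssl }}` and `pid_file: {{ matrix_synapse_pid_file }}`, are Jinja in a file that Ansible loads as plain YAML, so I expect vars loading to fail unless the file is rendered as a template first. Finally, the 8008 listener has `tls: false` and `x_forwarded: false` but binds `['::', '0.0.0.0']`, which exposes an unencrypted client and federation endpoint on every interface; if it exists for a reverse proxy, bind it to loopback and set `x_forwarded: true`.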
@@ -1,796 +1,249 @@ -# vim:ft=yaml -# PEM-encoded X509 certificate for TLS. -# This certificate, as of Synapse 1.0, will need to be a valid and verifiable -# certificate, signed by a recognised Certificate Authority. -# -# See 'ACME support' below to enable auto-provisioning this certificate via -# Let's Encrypt. -# -tls_certificate_path: "{{ matrix_synapse_tls_cert }}" - -# PEM-encoded private key for TLS -tls_private_key_path: "{{ matrix_synapse_tls_key }}" - -# ACME support: This will configure Synapse to request a valid TLS certificate -# for your configured `server_name` via Let's Encrypt. -# -# Note that provisioning a certificate in this way requires port 80 to be -# routed to Synapse so that it can complete the http-01 ACME challenge. -# By default, if you enable ACME support, Synapse will attempt to listen on -# port 80 for incoming http-01 challenges - however, this will likely fail -# with 'Permission denied' or a similar error. -# -# There are a couple of potential solutions to this: -# -# * If you already have an Apache, Nginx, or similar listening on port 80, -# you can configure Synapse to use an alternate port, and have your web -# server forward the requests. For example, assuming you set 'port: 8009' -# below, on Apache, you would write: -# -# ProxyPass /.well-known/acme-challenge http://localhost:8009/.well-known/acme-challenge -# -# * Alternatively, you can use something like `authbind` to give Synapse -# permission to listen on port 80. -# -acme: - # ACME support is disabled by default. Uncomment the following line - # to enable it. - # - # enabled: true - - # Endpoint to use to request certificates. If you only want to test, - # use Let's Encrypt's staging url: - # https://acme-staging.api.letsencrypt.org/directory - # - # url: https://acme-v01.api.letsencrypt.org/directory - - # Port number to listen on for the HTTP-01 challenge. Change this if - # you are forwarding connections through Apache/Nginx/etc. 
- # - # port: 80 - - # Local addresses to listen on for incoming connections. - # Again, you may want to change this if you are forwarding connections - # through Apache/Nginx/etc. - # - # bind_addresses: ['::', '0.0.0.0'] - - # How many days remaining on a certificate before it is renewed. - # - # reprovision_threshold: 30 - -# If your server runs behind a reverse-proxy which terminates TLS connections -# (for both client and federation connections), it may be useful to disable -# All TLS support for incoming connections. Setting no_tls to True will -# do so (and avoid the need to give synapse a TLS private key). -# -no_tls: {{ matrix_synapse_skip_ssl }} - -# List of allowed TLS fingerprints for this server to publish along -# with the signing keys for this server. Other matrix servers that -# make HTTPS requests to this server will check that the TLS -# certificates returned by this server match one of the fingerprints. -# -# Synapse automatically adds the fingerprint of its own certificate -# to the list. So if federation traffic is handled directly by synapse -# then no modification to the list is required. -# -# If synapse is run behind a load balancer that handles the TLS then it -# will be necessary to add the fingerprints of the certificates used by -# the loadbalancers to this list if they are different to the one -# synapse is using. -# -# Homeservers are permitted to cache the list of TLS fingerprints -# returned in the key responses up to the "valid_until_ts" returned in -# key. It may be necessary to publish the fingerprints of a new -# certificate and wait until the "valid_until_ts" of the previous key -# responses have passed before deploying it. 
-# -# You can calculate a fingerprint from a given TLS listener via: -# openssl s_client -connect $host:$port < /dev/null 2> /dev/null | -# openssl x509 -outform DER | openssl sha256 -binary | base64 | tr -d '=' -# or by checking matrix.org/federationtester/api/report?server_name=$host -# -tls_fingerprints: [] -# tls_fingerprints: [{"sha256": ""}] - -## Server ## - -# The domain name of the server, with optional explicit port. -# This is used by remote servers to connect to this server, -# e.g. matrix.org, localhost:8080, etc. -# This is also the last part of your UserID. -server_name: "{{ matrix_server_name }}" - -# When running as a daemon, the file to store the pid in -pid_file: {{ matrix_synapse_pid_file }} - -# CPU affinity mask. Setting this restricts the CPUs on which the -# process will be scheduled. It is represented as a bitmask, with the -# lowest order bit corresponding to the first logical CPU and the -# highest order bit corresponding to the last logical CPU. Not all CPUs -# may exist on a given system but a mask may specify more CPUs than are -# present. -# -# For example: -# 0x00000001 is processor #0, -# 0x00000003 is processors #0 and #1, -# 0xFFFFFFFF is all processors (#0 through #31). -# -# Pinning a Python process to a single CPU is desirable, because Python -# is inherently single-threaded due to the GIL, and can suffer a -# 30-40% slowdown due to cache blow-out and thread context switching -# if the scheduler happens to schedule the underlying threads across -# different cores. See -# https://www.mirantis.com/blog/improve-performance-python-programs-restricting-single-cpu/. -# -# This setting requires the affinity package to be installed! -# -# cpu_affinity: 0xFFFFFFFF - -# The path to the web client which will be served at /_matrix/client/ -# if 'webclient' is configured under the 'listeners' configuration. 
-# -# web_client_location: "/path/to/web/root" - -# The public-facing base URL that clients use to access this HS -# (not including _matrix/...). This is the same URL a user would -# enter into the 'custom HS URL' field on their client. If you -# use synapse with a reverse proxy, this should be the URL to reach -# synapse via the proxy. -# public_baseurl: https://example.com/ - -# Set the soft limit on the number of file descriptors synapse can use -# Zero is used to indicate synapse should set the soft limit to the -# hard limit. -soft_file_limit: 0 - -# Set to false to disable presence tracking on this homeserver. -use_presence: true - -# The GC threshold parameters to pass to `gc.set_threshold`, if defined -# gc_thresholds: [700, 10, 10] - -# Set the limit on the returned events in the timeline in the get -# and sync operations. The default value is -1, means no upper limit. -# filter_timeline_limit: 5000 - -# Whether room invites to users on this server should be blocked -# (except those sent by local server admins). The default is False. -# block_non_admin_invites: True - -# Restrict federation to the following whitelist of domains. -# N.B. we recommend also firewalling your federation listener to limit -# inbound federation traffic as early as possible, rather than relying -# purely on this application-layer restriction. If not specified, the -# default is to whitelist everything. -# -# federation_domain_whitelist: -# - lon.example.com -# - nyc.example.com -# - syd.example.com - -# List of ports that Synapse should listen on, their purpose and their -# configuration. 
-listeners: - {%- if not matrix_synapse_skip_ssl %} - - port: 8448 - bind_addresses: - - '::' - - '0.0.0.0' - type: http - tls: true - x_forwarded: false - resources: - - names: [client] - compress: true - - names: [federation] - compress: false - {%- endif %} - - port: 8008 - tls: false +--- +matrix_synapse_config: + server_name: "{{ matrix_server_name }}" + tls_certificate_path: "{{ matrix_synapse_tls_cert }}" + tls_private_key_path: "{{ matrix_synapse_tls_key }}" + acme: + enabled: false + url: https://acme-v01.api.letsencrypt.org/directory + port: 80 bind_addresses: ['::', '0.0.0.0'] - type: http - x_forwarded: false - resources: - - names: [client] - compress: true - - names: [federation] - compress: false - {%- if matrix_synapse_manhole %} - - port: 9000 - bind_addresses: ['::1', '127.0.0.1'] - type: manhole - {%- endif %} - -# Homeserver blocking -# -# How to reach the server admin, used in ResourceLimitError -# admin_contact: 'mailto:admin@server.com' -# -# Global block config -# -# hs_disabled: False -# hs_disabled_message: 'Human readable reason for why the HS is blocked' -# hs_disabled_limit_type: 'error code(str), to help clients decode reason' -# -# Monthly Active User Blocking -# -# Enables monthly active user checking -# limit_usage_by_mau: False -# max_mau_value: 50 -# mau_trial_days: 2 -# -# If enabled, the metrics for the number of monthly active users will -# be populated, however no one will be limited. If limit_usage_by_mau -# is true, this is implied to be true. -# mau_stats_only: False -# -# Sometimes the server admin will want to ensure certain accounts are -# never blocked by mau checking. These accounts are specified here. -# -# mau_limit_reserved_threepids: -# - medium: 'email' -# address: 'reserved_user@example.com' -# -# Room searching -# -# If disabled, new messages will not be indexed for searching and users -# will receive errors when searching for messages. Defaults to enabled. 
-# enable_search: true - -database: - name: "psycopg2" - args: - user: "{{ matrix_synapse_pg_user }}" - password: "{{ matrix_synapse_pg_pass }}" - database: "{{ matrix_synapse_pg_db }}" - host: "{{ matrix_synapse_pg_host }}" - cp_min: 5 - cp_max: 10 - -# Number of events to cache in memory. -event_cache_size: "10K" - -# A yaml python logging config file -log_config: "/my.domain.name.log.config" - -## Ratelimiting ## - -rc_messages_per_second: 0.2 -rc_message_burst_count: 10.0 -federation_rc_window_size: 1000 -federation_rc_sleep_limit: 10 -federation_rc_sleep_delay: 500 -federation_rc_reject_limit: 50 -federation_rc_concurrent: 3 - -media_store_path: "{{ matrix_synapse_media_store_path }}" - -# Media storage providers allow media to be stored in different -# locations. -# media_storage_providers: -# - module: file_system -# # Whether to write new local files. -# store_local: false -# # Whether to write new remote media -# store_remote: false -# # Whether to block upload requests waiting for write to this -# # provider to complete -# store_synchronous: false -# config: -# directory: /mnt/some/other/directory - -uploads_path: "/uploads" - -max_upload_size: "{{ matrix_synapse_max_upload_size }}" -max_image_pixels: "32M" - -dynamic_thumbnails: false - -thumbnail_sizes: -- width: 32 - height: 32 - method: crop -- width: 96 - height: 96 - method: crop -- width: 320 - height: 240 - method: scale -- width: 640 - height: 480 - method: scale -- width: 800 - height: 600 - method: scale - -url_preview_enabled: {{ matrix_synapse_url_preview_enabled }} -{% if matrix_synapse_url_preview_enabled %} -url_preview_ip_range_blacklist: -- '127.0.0.0/8' -- '10.0.0.0/8' -- '172.16.0.0/12' -- '192.168.0.0/16' -- '100.64.0.0/10' -- '169.254.0.0/16' -- '::1/128' -- 'fe80::/64' -- 'fc00::/7' -{% endif %} -# -# List of IP address CIDR ranges that the URL preview spider is allowed -# to access even if they are specified in url_preview_ip_range_blacklist. 
-# This is useful for specifying exceptions to wide-ranging blacklisted -# target IP ranges - e.g. for enabling URL previews for a specific private -# website only visible in your network. -# -# url_preview_ip_range_whitelist: -# - '192.168.1.1' - -# Optional list of URL matches that the URL preview spider is -# denied from accessing. You should use url_preview_ip_range_blacklist -# in preference to this, otherwise someone could define a public DNS -# entry that points to a private IP address and circumvent the blacklist. -# This is more useful if you know there is an entire shape of URL that -# you know that will never want synapse to try to spider. -# -# Each list entry is a dictionary of url component attributes as returned -# by urlparse.urlsplit as applied to the absolute form of the URL. See -# https://docs.python.org/2/library/urlparse.html#urlparse.urlsplit -# The values of the dictionary are treated as an filename match pattern -# applied to that component of URLs, unless they start with a ^ in which -# case they are treated as a regular expression match. If all the -# specified component matches for a given list item succeed, the URL is -# blacklisted. -# -# url_preview_url_blacklist: -# # blacklist any URL with a username in its URI -# - username: '*' -# -# # blacklist all *.google.com URLs -# - netloc: 'google.com' -# - netloc: '*.google.com' -# -# # blacklist all plain HTTP URLs -# - scheme: 'http' -# -# # blacklist http(s)://www.acme.com/foo -# - netloc: 'www.acme.com' -# path: '/foo' -# -# # blacklist any URL with a literal IPv4 address -# - netloc: '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$' - -# The largest allowed URL preview spidering size in bytes -max_spider_size: "10M" - -## Captcha ## -# See docs/CAPTCHA_SETUP for full details of configuring this. - -# This Home Server's ReCAPTCHA public key. -recaptcha_public_key: "YOUR_PUBLIC_KEY" - -# This Home Server's ReCAPTCHA private key. 
-recaptcha_private_key: "YOUR_PRIVATE_KEY" - -# Enables ReCaptcha checks when registering, preventing signup -# unless a captcha is answered. Requires a valid ReCaptcha -# public/private key. -enable_registration_captcha: False - -# A secret key used to bypass the captcha test entirely. -#captcha_bypass_secret: "YOUR_SECRET_HERE" - -# The API endpoint to use for verifying m.login.recaptcha responses. -recaptcha_siteverify_api: "https://www.google.com/recaptcha/api/siteverify" - - -## Turn ## - -# The public URIs of the TURN server to give to clients -#turn_uris: [] - -# The shared secret used to compute passwords for the TURN server -#turn_shared_secret: "YOUR_SHARED_SECRET" - -# The Username and password if the TURN server needs them and -# does not use a token -#turn_username: "TURNSERVER_USERNAME" -#turn_password: "TURNSERVER_PASSWORD" - -# How long generated TURN credentials last -turn_user_lifetime: "1h" - -# Whether guests should be allowed to use the TURN server. -# This defaults to True, otherwise VoIP will be unreliable for guests. -# However, it does introduce a slight security risk as it allows users to -# connect to arbitrary endpoints without having first signed up for a -# valid account (e.g. by passing a CAPTCHA). -turn_allow_guests: True - - -## Registration ## - -# Enable registration for new users. -enable_registration: False - -# The user must provide all of the below types of 3PID when registering. -# -# registrations_require_3pid: -# - email -# - msisdn - -# Explicitly disable asking for MSISDNs from the registration -# flow (overrides registrations_require_3pid if MSISDNs are set as required) -# -# disable_msisdn_registration = True - -# Mandate that users are only allowed to associate certain formats of -# 3PIDs with accounts on this server. 
-# -# allowed_local_3pids: -# - medium: email -# pattern: '.*@matrix\.org' -# - medium: email -# pattern: '.*@vector\.im' -# - medium: msisdn -# pattern: '\+44' - -# If set, allows registration by anyone who also has the shared -# secret, even if registration is otherwise disabled. -registration_shared_secret: "Io&-g_uxkPWPLzqc@ui&Hf5-C&554:J37A_U0YMJW:UPY3qGzH" - -# Set the number of bcrypt rounds used to generate password hash. -# Larger numbers increase the work factor needed to generate the hash. -# The default number is 12 (which equates to 2^12 rounds). -# N.B. that increasing this will exponentially increase the time required -# to register or login - e.g. 24 => 2^24 rounds which will take >20 mins. -bcrypt_rounds: 12 - -# Allows users to register as guests without a password/email/etc, and -# participate in rooms hosted on this server which have been made -# accessible to anonymous users. -allow_guest_access: False - -# The identity server which we suggest that clients should use when users log -# in on this server. -# -# (By default, no suggestion is made, so it is left up to the client. -# This setting is ignored unless public_baseurl is also set.) -# -# default_identity_server: https://matrix.org - -# The list of identity servers trusted to verify third party -# identifiers by this server. -# -# Also defines the ID server which will be called when an account is -# deactivated (one will be picked arbitrarily). -trusted_third_party_id_servers: - - matrix.org - - vector.im - -# Users who register on this homeserver will automatically be joined -# to these rooms -#auto_join_rooms: -# - "#example:example.com" - -# Where auto_join_rooms are specified, setting this flag ensures that the -# the rooms exist by creating them when the first user on the -# homeserver registers. -# Setting to false means that if the rooms are not manually created, -# users cannot be auto-joined since they do not exist. 
-autocreate_auto_join_rooms: true - - -## Metrics ### - -# Enable collection and rendering of performance metrics -enable_metrics: False -report_stats: false - - -## API Configuration ## - -# A list of event types that will be included in the room_invite_state -room_invite_state_types: - - "m.room.join_rules" - - "m.room.canonical_alias" - - "m.room.avatar" - - "m.room.name" - - -# A list of application service config file to use -app_service_config_files: [] - -# Whether or not to track application service IP addresses. Implicitly -# enables MAU tracking for application service users. -track_appservice_user_ips: False - - -# a secret which is used to sign access tokens. If none is specified, -# the registration_shared_secret is used, if one is given; otherwise, -# a secret key is derived from the signing key. -macaroon_secret_key: "wiiFkmMO-BX-zRv1aFoPzxCbmYRB~AQR^xe~y60ZB,#62YH8tR" - -# Used to enable access token expiration. -expire_access_token: False - -# a secret which is used to calculate HMACs for form values, to stop -# falsification of values. Must be specified for the User Consent -# forms to work. -form_secret: "n1FlN6+8j62*eiC0#aFPY3ax51vEI7rS:AXDvyf65mT7Fx0axp" - -## Signing Keys ## - -# Path to the signing key to sign messages with -signing_key_path: "/my.domain.name.signing.key" - -# The keys that the server used to sign messages with but won't use -# to sign new messages. E.g. it has lost its private key -old_signing_keys: {} -# "ed25519:auto": -# # Base64 encoded public key -# key: "The public part of your old signing key." -# # Millisecond POSIX timestamp when the key expired. -# expired_ts: 123456789123 - -# How long key response published by this server is valid for. -# Used to set the valid_until_ts in /key/v2 APIs. -# Determines how quickly servers will query to check which keys -# are still valid. -key_refresh_interval: "1d" # 1 Day. - -# The trusted servers to download signing keys from. 
-perspectives: - servers: - "matrix.org": - verify_keys: - "ed25519:auto": - key: "Noi6WqcDj0QmPxCNQqgezwTlBKrfqehY1u2FyWP9uYw" - - - -# Enable SAML2 for registration and login. Uses pysaml2. -# -# saml2_config: -# -# # The following is the configuration for the pysaml2 Service Provider. -# # See pysaml2 docs for format of config. -# # -# # Default values will be used for the 'entityid' and 'service' settings, -# # so it is not normally necessary to specify them unless you need to -# # override them. -# -# sp_config: -# # point this to the IdP's metadata. You can use either a local file or -# # (preferably) a URL. -# metadata: -# # local: ["saml2/idp.xml"] -# remote: -# - url: https://our_idp/metadata.xml -# -# # The following is just used to generate our metadata xml, and you -# # may well not need it, depending on your setup. Alternatively you -# # may need a whole lot more detail - see the pysaml2 docs! -# -# description: ["My awesome SP", "en"] -# name: ["Test SP", "en"] -# -# organization: -# name: Example com -# display_name: -# - ["Example co", "en"] -# url: "http://example.com" -# -# contact_person: -# - given_name: Bob -# sur_name: "the Sysadmin" -# email_address": ["admin@example.com"] -# contact_type": technical -# -# # Instead of putting the config inline as above, you can specify a -# # separate pysaml2 configuration file: -# # -# # config_path: "//sp_conf.py" - - - -# Enable CAS for registration and login. -#cas_config: -# enabled: true -# server_url: "https://cas-server.com" -# service_url: "https://homeserver.domain.com:8448" -# #required_attributes: -# # name: value - - -# The JWT needs to contain a globally unique "sub" (subject) claim. -# -# jwt_config: -# enabled: true -# secret: "a secret" -# algorithm: "HS256" - - - -# Enable password for login. -password_config: - enabled: true - # Uncomment and change to a secret random string for extra security. - # DO NOT CHANGE THIS AFTER INITIAL SETUP! 
- #pepper: "" - - - -# Enable sending emails for notification events -# Defining a custom URL for Riot is only needed if email notifications -# should contain links to a self-hosted installation of Riot; when set -# the "app_name" setting is ignored. -# -# If your SMTP server requires authentication, the optional smtp_user & -# smtp_pass variables should be used -# -#email: -# enable_notifs: false -# smtp_host: "localhost" -# smtp_port: 25 -# smtp_user: "exampleusername" -# smtp_pass: "examplepassword" -# require_transport_security: False -# notif_from: "Your Friendly %(app)s Home Server " -# app_name: Matrix -# # if template_dir is unset, uses the example templates that are part of -# # the Synapse distribution. -# #template_dir: res/templates -# notif_template_html: notif_mail.html -# notif_template_text: notif_mail.txt -# notif_for_new_users: True -# riot_base_url: "http://localhost/riot" - - -# password_providers: -# - module: "ldap_auth_provider.LdapAuthProvider" -# config: -# enabled: true -# uri: "ldap://ldap.example.com:389" -# start_tls: true -# base: "ou=users,dc=example,dc=com" -# attributes: -# uid: "cn" -# mail: "email" -# name: "givenName" -# #bind_dn: -# #bind_password: -# #filter: "(objectClass=posixAccount)" - - - -# Clients requesting push notifications can either have the body of -# the message sent in the notification poke along with other details -# like the sender, or just the event ID and room ID (`event_id_only`). -# If clients choose the former, this option controls whether the -# notification request includes the content of the event (other details -# like the sender are still included). For `event_id_only` push, it -# has no effect. - -# For modern android devices the notification content will still appear -# because it is loaded by the app. iPhone, however will send a -# notification saying only that a message arrived and who it came from. 
-# -#push: -# include_content: true - - -# spam_checker: -# module: "my_custom_project.SuperSpamChecker" -# config: -# example_option: 'things' - - -# Whether to allow non server admins to create groups on this server -enable_group_creation: false - -# If enabled, non server admins can only create groups with local parts -# starting with this prefix -# group_creation_prefix: "unofficial/" - - - -# User Directory configuration -# -# 'search_all_users' defines whether to search all users visible to your HS -# when searching the user directory, rather than limiting to users visible -# in public rooms. Defaults to false. If you set it True, you'll have to run -# UPDATE user_directory_stream_pos SET stream_id = NULL; -# on your database to tell it to rebuild the user_directory search indexes. -# -#user_directory: -# search_all_users: false - - -# User Consent configuration -# -# for detailed instructions, see -# https://github.com/matrix-org/synapse/blob/master/docs/consent_tracking.md -# -# Parts of this section are required if enabling the 'consent' resource under -# 'listeners', in particular 'template_dir' and 'version'. -# -# 'template_dir' gives the location of the templates for the HTML forms. -# This directory should contain one subdirectory per language (eg, 'en', 'fr'), -# and each language directory should contain the policy document (named as -# '.html') and a success page (success.html). -# -# 'version' specifies the 'current' version of the policy document. It defines -# the version to be served by the consent resource if there is no 'v' -# parameter. -# -# 'server_notice_content', if enabled, will send a user a "Server Notice" -# asking them to consent to the privacy policy. The 'server_notices' section -# must also be configured for this to work. Notices will *not* be sent to -# guest users unless 'send_server_notice_to_guests' is set to true. 
-# -# 'block_events_error', if set, will block any attempts to send events -# until the user consents to the privacy policy. The value of the setting is -# used as the text of the error. -# -# 'require_at_registration', if enabled, will add a step to the registration -# process, similar to how captcha works. Users will be required to accept the -# policy before their account is created. -# -# 'policy_name' is the display name of the policy users will see when registering -# for an account. Has no effect unless `require_at_registration` is enabled. -# Defaults to "Privacy Policy". -# -# user_consent: -# template_dir: res/templates/privacy -# version: 1.0 -# server_notice_content: -# msgtype: m.text -# body: >- -# To continue using this homeserver you must review and agree to the -# terms and conditions at %(consent_uri)s -# send_server_notice_to_guests: True -# block_events_error: >- -# To continue using this homeserver you must review and agree to the -# terms and conditions at %(consent_uri)s -# require_at_registration: False -# policy_name: Privacy Policy -# - - -# Server Notices room configuration -# -# Uncomment this section to enable a room which can be used to send notices -# from the server to users. It is a special room which cannot be left; notices -# come from a special "notices" user id. -# -# If you uncomment this section, you *must* define the system_mxid_localpart -# setting, which defines the id of the user which will be used to send the -# notices. -# -# It's also possible to override the room name, the display name of the -# "notices" user, and the avatar for the user. -# -# server_notices: -# system_mxid_localpart: notices -# system_mxid_display_name: "Server Notices" -# system_mxid_avatar_url: "mxc://server.com/oumMVlgDnLYFaPVkExemNVVZ" -# room_name: "Server Notices" - - - -# The `alias_creation` option controls who's allowed to create aliases -# on this server. 
-# -# The format of this option is a list of rules that contain globs that -# match against user_id and the new alias (fully qualified with server -# name). The action in the first rule that matches is taken, which can -# currently either be "allow" or "deny". -# -# If no rules match the request is denied. -alias_creation_rules: - - user_id: "*" - alias: "*" - action: allow + reprovision_threshold: 30 + no_tls: "{{ matrix_synapse_skip_ssl }}" + tls_fingerprints: [] + pid_file: "{{ matrix_synapse_pid_file }}" + soft_file_limit: 0 + use_presence: true + listeners: + - port: 8448 + bind_addresses: + - '::' + - '0.0.0.0' + type: http + tls: true + x_forwarded: false + resources: + - names: [client] + compress: true + - names: [federation] + compress: false + - port: 8008 + tls: false + bind_addresses: ['::', '0.0.0.0'] + type: http + x_forwarded: false + resources: + - names: [client] + compress: true + - names: [federation] + compress: false + database: + name: "psycopg2" + args: + user: "{{ matrix_synapse_pg_user }}" + password: "{{ matrix_synapse_pg_pass }}" + database: "{{ matrix_synapse_pg_db }}" + host: "{{ matrix_synapse_pg_host }}" + cp_min: 5 + cp_max: 10 + event_cache_size: "10K" + rc_messages_per_second: 0.2 + rc_message_burst_count: 10.0 + federation_rc_window_size: 1000 + federation_rc_sleep_limit: 10 + federation_rc_sleep_delay: 500 + federation_rc_reject_limit: 50 + federation_rc_concurrent: 3 + media_store_path: /opt/synapse/media_store + uploads_path: "/uploads" + + max_upload_size: "{{ matrix_synapse_max_upload_size }}" + max_image_pixels: "32M" + + dynamic_thumbnails: false + + thumbnail_sizes: + - width: 32 + height: 32 + method: crop + - width: 96 + height: 96 + method: crop + - width: 320 + height: 240 + method: scale + - width: 640 + height: 480 + method: scale + - width: 800 + height: 600 + method: scale + url_preview_enabled: true + url_preview_ip_range_blacklist: + - '127.0.0.0/8' + - '10.0.0.0/8' + - '172.16.0.0/12' + - '192.168.0.0/16' + - 
'100.64.0.0/10' + - '169.254.0.0/16' + - '::1/128' + - 'fe80::/64' + - 'fc00::/7' + url_preview_url_blacklist: + - username: '*' + - netloc: 'google.com' + - netloc: '*.google.com' + - netloc: 'twitter.com' + - netloc: '*.twitter.com' + - netloc: 't.co' + - netloc: '*.t.co' + max_spider_size: "10M" + enable_registration: False + registration_shared_secret: "{{ matrix_synapse_registration_secret }}" + bcrypt_rounds: 12 + allow_guest_access: False + trusted_third_party_id_servers: + - matrix.org + - vector.im + + autocreate_auto_join_rooms: true + enable_metrics: False + report_stats: "{{ matrix_synapse_report_stats }}" + room_invite_state_types: + - "m.room.join_rules" + - "m.room.canonical_alias" + - "m.room.avatar" + - "m.room.name" + app_service_config_files: [] + track_appservice_user_ips: False + macaroon_secret_key: "{{ matrix_synapse_macaroon_secret_key }}" + expire_access_token: False + form_secret: "{{ matrix_synapse_form_secret }}" + signing_key_path: "{{ matrix_synapse_signing_key_path }}" + old_signing_keys: {} + key_refresh_interval: "1d" # 1 Day. + # TODO: More servers should be added + perspectives: + servers: + "matrix.org": + verify_keys: + "ed25519:auto": + key: "Noi6WqcDj0QmPxCNQqgezwTlBKrfqehY1u2FyWP9uYw" + password_config: + enabled: true + push: + include_content: false + + + # spam_checker: + # module: "my_custom_project.SuperSpamChecker" + # config: + # example_option: 'things' + + + # Whether to allow non server admins to create groups on this server + enable_group_creation: false + + # If enabled, non server admins can only create groups with local parts + # starting with this prefix + # group_creation_prefix: "unofficial/" + + + + # User Directory configuration + # + # 'search_all_users' defines whether to search all users visible to your HS + # when searching the user directory, rather than limiting to users visible + # in public rooms. Defaults to false. 
If you set it True, you'll have to run + # UPDATE user_directory_stream_pos SET stream_id = NULL; + # on your database to tell it to rebuild the user_directory search indexes. + # + #user_directory: + # search_all_users: false + + + # User Consent configuration + # + # for detailed instructions, see + # https://github.com/matrix-org/synapse/blob/master/docs/consent_tracking.md + # + # Parts of this section are required if enabling the 'consent' resource under + # 'listeners', in particular 'template_dir' and 'version'. + # + # 'template_dir' gives the location of the templates for the HTML forms. + # This directory should contain one subdirectory per language (eg, 'en', 'fr'), + # and each language directory should contain the policy document (named as + # '.html') and a success page (success.html). + # + # 'version' specifies the 'current' version of the policy document. It defines + # the version to be served by the consent resource if there is no 'v' + # parameter. + # + # 'server_notice_content', if enabled, will send a user a "Server Notice" + # asking them to consent to the privacy policy. The 'server_notices' section + # must also be configured for this to work. Notices will *not* be sent to + # guest users unless 'send_server_notice_to_guests' is set to true. + # + # 'block_events_error', if set, will block any attempts to send events + # until the user consents to the privacy policy. The value of the setting is + # used as the text of the error. + # + # 'require_at_registration', if enabled, will add a step to the registration + # process, similar to how captcha works. Users will be required to accept the + # policy before their account is created. + # + # 'policy_name' is the display name of the policy users will see when registering + # for an account. Has no effect unless `require_at_registration` is enabled. + # Defaults to "Privacy Policy". 
+ # + # user_consent: + # template_dir: res/templates/privacy + # version: 1.0 + # server_notice_content: + # msgtype: m.text + # body: >- + # To continue using this homeserver you must review and agree to the + # terms and conditions at %(consent_uri)s + # send_server_notice_to_guests: True + # block_events_error: >- + # To continue using this homeserver you must review and agree to the + # terms and conditions at %(consent_uri)s + # require_at_registration: False + # policy_name: Privacy Policy + # + + + # Server Notices room configuration + # + # Uncomment this section to enable a room which can be used to send notices + # from the server to users. It is a special room which cannot be left; notices + # come from a special "notices" user id. + # + # If you uncomment this section, you *must* define the system_mxid_localpart + # setting, which defines the id of the user which will be used to send the + # notices. + # + # It's also possible to override the room name, the display name of the + # "notices" user, and the avatar for the user. + # + # server_notices: + # system_mxid_localpart: notices + # system_mxid_display_name: "Server Notices" + # system_mxid_avatar_url: "mxc://server.com/oumMVlgDnLYFaPVkExemNVVZ" + # room_name: "Server Notices" + + + + # The `alias_creation` option controls who's allowed to create aliases + # on this server. + # + # The format of this option is a list of rules that contain globs that + # match against user_id and the new alias (fully qualified with server + # name). The action in the first rule that matches is taken, which can + # currently either be "allow" or "deny". + # + # If no rules match the request is denied. + alias_creation_rules: + - user_id: "*" + alias: "*" + action: allow From 3d2e24595324611adb9fa011cd323e3465f52dbe Mon Sep 17 00:00:00 2001 
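Review bot: The second listener in the new `matrix_synapse_config` keeps `tls: false`, `bind_addresses: ['::', '0.0.0.0']` and `x_forwarded: false` while still attaching the `client` resource, so the client API (logins, access tokens) is accepted in cleartext on every interface, and if a TLS-terminating proxy is meant to sit in front — which the `no_tls: "{{ matrix_synapse_skip_ssl }}"` knob suggests — the `rc_*`/`federation_rc_*` rate limits key on the proxy's address rather than the real client. For the proxied deployment bind it to loopback and trust the proxy's headers: `bind_addresses: ['::1', '127.0.0.1']` and `x_forwarded: true`. The 8448 `tls: true` listener is also now emitted unconditionally where the removed template gated it on `not matrix_synapse_skip_ssl`; presumably Synapse skips TLS listeners when `no_tls` is set, but that should be confirmed against the Synapse version this role targets rather than assumed. Since `url_preview_enabled` is now hard-coded `true`, the blacklist below it is the only thing standing between a user-supplied URL and the host's internal network; if the target Synapse's sample config lists further reserved ranges (e.g. `192.0.0.0/24`, `198.18.0.0/15`, `224.0.0.0/4`, `fec0::/10`, `ff00::/8`), carry them over here too.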
From: Emmanouil Kampitakis
Date: Tue, 12 Feb 2019 02:32:44 +0100
Subject: [PATCH 021/167] Remove unused template
---
templates/01-synapse.j2 | 9 ---------
1 file changed, 9 deletions(-)
delete mode 100644 templates/01-synapse.j2
diff --git a/templates/01-synapse.j2 b/templates/01-synapse.j2
deleted file mode 100644
index f282161..0000000
--- a/templates/01-synapse.j2
+++ /dev/null
@@ -1,9 +0,0 @@
-#!/bin/bash
-{{ ansible_managed | comment }}
-mkdir -p /opt/synapse/ssl/
-chown synapse:synapse /opt/synapse/ssl
-cp /etc/letsencrypt/live/{{ matrix_synapse_domain }}/fullchain.pem /opt/synapse/ssl/{{ matrix_synapse_domain }}.crt
-chown synapse:synapse /opt/synapse/ssl/{{ matrix_synapse_domain }}.crt
-cp /etc/letsencrypt/live/{{ matrix_synapse_domain }}/privkey.pem /opt/synapse/ssl/{{ matrix_synapse_domain }}.key
-chown synapse:synapse /opt/synapse/ssl/{{ matrix_synapse_domain }}.key
-service matrix-synapse restart
From 2e8e8120820d09ace5679436bf46e4c304b957c7 Mon Sep 17 00:00:00 2001
From: Emmanouil Kampitakis
Date: Tue, 12 Feb 2019 02:39:01 +0100
Subject: [PATCH 022/167] Add todo file
---
TODO.md | 1 +
1 file changed, 1 insertion(+)
create mode 100644 TODO.md
diff --git a/TODO.md b/TODO.md
new file mode 100644
index 0000000..b3187ba
--- /dev/null
+++ b/TODO.md
@@ -0,0 +1 @@
+* Create the signing key (tasks/ssl.yml) with openssl rather than inline python 🤮
From 427c6483beb18dfe8e425a19bd378037440969c6 Mon Sep 17 00:00:00 2001
From: Emmanouil Kampitakis
Date: Tue, 12 Feb 2019 02:38:17 +0100
Subject: [PATCH 023/167] Rename ssl.yml to crypto.yml
---
tasks/configure.yml | 3 +--
tasks/{ssl.yml => crypto.yml} | 6 +++---
2 files changed, 4 insertions(+), 5 deletions(-)
rename tasks/{ssl.yml => crypto.yml} (61%)
diff --git a/tasks/configure.yml b/tasks/configure.yml
index cc07b35..79cadfa 100644
--- a/tasks/configure.yml
+++ b/tasks/configure.yml
@@ -23,5 +23,4 @@ import_tasks: logging.yml - name: Create certificates - include_tasks: ssl.yml - when: not matrix_synapse_skip_ssl + include_tasks: crypto.yml diff --git a/tasks/ssl.yml b/tasks/crypto.yml similarity index 61% rename from tasks/ssl.yml rename to tasks/crypto.yml index 2d6ee80..38c1ffe 100644 --- a/tasks/ssl.yml +++ b/tasks/crypto.yml @@ -3,11 +3,11 @@ shell: > /opt/synapse/env/bin/python -c " from signedjson import key; - with open('/opt/synapse/ssl/{{ matrix_synapse_domain}}.signing.key','w') as file: + with open('{{ matrix_synapse_signing_key_path }}','w') as file: key.write_signing_keys(file, [key.generate_signing_key('first')]); " args: - creates: /opt/synapse/ssl/{{ matrix_synapse_domain }}.signing.key + creates: "{{ matrix_synapse_signing_key_path }}" become: true become_user: synapse notify: @@ -15,6 +15,6 @@ - name: create DH parameters openssl_dhparam: - path: "/opt/synapse/ssl/{{ matrix_synapse_domain }}.dh" + path: "{{ matrix_synapse_dh_path }}" owner: synapse From 6a242309f1859cbaf843e0e291de4f0b1eb1446c Mon Sep 17 00:00:00 2001 From: Emmanouil Kampitakis Date: Tue, 12 Feb 2019 02:43:26 +0100 Subject: [PATCH 024/167] Generate the registration secret --- tasks/configure.yml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/tasks/configure.yml b/tasks/configure.yml index 79cadfa..fb27133 100644 --- a/tasks/configure.yml +++ b/tasks/configure.yml @@ -10,6 +10,14 @@ - uploads - ssl +- name: Generate registration secret + block: + - command: /usr/bin/pwgen -sn 84 1 + register: pwgen + - set_fact: + matrix_synapse_registration_secret: "{{ pwgen.stdout }}" + when: matrix_synapse_registration_secret is not defined + - name: Deploy config template: src: "homeserver.yaml.j2" From 7b8a5b150666b3bf1c874e49e3eba5dbbda6ce36 Mon Sep 17 00:00:00 2001 
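Review bot: The signing key is still created by a plain `open(path, 'w')` in the inline Python, so its mode comes from the synapse user's umask and is typically group/world-readable; this hunk only re-points the path. Prefix the command with `umask 077;` (or follow it with a `file:` task setting `mode: "0600"`) so the homeserver's long-lived signing key gets the same protection the role later gives the TLS private key. The task's `- name:` line lies above `@@ -3,11`, so the enclosing task starts outside this hunk.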
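Review bot: The guard `when: matrix_synapse_registration_secret is not defined` will not fire as long as `defaults/main.yml` sets `matrix_synapse_registration_secret: "{{ matrix_registration_secret }}"` (visible as context in the patch-027 defaults hunk below), so the pwgen block is dead code and an unset `matrix_registration_secret` fails at template time instead. Even once the guard is reachable, `set_fact` lives only for the current run, so every play without the variable mints a new secret and rewrites homeserver.yaml, invalidating the previous shared secret. The generated value is also echoed through `register`/`set_fact` in verbose output; add `no_log: true` to both tasks and either persist the secret on the host or require it as input so it is stable across runs.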
From: Emmanouil Kampitakis Date: Tue, 12 Feb 2019 02:45:09 +0100 Subject: [PATCH 025/167] Finish the first draft of the configuration variable --- vars/main.yml | 115 +------------------------------------------------- 1 file changed, 1 insertion(+), 114 deletions(-) diff --git a/vars/main.yml b/vars/main.yml index 3b37cef..b11f50f 100644 --- a/vars/main.yml +++ b/vars/main.yml @@ -56,12 +56,9 @@ matrix_synapse_config: federation_rc_concurrent: 3 media_store_path: /opt/synapse/media_store uploads_path: "/uploads" - max_upload_size: "{{ matrix_synapse_max_upload_size }}" max_image_pixels: "32M" - dynamic_thumbnails: false - thumbnail_sizes: - width: 32 height: 32 @@ -105,7 +102,6 @@ matrix_synapse_config: trusted_third_party_id_servers: - matrix.org - vector.im - autocreate_auto_join_rooms: true enable_metrics: False report_stats: "{{ matrix_synapse_report_stats }}" 
@@ -133,116 +129,7 @@ matrix_synapse_config: enabled: true push: include_content: false - - - # spam_checker: - # module: "my_custom_project.SuperSpamChecker" - # config: - # example_option: 'things' - - - # Whether to allow non server admins to create groups on this server - enable_group_creation: false - - # If enabled, non server admins can only create groups with local parts - # starting with this prefix - # group_creation_prefix: "unofficial/" - - - - # User Directory configuration - # - # 'search_all_users' defines whether to search all users visible to your HS - # when searching the user directory, rather than limiting to users visible - # in public rooms. Defaults to false. If you set it True, you'll have to run - # UPDATE user_directory_stream_pos SET stream_id = NULL; - # on your database to tell it to rebuild the user_directory search indexes. - # - #user_directory: - # search_all_users: false - - - # User Consent configuration - # - # for detailed instructions, see - # https://github.com/matrix-org/synapse/blob/master/docs/consent_tracking.md - # - # Parts of this section are required if enabling the 'consent' resource under - # 'listeners', in particular 'template_dir' and 'version'. - # - # 'template_dir' gives the location of the templates for the HTML forms. - # This directory should contain one subdirectory per language (eg, 'en', 'fr'), - # and each language directory should contain the policy document (named as - # '.html') and a success page (success.html). - # - # 'version' specifies the 'current' version of the policy document. It defines - # the version to be served by the consent resource if there is no 'v' - # parameter. - # - # 'server_notice_content', if enabled, will send a user a "Server Notice" - # asking them to consent to the privacy policy. The 'server_notices' section - # must also be configured for this to work. Notices will *not* be sent to - # guest users unless 'send_server_notice_to_guests' is set to true. 
- # - # 'block_events_error', if set, will block any attempts to send events - # until the user consents to the privacy policy. The value of the setting is - # used as the text of the error. - # - # 'require_at_registration', if enabled, will add a step to the registration - # process, similar to how captcha works. Users will be required to accept the - # policy before their account is created. - # - # 'policy_name' is the display name of the policy users will see when registering - # for an account. Has no effect unless `require_at_registration` is enabled. - # Defaults to "Privacy Policy". - # - # user_consent: - # template_dir: res/templates/privacy - # version: 1.0 - # server_notice_content: - # msgtype: m.text - # body: >- - # To continue using this homeserver you must review and agree to the - # terms and conditions at %(consent_uri)s - # send_server_notice_to_guests: True - # block_events_error: >- - # To continue using this homeserver you must review and agree to the - # terms and conditions at %(consent_uri)s - # require_at_registration: False - # policy_name: Privacy Policy - # - - - # Server Notices room configuration - # - # Uncomment this section to enable a room which can be used to send notices - # from the server to users. It is a special room which cannot be left; notices - # come from a special "notices" user id. - # - # If you uncomment this section, you *must* define the system_mxid_localpart - # setting, which defines the id of the user which will be used to send the - # notices. - # - # It's also possible to override the room name, the display name of the - # "notices" user, and the avatar for the user. - # - # server_notices: - # system_mxid_localpart: notices - # system_mxid_display_name: "Server Notices" - # system_mxid_avatar_url: "mxc://server.com/oumMVlgDnLYFaPVkExemNVVZ" - # room_name: "Server Notices" - - - - # The `alias_creation` option controls who's allowed to create aliases - # on this server. 
- # - # The format of this option is a list of rules that contain globs that - # match against user_id and the new alias (fully qualified with server - # name). The action in the first rule that matches is taken, which can - # currently either be "allow" or "deny". - # - # If no rules match the request is denied. + enable_group_creation: true alias_creation_rules: - user_id: "*" alias: "*" From 7635784748c9b1005d7905b1f1e0117b78e7c0f4 Mon Sep 17 00:00:00 2001 From: Emmanouil Kampitakis Date: Tue, 12 Feb 2019 02:58:16 +0100 Subject: [PATCH 026/167] Write the tls certificate and private key to a file --- tasks/crypto.yml | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/tasks/crypto.yml b/tasks/crypto.yml index 38c1ffe..87829d8 100644 --- a/tasks/crypto.yml +++ b/tasks/crypto.yml @@ -18,3 +18,20 @@ path: "{{ matrix_synapse_dh_path }}" owner: synapse +- name: Write server's certificate and private key + block: + - name: Write certificate + copy: + content: "{{ matrix_synapse_tls_cert }}" + dest: "{{ matrix_synapse_tls_cert_path }}" + owner: synapse + group: synapse + mode: "0644" + - name: Write keyfile + copy: + content: "{{ matrix_synapse_tls_key }}" + dest: "{{ matrix_synapse_tls_key_path }}" + owner: synapse + group: synapse + mode: "0600" + when: not matrix_synapse_skip_ssl From 7028d8373b4fe8a23f2aaec9398cf928e8c0c42c Mon Sep 17 00:00:00 2001 From: Emmanouil Kampitakis Date: Tue, 12 Feb 2019 03:14:30 +0100 Subject: [PATCH 027/167] Start fixing variables, paths and defaults Still WIP --- README.md | 52 ++++++++++++++++++++++++++--------------------- TODO.md | 1 + defaults/main.yml | 9 ++++---- 3 files changed, 34 insertions(+), 28 deletions(-) diff --git a/README.md b/README.md index 485a5c1..36ed8e6 100644 --- a/README.md +++ b/README.md @@ -1,10 +1,8 @@ -matrix-synapse -============== +# matrix-synapse Install a matrix synapse server. -Requirements ------------- +## Requirements The following should be present on the target system * `pip` 
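Review bot: `enable_group_creation` flips from `false` to `true` in the same hunk that strips the commented-out sections, and neither the commit message nor the README mentions that non-admin users can now create groups on the server. Expose it as a variable that keeps the previous value by default, `enable_group_creation: "{{ matrix_synapse_enable_group_creation | default(false) }}"`, or leave it at `false` and change it in its own commit. The `matrix_synapse_config:` mapping this hunk edits begins above the hunk.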
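Review bot: The "Write keyfile" task copies `matrix_synapse_tls_key` from a variable without `no_log: true`, so the private key material is printed in `--diff`/verbose output and in any failure message for that task; add `no_log: true` to it (the certificate task can stay visible). Neither new task notifies a handler, unlike the signing-key task earlier in the file, so a rotated certificate or key is written to disk but not picked up until something else restarts synapse; add the same `notify:` the signing-key task uses. The rest of `tasks/crypto.yml` sits outside this hunk.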
@@ -12,54 +10,62 @@ The following should be present on the target system * `rsyslogd` * `logrotate` -Role Variables --------------- +## Role Variables -__Default vars__ +### Mandatory Variables + +| Name | Type | Description | +| :--- | :--- | :--- | +| **matrix_server_name** | __string__ | | +| **matrix_synapse_tls_cert** | __string__ | server's TLS certificate chain | +| **matrix_synapse_tls_key** | __string__ | server's TLS key | +| **matrix_synapse_report_stats** | __bool__ | Report the stats to matrix.org | + +### Optional Variables | Name | Value | | :--- | :--- | -| matrix_synapse_tls_path | "/opt/synapse/ssl/{{ matrix_synapse_domain }}.crt" | -| matrix_synapse_key_path | "/opt/synapse/ssl/{{ matrix_synapse_domain }}.key" | -| matrix_synapse_dh_path | "/opt/synapse/ssl/{{ matrix_synapse_domain }}.dh" | -| matrix_synapse_server_name | "{{ matrix_synapse_domain }}" | -| matrix_synapse_baseurl | "https://{{ matrix_synapse_domain }}" | -| matrix_synapse_port_prefix | 100 | +| matrix_synapse_tls_cert_path | "/opt/synapse/tls/{{ matrix_server_name }}.crt" | +| matrix_synapse_tls_key_path | "/opt/synapse/tls/{{ matrix_server_name }}.key" | +| matrix_synapse_dh_path | "/opt/synapse/tls/{{ matrix_server_name }}.dh" | +| matrix_synapse_server_name | "{{ matrix_server_name }}" | +| matrix_synapse_baseurl | "https://{{ matrix_server_name }}" | | matrix_synapse_pg_pass | "{{ matrix_pg_pass }}" | | matrix_synapse_pg_user | "{{ matrix_pg_user }}" | | matrix_synapse_pg_db | "{{ matrix_pg_db }}" | | matrix_synapse_pg_host | "{{ matrix_pg_host }}" | -| matrix_synapse_log_config | "/opt/synapse/{{ matrix_synapse_domain }}.log.config" | +| matrix_synapse_log_config | "/opt/synapse/{{ matrix_server_name }}.log.config" | | matrix_synapse_media_store_path | "/opt/synapse/media_store" | | matrix_synapse_uploads_path | "/opt/synapse/uploads" | | matrix_synapse_turn_secret | "{{ matrix_turn_secret }}" | | matrix_synapse_turn_uri | "{{ matrix_turn_uri }}" | | 
matrix_synapse_registration_secret | "{{ matrix_registration_secret }}" | | matrix_synapse_macaroon_secret_key | "{{ matrix_macaroon_key }}" | -| matrix_synapse_signing_key_path | "/opt/synapse/ssl/{{ matrix_synapse_domain }}.signing.key" | +| matrix_synapse_signing_key_path | "/opt/synapse/ssl/{{ matrix_server_name }}.signing.key" | | matrix_synapse_version | "v0.34.1.1" | | matrix_synapse_log_days_keep | 30 | | matrix_synapse_skip_ssl | false | +| matrix_synapse_pid_file | /opt/synapse/synapse.pid | +| matrix_synapse_manhole | false | +| matrix_synapse_max_upload_size | 23M | +| matrix_synapse_url_preview_enabled | true | +| matrix_sybapse_registration_secret | __randomly generated__ | -Dependencies ------------- +## Dependencies __None__. -Example Playbook ----------------- +## Example Playbook ```yaml #TODO: Add example ``` -License -------- +## License Apache 2.0 -Author Information ------------------- +# Author Information * Michael Kaye * Jan Christian Grünhage diff --git a/TODO.md b/TODO.md index b3187ba..c2c890d 100644 --- a/TODO.md +++ b/TODO.md @@ -1 +1,2 @@ +* **URGENT** Clean up the variables in README vs. "template" vs. defaults etc. * Create the signing key (tasks/ssl.yml) with openssl rather than inline python 🤮 diff --git a/defaults/main.yml b/defaults/main.yml index 563214c..cb14a56 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -1,10 +1,9 @@ --- -matrix_synapse_tls_path: "/opt/synapse/ssl/{{ matrix_synapse_domain }}.crt" -matrix_synapse_key_path: "/opt/synapse/ssl/{{ matrix_synapse_domain }}.key" -matrix_synapse_dh_path: "/opt/synapse/ssl/{{ matrix_synapse_domain }}.dh" +matrix_synapse_tls_cert_path: "/opt/synapse/tls/{{ matrix_synapse_domain }}.crt" +matrix_synapse_tls_key_path: "/opt/synapse/tls/{{ matrix_synapse_domain }}.key" +matrix_synapse_dh_path: "/opt/synapse/tls/{{ matrix_synapse_domain }}.dh" matrix_synapse_server_name: "{{ matrix_synapse_domain }}" matrix_synapse_baseurl: "https://{{ matrix_synapse_domain }}" -matrix_synapse_port_prefix: 100 matrix_synapse_pg_pass: "{{ matrix_pg_pass }}" matrix_synapse_pg_user: "{{ matrix_pg_user }}" matrix_synapse_pg_db: "{{ matrix_pg_db }}" @@ -16,7 +15,7 @@ matrix_synapse_turn_secret: "{{ matrix_turn_secret }}" matrix_synapse_turn_uri: "{{ matrix_turn_uri }}" matrix_synapse_registration_secret: "{{ matrix_registration_secret }}" matrix_synapse_macaroon_secret_key: "{{ matrix_macaroon_key }}" -matrix_synapse_signing_key_path: "/opt/synapse/ssl/{{ matrix_synapse_domain }}.signing.key" +matrix_synapse_signing_key_path: "/opt/synapse/tls/{{ matrix_synapse_domain }}.signing.key" matrix_synapse_version: "v0.34.1.1" matrix_synapse_log_days_keep: 30 matrix_synapse_skip_ssl: false From a379238dc6bcd609deaa4e3a37c51e35bba6b924 Mon Sep 17 00:00:00 2001 From: Emmanouil Kampitakis Date: Tue, 12 Feb 2019 03:15:21 +0100 Subject: [PATCH 028/167] Remove obsolete template --- templates/homeserver.yaml.j2 | 541 ----------------------------------- 1 file changed, 541 deletions(-) delete mode 100644 templates/homeserver.yaml.j2 diff --git a/templates/homeserver.yaml.j2 b/templates/homeserver.yaml.j2 deleted file mode 100644 index d4e72a6..0000000 --- a/templates/homeserver.yaml.j2 +++ /dev/null 
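Review bot: The cert/key/dh defaults move to `/opt/synapse/tls/`, but the directory loop visible in the patch-024 context of `tasks/configure.yml` still creates `ssl` (`- uploads`, `- ssl`), so the `copy` tasks in `tasks/crypto.yml` will fail on a fresh host unless that loop is changed to `tls` as well. These defaults also still derive from `matrix_synapse_domain`, while the README hunk in the same commit documents `matrix_server_name` as the mandatory input; pick one name so the documented variable is the one the paths actually consume.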
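Review bot: Relocating `matrix_synapse_signing_key_path` to `/opt/synapse/tls/` changes the `creates:` target of the signing-key task in `tasks/crypto.yml`, so on an already-deployed host the generator will mint a brand-new homeserver signing key instead of reusing the one under `/opt/synapse/ssl/`. That key is the server's long-lived federation identity and remote servers cache it; a silent rotation can leave events signed by the old key unverifiable unless the old key is carried into `old_signing_keys`. Either keep the old default or add a task that moves an existing key to the new path before the generator runs.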
@@ -1,541 +0,0 @@ -# vim:ft=yaml -{{ ansible_managed | comment }} -# PEM encoded X509 certificate for TLS. -# You can replace the self-signed certificate that synapse -# autogenerates on launch with your own SSL certificate + key pair -# if you like. Any required intermediary certificates can be -# appended after the primary certificate in hierarchical order. -tls_certificate_path: "{{ matrix_synapse_tls_path }}" - -# PEM encoded private key for TLS -tls_private_key_path: "{{ matrix_synapse_key_path }}" - -# PEM dh parameters for ephemeral keys -tls_dh_params_path: "{{ matrix_synapse_dh_path }}" - -# Don't bind to the https port -no_tls: False - -# List of allowed TLS fingerprints for this server to publish along -# with the signing keys for this server. Other matrix servers that -# make HTTPS requests to this server will check that the TLS -# certificates returned by this server match one of the fingerprints. -# -# Synapse automatically adds the fingerprint of its own certificate -# to the list. So if federation traffic is handle directly by synapse -# then no modification to the list is required. -# -# If synapse is run behind a load balancer that handles the TLS then it -# will be necessary to add the fingerprints of the certificates used by -# the loadbalancers to this list if they are different to the one -# synapse is using. -# -# Homeservers are permitted to cache the list of TLS fingerprints -# returned in the key responses up to the "valid_until_ts" returned in -# key. It may be necessary to publish the fingerprints of a new -# certificate and wait until the "valid_until_ts" of the previous key -# responses have passed before deploying it. 
-# -# You can calculate a fingerprint from a given TLS listener via: -# openssl s_client -connect $host:$port < /dev/null 2> /dev/null | -# openssl x509 -outform DER | openssl sha256 -binary | base64 | tr -d '=' -# or by checking matrix.org/federationtester/api/report?server_name=$host -# -tls_fingerprints: [] -# tls_fingerprints: [{"sha256": ""}] - - -## Server ## - -# The domain name of the server, with optional explicit port. -# This is used by remote servers to connect to this server, -# e.g. matrix.org, localhost:8080, etc. -# This is also the last part of your UserID. -server_name: "{{ matrix_synapse_server_name }}" - -# When running as a daemon, the file to store the pid in -pid_file: /opt/synapse/var/run/homeserver.pid - -# CPU affinity mask. Setting this restricts the CPUs on which the -# process will be scheduled. It is represented as a bitmask, with the -# lowest order bit corresponding to the first logical CPU and the -# highest order bit corresponding to the last logical CPU. Not all CPUs -# may exist on a given system but a mask may specify more CPUs than are -# present. -# -# For example: -# 0x00000001 is processor #0, -# 0x00000003 is processors #0 and #1, -# 0xFFFFFFFF is all processors (#0 through #31). -# -# Pinning a Python process to a single CPU is desirable, because Python -# is inherently single-threaded due to the GIL, and can suffer a -# 30-40% slowdown due to cache blow-out and thread context switching -# if the scheduler happens to schedule the underlying threads across -# different cores. See -# https://www.mirantis.com/blog/improve-performance-python-programs-restricting-single-cpu/. -# -# cpu_affinity: 0xFFFFFFFF - -# Whether to serve a web client from the HTTP/HTTPS root resource. -web_client: false - -# The root directory to server for the above web client. -# If left undefined, synapse will serve the matrix-angular-sdk web client. 
-# Make sure matrix-angular-sdk is installed with pip if web_client is True -# and web_client_location is undefined -# web_client_location: "/path/to/web/root" - -# The public-facing base URL for the client API (not including _matrix/...) -public_baseurl: {{ matrix_synapse_baseurl }} - -# Set the soft limit on the number of file descriptors synapse can use -# Zero is used to indicate synapse should set the soft limit to the -# hard limit. -soft_file_limit: 0 - -# The GC threshold parameters to pass to `gc.set_threshold`, if defined -# gc_thresholds: [700, 10, 10] - -# Set the limit on the returned events in the timeline in the get -# and sync operations. The default value is -1, means no upper limit. -# filter_timeline_limit: 5000 - -# Whether room invites to users on this server should be blocked -# (except those sent by local server admins). The default is False. -# block_non_admin_invites: True - -# List of ports that Synapse should listen on, their purpose and their -# configuration. -listeners: - # Unsecure HTTP listener, - # For when matrix traffic passes through loadbalancer that unwraps TLS. - - port: {{ matrix_synapse_port_prefix }}01 - tls: false - bind_addresses: ['127.0.0.1'] - type: http - - x_forwarded: false - - resources: - - names: [client, webclient] - compress: false - - names: [federation] - compress: false - - -# Database configuration -database: - # The database engine name - name: "psycopg2" - # Arguments to pass to the engine - args: - user: "{{ matrix_synapse_pg_user }}" - password: "{{ matrix_synapse_pg_pass }}" - database: "{{ matrix_synapse_pg_db }}" - host: "{{ matrix_synapse_pg_host }}" - cp_min: 5 - cp_max: 10 - -# Number of events to cache in memory. 
-event_cache_size: "10K" - -# A yaml python logging config file -log_config: "{{ matrix_synapse_log_config }}" - -## Ratelimiting ## - -# Number of messages a client can send per second -rc_messages_per_second: 0.2 - -# Number of message a client can send before being throttled -rc_message_burst_count: 10.0 - -# The federation window size in milliseconds -federation_rc_window_size: 1000 - -# The number of federation requests from a single server in a window -# before the server will delay processing the request. -federation_rc_sleep_limit: 10 - -# The duration in milliseconds to delay processing events from -# remote servers by if they go over the sleep limit. -federation_rc_sleep_delay: 500 - -# The maximum number of concurrent federation requests allowed -# from a single server -federation_rc_reject_limit: 50 - -# The number of federation requests to concurrently process from a -# single server -federation_rc_concurrent: 3 - -# Directory where uploaded images and attachments are stored. -media_store_path: "{{ matrix_synapse_media_store_path }}" - -# A secondary directory where uploaded images and attachments are -# stored as a backup. -# backup_media_store_path: "/opt/synapse/media_store" - -# Whether to wait for successful write to backup media store before -# returning successfully. -# synchronous_backup_media_store: false - -# Directory where in-progress uploads are stored. -uploads_path: "{{ matrix_synapse_uploads_path }}" - -# The largest allowed upload size in bytes -max_upload_size: "10M" - -# Maximum number of pixels that will be thumbnailed -max_image_pixels: "32M" - -# Whether to generate new thumbnails on the fly to precisely match -# the resolution requested by the client. If true then whenever -# a new resolution is requested by the client the server will -# generate a new thumbnail. If false the server will pick a thumbnail -# from a precalculated list. -dynamic_thumbnails: false - -# List of thumbnail to precalculate when an image is uploaded. 
-thumbnail_sizes: -- width: 32 - height: 32 - method: crop -- width: 96 - height: 96 - method: crop -- width: 320 - height: 240 - method: scale -- width: 640 - height: 480 - method: scale -- width: 800 - height: 600 - method: scale - -# Is the preview URL API enabled? If enabled, you *must* specify -# an explicit url_preview_ip_range_blacklist of IPs that the spider is -# denied from accessing. -url_preview_enabled: False - -# List of IP address CIDR ranges that the URL preview spider is denied -# from accessing. There are no defaults: you must explicitly -# specify a list for URL previewing to work. You should specify any -# internal services in your network that you do not want synapse to try -# to connect to, otherwise anyone in any Matrix room could cause your -# synapse to issue arbitrary GET requests to your internal services, -# causing serious security issues. -# -url_preview_ip_range_blacklist: - - '127.0.0.0/8' - - '10.0.0.0/8' - - '172.16.0.0/12' - - '192.168.0.0/16' - - '100.64.0.0/10' - - '169.254.0.0/16' -# -# List of IP address CIDR ranges that the URL preview spider is allowed -# to access even if they are specified in url_preview_ip_range_blacklist. -# This is useful for specifying exceptions to wide-ranging blacklisted -# target IP ranges - e.g. for enabling URL previews for a specific private -# website only visible in your network. -# -# url_preview_ip_range_whitelist: -# - '192.168.1.1' - -# Optional list of URL matches that the URL preview spider is -# denied from accessing. You should use url_preview_ip_range_blacklist -# in preference to this, otherwise someone could define a public DNS -# entry that points to a private IP address and circumvent the blacklist. -# This is more useful if you know there is an entire shape of URL that -# you know that will never want synapse to try to spider. -# -# Each list entry is a dictionary of url component attributes as returned -# by urlparse.urlsplit as applied to the absolute form of the URL. 
See -# https://docs.python.org/2/library/urlparse.html#urlparse.urlsplit -# The values of the dictionary are treated as an filename match pattern -# applied to that component of URLs, unless they start with a ^ in which -# case they are treated as a regular expression match. If all the -# specified component matches for a given list item succeed, the URL is -# blacklisted. -# -# url_preview_url_blacklist: -# # blacklist any URL with a username in its URI -# - username: '*' -# -# # blacklist all *.google.com URLs -# - netloc: 'google.com' -# - netloc: '*.google.com' -# -# # blacklist all plain HTTP URLs -# - scheme: 'http' -# -# # blacklist http(s)://www.acme.com/foo -# - netloc: 'www.acme.com' -# path: '/foo' -# -# # blacklist any URL with a literal IPv4 address -# - netloc: '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$' - -# The largest allowed URL preview spidering size in bytes -max_spider_size: "10M" - - - - -## Captcha ## -# See docs/CAPTCHA_SETUP for full details of configuring this. - -# This Home Server's ReCAPTCHA public key. -recaptcha_public_key: "YOUR_PUBLIC_KEY" - -# This Home Server's ReCAPTCHA private key. -recaptcha_private_key: "YOUR_PRIVATE_KEY" - -# Enables ReCaptcha checks when registering, preventing signup -# unless a captcha is answered. Requires a valid ReCaptcha -# public/private key. -enable_registration_captcha: False - -# A secret key used to bypass the captcha test entirely. -#captcha_bypass_secret: "YOUR_SECRET_HERE" - -# The API endpoint to use for verifying m.login.recaptcha responses. 
-recaptcha_siteverify_api: "https://www.google.com/recaptcha/api/siteverify" - - -## Turn ## - -# The public URIs of the TURN server to give to clients -turn_uris: ["{{ matrix_synapse_turn_uri}}"] - -# The shared secret used to compute passwords for the TURN server -turn_shared_secret: "{{ matrix_synapse_turn_secret}}" - -# The Username and password if the TURN server needs them and -# does not use a token -#turn_username: "TURNSERVER_USERNAME" -#turn_password: "TURNSERVER_PASSWORD" - -# How long generated TURN credentials last -turn_user_lifetime: "1h" - -# Whether guests should be allowed to use the TURN server. -# This defaults to True, otherwise VoIP will be unreliable for guests. -# However, it does introduce a slight security risk as it allows users to -# connect to arbitrary endpoints without having first signed up for a -# valid account (e.g. by passing a CAPTCHA). -turn_allow_guests: True - - -## Registration ## - -# Enable registration for new users. -enable_registration: True - -# If set, allows registration by anyone who also has the shared -# secret, even if registration is otherwise disabled. -registration_shared_secret: "{{ matrix_synapse_registration_secret }}" - -# Set the number of bcrypt rounds used to generate password hash. -# Larger numbers increase the work factor needed to generate the hash. -# The default number of rounds is 12. -bcrypt_rounds: 12 - -# Allows users to register as guests without a password/email/etc, and -# participate in rooms hosted on this server which have been made -# accessible to anonymous users. -allow_guest_access: False - -# The list of identity servers trusted to verify third party -# identifiers by this server. 
-trusted_third_party_id_servers: - - matrix.org - - vector.im - - riot.im - -# Users who register on this homeserver will automatically be joined -# to these rooms -#auto_join_rooms: -# - "#example:example.com" - - -## Metrics ### - -# Enable collection and rendering of performance metrics -enable_metrics: False -report_stats: False - - -## API Configuration ## - -# A list of event types that will be included in the room_invite_state -room_invite_state_types: - - "m.room.join_rules" - - "m.room.canonical_alias" - - "m.room.avatar" - - "m.room.name" - - -# A list of application service config file to use -app_service_config_files: [] - - -macaroon_secret_key: "{{ matrix_macaroon_key }}" - -# Used to enable access token expiration. -expire_access_token: False - -## Signing Keys ## - -# Path to the signing key to sign messages with -signing_key_path: "{{ matrix_synapse_signing_key_path }}" - -# The keys that the server used to sign messages with but won't use -# to sign new messages. E.g. it has lost its private key -old_signing_keys: {} -# "ed25519:auto": -# # Base64 encoded public key -# key: "The public part of your old signing key." -# # Millisecond POSIX timestamp when the key expired. -# expired_ts: 123456789123 - -# How long key response published by this server is valid for. -# Used to set the valid_until_ts in /key/v2 APIs. -# Determines how quickly servers will query to check which keys -# are still valid. -key_refresh_interval: "1d" # 1 Day. - -# The trusted servers to download signing keys from. -perspectives: - servers: - "matrix.org": - verify_keys: - "ed25519:auto": - key: "Noi6WqcDj0QmPxCNQqgezwTlBKrfqehY1u2FyWP9uYw" - - - -# Enable SAML2 for registration and login. Uses pysaml2 -# config_path: Path to the sp_conf.py configuration file -# idp_redirect_url: Identity provider URL which will redirect -# the user back to /login/saml2 with proper info. -# See pysaml2 docs for format of config. 
-#saml2_config: -# enabled: true -# config_path: "/home/tadhack/sp_conf.py" -# idp_redirect_url: "http://tadhack/idp" - - - -# Enable CAS for registration and login. -#cas_config: -# enabled: true -# server_url: "https://cas-server.com" -# service_url: "https://homeserver.domain.com:8448" -# #required_attributes: -# # name: value - - -# The JWT needs to contain a globally unique "sub" (subject) claim. -# -# jwt_config: -# enabled: true -# secret: "a secret" -# algorithm: "HS256" - - - -# Enable password for login. -password_config: - enabled: true - # Uncomment and change to a secret random string for extra security. - # DO NOT CHANGE THIS AFTER INITIAL SETUP! - #pepper: "" - - - -# Enable sending emails for notification events -# Defining a custom URL for Riot is only needed if email notifications -# should contain links to a self-hosted installation of Riot; when set -# the "app_name" setting is ignored. -# -# If your SMTP server requires authentication, the optional smtp_user & -# smtp_pass variables should be used -# -#email: -# enable_notifs: false -# smtp_host: "localhost" -# smtp_port: 25 -# smtp_user: "exampleusername" -# smtp_pass: "examplepassword" -# require_transport_security: False -# notif_from: "Your Friendly %(app)s Home Server " -# app_name: Matrix -# template_dir: res/templates -# notif_template_html: notif_mail.html -# notif_template_text: notif_mail.txt -# notif_for_new_users: True -# riot_base_url: "http://localhost/riot" - - -# password_providers: -# - module: "ldap_auth_provider.LdapAuthProvider" -# config: -# enabled: true -# uri: "ldap://ldap.example.com:389" -# start_tls: true -# base: "ou=users,dc=example,dc=com" -# attributes: -# uid: "cn" -# mail: "email" -# name: "givenName" -# #bind_dn: -# #bind_password: -# #filter: "(objectClass=posixAccount)" - - - -# Clients requesting push notifications can either have the body of -# the message sent in the notification poke along with other details -# like the sender, or just the event ID and 
room ID (`event_id_only`). -# If clients choose the former, this option controls whether the -# notification request includes the content of the event (other details -# like the sender are still included). For `event_id_only` push, it -# has no effect. - -# For modern android devices the notification content will still appear -# because it is loaded by the app. iPhone, however will send a -# notification saying only that a message arrived and who it came from. -# -#push: -# include_content: true - - -# spam_checker: -# module: "my_custom_project.SuperSpamChecker" -# config: -# example_option: 'things' - - -# Whether to allow non server admins to create groups on this server -enable_group_creation: false - -# If enabled, non server admins can only create groups with local parts -# starting with this prefix -# group_creation_prefix: "unofficial/" - - - -# User Directory configuration -# -# 'search_all_users' defines whether to search all users visible to your HS -# when searching the user directory, rather than limiting to users visible -# in public rooms. Defaults to false. If you set it True, you'll have to run -# UPDATE user_directory_stream_pos SET stream_id = NULL; -# on your database to tell it to rebuild the user_directory search indexes. -# -#user_directory: -# search_all_users: false From 60fcda6f31d85c720cbd3e63879682f8e2a5edd7 Mon Sep 17 00:00:00 2001 From: Emmanouil Kampitakis Date: Tue, 12 Feb 2019 03:16:03 +0100 Subject: [PATCH 029/167] Add test skeleton --- tests/test.yml | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 tests/test.yml diff --git a/tests/test.yml b/tests/test.yml new file mode 100644 index 0000000..155c884 --- /dev/null +++ b/tests/test.yml @@ -0,0 +1,5 @@ +--- +hosts: all +vars: +roles: + - role: matrix-ansible-synapse From 34ce08a032f32daffde37b6451784a787eaade7b Mon Sep 17 00:00:00 2001 
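Review bot: `tests/test.yml` is not a runnable playbook as written: a playbook is a sequence of plays, so the top-level keys need to be one list item (`- hosts: all` with `roles:` indented under it), and a bare `vars:` parses to `null` rather than an empty mapping. Change it to `- hosts: all` / `  roles:` / `    - role: matrix-ansible-synapse` and drop the empty `vars:` until it has content. The role name also has to match how the checkout is exposed to Ansible (path or meta name), which the hunk does not show.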
From: Emmanouil Kampitakis Date: Thu, 14 Feb 2019 23:58:14 +0100 Subject: [PATCH 030/167] Expand todo --- TODO.md | 1 + 1 file changed, 1 insertion(+) diff --git a/TODO.md b/TODO.md index c2c890d..b3c10fd 100644 --- a/TODO.md +++ b/TODO.md @@ -1,2 +1,3 @@ * **URGENT** Clean up the variables in README vs. "template" vs. defaults etc. * Create the signing key (tasks/ssl.yml) with openssl rather than inline python 🤮 +* Handle the random string secrets (macaroon, registration key) to ensure idempotense) From 82dd346b1b3e4236b678067c83a64e62a2db7457 Mon Sep 17 00:00:00 2001 From: Emmanouil Kampitakis Date: Fri, 15 Feb 2019 00:24:21 +0100 Subject: [PATCH 031/167] Adjust variable definitions --- README.md | 35 ++++++++++++++--------------------- defaults/main.yml | 25 +++++++++---------------- vars/main.yml | 9 +++++---- 3 files changed, 28 insertions(+), 41 deletions(-) diff --git a/README.md b/README.md index 36ed8e6..5f0ef15 100644 --- a/README.md +++ b/README.md 
@@ -17,39 +17,32 @@ The following should be present on the target system | Name | Type | Description | | :--- | :--- | :--- | | **matrix_server_name** | __string__ | | -| **matrix_synapse_tls_cert** | __string__ | server's TLS certificate chain | -| **matrix_synapse_tls_key** | __string__ | server's TLS key | +| **matrix_synapse_tls_cert** | __string__ | server's TLS certificate chain (_when matrix_synapse_skip_tls not set_)| +| **matrix_synapse_tls_key** | __string__ | server's TLS key (_when matrix_synapse_skip_tls not set_)| | **matrix_synapse_report_stats** | __bool__ | Report the stats to matrix.org | +| **matrix_synapse_pg_host** | __sting__ | postgresql server | +| **matrix_synapse_pg_user** | __string__ | postgresql user | +| **matrix_synapse_pg_pass** | __string__ | postgresql user's password | +| **matrix_synapse_pg_db** | __string__ | postgresql database | +| **matrix_synapse_macaroon_secret_key** | __string__ | matrix's macaroon key (make sure not to change it!) | ### Optional Variables -| Name | Value | -| :--- | :--- | -| matrix_synapse_tls_cert_path | "/opt/synapse/tls/{{ matrix_server_name }}.crt" | +| Name | Value | Description | +| :--- | :--- | :--- | +| matrix_synapse_extra_config | _None_ | configuration parameters as given in the [synapse configuration file](https://github.com/matrix-org/synapse/tree/master/docs) | +| matrix_synapse_tls_cert_path | "/opt/synapse/tls/{{ matrix_server_name }}.crt" | | matrix_synapse_tls_key_path | "/opt/synapse/tls/{{ matrix_server_name }}.key" | | matrix_synapse_dh_path | "/opt/synapse/tls/{{ matrix_server_name }}.dh" | -| matrix_synapse_server_name | "{{ matrix_server_name }}" | | matrix_synapse_baseurl | "https://{{ matrix_server_name }}" | -| matrix_synapse_pg_pass | "{{ matrix_pg_pass }}" | -| matrix_synapse_pg_user | "{{ matrix_pg_user }}" | -| matrix_synapse_pg_db | "{{ matrix_pg_db }}" | -| matrix_synapse_pg_host | "{{ matrix_pg_host }}" | -| matrix_synapse_log_config | "/opt/synapse/{{ 
matrix_server_name }}.log.config" | | matrix_synapse_media_store_path | "/opt/synapse/media_store" | | matrix_synapse_uploads_path | "/opt/synapse/uploads" | -| matrix_synapse_turn_secret | "{{ matrix_turn_secret }}" | -| matrix_synapse_turn_uri | "{{ matrix_turn_uri }}" | | matrix_synapse_registration_secret | "{{ matrix_registration_secret }}" | -| matrix_synapse_macaroon_secret_key | "{{ matrix_macaroon_key }}" | | matrix_synapse_signing_key_path | "/opt/synapse/ssl/{{ matrix_server_name }}.signing.key" | -| matrix_synapse_version | "v0.34.1.1" | +| matrix_synapse_version | "v0.99.1.1" | | matrix_synapse_log_days_keep | 30 | -| matrix_synapse_skip_ssl | false | -| matrix_synapse_pid_file | /opt/synapse/synapse.pid | -| matrix_synapse_manhole | false | -| matrix_synapse_max_upload_size | 23M | -| matrix_synapse_url_preview_enabled | true | -| matrix_sybapse_registration_secret | __randomly generated__ | +| matrix_synapse_skip_tls | false | +| matrix_synapse_registration_secret | _randomly generated_ | ## Dependencies diff --git a/defaults/main.yml b/defaults/main.yml index cb14a56..5c35dd1 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -1,21 +1,14 @@ --- -matrix_synapse_tls_cert_path: "/opt/synapse/tls/{{ matrix_synapse_domain }}.crt" -matrix_synapse_tls_key_path: "/opt/synapse/tls/{{ matrix_synapse_domain }}.key" -matrix_synapse_dh_path: "/opt/synapse/tls/{{ matrix_synapse_domain }}.dh" -matrix_synapse_server_name: "{{ matrix_synapse_domain }}" -matrix_synapse_baseurl: "https://{{ matrix_synapse_domain }}" -matrix_synapse_pg_pass: "{{ matrix_pg_pass }}" -matrix_synapse_pg_user: "{{ matrix_pg_user }}" -matrix_synapse_pg_db: "{{ matrix_pg_db }}" -matrix_synapse_pg_host: "{{ matrix_pg_host }}" -matrix_synapse_log_config: "/opt/synapse/{{ matrix_synapse_domain }}.log.config" +matrix_synapse_extra_config: {} +matrix_synapse_tls_cert_path: "/opt/synapse/tls/{{ matrix_server_name }}.crt" +matrix_synapse_tls_key_path: "/opt/synapse/tls/{{ matrix_server_name }}.key" +matrix_synapse_dh_path: "/opt/synapse/tls/{{ matrix_server_name }}.dh" +matrix_synapse_baseurl: "https://{{ matrix_server_name }}" matrix_synapse_media_store_path: "/opt/synapse/media_store" matrix_synapse_uploads_path: "/opt/synapse/uploads" -matrix_synapse_turn_secret: "{{ matrix_turn_secret }}" -matrix_synapse_turn_uri: "{{ matrix_turn_uri }}" matrix_synapse_registration_secret: "{{ matrix_registration_secret }}" -matrix_synapse_macaroon_secret_key: "{{ matrix_macaroon_key }}" -matrix_synapse_signing_key_path: "/opt/synapse/tls/{{ matrix_synapse_domain }}.signing.key" -matrix_synapse_version: "v0.34.1.1" +matrix_synapse_signing_key_path: "/opt/synapse/tls/{{ matrix_server_name }}.signing.key" +matrix_synapse_version: "v0.99.1.1" matrix_synapse_log_days_keep: 30 -matrix_synapse_skip_ssl: false +matrix_synapse_skip_tls: false +matrix_synapse_pid_file: /opt/synapse/synapse.pid diff --git a/vars/main.yml b/vars/main.yml index b11f50f..c042dca 100644 --- a/vars/main.yml +++ b/vars/main.yml 
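Review bot: The new `matrix_synapse_pid_file: /opt/synapse/synapse.pid` default at the end of this hunk is consumed nowhere in this commit, because the vars/main.yml hunk of the same patch replaces `pid_file: "{{ matrix_synapse_pid_file }}"` with the literal `"/opt/synapse/synapse.pid"` and the README table drops the variable; either keep `pid_file: "{{ matrix_synapse_pid_file }}"` in vars/main.yml or remove the default. The same inconsistency applies to `max_upload_size`, which becomes a literal `"23M"` while its variable disappears from the README. The retained `matrix_synapse_registration_secret: "{{ matrix_registration_secret }}"` still points at a variable the role no longer documents, so a caller who does not override it gets an undefined-variable failure the first time the default is evaluated.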
@@ -1,5 +1,6 @@ --- -matrix_synapse_config: +matrix_synapse_config: "{{ matrix_synapse_base_config | combine(matrix_synapse_extra_config, recursive=true) }}" +matrix_synapse_base_config: server_name: "{{ matrix_server_name }}" tls_certificate_path: "{{ matrix_synapse_tls_cert }}" tls_private_key_path: "{{ matrix_synapse_tls_key }}" @@ -9,9 +10,9 @@ matrix_synapse_config: port: 80 bind_addresses: ['::', '0.0.0.0'] reprovision_threshold: 30 - no_tls: "{{ matrix_synapse_skip_ssl }}" + no_tls: "{{ matrix_synapse_skip_tls }}" tls_fingerprints: [] - pid_file: "{{ matrix_synapse_pid_file }}" + pid_file: "/opt/synapse/synapse.pid" soft_file_limit: 0 use_presence: true listeners: @@ -56,7 +57,7 @@ matrix_synapse_config: federation_rc_concurrent: 3 media_store_path: /opt/synapse/media_store uploads_path: "/uploads" - max_upload_size: "{{ matrix_synapse_max_upload_size }}" + max_upload_size: "23M" max_image_pixels: "32M" dynamic_thumbnails: false thumbnail_sizes: From 8839b46fa1a7c43fd9faa136ca24c22e7a10d3b5 Mon Sep 17 00:00:00 2001 From: Emmanouil Kampitakis Date: Fri, 15 Feb 2019 00:25:14 +0100 Subject: [PATCH 032/167] Use the new variable format to generate the configuration file --- tasks/configure.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tasks/configure.yml b/tasks/configure.yml index fb27133..81827f4 100644 --- a/tasks/configure.yml +++ b/tasks/configure.yml @@ -19,8 +19,8 @@ when: matrix_synapse_registration_secret is not defined - name: Deploy config - template: - src: "homeserver.yaml.j2" + copy: + content: "{{ matrix_synapse_config | to_nice_yaml }}" dest: "/opt/synapse/homeserver.yaml" owner: synapse group: synapse From 1b9cb5d67366d6b58a09782d3e085ae342ea3156 Mon Sep 17 00:00:00 2001 From: Emmanouil Kampitakis Date: Fri, 15 Feb 2019 00:25:35 +0100 Subject: [PATCH 033/167] Use tls in place of ssl --- tasks/crypto.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
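Review bot: `tls_certificate_path: "{{ matrix_synapse_tls_cert }}"` and `tls_private_key_path: "{{ matrix_synapse_tls_key }}"` in the first hunk assign the certificate and key contents to the path options: the README hunk in this same patch describes those variables as the chain and the key, and the tasks/crypto.yml hunk in patch 047 writes `content: "{{ matrix_synapse_tls_key }}"` to disk. Since tasks/configure.yml now serialises `matrix_synapse_config` with `to_nice_yaml`, the private key material would be copied verbatim into /opt/synapse/homeserver.yaml and synapse would then try to open a file named after it. These lines should read `tls_certificate_path: "{{ matrix_synapse_tls_cert_path }}"` and `tls_private_key_path: "{{ matrix_synapse_tls_key_path }}"`, the defaults this commit defines; the same two lines persist through patch 045's vars/main.yml hunk and are only corrected in patch 047.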
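Review bot: The `copy:` task that now writes `matrix_synapse_config | to_nice_yaml` to /opt/synapse/homeserver.yaml sets `owner` and `group` but no `mode` is visible in the hunk, so unless one follows after `group: synapse` the file is created with the remote umask, typically world-readable. The rendered config carries `macaroon_secret_key`, the registration secret and the PostgreSQL password, so it should be restricted with `mode: "0600"` (or `"0640"` if another group must read it) placed right after `group: synapse`. The `template:` task it replaces shows the same two ownership lines and no mode in its context, so this is not new, but the task is being rewritten anyway.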
diff --git a/tasks/crypto.yml b/tasks/crypto.yml index 87829d8..a2a0e83 100644 --- a/tasks/crypto.yml +++ b/tasks/crypto.yml @@ -34,4 +34,4 @@ owner: synapse group: synapse mode: "0600" - when: not matrix_synapse_skip_ssl + when: not matrix_synapse_skip_tls From 66646427d514e13c840e0f8af4eeb5164c7437df Mon Sep 17 00:00:00 2001 From: Emmanouil Kampitakis Date: Fri, 15 Feb 2019 03:06:16 +0100 Subject: [PATCH 034/167] Remove unnesessary variables --- defaults/main.yml | 3 --- 1 file changed, 3 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 5c35dd1..afda8da 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -4,9 +4,6 @@ matrix_synapse_tls_cert_path: "/opt/synapse/tls/{{ matrix_server_name }}.crt" matrix_synapse_tls_key_path: "/opt/synapse/tls/{{ matrix_server_name }}.key" matrix_synapse_dh_path: "/opt/synapse/tls/{{ matrix_server_name }}.dh" matrix_synapse_baseurl: "https://{{ matrix_server_name }}" -matrix_synapse_media_store_path: "/opt/synapse/media_store" -matrix_synapse_uploads_path: "/opt/synapse/uploads" -matrix_synapse_registration_secret: "{{ matrix_registration_secret }}" matrix_synapse_signing_key_path: "/opt/synapse/tls/{{ matrix_server_name }}.signing.key" matrix_synapse_version: "v0.99.1.1" matrix_synapse_log_days_keep: 30 From 6d04100c19d7b8ec9932059055404fc036114c76 Mon Sep 17 00:00:00 2001 From: Emmanouil Kampitakis Date: Fri, 15 Feb 2019 03:07:03 +0100 Subject: [PATCH 035/167] Retrieve paths to be created from the matrix config --- tasks/configure.yml | 21 +++++++++++---------- 1 file changed, 11 insertions(+), 10 deletions(-) diff --git a/tasks/configure.yml b/tasks/configure.yml index 81827f4..db03c25 100644 --- a/tasks/configure.yml +++ b/tasks/configure.yml @@ -1,14 +1,4 @@ --- -- name: Create directory for media storage - file: - name: "/opt/synapse/{{ item }}" - state: directory - owner: synapse - group: synapse - loop: - - media_store - - uploads - - ssl - name: Generate registration secret block: 
@@ -18,6 +8,17 @@ matrix_synapse_registration_secret: "{{ pwgen.stdout }}" when: matrix_synapse_registration_secret is not defined +- name: Create directory for media storage + file: + name: "{{ item }}" + state: directory + owner: synapse + group: synapse + loop: + - "{{ matrix_synapse_config.media_store_path }}" + - "{{ matrix_synapse_config.uploads_path }}" + - /opt/synapse/tls + - name: Deploy config copy: content: "{{ matrix_synapse_config | to_nice_yaml }}" From da3267c30f41fdee7c74cf729e33eade1fe09d63 Mon Sep 17 00:00:00 2001 From: Emmanouil Kampitakis Date: Fri, 15 Feb 2019 03:07:28 +0100 Subject: [PATCH 036/167] Generate the password locally --- tasks/configure.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tasks/configure.yml b/tasks/configure.yml index db03c25..5b27efc 100644 --- a/tasks/configure.yml +++ b/tasks/configure.yml @@ -4,6 +4,8 @@ block: - command: /usr/bin/pwgen -sn 84 1 register: pwgen + delegate_to: localhost + become: false - set_fact: matrix_synapse_registration_secret: "{{ pwgen.stdout }}" when: matrix_synapse_registration_secret is not defined From 34cf5e9fafb0d9ff3c2a26050daeaca53481cb84 Mon Sep 17 00:00:00 2001 From: Emmanouil Kampitakis Date: Fri, 15 Feb 2019 03:08:08 +0100 Subject: [PATCH 037/167] Notify the correct handler --- tasks/configure.yml | 2 +- tasks/crypto.yml | 2 +- tasks/logging.yml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/tasks/configure.yml b/tasks/configure.yml index 5b27efc..8cfaeec 100644 --- a/tasks/configure.yml +++ b/tasks/configure.yml @@ -28,7 +28,7 @@ owner: synapse group: synapse notify: - - "restart synapse" + - "restart matrix-synapse" - name: Configure logging import_tasks: logging.yml diff --git a/tasks/crypto.yml b/tasks/crypto.yml index a2a0e83..2f80020 100644 --- a/tasks/crypto.yml +++ b/tasks/crypto.yml @@ -11,7 +11,7 @@ become: true become_user: synapse notify: - - "restart synapse" + - "restart matrix-synapse" - name: create DH parameters openssl_dhparam: 
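Review bot: The `Create directory for media storage` task in this hunk creates `/opt/synapse/tls` with no `mode`, yet that directory is where the TLS private key (`matrix_synapse_tls_key_path`) and the signing key (`matrix_synapse_signing_key_path`) are written by tasks/crypto.yml, so its permissions come from the remote umask. Add `mode: "0750"` to the `file:` task, or split the tls directory into its own task so the media and upload directories can keep a more permissive mode. The task name also no longer matches its contents now that it creates the tls directory as well.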
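Review bot: Adding `delegate_to: localhost` and `become: false` moves the pwgen call to the controller, but the surrounding block still runs whenever `matrix_synapse_registration_secret is not defined`, so every run of a playbook that does not set the variable produces a new secret, rewrites homeserver.yaml and triggers the restart handler; the secret also now depends on pwgen being installed on the control node rather than the target. If generation on the controller is the intent, `lookup('password', ...)` with a file path persists the value between runs and needs no external binary, e.g. `matrix_synapse_registration_secret: "{{ lookup('password', '<controller-side path> length=84') }}"` (path is a placeholder). The block that contains this task starts before the hunk.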
diff --git a/tasks/logging.yml b/tasks/logging.yml index fb05911..ea3f631 100644 --- a/tasks/logging.yml +++ b/tasks/logging.yml @@ -25,6 +25,6 @@ owner: synapse group: synapse notify: - - "restart synapse" + - "restart matrix-synapse" From b397a278a6408a0983cfcbf44286fb8cf4e9495a Mon Sep 17 00:00:00 2001 From: Emmanouil Kampitakis Date: Fri, 15 Feb 2019 03:09:11 +0100 Subject: [PATCH 038/167] Use copy instead of file --- tasks/configure.yml | 1 - tasks/logging.yml | 2 +- tasks/systemd.yml | 2 +- 3 files changed, 2 insertions(+), 3 deletions(-) diff --git a/tasks/configure.yml b/tasks/configure.yml index 8cfaeec..5aaddab 100644 --- a/tasks/configure.yml +++ b/tasks/configure.yml @@ -1,5 +1,4 @@ --- - - name: Generate registration secret block: - command: /usr/bin/pwgen -sn 84 1 diff --git a/tasks/logging.yml b/tasks/logging.yml index ea3f631..8929a97 100644 --- a/tasks/logging.yml +++ b/tasks/logging.yml @@ -19,7 +19,7 @@ dest: /etc/logrotate.d/matrix_synapse - name: Deploy log config - file: + copy: src: "log.config" dest: "/opt/synapse/log.config" owner: synapse diff --git a/tasks/systemd.yml b/tasks/systemd.yml index 1493c63..fd89635 100644 --- a/tasks/systemd.yml +++ b/tasks/systemd.yml @@ -1,6 +1,6 @@ --- - name: Deploy service file - file: + copy: src: "matrix-synapse.service" dest: "/etc/systemd/system/matrix-synapse.service" notify: From 6d4c34ef782e6fd9d0b316e93dd1450ad3b4176e Mon Sep 17 00:00:00 2001 From: Emmanouil Kampitakis Date: Fri, 15 Feb 2019 03:10:38 +0100 Subject: [PATCH 039/167] Extract signing key creation to module --- library/matrix_signing_key.py | 51 +++++++++++++++++++++++++++++++++++ tasks/crypto.yml | 16 +++++------ 2 files changed, 57 insertions(+), 10 deletions(-) create mode 100644 library/matrix_signing_key.py diff --git a/library/matrix_signing_key.py b/library/matrix_signing_key.py new file mode 100644 index 0000000..9aa6d08 --- /dev/null +++ b/library/matrix_signing_key.py 
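Review bot: Switching to `copy:` with `src: "log.config"` makes Ansible look for the file under the role's files/ directory, but the only log config this page shows is `templates/log.config.j2` from the initial import (patch 001 diffstat), and no commit on the page moves or renames it; unless that happened elsewhere, the task fails with a could-not-find-or-access error at run time. The tasks/systemd.yml hunk in the same commit has the same issue with `src: "matrix-synapse.service"` versus `templates/matrix-synapse.service.j2`. If those files still contain Jinja expressions, the fix is `template:` with the `.j2` source rather than `copy:`; if they are static, they need to be moved to files/ in this commit.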
@@ -0,0 +1,51 @@ +#!/bin/python3 +# Copyright: (c) 2018, Emmanouil Kampitakis +# Apache 2.0 + +from ansible.module_utils.basic import AnsibleModule +from signedjson import key +import os + +def write_signing_key(path): + with open(path,'w') as f: + key.write_signing_keys( + f, + [key.generate_signing_key('first')] + ) + +def run_module(): + module_args = dict( + path=dict(type='str', required=True), + ) + + result = dict( + changed=False, + original_message='', + message='' + ) + + module = AnsibleModule( + argument_spec=module_args, + supports_check_mode=True + ) + + signing_key_path = module.params['path'] + + signing_key_exists = os.path.isfile(signing_key_path) + + if not signing_key_exists: + result['changed'] = True + if module.check_mode: + return result + + write_signing_key(signing_key_path) + + module.exit_json(**result) + +def main(): + run_module() + +if __name__ == '__main__': + main() + + diff --git a/tasks/crypto.yml b/tasks/crypto.yml index 2f80020..8881bb4 100644 --- a/tasks/crypto.yml +++ b/tasks/crypto.yml @@ -1,15 +1,11 @@ --- +- name: Install singedjson + pip: + name: signedjson + - name: Create signing key - shell: > - /opt/synapse/env/bin/python -c " - from signedjson import key; - with open('{{ matrix_synapse_signing_key_path }}','w') as file: - key.write_signing_keys(file, [key.generate_signing_key('first')]); - " - args: - creates: "{{ matrix_synapse_signing_key_path }}" - become: true - become_user: synapse + matrix_signing_key: + path: "{{ matrix_synapse_signing_key_path }}" notify: - "restart matrix-synapse" From 26d24ed2adb4ed559ec6ac33b571407ccea51549 Mon Sep 17 00:00:00 2001 From: Emmanouil Kampitakis Date: Fri, 15 Feb 2019 03:10:56 +0100 Subject: [PATCH 040/167] Become synapse no longer needed --- tasks/deployment.yml | 6 ------ 1 file changed, 6 deletions(-) diff --git a/tasks/deployment.yml b/tasks/deployment.yml index 1ce81fa..e04e992 100644 --- a/tasks/deployment.yml +++ b/tasks/deployment.yml 
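Review bot: `write_signing_key` opens the key file with a plain `open(path, 'w')`, so the server's signing private key is created with the process umask (typically 0644, i.e. world-readable) and there is a gap between the `os.path.isfile` check and the write; use an exclusive create with a restrictive mode instead: `fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)`, `with os.fdopen(fd, 'w') as f:`, `key.write_signing_keys(f, [key.generate_signing_key('first')])`. The top-level `from signedjson import key` also means a missing library surfaces as a raw traceback rather than a module failure; the Ansible convention is to catch `ImportError` and call `module.fail_json(...)` (with `missing_required_lib` from `ansible.module_utils.basic` on Ansible 2.8 and later). The `original_message`/`message` entries in `result` are never set and can be dropped.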
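Review bot: The new `matrix_signing_key:` task drops the `become: true`/`become_user: synapse` lines of the shell version it replaces, so the signing key is now created by whichever account runs the play (root, given the `become: true` in tests/test.yml on this page) and, unlike the `copy:` tasks further down crypto.yml, nothing sets an `owner:` afterwards; synapse may be unable to read its own signing key on first start. Either restore `become_user: synapse` on this task or add a `file:` task that sets `owner: synapse`, `group: synapse` and `mode: "0600"` on `matrix_synapse_signing_key_path`. The preceding `pip: name: signedjson` installs into the target's system interpreter unpinned; that is what the custom module needs (it runs under the Ansible interpreter, not /opt/synapse/env), but a `version:` would keep runs reproducible.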
@@ -46,8 +46,6 @@ virtualenv: /opt/synapse/env virtualenv_python: python2.7 extra_args: --upgrade - become: true - become_user: synapse tags: - pre_install @@ -57,8 +55,6 @@ dest: /opt/synapse/synapse accept_hostkey: yes version: "{{ matrix_synapse_version }}" - become_user: synapse - become: true register: clone_synapse tags: - pre_install @@ -68,8 +64,6 @@ name: /opt/synapse/synapse virtualenv: /opt/synapse/env virtualenv_python: python2.7 - become_user: synapse - become: true when: clone_synapse.changed tags: - skip_ansible_lint # skip when clause From 3f1f0bdfb15e24fe3a713343a38d55e539d9f9d7 Mon Sep 17 00:00:00 2001 From: Emmanouil Kampitakis Date: Fri, 15 Feb 2019 03:11:09 +0100 Subject: [PATCH 041/167] Fix indentation error --- tasks/deployment.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/deployment.yml b/tasks/deployment.yml index e04e992..89b5d49 100644 --- a/tasks/deployment.yml +++ b/tasks/deployment.yml @@ -32,7 +32,7 @@ - libpq-dev state: present cache_valid_time: 1800 - tags: + tags: - pre_install - name: Create virtualenv From 783fe6b55d7b8d433fdced1f177c7b65ed487349 Mon Sep 17 00:00:00 2001 From: Emmanouil Kampitakis Date: Fri, 15 Feb 2019 03:13:31 +0100 Subject: [PATCH 042/167] Add gitignore file --- .gitignore | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 .gitignore diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..e69de29 From fc3ecf8cbdd9a364ecaabc65b8f9ba6363ff1d1e Mon Sep 17 00:00:00 2001 From: Emmanouil Kampitakis Date: Fri, 15 Feb 2019 03:14:21 +0100 Subject: [PATCH 043/167] Add the testroles directory --- .gitignore | 1 + 1 file changed, 1 insertion(+) diff --git a/.gitignore b/.gitignore index e69de29..508d994 100644 --- a/.gitignore +++ b/.gitignore @@ -0,0 +1 @@ +tests/roles/ From f2ca9d60f1500b66d92e63569cb00815d09bf203 Mon Sep 17 00:00:00 2001 
From: Emmanouil Kampitakis Date: Fri, 15 Feb 2019 03:24:30 +0100 Subject: [PATCH 044/167] Add capabilities to test with vagrant --- tests/Vagrantfile | 13 +++++++++++++ tests/ansible.cfg | 3 +++ tests/requirements.yml | 2 ++ tests/test.retry | 1 + tests/test.yml | 26 ++++++++++++++++++++++---- 5 files changed, 41 insertions(+), 4 deletions(-) create mode 100644 tests/Vagrantfile create mode 100644 tests/ansible.cfg create mode 100644 tests/requirements.yml create mode 100644 tests/test.retry diff --git a/tests/Vagrantfile b/tests/Vagrantfile new file mode 100644 index 0000000..bcb6cb0 --- /dev/null +++ b/tests/Vagrantfile @@ -0,0 +1,13 @@ +# -*- mode: ruby -*- +# vi: set ft=ruby : + +Vagrant.configure("2") do |config| + config.vm.box = "debian/stretch64" + + config.vm.network "forwarded_port", guest: 8008, host: 8008 + config.vm.network "forwarded_port", guest: 8448, host: 8448 + + config.vm.provision "ansible" do |ansible| + ansible.playbook = "test.yml" + end +end diff --git a/tests/ansible.cfg b/tests/ansible.cfg new file mode 100644 index 0000000..711a199 --- /dev/null +++ b/tests/ansible.cfg @@ -0,0 +1,3 @@ +[defaults] +nocows=1 +roles_path=./roles:./../../ diff --git a/tests/requirements.yml b/tests/requirements.yml new file mode 100644 index 0000000..2ec5ee2 --- /dev/null +++ b/tests/requirements.yml @@ -0,0 +1,2 @@ +--- +- role: geerlingguy.postgresql diff --git a/tests/test.retry b/tests/test.retry new file mode 100644 index 0000000..4ad96d5 --- /dev/null +++ b/tests/test.retry @@ -0,0 +1 @@ +default diff --git a/tests/test.yml b/tests/test.yml index 155c884..89b03d0 100644 --- a/tests/test.yml +++ b/tests/test.yml 
@@ -1,5 +1,23 @@ --- -hosts: all -vars: -roles: - - role: matrix-ansible-synapse +- hosts: all + become: true + vars: + dbname: synapse + dbuser: synapse_user + dbpw: synapse_password + roles: + - role: geerlingguy.postgresql + postgresql_databases: + - name: "{{ dbname }}" + postgresql_users: + - name: "{{ dbuser }}" + password: "{{ dbpw }}" + - role: matrix-ansible-synapse + matrix_server_name: localhost + matrix_synapse_skip_tls: true + matrix_synapse_report_stats: false + matrix_synapse_pg_host: localhost + matrix_synapse_pg_user: "{{ dbuser }}" + matrix_synapse_pg_pass: "{{ dbpw }}" + matrix_synapse_pg_db: "{{ dbname }}" + matrix_synapse_macaroon_secret_key: "THIS_IS_TOTALLY_SECRET_1337_L33T_HaxXxOR" From 737b03496ca7c632065e9d653793968a2653634c Mon Sep 17 00:00:00 2001 From: Emmanouil Kampitakis Date: Fri, 15 Feb 2019 03:27:08 +0100 Subject: [PATCH 045/167] Fix variables file --- vars/main.yml | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/vars/main.yml b/vars/main.yml index c042dca..78b5ade 100644 --- a/vars/main.yml +++ b/vars/main.yml @@ -1,9 +1,8 @@ --- -matrix_synapse_config: "{{ matrix_synapse_base_config | combine(matrix_synapse_extra_config, recursive=true) }}" -matrix_synapse_base_config: +matrix_synapse_config: server_name: "{{ matrix_server_name }}" - tls_certificate_path: "{{ matrix_synapse_tls_cert }}" - tls_private_key_path: "{{ matrix_synapse_tls_key }}" + tls_certificate_path: "{{ matrix_synapse_skip_tls | ternary(None,matrix_synapse_tls_cert) }}" + tls_private_key_path: "{{ matrix_synapse_skip_tls | ternary(None,matrix_synapse_tls_key) }}" acme: enabled: false url: https://acme-v01.api.letsencrypt.org/directory @@ -21,7 +20,7 @@ matrix_synapse_base_config: - '::' - '0.0.0.0' type: http - tls: true + tls: "{{ not matrix_synapse_skip_tls }}" x_forwarded: false resources: - names: [client] 
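Review bot: The `- role: matrix-ansible-synapse` entry resolves only through `roles_path=./roles:./../../` in the new tests/ansible.cfg, which appears to require the checkout directory itself to be named matrix-ansible-synapse; a symlink `tests/roles/matrix-ansible-synapse -> ../..` would make the test runnable from any clone name, and tests/roles/ is already ignored by patch 043. `tests/test.retry` added in the same commit is an Ansible run artifact rather than a fixture and should be ignored, not committed. The literal database and macaroon values are fine for a throwaway Vagrant box, but a short comment saying they are test-only would prevent them from being copied into a real inventory.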
@@ -56,7 +55,7 @@ matrix_synapse_base_config: federation_rc_reject_limit: 50 federation_rc_concurrent: 3 media_store_path: /opt/synapse/media_store - uploads_path: "/uploads" + uploads_path: /opt/synapse/uploads max_upload_size: "23M" max_image_pixels: "32M" dynamic_thumbnails: false @@ -115,7 +114,6 @@ matrix_synapse_base_config: track_appservice_user_ips: False macaroon_secret_key: "{{ matrix_synapse_macaroon_secret_key }}" expire_access_token: False - form_secret: "{{ matrix_synapse_form_secret }}" signing_key_path: "{{ matrix_synapse_signing_key_path }}" old_signing_keys: {} key_refresh_interval: "1d" # 1 Day. From cf4a70a5c279a8180106c9b54d25939a06d2c709 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20Christian=20Gr=C3=BCnhage?= Date: Sat, 16 Feb 2019 11:25:04 +0100 Subject: [PATCH 046/167] fix matrix_synapse_extra_config --- vars/main.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/vars/main.yml b/vars/main.yml index 78b5ade..41298c2 100644 --- a/vars/main.yml +++ b/vars/main.yml @@ -1,5 +1,6 @@ --- -matrix_synapse_config: +matrix_synapse_config: "{{ matrix_synapse_base_config | combine(matrix_synapse_extra_config, recursive=True) }}" +matrix_synapse_base_config: server_name: "{{ matrix_server_name }}" tls_certificate_path: "{{ matrix_synapse_skip_tls | ternary(None,matrix_synapse_tls_cert) }}" tls_private_key_path: "{{ matrix_synapse_skip_tls | ternary(None,matrix_synapse_tls_key) }}" From 894b7ff906f3d2f099aeba56227db5f273e8d61b Mon Sep 17 00:00:00 2001 From: Emmanouil Kampitakis Date: Sun, 17 Feb 2019 21:10:35 +0100 Subject: [PATCH 047/167] Retireve the Certificate and Key paths from the configs --- README.md | 2 -- defaults/main.yml | 2 -- tasks/crypto.yml | 6 +++--- vars/main.yml | 4 ++-- 4 files changed, 5 insertions(+), 9 deletions(-) diff --git a/README.md b/README.md index 5f0ef15..e8f6860 100644 --- a/README.md +++ b/README.md 
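Review bot: `tls_certificate_path: "{{ matrix_synapse_skip_tls | ternary(None,matrix_synapse_tls_cert) }}"` in the first hunk relies on a `None` expression result inside a quoted template; depending on the Ansible version and the `jinja2_native` setting this is rendered as the string `None` or as an empty string rather than a YAML null, so with `matrix_synapse_skip_tls: true` synapse would be pointed at a file literally called `None`. It would be safer to leave both keys out of the base config when TLS is skipped, or to keep them as plain paths and rely on `no_tls`/listener `tls` flags alone. The same hunk also removes the `combine(matrix_synapse_extra_config, ...)` line, which silently disables `matrix_synapse_extra_config`; patch 046 on this page restores it.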
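Review bot: `combine(matrix_synapse_extra_config, recursive=True)` merges mappings recursively but replaces list values wholesale, so a user who wants to change one listener must supply the whole `listeners:` list in `matrix_synapse_extra_config`, and the same holds for `bind_addresses`, `thumbnail_sizes` and similar. That is acceptable behaviour but worth stating in the README row for `matrix_synapse_extra_config`, e.g. `lists (listeners, bind_addresses, ...) are replaced, not merged`.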
@@ -31,8 +31,6 @@ The following should be present on the target system | Name | Value | Description | | :--- | :--- | :--- | | matrix_synapse_extra_config | _None_ | configuration parameters as given in the [synapse configuration file](https://github.com/matrix-org/synapse/tree/master/docs) | -| matrix_synapse_tls_cert_path | "/opt/synapse/tls/{{ matrix_server_name }}.crt" | -| matrix_synapse_tls_key_path | "/opt/synapse/tls/{{ matrix_server_name }}.key" | | matrix_synapse_dh_path | "/opt/synapse/tls/{{ matrix_server_name }}.dh" | | matrix_synapse_baseurl | "https://{{ matrix_server_name }}" | | matrix_synapse_media_store_path | "/opt/synapse/media_store" | diff --git a/defaults/main.yml b/defaults/main.yml index afda8da..6af12ca 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -1,7 +1,5 @@ --- matrix_synapse_extra_config: {} -matrix_synapse_tls_cert_path: "/opt/synapse/tls/{{ matrix_server_name }}.crt" -matrix_synapse_tls_key_path: "/opt/synapse/tls/{{ matrix_server_name }}.key" matrix_synapse_dh_path: "/opt/synapse/tls/{{ matrix_server_name }}.dh" matrix_synapse_baseurl: "https://{{ matrix_server_name }}" matrix_synapse_signing_key_path: "/opt/synapse/tls/{{ matrix_server_name }}.signing.key" diff --git a/tasks/crypto.yml b/tasks/crypto.yml index 8881bb4..45b1824 100644 --- a/tasks/crypto.yml +++ b/tasks/crypto.yml @@ -5,7 +5,7 @@ - name: Create signing key matrix_signing_key: - path: "{{ matrix_synapse_signing_key_path }}" + path: "{{ matrix_synapse_config.signing_key_path }}" notify: - "restart matrix-synapse" 
@@ -19,14 +19,14 @@ - name: Write certificate copy: content: "{{ matrix_synapse_tls_cert }}" - dest: "{{ matrix_synapse_tls_cert_path }}" + dest: "{{ matrix_synapse_config.tls_certificate_path }}" owner: synapse group: synapse mode: "0644" - name: Write keyfile copy: content: "{{ matrix_synapse_tls_key }}" - dest: "{{ matrix_synapse_tls_key_path }}" + dest: "{{ matrix_synapse_config.tls_private_key_path }}" owner: synapse group: synapse mode: "0600" diff --git a/vars/main.yml b/vars/main.yml index 78b5ade..e8e15ae 100644 --- a/vars/main.yml +++ b/vars/main.yml @@ -1,8 +1,8 @@ --- matrix_synapse_config: server_name: "{{ matrix_server_name }}" - tls_certificate_path: "{{ matrix_synapse_skip_tls | ternary(None,matrix_synapse_tls_cert) }}" - tls_private_key_path: "{{ matrix_synapse_skip_tls | ternary(None,matrix_synapse_tls_key) }}" + tls_certificate_path: "/opt/synapse/tls/{{ matrix_server_name }}.crt" + tls_private_key_path: "/opt/synapse/tls/{{ matrix_server_name }}.key" acme: enabled: false url: https://acme-v01.api.letsencrypt.org/directory From 15dc5d49a2a436a8af29702ad446045e0fb01c01 Mon Sep 17 00:00:00 2001 From: Emmanouil Kampitakis Date: Sun, 17 Feb 2019 21:52:15 +0100 Subject: [PATCH 048/167] Extract skip tls from configuration --- README.md | 1 - tasks/crypto.yml | 2 +- vars/main.yml | 4 ++-- 3 files changed, 3 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index e8f6860..8286aff 100644 --- a/README.md +++ b/README.md @@ -39,7 +39,6 @@ The following should be present on the target system | matrix_synapse_signing_key_path | "/opt/synapse/ssl/{{ matrix_server_name }}.signing.key" | | matrix_synapse_version | "v0.99.1.1" | | matrix_synapse_log_days_keep | 30 | -| matrix_synapse_skip_tls | false | | matrix_synapse_registration_secret | _randomly generated_ | ## Dependencies diff --git a/tasks/crypto.yml b/tasks/crypto.yml index 45b1824..1a1039c 100644 --- a/tasks/crypto.yml +++ b/tasks/crypto.yml 
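Review bot: The vars/main.yml hunk of this commit is based on index `78b5ade` (the state after patch 045), not on `41298c2` produced by patch 046, so it still shows the old `matrix_synapse_config:` header and does not contain the `matrix_synapse_base_config`/`combine(matrix_synapse_extra_config, ...)` line. Whichever of the two lands second will conflict on the first lines of the file, and if this one wins as written, `matrix_synapse_extra_config` is silently ignored again. Rebasing this hunk onto 046 so the fixed paths go into `matrix_synapse_base_config` resolves both.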
@@ -30,4 +30,4 @@ owner: synapse group: synapse mode: "0600" - when: not matrix_synapse_skip_tls + when: not matrix_synapse_config.no_tls diff --git a/vars/main.yml b/vars/main.yml index e8e15ae..eea2d4e 100644 --- a/vars/main.yml +++ b/vars/main.yml @@ -9,7 +9,7 @@ matrix_synapse_config: port: 80 bind_addresses: ['::', '0.0.0.0'] reprovision_threshold: 30 - no_tls: "{{ matrix_synapse_skip_tls }}" + no_tls: false tls_fingerprints: [] pid_file: "/opt/synapse/synapse.pid" soft_file_limit: 0 @@ -20,7 +20,7 @@ matrix_synapse_config: - '::' - '0.0.0.0' type: http - tls: "{{ not matrix_synapse_skip_tls }}" + tls: true x_forwarded: false resources: - names: [client] From c8e2ef5350737cb570542e8f8dff36288e038c25 Mon Sep 17 00:00:00 2001 From: Emmanouil Kampitakis Date: Sun, 17 Feb 2019 21:52:36 +0100 Subject: [PATCH 049/167] DH parameters are only needed in case of TLS --- tasks/crypto.yml | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/tasks/crypto.yml b/tasks/crypto.yml index 1a1039c..63eb7ad 100644 --- a/tasks/crypto.yml +++ b/tasks/crypto.yml @@ -9,13 +9,12 @@ notify: - "restart matrix-synapse" -- name: create DH parameters - openssl_dhparam: - path: "{{ matrix_synapse_dh_path }}" - owner: synapse - - name: Write server's certificate and private key block: + - name: create DH parameters + openssl_dhparam: + path: "{{ matrix_synapse_dh_path }}" + owner: synapse - name: Write certificate copy: content: "{{ matrix_synapse_tls_cert }}" From f2762e811f03ef16386095773f78ad51bfe9544b Mon Sep 17 00:00:00 2001 From: Emmanouil Kampitakis Date: Sun, 17 Feb 2019 21:53:05 +0100 Subject: [PATCH 050/167] Homogenise configuration --- vars/main.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/vars/main.yml b/vars/main.yml index eea2d4e..42a8caa 100644 --- a/vars/main.yml +++ b/vars/main.yml 
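Review bot: This commit removes `matrix_synapse_skip_tls` from the README and from vars/main.yml (`no_tls: false`, `tls: true`), but defaults/main.yml is not in the diffstat and still defines `matrix_synapse_skip_tls: false` from patch 031, so the role keeps a default that nothing reads. Remove it in the same commit, otherwise users who set it expect an effect that never happens. With the listener now hard-coded to `tls: true`, the README row for `matrix_synapse_extra_config` should also say that TLS is disabled by overriding `no_tls`, which is what patch 053's test does.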
@@ -29,7 +29,9 @@ matrix_synapse_config: compress: false - port: 8008 tls: false - bind_addresses: ['::', '0.0.0.0'] + bind_addresses: + - '::' + - '0.0.0.0' type: http x_forwarded: false resources: From b0cdeac8e6f4e86c8d9917ea583d178ad5ddf3e5 Mon Sep 17 00:00:00 2001 From: Emmanouil Kampitakis Date: Sun, 17 Feb 2019 21:53:53 +0100 Subject: [PATCH 051/167] Media storage and uploads path are being extracted from configuration file --- README.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/README.md b/README.md index 8286aff..a398bc2 100644 --- a/README.md +++ b/README.md @@ -33,8 +33,6 @@ The following should be present on the target system | matrix_synapse_extra_config | _None_ | configuration parameters as given in the [synapse configuration file](https://github.com/matrix-org/synapse/tree/master/docs) | | matrix_synapse_dh_path | "/opt/synapse/tls/{{ matrix_server_name }}.dh" | | matrix_synapse_baseurl | "https://{{ matrix_server_name }}" | -| matrix_synapse_media_store_path | "/opt/synapse/media_store" | -| matrix_synapse_uploads_path | "/opt/synapse/uploads" | | matrix_synapse_registration_secret | "{{ matrix_registration_secret }}" | | matrix_synapse_signing_key_path | "/opt/synapse/ssl/{{ matrix_server_name }}.signing.key" | | matrix_synapse_version | "v0.99.1.1" | From 0ed349a672cf7522f66e17e3cdb0bcf0308c10eb Mon Sep 17 00:00:00 2001 From: Emmanouil Kampitakis Date: Sun, 17 Feb 2019 21:57:26 +0100 Subject: [PATCH 052/167] Make the registration secret mandatory Idempotence is not possible when the secret is being generated on every run --- README.md | 3 +-- tasks/configure.yml | 10 ---------- 2 files changed, 1 insertion(+), 12 deletions(-) diff --git a/README.md b/README.md index a398bc2..9fd55ef 100644 --- a/README.md +++ b/README.md 
@@ -25,6 +25,7 @@ The following should be present on the target system | **matrix_synapse_pg_pass** | __string__ | postgresql user's password | | **matrix_synapse_pg_db** | __string__ | postgresql database | | **matrix_synapse_macaroon_secret_key** | __string__ | matrix's macaroon key (make sure not to change it!) | +| **matrix_synapse_registration_secret** | __string__ | matrix's registration secret | ### Optional Variables @@ -33,11 +34,9 @@ The following should be present on the target system | matrix_synapse_extra_config | _None_ | configuration parameters as given in the [synapse configuration file](https://github.com/matrix-org/synapse/tree/master/docs) | | matrix_synapse_dh_path | "/opt/synapse/tls/{{ matrix_server_name }}.dh" | | matrix_synapse_baseurl | "https://{{ matrix_server_name }}" | -| matrix_synapse_registration_secret | "{{ matrix_registration_secret }}" | | matrix_synapse_signing_key_path | "/opt/synapse/ssl/{{ matrix_server_name }}.signing.key" | | matrix_synapse_version | "v0.99.1.1" | | matrix_synapse_log_days_keep | 30 | -| matrix_synapse_registration_secret | _randomly generated_ | ## Dependencies diff --git a/tasks/configure.yml b/tasks/configure.yml index 5aaddab..9a6bed0 100644 --- a/tasks/configure.yml +++ b/tasks/configure.yml @@ -1,14 +1,4 @@ --- -- name: Generate registration secret - block: - - command: /usr/bin/pwgen -sn 84 1 - register: pwgen - delegate_to: localhost - become: false - - set_fact: - matrix_synapse_registration_secret: "{{ pwgen.stdout }}" - when: matrix_synapse_registration_secret is not defined - - name: Create directory for media storage file: name: "{{ item }}" From aacc10f04ef2b21af5eeab0d23263347113a3fab Mon Sep 17 00:00:00 2001 From: Emmanouil Kampitakis Date: Sun, 17 Feb 2019 22:40:11 +0100 Subject: [PATCH 053/167] Adapt test.yml to branch changes --- tests/test.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/tests/test.yml b/tests/test.yml index 89b03d0..4c24257 100644 
--- a/tests/test.yml +++ b/tests/test.yml @@ -14,10 +14,12 @@ password: "{{ dbpw }}" - role: matrix-ansible-synapse matrix_server_name: localhost - matrix_synapse_skip_tls: true matrix_synapse_report_stats: false matrix_synapse_pg_host: localhost matrix_synapse_pg_user: "{{ dbuser }}" matrix_synapse_pg_pass: "{{ dbpw }}" matrix_synapse_pg_db: "{{ dbname }}" matrix_synapse_macaroon_secret_key: "THIS_IS_TOTALLY_SECRET_1337_L33T_HaxXxOR" + matrix_synapse_registration_secret: "ahphae6shuighahxaf9weeBahHieCh8woo6agh6UGh" + matrix_synapse_extra_config: + no_tls: true From b5f805f22c25d2e3cd1a41bb9793336586b5a17c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20Christian=20Gr=C3=BCnhage?= Date: Sat, 16 Feb 2019 11:25:57 +0100 Subject: [PATCH 054/167] support deployment through docker instead of directly onto the host --- .editorconfig | 6 ++ README.md | 4 + defaults/main.yml | 4 + handlers/main.yml | 15 +++- tasks/configure.yml | 19 ++++ tasks/crypto.yml | 1 + tasks/deployment.yml | 145 ++++++++++++++++--------------- tasks/main.yml | 12 ++- tests/.gitignore | 2 + tests/Vagrantfile | 22 +++-- tests/requirements.yml | 2 + tests/test-docker.yml | 35 ++++++++ tests/{test.yml => test-pip.yml} | 4 + 13 files changed, 190 insertions(+), 81 deletions(-) create mode 100644 .editorconfig create mode 100644 tests/.gitignore create mode 100644 tests/test-docker.yml rename tests/{test.yml => test-pip.yml} (85%) diff --git a/.editorconfig b/.editorconfig new file mode 100644 index 0000000..485e376 --- /dev/null +++ b/.editorconfig @@ -0,0 +1,6 @@ +root = true + +[*.yml] +insert_final_newline = true +indent_style = space +indent_size = 2 diff --git a/README.md b/README.md index 5f0ef15..cbf5150 100644 --- a/README.md +++ b/README.md 
@@ -43,6 +43,10 @@ The following should be present on the target system | matrix_synapse_log_days_keep | 30 | | matrix_synapse_skip_tls | false | | matrix_synapse_registration_secret | _randomly generated_ | +| matrix_synapse_deployment_method | pip | Either pip or docker [¹](#footnote_1) | +| matrix_synapse_supervision_method | systemd | Either systemd, runit or docker [¹](#footnote_1) | + +¹: Docker must be used for both or neither deployment and supervision ## Dependencies diff --git a/defaults/main.yml b/defaults/main.yml index afda8da..83b6d07 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -1,5 +1,7 @@ --- matrix_synapse_extra_config: {} +matrix_synapse_deployment_method: pip +matrix_synapse_supervision_method: systemd matrix_synapse_tls_cert_path: "/opt/synapse/tls/{{ matrix_server_name }}.crt" matrix_synapse_tls_key_path: "/opt/synapse/tls/{{ matrix_server_name }}.key" matrix_synapse_dh_path: "/opt/synapse/tls/{{ matrix_server_name }}.dh" @@ -9,3 +11,5 @@ matrix_synapse_version: "v0.99.1.1" matrix_synapse_log_days_keep: 30 matrix_synapse_skip_tls: false matrix_synapse_pid_file: /opt/synapse/synapse.pid +matrix_synapse_docker_ports: ["8008:8008", "8448:8448"] +matrix_synapse_docker_labels: {} diff --git a/handlers/main.yml b/handlers/main.yml index f37861a..713e1ec 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -4,13 +4,20 @@ daemon_reload: yes - name: "restart matrix-synapse" - service: - name: "matrix-synapse" - state: restarted - enabled: yes + block: + - service: + name: "matrix-synapse" + state: restarted + enabled: yes + when: matrix_synapse_supervision_method == "systemd" + - docker_container: + name: synapse + state: restarted + when: matrix_synapse_supervision_method == "docker" - name: restart rsyslog become: yes service: name: rsyslog state: restarted + when: matrix_synapse_supervision_method == "systemd" diff --git a/tasks/configure.yml b/tasks/configure.yml index 5aaddab..091697a 100644 --- a/tasks/configure.yml 
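Review bot: The new default `matrix_synapse_docker_ports: ["8008:8008", "8448:8448"]` publishes both listeners on every host interface, and Docker adds its own iptables rules for published ports, so a host firewall that only lets a reverse proxy reach synapse is bypassed and the plain-HTTP client port 8008 becomes reachable from the network. I would bind the client port to loopback by default, `matrix_synapse_docker_ports: ["127.0.0.1:8008:8008", "8448:8448"]`, and note in the README row that operators terminating TLS on a proxy should keep it that way. 8448 is the federation port and presumably has to stay public, but that exposure is at least the expected one.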
+++ b/tasks/configure.yml @@ -8,6 +8,23 @@ - set_fact: matrix_synapse_registration_secret: "{{ pwgen.stdout }}" when: matrix_synapse_registration_secret is not defined + +- name: create user + user: + name: synapse + state: present + register: synapse_user + tags: + - pre_install + +- name: create directory + file: + name: /opt/synapse + state: directory + owner: synapse + group: synapse + tags: + - pre_install - name: Create directory for media storage file: @@ -31,6 +48,8 @@ - name: Configure logging import_tasks: logging.yml + when: matrix_synapse_supervision_method == "systemd" + # TODO: Figure out how to make sure that logging ends up in rsyslog no matter what system we run on - name: Create certificates include_tasks: crypto.yml diff --git a/tasks/crypto.yml b/tasks/crypto.yml index 8881bb4..2d5098b 100644 --- a/tasks/crypto.yml +++ b/tasks/crypto.yml @@ -12,6 +12,7 @@ - name: create DH parameters openssl_dhparam: path: "{{ matrix_synapse_dh_path }}" + size: 2048 owner: synapse - name: Write server's certificate and private key diff --git a/tasks/deployment.yml b/tasks/deployment.yml index 89b5d49..6bdf6a8 100644 --- a/tasks/deployment.yml +++ b/tasks/deployment.yml 
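Review bot: The `create user` task added to configure.yml creates `synapse` as an ordinary login account: no `system: true`, no `shell`, and a default home directory, which is more than the account running the homeserver needs. I would make it `user: {name: synapse, system: true, shell: /usr/sbin/nologin, create_home: false}` so the account cannot be logged into and gets a uid from the system range; the role keeps everything under /opt/synapse, so nothing visible here relies on a home directory, but confirm the pip tasks do not run as this user. The `register: synapse_user` result is consumed by the container's `user:` later in this commit, and the user module still returns `uid`/`group` with these options, so that use is unaffected.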
@@ -1,71 +1,78 @@ --- -- name: create user - user: +- name: install synapse with pip into virtualenv + block: + - name: Install dependencies + apt: + name: + - build-essential + - python2.7-dev + - libffi-dev + - python-pip + - python-setuptools + - sqlite3 + - libssl-dev + - python-virtualenv + - libjpeg-dev + - libxslt1-dev + - git + - libpq-dev + state: present + cache_valid_time: 1800 + tags: + - pre_install + + - name: Create virtualenv + pip: + name: + - pip + - setuptools + - lxml + - psycopg2-binary + - mock + virtualenv: /opt/synapse/env + virtualenv_python: python2.7 + extra_args: --upgrade + tags: + - pre_install + + - name: Clone synapse + git: + repo: https://github.com/matrix-org/synapse + dest: /opt/synapse/synapse + accept_hostkey: yes + version: "{{ matrix_synapse_version }}" + register: clone_synapse + tags: + - pre_install + + - name: Install Synapse + pip: + name: /opt/synapse/synapse + virtualenv: /opt/synapse/env + virtualenv_python: python2.7 + when: clone_synapse.changed + tags: + - skip_ansible_lint # skip when clause + - pre_install + when: matrix_synapse_deployment_method == "pip" + +- name: install synapse with docker + docker_container: name: synapse - state: present - tags: - - pre_install - -- name: create directory - file: - name: /opt/synapse - state: directory - owner: synapse - group: synapse - tags: - - pre_install - -- name: Install dependencies - apt: - name: - - build-essential - - python2.7-dev - - libffi-dev - - python-pip - - python-setuptools - - sqlite3 - - libssl-dev - - python-virtualenv - - libjpeg-dev - - libxslt1-dev - - git - - libpq-dev - state: present - cache_valid_time: 1800 - tags: - - pre_install - -- name: Create virtualenv - pip: - name: - - pip - - setuptools - - lxml - - psycopg2-binary - - mock - virtualenv: /opt/synapse/env - virtualenv_python: python2.7 - extra_args: --upgrade - tags: - - pre_install - -- name: Clone synapse - git: - repo: https://github.com/matrix-org/synapse - dest: 
/opt/synapse/synapse - accept_hostkey: yes - version: "{{ matrix_synapse_version }}" - register: clone_synapse - tags: - - pre_install - -- name: Install Synapse - pip: - name: /opt/synapse/synapse - virtualenv: /opt/synapse/env - virtualenv_python: python2.7 - when: clone_synapse.changed - tags: - - skip_ansible_lint # skip when clause - - pre_install - + image: "docker.io/matrixdotorg/synapse:{{ matrix_synapse_version }}" + ports: "{{ matrix_synapse_docker_ports }}" + labels: "{{ matrix_synapse_docker_labels }}" + restart_policy: unless-stopped + entrypoint: "python" + command: + - "-m" + - "synapse.app.homeserver" + - "-c" + - "/opt/synapse/homeserver.yaml" + user: "{{ synapse_user.uid }}:{{ synapse_user.group }}" + volumes: + - "{{ matrix_synapse_config.media_store_path }}:{{ matrix_synapse_config.media_store_path }}" + - "{{ matrix_synapse_config.uploads_path }}:{{ matrix_synapse_config.uploads_path }}" + - "/opt/synapse/homeserver.yaml:/opt/synapse/homeserver.yaml" + - "/opt/synapse/tls:/opt/synapse/tls" + when: matrix_synapse_deployment_method == "docker" diff --git a/tasks/main.yml b/tasks/main.yml index 3bb19c3..d1c9487 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -1,9 +1,15 @@ --- -- name: deploy synapse - import_tasks: deployment.yml - +- name: check that sypervision and deployment are compatible + fail: + msg: "Either both or neither of deployment and supervision method should be docker." + when: (matrix_synapse_supervision_method == "docker" and matrix_synapse_deployment_method != "docker") or (matrix_synapse_deployment_method == "docker" and matrix_synapse_supervision_method != "docker") + - name: configure synapse import_tasks: configure.yml +- name: deploy synapse + import_tasks: deployment.yml + - name: configure service import_tasks: systemd.yml + when: matrix_synapse_supervision_method == "systemd" diff --git a/tests/.gitignore b/tests/.gitignore new file mode 100644 index 0000000..a058c8c --- /dev/null +++ b/tests/.gitignore 
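Review bot: `image: "docker.io/matrixdotorg/synapse:{{ matrix_synapse_version }}"` pins the container to a mutable tag, so the image actually run can change under the same `matrix_synapse_version` and nothing in this task notices; the pip branch has the same property since `git: version:` is also a tag. For the docker branch consider an optional digest variable, e.g. `image: "docker.io/matrixdotorg/synapse@{{ matrix_synapse_docker_digest }}"` when one is set, or at least `pull: yes` so a moved tag is picked up and reported as a change. For the git clone, `verify_commit: yes` would check the tag signature if upstream signs release tags (I believe synapse does, but confirm before relying on it).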
@@ -0,0 +1,2 @@ +.vagrant +*.retry diff --git a/tests/Vagrantfile b/tests/Vagrantfile index bcb6cb0..132c5bd 100644 --- a/tests/Vagrantfile +++ b/tests/Vagrantfile @@ -2,12 +2,24 @@ # vi: set ft=ruby : Vagrant.configure("2") do |config| - config.vm.box = "debian/stretch64" + config.vm.define "pip" do |pip| + pip.vm.box = "debian/stretch64" - config.vm.network "forwarded_port", guest: 8008, host: 8008 - config.vm.network "forwarded_port", guest: 8448, host: 8448 + pip.vm.network "forwarded_port", guest: 8008, host: 8008 + pip.vm.network "forwarded_port", guest: 8448, host: 8448 - config.vm.provision "ansible" do |ansible| - ansible.playbook = "test.yml" + pip.vm.provision "ansible" do |ansible| + ansible.playbook = "test-pip.yml" + end + end + config.vm.define "docker" do |docker| + docker.vm.box = "debian/stretch64" + + docker.vm.network "forwarded_port", guest: 8008, host: 8009 + docker.vm.network "forwarded_port", guest: 8448, host: 8449 + + docker.vm.provision "ansible" do |ansible| + ansible.playbook = "test-docker.yml" + end end end diff --git a/tests/requirements.yml b/tests/requirements.yml index 2ec5ee2..75f1808 100644 --- a/tests/requirements.yml +++ b/tests/requirements.yml @@ -1,2 +1,4 @@ --- +- role: geerlingguy.pip +- role: geerlingguy.docker - role: geerlingguy.postgresql diff --git a/tests/test-docker.yml b/tests/test-docker.yml new file mode 100644 index 0000000..a693d5b --- /dev/null +++ b/tests/test-docker.yml 
@@ -0,0 +1,35 @@ +--- +- hosts: all + become: true + vars: + dbname: synapse + dbuser: synapse_user + dbpw: synapse_password + matrix_synapse_deployment_method: docker + matrix_synapse_supervision_method: docker + roles: + - role: geerlingguy.pip + pip_install_packages: + - name: docker + - role: geerlingguy.docker + - role: geerlingguy.postgresql + postgresql_databases: + - name: "{{ dbname }}" + postgresql_users: + - name: "{{ dbuser }}" + password: "{{ dbpw }}" + postgresql_global_config_options: + - option: listen_addresses + value: "172.17.0.1" + postgresql_hba_entries: + - { type: local, database: all, user: all, auth_method: trust } + - { type: host, database: "{{ dbname }}", user: "{{ dbuser }}", address: "172.17.0.1/16", auth_method: md5 } + - role: matrix-ansible-synapse + matrix_server_name: localhost + matrix_synapse_skip_tls: true + matrix_synapse_report_stats: false + matrix_synapse_pg_host: 172.17.0.1 + matrix_synapse_pg_user: "{{ dbuser }}" + matrix_synapse_pg_pass: "{{ dbpw }}" + matrix_synapse_pg_db: "{{ dbname }}" + matrix_synapse_macaroon_secret_key: "THIS_IS_TOTALLY_SECRET_1337_L33T_HaxXxOR" diff --git a/tests/test.yml b/tests/test-pip.yml similarity index 85% rename from tests/test.yml rename to tests/test-pip.yml index 89b03d0..ed8dcd6 100644 --- a/tests/test.yml +++ b/tests/test-pip.yml @@ -6,12 +6,16 @@ dbuser: synapse_user dbpw: synapse_password roles: + - role: geerlingguy.pip - role: geerlingguy.postgresql postgresql_databases: - name: "{{ dbname }}" postgresql_users: - name: "{{ dbuser }}" password: "{{ dbpw }}" + postgresql_global_config_options: + - option: listen_address + value: "*" - role: matrix-ansible-synapse matrix_server_name: localhost matrix_synapse_skip_tls: true From f86881ce26275f4374e75899bf51e57317a6ab24 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Jan=20Christian=20Gr=C3=BCnhage?= Date: Sun, 17 Feb 2019 23:26:08 +0100 Subject: [PATCH 055/167] split handlers block into separate handlers --- handlers/main.yml | 25 ++++++++++++++----------- 1 file changed, 14 insertions(+), 11 deletions(-) diff --git a/handlers/main.yml b/handlers/main.yml index 713e1ec..27fc776 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -3,17 +3,20 @@ systemd: daemon_reload: yes -- name: "restart matrix-synapse" - block: - - service: - name: "matrix-synapse" - state: restarted - enabled: yes - when: matrix_synapse_supervision_method == "systemd" - - docker_container: - name: synapse - state: restarted - when: matrix_synapse_supervision_method == "docker" +- name: "restart matrix-synapse using systemd" + service: + name: "matrix-synapse" + state: restarted + enabled: yes + when: matrix_synapse_supervision_method == "systemd" + listen: "restart matrix-synapse" + +- name: "restart synapse using docker" + docker_container: + name: synapse + state: restarted + when: matrix_synapse_supervision_method == "docker" + listen: "restart matrix-synapse" - name: restart rsyslog become: yes From 58803d90ba69187acc6ad16558d43d537a98bf95 Mon Sep 17 00:00:00 2001 From: Emmanouil Kampitakis Date: Sun, 17 Feb 2019 23:05:35 +0100 Subject: [PATCH 056/167] Use proper variables in docker playbook --- tests/test-docker.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/tests/test-docker.yml b/tests/test-docker.yml index a693d5b..3c26913 100644 --- a/tests/test-docker.yml +++ b/tests/test-docker.yml 
@@ -26,10 +26,12 @@ - { type: host, database: "{{ dbname }}", user: "{{ dbuser }}", address: "172.17.0.1/16", auth_method: md5 } - role: matrix-ansible-synapse matrix_server_name: localhost - matrix_synapse_skip_tls: true matrix_synapse_report_stats: false matrix_synapse_pg_host: 172.17.0.1 matrix_synapse_pg_user: "{{ dbuser }}" matrix_synapse_pg_pass: "{{ dbpw }}" matrix_synapse_pg_db: "{{ dbname }}" matrix_synapse_macaroon_secret_key: "THIS_IS_TOTALLY_SECRET_1337_L33T_HaxXxOR" + matrix_synapse_registration_secret: "waewi7Joolae8Pahh1eePhaeJubairieFuhoorie3h" + matrix_synapse_extra_config: + no_tls: true From 06d9b2ea492b287ed397128ed3da5fb862297595 Mon Sep 17 00:00:00 2001 From: Emmanouil Kampitakis Date: Sun, 17 Feb 2019 23:50:22 +0100 Subject: [PATCH 057/167] Docker containers do not support restarted statement --- handlers/main.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/handlers/main.yml b/handlers/main.yml index 27fc776..937962a 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -14,7 +14,8 @@ - name: "restart synapse using docker" docker_container: name: synapse - state: restarted + state: started + restart: yes when: matrix_synapse_supervision_method == "docker" listen: "restart matrix-synapse" From 71c4f3b2a40abf7d9574043be2010387836c00bc Mon Sep 17 00:00:00 2001 From: Emmanouil Kampitakis Date: Mon, 18 Feb 2019 00:27:45 +0100 Subject: [PATCH 058/167] Make the ansible linter happy remove trailing whitespaces --- .editorconfig | 1 + tasks/configure.yml | 2 +- tasks/main.yml | 2 +- tests/test-docker.yml | 6 +++--- tests/test-pip.yml | 4 ++-- 5 files changed, 8 insertions(+), 7 deletions(-) diff --git a/.editorconfig b/.editorconfig index 485e376..5f98854 100644 --- a/.editorconfig +++ b/.editorconfig @@ -1,4 +1,5 @@ root = true +trim_trailing_whitespace = true [*.yml] insert_final_newline = true diff --git a/tasks/configure.yml b/tasks/configure.yml index 35612a1..d5f1c94 100644 --- a/tasks/configure.yml 
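Review bot: The reworked docker handler spells the boolean as `restart: yes`, a YAML 1.1 form that yamllint's `truthy` rule rejects and that is easy to misread as a string; write `restart: true`. The same applies to `enabled: yes` and `daemon_reload: yes` in the surrounding handlers and to `accept_hostkey: yes` in the git task elsewhere in this series, if you want the file to lint cleanly once `ansible-lint` is wired into CI.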
+++ b/tasks/configure.yml @@ -25,7 +25,7 @@ loop: - "{{ matrix_synapse_config.media_store_path }}" - "{{ matrix_synapse_config.uploads_path }}" - - /opt/synapse/tls + - /opt/synapse/tls - name: Deploy config copy: diff --git a/tasks/main.yml b/tasks/main.yml index d1c9487..6ea1b0e 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -3,7 +3,7 @@ fail: msg: "Either both or neither of deployment and supervision method should be docker." when: (matrix_synapse_supervision_method == "docker" and matrix_synapse_deployment_method != "docker") or (matrix_synapse_deployment_method == "docker" and matrix_synapse_supervision_method != "docker") - + - name: configure synapse import_tasks: configure.yml diff --git a/tests/test-docker.yml b/tests/test-docker.yml index 3c26913..bb22b61 100644 --- a/tests/test-docker.yml +++ b/tests/test-docker.yml @@ -9,14 +9,14 @@ matrix_synapse_supervision_method: docker roles: - role: geerlingguy.pip - pip_install_packages: + pip_install_packages: - name: docker - role: geerlingguy.docker - role: geerlingguy.postgresql postgresql_databases: - - name: "{{ dbname }}" + - name: "{{ dbname }}" postgresql_users: - - name: "{{ dbuser }}" + - name: "{{ dbuser }}" password: "{{ dbpw }}" postgresql_global_config_options: - option: listen_addresses diff --git a/tests/test-pip.yml b/tests/test-pip.yml index d9e8ba2..04883bf 100644 --- a/tests/test-pip.yml +++ b/tests/test-pip.yml @@ -9,9 +9,9 @@ - role: geerlingguy.pip - role: geerlingguy.postgresql postgresql_databases: - - name: "{{ dbname }}" + - name: "{{ dbname }}" postgresql_users: - - name: "{{ dbuser }}" + - name: "{{ dbuser }}" password: "{{ dbpw }}" postgresql_global_config_options: - option: listen_address From fd552334b7884eee2aaf9bbfd45cf90b2c608c9f Mon Sep 17 00:00:00 2001 From: Emmanouil Kampitakis Date: Mon, 18 Feb 2019 00:39:24 +0100 Subject: [PATCH 059/167] Add Gitlab-Ci --- .gitlab-ci.yml | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 .gitlab-ci.yml 
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml new file mode 100644 index 0000000..4fc1ea3 --- /dev/null +++ b/.gitlab-ci.yml @@ -0,0 +1,24 @@ +--- +# -*- coding: utf-8 -*- + +before_script: + - apt-get update -qy + - apt-get install -y python-dev python-pip + - git submodule update --init + - pip install --upgrade ansible ansible-lint + - ansible --version + - ansible-lint --version + +stages: + - ansible-lint + - ansible-syntax-check + +ansible-lint-pip: + stage: ansible-lint + script: + - ansible-lint tests/test-pip.yml + +ansible-lint-docker: + stage: ansible-docker + script: + - ansible-lint tests/test-docker.yml From c988a6be8964b9b138f37c41db1b6fe4c696d353 Mon Sep 17 00:00:00 2001 From: Emmanouil Kampitakis Date: Mon, 18 Feb 2019 00:41:46 +0100 Subject: [PATCH 060/167] Fix typo in gitlab-ci docker --- .gitlab-ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 4fc1ea3..5d3ed4a 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -19,6 +19,6 @@ ansible-lint-pip: - ansible-lint tests/test-pip.yml ansible-lint-docker: - stage: ansible-docker + stage: ansible-lint script: - ansible-lint tests/test-docker.yml From 9a85f32686f892ecc2e5fe27e86ff3303ed66bb0 Mon Sep 17 00:00:00 2001 From: Emmanouil Kampitakis Date: Mon, 18 Feb 2019 00:47:45 +0100 Subject: [PATCH 061/167] Make the linter happy --- tasks/main.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/tasks/main.yml b/tasks/main.yml index 6ea1b0e..6608935 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
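Review bot: `pip install --upgrade ansible ansible-lint` in `before_script` installs whatever is newest on PyPI at run time, so every pipeline executes unpinned, unverified code as root in the CI image and lint results are not reproducible between runs. Pin the versions (`pip install 'ansible==X.Y.Z' 'ansible-lint==X.Y.Z'`, or a requirements file installed with `--require-hashes`) and bump them deliberately. Separately, `stages:` declares `ansible-syntax-check` but no job uses it, so nothing ever runs `ansible-playbook --syntax-check tests/test-pip.yml`; either add that job or drop the stage.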
@@ -2,7 +2,8 @@ - name: check that sypervision and deployment are compatible fail: msg: "Either both or neither of deployment and supervision method should be docker." - when: (matrix_synapse_supervision_method == "docker" and matrix_synapse_deployment_method != "docker") or (matrix_synapse_deployment_method == "docker" and matrix_synapse_supervision_method != "docker") + when: (matrix_synapse_supervision_method == "docker" and matrix_synapse_deployment_method != "docker") or + (matrix_synapse_deployment_method == "docker" and matrix_synapse_supervision_method != "docker") - name: configure synapse import_tasks: configure.yml From e51934337db845a3d564850e8b7fd455d8bb4e5c Mon Sep 17 00:00:00 2001 From: Emmanouil Kampitakis Date: Wed, 20 Feb 2019 22:13:41 +0100 Subject: [PATCH 062/167] Removed done todo's --- TODO.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/TODO.md b/TODO.md index b3c10fd..ce80ca1 100644 --- a/TODO.md +++ b/TODO.md @@ -1,3 +1 @@ -* **URGENT** Clean up the variables in README vs. "template" vs. defaults etc. -* Create the signing key (tasks/ssl.yml) with openssl rather than inline python 🤮 * Handle the random string secrets (macaroon, registration key) to ensure idempotense) From 8b60bb79c8a448f5ce4ca096f346150c4ebd0273 Mon Sep 17 00:00:00 2001 From: Emmanouil Kampitakis Date: Thu, 21 Feb 2019 01:28:13 +0100 Subject: [PATCH 063/167] Update todos --- TODO.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/TODO.md b/TODO.md index ce80ca1..97434a0 100644 --- a/TODO.md +++ b/TODO.md @@ -1 +1 @@ -* Handle the random string secrets (macaroon, registration key) to ensure idempotense) +* Make synapse base path configurable instead of hard coded to /opt/synapse From 0ff17b570e1078d1c04ae3ce3cf4b23fee1d681b Mon Sep 17 00:00:00 2001 From: Emmanouil Kampitakis Date: Thu, 21 Feb 2019 01:28:43 +0100 Subject: [PATCH 064/167] Add default value for base path and secrets directory --- defaults/main.yml | 2 ++ 1 file changed, 2 insertions(+) 
diff --git a/defaults/main.yml b/defaults/main.yml index a95c8dc..8700a4f 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -2,6 +2,8 @@ matrix_synapse_extra_config: {} matrix_synapse_deployment_method: pip matrix_synapse_supervision_method: systemd +matrix_synapse_base_path: "/opt/synapse" +matrix_synapse_secrets_path: "{{ matrix_synapse_base_path }}/secrets" matrix_synapse_dh_path: "/opt/synapse/tls/{{ matrix_server_name }}.dh" matrix_synapse_baseurl: "https://{{ matrix_server_name }}" matrix_synapse_signing_key_path: "/opt/synapse/tls/{{ matrix_server_name }}.signing.key" From 036873063c8ede6aa1f6fd0759018e6f8e13b8e2 Mon Sep 17 00:00:00 2001 From: Emmanouil Kampitakis Date: Thu, 21 Feb 2019 01:29:45 +0100 Subject: [PATCH 065/167] Generate the necessary secrets if they do not exist --- tasks/configure.yml | 25 +++++++++++++++++++++++-- tasks/generate_secret.yml | 24 ++++++++++++++++++++++++ 2 files changed, 47 insertions(+), 2 deletions(-) create mode 100644 tasks/generate_secret.yml diff --git a/tasks/configure.yml b/tasks/configure.yml index d5f1c94..e0ac0af 100644 --- a/tasks/configure.yml +++ b/tasks/configure.yml @@ -9,16 +9,37 @@ - name: create directory file: - name: /opt/synapse + path: /opt/synapse state: directory owner: synapse group: synapse tags: - pre_install +- name: Create secrets directory + file: + path: "{{ matrix_synapse_secrets_path }}" + state: directory + owner: synapse + group: synapse + tags: + - pre_install + +- name: Generate secrets + include_tasks: generate_secret.yml + loop: + - file: "macaroon.key" + var: "macaroon_file" + - file: "registration.key" + var: "registration_shared_secret_file" + - file: "form.key" + var: "form_secret_file" + loop_control: + loop_var: secret + - name: Create directory for media storage file: - name: "{{ item }}" + path: "{{ item }}" state: directory owner: synapse group: synapse diff --git a/tasks/generate_secret.yml b/tasks/generate_secret.yml new file mode 100644 index 0000000..c7fb3cb 
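Review bot: The `Create secrets directory` task sets owner and group but no `mode`, so `{{ matrix_synapse_secrets_path }}` is created with the umask default (typically 0755) and the names of the key files in it are listable by every local user; the files themselves are written 0600 in generate_secret.yml, and the directory should match. Add `mode: "0700"` to that task. The base-path `file:` task above it also has no mode, but that directory has to stay traversable if anything else reads the media store, so I would leave it alone unless you know nothing does.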
--- /dev/null +++ b/tasks/generate_secret.yml @@ -0,0 +1,24 @@ +--- +- name: Set full file path + set_fact: + secret_file_path: "{{ matrix_synapse_secrets_path }}/{{ secret.file }}" + +- name: Check if secret exists + stat: + path: "{{ secret_file_path }}" + register: secret_file_stat + +- name: Generate random string + copy: + content: "{{ lookup('password', '/dev/null chars=ascii_letters,digits length=42') }}" + dest: "{{ secret_file_path }}" + owner: synapse + group: synapse + mode: "0600" + when: + - not secret_file_stat.stat.exists + +- name: Retrieve secret + slurp: + src: "{{ secret_file_path }}" + register: "{{ secret.var }}" From e5bd140f5e318189895adc2beab3cb36c257c59c Mon Sep 17 00:00:00 2001 From: Emmanouil Kampitakis Date: Thu, 21 Feb 2019 01:31:03 +0100 Subject: [PATCH 066/167] Adjust README to reflect changes in role --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 7d9dab5..6e88e62 100644 --- a/README.md +++ b/README.md 
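Review bot: Both the `copy:` that writes the generated secret and the `slurp:` that reads it back leak the value into Ansible output: `copy` with `content:` shows it in `--diff`/verbose runs, and the variable registered as `{{ secret.var }}` is printed with `-v` and lands in any callback or log plugin. Add `no_log: true` to both tasks. Using `lookup('password', '/dev/null …')` is the right way to avoid persisting the value on the controller; a one-line comment above the `when:` saying that the file is written only once and re-read on every run would make the idempotence intent obvious to the next reader.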
@@ -24,13 +24,13 @@ The following should be present on the target system | **matrix_synapse_pg_user** | __string__ | postgresql user | | **matrix_synapse_pg_pass** | __string__ | postgresql user's password | | **matrix_synapse_pg_db** | __string__ | postgresql database | -| **matrix_synapse_macaroon_secret_key** | __string__ | matrix's macaroon key (make sure not to change it!) | -| **matrix_synapse_registration_secret** | __string__ | matrix's registration secret | ### Optional Variables | Name | Value | Description | | :--- | :--- | :--- | +| matrix_synapse_base_path | "/opt/synapse" | _This is not yet consistently used. **DO NOT RELY ON IT**. Lookout for future releases_ +| matrix_synapse_secrets_path | "{{ matrix_synapse_base_path }}/secrets" | matrix_synapse_extra_config | _None_ | configuration parameters as given in the [synapse configuration file](https://github.com/matrix-org/synapse/tree/master/docs) | | matrix_synapse_dh_path | "/opt/synapse/tls/{{ matrix_server_name }}.dh" | | matrix_synapse_baseurl | "https://{{ matrix_server_name }}" | From e573e676a5b4102562d7d5a2272cadea57d7362d Mon Sep 17 00:00:00 2001 From: Emmanouil Kampitakis Date: Thu, 21 Feb 2019 01:31:43 +0100 Subject: [PATCH 067/167] Adjust tests for changes in role --- tests/test-docker.yml | 2 -- tests/test-pip.yml | 2 -- tests/test.retry | 1 - 3 files changed, 5 deletions(-) delete mode 100644 tests/test.retry diff --git a/tests/test-docker.yml b/tests/test-docker.yml index bb22b61..98d52ef 100644 --- a/tests/test-docker.yml +++ b/tests/test-docker.yml @@ -31,7 +31,5 @@ matrix_synapse_pg_user: "{{ dbuser }}" matrix_synapse_pg_pass: "{{ dbpw }}" matrix_synapse_pg_db: "{{ dbname }}" - matrix_synapse_macaroon_secret_key: "THIS_IS_TOTALLY_SECRET_1337_L33T_HaxXxOR" - matrix_synapse_registration_secret: "waewi7Joolae8Pahh1eePhaeJubairieFuhoorie3h" matrix_synapse_extra_config: no_tls: true diff --git a/tests/test-pip.yml b/tests/test-pip.yml index 04883bf..48d32fc 100644 --- a/tests/test-pip.yml 
+++ b/tests/test-pip.yml @@ -23,7 +23,5 @@ matrix_synapse_pg_user: "{{ dbuser }}" matrix_synapse_pg_pass: "{{ dbpw }}" matrix_synapse_pg_db: "{{ dbname }}" - matrix_synapse_macaroon_secret_key: "THIS_IS_TOTALLY_SECRET_1337_L33T_HaxXxOR" - matrix_synapse_registration_secret: "ahphae6shuighahxaf9weeBahHieCh8woo6agh6UGh" matrix_synapse_extra_config: no_tls: true diff --git a/tests/test.retry b/tests/test.retry deleted file mode 100644 index 4ad96d5..0000000 --- a/tests/test.retry +++ /dev/null @@ -1 +0,0 @@ -default From cffcbbb1356797d84b2a31d14bca0c8a3ea461e7 Mon Sep 17 00:00:00 2001 From: Emmanouil Kampitakis Date: Thu, 21 Feb 2019 01:34:50 +0100 Subject: [PATCH 068/167] Use generated/retrieved secrets in the config --- vars/main.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/vars/main.yml b/vars/main.yml index 057c379..c0700f1 100644 --- a/vars/main.yml +++ b/vars/main.yml @@ -99,7 +99,9 @@ matrix_synapse_base_config: - netloc: '*.t.co' max_spider_size: "10M" enable_registration: False - registration_shared_secret: "{{ matrix_synapse_registration_secret }}" + registration_shared_secret: > + "{{ registration_shared_secret_file.content | b64decode }}" + form_secret: "{{ form_secret_file.content | b64decode }}" bcrypt_rounds: 12 allow_guest_access: False trusted_third_party_id_servers: @@ -115,7 +117,7 @@ matrix_synapse_base_config: - "m.room.name" app_service_config_files: [] track_appservice_user_ips: False - macaroon_secret_key: "{{ matrix_synapse_macaroon_secret_key }}" + macaroon_secret_key: "{{ macaroon_file.content | b64decode }}" expire_access_token: False signing_key_path: "{{ matrix_synapse_signing_key_path }}" old_signing_keys: {} From f6e9b7ce22676cc6c9856fa8f2be699affba249e Mon Sep 17 00:00:00 2001 From: Emmanouil Kampitakis Date: Thu, 21 Feb 2019 23:15:38 +0100 Subject: [PATCH 069/167] Use the configurable matrix in the defaults --- defaults/main.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
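Review bot: The new `registration_shared_secret: > "{{ … | b64decode }}"` is a folded block scalar, so as far as I can tell the value handed to synapse is the decoded secret wrapped in literal double-quote characters plus the trailing newline that `>` keeps, which will not match the bare value in `registration.key` that an operator would pass to `register_new_matrix_user`. The `form_secret` and `macaroon_secret_key` lines in the same hunk show the intended form; write it the same way: `registration_shared_secret: "{{ registration_shared_secret_file.content | b64decode }}"`. If the line was folded for length, `>-` without the inner quotes would also work, but a plain quoted scalar is clearest.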
diff --git a/defaults/main.yml b/defaults/main.yml index 8700a4f..1251879 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -4,12 +4,12 @@ matrix_synapse_deployment_method: pip matrix_synapse_supervision_method: systemd matrix_synapse_base_path: "/opt/synapse" matrix_synapse_secrets_path: "{{ matrix_synapse_base_path }}/secrets" -matrix_synapse_dh_path: "/opt/synapse/tls/{{ matrix_server_name }}.dh" +matrix_synapse_dh_path: "{{ matrix_synapse_base_path }}/tls/{{ matrix_server_name }}.dh" matrix_synapse_baseurl: "https://{{ matrix_server_name }}" -matrix_synapse_signing_key_path: "/opt/synapse/tls/{{ matrix_server_name }}.signing.key" +matrix_synapse_signing_key_path: "{{ matrix_synapse_base_path }}/tls/{{ matrix_server_name }}.signing.key" matrix_synapse_version: "v0.99.1.1" matrix_synapse_log_days_keep: 30 matrix_synapse_skip_tls: false -matrix_synapse_pid_file: /opt/synapse/synapse.pid +matrix_synapse_pid_file: "{{ matrix_synapse_base_path }}/synapse.pid" matrix_synapse_docker_ports: ["8008:8008", "8448:8448"] matrix_synapse_docker_labels: {} From 82e1d235271448d5d0fa29d38ed6fc9ddbe3ceb9 Mon Sep 17 00:00:00 2001 From: Emmanouil Kampitakis Date: Thu, 21 Feb 2019 23:16:22 +0100 Subject: [PATCH 070/167] Template the systemd file --- files/matrix-synapse.service | 16 ---------------- tasks/systemd.yml | 4 ++-- templates/matrix-synapse.service.j2 | 16 ++++++++++++++++ 3 files changed, 18 insertions(+), 18 deletions(-) delete mode 100644 files/matrix-synapse.service create mode 100644 templates/matrix-synapse.service.j2 diff --git a/files/matrix-synapse.service b/files/matrix-synapse.service deleted file mode 100644 index f9dd57e..0000000 --- a/files/matrix-synapse.service +++ /dev/null 
@@ -1,16 +0,0 @@ -[Unit] -Description="Matrix Synapse Server (synapse)" - -[Service] -Type=simple -WorkingDirectory=/opt/synapse -ExecStart=/opt/synapse/env/bin/python -m synapse.app.homeserver --config-path=/opt/synapse/homeserver.yaml --log-config=/opt/synapse/log.config -ExecStop=/opt/synapse/env/bin/synctl stop /opt/synapse/homeserver.yaml -User=synapse -Group=synapse -Restart=always -StandardOutput=syslog -SyslogIdentifier=matrix_synapse - -[Install] -WantedBy=default.target diff --git a/tasks/systemd.yml b/tasks/systemd.yml index fd89635..19e8ea9 100644 --- a/tasks/systemd.yml +++ b/tasks/systemd.yml @@ -1,7 +1,7 @@ --- - name: Deploy service file - copy: - src: "matrix-synapse.service" + template: + src: "matrix-synapse.service.j2" dest: "/etc/systemd/system/matrix-synapse.service" notify: - "reload systemd" diff --git a/templates/matrix-synapse.service.j2 b/templates/matrix-synapse.service.j2 new file mode 100644 index 0000000..2818b4e --- /dev/null +++ b/templates/matrix-synapse.service.j2 @@ -0,0 +1,16 @@ +[Unit] +Description="Matrix Synapse Server (synapse)" + +[Service] +Type=simple +WorkingDirectory={{ matrix_synapse_base_path }} +ExecStart={{ matrix_synapse_base_path }}/env/bin/python -m synapse.app.homeserver --config-path={{ matrix_synapse_base_path }}/homeserver.yaml --log-config={{ matrix_synapse_base_path }}/log.config +ExecStop={{ matrix_synapse_base_path }}/env/bin/synctl stop {{ matrix_synapse_base_path }}/homeserver.yaml +User=synapse +Group=synapse +Restart=always +StandardOutput=syslog +SyslogIdentifier=matrix_synapse + +[Install] +WantedBy=default.target From 3dc8f51ff734ffdec1cc902fe8c79c0dc6f2285e Mon Sep 17 00:00:00 2001 From: Emmanouil Kampitakis Date: Thu, 21 Feb 2019 23:17:57 +0100 Subject: [PATCH 071/167] Use matrix base path in task files --- tasks/configure.yml | 6 +++--- tasks/deployment.yml | 14 +++++++------- tasks/logging.yml | 2 +- vars/main.yml | 10 +++++----- 4 files changed, 16 insertions(+), 16 deletions(-) 
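Review bot: The unit template keeps `User=synapse`/`Group=synapse` but adds no sandboxing, so a compromise of the homeserver process has the full filesystem and privilege-escalation surface of that account. For a network service with a fixed tree under `{{ matrix_synapse_base_path }}` the usual minimum is `NoNewPrivileges=true`, `PrivateTmp=true` and `ProtectSystem=full`; `ProtectSystem=strict` with `ReadWritePaths={{ matrix_synapse_base_path }}` is tighter but needs testing against a media store placed elsewhere. `WantedBy=default.target` also reads like a leftover from a user unit; a system service is normally `WantedBy=multi-user.target`, with `After=network-online.target` so it does not start before the network. Unrelated to security, the `{{ matrix_synapse_base_path }}` substitutions in `ExecStart`/`ExecStop` are unquoted, so a base path containing spaces breaks the command lines.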
diff --git a/tasks/configure.yml b/tasks/configure.yml index e0ac0af..13e2a08 100644 --- a/tasks/configure.yml +++ b/tasks/configure.yml @@ -9,7 +9,7 @@ - name: create directory file: - path: /opt/synapse + path: "{{ matrix_synapse_base_path }}" state: directory owner: synapse group: synapse @@ -46,12 +46,12 @@ loop: - "{{ matrix_synapse_config.media_store_path }}" - "{{ matrix_synapse_config.uploads_path }}" - - /opt/synapse/tls + - "{{ matrix_synapse_base_path }}/tls" - name: Deploy config copy: content: "{{ matrix_synapse_config | to_nice_yaml }}" - dest: "/opt/synapse/homeserver.yaml" + dest: "{{ matrix_synapse_base_path }}/homeserver.yaml" owner: synapse group: synapse notify: diff --git a/tasks/deployment.yml b/tasks/deployment.yml index 6bdf6a8..7188052 100644 --- a/tasks/deployment.yml +++ b/tasks/deployment.yml @@ -29,7 +29,7 @@ - lxml - psycopg2-binary - mock - virtualenv: /opt/synapse/env + virtualenv: "{{ matrix_synapse_base_path }}/env" virtualenv_python: python2.7 extra_args: --upgrade tags: @@ -38,7 +38,7 @@ - name: Clone synapse git: repo: https://github.com/matrix-org/synapse - dest: /opt/synapse/synapse + dest: "{{ matrix_synapse_base_path }}/synapse" accept_hostkey: yes version: "{{ matrix_synapse_version }}" register: clone_synapse @@ -47,8 +47,8 @@ - name: Install Synapse pip: - name: /opt/synapse/synapse - virtualenv: /opt/synapse/env + name: "{{ matrix_synapse_base_path }}/synapse" + virtualenv: "{{ matrix_synapse_base_path }}/env" virtualenv_python: python2.7 when: clone_synapse.changed tags: 
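Review bot: The `Deploy config` task writes `homeserver.yaml` — which after this series carries `macaroon_secret_key`, `registration_shared_secret`, `form_secret` and presumably the postgres password — with `owner`/`group` but no `mode`, so the file takes the umask default (0644 in most setups) and is readable by every local user. Add `mode: "0600"` to the `copy:`; the docker branch runs the container as the same uid, so that works for both deployment methods.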
@@ -68,11 +68,11 @@ - "-m" - "synapse.app.homeserver" - "-c" - - "/opt/synapse/homeserver.yaml" + - "{{ matrix_synapse_base_path }}/homeserver.yaml" user: "{{ synapse_user.uid }}:{{ synapse_user.group }}" volumes: - "{{ matrix_synapse_config.media_store_path }}:{{ matrix_synapse_config.media_store_path }}" - "{{ matrix_synapse_config.uploads_path }}:{{ matrix_synapse_config.uploads_path }}" - - "/opt/synapse/homeserver.yaml:/opt/synapse/homeserver.yaml" - - "/opt/synapse/tls:/opt/synapse/tls" + - "{{ matrix_synapse_base_path }}/homeserver.yaml:{{ matrix_synapse_base_path }}/homeserver.yaml" + - "{{ matrix_synapse_base_path }}/tls:{{ matrix_synapse_base_path }}/tls" when: matrix_synapse_deployment_method == "docker" diff --git a/tasks/logging.yml b/tasks/logging.yml index 8929a97..8c22f7b 100644 --- a/tasks/logging.yml +++ b/tasks/logging.yml @@ -21,7 +21,7 @@ - name: Deploy log config copy: src: "log.config" - dest: "/opt/synapse/log.config" + dest: "{{ matrix_synapse_base_path }}/log.config" owner: synapse group: synapse notify: diff --git a/vars/main.yml b/vars/main.yml index c0700f1..f8f61b0 100644 --- a/vars/main.yml +++ b/vars/main.yml @@ -2,8 +2,8 @@ matrix_synapse_config: "{{ matrix_synapse_base_config | combine(matrix_synapse_extra_config, recursive=True) }}" matrix_synapse_base_config: server_name: "{{ matrix_server_name }}" - tls_certificate_path: "/opt/synapse/tls/{{ matrix_server_name }}.crt" - tls_private_key_path: "/opt/synapse/tls/{{ matrix_server_name }}.key" + tls_certificate_path: "{{ matrix_synapse_base_path }}/tls/{{ matrix_server_name }}.crt" + tls_private_key_path: "{{ matrix_synapse_base_path }}/tls/{{ matrix_server_name }}.key" acme: enabled: false url: https://acme-v01.api.letsencrypt.org/directory 
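Review bot: The bind mounts in the docker branch hand `homeserver.yaml` and the whole `tls` directory (server key, signing key, DH params) to the container read-write, although synapse only needs to read them and the base config in this commit has `acme: enabled: false`, so nothing in the container should be writing certificates. Mounting them read-only limits what a compromised container can alter: `"{{ matrix_synapse_base_path }}/homeserver.yaml:{{ matrix_synapse_base_path }}/homeserver.yaml:ro"` and the same `:ro` suffix on the `tls` line. The media store and uploads paths genuinely need to stay writable; the secrets directory is correctly not mounted at all, since its values are already templated into homeserver.yaml.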
@@ -12,7 +12,7 @@ matrix_synapse_base_config: reprovision_threshold: 30 no_tls: false tls_fingerprints: [] - pid_file: "/opt/synapse/synapse.pid" + pid_file: "{{ matrix_synapse_base_path }}/synapse.pid" soft_file_limit: 0 use_presence: true listeners: @@ -57,8 +57,8 @@ matrix_synapse_base_config: federation_rc_sleep_delay: 500 federation_rc_reject_limit: 50 federation_rc_concurrent: 3 - media_store_path: /opt/synapse/media_store - uploads_path: /opt/synapse/uploads + media_store_path: "{{ matrix_synapse_base_path }}/media_store" + uploads_path: "{{ matrix_synapse_base_path }}/uploads" max_upload_size: "23M" max_image_pixels: "32M" dynamic_thumbnails: false From 70580816f66a004fd2d8a43e739e0ab2efe8be66 Mon Sep 17 00:00:00 2001 From: Emmanouil Kampitakis Date: Thu, 21 Feb 2019 23:18:59 +0100 Subject: [PATCH 072/167] Adjust documentation to reflect work in this branch --- README.md | 4 ++-- TODO.md | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 6e88e62..f90d885 100644 --- a/README.md +++ b/README.md 
@@ -32,9 +32,9 @@ The following should be present on the target system | matrix_synapse_base_path | "/opt/synapse" | _This is not yet consistently used. **DO NOT RELY ON IT**. Lookout for future releases_ | matrix_synapse_secrets_path | "{{ matrix_synapse_base_path }}/secrets" | matrix_synapse_extra_config | _None_ | configuration parameters as given in the [synapse configuration file](https://github.com/matrix-org/synapse/tree/master/docs) | -| matrix_synapse_dh_path | "/opt/synapse/tls/{{ matrix_server_name }}.dh" | +| matrix_synapse_dh_path | "{{ matrix_synapse_base_path }}/tls/{{ matrix_server_name }}.dh" | | matrix_synapse_baseurl | "https://{{ matrix_server_name }}" | -| matrix_synapse_signing_key_path | "/opt/synapse/ssl/{{ matrix_server_name }}.signing.key" | +| matrix_synapse_signing_key_path | "{{ matrix_synapse_base_path }}/ssl/{{ matrix_server_name }}.signing.key" | | matrix_synapse_version | "v0.99.1.1" | | matrix_synapse_log_days_keep | 30 | | matrix_synapse_deployment_method | pip | Either pip or docker [¹](#footnote_1) | diff --git a/TODO.md b/TODO.md index 97434a0..8b13789 100644 --- a/TODO.md +++ b/TODO.md @@ -1 +1 @@ -* Make synapse base path configurable instead of hard coded to /opt/synapse + From 3c04ca951d48fb1e6a76837c06c66dc7a78e2fdc Mon Sep 17 00:00:00 2001 From: Emmanouil Kampitakis Date: Thu, 21 Feb 2019 23:19:47 +0100 Subject: [PATCH 073/167] Fix typo in postgresql option --- tests/test-pip.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/test-pip.yml b/tests/test-pip.yml index 48d32fc..f690b19 100644 --- a/tests/test-pip.yml +++ b/tests/test-pip.yml @@ -14,7 +14,7 @@ - name: "{{ dbuser }}" password: "{{ dbpw }}" postgresql_global_config_options: - - option: listen_address + - option: listen_addresses value: "*" - role: matrix-ansible-synapse matrix_server_name: localhost From 9df2db9e320c080b7b7e64110e4c8103b9f0ada3 Mon Sep 17 00:00:00 2001 
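Review bot: `listen_addresses: "*"` in the tests/test-pip.yml hunk makes the test database accept connections on every interface of the test host, which is more than a single-host synapse/postgres pairing needs; `localhost` is the tighter value, and if `*` is kept the test should rely on pg_hba restrictions that are not visible in this hunk. The enclosing play continues outside the hunk.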
From: =?UTF-8?q?Jan=20Christian=20Gr=C3=BCnhage?= Date: Fri, 22 Feb 2019 10:17:44 +0100 Subject: [PATCH 074/167] remove warning about matrix_synapse_base_path --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index f90d885..791bf88 100644 --- a/README.md +++ b/README.md @@ -29,7 +29,7 @@ The following should be present on the target system | Name | Value | Description | | :--- | :--- | :--- | -| matrix_synapse_base_path | "/opt/synapse" | _This is not yet consistently used. **DO NOT RELY ON IT**. Lookout for future releases_ +| matrix_synapse_base_path | "/opt/synapse" | | matrix_synapse_secrets_path | "{{ matrix_synapse_base_path }}/secrets" | matrix_synapse_extra_config | _None_ | configuration parameters as given in the [synapse configuration file](https://github.com/matrix-org/synapse/tree/master/docs) | | matrix_synapse_dh_path | "{{ matrix_synapse_base_path }}/tls/{{ matrix_server_name }}.dh" | From d5200f112218e8f411d624eb0f619aae8b7d3dfb Mon Sep 17 00:00:00 2001 From: Emmanouil Kampitakis Date: Thu, 14 Mar 2019 20:47:16 +0100 Subject: [PATCH 075/167] Fix #7: make python version configurable MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Introduced a variable that allows the python version to be configured Default is python3 Vagrant check are ok ✓ --- README.md | 1 + defaults/main.yml | 1 + tasks/deployment.yml | 6 +++--- 3 files changed, 5 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 791bf88..794f9ad 100644 --- a/README.md +++ b/README.md 
@@ -39,6 +39,7 @@ The following should be present on the target system | matrix_synapse_log_days_keep | 30 | | matrix_synapse_deployment_method | pip | Either pip or docker [¹](#footnote_1) | | matrix_synapse_supervision_method | systemd | Either systemd, runit or docker [¹](#footnote_1) | +| matrix_synapse_python_version | 3 | Default python version (2, 3) to be used | ¹: Docker must be used for both or neither deployment and supervision diff --git a/defaults/main.yml b/defaults/main.yml index 1251879..66e7ffe 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -13,3 +13,4 @@ matrix_synapse_skip_tls: false matrix_synapse_pid_file: "{{ matrix_synapse_base_path }}/synapse.pid" matrix_synapse_docker_ports: ["8008:8008", "8448:8448"] matrix_synapse_docker_labels: {} +matrix_synapse_python_version: "3" diff --git a/tasks/deployment.yml b/tasks/deployment.yml index 7188052..83b7266 100644 --- a/tasks/deployment.yml +++ b/tasks/deployment.yml @@ -30,7 +30,7 @@ - psycopg2-binary - mock virtualenv: "{{ matrix_synapse_base_path }}/env" - virtualenv_python: python2.7 + virtualenv_python: "python{{ matrix_synapse_python_version }}" extra_args: --upgrade tags: - pre_install @@ -49,7 +49,7 @@ pip: name: "{{ matrix_synapse_base_path }}/synapse" virtualenv: "{{ matrix_synapse_base_path }}/env" - virtualenv_python: python2.7 + virtualenv_python: "python{{ matrix_synapse_python_version }}" when: clone_synapse.changed tags: - skip_ansible_lint # skip when clause @@ -59,7 +59,7 @@ - name: install synapse with docker docker_container: name: synapse - image: "docker.io/matrixdotorg/synapse:{{ matrix_synapse_version }}" + image: "docker.io/matrixdotorg/synapse:{{ matrix_synapse_version }}-py{{ matrix_synapse_python_version }}" ports: "{{ matrix_synapse_docker_ports }}" labels: "{{ matrix_synapse_docker_labels }}" restart_policy: unless-stopped From 3c9116b5b1eaa096b49c4e9f45548b0f1ec9e412 Mon Sep 17 00:00:00 2001 
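Review bot: `matrix_synapse_python_version` is interpolated unchecked into `virtualenv_python: "python{{ matrix_synapse_python_version }}"` in both tasks/deployment.yml hunks and into the docker image tag `-py{{ matrix_synapse_python_version }}`, while the README row added in the first hunk documents only `2` and `3`; a value such as `2.7` yields a valid interpreter name here but, in the follow-up that templates the `-dev` package with `ternary('2.7', '3')` (patch 077), selects `python3-dev`, so the two paths disagree. An `assert` task at the top of tasks/deployment.yml, `that: matrix_synapse_python_version in ['2', '3']`, pins the contract the documentation states. Whether the upstream image publishes a `-py2` tag for every version the role can select is not visible here and worth confirming before relying on the templated tag.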
From: Emmanouil Kampitakis Date: Fri, 15 Mar 2019 00:21:26 +0100 Subject: [PATCH 076/167] Bump matrix version to 0.99.2 --- defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defaults/main.yml b/defaults/main.yml index 66e7ffe..b9269c5 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -7,7 +7,7 @@ matrix_synapse_secrets_path: "{{ matrix_synapse_base_path }}/secrets" matrix_synapse_dh_path: "{{ matrix_synapse_base_path }}/tls/{{ matrix_server_name }}.dh" matrix_synapse_baseurl: "https://{{ matrix_server_name }}" matrix_synapse_signing_key_path: "{{ matrix_synapse_base_path }}/tls/{{ matrix_server_name }}.signing.key" -matrix_synapse_version: "v0.99.1.1" +matrix_synapse_version: "v0.99.2" matrix_synapse_log_days_keep: 30 matrix_synapse_skip_tls: false matrix_synapse_pid_file: "{{ matrix_synapse_base_path }}/synapse.pid" From b79148e241f2d8af0beb7183d887a509ada90da1 Mon Sep 17 00:00:00 2001 From: Emmanouil Kampitakis Date: Fri, 15 Mar 2019 00:23:18 +0100 Subject: [PATCH 077/167] Use apropriate python version according to selected preference --- tasks/deployment.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/deployment.yml b/tasks/deployment.yml index 83b7266..88675c9 100644 --- a/tasks/deployment.yml +++ b/tasks/deployment.yml @@ -5,7 +5,7 @@ apt: name: - build-essential - - python2.7-dev + - "python{{ (matrix_synapse_python_version == '2') | ternary('2.7', '3') }}-dev" - libffi-dev - python-pip - python-setuptools From d0a2b38a70f10b6e185e4e652746adb07e913d3b Mon Sep 17 00:00:00 2001 From: Emmanouil Kampitakis Date: Fri, 15 Mar 2019 00:24:22 +0100 Subject: [PATCH 078/167] Add handler todo --- TODO.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/TODO.md b/TODO.md index 8b13789..b1ba7ce 100644 --- a/TODO.md +++ b/TODO.md @@ -1 +1 @@ - +- Write a handler to restart the systemd service when upgrading From c0ae9920d84549beb16e6f64a7e55f3e0e5e73e3 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Jan=20Christian=20Gr=C3=BCnhage?= Date: Sun, 24 Mar 2019 16:51:22 +0100 Subject: [PATCH 079/167] make log dir configurable --- defaults/main.yml | 1 + files/matrix_synapse.conf | 2 -- tasks/logging.yml | 7 ++++--- templates/syslog-synapse.conf.j2 | 2 ++ 4 files changed, 7 insertions(+), 5 deletions(-) delete mode 100644 files/matrix_synapse.conf create mode 100644 templates/syslog-synapse.conf.j2 diff --git a/defaults/main.yml b/defaults/main.yml index b9269c5..d290b22 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -8,6 +8,7 @@ matrix_synapse_dh_path: "{{ matrix_synapse_base_path }}/tls/{{ matrix_server_nam matrix_synapse_baseurl: "https://{{ matrix_server_name }}" matrix_synapse_signing_key_path: "{{ matrix_synapse_base_path }}/tls/{{ matrix_server_name }}.signing.key" matrix_synapse_version: "v0.99.2" +matrix_synapse_log_dir: "/var/log/matrix_synapse" matrix_synapse_log_days_keep: 30 matrix_synapse_skip_tls: false matrix_synapse_pid_file: "{{ matrix_synapse_base_path }}/synapse.pid" diff --git a/files/matrix_synapse.conf b/files/matrix_synapse.conf deleted file mode 100644 index 82a783d..0000000 --- a/files/matrix_synapse.conf +++ /dev/null @@ -1,2 +0,0 @@ -if $programname == 'matrix_synapse' then /var/log/matrix_synapse/matrix_synapse.log -if $programname == 'matrix_synapse' then ~ diff --git a/tasks/logging.yml b/tasks/logging.yml index 8c22f7b..3ac0c76 100644 --- a/tasks/logging.yml +++ b/tasks/logging.yml @@ -1,14 +1,14 @@ --- - name: create logging folder file: - name: /var/log/synapse/ + name: "{{ matrix_synapse_log_dir }}" state: directory owner: synapse group: synapse - name: copy syslog config - copy: - src: matrix_synapse.conf + template: + src: syslog-synapse.conf.j2 dest: /etc/rsyslog.d/matrix_synapse.conf owner: root notify: restart rsyslog @@ -17,6 +17,7 @@ template: src: logrotate.j2 dest: /etc/logrotate.d/matrix_synapse + owner: root - name: Deploy log config copy: 
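Review bot: The `create logging folder` task in the tasks/logging.yml hunk creates `{{ matrix_synapse_log_dir }}` with `owner`/`group` but no `mode`, so the log directory inherits the umask and is usually world-readable; a `mode: "0750"` line after `group: synapse` keeps the synapse logs to the service account and root. The new rsyslog template writes `matrix_synapse.log` into this synapse-owned directory, which works while rsyslog runs as root but will fail if it is configured to drop privileges, so a short comment on the task noting that assumption would help the next maintainer. The remaining tasks of the file continue outside the hunk.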
diff --git a/templates/syslog-synapse.conf.j2 b/templates/syslog-synapse.conf.j2 new file mode 100644 index 0000000..d98c550 --- /dev/null +++ b/templates/syslog-synapse.conf.j2 @@ -0,0 +1,2 @@ +if $programname == 'matrix_synapse' then {{ matrix_synapse_log_dir }}/matrix_synapse.log +if $programname == 'matrix_synapse' then ~ From f9e3bcf3c872cc954010c81fef1d45169205b995 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20Christian=20Gr=C3=BCnhage?= Date: Sun, 24 Mar 2019 17:06:43 +0100 Subject: [PATCH 080/167] document changes to tls handling --- README.md | 4 ++-- defaults/main.yml | 1 - 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 794f9ad..0335ec0 100644 --- a/README.md +++ b/README.md @@ -17,8 +17,8 @@ The following should be present on the target system | Name | Type | Description | | :--- | :--- | :--- | | **matrix_server_name** | __string__ | | -| **matrix_synapse_tls_cert** | __string__ | server's TLS certificate chain (_when matrix_synapse_skip_tls not set_)| -| **matrix_synapse_tls_key** | __string__ | server's TLS key (_when matrix_synapse_skip_tls not set_)| +| **matrix_synapse_tls_cert** | __string__ | server's TLS certificate chain (_when matrix_synapse_extra_config.no_tls is set to true_)| +| **matrix_synapse_tls_key** | __string__ | server's TLS key (_when matrix_synapse_extra_config.no_tls is set to true_)| | **matrix_synapse_report_stats** | __bool__ | Report the stats to matrix.org | | **matrix_synapse_pg_host** | __sting__ | postgresql server | | **matrix_synapse_pg_user** | __string__ | postgresql user | diff --git a/defaults/main.yml b/defaults/main.yml index b9269c5..f20ad54 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -9,7 +9,6 @@ matrix_synapse_baseurl: "https://{{ matrix_server_name }}" matrix_synapse_signing_key_path: "{{ matrix_synapse_base_path }}/tls/{{ matrix_server_name }}.signing.key" matrix_synapse_version: "v0.99.2" matrix_synapse_log_days_keep: 30 -matrix_synapse_skip_tls: false matrix_synapse_pid_file: "{{ matrix_synapse_base_path }}/synapse.pid" matrix_synapse_docker_ports: ["8008:8008", "8448:8448"] matrix_synapse_docker_labels: {} From 78452b98ebfbd509dde970f4dab62538eb0ddbf6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20Christian=20Gr=C3=BCnhage?= Date: Sun, 24 Mar 2019 17:07:00 +0100 Subject: [PATCH 081/167] update default version in README --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 0335ec0..f30239c 100644 --- a/README.md +++ b/README.md @@ -35,7 +35,7 @@ The following should be present on the target system | matrix_synapse_dh_path | "{{ matrix_synapse_base_path }}/tls/{{ matrix_server_name }}.dh" | | matrix_synapse_baseurl | "https://{{ matrix_server_name }}" | | matrix_synapse_signing_key_path | "{{ matrix_synapse_base_path }}/ssl/{{ matrix_server_name }}.signing.key" | -| matrix_synapse_version | "v0.99.1.1" | +| matrix_synapse_version | "v0.99.2" | | matrix_synapse_log_days_keep | 30 | | matrix_synapse_deployment_method | pip | Either pip or docker [¹](#footnote_1) | | matrix_synapse_supervision_method | systemd | Either systemd, runit or docker [¹](#footnote_1) | From 3daaeb213de9e5c09e98799aa4cbcf9d5f3d6848 Mon Sep 17 00:00:00 2001 From: Emmanouil Kampitakis Date: Mon, 8 Apr 2019 20:30:53 +0200 Subject: [PATCH 082/167] Bumb synapse version to v0.99.3 --- README.md | 2 +- defaults/main.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 794f9ad..ee9fa07 100644 --- a/README.md +++ b/README.md 
@@ -35,7 +35,7 @@ The following should be present on the target system | matrix_synapse_dh_path | "{{ matrix_synapse_base_path }}/tls/{{ matrix_server_name }}.dh" | | matrix_synapse_baseurl | "https://{{ matrix_server_name }}" | | matrix_synapse_signing_key_path | "{{ matrix_synapse_base_path }}/ssl/{{ matrix_server_name }}.signing.key" | -| matrix_synapse_version | "v0.99.1.1" | +| matrix_synapse_version | "v0.99.3" | | matrix_synapse_log_days_keep | 30 | | matrix_synapse_deployment_method | pip | Either pip or docker [¹](#footnote_1) | | matrix_synapse_supervision_method | systemd | Either systemd, runit or docker [¹](#footnote_1) | diff --git a/defaults/main.yml b/defaults/main.yml index b9269c5..6742314 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -7,7 +7,7 @@ matrix_synapse_secrets_path: "{{ matrix_synapse_base_path }}/secrets" matrix_synapse_dh_path: "{{ matrix_synapse_base_path }}/tls/{{ matrix_server_name }}.dh" matrix_synapse_baseurl: "https://{{ matrix_server_name }}" matrix_synapse_signing_key_path: "{{ matrix_synapse_base_path }}/tls/{{ matrix_server_name }}.signing.key" -matrix_synapse_version: "v0.99.2" +matrix_synapse_version: "v0.99.3" matrix_synapse_log_days_keep: 30 matrix_synapse_skip_tls: false matrix_synapse_pid_file: "{{ matrix_synapse_base_path }}/synapse.pid" From 0b606fcc31b2aca41c2c67487f05e68a9774a2e7 Mon Sep 17 00:00:00 2001 From: Emmanouil Kampitakis Date: Mon, 8 Apr 2019 21:34:31 +0200 Subject: [PATCH 083/167] Add api test to both environments --- tests/test-docker.yml | 11 +++++++++++ tests/test-pip.yml | 11 +++++++++++ 2 files changed, 22 insertions(+) diff --git a/tests/test-docker.yml b/tests/test-docker.yml index 98d52ef..9a8117d 100644 --- a/tests/test-docker.yml +++ b/tests/test-docker.yml 
@@ -1,6 +1,17 @@ --- - hosts: all become: true + tasks: + - name: Check if the api returns the correct version + uri: + url: "http://localhost:8008/_matrix/federation/v1/version" + return_content: true + register: api_version + + - name: Check returned api version + fail: > + Return value is not as expected {{ api_version }} + when: matrix_synapse_version != "v"~(api_version.content | from_json).server.version vars: dbname: synapse dbuser: synapse_user diff --git a/tests/test-pip.yml b/tests/test-pip.yml index f690b19..28d24f7 100644 --- a/tests/test-pip.yml +++ b/tests/test-pip.yml @@ -5,6 +5,17 @@ dbname: synapse dbuser: synapse_user dbpw: synapse_password + tasks: + - name: Check if the api returns the correct version + uri: + url: "http://localhost:8008/_matrix/federation/v1/version" + return_content: true + register: api_version + + - name: Check returned api version + fail: > + Return value is not as expected {{ api_version }} + when: matrix_synapse_version != "v"~(api_version.content | from_json).server.version roles: - role: geerlingguy.pip - role: geerlingguy.postgresql From 848e75dab6f03f09ad73c5f544846a940957f389 Mon Sep 17 00:00:00 2001 From: Emmanouil Kampitakis Date: Mon, 8 Apr 2019 23:12:17 +0200 Subject: [PATCH 084/167] Add retries to the http connection test and flush handlers --- tests/test-docker.yml | 6 ++++++ tests/test-pip.yml | 6 ++++++ 2 files changed, 12 insertions(+) diff --git a/tests/test-docker.yml b/tests/test-docker.yml index 9a8117d..5352b68 100644 --- a/tests/test-docker.yml +++ b/tests/test-docker.yml @@ -2,11 +2,17 @@ - hosts: all become: true tasks: + - name: Flush handlers + meta: flush_handlers + - name: Check if the api returns the correct version uri: url: "http://localhost:8008/_matrix/federation/v1/version" return_content: true register: api_version + until: api_version.status == 200 + retries: 10 + delay: 2 - name: Check returned api version fail: 
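Review bot: In both hunks `fail: >` hands the folded message to the module as a bare string instead of through `msg:`, which, as far as the `fail` module's argument spec goes, is not an accepted form; write it as `fail:` followed by `msg: "Return value is not as expected {{ api_version }}"`. In both tests/test-docker.yml and tests/test-pip.yml the new `tasks:` list is placed above `roles:`, which reads as if the version check ran before the role; Ansible always runs `tasks` after `roles`, so the order is correct at runtime, but listing `roles:` first keeps the file from misleading the reader.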
> diff --git a/tests/test-pip.yml b/tests/test-pip.yml index 28d24f7..37ea470 100644 --- a/tests/test-pip.yml +++ b/tests/test-pip.yml @@ -6,11 +6,17 @@ dbuser: synapse_user dbpw: synapse_password tasks: + - name: Flush handlers + meta: flush_handlers + - name: Check if the api returns the correct version uri: url: "http://localhost:8008/_matrix/federation/v1/version" return_content: true register: api_version + until: api_version.status == 200 + retries: 10 + delay: 2 - name: Check returned api version fail: > From cf599530c18ad10dafe6de09a72cd0332e766137 Mon Sep 17 00:00:00 2001 From: Emmanouil Kampitakis Date: Tue, 9 Apr 2019 00:30:30 +0200 Subject: [PATCH 085/167] Notify restart handler when synapse is installed --- tasks/deployment.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/tasks/deployment.yml b/tasks/deployment.yml index 88675c9..b4850da 100644 --- a/tasks/deployment.yml +++ b/tasks/deployment.yml @@ -54,6 +54,7 @@ tags: - skip_ansible_lint # skip when clause - pre_install + notify: restart matrix-synapse when: matrix_synapse_deployment_method == "pip" - name: install synapse with docker From d81a3b493fcbecf93472fe77ebbac720105271fc Mon Sep 17 00:00:00 2001 From: Emmanouil Kampitakis Date: Tue, 9 Apr 2019 00:31:18 +0200 Subject: [PATCH 086/167] Fix fail such that the message returns the expected and the received version --- tests/test-pip.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/test-pip.yml b/tests/test-pip.yml index 37ea470..156e607 100644 --- a/tests/test-pip.yml +++ b/tests/test-pip.yml @@ -19,8 +19,8 @@ delay: 2 - name: Check returned api version - fail: > - Return value is not as expected {{ api_version }} + fail: + msg: "Return value {{ api_version }} is not as expected {{ matrix_synapse_version }}" when: matrix_synapse_version != "v"~(api_version.content | from_json).server.version roles: - role: geerlingguy.pip From 0ed19f65316f5c374efff32080a9764053ce32f6 Mon Sep 17 00:00:00 2001 
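Review bot: This hunk switches tests/test-pip.yml to `fail:` with an explicit `msg:`, but the identical check in tests/test-docker.yml (added in patch 083 and extended in patch 084) keeps the `fail: >` folded-string form, so the two test environments now diverge on a version mismatch; apply the same two lines there. The message still interpolates the whole `{{ api_version }}` result rather than the extracted version, so a failure prints the full HTTP response; `(api_version.content | from_json).server.version` is the value that actually matters.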
From: Emmanouil Kampitakis Date: Tue, 7 May 2019 00:12:28 +0200 Subject: [PATCH 087/167] Bump synapse version to 0.99.3.2 --- defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defaults/main.yml b/defaults/main.yml index 45f72c7..702cc9b 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -7,7 +7,7 @@ matrix_synapse_secrets_path: "{{ matrix_synapse_base_path }}/secrets" matrix_synapse_dh_path: "{{ matrix_synapse_base_path }}/tls/{{ matrix_server_name }}.dh" matrix_synapse_baseurl: "https://{{ matrix_server_name }}" matrix_synapse_signing_key_path: "{{ matrix_synapse_base_path }}/tls/{{ matrix_server_name }}.signing.key" -matrix_synapse_version: "v0.99.3" +matrix_synapse_version: "v0.99.3.2" matrix_synapse_log_dir: "/var/log/matrix_synapse" matrix_synapse_log_days_keep: 30 matrix_synapse_pid_file: "{{ matrix_synapse_base_path }}/synapse.pid" From 5a05d4cb84ba4dfdaa804629c20ad94fd11bb382 Mon Sep 17 00:00:00 2001 From: Emmanouil Kampitakis Date: Wed, 15 May 2019 01:04:06 +0200 Subject: [PATCH 088/167] Download and configure the riot webapp --- tasks/download.yml | 28 ++++++++++++++++++++++++++++ tasks/main.yml | 8 ++++++++ 2 files changed, 36 insertions(+) create mode 100644 tasks/download.yml create mode 100644 tasks/main.yml diff --git a/tasks/download.yml b/tasks/download.yml new file mode 100644 index 0000000..0409b2c --- /dev/null +++ b/tasks/download.yml 
@@ -0,0 +1,28 @@ +--- +- name: Download riot v{{ riot_version }} + get_url: + url: "https://github.com/vector-im/riot-web/releases/download/v{{ riot_version }}/riot-v{{ riot_version }}.tar.gz" + dest: "/tmp/riot-v{{ riot_version }}.tar.gz" + +- name: Download riot v{{ riot_version }} + get_url: + url: "https://github.com/vector-im/riot-web/releases/download/v{{ riot_version }}/riot-v{{ riot_version }}.tar.gz.asc" + dest: "/tmp/riot-v{{ riot_version }}.tar.gz.asc" + +- name: Retrieve the Riot release key + command: >- + gpg --no-default-keyring --keyring /tmp/riot-key + --recv-keys 5EA7E0F70461A3BCBEBE4D5EF6151806032026F9 + +- name: "Verify riot v{{ riot_version }}'s signature" + command: >- + gpg --no-default-keyring --keyring /tmp/riot-key + --verify /tmp/riot-v{{ riot_version }}.tar.gz.asc + /tmp/riot-v{{ riot_version }}.tar.gz + register: riot_tarball_verification + +- name: Unpack riot + unarchive: + src: "/tmp/riot-v{{ riot_version }}.tar.gz" + dest: "{{ riot_webapp_dir }}" + when: riot_tarball_verification.rc == 0 diff --git a/tasks/main.yml b/tasks/main.yml new file mode 100644 index 0000000..3314368 --- /dev/null +++ b/tasks/main.yml @@ -0,0 +1,8 @@ +--- +- name: Download and install riot web app + import_tasks: download.yml + +- name: Write configuration + copy: + content: "{{ riot_config | to_nice_json }}" + dest: "{{ riot_webapp_dir }}/riot-v{{ riot_version }}/config.json" From 49b27875cb144e3c40d578cce8d3423238a4320b Mon Sep 17 00:00:00 2001 
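Review bot: The `Unpack riot` task closing the tasks/download.yml hunk has no `remote_src: true`, so `unarchive` looks for `/tmp/riot-v{{ riot_version }}.tar.gz` on the controller instead of on the host where `get_url` saved it; add `remote_src: true` under `unarchive:`. The `when: riot_tarball_verification.rc == 0` guard on that task is dead, because `command` fails the play on a non-zero exit and the task is never reached with `rc != 0`; drop it, or add `failed_when: false` to the verify task if skipping rather than aborting is intended. The tarball, its signature and the keyring all sit at fixed, predictable paths in the shared /tmp, where a pre-existing `/tmp/riot-key` holding some other key would be accepted by `--verify` alongside the release key; keeping these files in a role-owned directory (or one obtained from the `tempfile` module) and checking gpg's `--status-fd` output for the expected fingerprint closes that gap. Finally, the two `get_url` tasks share the name `Download riot v{{ riot_version }}`, and both `command` tasks report `changed` on every run, so `changed_when: false` on the key retrieval keeps the play idempotent.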
From: Emmanouil Kampitakis Date: Wed, 15 May 2019 01:04:25 +0200 Subject: [PATCH 089/167] Add default values --- .yamllint | 11 ++++ README.md | 48 +++++++++++++++ defaults/main.yml | 34 ++++++++++ handlers/main.yml | 2 + meta/main.yml | 58 ++++++++++++++++++ molecule/default/Dockerfile.j2 | 14 +++++ molecule/default/INSTALL.rst | 22 +++++++ molecule/default/molecule.yml | 18 ++++++ molecule/default/playbook.yml | 5 ++ .../__pycache__/test_default.cpython-37.pyc | Bin 0 -> 716 bytes molecule/default/tests/test_default.py | 14 +++++ vars/main.yml | 2 + 12 files changed, 228 insertions(+) create mode 100644 .yamllint create mode 100644 README.md create mode 100644 defaults/main.yml create mode 100644 handlers/main.yml create mode 100644 meta/main.yml create mode 100644 molecule/default/Dockerfile.j2 create mode 100644 molecule/default/INSTALL.rst create mode 100644 molecule/default/molecule.yml create mode 100644 molecule/default/playbook.yml create mode 100644 molecule/default/tests/__pycache__/test_default.cpython-37.pyc create mode 100644 molecule/default/tests/test_default.py create mode 100644 vars/main.yml diff --git a/.yamllint b/.yamllint new file mode 100644 index 0000000..ad0be76 --- /dev/null +++ b/.yamllint @@ -0,0 +1,11 @@ +extends: default + +rules: + braces: + max-spaces-inside: 1 + level: error + brackets: + max-spaces-inside: 1 + level: error + line-length: disable + truthy: disable diff --git a/README.md b/README.md new file mode 100644 index 0000000..680ce23 --- /dev/null +++ b/README.md 
@@ -0,0 +1,48 @@ +Role Name +========= + +A brief description of the role goes here. + +Requirements +------------ + +Any pre-requisites that may not be covered by Ansible itself or the role should +be mentioned here. For instance, if the role uses the EC2 module, it may be a +good idea to mention in this section that the boto package is required. + +Role Variables +-------------- + +A description of the settable variables for this role should go here, including +any variables that are in defaults/main.yml, vars/main.yml, and any variables +that can/should be set via parameters to the role. Any variables that are read +from other roles and/or the global scope (ie. hostvars, group vars, etc.) should +be mentioned here as well. + +Dependencies +------------ + +A list of other roles hosted on Galaxy should go here, plus any details in +regards to parameters that may need to be set for other roles, or variables that +are used from other roles. + +Example Playbook +---------------- + +Including an example of how to use your role (for instance, with variables +passed in as parameters) is always nice for users too: + + - hosts: servers + roles: + - { role: ansible-riot-webapp, x: 42 } + +License +------- + +BSD + +Author Information +------------------ + +An optional section for the role authors to include contact information, or a +website (HTML is not allowed). diff --git a/defaults/main.yml b/defaults/main.yml new file mode 100644 index 0000000..4490876 --- /dev/null +++ b/defaults/main.yml 
@@ -0,0 +1,34 @@ +--- +riot_version: 1.1.1 +riot_webapp_dir: /opt/riot/ +riot_config: + brand: Riot + bug_report_endpoint_url: https://riot.im/bugreports/submit + default_federate: true + default_hs_url: https://matrix.org + default_is_url: https://vector.im + default_theme: light + disable_3pid_login: false + disable_custom_urls: false + disable_guests: false + disable_login_language_selector: false + enable_presence_by_hs_url: + 'https://matrix.org': false + features: + feature_groups: labs + feature_pinning: labs + integrations_jitsi_widget_url: https://scalar.vector.im/api/widgets/jitsi.html + integrations_rest_url: https://scalar.vector.im/api + integrations_ui_url: https://scalar.vector.im/ + piwik: + siteId: 1 + url: https://piwik.riot.im/ + whitelistedHSUrls: + - 'https://matrix.org' + whitelistedISUrls: + - 'https://vector.im' + - 'https://matrix.org' + roomDirectory: + servers: + - matrix.org + welcomeUserId: '@riot-bot:matrix.org' diff --git a/handlers/main.yml b/handlers/main.yml new file mode 100644 index 0000000..bee16e0 --- /dev/null +++ b/handlers/main.yml @@ -0,0 +1,2 @@ +--- +# handlers file for ansible-riot-webapp diff --git a/meta/main.yml b/meta/main.yml new file mode 100644 index 0000000..ba43fdd --- /dev/null +++ b/meta/main.yml 
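Review bot: `riot_version: 1.1.1` is a plain scalar that happens to stay a string, but a two-component release such as `1.1` or `1.10` would be parsed as the float `1.1` and silently break the release URL built in tasks/download.yml; quote it as `riot_version: "1.1.1"` so every value stays a string. `riot_webapp_dir: /opt/riot/` carries a trailing slash while tasks/main.yml appends `/riot-v{{ riot_version }}/config.json`, giving a doubled slash in the path; drop the trailing slash or strip it at the use site. The shipped `riot_config` also carries the `piwik` block, which appears to turn on usage analytics by default (worth confirming against upstream's config documentation) and deserves a mention in the README so deployers know to override it.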
@@ -0,0 +1,58 @@ +--- +galaxy_info: + author: your name + description: your description + company: your company (optional) + + # If the issue tracker for your role is not on github, uncomment the + # next line and provide a value + # issue_tracker_url: http://example.com/issue/tracker + + # Some suggested licenses: + # - BSD (default) + # - MIT + # - GPLv2 + # - GPLv3 + # - Apache + # - CC-BY + license: license (GPLv2, CC-BY, etc) + + min_ansible_version: 1.2 + + # If this a Container Enabled role, provide the minimum Ansible Container version. + # min_ansible_container_version: + + # Optionally specify the branch Galaxy will use when accessing the GitHub + # repo for this role. During role install, if no tags are available, + # Galaxy will use this branch. During import Galaxy will access files on + # this branch. If Travis integration is configured, only notifications for this + # branch will be accepted. Otherwise, in all cases, the repo's default branch + # (usually master) will be used. + # github_branch: + + # + # platforms is a list of platforms, and each platform has a name and a list of versions. + # + # platforms: + # - name: Fedora + # versions: + # - all + # - 25 + # - name: SomePlatform + # versions: + # - all + # - 1.0 + # - 7 + # - 99.99 + + galaxy_tags: [] + # List tags for your role here, one per line. A tag is a keyword that describes + # and categorizes the role. Users find roles by searching for tags. Be sure to + # remove the '[]' above, if you add tags to this list. + # + # NOTE: A tag is limited to a single word comprised of alphanumeric characters. + # Maximum 20 tags per role. + +dependencies: [] +# List your role dependencies here, one per line. Be sure to remove the '[]' above, +# if you add dependencies to this list. diff --git a/molecule/default/Dockerfile.j2 b/molecule/default/Dockerfile.j2 new file mode 100644 index 0000000..e6aa95d --- /dev/null +++ b/molecule/default/Dockerfile.j2 
@@ -0,0 +1,14 @@ +# Molecule managed + +{% if item.registry is defined %} +FROM {{ item.registry.url }}/{{ item.image }} +{% else %} +FROM {{ item.image }} +{% endif %} + +RUN if [ $(command -v apt-get) ]; then apt-get update && apt-get install -y python sudo bash ca-certificates && apt-get clean; \ + elif [ $(command -v dnf) ]; then dnf makecache && dnf --assumeyes install python sudo python-devel python*-dnf bash && dnf clean all; \ + elif [ $(command -v yum) ]; then yum makecache fast && yum install -y python sudo yum-plugin-ovl bash && sed -i 's/plugins=0/plugins=1/g' /etc/yum.conf && yum clean all; \ + elif [ $(command -v zypper) ]; then zypper refresh && zypper install -y python sudo bash python-xml && zypper clean -a; \ + elif [ $(command -v apk) ]; then apk update && apk add --no-cache python sudo bash ca-certificates; \ + elif [ $(command -v xbps-install) ]; then xbps-install -Syu && xbps-install -y python sudo bash ca-certificates && xbps-remove -O; fi diff --git a/molecule/default/INSTALL.rst b/molecule/default/INSTALL.rst new file mode 100644 index 0000000..6a44bde --- /dev/null +++ b/molecule/default/INSTALL.rst @@ -0,0 +1,22 @@ +******* +Docker driver installation guide +******* + +Requirements +============ + +* Docker Engine + +Install +======= + +Please refer to the `Virtual environment`_ documentation for installation best +practices. If not using a virtual environment, please consider passing the +widely recommended `'--user' flag`_ when invoking ``pip``. + +.. _Virtual environment: https://virtualenv.pypa.io/en/latest/ +.. _'--user' flag: https://packaging.python.org/tutorials/installing-packages/#installing-to-the-user-site + +.. code-block:: bash + + $ pip install 'molecule[docker]' diff --git a/molecule/default/molecule.yml b/molecule/default/molecule.yml new file mode 100644 index 0000000..65faca2 --- /dev/null +++ b/molecule/default/molecule.yml 
@@ -0,0 +1,18 @@ +--- +dependency: + name: galaxy +driver: + name: docker +lint: + name: yamllint +platforms: + - name: instance + image: centos:7 +provisioner: + name: ansible + lint: + name: ansible-lint +verifier: + name: testinfra + lint: + name: flake8 diff --git a/molecule/default/playbook.yml b/molecule/default/playbook.yml new file mode 100644 index 0000000..63e903a --- /dev/null +++ b/molecule/default/playbook.yml @@ -0,0 +1,5 @@ +--- +- name: Converge + hosts: all + roles: + - role: ansible-riot-webapp diff --git a/molecule/default/tests/__pycache__/test_default.cpython-37.pyc b/molecule/default/tests/__pycache__/test_default.cpython-37.pyc new file mode 100644 index 0000000000000000000000000000000000000000..5854326dab20784f4854f1955284b0cf14289456 GIT binary patch literal 716 zcmZWn&2AGh5VpO$X|j+Yp-PAg2W~kuiv&VKst|3pNR>h=l^=-}(rQ_Ii#Hp4WqYfJ zHW$PT@CM0|XWAf)V=B1{?9gc?PN< zgQ1Ax3MK0sCxnsGEB$4_P}!m6E?VK`7WGy*=~ABtpHb4I_$3;4enKyrBzImMjpKvY z<2XH>yoo2Tj*j1^&kx73^|GqUVY3qg)&o5N)sMhjpe5{G;RU|HCDz-9d}=+9k}1*m z|3tov9<&ifu+y7-3?pXp=!4WoTVF|OhJp19UNPHYXS~f0_Oxcoa4BM?q_Tbkp$$%y zZ0aGge%ott@fE2XfaBM<$js`f=JgI2+5qOAvs9JyDdo{jRxEES_Sea!oN~w+!&Ibm zCNjlkbjlPjIAjddhKoXF(fRq+($Qv8O1WaWk!rqJT(8-TOGP$g|37b*{4=6mm{L|` zO=U*)+}?5t$4=Uk(rfANf-X2Yp`2PoN^^a(mP=$btn>t$Z@hxH~^0ME9NGEvfbU8q`>ym_Rl!b KT>=N+_I?APWZOsp literal 0 HcmV?d00001 diff --git a/molecule/default/tests/test_default.py b/molecule/default/tests/test_default.py new file mode 100644 index 0000000..eedd64a --- /dev/null +++ b/molecule/default/tests/test_default.py @@ -0,0 +1,14 @@ +import os + +import testinfra.utils.ansible_runner + +testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner( + os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('all') + + +def test_hosts_file(host): + f = host.file('/etc/hosts') + + assert f.exists + assert f.user == 'root' + assert f.group == 'root' diff --git a/vars/main.yml b/vars/main.yml new file mode 100644 index 0000000..4abe14c --- /dev/null +++ b/vars/main.yml 
@@ -0,0 +1,2 @@ +--- +# vars file for ansible-riot-webapp From 923d2a0777fba9ccac39e119c7197cb4953d87a5 Mon Sep 17 00:00:00 2001 From: Emmanouil Kampitakis Date: Thu, 16 May 2019 00:40:16 +0200 Subject: [PATCH 090/167] m --- molecule/default/molecule.yml | 12 +++++++++++- molecule/default/playbook.yml | 8 ++++++++ molecule/default/requirements.yml | 2 ++ .../test_default.cpython-37-PYTEST.pyc | Bin 0 -> 1930 bytes molecule/default/yamllint.yml | 12 ++++++++++++ 5 files changed, 33 insertions(+), 1 deletion(-) create mode 100644 molecule/default/requirements.yml create mode 100644 molecule/default/tests/__pycache__/test_default.cpython-37-PYTEST.pyc create mode 100644 molecule/default/yamllint.yml diff --git a/molecule/default/molecule.yml b/molecule/default/molecule.yml index 65faca2..4ea2241 100644 --- a/molecule/default/molecule.yml +++ b/molecule/default/molecule.yml @@ -5,13 +5,23 @@ driver: name: docker lint: name: yamllint + options: + config-file: molecule/default/yamllint.yml platforms: - name: instance - image: centos:7 + image: "geerlingguy/docker-${MOLECULE_DISTRO:-debian9}-ansible" + command: ${MOLECULE_DOCKER_COMMAND:-""} + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:ro + pre_build_image: true provisioner: name: ansible lint: name: ansible-lint + playbooks: + converge: ${MOLECULE_PLAYBOOK:-playbook.yml} +scenario: + name: default verifier: name: testinfra lint: diff --git a/molecule/default/playbook.yml b/molecule/default/playbook.yml index 63e903a..bca06a8 100644 --- a/molecule/default/playbook.yml +++ b/molecule/default/playbook.yml @@ -1,5 +1,13 @@ --- - name: Converge hosts: all + pre_tasks: + - name: install gpg + apt: + state: present + name: + - gpg + - dirmngr + become: true roles: - role: ansible-riot-webapp diff --git a/molecule/default/requirements.yml b/molecule/default/requirements.yml new file mode 100644 index 0000000..bc70a27 --- /dev/null +++ b/molecule/default/requirements.yml @@ -0,0 +1,2 @@ +--- +- role: geerlingguy.nginx 
diff --git a/molecule/default/tests/__pycache__/test_default.cpython-37-PYTEST.pyc b/molecule/default/tests/__pycache__/test_default.cpython-37-PYTEST.pyc new file mode 100644 index 0000000000000000000000000000000000000000..98717618200986c1c15006770621cf16314bc706 GIT binary patch literal 1930 zcmcIk&yU+g6rQmi$MGiF?e+&PLMW;P)To<4=~9qb)TP}@D{a$i`K4M&#+#XBopo$$ zX54LpbD^A&ka|W%+8p_3IB`J3k<pCCxC7 zd!R{QF3eRJw_xx$41@}F1d3*OiVHl%Q=>2lI&j!+Vh}S1eNz*Z8N`aMQDtgjR9J;c zDvy?rH zsLb$V{5>$j>Uh|g8l*n83!|_PjA^x~YCXTdlAgv~PxT4rcYwP|nnksb$+BYW8#C)4 zjS%5LgjV?kvsJC_Uph5rgWi>=Cg^p@8M0b95eB<9*Iql(Zh?9jRZxzH%P-0SR{8mr zvN(I1g~96!S)6-e7QZcI@yCCc1wpX4&UYtnhl*ZjKjnfmwTV0|U%x*Vl#5NyDHFT& zkVS%i9kL`!2HEodFU+#eD2-_^k7YyOH*;&(3N^-Y;1UVa`h!NkUVpzt&Ng+-Q%9g z)EQ+$_B{8Bv{bIrF4fEPL8e>TRy~6j1!A00 z&P=toGsien|1Vj;nT>n>a41yT3u7)_Kvk84kjaYy-%s$Y!nK;VZtO7QJP3gRYjf&V2N0>_0mxmGAb)NC(o6Z z+K{ZKge@syWr^O`%C%l!!zK3zi!s+1U*?`N?8DMizI^m6Vs8Wev;S`+%4JA5$Q`APg;BBJ%9Czo@CpfzTJl=|QPI|^J03a`& zbiAw>RJ+Z}6D(_|kgU!zc2Rv}q}+c~X^oOT3){JfV&0w~z<}jR0?n$O`ej82_|4}d z{KjT^WOvICsx)~RF=%#eKt-U7P!>clQUW>$-G+tf9VN;6WRwy(>Yu7#5?3eML956y I;Kr-w-{x8~D*ylh literal 0 HcmV?d00001 diff --git a/molecule/default/yamllint.yml b/molecule/default/yamllint.yml new file mode 100644 index 0000000..c5ae64b --- /dev/null +++ b/molecule/default/yamllint.yml @@ -0,0 +1,12 @@ +--- +extends: default + +rules: + braces: + max-spaces-inside: 1 + level: error + brackets: + max-spaces-inside: 1 + level: error + line-length: disable + truthy: disable From 865223e45b31469ce94140d9ca9f0da5a02c4981 Mon Sep 17 00:00:00 2001 From: Emmanouil Kampitakis Date: Thu, 16 May 2019 00:41:26 +0200 Subject: [PATCH 091/167] Remove trailing whitespaces --- defaults/main.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 4490876..b40b71b 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -14,7 +14,7 @@ riot_config: disable_login_language_selector: false enable_presence_by_hs_url: 'https://matrix.org': false - features: + features: feature_groups: labs feature_pinning: labs integrations_jitsi_widget_url: https://scalar.vector.im/api/widgets/jitsi.html @@ -25,10 +25,10 @@ riot_config: url: https://piwik.riot.im/ whitelistedHSUrls: - 'https://matrix.org' - whitelistedISUrls: + whitelistedISUrls: - 'https://vector.im' - 'https://matrix.org' roomDirectory: - servers: + servers: - matrix.org welcomeUserId: '@riot-bot:matrix.org' From 449504e17ae7130bc5f3b54e9dcdef6cbc4e2b2c Mon Sep 17 00:00:00 2001 From: Emmanouil Kampitakis Date: Thu, 16 May 2019 00:41:47 +0200 Subject: [PATCH 092/167] Ensure riot directory exists --- tasks/main.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/tasks/main.yml b/tasks/main.yml index 3314368..9ff19dc 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -1,4 +1,9 @@ --- +- name: Create riot directory + file: + dest: "{{ riot_webapp_dir }}" + state: directory + - name: Download and install riot web app import_tasks: download.yml From 71502f252c7fa15822777084a74dba45665a064f Mon Sep 17 00:00:00 2001 From: Emmanouil Kampitakis Date: Thu, 16 May 2019 00:42:14 +0200 Subject: [PATCH 093/167] Populate metadata --- meta/main.yml | 58 ++++++++++----------------------------------------- 1 file changed, 11 insertions(+), 47 deletions(-) diff --git a/meta/main.yml b/meta/main.yml index ba43fdd..e949f8f 100644 --- a/meta/main.yml +++ b/meta/main.yml 
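Review bot: `Create riot directory` creates `{{ riot_webapp_dir }}` without `owner`, `group` or `mode`, so ownership follows the connecting account and permissions follow its umask, which differs between hosts and can leave the tree unreadable for the web server that the README in this series says must serve it. Set them explicitly, e.g. `mode: "0755"` and an `owner:`/`group:` the role can document, so the result is deterministic. The two whitespace-only hunks above need no change.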
@@ -1,58 +1,22 @@ --- galaxy_info: - author: your name - description: your description - company: your company (optional) + author: Emmanouil Kampitakis (@madonius) + description: Installs and configures a riot webapplication - # If the issue tracker for your role is not on github, uncomment the - # next line and provide a value - # issue_tracker_url: http://example.com/issue/tracker + license: MIT - # Some suggested licenses: - # - BSD (default) - # - MIT - # - GPLv2 - # - GPLv3 - # - Apache - # - CC-BY - license: license (GPLv2, CC-BY, etc) - - min_ansible_version: 1.2 + min_ansible_version: 2.7 # If this a Container Enabled role, provide the minimum Ansible Container version. # min_ansible_container_version: - # Optionally specify the branch Galaxy will use when accessing the GitHub - # repo for this role. During role install, if no tags are available, - # Galaxy will use this branch. During import Galaxy will access files on - # this branch. If Travis integration is configured, only notifications for this - # branch will be accepted. Otherwise, in all cases, the repo's default branch - # (usually master) will be used. - # github_branch: + platforms: + - name: Debian + versions: + - all - # - # platforms is a list of platforms, and each platform has a name and a list of versions. - # - # platforms: - # - name: Fedora - # versions: - # - all - # - 25 - # - name: SomePlatform - # versions: - # - all - # - 1.0 - # - 7 - # - 99.99 - - galaxy_tags: [] - # List tags for your role here, one per line. A tag is a keyword that describes - # and categorizes the role. Users find roles by searching for tags. Be sure to - # remove the '[]' above, if you add tags to this list. - # - # NOTE: A tag is limited to a single word comprised of alphanumeric characters. - # Maximum 20 tags per role. + galaxy_tags: + - matrix + - riot dependencies: [] -# List your role dependencies here, one per line. Be sure to remove the '[]' above, -# if you add dependencies to this list. 
From e85ff51632ad926a22334e946e53b98d0a87fb55 Mon Sep 17 00:00:00 2001 From: Emmanouil Kampitakis Date: Thu, 16 May 2019 00:42:38 +0200 Subject: [PATCH 094/167] Download and verify the application --- tasks/download.yml | 74 ++++++++++++++++++++++++++++++++-------------- 1 file changed, 51 insertions(+), 23 deletions(-) diff --git a/tasks/download.yml b/tasks/download.yml index 0409b2c..144d1a9 100644 --- a/tasks/download.yml +++ b/tasks/download.yml 
@@ -1,28 +1,56 @@
 ---
-- name: Download riot v{{ riot_version }}
-  get_url:
-    url: "https://github.com/vector-im/riot-web/releases/download/v{{ riot_version }}/riot-v{{ riot_version }}.tar.gz"
-    dest: "/tmp/riot-v{{ riot_version }}.tar.gz"
+- name: Check if riot is already deployed
+  stat:
+    path: "{{ riot_webapp_dir }}/riot-v{{ riot_version }}"
+  register: riot_app_directory
 
-- name: Download riot v{{ riot_version }}
-  get_url:
-    url: "https://github.com/vector-im/riot-web/releases/download/v{{ riot_version }}/riot-v{{ riot_version }}.tar.gz.asc"
-    dest: "/tmp/riot-v{{ riot_version }}.tar.gz.asc"
+- name: Deploy riot
+  block:
+    - name: Create gpg temporary home directory
+      file:
+        dest: /tmp/gpg-tmp
+        state: directory
+        mode: 0700
 
-- name: Retrieve the Riot release key
-  command: >-
-    gpg --no-default-keyring --keyring /tmp/riot-key
-    --recv-keys 5EA7E0F70461A3BCBEBE4D5EF6151806032026F9
+    - name: Download riot v{{ riot_version }}
+      get_url:
+        url: "https://github.com/vector-im/riot-web/releases/download/v{{ riot_version }}/riot-v{{ riot_version }}.tar.gz"
+        dest: "/tmp/riot-v{{ riot_version }}.tar.gz"
 
-- name: "Verify riot v{{ riot_version }}'s signature"
-  command: >-
-    gpg --no-default-keyring --keyring /tmp/riot-key
-    --verify /tmp/riot-v{{ riot_version }}.tar.gz.asc
-    /tmp/riot-v{{ riot_version }}.tar.gz
-  register: riot_tarball_verification
+    - name: Download riot v{{ riot_version }}
+      get_url:
+        url: "https://github.com/vector-im/riot-web/releases/download/v{{ riot_version }}/riot-v{{ riot_version }}.tar.gz.asc"
+        dest: "/tmp/riot-v{{ riot_version }}.tar.gz.asc"
 
-- name: Unpack riot
-  unarchive:
-    src: "/tmp/riot-v{{ riot_version }}.tar.gz"
-    dest: "{{ riot_webapp_dir }}"
-  when: riot_tarball_verification.rc == 0
+    - name: Retrieve the Riot release key # noqa 301
+      command: >-
+        gpg --no-default-keyring
+        --homedir /tmp/gpg-tmp
+        --keyring /tmp/gpg-tmp/riot-key
+        --recv-keys 5EA7E0F70461A3BCBEBE4D5EF6151806032026F9
+      register: get_riot_gpg_key
+      until: get_riot_gpg_key.rc == 0
+      retries: 10
+      delay: 2
+
+    - name: "Verify riot v{{ riot_version }}'s signature" # noqa 301
+      command: >-
+        gpg --no-default-keyring
+        --homedir /tmp/gpg-tmp
+        --keyring /tmp/gpg-tmp/riot-key
+        --verify /tmp/riot-v{{ riot_version }}.tar.gz.asc
+        /tmp/riot-v{{ riot_version }}.tar.gz
+      register: riot_tarball_verification
+
+    - name: Unpack riot
+      unarchive:
+        src: "/tmp/riot-v{{ riot_version }}.tar.gz"
+        dest: "{{ riot_webapp_dir }}"
+        remote_src: yes
+      when: riot_tarball_verification.rc == 0
+
+    - name: Clean temporary gpg directory
+      file:
+        dest: /tmp/gpg-tmp
+        state: absent
+  when: not riot_app_directory.stat.exists
From 893482bcb7dfda253fcc5e832c7ec45d324ef9fb Mon Sep 17 00:00:00 2001
From: Emmanouil Kampitakis
Date: Thu, 16 May 2019 00:42:48 +0200
Subject: [PATCH 095/167] Add travis yaml

---
 .travis.yml | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
 create mode 100644 .travis.yml
diff --git a/.travis.yml b/.travis.yml
new file mode 100644
index 0000000..16b1b27
--- /dev/null
+++ b/.travis.yml
@@ -0,0 +1,17 @@
+---
+language: python
+services: docker
+
+env:
+  global:
+    - ROLE_NAME: ansible-riot-webapp
+  matrix:
+    - MOLECULE_DISTRO: debian9
+
+install:
+  - pip install molecule docker
+
+jobs:
+  include:
+    - stage: default
+      script: molecule test
From a7c4a4ac7a846299c16e126bd13100965680fde3 Mon Sep 17 00:00:00 2001
From: Emmanouil Kampitakis
Date: Thu, 16 May 2019 01:04:02 +0200
Subject: [PATCH 096/167] Bump riot version

---
 defaults/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/defaults/main.yml b/defaults/main.yml
index b40b71b..ba0dc00 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -1,5 +1,5 @@
 ---
-riot_version: 1.1.1
+riot_version: 1.1.2
 riot_webapp_dir: /opt/riot/
 riot_config:
   brand: Riot
From 5cddfcf5c120fb3084d0b9339d945c99e4e29a41 Mon Sep 17 00:00:00 2001
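Review bot: The gpg home and keyring live at the fixed path `/tmp/gpg-tmp` (the `Create gpg temporary home directory` task and the `--homedir`/`--keyring` arguments of both gpg tasks), so a directory of that name left behind by, or created by, another local user is silently reused — `file: state: directory` adjusts the mode but does not check ownership — and the tarball and its `.asc` are likewise written to predictable `/tmp` names. Creating the directory with the `tempfile` module and templating its registered `path` into the gpg calls removes the predictable name, and the downloads can use the same directory. Moving `Clean temporary gpg directory` into an `always:` section of the block also runs it when key retrieval or verification fails, which the current last task does not. The fence shows only the changed tasks; the download and unpack tasks are unchanged.

```yaml
- name: Deploy riot
  block:
    - name: Create gpg temporary home directory
      tempfile:
        state: directory
        suffix: -riot-gpg
      register: riot_gpg_home

    # … unchanged: download of the tarball and its .asc …

    - name: Retrieve the Riot release key # noqa 301
      command: >-
        gpg --no-default-keyring
        --homedir {{ riot_gpg_home.path }}
        --keyring {{ riot_gpg_home.path }}/riot-key
        --recv-keys 5EA7E0F70461A3BCBEBE4D5EF6151806032026F9
      # … unchanged: register / until / retries / delay …

    - name: "Verify riot v{{ riot_version }}'s signature" # noqa 301
      command: >-
        gpg --no-default-keyring
        --homedir {{ riot_gpg_home.path }}
        --keyring {{ riot_gpg_home.path }}/riot-key
        --verify /tmp/riot-v{{ riot_version }}.tar.gz.asc
        /tmp/riot-v{{ riot_version }}.tar.gz
      register: riot_tarball_verification

    # … unchanged: unpack task …
  always:
    - name: Clean temporary gpg directory
      file:
        dest: "{{ riot_gpg_home.path }}"
        state: absent
      when: riot_gpg_home.path is defined
  when: not riot_app_directory.stat.exists
```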
From: Emmanouil Kampitakis Date: Thu, 16 May 2019 01:15:35 +0200 Subject: [PATCH 097/167] Populate readme --- README.md | 63 +++++++++++++++++++++++++++++-------------------------- 1 file changed, 33 insertions(+), 30 deletions(-) diff --git a/README.md b/README.md index 680ce23..f06223e 100644 --- a/README.md +++ b/README.md 
@@ -1,48 +1,51 @@ -Role Name -========= +# Riot Webapp -A brief description of the role goes here. +Dowloads, verifies and deploys the riot webapplication -Requirements ------------- +## Requirements -Any pre-requisites that may not be covered by Ansible itself or the role should -be mentioned here. For instance, if the role uses the EC2 module, it may be a -good idea to mention in this section that the boto package is required. +A webserver to server the application is required. +Additionally, gpg and dirmngr are required for the package verification -Role Variables --------------- +## Role Variables -A description of the settable variables for this role should go here, including -any variables that are in defaults/main.yml, vars/main.yml, and any variables -that can/should be set via parameters to the role. Any variables that are read -from other roles and/or the global scope (ie. hostvars, group vars, etc.) should -be mentioned here as well. +### Mandatory Variables -Dependencies ------------- +__None__ -A list of other roles hosted on Galaxy should go here, plus any details in -regards to parameters that may need to be set for other roles, or variables that -are used from other roles. 
+### Optional Variables -Example Playbook ----------------- +| Name | Value | Description | +| :--- | :--- | :--- | +| riot_version | 1.1.2 | the riot version to be deployed | +| riot_webapp_dir | /opt/riot/ | location to upack the application | +| riot_config | __See (defaults)[defaults/main.yml] | Dictionary containing the webapp configuration see (riot documentation)[https://github.com/vector-im/riot-web#configjson] for details -Including an example of how to use your role (for instance, with variables -passed in as parameters) is always nice for users too: +## Dependencies - - hosts: servers - roles: - - { role: ansible-riot-webapp, x: 42 } +__None__ + +## Example Playbook + +```yaml +- hosts: servers + tasks: + - name: install gpg and dirmngr + apt: + state: present + name: + - gpg + - dirmngr + roles: + - role: ansible-riot-webapp +``` License ------- -BSD +MIT Author Information ------------------ -An optional section for the role authors to include contact information, or a -website (HTML is not allowed). +(madonius)[https://github.com/madonius] From 2236a263b25ecd7787adde872da0d4801e3f7e13 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20Christian=20Gr=C3=BCnhage?= Date: Sun, 19 May 2019 12:01:20 +0200 Subject: [PATCH 098/167] bump version --- README.md | 2 +- defaults/main.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 2b6cbcb..2ac88d6 100644 --- a/README.md +++ b/README.md 
@@ -35,7 +35,7 @@ The following should be present on the target system | matrix_synapse_dh_path | "{{ matrix_synapse_base_path }}/tls/{{ matrix_server_name }}.dh" | | matrix_synapse_baseurl | "https://{{ matrix_server_name }}" | | matrix_synapse_signing_key_path | "{{ matrix_synapse_base_path }}/ssl/{{ matrix_server_name }}.signing.key" | -| matrix_synapse_version | "v0.99.3" | +| matrix_synapse_version | "v0.99.4" | | matrix_synapse_log_days_keep | 30 | | matrix_synapse_deployment_method | pip | Either pip or docker [¹](#footnote_1) | | matrix_synapse_supervision_method | systemd | Either systemd, runit or docker [¹](#footnote_1) | diff --git a/defaults/main.yml b/defaults/main.yml index 702cc9b..0f47603 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -7,7 +7,7 @@ matrix_synapse_secrets_path: "{{ matrix_synapse_base_path }}/secrets" matrix_synapse_dh_path: "{{ matrix_synapse_base_path }}/tls/{{ matrix_server_name }}.dh" matrix_synapse_baseurl: "https://{{ matrix_server_name }}" matrix_synapse_signing_key_path: "{{ matrix_synapse_base_path }}/tls/{{ matrix_server_name }}.signing.key" -matrix_synapse_version: "v0.99.3.2" +matrix_synapse_version: "v0.99.4" matrix_synapse_log_dir: "/var/log/matrix_synapse" matrix_synapse_log_days_keep: 30 matrix_synapse_pid_file: "{{ matrix_synapse_base_path }}/synapse.pid" From bb08a954b1122df0df67bd2142d69b1b5eff532f Mon Sep 17 00:00:00 2001 From: Emmanouil Kampitakis Date: Fri, 24 May 2019 16:42:48 +0200 Subject: [PATCH 099/167] Circumvent the fact that register is not templatable --- tasks/generate_secret.yml | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/tasks/generate_secret.yml b/tasks/generate_secret.yml index c7fb3cb..7ec1331 100644 --- a/tasks/generate_secret.yml +++ b/tasks/generate_secret.yml 
@@ -17,8 +17,14 @@
     mode: "0600"
   when:
     - not secret_file_stat.stat.exists
-
+# TODO: This below is a dirty hack and should be properly revisited
 - name: Retrieve secret
   slurp:
     src: "{{ secret_file_path }}"
-  register: "{{ secret.var }}"
+  register: secret_var
+
+- name: Set secret.var fact
+  set_fact: >
+    {
+      "{{ secret.var }}": "{{ secret_var }}"
+    }
From 1e5fe9e3974e12dec6df61572be9fb74186b2368 Mon Sep 17 00:00:00 2001
From: Emmanouil Kampitakis
Date: Fri, 24 May 2019 18:57:15 +0200
Subject: [PATCH 100/167] Dynamic fact setting works now

Still hacky as hell
---
 tasks/generate_secret.yml | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/tasks/generate_secret.yml b/tasks/generate_secret.yml
index 7ec1331..8818a28 100644
--- a/tasks/generate_secret.yml
+++ b/tasks/generate_secret.yml
@@ -24,7 +24,4 @@
   register: secret_var
 
 - name: Set secret.var fact
-  set_fact: >
-    {
-      "{{ secret.var }}": "{{ secret_var }}"
-    }
+  set_fact: { "{{ secret.var }}": "{{ secret_var }}" }
From 08c46a8b519d51da49d05381557f63ac624e807c Mon Sep 17 00:00:00 2001
From: Emmanouil Kampitakis
Date: Fri, 24 May 2019 22:07:06 +0200
Subject: [PATCH 101/167] Bump synapse-version to 0.99.5.1

---
 README.md | 2 +-
 defaults/main.yml | 2 +-
 synapse | 1 +
 3 files changed, 3 insertions(+), 2 deletions(-)
 create mode 120000 synapse
diff --git a/README.md b/README.md
index 2ac88d6..8f9de2d 100644
--- a/README.md
+++ b/README.md
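Review bot: `Retrieve secret` and `Set secret.var fact` both handle secret material (the slurped file content, base64-encoded in `secret_var.content`) without `no_log: true`, so the value is printed in task output at `-v` and lands in any configured fact cache; add `no_log: true` to both tasks. The fact is also set to the whole registered result rather than to the decoded content — whether consumers expect the result dict or `secret_var.content | b64decode` is not visible here, so the `# TODO` comment should say which shape callers rely on. The follow-up hunk in the next commit (`set_fact: { "{{ secret.var }}": "{{ secret_var }}" }`) has the same exposure and needs the same `no_log`.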
@@ -35,7 +35,7 @@ The following should be present on the target system | matrix_synapse_dh_path | "{{ matrix_synapse_base_path }}/tls/{{ matrix_server_name }}.dh" | | matrix_synapse_baseurl | "https://{{ matrix_server_name }}" | | matrix_synapse_signing_key_path | "{{ matrix_synapse_base_path }}/ssl/{{ matrix_server_name }}.signing.key" | -| matrix_synapse_version | "v0.99.4" | +| matrix_synapse_version | "v0.99.5.1" | | matrix_synapse_log_days_keep | 30 | | matrix_synapse_deployment_method | pip | Either pip or docker [¹](#footnote_1) | | matrix_synapse_supervision_method | systemd | Either systemd, runit or docker [¹](#footnote_1) | diff --git a/defaults/main.yml b/defaults/main.yml index 0f47603..031dfce 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -7,7 +7,7 @@ matrix_synapse_secrets_path: "{{ matrix_synapse_base_path }}/secrets" matrix_synapse_dh_path: "{{ matrix_synapse_base_path }}/tls/{{ matrix_server_name }}.dh" matrix_synapse_baseurl: "https://{{ matrix_server_name }}" matrix_synapse_signing_key_path: "{{ matrix_synapse_base_path }}/tls/{{ matrix_server_name }}.signing.key" -matrix_synapse_version: "v0.99.4" +matrix_synapse_version: "v0.99.5.1" matrix_synapse_log_dir: "/var/log/matrix_synapse" matrix_synapse_log_days_keep: 30 matrix_synapse_pid_file: "{{ matrix_synapse_base_path }}/synapse.pid" diff --git a/synapse b/synapse new file mode 120000 index 0000000..17c01eb --- /dev/null +++ b/synapse @@ -0,0 +1 @@ +synapse \ No newline at end of file From 4ff1dcfccaeb867955dc401103a237e6c354b74a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20Christian=20Gr=C3=BCnhage?= Date: Tue, 4 Jun 2019 16:44:26 +0200 Subject: [PATCH 102/167] bump version to 0.99.5.2 --- README.md | 2 +- defaults/main.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 8f9de2d..f2cfe6d 100644 --- a/README.md +++ b/README.md 
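Review bot: The new `synapse` entry is a symlink (`create mode 120000 synapse`) whose target is the literal string `synapse`, i.e. it points at itself and can never be resolved. That does not match the "Bump synapse-version" subject and looks like an accidentally committed checkout artefact; it should be dropped from this commit rather than shipped in the role. The two version-bump hunks in this commit need no change.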
@@ -35,7 +35,7 @@ The following should be present on the target system | matrix_synapse_dh_path | "{{ matrix_synapse_base_path }}/tls/{{ matrix_server_name }}.dh" | | matrix_synapse_baseurl | "https://{{ matrix_server_name }}" | | matrix_synapse_signing_key_path | "{{ matrix_synapse_base_path }}/ssl/{{ matrix_server_name }}.signing.key" | -| matrix_synapse_version | "v0.99.5.1" | +| matrix_synapse_version | "v0.99.5.2" | | matrix_synapse_log_days_keep | 30 | | matrix_synapse_deployment_method | pip | Either pip or docker [¹](#footnote_1) | | matrix_synapse_supervision_method | systemd | Either systemd, runit or docker [¹](#footnote_1) | diff --git a/defaults/main.yml b/defaults/main.yml index 031dfce..d4aecf3 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -7,7 +7,7 @@ matrix_synapse_secrets_path: "{{ matrix_synapse_base_path }}/secrets" matrix_synapse_dh_path: "{{ matrix_synapse_base_path }}/tls/{{ matrix_server_name }}.dh" matrix_synapse_baseurl: "https://{{ matrix_server_name }}" matrix_synapse_signing_key_path: "{{ matrix_synapse_base_path }}/tls/{{ matrix_server_name }}.signing.key" -matrix_synapse_version: "v0.99.5.1" +matrix_synapse_version: "v0.99.5.2" matrix_synapse_log_dir: "/var/log/matrix_synapse" matrix_synapse_log_days_keep: 30 matrix_synapse_pid_file: "{{ matrix_synapse_base_path }}/synapse.pid" From 4d0f237a5a56e29945f028c6d1ae13e020cb0f3c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20Christian=20Gr=C3=BCnhage?= Date: Tue, 11 Jun 2019 23:28:57 +0200 Subject: [PATCH 103/167] bump version to 1.0.0 --- README.md | 2 +- defaults/main.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index f2cfe6d..a389e2e 100644 --- a/README.md +++ b/README.md 
@@ -35,7 +35,7 @@ The following should be present on the target system | matrix_synapse_dh_path | "{{ matrix_synapse_base_path }}/tls/{{ matrix_server_name }}.dh" | | matrix_synapse_baseurl | "https://{{ matrix_server_name }}" | | matrix_synapse_signing_key_path | "{{ matrix_synapse_base_path }}/ssl/{{ matrix_server_name }}.signing.key" | -| matrix_synapse_version | "v0.99.5.2" | +| matrix_synapse_version | "v1.0.0" | | matrix_synapse_log_days_keep | 30 | | matrix_synapse_deployment_method | pip | Either pip or docker [¹](#footnote_1) | | matrix_synapse_supervision_method | systemd | Either systemd, runit or docker [¹](#footnote_1) | diff --git a/defaults/main.yml b/defaults/main.yml index d4aecf3..d757d45 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -7,7 +7,7 @@ matrix_synapse_secrets_path: "{{ matrix_synapse_base_path }}/secrets" matrix_synapse_dh_path: "{{ matrix_synapse_base_path }}/tls/{{ matrix_server_name }}.dh" matrix_synapse_baseurl: "https://{{ matrix_server_name }}" matrix_synapse_signing_key_path: "{{ matrix_synapse_base_path }}/tls/{{ matrix_server_name }}.signing.key" -matrix_synapse_version: "v0.99.5.2" +matrix_synapse_version: "v1.0.0" matrix_synapse_log_dir: "/var/log/matrix_synapse" matrix_synapse_log_days_keep: 30 matrix_synapse_pid_file: "{{ matrix_synapse_base_path }}/synapse.pid" From c519bfc1902e40aa996c76608bdbd68af0de1164 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20Christian=20Gr=C3=BCnhage?= Date: Tue, 11 Jun 2019 23:42:37 +0200 Subject: [PATCH 104/167] Work around an issue with replacing the base image of a container --- tasks/deployment.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tasks/deployment.yml b/tasks/deployment.yml index b4850da..f309705 100644 --- a/tasks/deployment.yml +++ b/tasks/deployment.yml @@ -64,6 +64,8 @@ ports: "{{ matrix_synapse_docker_ports }}" labels: "{{ matrix_synapse_docker_labels }}" restart_policy: unless-stopped + recreate: true + pull: true entrypoint: "python" command: - "-m" 
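Review bot: `recreate: true` together with `pull: true` in `install synapse with docker` forces a pull and a container recreation on every run, so the task always reports changed and each play restarts Synapse; the reason (replacing the base image behind an unchanged tag, per the subject of c519bfc) appears only in the commit message. Record it next to the options, e.g. `# recreate+pull: work around the container not being replaced when its base image changes (c519bfc)`, so the non-idempotence is not "fixed" later by someone unaware of it. Pulling a mutable tag also means the running image is whatever the registry serves at play time; pinning by digest would make the deployed build reproducible. The enclosing `docker_container` task starts outside the hunk.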
From 88364027b79ba3b9eac7ec7cd39608d285a947f2 Mon Sep 17 00:00:00 2001 From: Emmanouil Kampitakis Date: Thu, 13 Jun 2019 11:23:23 +0200 Subject: [PATCH 105/167] Remove __pycache__ from repo --- .../test_default.cpython-37-PYTEST.pyc | Bin 1930 -> 0 bytes .../__pycache__/test_default.cpython-37.pyc | Bin 716 -> 0 bytes 2 files changed, 0 insertions(+), 0 deletions(-) delete mode 100644 molecule/default/tests/__pycache__/test_default.cpython-37-PYTEST.pyc delete mode 100644 molecule/default/tests/__pycache__/test_default.cpython-37.pyc diff --git a/molecule/default/tests/__pycache__/test_default.cpython-37-PYTEST.pyc b/molecule/default/tests/__pycache__/test_default.cpython-37-PYTEST.pyc deleted file mode 100644 index 98717618200986c1c15006770621cf16314bc706..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1930 zcmcIk&yU+g6rQmi$MGiF?e+&PLMW;P)To<4=~9qb)TP}@D{a$i`K4M&#+#XBopo$$ zX54LpbD^A&ka|W%+8p_3IB`J3k<pCCxC7 zd!R{QF3eRJw_xx$41@}F1d3*OiVHl%Q=>2lI&j!+Vh}S1eNz*Z8N`aMQDtgjR9J;c zDvy?rH zsLb$V{5>$j>Uh|g8l*n83!|_PjA^x~YCXTdlAgv~PxT4rcYwP|nnksb$+BYW8#C)4 zjS%5LgjV?kvsJC_Uph5rgWi>=Cg^p@8M0b95eB<9*Iql(Zh?9jRZxzH%P-0SR{8mr zvN(I1g~96!S)6-e7QZcI@yCCc1wpX4&UYtnhl*ZjKjnfmwTV0|U%x*Vl#5NyDHFT& zkVS%i9kL`!2HEodFU+#eD2-_^k7YyOH*;&(3N^-Y;1UVa`h!NkUVpzt&Ng+-Q%9g z)EQ+$_B{8Bv{bIrF4fEPL8e>TRy~6j1!A00 z&P=toGsien|1Vj;nT>n>a41yT3u7)_Kvk84kjaYy-%s$Y!nK;VZtO7QJP3gRYjf&V2N0>_0mxmGAb)NC(o6Z z+K{ZKge@syWr^O`%C%l!!zK3zi!s+1U*?`N?8DMizI^m6Vs8Wev;S`+%4JA5$Q`APg;BBJ%9Czo@CpfzTJl=|QPI|^J03a`& zbiAw>RJ+Z}6D(_|kgU!zc2Rv}q}+c~X^oOT3){JfV&0w~z<}jR0?n$O`ej82_|4}d z{KjT^WOvICsx)~RF=%#eKt-U7P!>clQUW>$-G+tf9VN;6WRwy(>Yu7#5?3eML956y I;Kr-w-{x8~D*ylh 
diff --git a/molecule/default/tests/__pycache__/test_default.cpython-37.pyc b/molecule/default/tests/__pycache__/test_default.cpython-37.pyc deleted file mode 100644 index 5854326dab20784f4854f1955284b0cf14289456..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 716 zcmZWn&2AGh5VpO$X|j+Yp-PAg2W~kuiv&VKst|3pNR>h=l^=-}(rQ_Ii#Hp4WqYfJ zHW$PT@CM0|XWAf)V=B1{?9gc?PN< zgQ1Ax3MK0sCxnsGEB$4_P}!m6E?VK`7WGy*=~ABtpHb4I_$3;4enKyrBzImMjpKvY z<2XH>yoo2Tj*j1^&kx73^|GqUVY3qg)&o5N)sMhjpe5{G;RU|HCDz-9d}=+9k}1*m z|3tov9<&ifu+y7-3?pXp=!4WoTVF|OhJp19UNPHYXS~f0_Oxcoa4BM?q_Tbkp$$%y zZ0aGge%ott@fE2XfaBM<$js`f=JgI2+5qOAvs9JyDdo{jRxEES_Sea!oN~w+!&Ibm zCNjlkbjlPjIAjddhKoXF(fRq+($Qv8O1WaWk!rqJT(8-TOGP$g|37b*{4=6mm{L|` zO=U*)+}?5t$4=Uk(rfANf-X2Yp`2PoN^^a(mP=$btn>t$Z@hxH~^0ME9NGEvfbU8q`>ym_Rl!b KT>=N+_I?APWZOsp From f49cc4e7ce053d16a6cab83e7634a358d1948d86 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20Christian=20Gr=C3=BCnhage?= Date: Tue, 18 Jun 2019 18:20:47 +0200 Subject: [PATCH 106/167] fix typo --- tasks/crypto.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/crypto.yml b/tasks/crypto.yml index 63eb7ad..6e4b946 100644 --- a/tasks/crypto.yml +++ b/tasks/crypto.yml @@ -1,5 +1,5 @@ --- -- name: Install singedjson +- name: Install signedjson pip: name: signedjson From 306302ccc91957812f3adbedf51bb76205432b69 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20Christian=20Gr=C3=BCnhage?= Date: Sat, 27 Jul 2019 12:46:46 +0200 Subject: [PATCH 107/167] update synapse to 1.2.1 and use conditional requirements --- defaults/main.yml | 3 +-- tasks/deployment.yml | 18 +++++++----------- 2 files changed, 8 insertions(+), 13 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index d757d45..6bd8857 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -7,10 +7,9 @@ matrix_synapse_secrets_path: "{{ matrix_synapse_base_path }}/secrets" matrix_synapse_dh_path: "{{ matrix_synapse_base_path }}/tls/{{ matrix_server_name }}.dh" matrix_synapse_baseurl: "https://{{ matrix_server_name }}" matrix_synapse_signing_key_path: "{{ matrix_synapse_base_path }}/tls/{{ matrix_server_name }}.signing.key" -matrix_synapse_version: "v1.0.0" +matrix_synapse_version: "v1.2.1" matrix_synapse_log_dir: "/var/log/matrix_synapse" matrix_synapse_log_days_keep: 30 matrix_synapse_pid_file: "{{ matrix_synapse_base_path }}/synapse.pid" matrix_synapse_docker_ports: ["8008:8008", "8448:8448"] matrix_synapse_docker_labels: {} -matrix_synapse_python_version: "3" diff --git a/tasks/deployment.yml b/tasks/deployment.yml index f309705..23c0b1c 100644 --- a/tasks/deployment.yml +++ b/tasks/deployment.yml @@ -4,17 +4,17 @@ - name: Install dependencies apt: name: + - git - build-essential - - "python{{ (matrix_synapse_python_version == '2') | ternary('2.7', '3') }}-dev" - - libffi-dev + - python3-dev + - python-virtualenv - python-pip - python-setuptools - sqlite3 + - libffi-dev - libssl-dev - - python-virtualenv - libjpeg-dev - libxslt1-dev - - git - libpq-dev state: present cache_valid_time: 1800 @@ -26,11 +26,8 @@ name: - pip - setuptools - - lxml - - psycopg2-binary - - mock virtualenv: "{{ matrix_synapse_base_path }}/env" - virtualenv_python: "python{{ matrix_synapse_python_version }}" + virtualenv_python: python3 extra_args: --upgrade tags: - pre_install @@ -47,9 +44,8 @@ - name: Install Synapse pip: - name: "{{ matrix_synapse_base_path }}/synapse" + name: "{{ matrix_synapse_base_path }}/synapse[matrix-synapse-ldap3,postgres,resources.consent,acme,url_preview]" virtualenv: "{{ matrix_synapse_base_path }}/env" - virtualenv_python: "python{{ matrix_synapse_python_version }}" when: clone_synapse.changed tags: - skip_ansible_lint # skip when clause 
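Review bot: In the `Install Synapse` hunk the new extras spec (`synapse[matrix-synapse-ldap3,postgres,resources.consent,acme,url_preview]`) stays behind `when: clone_synapse.changed`, so on a host whose checkout is already at the target version the separate `lxml`/`psycopg2-binary` installs removed two hunks above are gone while the extras that replace them are never installed; any future edit of the extras list will be skipped the same way. Either drop the `when` and rely on pip being idempotent, or record the install spec on the host and re-run when it differs. In the first hunk `python-pip` and `python-setuptools` are the Python 2 packages while the virtualenv is now `python3`; that is probably only the bootstrap for `virtualenv`, but worth confirming. The diffstat touches only defaults and deployment, so if the README documents the removed `matrix_synapse_python_version` it is now stale.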
@@ -60,7 +56,7 @@ - name: install synapse with docker docker_container: name: synapse - image: "docker.io/matrixdotorg/synapse:{{ matrix_synapse_version }}-py{{ matrix_synapse_python_version }}" + image: "docker.io/matrixdotorg/synapse:{{ matrix_synapse_version }}" ports: "{{ matrix_synapse_docker_ports }}" labels: "{{ matrix_synapse_docker_labels }}" restart_policy: unless-stopped From f6d79971f6fafa9af52c7b8d23619f53912ff863 Mon Sep 17 00:00:00 2001 From: Jan Christian Gr??nhage Date: Fri, 16 Aug 2019 00:41:34 +0200 Subject: [PATCH 108/167] update synapse to v1.3.0 this includes changes to the logging configuration --- defaults/main.yml | 2 +- tasks/configure.yml | 2 -- tasks/deployment.yml | 1 + tasks/logging.yml | 38 ++++++++++++++++------------- templates/matrix-synapse.service.j2 | 2 +- vars/main.yml | 1 + 6 files changed, 25 insertions(+), 21 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 6bd8857..fb815a3 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -7,7 +7,7 @@ matrix_synapse_secrets_path: "{{ matrix_synapse_base_path }}/secrets" matrix_synapse_dh_path: "{{ matrix_synapse_base_path }}/tls/{{ matrix_server_name }}.dh" matrix_synapse_baseurl: "https://{{ matrix_server_name }}" matrix_synapse_signing_key_path: "{{ matrix_synapse_base_path }}/tls/{{ matrix_server_name }}.signing.key" -matrix_synapse_version: "v1.2.1" +matrix_synapse_version: "v1.3.0" matrix_synapse_log_dir: "/var/log/matrix_synapse" matrix_synapse_log_days_keep: 30 matrix_synapse_pid_file: "{{ matrix_synapse_base_path }}/synapse.pid" diff --git a/tasks/configure.yml b/tasks/configure.yml index 13e2a08..eda8b82 100644 --- a/tasks/configure.yml +++ b/tasks/configure.yml @@ -59,8 +59,6 @@ - name: Configure logging import_tasks: logging.yml - when: matrix_synapse_supervision_method == "systemd" - # TODO: Figure out how to make sure that logging ends up in rsyslog no matter what system we run on - name: Create certificates include_tasks: crypto.yml 
diff --git a/tasks/deployment.yml b/tasks/deployment.yml index 23c0b1c..a58f217 100644 --- a/tasks/deployment.yml +++ b/tasks/deployment.yml @@ -73,5 +73,6 @@ - "{{ matrix_synapse_config.media_store_path }}:{{ matrix_synapse_config.media_store_path }}" - "{{ matrix_synapse_config.uploads_path }}:{{ matrix_synapse_config.uploads_path }}" - "{{ matrix_synapse_base_path }}/homeserver.yaml:{{ matrix_synapse_base_path }}/homeserver.yaml" + - "{{ matrix_synapse_base_path }}/log.config:{{ matrix_synapse_base_path }}/log.config" - "{{ matrix_synapse_base_path }}/tls:{{ matrix_synapse_base_path }}/tls" when: matrix_synapse_deployment_method == "docker" diff --git a/tasks/logging.yml b/tasks/logging.yml index 3ac0c76..7406f3a 100644 --- a/tasks/logging.yml +++ b/tasks/logging.yml @@ -1,23 +1,27 @@ --- -- name: create logging folder - file: - name: "{{ matrix_synapse_log_dir }}" - state: directory - owner: synapse - group: synapse +- name: Logging config (systemd) + block: + - name: create logging folder + file: + name: "{{ matrix_synapse_log_dir }}" + state: directory + owner: synapse + group: synapse -- name: copy syslog config - template: - src: syslog-synapse.conf.j2 - dest: /etc/rsyslog.d/matrix_synapse.conf - owner: root - notify: restart rsyslog + - name: copy syslog config + template: + src: syslog-synapse.conf.j2 + dest: /etc/rsyslog.d/matrix_synapse.conf + owner: root + notify: restart rsyslog -- name: template logrotate config - template: - src: logrotate.j2 - dest: /etc/logrotate.d/matrix_synapse - owner: root + - name: template logrotate config + template: + src: logrotate.j2 + dest: /etc/logrotate.d/matrix_synapse + owner: root + when: matrix_synapse_supervision_method == "systemd" + # TODO: Figure out how to make sure that logging ends up in rsyslog no matter what system we run on - name: Deploy log config copy: diff --git a/templates/matrix-synapse.service.j2 b/templates/matrix-synapse.service.j2 index 2818b4e..2e0adca 100644 
--- a/templates/matrix-synapse.service.j2 +++ b/templates/matrix-synapse.service.j2 @@ -4,7 +4,7 @@ Description="Matrix Synapse Server (synapse)" [Service] Type=simple WorkingDirectory={{ matrix_synapse_base_path }} -ExecStart={{ matrix_synapse_base_path }}/env/bin/python -m synapse.app.homeserver --config-path={{ matrix_synapse_base_path }}/homeserver.yaml --log-config={{ matrix_synapse_base_path }}/log.config +ExecStart={{ matrix_synapse_base_path }}/env/bin/python -m synapse.app.homeserver --config-path={{ matrix_synapse_base_path }}/homeserver.yaml ExecStop={{ matrix_synapse_base_path }}/env/bin/synctl stop {{ matrix_synapse_base_path }}/homeserver.yaml User=synapse Group=synapse diff --git a/vars/main.yml b/vars/main.yml index f8f61b0..f149c58 100644 --- a/vars/main.yml +++ b/vars/main.yml @@ -49,6 +49,7 @@ matrix_synapse_base_config: host: "{{ matrix_synapse_pg_host }}" cp_min: 5 cp_max: 10 + log_config: "{{ matrix_synapse_base_path }}/log.config" event_cache_size: "10K" rc_messages_per_second: 0.2 rc_message_burst_count: 10.0 From 83291b76fa57718e4572b3c6042ed45bde974535 Mon Sep 17 00:00:00 2001 From: Jan Christian Gr??nhage Date: Sat, 17 Aug 2019 12:33:32 +0200 Subject: [PATCH 109/167] update synapse to v1.3.1 --- defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defaults/main.yml b/defaults/main.yml index fb815a3..5d41f76 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -7,7 +7,7 @@ matrix_synapse_secrets_path: "{{ matrix_synapse_base_path }}/secrets" matrix_synapse_dh_path: "{{ matrix_synapse_base_path }}/tls/{{ matrix_server_name }}.dh" matrix_synapse_baseurl: "https://{{ matrix_server_name }}" matrix_synapse_signing_key_path: "{{ matrix_synapse_base_path }}/tls/{{ matrix_server_name }}.signing.key" -matrix_synapse_version: "v1.3.0" +matrix_synapse_version: "v1.3.1" matrix_synapse_log_dir: "/var/log/matrix_synapse" matrix_synapse_log_days_keep: 30 matrix_synapse_pid_file: "{{ matrix_synapse_base_path }}/synapse.pid" From b7a9e1b5ffaf2bb03c4c037d8c0c335e55e7220b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20Christian=20Gr=C3=BCnhage?= Date: Sun, 19 May 2019 11:57:07 +0200 Subject: [PATCH 110/167] initial docker support --- defaults/main.yml | 5 +++++ tasks/main.yml | 20 +++++++++++++++++++- 2 files changed, 24 insertions(+), 1 deletion(-) diff --git a/defaults/main.yml b/defaults/main.yml index ba0dc00..087cf86 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -32,3 +32,8 @@ riot_config: servers: - matrix.org welcomeUserId: '@riot-bot:matrix.org' +riot_domain_configs: [] +riot_deployment_method: 'webroot' #alternative is 'docker' +riot_docker_ports: [] +riot_docker_labels: {} +riot_docker_volumes: {} diff --git a/tasks/main.yml b/tasks/main.yml index 9ff19dc..6073c28 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
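Review bot: `riot_docker_volumes: {}` is a mapping, but tasks/main.yml hands it straight to `docker_container`'s `volumes:`, which takes a list of `host:container[:mode]` strings, so the default should be `riot_docker_volumes: []` to match `riot_docker_ports: []` directly above it. The inline comment on `riot_deployment_method` should be written `riot_deployment_method: 'webroot'  # alternative is 'docker'` (two spaces before the hash, one after), which is the form yamllint accepts. A one-line comment that each `riot_domain_configs` entry needs `domain` and `config` keys would document the shape the loop in tasks/main.yml depends on.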
@@ -6,8 +6,26 @@ - name: Download and install riot web app import_tasks: download.yml + when: riot_deployment_method == "webroot" -- name: Write configuration +- name: Write main configuration copy: content: "{{ riot_config | to_nice_json }}" dest: "{{ riot_webapp_dir }}/riot-v{{ riot_version }}/config.json" + +- name: Write domain specific configurations + copy: + content: "{{ item.config | to_nice_json }}" + dest: "{{ riot_webapp_dir }}/riot-v{{ riot_version }}/config.{{ item.domain }}.json" + loop: "riot_domain_configs" + +- name: Deploy docker container + docker_container: + docker_container: + name: "riot-web" + image: "docker.io/vectorim/riot-web:{{ riot_version }}" + ports: "{{ riot_docker_ports }}" + labels: "{{ riot_docker_labels }}" + restart_policy: unless-stopped + volumes: "{{ riot_docker_volumes }}" + when: riot_deployment_method == "docker" From 7f1fbe55a5044435d72c6df2a2bb458f93ca65ab Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20Christian=20Gr=C3=BCnhage?= Date: Wed, 21 Aug 2019 12:29:21 +0200 Subject: [PATCH 111/167] bump version to 1.3.3 --- README.md | 3 ++- defaults/main.yml | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index f06223e..cbd2be0 100644 --- a/README.md +++ b/README.md @@ -17,7 +17,7 @@ __None__ | Name | Value | Description | | :--- | :--- | :--- | -| riot_version | 1.1.2 | the riot version to be deployed | +| riot_version | 1.3.3 | the riot version to be deployed | | riot_webapp_dir | /opt/riot/ | location to upack the application | | riot_config | __See (defaults)[defaults/main.yml] | Dictionary containing the webapp configuration see (riot documentation)[https://github.com/vector-im/riot-web#configjson] for details @@ -49,3 +49,4 @@ Author Information ------------------ (madonius)[https://github.com/madonius] +(jcgruenhage)[https://jcg.re] diff --git a/defaults/main.yml b/defaults/main.yml index 087cf86..221fbac 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
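Review bot: `loop: "riot_domain_configs"` is a literal string rather than a template, so Ansible refuses it as not-a-list and the domain-specific configs are never written; it has to be `loop: "{{ riot_domain_configs }}"`. The `Deploy docker container` task nests `docker_container:` inside itself, so the module receives one unsupported `docker_container` argument and none of `name`, `image` or `ports`; drop the inner key. Nothing in this hunk mounts the config.json written into `{{ riot_webapp_dir }}` into the container, so in docker mode that file appears unused unless the operator adds a bind mount through `riot_docker_volumes`, and the container starts without an explicit `user:`; if both are intentional, a comment on the task saying so would help.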
@@ -1,5 +1,5 @@ --- -riot_version: 1.1.2 +riot_version: 1.3.3 riot_webapp_dir: /opt/riot/ riot_config: brand: Riot From 0ee4226648b417215ee416a2f9f6fe71ff4580a7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20Christian=20Gr=C3=BCnhage?= Date: Sat, 5 Oct 2019 20:45:18 +0200 Subject: [PATCH 112/167] update synapse version to v1.4.0 --- defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defaults/main.yml b/defaults/main.yml index 5d41f76..7e95601 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -7,7 +7,7 @@ matrix_synapse_secrets_path: "{{ matrix_synapse_base_path }}/secrets" matrix_synapse_dh_path: "{{ matrix_synapse_base_path }}/tls/{{ matrix_server_name }}.dh" matrix_synapse_baseurl: "https://{{ matrix_server_name }}" matrix_synapse_signing_key_path: "{{ matrix_synapse_base_path }}/tls/{{ matrix_server_name }}.signing.key" -matrix_synapse_version: "v1.3.1" +matrix_synapse_version: "v1.4.0" matrix_synapse_log_dir: "/var/log/matrix_synapse" matrix_synapse_log_days_keep: 30 matrix_synapse_pid_file: "{{ matrix_synapse_base_path }}/synapse.pid" From dedf8afe7e61cee944a6d30900ca0442731034fe Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20Christian=20Gr=C3=BCnhage?= Date: Sat, 5 Oct 2019 20:46:47 +0200 Subject: [PATCH 113/167] fix tests after migration of repository --- tests/test-docker.yml | 2 +- tests/test-pip.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/test-docker.yml b/tests/test-docker.yml index 5352b68..10ca6f5 100644 --- a/tests/test-docker.yml +++ b/tests/test-docker.yml @@ -41,7 +41,7 @@ postgresql_hba_entries: - { type: local, database: all, user: all, auth_method: trust } - { type: host, database: "{{ dbname }}", user: "{{ dbuser }}", address: "172.17.0.1/16", auth_method: md5 } - - role: matrix-ansible-synapse + - role: synapse matrix_server_name: localhost matrix_synapse_report_stats: false matrix_synapse_pg_host: 172.17.0.1 
diff --git a/tests/test-pip.yml b/tests/test-pip.yml index 156e607..afee0f4 100644 --- a/tests/test-pip.yml +++ b/tests/test-pip.yml @@ -33,7 +33,7 @@ postgresql_global_config_options: - option: listen_addresses value: "*" - - role: matrix-ansible-synapse + - role: synapse matrix_server_name: localhost matrix_synapse_report_stats: false matrix_synapse_pg_host: localhost From 1b390bc96147f0229b8f13aeb98a659d8af95fb7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20Christian=20Gr=C3=BCnhage?= Date: Sat, 5 Oct 2019 20:49:37 +0200 Subject: [PATCH 114/167] use python3 for ansible --- tests/Vagrantfile | 2 ++ tests/test-docker.yml | 2 ++ tests/test-pip.yml | 3 +++ 3 files changed, 7 insertions(+) diff --git a/tests/Vagrantfile b/tests/Vagrantfile index 132c5bd..a4df5d1 100644 --- a/tests/Vagrantfile +++ b/tests/Vagrantfile @@ -10,6 +10,7 @@ Vagrant.configure("2") do |config| pip.vm.provision "ansible" do |ansible| ansible.playbook = "test-pip.yml" + ansible.extra_vars = { ansible_python_interpreter:"/usr/bin/python3" } end end config.vm.define "docker" do |docker| @@ -20,6 +21,7 @@ Vagrant.configure("2") do |config| docker.vm.provision "ansible" do |ansible| ansible.playbook = "test-docker.yml" + ansible.extra_vars = { ansible_python_interpreter:"/usr/bin/python3" } end end end diff --git a/tests/test-docker.yml b/tests/test-docker.yml index 10ca6f5..a54318d 100644 --- a/tests/test-docker.yml +++ b/tests/test-docker.yml @@ -26,8 +26,10 @@ matrix_synapse_supervision_method: docker roles: - role: geerlingguy.pip + pip_package: python3-pip pip_install_packages: - name: docker + - name: psycopg2-binary - role: geerlingguy.docker - role: geerlingguy.postgresql postgresql_databases: diff --git a/tests/test-pip.yml b/tests/test-pip.yml index afee0f4..6b953e3 100644 --- a/tests/test-pip.yml +++ b/tests/test-pip.yml 
@@ -24,6 +24,9 @@ when: matrix_synapse_version != "v"~(api_version.content | from_json).server.version roles: - role: geerlingguy.pip + pip_package: python3-pip + pip_install_packages: + - name: psycopg2-binary - role: geerlingguy.postgresql postgresql_databases: - name: "{{ dbname }}" From 4497e8278b76e79bb952daa72abfb0e8e0ab6bd9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20Christian=20Gr=C3=BCnhage?= Date: Sat, 5 Oct 2019 20:49:54 +0200 Subject: [PATCH 115/167] start testing on debian buster too --- tests/Vagrantfile | 30 ++++++++++++++++++++++++++---- 1 file changed, 26 insertions(+), 4 deletions(-) diff --git a/tests/Vagrantfile b/tests/Vagrantfile index a4df5d1..8f28292 100644 --- a/tests/Vagrantfile +++ b/tests/Vagrantfile @@ -2,7 +2,7 @@ # vi: set ft=ruby : Vagrant.configure("2") do |config| - config.vm.define "pip" do |pip| + config.vm.define "pip-stretch" do |pip| pip.vm.box = "debian/stretch64" pip.vm.network "forwarded_port", guest: 8008, host: 8008 
@@ -13,11 +13,33 @@ Vagrant.configure("2") do |config| ansible.extra_vars = { ansible_python_interpreter:"/usr/bin/python3" } end end - config.vm.define "docker" do |docker| + config.vm.define "pip-buster" do |pip| + pip.vm.box = "debian/buster64" + + pip.vm.network "forwarded_port", guest: 8008, host: 8009 + pip.vm.network "forwarded_port", guest: 8448, host: 8449 + + pip.vm.provision "ansible" do |ansible| + ansible.playbook = "test-pip.yml" + ansible.extra_vars = { ansible_python_interpreter:"/usr/bin/python3" } + end + end + config.vm.define "docker-stretch" do |docker| docker.vm.box = "debian/stretch64" - docker.vm.network "forwarded_port", guest: 8008, host: 8009 - docker.vm.network "forwarded_port", guest: 8448, host: 8449 + docker.vm.network "forwarded_port", guest: 8008, host: 8010 + docker.vm.network "forwarded_port", guest: 8448, host: 8450 + + docker.vm.provision "ansible" do |ansible| + ansible.playbook = "test-docker.yml" + ansible.extra_vars = { ansible_python_interpreter:"/usr/bin/python3" } + end + end + config.vm.define "docker-buster" do |docker| + docker.vm.box = "debian/buster64" + + docker.vm.network "forwarded_port", guest: 8008, host: 8011 + docker.vm.network "forwarded_port", guest: 8448, host: 8451 docker.vm.provision "ansible" do |ansible| ansible.playbook = "test-docker.yml" From e5e3e957b8b4943af14c3a2cdd33b4f0002011f8 Mon Sep 17 00:00:00 2001 From: Jan Christian Gruenhage Date: Mon, 11 Nov 2019 17:14:47 +0100 Subject: [PATCH 116/167] upgrade to 1.5.1 --- defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defaults/main.yml b/defaults/main.yml index 7e95601..25e0561 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -7,7 +7,7 @@ matrix_synapse_secrets_path: "{{ matrix_synapse_base_path }}/secrets" matrix_synapse_dh_path: "{{ matrix_synapse_base_path }}/tls/{{ matrix_server_name }}.dh" matrix_synapse_baseurl: "https://{{ matrix_server_name }}" matrix_synapse_signing_key_path: "{{ matrix_synapse_base_path }}/tls/{{ matrix_server_name }}.signing.key" -matrix_synapse_version: "v1.4.0" +matrix_synapse_version: "v1.5.1" matrix_synapse_log_dir: "/var/log/matrix_synapse" matrix_synapse_log_days_keep: 30 matrix_synapse_pid_file: "{{ matrix_synapse_base_path }}/synapse.pid" From b4e2a493913a547e49bac114b7e2061b84ea07bf Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20Christian=20Gr=C3=BCnhage?= <517303-jcgruenhage@users.noreply.gitlab.com> Date: Tue, 12 Nov 2019 12:30:07 +0000 Subject: [PATCH 117/167] move container ref to variable --- defaults/main.yml | 1 + tasks/deployment.yml | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/defaults/main.yml b/defaults/main.yml index 25e0561..892e962 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -13,3 +13,4 @@ matrix_synapse_log_days_keep: 30 matrix_synapse_pid_file: "{{ matrix_synapse_base_path }}/synapse.pid" matrix_synapse_docker_ports: ["8008:8008", "8448:8448"] matrix_synapse_docker_labels: {} +matrix_synapse_container_ref: "docker.io/matrixdotorg/synapse" diff --git a/tasks/deployment.yml b/tasks/deployment.yml index a58f217..2042353 100644 --- a/tasks/deployment.yml +++ b/tasks/deployment.yml @@ -56,7 +56,7 @@ - name: install synapse with docker docker_container: name: synapse - image: "docker.io/matrixdotorg/synapse:{{ matrix_synapse_version }}" + image: "{{ matrix_synapse_container_ref }}:{{ matrix_synapse_version }}" ports: "{{ matrix_synapse_docker_ports }}" labels: "{{ matrix_synapse_docker_labels }}" restart_policy: unless-stopped From 3dc4774391d3c332f9db9c25eaed339f3b765001 Mon Sep 17 00:00:00 2001 
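Review bot: `image: "{{ matrix_synapse_container_ref }}:{{ matrix_synapse_version }}"` pins by tag only, and a docker.io tag is mutable, so the role cannot express a reproducible deployment; an optional `matrix_synapse_container_digest` with `image: "{{ matrix_synapse_container_ref }}@{{ matrix_synapse_container_digest }}"` when it is set would let operators pin. The task also sets no `pull:`, and `docker_container` in my experience only fetches when the image is absent locally, so a retagged upstream image may silently be ignored in favour of a stale copy; confirm against the module version in use and consider `pull: true` or an explicit `docker_image` step. Since `matrix_synapse_container_ref` now lets any playbook redirect the pull to an arbitrary registry, a comment next to it in defaults/main.yml noting that the override must be trusted (and ideally digest-pinned) documents the trade-off.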
From: =?UTF-8?q?Jan=20Christian=20Gr=C3=BCnhage?= Date: Tue, 26 Nov 2019 17:38:01 +0100 Subject: [PATCH 118/167] update to synapse 1.6.0 --- defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defaults/main.yml b/defaults/main.yml index 892e962..2da12b0 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -7,7 +7,7 @@ matrix_synapse_secrets_path: "{{ matrix_synapse_base_path }}/secrets" matrix_synapse_dh_path: "{{ matrix_synapse_base_path }}/tls/{{ matrix_server_name }}.dh" matrix_synapse_baseurl: "https://{{ matrix_server_name }}" matrix_synapse_signing_key_path: "{{ matrix_synapse_base_path }}/tls/{{ matrix_server_name }}.signing.key" -matrix_synapse_version: "v1.5.1" +matrix_synapse_version: "v1.6.0" matrix_synapse_log_dir: "/var/log/matrix_synapse" matrix_synapse_log_days_keep: 30 matrix_synapse_pid_file: "{{ matrix_synapse_base_path }}/synapse.pid" From 06a91c9c1e72b721ff6e306f0b9b53bc58043b4a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20Christian=20Gr=C3=BCnhage?= Date: Mon, 9 Dec 2019 14:32:20 +0100 Subject: [PATCH 119/167] bump version to 1.6.1 --- defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defaults/main.yml b/defaults/main.yml index 2da12b0..6f1eb1f 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -7,7 +7,7 @@ matrix_synapse_secrets_path: "{{ matrix_synapse_base_path }}/secrets" matrix_synapse_dh_path: "{{ matrix_synapse_base_path }}/tls/{{ matrix_server_name }}.dh" matrix_synapse_baseurl: "https://{{ matrix_server_name }}" matrix_synapse_signing_key_path: "{{ matrix_synapse_base_path }}/tls/{{ matrix_server_name }}.signing.key" -matrix_synapse_version: "v1.6.0" +matrix_synapse_version: "v1.6.1" matrix_synapse_log_dir: "/var/log/matrix_synapse" matrix_synapse_log_days_keep: 30 matrix_synapse_pid_file: "{{ matrix_synapse_base_path }}/synapse.pid" From 4a83baf175b1c4a33cbf020ba01192aac7007a4e Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Jan=20Christian=20Gr=C3=BCnhage?= Date: Mon, 9 Dec 2019 14:47:21 +0100 Subject: [PATCH 120/167] allow more mounts for docker container --- defaults/main.yml | 1 + tasks/deployment.yml | 7 +------ vars/main.yml | 7 +++++++ 3 files changed, 9 insertions(+), 6 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 6f1eb1f..db45276 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -13,4 +13,5 @@ matrix_synapse_log_days_keep: 30 matrix_synapse_pid_file: "{{ matrix_synapse_base_path }}/synapse.pid" matrix_synapse_docker_ports: ["8008:8008", "8448:8448"] matrix_synapse_docker_labels: {} +matrix_synapse_extra_docker_volumes: [] matrix_synapse_container_ref: "docker.io/matrixdotorg/synapse" diff --git a/tasks/deployment.yml b/tasks/deployment.yml index 2042353..87c100f 100644 --- a/tasks/deployment.yml +++ b/tasks/deployment.yml @@ -69,10 +69,5 @@ - "-c" - "{{ matrix_synapse_base_path }}/homeserver.yaml" user: "{{ synapse_user.uid }}:{{ synapse_user.group }}" - volumes: - - "{{ matrix_synapse_config.media_store_path }}:{{ matrix_synapse_config.media_store_path }}" - - "{{ matrix_synapse_config.uploads_path }}:{{ matrix_synapse_config.uploads_path }}" - - "{{ matrix_synapse_base_path }}/homeserver.yaml:{{ matrix_synapse_base_path }}/homeserver.yaml" - - "{{ matrix_synapse_base_path }}/log.config:{{ matrix_synapse_base_path }}/log.config" - - "{{ matrix_synapse_base_path }}/tls:{{ matrix_synapse_base_path }}/tls" + volumes: "{{ matrix_synapse_docker_volumes }}" when: matrix_synapse_deployment_method == "docker" diff --git a/vars/main.yml b/vars/main.yml index f149c58..40eaf5b 100644 --- a/vars/main.yml +++ b/vars/main.yml 
@@ -1,4 +1,11 @@ --- +matrix_synapse_docker_volumes: "{{ matrix_synapse_base_docker_volumes + matrix_synapse_extra_docker_volumes }}" +matrix_synapse_base_docker_volumes: + - "{{ matrix_synapse_config.media_store_path }}:{{ matrix_synapse_config.media_store_path }}" + - "{{ matrix_synapse_config.uploads_path }}:{{ matrix_synapse_config.uploads_path }}" + - "{{ matrix_synapse_base_path }}/homeserver.yaml:{{ matrix_synapse_base_path }}/homeserver.yaml" + - "{{ matrix_synapse_base_path }}/log.config:{{ matrix_synapse_base_path }}/log.config" + - "{{ matrix_synapse_base_path }}/tls:{{ matrix_synapse_base_path }}/tls" matrix_synapse_config: "{{ matrix_synapse_base_config | combine(matrix_synapse_extra_config, recursive=True) }}" matrix_synapse_base_config: server_name: "{{ matrix_server_name }}" From a3e3271a12c520ec8027235637e7625d6829f34a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20Christian=20Gr=C3=BCnhage?= Date: Mon, 23 Dec 2019 14:19:10 +0100 Subject: [PATCH 121/167] bump version to 1.7.2 --- defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defaults/main.yml b/defaults/main.yml index db45276..acb521f 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -7,7 +7,7 @@ matrix_synapse_secrets_path: "{{ matrix_synapse_base_path }}/secrets" matrix_synapse_dh_path: "{{ matrix_synapse_base_path }}/tls/{{ matrix_server_name }}.dh" matrix_synapse_baseurl: "https://{{ matrix_server_name }}" matrix_synapse_signing_key_path: "{{ matrix_synapse_base_path }}/tls/{{ matrix_server_name }}.signing.key" -matrix_synapse_version: "v1.6.1" +matrix_synapse_version: "v1.7.2" matrix_synapse_log_dir: "/var/log/matrix_synapse" matrix_synapse_log_days_keep: 30 matrix_synapse_pid_file: "{{ matrix_synapse_base_path }}/synapse.pid" From d770523ae86fcf65c5ec36a1a73d2903c301958d Mon Sep 17 00:00:00 2001 
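Review bot: All five entries in `matrix_synapse_base_docker_volumes` are read-write bind mounts, including `homeserver.yaml` (which carries the database settings shown in `matrix_synapse_base_config` and presumably the homeserver secrets) and `tls/`, where the defaults place the server signing key; the config and key material should be mounted `:ro`, e.g. `- "{{ matrix_synapse_base_path }}/homeserver.yaml:{{ matrix_synapse_base_path }}/homeserver.yaml:ro"` and likewise for `log.config` and `tls`. The caveat is that if the role generates the signing key or certificates from inside the container (older Synapse ACME support wrote into the TLS directory), `tls` must stay writable — I can't see that task from here, so say which in a comment. `matrix_synapse_extra_docker_volumes` lets a playbook mount arbitrary host paths, which is fine, but a one-line comment that entries are appended verbatim and should carry `:ro` where possible belongs next to the definition.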
From: =?UTF-8?q?Jan=20Christian=20Gr=C3=BCnhage?= Date: Thu, 2 Jan 2020 10:58:24 -0300 Subject: [PATCH 122/167] update synapse --- defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defaults/main.yml b/defaults/main.yml index acb521f..7c69e82 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -7,7 +7,7 @@ matrix_synapse_secrets_path: "{{ matrix_synapse_base_path }}/secrets" matrix_synapse_dh_path: "{{ matrix_synapse_base_path }}/tls/{{ matrix_server_name }}.dh" matrix_synapse_baseurl: "https://{{ matrix_server_name }}" matrix_synapse_signing_key_path: "{{ matrix_synapse_base_path }}/tls/{{ matrix_server_name }}.signing.key" -matrix_synapse_version: "v1.7.2" +matrix_synapse_version: "v1.7.3" matrix_synapse_log_dir: "/var/log/matrix_synapse" matrix_synapse_log_days_keep: 30 matrix_synapse_pid_file: "{{ matrix_synapse_base_path }}/synapse.pid" From d97eb1244ecbf0f51b68664ccefcdfea65211e57 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20Christian=20Gr=C3=BCnhage?= Date: Thu, 9 Jan 2020 20:59:06 +0100 Subject: [PATCH 123/167] bump version to 1.8.0 --- defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defaults/main.yml b/defaults/main.yml index 7c69e82..0fcb37f 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -7,7 +7,7 @@ matrix_synapse_secrets_path: "{{ matrix_synapse_base_path }}/secrets" matrix_synapse_dh_path: "{{ matrix_synapse_base_path }}/tls/{{ matrix_server_name }}.dh" matrix_synapse_baseurl: "https://{{ matrix_server_name }}" matrix_synapse_signing_key_path: "{{ matrix_synapse_base_path }}/tls/{{ matrix_server_name }}.signing.key" -matrix_synapse_version: "v1.7.3" +matrix_synapse_version: "v1.8.0" matrix_synapse_log_dir: "/var/log/matrix_synapse" matrix_synapse_log_days_keep: 30 matrix_synapse_pid_file: "{{ matrix_synapse_base_path }}/synapse.pid" From 8eb03ab1e1c1f46e35e4aa67ca8611cadd91a442 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Jan=20Christian=20Gr=C3=BCnhage?= Date: Mon, 20 Jan 2020 17:11:02 +0100 Subject: [PATCH 124/167] Initial commit this commit imports the matrix module from the ansible library and contains two new modules, one for login and one for logout, based on the imported module --- matrix-login.py | 105 +++++++++++++++++++++++++++++++++++ matrix-logout.py | 95 ++++++++++++++++++++++++++++++++ matrix.py | 139 +++++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 339 insertions(+) create mode 100644 matrix-login.py create mode 100644 matrix-logout.py create mode 100644 matrix.py diff --git a/matrix-login.py b/matrix-login.py new file mode 100644 index 0000000..a9b96cc --- /dev/null +++ b/matrix-login.py 
@@ -0,0 +1,105 @@ +#!/usr/bin/python +# coding: utf-8 + +# (c) 2018, Jan Christian Grünhage +# (c) 2020, Famedly GmbH +# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) + +from __future__ import (absolute_import, division, print_function) +__metaclass__ = type + +ANSIBLE_METADATA = { + 'metadata_version': '1.1', + 'status': ['preview'], + 'supported_by': 'community' +} + +DOCUMENTATION = ''' +--- +author: "Jan Christian Grünhage (@jcgruenhage)" +module: matrix-login +short_description: Get a matrix access token +description: + - Log in to a matrix homeserver and get an access token back +options: + hs_url: + description: + - URL of the homeserver, where the CS-API is reachable + required: true + user_id: + description: + - The user id of the user + required: true + password: + description: + - The password to log in with + required: true +requirements: + - matrix-client (Python library) +''' + +EXAMPLES = ''' +- name: Log in to matrix + matrix: + hs_url: "https://matrix.org" + user_id: "{{ matrix_auth_user }}" + password: "{{ matrix_auth_password }}" +''' + +RETURN = ''' +token: + description: The access token aquired by logging in + returned: When login was successful + type: str +''' +import traceback + +from ansible.module_utils.basic import AnsibleModule, missing_required_lib + +MATRIX_IMP_ERR = None +try: + from matrix_client.client import MatrixClient +except ImportError: + MATRIX_IMP_ERR = traceback.format_exc() + matrix_found = False +else: + matrix_found = True + + +def run_module(): + module_args = dict( + hs_url=dict(type='str', required=True), + user_id=dict(type='str', required=True), + password=dict(type='str', required=True, no_log=True), + ) + + result = dict( + changed=False, + ) + + module = AnsibleModule( + argument_spec=module_args, + supports_check_mode=True + ) + + if not matrix_found: + module.fail_json(msg=missing_required_lib('matrix-client'), exception=MATRIX_IMP_ERR) + + if module.check_mode: + 
return result + + # create a client object + client = MatrixClient(module.params['hs_url']) + token = client.login(module.params['user_id'], module.params['password'], sync=False) + + result['token'] = token + + module.exit_json(**result) + + +def main(): + run_module() + + +if __name__ == '__main__': + main() diff --git a/matrix-logout.py b/matrix-logout.py new file mode 100644 index 0000000..241458d --- /dev/null +++ b/matrix-logout.py 
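Review bot: In check mode `run_module` does `return result` without ever calling `module.exit_json`, so the module prints no JSON and Ansible reports a module failure; replace it with `module.exit_json(**result)`. `client.login(...)` is unguarded, so a wrong password or unreachable homeserver surfaces as a raw traceback instead of a clean `module.fail_json(msg=...)`; wrap it in `try/except Exception as e: module.fail_json(msg="login failed: %s" % e)`. The returned `token` is not covered by the argument spec's `no_log` (that only masks inputs), so the RETURN documentation should tell callers to set `no_log: true` on the task, and the EXAMPLES block should invoke `matrix-login`, not `matrix`.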
@@ -0,0 +1,95 @@ +#!/usr/bin/python +# coding: utf-8 + +# (c) 2018, Jan Christian Grünhage +# (c) 2020, Famedly GmbH +# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) + +from __future__ import (absolute_import, division, print_function) +__metaclass__ = type + +ANSIBLE_METADATA = { + 'metadata_version': '1.1', + 'status': ['preview'], + 'supported_by': 'community' +} + +DOCUMENTATION = ''' +--- +author: "Jan Christian Grünhage (@jcgruenhage)" +module: matrix +short_description: Log out of matrix +description: + - Invalidate an access token by logging out +options: + hs_url: + description: + - URL of the homeserver, where the CS-API is reachable + required: true + token: + description: + - Authentication token for the API call + required: true +requirements: + - matrix-client (Python library) +''' + +EXAMPLES = ''' +- name: Invalidate access token + matrix: + hs_url: "https://matrix.org" + token: "{{ matrix_auth_token }}" +''' + +RETURN = ''' +''' +import traceback + +from ansible.module_utils.basic import AnsibleModule, missing_required_lib + +MATRIX_IMP_ERR = None +try: + from matrix_client.client import MatrixClient +except ImportError: + MATRIX_IMP_ERR = traceback.format_exc() + matrix_found = False +else: + matrix_found = True + + +def run_module(): + module_args = dict( + hs_url=dict(type='str', required=True), + token=dict(type='str', required=True, no_log=True), + ) + + result = dict( + changed=False, + ) + + module = AnsibleModule( + argument_spec=module_args, + supports_check_mode=True + ) + + if not matrix_found: + module.fail_json(msg=missing_required_lib('matrix-client'), exception=MATRIX_IMP_ERR) + + if module.check_mode: + return result + + # create a client object + client = MatrixClient(module.params['hs_url']) + client.api.token = module.params['token'] + + client.logout() + + module.exit_json(**result) + + +def main(): + run_module() + + +if __name__ == '__main__': + main() 
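Review bot: The DOCUMENTATION block declares `module: matrix` and the example calls `matrix:`, but this file is matrix-logout, so generated docs and anyone copying the example will hit the notification module instead; change both to `matrix-logout`. A successful `client.logout()` invalidates the token server-side, which is a state change, so the result should report `result['changed'] = True` rather than the hard-coded `changed=False`. The same check-mode `return result` without `module.exit_json(**result)` as in matrix-login.py is present here, and `client.logout()` should be wrapped so a failed request becomes `module.fail_json` instead of a traceback.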
diff --git a/matrix.py b/matrix.py new file mode 100644 index 0000000..658b9a6 --- /dev/null +++ b/matrix.py 
@@ -0,0 +1,139 @@ +#!/usr/bin/python +# coding: utf-8 + +# (c) 2018, Jan Christian Grünhage +# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) + +from __future__ import (absolute_import, division, print_function) +__metaclass__ = type + +ANSIBLE_METADATA = { + 'metadata_version': '1.1', + 'status': ['preview'], + 'supported_by': 'community' +} + +DOCUMENTATION = ''' +--- +author: "Jan Christian Grünhage (@jcgruenhage)" +module: matrix +short_description: Send notifications to matrix +description: + - This module sends html formatted notifications to matrix rooms. +version_added: "2.8" +options: + msg_plain: + description: + - Plain text form of the message to send to matrix, usually markdown + required: true + msg_html: + description: + - HTML form of the message to send to matrix + required: true + room_id: + description: + - ID of the room to send the notification to + required: true + hs_url: + description: + - URL of the homeserver, where the CS-API is reachable + required: true + token: + description: + - Authentication token for the API call. 
If provided, user_id and password are not required + user_id: + description: + - The user id of the user + password: + description: + - The password to log in with +requirements: + - matrix-client (Python library) +''' + +EXAMPLES = ''' +- name: Send matrix notification with token + matrix: + msg_plain: "**hello world**" + msg_html: "hello world" + room_id: "!12345678:server.tld" + hs_url: "https://matrix.org" + token: "{{ matrix_auth_token }}" + +- name: Send matrix notification with user_id and password + matrix: + msg_plain: "**hello world**" + msg_html: "hello world" + room_id: "!12345678:server.tld" + hs_url: "https://matrix.org" + user_id: "ansible_notification_bot" + password: "{{ matrix_auth_password }}" +''' + +RETURN = ''' +''' +import traceback + +from ansible.module_utils.basic import AnsibleModule, missing_required_lib + +MATRIX_IMP_ERR = None +try: + from matrix_client.client import MatrixClient +except ImportError: + MATRIX_IMP_ERR = traceback.format_exc() + matrix_found = False +else: + matrix_found = True + + +def run_module(): + module_args = dict( + msg_plain=dict(type='str', required=True), + msg_html=dict(type='str', required=True), + room_id=dict(type='str', required=True), + hs_url=dict(type='str', required=True), + token=dict(type='str', required=False, no_log=True), + user_id=dict(type='str', required=False), + password=dict(type='str', required=False, no_log=True), + ) + + result = dict( + changed=False, + message='' + ) + + module = AnsibleModule( + argument_spec=module_args, + mutually_exclusive=[['password', 'token']], + required_one_of=[['password', 'token']], + required_together=[['user_id', 'password']], + supports_check_mode=True + ) + + if not matrix_found: + module.fail_json(msg=missing_required_lib('matrix-client'), exception=MATRIX_IMP_ERR) + + if module.check_mode: + return result + + # create a client object + client = MatrixClient(module.params['hs_url']) + if module.params['token'] is not None: + client.api.token = 
module.params['token'] + else: + client.login(module.params['user_id'], module.params['password'], sync=False) + + # make sure we are in a given room and return a room object for it + room = client.join_room(module.params['room_id']) + # send an html formatted messages + room.send_html(module.params['msg_html'], module.params['msg_plain']) + + module.exit_json(**result) + + +def main(): + run_module() + + +if __name__ == '__main__': + main() From b75788001cd6ab10d39dcf1756f76f727cbb48b0 Mon Sep 17 00:00:00 2001 From: Niklas Zender Date: Mon, 3 Feb 2020 08:23:41 +0000 Subject: [PATCH 125/167] add CODEOWNERS --- CODEOWNERS | 1 + 1 file changed, 1 insertion(+) create mode 100644 CODEOWNERS diff --git a/CODEOWNERS b/CODEOWNERS new file mode 100644 index 0000000..1fe7acf --- /dev/null +++ b/CODEOWNERS @@ -0,0 +1 @@ +* @jcgruenhage \ No newline at end of file From e152b0889696ef72a817a146ee405aaefefef2f6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20Christian=20Gr=C3=BCnhage?= Date: Tue, 11 Feb 2020 11:12:05 +0100 Subject: [PATCH 126/167] update riot and fix docker deployment --- defaults/main.yml | 4 ++-- tasks/main.yml | 10 +++++++--- 2 files changed, 9 insertions(+), 5 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 221fbac..cb3a2d8 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -1,6 +1,6 @@ --- -riot_version: 1.3.3 -riot_webapp_dir: /opt/riot/ +riot_version: 1.5.8 +riot_webapp_dir: /opt/riot riot_config: brand: Riot bug_report_endpoint_url: https://riot.im/bugreports/submit diff --git a/tasks/main.yml b/tasks/main.yml index 6073c28..9eb95ac 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -8,6 +8,11 @@ import_tasks: download.yml when: riot_deployment_method == "webroot" +- name: Create riot directory for docker configs + file: + dest: "{{ riot_webapp_dir }}/riot-v{{ riot_version }}" + state: directory + - name: Write main configuration copy: content: "{{ riot_config | to_nice_json }}" 
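Review bot: The password branch calls `client.login(...)` on every run and never logs out, so each playbook execution leaves a fresh long-lived access token and device on the homeserver for the bot account; the send should be wrapped so password-based runs revoke what they minted, as sketched below. Sending a message is a side effect, so `result['changed'] = True` after `room.send_html(...)` is the accurate report, and the check-mode `return result` must become `module.exit_json(**result)` or the module emits no output at all. `join_room` also silently joins the bot to `room_id` when it is not yet a member, which deserves a comment on that line since it changes room membership rather than merely posting.
```python
    # … unchanged: client construction and token/password branch …
    try:
        # join_room also joins the bot if it is not yet a member of room_id
        room = client.join_room(module.params['room_id'])
        room.send_html(module.params['msg_html'], module.params['msg_plain'])
        result['changed'] = True
    finally:
        # a password login mints a new device/token each run; revoke it
        if module.params['token'] is None:
            client.logout()
```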
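Review bot: `Create riot directory for docker configs` creates `{{ riot_webapp_dir }}/riot-v{{ riot_version }}` with no `owner`, `group` or `mode`, so it inherits root and the umask, and it runs for both deployment methods although its name says it exists for docker; add `mode: "0755"` (the served config is public anyway) and `when: riot_deployment_method == "docker"`, or rename the task to reflect that it is unconditional. If the webroot path's download.yml already creates this directory, the unconditional task is harmless but redundant — I can't see download.yml from here.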
@@ -17,13 +22,12 @@ copy: content: "{{ item.config | to_nice_json }}" dest: "{{ riot_webapp_dir }}/riot-v{{ riot_version }}/config.{{ item.domain }}.json" - loop: "riot_domain_configs" + loop: "{{ riot_domain_configs }}" - name: Deploy docker container docker_container: - docker_container: name: "riot-web" - image: "docker.io/vectorim/riot-web:{{ riot_version }}" + image: "docker.io/vectorim/riot-web:v{{ riot_version }}" ports: "{{ riot_docker_ports }}" labels: "{{ riot_docker_labels }}" restart_policy: unless-stopped From 36aecd6c3e4826420a48dc1cd071ddafd2c242be Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20Christian=20Gr=C3=BCnhage?= Date: Fri, 14 Feb 2020 01:45:30 +0100 Subject: [PATCH 127/167] add README, LICENSE and CODEOWNER --- .gitignore | 1 + CODEOWNERS | 1 + LICENSE.md | 660 +++++++++++++++++++++++++++++++++++++++++++++++++++++ README.md | 17 ++ 4 files changed, 679 insertions(+) create mode 100644 .gitignore create mode 100644 CODEOWNERS create mode 100644 LICENSE.md create mode 100644 README.md diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..0230a23 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +test-settings.sh diff --git a/CODEOWNERS b/CODEOWNERS new file mode 100644 index 0000000..8ca5458 --- /dev/null +++ b/CODEOWNERS @@ -0,0 +1 @@ +* @jcgruenhage diff --git a/LICENSE.md b/LICENSE.md new file mode 100644 index 0000000..cba6f6a --- /dev/null +++ b/LICENSE.md 
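Review bot: `image: "docker.io/vectorim/riot-web:v{{ riot_version }}"` now resolves the tag correctly, but it is still a mutable tag with no digest option, so the same `riot_docker_*` variables cannot pin a reproducible image; a `riot_container_digest` used as `image: "docker.io/vectorim/riot-web@{{ riot_container_digest }}"` when defined would mirror what a security-conscious operator needs. The `volumes:` line and the default for `riot_docker_volumes` lie outside this hunk, so I am only noting that the container still receives no explicit `user:` and that whatever mounts the operator supplies are passed through verbatim — a comment on the task stating both is worth adding.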
@@ -0,0 +1,660 @@ +### GNU AFFERO GENERAL PUBLIC LICENSE + +Version 3, 19 November 2007 + +Copyright (C) 2007 Free Software Foundation, Inc. + + +Everyone is permitted to copy and distribute verbatim copies of this +license document, but changing it is not allowed. + +### Preamble + +The GNU Affero General Public License is a free, copyleft license for +software and other kinds of works, specifically designed to ensure +cooperation with the community in the case of network server software. + +The licenses for most software and other practical works are designed +to take away your freedom to share and change the works. By contrast, +our General Public Licenses are intended to guarantee your freedom to +share and change all versions of a program--to make sure it remains +free software for all its users. + +When we speak of free software, we are referring to freedom, not +price. Our General Public Licenses are designed to make sure that you +have the freedom to distribute copies of free software (and charge for +them if you wish), that you receive source code or can get it if you +want it, that you can change the software or use pieces of it in new +free programs, and that you know you can do these things. + +Developers that use our General Public Licenses protect your rights +with two steps: (1) assert copyright on the software, and (2) offer +you this License which gives you legal permission to copy, distribute +and/or modify the software. + +A secondary benefit of defending all users' freedom is that +improvements made in alternate versions of the program, if they +receive widespread use, become available for other developers to +incorporate. Many developers of free software are heartened and +encouraged by the resulting cooperation. However, in the case of +software used on network servers, this result may fail to come about. 
+The GNU General Public License permits making a modified version and +letting the public access it on a server without ever releasing its +source code to the public. + +The GNU Affero General Public License is designed specifically to +ensure that, in such cases, the modified source code becomes available +to the community. It requires the operator of a network server to +provide the source code of the modified version running there to the +users of that server. Therefore, public use of a modified version, on +a publicly accessible server, gives the public access to the source +code of the modified version. + +An older license, called the Affero General Public License and +published by Affero, was designed to accomplish similar goals. This is +a different license, not a version of the Affero GPL, but Affero has +released a new version of the Affero GPL which permits relicensing +under this license. + +The precise terms and conditions for copying, distribution and +modification follow. + +### TERMS AND CONDITIONS + +#### 0. Definitions. + +"This License" refers to version 3 of the GNU Affero General Public +License. + +"Copyright" also means copyright-like laws that apply to other kinds +of works, such as semiconductor masks. + +"The Program" refers to any copyrightable work licensed under this +License. Each licensee is addressed as "you". "Licensees" and +"recipients" may be individuals or organizations. + +To "modify" a work means to copy from or adapt all or part of the work +in a fashion requiring copyright permission, other than the making of +an exact copy. The resulting work is called a "modified version" of +the earlier work or a work "based on" the earlier work. + +A "covered work" means either the unmodified Program or a work based +on the Program. 
+ +To "propagate" a work means to do anything with it that, without +permission, would make you directly or secondarily liable for +infringement under applicable copyright law, except executing it on a +computer or modifying a private copy. Propagation includes copying, +distribution (with or without modification), making available to the +public, and in some countries other activities as well. + +To "convey" a work means any kind of propagation that enables other +parties to make or receive copies. Mere interaction with a user +through a computer network, with no transfer of a copy, is not +conveying. + +An interactive user interface displays "Appropriate Legal Notices" to +the extent that it includes a convenient and prominently visible +feature that (1) displays an appropriate copyright notice, and (2) +tells the user that there is no warranty for the work (except to the +extent that warranties are provided), that licensees may convey the +work under this License, and how to view a copy of this License. If +the interface presents a list of user commands or options, such as a +menu, a prominent item in the list meets this criterion. + +#### 1. Source Code. + +The "source code" for a work means the preferred form of the work for +making modifications to it. "Object code" means any non-source form of +a work. + +A "Standard Interface" means an interface that either is an official +standard defined by a recognized standards body, or, in the case of +interfaces specified for a particular programming language, one that +is widely used among developers working in that language. 
+ +The "System Libraries" of an executable work include anything, other +than the work as a whole, that (a) is included in the normal form of +packaging a Major Component, but which is not part of that Major +Component, and (b) serves only to enable use of the work with that +Major Component, or to implement a Standard Interface for which an +implementation is available to the public in source code form. A +"Major Component", in this context, means a major essential component +(kernel, window system, and so on) of the specific operating system +(if any) on which the executable work runs, or a compiler used to +produce the work, or an object code interpreter used to run it. + +The "Corresponding Source" for a work in object code form means all +the source code needed to generate, install, and (for an executable +work) run the object code and to modify the work, including scripts to +control those activities. However, it does not include the work's +System Libraries, or general-purpose tools or generally available free +programs which are used unmodified in performing those activities but +which are not part of the work. For example, Corresponding Source +includes interface definition files associated with source files for +the work, and the source code for shared libraries and dynamically +linked subprograms that the work is specifically designed to require, +such as by intimate data communication or control flow between those +subprograms and other parts of the work. + +The Corresponding Source need not include anything that users can +regenerate automatically from other parts of the Corresponding Source. + +The Corresponding Source for a work in source code form is that same +work. + +#### 2. Basic Permissions. + +All rights granted under this License are granted for the term of +copyright on the Program, and are irrevocable provided the stated +conditions are met. This License explicitly affirms your unlimited +permission to run the unmodified Program. 
The output from running a +covered work is covered by this License only if the output, given its +content, constitutes a covered work. This License acknowledges your +rights of fair use or other equivalent, as provided by copyright law. + +You may make, run and propagate covered works that you do not convey, +without conditions so long as your license otherwise remains in force. +You may convey covered works to others for the sole purpose of having +them make modifications exclusively for you, or provide you with +facilities for running those works, provided that you comply with the +terms of this License in conveying all material for which you do not +control copyright. Those thus making or running the covered works for +you must do so exclusively on your behalf, under your direction and +control, on terms that prohibit them from making any copies of your +copyrighted material outside their relationship with you. + +Conveying under any other circumstances is permitted solely under the +conditions stated below. Sublicensing is not allowed; section 10 makes +it unnecessary. + +#### 3. Protecting Users' Legal Rights From Anti-Circumvention Law. + +No covered work shall be deemed part of an effective technological +measure under any applicable law fulfilling obligations under article +11 of the WIPO copyright treaty adopted on 20 December 1996, or +similar laws prohibiting or restricting circumvention of such +measures. + +When you convey a covered work, you waive any legal power to forbid +circumvention of technological measures to the extent such +circumvention is effected by exercising rights under this License with +respect to the covered work, and you disclaim any intention to limit +operation or modification of the work as a means of enforcing, against +the work's users, your or third parties' legal rights to forbid +circumvention of technological measures. + +#### 4. Conveying Verbatim Copies. 
+ +You may convey verbatim copies of the Program's source code as you +receive it, in any medium, provided that you conspicuously and +appropriately publish on each copy an appropriate copyright notice; +keep intact all notices stating that this License and any +non-permissive terms added in accord with section 7 apply to the code; +keep intact all notices of the absence of any warranty; and give all +recipients a copy of this License along with the Program. + +You may charge any price or no price for each copy that you convey, +and you may offer support or warranty protection for a fee. + +#### 5. Conveying Modified Source Versions. + +You may convey a work based on the Program, or the modifications to +produce it from the Program, in the form of source code under the +terms of section 4, provided that you also meet all of these +conditions: + +- a) The work must carry prominent notices stating that you modified + it, and giving a relevant date. +- b) The work must carry prominent notices stating that it is + released under this License and any conditions added under + section 7. This requirement modifies the requirement in section 4 + to "keep intact all notices". +- c) You must license the entire work, as a whole, under this + License to anyone who comes into possession of a copy. This + License will therefore apply, along with any applicable section 7 + additional terms, to the whole of the work, and all its parts, + regardless of how they are packaged. This License gives no + permission to license the work in any other way, but it does not + invalidate such permission if you have separately received it. +- d) If the work has interactive user interfaces, each must display + Appropriate Legal Notices; however, if the Program has interactive + interfaces that do not display Appropriate Legal Notices, your + work need not make them do so. 
+ +A compilation of a covered work with other separate and independent +works, which are not by their nature extensions of the covered work, +and which are not combined with it such as to form a larger program, +in or on a volume of a storage or distribution medium, is called an +"aggregate" if the compilation and its resulting copyright are not +used to limit the access or legal rights of the compilation's users +beyond what the individual works permit. Inclusion of a covered work +in an aggregate does not cause this License to apply to the other +parts of the aggregate. + +#### 6. Conveying Non-Source Forms. + +You may convey a covered work in object code form under the terms of +sections 4 and 5, provided that you also convey the machine-readable +Corresponding Source under the terms of this License, in one of these +ways: + +- a) Convey the object code in, or embodied in, a physical product + (including a physical distribution medium), accompanied by the + Corresponding Source fixed on a durable physical medium + customarily used for software interchange. +- b) Convey the object code in, or embodied in, a physical product + (including a physical distribution medium), accompanied by a + written offer, valid for at least three years and valid for as + long as you offer spare parts or customer support for that product + model, to give anyone who possesses the object code either (1) a + copy of the Corresponding Source for all the software in the + product that is covered by this License, on a durable physical + medium customarily used for software interchange, for a price no + more than your reasonable cost of physically performing this + conveying of source, or (2) access to copy the Corresponding + Source from a network server at no charge. +- c) Convey individual copies of the object code with a copy of the + written offer to provide the Corresponding Source. 
This + alternative is allowed only occasionally and noncommercially, and + only if you received the object code with such an offer, in accord + with subsection 6b. +- d) Convey the object code by offering access from a designated + place (gratis or for a charge), and offer equivalent access to the + Corresponding Source in the same way through the same place at no + further charge. You need not require recipients to copy the + Corresponding Source along with the object code. If the place to + copy the object code is a network server, the Corresponding Source + may be on a different server (operated by you or a third party) + that supports equivalent copying facilities, provided you maintain + clear directions next to the object code saying where to find the + Corresponding Source. Regardless of what server hosts the + Corresponding Source, you remain obligated to ensure that it is + available for as long as needed to satisfy these requirements. +- e) Convey the object code using peer-to-peer transmission, + provided you inform other peers where the object code and + Corresponding Source of the work are being offered to the general + public at no charge under subsection 6d. + +A separable portion of the object code, whose source code is excluded +from the Corresponding Source as a System Library, need not be +included in conveying the object code work. + +A "User Product" is either (1) a "consumer product", which means any +tangible personal property which is normally used for personal, +family, or household purposes, or (2) anything designed or sold for +incorporation into a dwelling. In determining whether a product is a +consumer product, doubtful cases shall be resolved in favor of +coverage. 
For a particular product received by a particular user, +"normally used" refers to a typical or common use of that class of +product, regardless of the status of the particular user or of the way +in which the particular user actually uses, or expects or is expected +to use, the product. A product is a consumer product regardless of +whether the product has substantial commercial, industrial or +non-consumer uses, unless such uses represent the only significant +mode of use of the product. + +"Installation Information" for a User Product means any methods, +procedures, authorization keys, or other information required to +install and execute modified versions of a covered work in that User +Product from a modified version of its Corresponding Source. The +information must suffice to ensure that the continued functioning of +the modified object code is in no case prevented or interfered with +solely because modification has been made. + +If you convey an object code work under this section in, or with, or +specifically for use in, a User Product, and the conveying occurs as +part of a transaction in which the right of possession and use of the +User Product is transferred to the recipient in perpetuity or for a +fixed term (regardless of how the transaction is characterized), the +Corresponding Source conveyed under this section must be accompanied +by the Installation Information. But this requirement does not apply +if neither you nor any third party retains the ability to install +modified object code on the User Product (for example, the work has +been installed in ROM). + +The requirement to provide Installation Information does not include a +requirement to continue to provide support service, warranty, or +updates for a work that has been modified or installed by the +recipient, or for the User Product in which it has been modified or +installed. 
Access to a network may be denied when the modification +itself materially and adversely affects the operation of the network +or violates the rules and protocols for communication across the +network. + +Corresponding Source conveyed, and Installation Information provided, +in accord with this section must be in a format that is publicly +documented (and with an implementation available to the public in +source code form), and must require no special password or key for +unpacking, reading or copying. + +#### 7. Additional Terms. + +"Additional permissions" are terms that supplement the terms of this +License by making exceptions from one or more of its conditions. +Additional permissions that are applicable to the entire Program shall +be treated as though they were included in this License, to the extent +that they are valid under applicable law. If additional permissions +apply only to part of the Program, that part may be used separately +under those permissions, but the entire Program remains governed by +this License without regard to the additional permissions. + +When you convey a copy of a covered work, you may at your option +remove any additional permissions from that copy, or from any part of +it. (Additional permissions may be written to require their own +removal in certain cases when you modify the work.) You may place +additional permissions on material, added by you to a covered work, +for which you have or can give appropriate copyright permission. 
+ +Notwithstanding any other provision of this License, for material you +add to a covered work, you may (if authorized by the copyright holders +of that material) supplement the terms of this License with terms: + +- a) Disclaiming warranty or limiting liability differently from the + terms of sections 15 and 16 of this License; or +- b) Requiring preservation of specified reasonable legal notices or + author attributions in that material or in the Appropriate Legal + Notices displayed by works containing it; or +- c) Prohibiting misrepresentation of the origin of that material, + or requiring that modified versions of such material be marked in + reasonable ways as different from the original version; or +- d) Limiting the use for publicity purposes of names of licensors + or authors of the material; or +- e) Declining to grant rights under trademark law for use of some + trade names, trademarks, or service marks; or +- f) Requiring indemnification of licensors and authors of that + material by anyone who conveys the material (or modified versions + of it) with contractual assumptions of liability to the recipient, + for any liability that these contractual assumptions directly + impose on those licensors and authors. + +All other non-permissive additional terms are considered "further +restrictions" within the meaning of section 10. If the Program as you +received it, or any part of it, contains a notice stating that it is +governed by this License along with a term that is a further +restriction, you may remove that term. If a license document contains +a further restriction but permits relicensing or conveying under this +License, you may add to a covered work material governed by the terms +of that license document, provided that the further restriction does +not survive such relicensing or conveying. 
+ +If you add terms to a covered work in accord with this section, you +must place, in the relevant source files, a statement of the +additional terms that apply to those files, or a notice indicating +where to find the applicable terms. + +Additional terms, permissive or non-permissive, may be stated in the +form of a separately written license, or stated as exceptions; the +above requirements apply either way. + +#### 8. Termination. + +You may not propagate or modify a covered work except as expressly +provided under this License. Any attempt otherwise to propagate or +modify it is void, and will automatically terminate your rights under +this License (including any patent licenses granted under the third +paragraph of section 11). + +However, if you cease all violation of this License, then your license +from a particular copyright holder is reinstated (a) provisionally, +unless and until the copyright holder explicitly and finally +terminates your license, and (b) permanently, if the copyright holder +fails to notify you of the violation by some reasonable means prior to +60 days after the cessation. + +Moreover, your license from a particular copyright holder is +reinstated permanently if the copyright holder notifies you of the +violation by some reasonable means, this is the first time you have +received notice of violation of this License (for any work) from that +copyright holder, and you cure the violation prior to 30 days after +your receipt of the notice. + +Termination of your rights under this section does not terminate the +licenses of parties who have received copies or rights from you under +this License. If your rights have been terminated and not permanently +reinstated, you do not qualify to receive new licenses for the same +material under section 10. + +#### 9. Acceptance Not Required for Having Copies. + +You are not required to accept this License in order to receive or run +a copy of the Program. 
Ancillary propagation of a covered work +occurring solely as a consequence of using peer-to-peer transmission +to receive a copy likewise does not require acceptance. However, +nothing other than this License grants you permission to propagate or +modify any covered work. These actions infringe copyright if you do +not accept this License. Therefore, by modifying or propagating a +covered work, you indicate your acceptance of this License to do so. + +#### 10. Automatic Licensing of Downstream Recipients. + +Each time you convey a covered work, the recipient automatically +receives a license from the original licensors, to run, modify and +propagate that work, subject to this License. You are not responsible +for enforcing compliance by third parties with this License. + +An "entity transaction" is a transaction transferring control of an +organization, or substantially all assets of one, or subdividing an +organization, or merging organizations. If propagation of a covered +work results from an entity transaction, each party to that +transaction who receives a copy of the work also receives whatever +licenses to the work the party's predecessor in interest had or could +give under the previous paragraph, plus a right to possession of the +Corresponding Source of the work from the predecessor in interest, if +the predecessor has it or can get it with reasonable efforts. + +You may not impose any further restrictions on the exercise of the +rights granted or affirmed under this License. For example, you may +not impose a license fee, royalty, or other charge for exercise of +rights granted under this License, and you may not initiate litigation +(including a cross-claim or counterclaim in a lawsuit) alleging that +any patent claim is infringed by making, using, selling, offering for +sale, or importing the Program or any portion of it. + +#### 11. Patents. 
+ +A "contributor" is a copyright holder who authorizes use under this +License of the Program or a work on which the Program is based. The +work thus licensed is called the contributor's "contributor version". + +A contributor's "essential patent claims" are all patent claims owned +or controlled by the contributor, whether already acquired or +hereafter acquired, that would be infringed by some manner, permitted +by this License, of making, using, or selling its contributor version, +but do not include claims that would be infringed only as a +consequence of further modification of the contributor version. For +purposes of this definition, "control" includes the right to grant +patent sublicenses in a manner consistent with the requirements of +this License. + +Each contributor grants you a non-exclusive, worldwide, royalty-free +patent license under the contributor's essential patent claims, to +make, use, sell, offer for sale, import and otherwise run, modify and +propagate the contents of its contributor version. + +In the following three paragraphs, a "patent license" is any express +agreement or commitment, however denominated, not to enforce a patent +(such as an express permission to practice a patent or covenant not to +sue for patent infringement). To "grant" such a patent license to a +party means to make such an agreement or commitment not to enforce a +patent against the party. 
+ +If you convey a covered work, knowingly relying on a patent license, +and the Corresponding Source of the work is not available for anyone +to copy, free of charge and under the terms of this License, through a +publicly available network server or other readily accessible means, +then you must either (1) cause the Corresponding Source to be so +available, or (2) arrange to deprive yourself of the benefit of the +patent license for this particular work, or (3) arrange, in a manner +consistent with the requirements of this License, to extend the patent +license to downstream recipients. "Knowingly relying" means you have +actual knowledge that, but for the patent license, your conveying the +covered work in a country, or your recipient's use of the covered work +in a country, would infringe one or more identifiable patents in that +country that you have reason to believe are valid. + +If, pursuant to or in connection with a single transaction or +arrangement, you convey, or propagate by procuring conveyance of, a +covered work, and grant a patent license to some of the parties +receiving the covered work authorizing them to use, propagate, modify +or convey a specific copy of the covered work, then the patent license +you grant is automatically extended to all recipients of the covered +work and works based on it. + +A patent license is "discriminatory" if it does not include within the +scope of its coverage, prohibits the exercise of, or is conditioned on +the non-exercise of one or more of the rights that are specifically +granted under this License. 
You may not convey a covered work if you +are a party to an arrangement with a third party that is in the +business of distributing software, under which you make payment to the +third party based on the extent of your activity of conveying the +work, and under which the third party grants, to any of the parties +who would receive the covered work from you, a discriminatory patent +license (a) in connection with copies of the covered work conveyed by +you (or copies made from those copies), or (b) primarily for and in +connection with specific products or compilations that contain the +covered work, unless you entered into that arrangement, or that patent +license was granted, prior to 28 March 2007. + +Nothing in this License shall be construed as excluding or limiting +any implied license or other defenses to infringement that may +otherwise be available to you under applicable patent law. + +#### 12. No Surrender of Others' Freedom. + +If conditions are imposed on you (whether by court order, agreement or +otherwise) that contradict the conditions of this License, they do not +excuse you from the conditions of this License. If you cannot convey a +covered work so as to satisfy simultaneously your obligations under +this License and any other pertinent obligations, then as a +consequence you may not convey it at all. For example, if you agree to +terms that obligate you to collect a royalty for further conveying +from those to whom you convey the Program, the only way you could +satisfy both those terms and this License would be to refrain entirely +from conveying the Program. + +#### 13. Remote Network Interaction; Use with the GNU General Public License. 
+ +Notwithstanding any other provision of this License, if you modify the +Program, your modified version must prominently offer all users +interacting with it remotely through a computer network (if your +version supports such interaction) an opportunity to receive the +Corresponding Source of your version by providing access to the +Corresponding Source from a network server at no charge, through some +standard or customary means of facilitating copying of software. This +Corresponding Source shall include the Corresponding Source for any +work covered by version 3 of the GNU General Public License that is +incorporated pursuant to the following paragraph. + +Notwithstanding any other provision of this License, you have +permission to link or combine any covered work with a work licensed +under version 3 of the GNU General Public License into a single +combined work, and to convey the resulting work. The terms of this +License will continue to apply to the part which is the covered work, +but the work with which it is combined will remain governed by version +3 of the GNU General Public License. + +#### 14. Revised Versions of this License. + +The Free Software Foundation may publish revised and/or new versions +of the GNU Affero General Public License from time to time. Such new +versions will be similar in spirit to the present version, but may +differ in detail to address new problems or concerns. + +Each version is given a distinguishing version number. If the Program +specifies that a certain numbered version of the GNU Affero General +Public License "or any later version" applies to it, you have the +option of following the terms and conditions either of that numbered +version or of any later version published by the Free Software +Foundation. If the Program does not specify a version number of the +GNU Affero General Public License, you may choose any version ever +published by the Free Software Foundation. 
+ +If the Program specifies that a proxy can decide which future versions +of the GNU Affero General Public License can be used, that proxy's +public statement of acceptance of a version permanently authorizes you +to choose that version for the Program. + +Later license versions may give you additional or different +permissions. However, no additional obligations are imposed on any +author or copyright holder as a result of your choosing to follow a +later version. + +#### 15. Disclaimer of Warranty. + +THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY +APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT +HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT +WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT +LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR +A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND +PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE +DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR +CORRECTION. + +#### 16. Limitation of Liability. + +IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING +WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR +CONVEYS THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, +INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES +ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT +NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR +LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM +TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER +PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. + +#### 17. Interpretation of Sections 15 and 16. 
+ +If the disclaimer of warranty and limitation of liability provided +above cannot be given local legal effect according to their terms, +reviewing courts shall apply local law that most closely approximates +an absolute waiver of all civil liability in connection with the +Program, unless a warranty or assumption of liability accompanies a +copy of the Program in return for a fee. + +END OF TERMS AND CONDITIONS + +### How to Apply These Terms to Your New Programs + +If you develop a new program, and you want it to be of the greatest +possible use to the public, the best way to achieve this is to make it +free software which everyone can redistribute and change under these +terms. + +To do so, attach the following notices to the program. It is safest to +attach them to the start of each source file to most effectively state +the exclusion of warranty; and each file should have at least the +"copyright" line and a pointer to where the full notice is found. + + + Copyright (C) + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU Affero General Public License as + published by the Free Software Foundation, either version 3 of the + License, or (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU Affero General Public License for more details. + + You should have received a copy of the GNU Affero General Public License + along with this program. If not, see . + +Also add information on how to contact you by electronic and paper +mail. + +If your software can interact with users remotely through a computer +network, you should also make sure that it provides a way for users to +get its source. For example, if your program is a web application, its +interface could display a "Source" link that leads users to an archive +of the code. 
There are many ways you could offer source, and different +solutions will be better for different programs; see section 13 for +the specific requirements. + +You should also get your employer (if you work as a programmer) or +school, if any, to sign a "copyright disclaimer" for the program, if +necessary. For more information on this, and how to apply and follow +the GNU AGPL, see . diff --git a/README.md b/README.md new file mode 100644 index 0000000..fe1c363 --- /dev/null +++ b/README.md @@ -0,0 +1,17 @@ +# Matrix Ansible Modules + +This repo contains a few ansible modules for working with matrix rooms. + +## Installation + +To install these modules so that you can use them, put them into `~/.ansible/plugins/modules/` or for global installation, install them to `/usr/share/ansible/plugins/modules/`. + +## Usage + +For usage examples, look at the doc comments included in the source files for the modules. + +## Contributing +Pull requests are welcome. For major changes, please open an issue first to discuss what you would like to change. + +## License +[AGPLv3](https://choosealicense.com/licenses/agpl-3.0/) From aea8668d0a6961042cb2485ec25f6a43b28efe06 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20Christian=20Gr=C3=BCnhage?= Date: Mon, 10 Feb 2020 18:23:03 +0100 Subject: [PATCH 128/167] migrate modules matrix-nio and add tests --- matrix-login.py | 32 +++++++++----- matrix-logout.py | 25 +++++------ matrix.py => matrix-notification.py | 65 +++++++++++++++++++++-------- test-login-logout.sh | 11 +++++ test-notification.sh | 7 ++++ test-settings.sample.sh | 7 ++++ 6 files changed, 106 insertions(+), 41 deletions(-) rename matrix.py => matrix-notification.py (66%) create mode 100755 test-login-logout.sh create mode 100755 test-notification.sh create mode 100644 test-settings.sample.sh diff --git a/matrix-login.py b/matrix-login.py index a9b96cc..5bf254d 100644 --- a/matrix-login.py +++ b/matrix-login.py 
@@ -3,7 +3,7 @@ # (c) 2018, Jan Christian Grünhage # (c) 2020, Famedly GmbH -# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) +# GNU Affero General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/agpl-3.0.txt) from __future__ import (absolute_import, division, print_function) __metaclass__ = type @@ -35,7 +35,7 @@ options: - The password to log in with required: true requirements: - - matrix-client (Python library) + - matrix-nio (Python library) ''' EXAMPLES = ''' @@ -51,22 +51,26 @@ token: description: The access token aquired by logging in returned: When login was successful type: str +device_id: + description: The device ID assigned by the server + returned: When login was successful + type: str ''' import traceback +import asyncio from ansible.module_utils.basic import AnsibleModule, missing_required_lib MATRIX_IMP_ERR = None try: - from matrix_client.client import MatrixClient + from nio import AsyncClient except ImportError: MATRIX_IMP_ERR = traceback.format_exc() matrix_found = False else: matrix_found = True - -def run_module(): +async def run_module(): module_args = dict( hs_url=dict(type='str', required=True), user_id=dict(type='str', required=True), 
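Review bot: The RETURN entries for `token` and the new `device_id` describe the values but not that `token` is a live bearer credential that a registered `login_result` carries into task return data and `-v` output. A sentence on the `token` entry such as `This is a bearer credential for the account; run the task with no_log: true and revoke it with the logout module when the play is done` would tell playbook authors how to handle it. The `device_id` description could add that it names the session the token belongs to, which is what a later revocation acts on. The `run_module` coroutine whose signature is changed here continues outside this hunk.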
@@ -83,22 +87,28 @@ def run_module(): ) if not matrix_found: - module.fail_json(msg=missing_required_lib('matrix-client'), exception=MATRIX_IMP_ERR) + module.fail_json(msg=missing_required_lib('matrix-nio'), exception=MATRIX_IMP_ERR) if module.check_mode: return result - # create a client object - client = MatrixClient(module.params['hs_url']) - token = client.login(module.params['user_id'], module.params['password'], sync=False) + # Create client object + client = AsyncClient(module.params['hs_url'], module.params['user_id']) + # Log in + login_response = await client.login(module.params['password']) - result['token'] = token + # Store results + result['token'] = login_response.access_token + result['device_id'] = login_response.device_id + + # Close client sessions + await client.close() module.exit_json(**result) def main(): - run_module() + asyncio.run(run_module()) if __name__ == '__main__': diff --git a/matrix-logout.py b/matrix-logout.py index 241458d..d4ac3fe 100644 --- a/matrix-logout.py +++ b/matrix-logout.py @@ -3,7 +3,7 @@ # (c) 2018, Jan Christian Grünhage # (c) 2020, Famedly GmbH -# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) +# GNU Affero General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/agpl-3.0.txt) from __future__ import (absolute_import, division, print_function) __metaclass__ = type @@ -31,7 +31,7 @@ options: - Authentication token for the API call required: true requirements: - - matrix-client (Python library) + - matrix-nio (Python library) ''' EXAMPLES = ''' 
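Review bot: `login_response.access_token` is read without checking what `client.login()` returned; matrix-nio reports a rejected login as an error response object rather than raising, so a wrong password ends in an AttributeError traceback instead of a clean `fail_json`. Add `if isinstance(login_response, LoginError): await client.close(); module.fail_json(msg="Login failed: {0}".format(login_response))` and import `LoginError` next to `AsyncClient`. The check-mode branch `if module.check_mode: return result` leaves the coroutine without calling `module.exit_json`, so the module prints no JSON and Ansible reports a module failure in check mode; the same branch is present in matrix-logout (next line), matrix-notification, matrix-room and matrix-state in this series. `asyncio.run` in the new `main()` exists only from Python 3.7, which should be the minimum version the project states.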
@@ -44,20 +44,20 @@ EXAMPLES = ''' RETURN = ''' ''' import traceback +import asyncio from ansible.module_utils.basic import AnsibleModule, missing_required_lib MATRIX_IMP_ERR = None try: - from matrix_client.client import MatrixClient + from nio import AsyncClient except ImportError: MATRIX_IMP_ERR = traceback.format_exc() matrix_found = False else: matrix_found = True - -def run_module(): +async def run_module(): module_args = dict( hs_url=dict(type='str', required=True), token=dict(type='str', required=True, no_log=True), @@ -73,23 +73,24 @@ def run_module(): ) if not matrix_found: - module.fail_json(msg=missing_required_lib('matrix-client'), exception=MATRIX_IMP_ERR) + module.fail_json(msg=missing_required_lib('matrix-nio'), exception=MATRIX_IMP_ERR) if module.check_mode: return result # create a client object - client = MatrixClient(module.params['hs_url']) - client.api.token = module.params['token'] - - client.logout() + client = AsyncClient(module.params['hs_url']) + client.access_token = module.params['access_token'] + # log out + await client.logout() + # close client sessions + await client.close() module.exit_json(**result) def main(): - run_module() - + asyncio.run(run_module()) if __name__ == '__main__': main() diff --git a/matrix.py b/matrix-notification.py similarity index 66% rename from matrix.py rename to matrix-notification.py index 658b9a6..edd3852 100644 --- a/matrix.py +++ b/matrix-notification.py @@ -2,7 +2,8 @@ # coding: utf-8 # (c) 2018, Jan Christian Grünhage -# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) +# (c) 2020, Famedly GmbH +# GNU Affero General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/agpl-3.0.txt) from __future__ import (absolute_import, division, print_function) __metaclass__ = type 
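Review bot: The value of `await client.logout()` is discarded, so an invalid or already-revoked token still reports success; nio hands back a `LogoutError` object rather than raising, so `logout_resp = await client.logout()` followed by `if isinstance(logout_resp, LogoutError): module.fail_json(msg="Logout failed: {0}".format(logout_resp))` makes the failure visible (add `LogoutError` to the nio import). A successful logout revokes server-side state, so `result['changed'] = True` belongs on that path too. `await client.close()` is skipped when `logout()` raises on a transport error, leaving the aiohttp session open; a `try: ... finally: await client.close()` around the call fixes that. The `result` dict this code exits with is defined above the hunk.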
@@ -16,7 +17,7 @@ ANSIBLE_METADATA = { DOCUMENTATION = ''' --- author: "Jan Christian Grünhage (@jcgruenhage)" -module: matrix +module: matrix-notification short_description: Send notifications to matrix description: - This module sends html formatted notifications to matrix rooms. @@ -48,12 +49,12 @@ options: description: - The password to log in with requirements: - - matrix-client (Python library) + - matrix-nio (Python library) ''' EXAMPLES = ''' - name: Send matrix notification with token - matrix: + matrix-notification: msg_plain: "**hello world**" msg_html: "hello world" room_id: "!12345678:server.tld" @@ -61,7 +62,7 @@ EXAMPLES = ''' token: "{{ matrix_auth_token }}" - name: Send matrix notification with user_id and password - matrix: + matrix-notification: msg_plain: "**hello world**" msg_html: "hello world" room_id: "!12345678:server.tld" @@ -73,20 +74,30 @@ EXAMPLES = ''' RETURN = ''' ''' import traceback +import asyncio from ansible.module_utils.basic import AnsibleModule, missing_required_lib MATRIX_IMP_ERR = None try: - from matrix_client.client import MatrixClient + from nio import AsyncClient except ImportError: MATRIX_IMP_ERR = traceback.format_exc() matrix_found = False else: matrix_found = True +async def get_client_with_token(hs_url, token): + client = AsyncClient(hs_url) + client.access_token = token + return client -def run_module(): +async def get_client_with_password(hs_url, user, password): + client = AsyncClient(hs_url, user) + await client.login(password) + return client + +async def run_module(): module_args = dict( msg_plain=dict(type='str', required=True), msg_html=dict(type='str', required=True), @@ -98,7 +109,7 @@ def run_module(): ) result = dict( - changed=False, + changed=True, message='' ) 
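Review bot: `get_client_with_password` ignores what `await client.login(password)` returned, so when the credentials are rejected it hands back a client with no access token and the caller fails later on `room_send` with an error that does not mention the login. Keep the response and check it: `resp = await client.login(password)` then `if isinstance(resp, LoginError): await client.close(); module.fail_json(msg="Login failed: {0}".format(resp))`, which means passing `module` into the helper (or returning the response for `run_module` to check) and importing `LoginError` from nio. Both helpers also need a one-line docstring stating that the caller owns the returned client and must `close()` it. The `@@ -98` hunk on this line flips the default to `changed=True`, which is reasonable for a module whose only job is to send a message, but a comment on that line should say so, since a later hunk in this series flips it back.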
@@ -111,28 +122,46 @@ def run_module(): ) if not matrix_found: - module.fail_json(msg=missing_required_lib('matrix-client'), exception=MATRIX_IMP_ERR) + module.fail_json(msg=missing_required_lib('matrix-nio'), exception=MATRIX_IMP_ERR) if module.check_mode: return result # create a client object - client = MatrixClient(module.params['hs_url']) if module.params['token'] is not None: - client.api.token = module.params['token'] + client = await get_client_with_token( + module.params['hs_url'], + module.params['token'] + ) else: - client.login(module.params['user_id'], module.params['password'], sync=False) + client = await get_client_with_password( + module.params['hs_url'], + module.params['user_id'], + module.params['password'] + ) - # make sure we are in a given room and return a room object for it - room = client.join_room(module.params['room_id']) - # send an html formatted messages - room.send_html(module.params['msg_html'], module.params['msg_plain']) + # send message + await client.room_send( + room_id=module.params['room_id'], + message_type="m.room.message", + content={ + "msgtype": "m.text", + "body": module.params['msg_plain'], + "format": "org.matrix.custom.html", + "formatted_body": module.params['msg_html'], + } + ) + + # when we did the login ourselves, invalidate the access token + if module.params['token'] is None: + await client.logout() + + await client.close() module.exit_json(**result) - def main(): - run_module() + asyncio.run(run_module()) if __name__ == '__main__': diff --git a/test-login-logout.sh b/test-login-logout.sh new file mode 100755 index 0000000..a4debf7 --- /dev/null +++ b/test-login-logout.sh 
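Review bot: The response from `client.room_send(...)` is never inspected, so a rejected send (expired token, sender not in the room, rate limiting) still exits with changed=true and an empty message. nio returns a `RoomSendError` instead of raising: `send_resp = await client.room_send(...)` then `if isinstance(send_resp, RoomSendError): await client.close(); module.fail_json(msg="Sending failed: {0}".format(send_resp))`, with `RoomSendError` added to the nio import. On the password path the `await client.logout()` result is equally unchecked, so a failed logout silently leaves a live access token behind. Wrapping send and logout in `try: ... finally: await client.close()` also keeps the aiohttp session from leaking when an exception propagates. The enclosing `run_module` starts outside this hunk.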
@@ -0,0 +1,11 @@ +#!/bin/bash + +source test-settings.sh + +login_resp=` echo "{\"ANSIBLE_MODULE_ARGS\": {\"hs_url\": \"${HS_URL}\",\"user_id\": \"${USER_ID}\",\"password\": \"${PASSWORD}\"}}" | python matrix-login.py` + +echo $login_resp + +local_token=`echo $login_resp | jq --raw-output '.token'` + +echo "{\"ANSIBLE_MODULE_ARGS\": {\"hs_url\": \"${HS_URL}\",\"token\": \"${local_token}\"}}" | python matrix-logout.py diff --git a/test-notification.sh b/test-notification.sh new file mode 100755 index 0000000..3dc6c53 --- /dev/null +++ b/test-notification.sh @@ -0,0 +1,7 @@ +#!/bin/bash + +source test-settings.sh + +notification_resp=` echo "{\"ANSIBLE_MODULE_ARGS\": {\"hs_url\": \"${HS_URL}\", \"token\": \"${TOKEN}\", \"room_id\": \"${ROOM_ID}\", \"msg_plain\": \"**Hello, World!**\", \"msg_html\": \"Hello, World!\"}}" | python matrix-notification.py` + +echo $notification_resp diff --git a/test-settings.sample.sh b/test-settings.sample.sh new file mode 100644 index 0000000..566a015 --- /dev/null +++ b/test-settings.sample.sh @@ -0,0 +1,7 @@ +HS_URL= +USER_ID= +PASSWORD= +TOKEN= + +ROOM_ID= +ROOM_ALIAS= From ca3ef6f9537d2f3354cddfe7fa315282695c2b8e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20Christian=20Gr=C3=BCnhage?= Date: Mon, 10 Feb 2020 18:25:13 +0100 Subject: [PATCH 129/167] add module for creating rooms --- matrix-room.py | 148 +++++++++++++++++++++++++++++++++++++++++++++++++ test-room.sh | 7 +++ 2 files changed, 155 insertions(+) create mode 100644 matrix-room.py create mode 100755 test-room.sh diff --git a/matrix-room.py b/matrix-room.py new file mode 100644 index 0000000..a762903 --- /dev/null +++ b/matrix-room.py 
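Review bot: `echo $login_resp` prints the whole login result, including the freshly issued access token, to the terminal and to any CI log that captures it; drop that line or print a redacted copy, e.g. `echo "$login_resp" | jq 'del(.token)'`. The request JSON is assembled by string interpolation, so a password containing `"` or `\` yields invalid JSON, and the unquoted `$login_resp` is subject to word splitting; building the document with `jq -n --arg` (jq is already a dependency of this script) avoids both, as below. test-notification.sh on this line and test-room.sh and test-state.sh further down use the same construction. `test-settings.sh` holds PASSWORD and TOKEN in clear text and I see no .gitignore entry for it in this patch, so one should be added next to the sample file.

```shell
#!/bin/bash
set -euo pipefail
source test-settings.sh

login_resp=$(jq -cn --arg hs "$HS_URL" --arg user "$USER_ID" --arg pw "$PASSWORD" \
    '{ANSIBLE_MODULE_ARGS: {hs_url: $hs, user_id: $user, password: $pw}}' | python matrix-login.py)

local_token=$(printf '%s' "$login_resp" | jq --raw-output '.token')

jq -cn --arg hs "$HS_URL" --arg token "$local_token" \
    '{ANSIBLE_MODULE_ARGS: {hs_url: $hs, token: $token}}' | python matrix-logout.py
```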
@@ -0,0 +1,148 @@ +#!/usr/bin/python +# coding: utf-8 + +# (c) 2018, Jan Christian Grünhage +# (c) 2020, Famedly GmbH +# GNU Affero General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/agpl-3.0.txt) + +from __future__ import (absolute_import, division, print_function) +__metaclass__ = type + +ANSIBLE_METADATA = { + 'metadata_version': '1.1', + 'status': ['preview'], + 'supported_by': 'community' +} + +DOCUMENTATION = ''' +--- +author: "Jan Christian Grünhage (@jcgruenhage)" +module: matrix-room +short_description: Join/Create matrix room +description: + - This module takes a room alias and makes sure that the user identified by the access token is in such a room. If that room does not exist, it is created, if it does exist but the user is not in it, it tries to join. If the alias is taken and the user can't join the room, the module will fail. Remote aliases are not supported for creating, but work for joining. +options: + alias: + description: + - Alias of the room to join/create + required: true + hs_url: + description: + - URL of the homeserver, where the CS-API is reachable + required: true + token: + description: + - Authentication token for the API call. 
+requirements: + - matrix-nio (Python library) +''' + +EXAMPLES = ''' +- name: Create notification room + matrix-room: + alias: "#ansible-notifications:matrix.org" + hs_url: "https://matrix.org" + token: "{{ matrix_auth_token }}" +''' + +RETURN = ''' +room_id: + description: ID of the room + type: str + sample: !asdfbuiarbk213e479asf:server.tld +''' +import traceback +import asyncio +import re +import sys + +from ansible.module_utils.basic import AnsibleModule, missing_required_lib + +MATRIX_IMP_ERR = None +try: + from nio import (AsyncClient, RoomResolveAliasResponse, JoinedRoomsError, RoomCreateResponse, JoinResponse) +except ImportError: + MATRIX_IMP_ERR = traceback.format_exc() + matrix_found = False +else: + matrix_found = True + +async def run_module(): + module_args = dict( + alias=dict(type='str', required=True), + hs_url=dict(type='str', required=True), + token=dict(type='str', required=True, no_log=True), + ) + + result = dict( + changed=False, + message='' + ) + + module = AnsibleModule( + argument_spec=module_args, + supports_check_mode=True + ) + + if not matrix_found: + module.fail_json(msg=missing_required_lib('matrix-nio'), exception=MATRIX_IMP_ERR) + + if module.check_mode: + return result + + # create a client object + client = AsyncClient(module.params['hs_url']) + client.access_token = module.params['token'] + + # Try to look up room_id + room_id_resp = await client.room_resolve_alias(module.params['alias']) + + failed = False + result = {} + + if isinstance(room_id_resp, RoomResolveAliasResponse): + # Check if already in room + rooms_resp = await client.joined_rooms() + if isinstance(rooms_resp, JoinedRoomsError): + failed = True + result = {"msg":"Couldn't get joined rooms."} + elif room_id_resp.room_id in rooms_resp.rooms: + result = {"room_id": room_id_resp.room_id, "changed": False} + else: + # Try to join room + join_resp = await client.join(module.params['alias']) + + # If successful, return, changed=true + if isinstance(join_resp, 
JoinResponse): + result = {"room_id": join_resp.room_id, "changed": True} + else: + failed = True + result = {"msg": "Room exists, but couldn't join: {1}".format(join_resp)} + else: + # Get local part of alias + local_part_regex = re.search("#([^:]*):(.*)", module.params['alias']) + local_part = local_part_regex.groups()[0] + + # Try to create room with alias + create_room_resp = await client.room_create(alias=local_part) + + # If successful, exit with changed=true and room_id + if isinstance(create_room_resp, RoomCreateResponse): + result = {"room_id": create_room_resp.room_id, "changed": True} + else: + json_resp = await create_room_resp.transport_response.json() + failed = True + result = {"msg": "Room does not exist but couldn't be created either: {0}".format(create_room_resp)} + + await client.close() + if failed: + module.fail_json(**result) + else: + module.exit_json(**result) + +def main(): + asyncio.run(run_module()) + + +if __name__ == '__main__': + main() diff --git a/test-room.sh b/test-room.sh new file mode 100755 index 0000000..7b36063 --- /dev/null +++ b/test-room.sh @@ -0,0 +1,7 @@ +#!/bin/bash + +source test-settings.sh + +room_resp=` echo "{\"ANSIBLE_MODULE_ARGS\": {\"hs_url\": \"${HS_URL}\",\"token\": \"${TOKEN}\",\"alias\": \"${ROOM_ALIAS}\"}}" | python matrix-room.py` + +echo $room_resp From f97f8cf56c7a10f27f90c47d61a334ba990bb8b3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20Christian=20Gr=C3=BCnhage?= Date: Fri, 14 Feb 2020 01:28:16 +0100 Subject: [PATCH 130/167] add state module --- matrix-state.py | 172 ++++++++++++++++++++++++++++++++++++++++++++++++ test-state.sh | 7 ++ 2 files changed, 179 insertions(+) create mode 100644 matrix-state.py create mode 100755 test-state.sh diff --git a/matrix-state.py b/matrix-state.py new file mode 100644 index 0000000..05932a2 --- /dev/null +++ b/matrix-state.py 
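Review bot: `"Room exists, but couldn't join: {1}".format(join_resp)` raises `IndexError` because only one positional argument is supplied, so every failed join ends in a traceback instead of the intended `fail_json`; it should be `{0}`. Two more paths crash or misbehave rather than fail cleanly: `re.search("#([^:]*):(.*)", ...)` returns None for an alias without `#` or `:` and `.groups()` then raises AttributeError, and the `else` branch treats any `room_resolve_alias` failure — including a 401 from a bad token or a transport error — as "alias is free" and goes on to create a room. The server part of the alias (`group(2)`) is silently discarded, so a request for `#foo:other.example` creates `#foo:<this homeserver>` and reports success, contradicting the description's "remote aliases are not supported for creating"; fail when the server part cannot be honoured, or document the behaviour. `json_resp` and `import sys` are unused, and `transport_response` may be None on an error that never reached the server, so the `json()` line is best dropped.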
@@ -0,0 +1,172 @@ +#!/usr/bin/python +# coding: utf-8 + +# (c) 2018, Jan Christian Grünhage +# (c) 2020, Famedly GmbH +# GNU Affero General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/agpl-3.0.txt) + +from __future__ import (absolute_import, division, print_function) +__metaclass__ = type + +ANSIBLE_METADATA = { + 'metadata_version': '1.1', + 'status': ['preview'], + 'supported_by': 'community' +} + +DOCUMENTATION = ''' +--- +author: "Jan Christian Grünhage (@jcgruenhage)" +module: matrix +short_description: Set matrix room state +description: + - This module sets matrix room state idempotently +options: + event_type: + description: + - Event type of the state to be set + required: true + state_key: + description: + - State key for the state event to be set + required: true + content: + description: + - The content to set the state to + required: true + room_id: + description: + - ID of the room to set the state for + required: true + hs_url: + description: + - URL of the homeserver, where the CS-API is reachable + required: true + token: + description: + - Authentication token for the API call. 
+ required: true +requirements: + - matrix-client (Python library) +''' + +EXAMPLES = ''' +- name: Set the server ACL for the admin room + matrix: + event_type: m.room.server_acl + state_key: "" + content: + allow: + - "*" + deny: + - "bad-server.one" + - "bad-server.two" + room_id: "!LAVFnosfDouvhA9VEhiuSV:matrix.org" + hs_url: "https://matrix.org" + token: "{{ matrix_auth_token }}" +''' + +RETURN = ''' +event_id: + description: + - ID of the created event + returned: changed + type: str + sample: $Het2Dv7EEDFNJNgY-ehLSUrdqMo8JOxZDCMnuQPSNfo +''' +import traceback +import asyncio + +from ansible.module_utils.basic import AnsibleModule, missing_required_lib + +MATRIX_IMP_ERR = None +try: + from nio import AsyncClient, RoomGetStateEventResponse, RoomPutStateResponse, JoinedRoomsError +except ImportError: + MATRIX_IMP_ERR = traceback.format_exc() + matrix_found = False +else: + matrix_found = True + + +async def run_module(): + module_args = dict( + event_type=dict(type='str', required=True), + state_key=dict(type='str', required=True), + content=dict(type='dict', required=True), + room_id=dict(type='str', required=True), + hs_url=dict(type='str', required=True), + token=dict(type='str', required=True, no_log=True), + ) + + result = dict( + changed=False, + message='' + ) + + module = AnsibleModule( + argument_spec=module_args, + supports_check_mode=True + ) + + if not matrix_found: + module.fail_json(msg=missing_required_lib('matrix-nio'), exception=MATRIX_IMP_ERR) + + if module.check_mode: + # TODO: Do proper check + return result + + # create a client object + client = AsyncClient(module.params['hs_url']) + client.access_token = module.params['token'] + + failed = False + result = {} + + # Check if already in room + rooms_resp = await client.joined_rooms() + if isinstance(rooms_resp, JoinedRoomsError): + failed = True + result = {"msg":"Couldn't get joined rooms."} + elif module.params['room_id'] not in rooms_resp.rooms: + failed = True + result = {"msg": "Not in 
the room you're trying to set state for."} + else: + # Fetch state from room + state_resp = await client.room_get_state_event( + module.params['room_id'], + module.params['event_type'], + module.params['state_key'] + ) + # If successful, compare with content from module and content is the same, return with changed=false and the ID of the old event + if isinstance(state_resp, RoomGetStateEventResponse) and state_resp.content == module.params['content']: + result = {"changed": False} + # Else, try to send a new state event + else: + send_resp = await client.room_put_state( + module.params['room_id'], + module.params['event_type'], + module.params['content'], + module.params['state_key'] + ) + # If successful, return with changed=true and the ID of the new event + if isinstance(send_resp, RoomPutStateResponse): + result = {"event_id": send_resp.room_id, "changed": True} + # Else, fail + else: + failed = True + result = {"msg": "Couldn't set state: {error}".format(error=send_resp)} + + await client.close() + + if failed: + module.fail_json(**result) + else: + module.exit_json(**result) + +def main(): + asyncio.run(run_module()) + + +if __name__ == '__main__': + main() diff --git a/test-state.sh b/test-state.sh new file mode 100755 index 0000000..08139b2 --- /dev/null +++ b/test-state.sh @@ -0,0 +1,7 @@ +#!/bin/bash + +source test-settings.sh + +state_resp=` echo "{\"ANSIBLE_MODULE_ARGS\": {\"hs_url\": \"${HS_URL}\", \"token\": \"${TOKEN}\", \"room_id\": \"${ROOM_ID}\", \"state_key\": \"\", \"event_type\": \"m.room.name\", \"content\": { \"name\": \"test room name\"}}}" | python matrix-state.py` + +echo $state_resp From abe098ae7c0edc0342e6cc6bf1e947fffc343bfb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20Christian=20Gr=C3=BCnhage?= Date: Fri, 14 Feb 2020 02:24:05 +0100 Subject: [PATCH 131/167] fix logout --- matrix-logout.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/matrix-logout.py b/matrix-logout.py index d4ac3fe..08ac293 100644 
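Review bot: `result = {"event_id": send_resp.room_id, "changed": True}` fills the field documented in RETURN as the ID of the created event with the response's `room_id`; nio's `RoomPutStateResponse` exposes the new event's id as `event_id`, so this should read `send_resp.event_id` (the README example added later in this series builds a message from `state_result.event_id`, which would otherwise show the room id). The `requirements` entry in DOCUMENTATION still says `matrix-client (Python library)` while the code imports `nio` and the missing-library message names `matrix-nio`; the docs should say `matrix-nio`. The comment on the unchanged branch promises "the ID of the old event" but the code returns only `{"changed": False}`; either return the id when the response provides it or trim the comment. The check-mode branch with its `# TODO: Do proper check` returns without `exit_json`, so the module emits nothing for Ansible to parse.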
--- a/matrix-logout.py +++ b/matrix-logout.py @@ -80,7 +80,7 @@ async def run_module(): # create a client object client = AsyncClient(module.params['hs_url']) - client.access_token = module.params['access_token'] + client.access_token = module.params['token'] # log out await client.logout() # close client sessions From fac5ef7f68827c35f95dc94d2d9a9234daf685af Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20Christian=20Gr=C3=BCnhage?= Date: Fri, 14 Feb 2020 02:33:24 +0100 Subject: [PATCH 132/167] include example playbook in the README --- README.md | 42 +++++++++++++++++++++++++++++++++++++++++- 1 file changed, 41 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index fe1c363..85783ee 100644 --- a/README.md +++ b/README.md 
@@ -8,7 +8,47 @@ To install these modules so that you can use them, put them into `~/.ansible/plu ## Usage -For usage examples, look at the doc comments included in the source files for the modules. +For a usage example including all modules, look at the example playbook below. +```yaml +- hosts: localhost + vars: + matrix: + homeserver: https://example.org + user: username + password: s3cr3t + alias: '#some-alias:example.org' + message: "Set room name in" + tasks: + - matrix-login: + hs_url: "{{ matrix.homeserver }}" + user_id: "{{ matrix.user }}" + password: "{{ matrix.password }}" + register: login_result + - matrix-room: + hs_url: "{{ matrix.homeserver }}" + token: "{{ login_result.token }}" + alias: "{{ matrix.alias }}" + register: room_result + - matrix-state: + hs_url: "{{ matrix.homeserver }}" + token: "{{ login_result.token }}" + room_id: "{{ room_result.room_id }}" + event_type: "m.room.name" + state_key: "" + content: + name: "test room name" + register: state_result + - matrix-notification: + hs_url: "{{ matrix.homeserver }}" + token: "{{ login_result.token }}" + room_id: "{{ room_result.room_id }}" + msg_plain: "{{ matrix.message }} {{ state_result.event_id}}" + msg_html: "{{ matrix.message }} {{ state_result.event_id}}" + when: state_result.changed + - matrix-logout: + hs_url: "{{ matrix.homeserver }}" + token: "{{ login_result.token }}" +``` ## Contributing Pull requests are welcome. For major changes, please open an issue first to discuss what you would like to change. From 0b1aa650d805b4eb9054d5397540f8c5e1d01208 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20Christian=20Gr=C3=BCnhage?= Date: Fri, 14 Feb 2020 02:38:46 +0100 Subject: [PATCH 133/167] Explain requirements for these modules --- README.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/README.md b/README.md index 85783ee..dce54e0 100644 --- a/README.md +++ b/README.md 
@@ -6,6 +6,11 @@ This repo contains a few ansible modules for working with matrix rooms. To install these modules so that you can use them, put them into `~/.ansible/plugins/modules/` or for global installation, install them to `/usr/share/ansible/plugins/modules/`. +## Requirements + + - **nio:** The modules require matrix-nio to be required on the target. Some bugs and missing features were found during the development of these modules, which have been fixed in the case of bugs and implemented in the case of missing features. Until they are merged upstream, you have to install the matrix-nio library from source using https://github.com/poljar/matrix-nio/pull/102. + - **Python >= 3.5:** The modules make extensive use of async/await, so only Python 3.5 or later are supported. These modules have only been tested with Python 3.8 so far. + ## Usage For a usage example including all modules, look at the example playbook below. From b43403f4f00d7a6c22cd34eeb0b1bd439f97c78b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20Christian=20Gr=C3=BCnhage?= Date: Fri, 14 Feb 2020 12:42:54 +0100 Subject: [PATCH 134/167] adhere to module naming conventions --- README.md | 10 +++++----- matrix-login.py => matrix_login.py | 4 ++-- matrix-logout.py => matrix_logout.py | 4 ++-- matrix-notification.py => matrix_notification.py | 8 ++++---- matrix-room.py => matrix_room.py | 4 ++-- matrix-state.py => matrix_state.py | 4 ++-- test-login-logout.sh | 4 ++-- test-notification.sh | 2 +- test-room.sh | 2 +- test-state.sh | 2 +- 10 files changed, 22 insertions(+), 22 deletions(-) rename matrix-login.py => matrix_login.py (98%) rename matrix-logout.py => matrix_logout.py (98%) rename matrix-notification.py => matrix_notification.py (97%) rename matrix-room.py => matrix_room.py (99%) rename matrix-state.py => matrix_state.py (99%) diff --git a/README.md b/README.md index dce54e0..ea37599 100644 --- a/README.md +++ b/README.md 
@@ -24,17 +24,17 @@ For a usage example including all modules, look at the example playbook below. alias: '#some-alias:example.org' message: "Set room name in" tasks: - - matrix-login: + - matrix_login: hs_url: "{{ matrix.homeserver }}" user_id: "{{ matrix.user }}" password: "{{ matrix.password }}" register: login_result - - matrix-room: + - matrix_room: hs_url: "{{ matrix.homeserver }}" token: "{{ login_result.token }}" alias: "{{ matrix.alias }}" register: room_result - - matrix-state: + - matrix_state: hs_url: "{{ matrix.homeserver }}" token: "{{ login_result.token }}" room_id: "{{ room_result.room_id }}" @@ -43,14 +43,14 @@ For a usage example including all modules, look at the example playbook below. content: name: "test room name" register: state_result - - matrix-notification: + - matrix_notification: hs_url: "{{ matrix.homeserver }}" token: "{{ login_result.token }}" room_id: "{{ room_result.room_id }}" msg_plain: "{{ matrix.message }} {{ state_result.event_id}}" msg_html: "{{ matrix.message }} {{ state_result.event_id}}" when: state_result.changed - - matrix-logout: + - matrix_logout: hs_url: "{{ matrix.homeserver }}" token: "{{ login_result.token }}" ``` diff --git a/matrix-login.py b/matrix_login.py similarity index 98% rename from matrix-login.py rename to matrix_login.py index 5bf254d..c17b519 100644 --- a/matrix-login.py +++ b/matrix_login.py @@ -17,7 +17,7 @@ ANSIBLE_METADATA = { DOCUMENTATION = ''' --- author: "Jan Christian Grünhage (@jcgruenhage)" -module: matrix-login +module: matrix_login short_description: Get a matrix access token description: - Log in to a matrix homeserver and get an access token back @@ -40,7 +40,7 @@ requirements: EXAMPLES = ''' - name: Log in to matrix - matrix: + matrix_login: hs_url: "https://matrix.org" user_id: "{{ matrix_auth_user }}" password: "{{ matrix_auth_password }}" 
diff --git a/matrix-logout.py b/matrix_logout.py similarity index 98% rename from matrix-logout.py rename to matrix_logout.py index 08ac293..952f776 100644 --- a/matrix-logout.py +++ b/matrix_logout.py @@ -17,7 +17,7 @@ ANSIBLE_METADATA = { DOCUMENTATION = ''' --- author: "Jan Christian Grünhage (@jcgruenhage)" -module: matrix +module: matrix_logout short_description: Log out of matrix description: - Invalidate an access token by logging out @@ -36,7 +36,7 @@ requirements: EXAMPLES = ''' - name: Invalidate access token - matrix: + matrix_logout: hs_url: "https://matrix.org" token: "{{ matrix_auth_token }}" ''' diff --git a/matrix-notification.py b/matrix_notification.py similarity index 97% rename from matrix-notification.py rename to matrix_notification.py index edd3852..98523c8 100644 --- a/matrix-notification.py +++ b/matrix_notification.py @@ -17,7 +17,7 @@ ANSIBLE_METADATA = { DOCUMENTATION = ''' --- author: "Jan Christian Grünhage (@jcgruenhage)" -module: matrix-notification +module: matrix_notification short_description: Send notifications to matrix description: - This module sends html formatted notifications to matrix rooms. @@ -54,7 +54,7 @@ requirements: EXAMPLES = ''' - name: Send matrix notification with token - matrix-notification: + matrix_notification: msg_plain: "**hello world**" msg_html: "hello world" room_id: "!12345678:server.tld" @@ -62,7 +62,7 @@ EXAMPLES = ''' token: "{{ matrix_auth_token }}" - name: Send matrix notification with user_id and password - matrix-notification: + matrix_notification: msg_plain: "**hello world**" msg_html: "hello world" room_id: "!12345678:server.tld" @@ -109,7 +109,7 @@ async def run_module(): ) result = dict( - changed=True, + changed=False, message='' ) diff --git a/matrix-room.py b/matrix_room.py similarity index 99% rename from matrix-room.py rename to matrix_room.py index a762903..96c288c 100644 --- a/matrix-room.py +++ b/matrix_room.py 
@@ -17,7 +17,7 @@ ANSIBLE_METADATA = { DOCUMENTATION = ''' --- author: "Jan Christian Grünhage (@jcgruenhage)" -module: matrix-room +module: matrix_room short_description: Join/Create matrix room description: - This module takes a room alias and makes sure that the user identified by the access token is in such a room. If that room does not exist, it is created, if it does exist but the user is not in it, it tries to join. If the alias is taken and the user can't join the room, the module will fail. Remote aliases are not supported for creating, but work for joining. @@ -39,7 +39,7 @@ requirements: EXAMPLES = ''' - name: Create notification room - matrix-room: + matrix_room: alias: "#ansible-notifications:matrix.org" hs_url: "https://matrix.org" token: "{{ matrix_auth_token }}" diff --git a/matrix-state.py b/matrix_state.py similarity index 99% rename from matrix-state.py rename to matrix_state.py index 05932a2..7a5bf89 100644 --- a/matrix-state.py +++ b/matrix_state.py @@ -17,7 +17,7 @@ ANSIBLE_METADATA = { DOCUMENTATION = ''' --- author: "Jan Christian Grünhage (@jcgruenhage)" -module: matrix +module: matrix_state short_description: Set matrix room state description: - This module sets matrix room state idempotently @@ -52,7 +52,7 @@ requirements: EXAMPLES = ''' - name: Set the server ACL for the admin room - matrix: + matrix_state: event_type: m.room.server_acl state_key: "" content: diff --git a/test-login-logout.sh b/test-login-logout.sh index a4debf7..5da743a 100755 --- a/test-login-logout.sh +++ b/test-login-logout.sh 
@@ -2,10 +2,10 @@ source test-settings.sh -login_resp=` echo "{\"ANSIBLE_MODULE_ARGS\": {\"hs_url\": \"${HS_URL}\",\"user_id\": \"${USER_ID}\",\"password\": \"${PASSWORD}\"}}" | python matrix-login.py` +login_resp=` echo "{\"ANSIBLE_MODULE_ARGS\": {\"hs_url\": \"${HS_URL}\",\"user_id\": \"${USER_ID}\",\"password\": \"${PASSWORD}\"}}" | python matrix_login.py` echo $login_resp local_token=`echo $login_resp | jq --raw-output '.token'` -echo "{\"ANSIBLE_MODULE_ARGS\": {\"hs_url\": \"${HS_URL}\",\"token\": \"${local_token}\"}}" | python matrix-logout.py +echo "{\"ANSIBLE_MODULE_ARGS\": {\"hs_url\": \"${HS_URL}\",\"token\": \"${local_token}\"}}" | python matrix_logout.py diff --git a/test-notification.sh b/test-notification.sh index 3dc6c53..7925ec1 100755 --- a/test-notification.sh +++ b/test-notification.sh @@ -2,6 +2,6 @@ source test-settings.sh -notification_resp=` echo "{\"ANSIBLE_MODULE_ARGS\": {\"hs_url\": \"${HS_URL}\", \"token\": \"${TOKEN}\", \"room_id\": \"${ROOM_ID}\", \"msg_plain\": \"**Hello, World!**\", \"msg_html\": \"Hello, World!\"}}" | python matrix-notification.py` +notification_resp=` echo "{\"ANSIBLE_MODULE_ARGS\": {\"hs_url\": \"${HS_URL}\", \"token\": \"${TOKEN}\", \"room_id\": \"${ROOM_ID}\", \"msg_plain\": \"**Hello, World!**\", \"msg_html\": \"Hello, World!\"}}" | python matrix_notification.py` echo $notification_resp diff --git a/test-room.sh b/test-room.sh index 7b36063..2c3d3b0 100755 --- a/test-room.sh +++ b/test-room.sh @@ -2,6 +2,6 @@ source test-settings.sh -room_resp=` echo "{\"ANSIBLE_MODULE_ARGS\": {\"hs_url\": \"${HS_URL}\",\"token\": \"${TOKEN}\",\"alias\": \"${ROOM_ALIAS}\"}}" | python matrix-room.py` +room_resp=` echo "{\"ANSIBLE_MODULE_ARGS\": {\"hs_url\": \"${HS_URL}\",\"token\": \"${TOKEN}\",\"alias\": \"${ROOM_ALIAS}\"}}" | python matrix_room.py` echo $room_resp diff --git a/test-state.sh b/test-state.sh index 08139b2..5572971 100755 --- a/test-state.sh +++ b/test-state.sh 
@@ -2,6 +2,6 @@ source test-settings.sh -state_resp=` echo "{\"ANSIBLE_MODULE_ARGS\": {\"hs_url\": \"${HS_URL}\", \"token\": \"${TOKEN}\", \"room_id\": \"${ROOM_ID}\", \"state_key\": \"\", \"event_type\": \"m.room.name\", \"content\": { \"name\": \"test room name\"}}}" | python matrix-state.py` +state_resp=` echo "{\"ANSIBLE_MODULE_ARGS\": {\"hs_url\": \"${HS_URL}\", \"token\": \"${TOKEN}\", \"room_id\": \"${ROOM_ID}\", \"state_key\": \"\", \"event_type\": \"m.room.name\", \"content\": { \"name\": \"test room name\"}}}" | python matrix_state.py` echo $state_resp From e967c824fdb08d3228e9100b8efcf9f9c2861fa1 Mon Sep 17 00:00:00 2001 From: Niklas Zender Date: Mon, 3 Feb 2020 08:25:21 +0000 Subject: [PATCH 135/167] Add CODEOWNERS --- CODEOWNERS | 1 + 1 file changed, 1 insertion(+) create mode 100644 CODEOWNERS diff --git a/CODEOWNERS b/CODEOWNERS new file mode 100644 index 0000000..1fe7acf --- /dev/null +++ b/CODEOWNERS @@ -0,0 +1 @@ +* @jcgruenhage \ No newline at end of file From 23ce96e3851892258dc74f03f09bfbde365beb42 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20Christian=20Gr=C3=BCnhage?= Date: Mon, 17 Feb 2020 01:40:41 +0100 Subject: [PATCH 136/167] refactor config handling The config files are now written to the app dir, not the version subdir. They are still linked to the version subdir though. Additionally, the container volumes for the config files are autogenerated now --- defaults/main.yml | 6 +++++- tasks/main.yml | 24 +++++++++++++++++------- 2 files changed, 22 insertions(+), 8 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index cb3a2d8..eb518c0 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -36,4 +36,8 @@ riot_domain_configs: [] riot_deployment_method: 'webroot' #alternative is 'docker' riot_docker_ports: [] riot_docker_labels: {} -riot_docker_volumes: {} +riot_docker_volumes: "{{ riot_docker_main_volumes + riot_docker_domain_volumes }}" +riot_docker_main_volumes: + - "{{ riot_webapp_dir }}/config.json:/app/config.json" +# This looks a bit crude, but what happens here is quite simple: First, we pull out the domain, then we match the whole string, and use it to construct the mount, then we make a list again. +riot_docker_domain_volumes: "{{ riot_domain_configs | map(attribute='domain') | map('regex_replace', '^(.*)$', riot_webapp_dir + '/config.\\1.json:/app/config.\\1.json') | list }}" diff --git a/tasks/main.yml b/tasks/main.yml index 9eb95ac..6077e53 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
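Review bot: `riot_docker_volumes` changes from a plain overridable value into a computed expression, so an operator who needs one extra bind mount now has to replace the whole expression and re-derive the generated entries; a separate `riot_docker_extra_volumes: []` appended to it, `riot_docker_volumes: "{{ riot_docker_main_volumes + riot_docker_domain_volumes + riot_docker_extra_volumes }}"`, keeps the generated mounts intact and mirrors `matrix_synapse_extra_docker_volumes` used by the synapse role elsewhere in this series. `riot_docker_domain_volumes` also splices each `domain` value straight into a host path and a container path, so the comment should state that `domain` must be a bare hostname (no `/` or `:`) for the generated `host:container` spec to stay well-formed. That comment is far over the usual line length and reads better split across two or three `#` lines.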
@@ -8,22 +8,32 @@ import_tasks: download.yml when: riot_deployment_method == "webroot" -- name: Create riot directory for docker configs - file: - dest: "{{ riot_webapp_dir }}/riot-v{{ riot_version }}" - state: directory - - name: Write main configuration copy: content: "{{ riot_config | to_nice_json }}" - dest: "{{ riot_webapp_dir }}/riot-v{{ riot_version }}/config.json" + dest: "{{ riot_webapp_dir }}/config.json" - name: Write domain specific configurations copy: content: "{{ item.config | to_nice_json }}" - dest: "{{ riot_webapp_dir }}/riot-v{{ riot_version }}/config.{{ item.domain }}.json" + dest: "{{ riot_webapp_dir }}/config.{{ item.domain }}.json" loop: "{{ riot_domain_configs }}" +- name: Link main configuration + file: + src: "{{ riot_webapp_dir }}/config.json" + dest: "{{ riot_webapp_dir }}/riot-v{{ riot_version }}/config.json" + state: link + when: riot_deployment_method == "webroot" + +- name: Link domain specific configurations + file: + src: "{{ riot_webapp_dir }}/config.{{ item.domain }}.json" + dest: "{{ riot_webapp_dir }}/riot-v{{ riot_version }}/config.{{ item.domain }}.json" + state: link + loop: "{{ riot_domain_configs }}" + when: riot_deployment_method == "webroot" + - name: Deploy docker container docker_container: name: "riot-web" From c78688b27eda411f20741fb113d37b1e6116a5c0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20Christian=20Gr=C3=BCnhage?= Date: Tue, 18 Feb 2020 17:07:52 +0100 Subject: [PATCH 137/167] update riot --- defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defaults/main.yml b/defaults/main.yml index eb518c0..2de1d3f 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -1,5 +1,5 @@ --- -riot_version: 1.5.8 +riot_version: 1.5.9 riot_webapp_dir: /opt/riot riot_config: brand: Riot From 62d51184b278dade8e550f906b20b5a5ccdbbe92 Mon Sep 17 00:00:00 2001 
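Review bot: The two new `Link ...` tasks use `state: link` without `force: true`, and their `dest` is exactly the path the previous revision of this role wrote `config.json` to as a regular file, so on a host provisioned before this change the `file` module will refuse to replace the regular file with a symlink and the play fails; adding `force: true` to both link tasks covers the upgrade path. Separately, dropping the `Create riot directory for docker configs` task removes the only step visible here that created the parent directory on the docker path, and `copy` does not create missing parent directories, so `Write main configuration` may fail on a fresh docker-only host unless `riot_webapp_dir` is created elsewhere (download.yml is only imported for `webroot`). A `file` task with `path: "{{ riot_webapp_dir }}"` and `state: directory` ahead of the copy tasks would make both deployment methods self-sufficient. The task list continues outside the hunk on both sides.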
From: =?UTF-8?q?Jan=20Christian=20Gr=C3=BCnhage?= Date: Tue, 18 Feb 2020 17:09:35 +0100 Subject: [PATCH 138/167] bump version to 1.10.1 --- defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defaults/main.yml b/defaults/main.yml index 0fcb37f..7312c66 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -7,7 +7,7 @@ matrix_synapse_secrets_path: "{{ matrix_synapse_base_path }}/secrets" matrix_synapse_dh_path: "{{ matrix_synapse_base_path }}/tls/{{ matrix_server_name }}.dh" matrix_synapse_baseurl: "https://{{ matrix_server_name }}" matrix_synapse_signing_key_path: "{{ matrix_synapse_base_path }}/tls/{{ matrix_server_name }}.signing.key" -matrix_synapse_version: "v1.8.0" +matrix_synapse_version: "v1.10.1" matrix_synapse_log_dir: "/var/log/matrix_synapse" matrix_synapse_log_days_keep: 30 matrix_synapse_pid_file: "{{ matrix_synapse_base_path }}/synapse.pid" From a1f9f29c053cfc40f662da3f69095fe8be4bb65f Mon Sep 17 00:00:00 2001 From: Emmanouil Kampitakis Date: Fri, 10 Jan 2020 01:00:38 +0100 Subject: [PATCH 139/167] Reduce log retention period to 14 days --- README.md | 2 +- defaults/main.yml | 2 +- synapse | 1 - 3 files changed, 2 insertions(+), 3 deletions(-) delete mode 120000 synapse diff --git a/README.md b/README.md index a389e2e..8b43e50 100644 --- a/README.md +++ b/README.md @@ -36,7 +36,7 @@ The following should be present on the target system | matrix_synapse_baseurl | "https://{{ matrix_server_name }}" | | matrix_synapse_signing_key_path | "{{ matrix_synapse_base_path }}/ssl/{{ matrix_server_name }}.signing.key" | | matrix_synapse_version | "v1.0.0" | -| matrix_synapse_log_days_keep | 30 | +| matrix_synapse_log_days_keep | 14 | | matrix_synapse_deployment_method | pip | Either pip or docker [¹](#footnote_1) | | matrix_synapse_supervision_method | systemd | Either systemd, runit or docker [¹](#footnote_1) | | matrix_synapse_python_version | 3 | Default python version (2, 3) to be used | 
diff --git a/defaults/main.yml b/defaults/main.yml index 7312c66..40abeb2 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -9,7 +9,7 @@ matrix_synapse_baseurl: "https://{{ matrix_server_name }}" matrix_synapse_signing_key_path: "{{ matrix_synapse_base_path }}/tls/{{ matrix_server_name }}.signing.key" matrix_synapse_version: "v1.10.1" matrix_synapse_log_dir: "/var/log/matrix_synapse" -matrix_synapse_log_days_keep: 30 +matrix_synapse_log_days_keep: 14 matrix_synapse_pid_file: "{{ matrix_synapse_base_path }}/synapse.pid" matrix_synapse_docker_ports: ["8008:8008", "8448:8448"] matrix_synapse_docker_labels: {} diff --git a/synapse b/synapse deleted file mode 120000 index 17c01eb..0000000 --- a/synapse +++ /dev/null @@ -1 +0,0 @@ -synapse \ No newline at end of file From 0b0dde7be8d0d222d029a44bdc4283fb7bf0bedd Mon Sep 17 00:00:00 2001 From: Emmanouil Kampitakis Date: Mon, 13 Jan 2020 01:58:22 +0100 Subject: [PATCH 140/167] Use the log directory variable in the logrotate configuration --- templates/logrotate.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/logrotate.j2 b/templates/logrotate.j2 index c917561..ec5db9c 100644 --- a/templates/logrotate.j2 +++ b/templates/logrotate.j2 @@ -1,5 +1,5 @@ {{ ansible_managed | comment }} -/var/log/matrix_synapse/matrix_synapse.log { +{{ matrix_synapse_log_dir }}/matrix_synapse.log { daily rotate {{ matrix_synapse_log_days_keep }} compress From 15ff36eed6823c12c244abd85be45beaa7a850a4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20Christian=20Gr=C3=BCnhage?= Date: Fri, 21 Feb 2020 11:06:04 +0100 Subject: [PATCH 141/167] bump version to 1.11.0 --- defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defaults/main.yml b/defaults/main.yml index 40abeb2..f34725f 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -7,7 +7,7 @@ matrix_synapse_secrets_path: "{{ matrix_synapse_base_path }}/secrets" matrix_synapse_dh_path: "{{ matrix_synapse_base_path }}/tls/{{ matrix_server_name }}.dh" matrix_synapse_baseurl: "https://{{ matrix_server_name }}" matrix_synapse_signing_key_path: "{{ matrix_synapse_base_path }}/tls/{{ matrix_server_name }}.signing.key" -matrix_synapse_version: "v1.10.1" +matrix_synapse_version: "v1.11.0" matrix_synapse_log_dir: "/var/log/matrix_synapse" matrix_synapse_log_days_keep: 14 matrix_synapse_pid_file: "{{ matrix_synapse_base_path }}/synapse.pid" From 1e3ebe6c82b6f9041e392111698c670d6c566134 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20Christian=20Gr=C3=BCnhage?= Date: Fri, 21 Feb 2020 17:57:44 +0100 Subject: [PATCH 142/167] bump version to 1.5.10 --- defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defaults/main.yml b/defaults/main.yml index 2de1d3f..7bda0c8 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -1,5 +1,5 @@ --- -riot_version: 1.5.9 +riot_version: 1.5.10 riot_webapp_dir: /opt/riot riot_config: brand: Riot From f58f601152c3b9792f7007930b12e8532b8a24b6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20Christian=20Gr=C3=BCnhage?= Date: Mon, 24 Feb 2020 09:30:30 +0100 Subject: [PATCH 143/167] specify a keyserver when fetching the pgp key this needs to be done to ensure we're not fetching the key from a server that doesn't server UIDs, like keys.openpgp.org does, because then the key fails to be imported correctly --- tasks/download.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/tasks/download.yml b/tasks/download.yml index 144d1a9..30be21d 100644 --- a/tasks/download.yml +++ b/tasks/download.yml @@ -27,6 +27,7 @@ gpg --no-default-keyring --homedir /tmp/gpg-tmp --keyring /tmp/gpg-tmp/riot-key + --keyserver hkps://keyserver.ubuntu.com --recv-keys 5EA7E0F70461A3BCBEBE4D5EF6151806032026F9 register: get_riot_gpg_key until: get_riot_gpg_key.rc == 0 
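Review bot: In tasks/download.yml the keyserver is hard-coded into the gpg command; pulling it into a default such as `riot_gpg_keyserver: "hkps://keyserver.ubuntu.com"` and writing `--keyserver {{ riot_gpg_keyserver }}` lets operators behind an egress filter or running a mirror redirect the fetch without editing the task. Because the key is requested by its full fingerprint into a dedicated keyring, the keyserver choice should only affect availability rather than which key is trusted — provided the verification step that follows checks against that keyring and the GnuPG in use only imports keys matching the requested fingerprint; a comment on the `--recv-keys` line (`# pinned by full fingerprint; the keyserver is a transport choice only`) would record the reasoning from the commit message next to the code. The gpg command starts before this hunk.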
From 060109afd94c252b3438e8c08a90433333afc328 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20Christian=20Gr=C3=BCnhage?= Date: Tue, 3 Mar 2020 00:17:51 +0100 Subject: [PATCH 144/167] bump version to 1.5.11 --- defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defaults/main.yml b/defaults/main.yml index 7bda0c8..51ceb8d 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -1,5 +1,5 @@ --- -riot_version: 1.5.10 +riot_version: 1.5.11 riot_webapp_dir: /opt/riot riot_config: brand: Riot From b0a5ffa72a0f2a28f4c773f23209a41837f2c17e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20Christian=20Gr=C3=BCnhage?= Date: Tue, 3 Mar 2020 00:20:54 +0100 Subject: [PATCH 145/167] remove version variable from the README --- README.md | 1 - 1 file changed, 1 deletion(-) diff --git a/README.md b/README.md index cbd2be0..e1a92be 100644 --- a/README.md +++ b/README.md @@ -17,7 +17,6 @@ __None__ | Name | Value | Description | | :--- | :--- | :--- | -| riot_version | 1.3.3 | the riot version to be deployed | | riot_webapp_dir | /opt/riot/ | location to upack the application | | riot_config | __See (defaults)[defaults/main.yml] | Dictionary containing the webapp configuration see (riot documentation)[https://github.com/vector-im/riot-web#configjson] for details From 07f609a4d2bfd09cb56e4fe61dda1f75ce08ca3b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20Christian=20Gr=C3=BCnhage?= Date: Mon, 16 Mar 2020 14:46:59 +0100 Subject: [PATCH 146/167] bump version to 1.5.12 --- defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defaults/main.yml b/defaults/main.yml index 51ceb8d..23f1ac4 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -1,5 +1,5 @@ --- -riot_version: 1.5.11 +riot_version: 1.5.12 riot_webapp_dir: /opt/riot riot_config: brand: Riot From 0989485745674ab25fe7c81b02c5f39c169316af Mon Sep 17 00:00:00 2001 
From: Jan Christian Gr??nhage Date: Sun, 22 Mar 2020 21:16:23 +0100 Subject: [PATCH 147/167] bump version to 1.11.1 --- defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defaults/main.yml b/defaults/main.yml index f34725f..ec67c6f 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -7,7 +7,7 @@ matrix_synapse_secrets_path: "{{ matrix_synapse_base_path }}/secrets" matrix_synapse_dh_path: "{{ matrix_synapse_base_path }}/tls/{{ matrix_server_name }}.dh" matrix_synapse_baseurl: "https://{{ matrix_server_name }}" matrix_synapse_signing_key_path: "{{ matrix_synapse_base_path }}/tls/{{ matrix_server_name }}.signing.key" -matrix_synapse_version: "v1.11.0" +matrix_synapse_version: "v1.11.1" matrix_synapse_log_dir: "/var/log/matrix_synapse" matrix_synapse_log_days_keep: 14 matrix_synapse_pid_file: "{{ matrix_synapse_base_path }}/synapse.pid" From aa6d4552b2d44ba7550d4af61e73e48df87ec468 Mon Sep 17 00:00:00 2001 From: Jan Christian Gr??nhage Date: Wed, 25 Mar 2020 11:18:30 +0100 Subject: [PATCH 148/167] bump version to 1.5.13 --- defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defaults/main.yml b/defaults/main.yml index 23f1ac4..aba0017 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -1,5 +1,5 @@ --- -riot_version: 1.5.12 +riot_version: 1.5.13 riot_webapp_dir: /opt/riot riot_config: brand: Riot From 55b2fa451312c6541ab6c0d28fbdefb95afece1a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20Christian=20Gr=C3=BCnhage?= Date: Tue, 31 Mar 2020 00:53:14 +0200 Subject: [PATCH 149/167] bump version to 1.5.14 --- defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defaults/main.yml b/defaults/main.yml index aba0017..4ceb048 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -1,5 +1,5 @@ --- -riot_version: 1.5.13 +riot_version: 1.5.14 riot_webapp_dir: /opt/riot riot_config: brand: Riot From 490ef389040bb05899e63c8693d4a647ae8fb628 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Jan=20Christian=20Gr=C3=BCnhage?= Date: Tue, 31 Mar 2020 00:56:12 +0200 Subject: [PATCH 150/167] bump version to 1.12.0 --- defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defaults/main.yml b/defaults/main.yml index ec67c6f..e078516 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -7,7 +7,7 @@ matrix_synapse_secrets_path: "{{ matrix_synapse_base_path }}/secrets" matrix_synapse_dh_path: "{{ matrix_synapse_base_path }}/tls/{{ matrix_server_name }}.dh" matrix_synapse_baseurl: "https://{{ matrix_server_name }}" matrix_synapse_signing_key_path: "{{ matrix_synapse_base_path }}/tls/{{ matrix_server_name }}.signing.key" -matrix_synapse_version: "v1.11.1" +matrix_synapse_version: "v1.12.0" matrix_synapse_log_dir: "/var/log/matrix_synapse" matrix_synapse_log_days_keep: 14 matrix_synapse_pid_file: "{{ matrix_synapse_base_path }}/synapse.pid" From 222ce880805e06876e49a1e6365927264782c597 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20Christian=20Gr=C3=BCnhage?= Date: Wed, 1 Apr 2020 22:37:57 +0200 Subject: [PATCH 151/167] bump version to 1.5.15 --- defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defaults/main.yml b/defaults/main.yml index 4ceb048..1294931 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -1,5 +1,5 @@ --- -riot_version: 1.5.14 +riot_version: 1.5.15 riot_webapp_dir: /opt/riot riot_config: brand: Riot From ff01075f548f3694bca55427f782e10a36859b23 Mon Sep 17 00:00:00 2001 From: Jan Christian Gr??nhage Date: Sat, 4 Apr 2020 15:59:27 +0200 Subject: [PATCH 152/167] bump version to 1.12.3 --- README.md | 2 +- defaults/main.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 8b43e50..0933c1d 100644 --- a/README.md +++ b/README.md 
@@ -35,7 +35,7 @@ The following should be present on the target system | matrix_synapse_dh_path | "{{ matrix_synapse_base_path }}/tls/{{ matrix_server_name }}.dh" | | matrix_synapse_baseurl | "https://{{ matrix_server_name }}" | | matrix_synapse_signing_key_path | "{{ matrix_synapse_base_path }}/ssl/{{ matrix_server_name }}.signing.key" | -| matrix_synapse_version | "v1.0.0" | +| matrix_synapse_version | "v1.12.3" | | matrix_synapse_log_days_keep | 14 | | matrix_synapse_deployment_method | pip | Either pip or docker [¹](#footnote_1) | | matrix_synapse_supervision_method | systemd | Either systemd, runit or docker [¹](#footnote_1) | diff --git a/defaults/main.yml b/defaults/main.yml index e078516..40c6db7 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -7,7 +7,7 @@ matrix_synapse_secrets_path: "{{ matrix_synapse_base_path }}/secrets" matrix_synapse_dh_path: "{{ matrix_synapse_base_path }}/tls/{{ matrix_server_name }}.dh" matrix_synapse_baseurl: "https://{{ matrix_server_name }}" matrix_synapse_signing_key_path: "{{ matrix_synapse_base_path }}/tls/{{ matrix_server_name }}.signing.key" -matrix_synapse_version: "v1.12.0" +matrix_synapse_version: "v1.12.3" matrix_synapse_log_dir: "/var/log/matrix_synapse" matrix_synapse_log_days_keep: 14 matrix_synapse_pid_file: "{{ matrix_synapse_base_path }}/synapse.pid" From 739c8e03d2032daf0c0f7cf2f224edb422ab7cf3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20Christian=20Gr=C3=BCnhage?= Date: Tue, 28 Apr 2020 11:24:49 +0200 Subject: [PATCH 153/167] bump version to 1.12.4 --- README.md | 2 +- defaults/main.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 0933c1d..0e3a13a 100644 --- a/README.md +++ b/README.md 
@@ -35,7 +35,7 @@ The following should be present on the target system | matrix_synapse_dh_path | "{{ matrix_synapse_base_path }}/tls/{{ matrix_server_name }}.dh" | | matrix_synapse_baseurl | "https://{{ matrix_server_name }}" | | matrix_synapse_signing_key_path | "{{ matrix_synapse_base_path }}/ssl/{{ matrix_server_name }}.signing.key" | -| matrix_synapse_version | "v1.12.3" | +| matrix_synapse_version | "v1.12.4" | | matrix_synapse_log_days_keep | 14 | | matrix_synapse_deployment_method | pip | Either pip or docker [¹](#footnote_1) | | matrix_synapse_supervision_method | systemd | Either systemd, runit or docker [¹](#footnote_1) | diff --git a/defaults/main.yml b/defaults/main.yml index 40c6db7..162c447 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -7,7 +7,7 @@ matrix_synapse_secrets_path: "{{ matrix_synapse_base_path }}/secrets" matrix_synapse_dh_path: "{{ matrix_synapse_base_path }}/tls/{{ matrix_server_name }}.dh" matrix_synapse_baseurl: "https://{{ matrix_server_name }}" matrix_synapse_signing_key_path: "{{ matrix_synapse_base_path }}/tls/{{ matrix_server_name }}.signing.key" -matrix_synapse_version: "v1.12.3" +matrix_synapse_version: "v1.12.4" matrix_synapse_log_dir: "/var/log/matrix_synapse" matrix_synapse_log_days_keep: 14 matrix_synapse_pid_file: "{{ matrix_synapse_base_path }}/synapse.pid" From 49a0a22af45b26d3fc6680cf46aff4661d3328c3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20Christian=20Gr=C3=BCnhage?= Date: Wed, 6 May 2020 09:48:52 +0200 Subject: [PATCH 154/167] bump version to 1.6.0 --- defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defaults/main.yml b/defaults/main.yml index 1294931..450e1a5 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -1,5 +1,5 @@ --- -riot_version: 1.5.15 +riot_version: 1.6.0 riot_webapp_dir: /opt/riot riot_config: brand: Riot From 41500029f5224ae66d55135c89dde54bc49184f1 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Jan=20Christian=20Gr=C3=BCnhage?= Date: Wed, 27 May 2020 18:27:06 +0200 Subject: [PATCH 155/167] bump version to 1.6.2 --- defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defaults/main.yml b/defaults/main.yml index 450e1a5..9a8ec39 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -1,5 +1,5 @@ --- -riot_version: 1.6.0 +riot_version: 1.6.2 riot_webapp_dir: /opt/riot riot_config: brand: Riot From 676f02c75755ab5c484006c88f16dc5fa984d35f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20Christian=20Gr=C3=BCnhage?= Date: Wed, 27 May 2020 18:34:31 +0200 Subject: [PATCH 156/167] bump version to 1.13.0 --- README.md | 2 +- defaults/main.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 0e3a13a..a226891 100644 --- a/README.md +++ b/README.md @@ -35,7 +35,7 @@ The following should be present on the target system | matrix_synapse_dh_path | "{{ matrix_synapse_base_path }}/tls/{{ matrix_server_name }}.dh" | | matrix_synapse_baseurl | "https://{{ matrix_server_name }}" | | matrix_synapse_signing_key_path | "{{ matrix_synapse_base_path }}/ssl/{{ matrix_server_name }}.signing.key" | -| matrix_synapse_version | "v1.12.4" | +| matrix_synapse_version | "v1.13.0" | | matrix_synapse_log_days_keep | 14 | | matrix_synapse_deployment_method | pip | Either pip or docker [¹](#footnote_1) | | matrix_synapse_supervision_method | systemd | Either systemd, runit or docker [¹](#footnote_1) | diff --git a/defaults/main.yml b/defaults/main.yml index 162c447..e95ca13 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -7,7 +7,7 @@ matrix_synapse_secrets_path: "{{ matrix_synapse_base_path }}/secrets" matrix_synapse_dh_path: "{{ matrix_synapse_base_path }}/tls/{{ matrix_server_name }}.dh" matrix_synapse_baseurl: "https://{{ matrix_server_name }}" matrix_synapse_signing_key_path: "{{ matrix_synapse_base_path }}/tls/{{ matrix_server_name }}.signing.key" -matrix_synapse_version: "v1.12.4" +matrix_synapse_version: "v1.13.0" matrix_synapse_log_dir: "/var/log/matrix_synapse" matrix_synapse_log_days_keep: 14 matrix_synapse_pid_file: "{{ matrix_synapse_base_path }}/synapse.pid" From 80858f17600ab1054d113c1701cb0c8078632db8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20Christian=20Gr=C3=BCnhage?= Date: Wed, 27 May 2020 18:35:20 +0200 Subject: [PATCH 157/167] pull out container name into a variable --- defaults/main.yml | 1 + handlers/main.yml | 2 +- tasks/deployment.yml | 2 +- 3 files changed, 3 insertions(+), 2 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index e95ca13..9555c19 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -15,3 +15,4 @@ matrix_synapse_docker_ports: ["8008:8008", "8448:8448"] matrix_synapse_docker_labels: {} matrix_synapse_extra_docker_volumes: [] matrix_synapse_container_ref: "docker.io/matrixdotorg/synapse" +matrix_synapse_container_name: "synapse" diff --git a/handlers/main.yml b/handlers/main.yml index 937962a..0c28982 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -13,7 +13,7 @@ - name: "restart synapse using docker" docker_container: - name: synapse + name: "{{ matrix_synapse_container_name }}" state: started restart: yes when: matrix_synapse_supervision_method == "docker" diff --git a/tasks/deployment.yml b/tasks/deployment.yml index 87c100f..1919eae 100644 --- a/tasks/deployment.yml +++ b/tasks/deployment.yml 
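Review bot: `matrix_synapse_container_name` is added to defaults/main.yml and consumed in handlers/main.yml and tasks/deployment.yml, but the README variable table that this series keeps in step with `matrix_synapse_version` is not updated for the new variable; a row such as `| matrix_synapse_container_name | "synapse" | Name of the synapse docker container |` would keep the documentation consistent. Changing the value on an already deployed host presumably leaves the previously named container in place, since `docker_container` only manages the name it is given, so a short note on the default (`# changing this after first deploy does not remove the old container`) would save an operator a surprise.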
@@ -55,7 +55,7 @@ - name: install synapse with docker docker_container: - name: synapse + name: "{{ matrix_synapse_container_name }}" image: "{{ matrix_synapse_container_ref }}:{{ matrix_synapse_version }}" ports: "{{ matrix_synapse_docker_ports }}" labels: "{{ matrix_synapse_docker_labels }}" From ce1aeb7a7f08b210879f127b1c8f29e9c3a18078 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20Christian=20Gr=C3=BCnhage?= Date: Thu, 28 May 2020 12:53:45 +0200 Subject: [PATCH 158/167] bump version to 1.14.0 --- README.md | 2 +- defaults/main.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index a226891..961dbdb 100644 --- a/README.md +++ b/README.md @@ -35,7 +35,7 @@ The following should be present on the target system | matrix_synapse_dh_path | "{{ matrix_synapse_base_path }}/tls/{{ matrix_server_name }}.dh" | | matrix_synapse_baseurl | "https://{{ matrix_server_name }}" | | matrix_synapse_signing_key_path | "{{ matrix_synapse_base_path }}/ssl/{{ matrix_server_name }}.signing.key" | -| matrix_synapse_version | "v1.13.0" | +| matrix_synapse_version | "v1.14.0" | | matrix_synapse_log_days_keep | 14 | | matrix_synapse_deployment_method | pip | Either pip or docker [¹](#footnote_1) | | matrix_synapse_supervision_method | systemd | Either systemd, runit or docker [¹](#footnote_1) | diff --git a/defaults/main.yml b/defaults/main.yml index 9555c19..bff55d5 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -7,7 +7,7 @@ matrix_synapse_secrets_path: "{{ matrix_synapse_base_path }}/secrets" matrix_synapse_dh_path: "{{ matrix_synapse_base_path }}/tls/{{ matrix_server_name }}.dh" matrix_synapse_baseurl: "https://{{ matrix_server_name }}" matrix_synapse_signing_key_path: "{{ matrix_synapse_base_path }}/tls/{{ matrix_server_name }}.signing.key" -matrix_synapse_version: "v1.13.0" +matrix_synapse_version: "v1.14.0" matrix_synapse_log_dir: "/var/log/matrix_synapse" matrix_synapse_log_days_keep: 14 matrix_synapse_pid_file: "{{ matrix_synapse_base_path }}/synapse.pid" From ad08aa237d397228e3419d00ada3d2e1aabb3ac8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20Christian=20Gr=C3=BCnhage?= Date: Thu, 11 Jun 2020 15:11:22 +0200 Subject: [PATCH 159/167] bump version to 1.15.0 --- README.md | 2 +- defaults/main.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 961dbdb..f623fab 100644 --- a/README.md +++ b/README.md @@ -35,7 +35,7 @@ The following should be present on the target system | matrix_synapse_dh_path | "{{ matrix_synapse_base_path }}/tls/{{ matrix_server_name }}.dh" | | matrix_synapse_baseurl | "https://{{ matrix_server_name }}" | | matrix_synapse_signing_key_path | "{{ matrix_synapse_base_path }}/ssl/{{ matrix_server_name }}.signing.key" | -| matrix_synapse_version | "v1.14.0" | +| matrix_synapse_version | "v1.15.0" | | matrix_synapse_log_days_keep | 14 | | matrix_synapse_deployment_method | pip | Either pip or docker [¹](#footnote_1) | | matrix_synapse_supervision_method | systemd | Either systemd, runit or docker [¹](#footnote_1) | diff --git a/defaults/main.yml b/defaults/main.yml index bff55d5..9348261 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -7,7 +7,7 @@ matrix_synapse_secrets_path: "{{ matrix_synapse_base_path }}/secrets" matrix_synapse_dh_path: "{{ matrix_synapse_base_path }}/tls/{{ matrix_server_name }}.dh" matrix_synapse_baseurl: "https://{{ matrix_server_name }}" matrix_synapse_signing_key_path: "{{ matrix_synapse_base_path }}/tls/{{ matrix_server_name }}.signing.key" -matrix_synapse_version: "v1.14.0" +matrix_synapse_version: "v1.15.0" matrix_synapse_log_dir: "/var/log/matrix_synapse" matrix_synapse_log_days_keep: 14 matrix_synapse_pid_file: "{{ matrix_synapse_base_path }}/synapse.pid" From 26675b73e708a739a3beb69aece8cf5d9a8b4895 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20Christian=20Gr=C3=BCnhage?= Date: Tue, 16 Jun 2020 12:03:40 +0200 Subject: [PATCH 160/167] bump version to 1.15.1 --- README.md | 2 +- defaults/main.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index f623fab..12082e6 100644 --- a/README.md +++ b/README.md @@ -35,7 +35,7 @@ The following should be present on the target system | matrix_synapse_dh_path | "{{ matrix_synapse_base_path }}/tls/{{ matrix_server_name }}.dh" | | matrix_synapse_baseurl | "https://{{ matrix_server_name }}" | | matrix_synapse_signing_key_path | "{{ matrix_synapse_base_path }}/ssl/{{ matrix_server_name }}.signing.key" | -| matrix_synapse_version | "v1.15.0" | +| matrix_synapse_version | "v1.15.1" | | matrix_synapse_log_days_keep | 14 | | matrix_synapse_deployment_method | pip | Either pip or docker [¹](#footnote_1) | | matrix_synapse_supervision_method | systemd | Either systemd, runit or docker [¹](#footnote_1) | diff --git a/defaults/main.yml b/defaults/main.yml index 9348261..74d2ad7 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -7,7 +7,7 @@ matrix_synapse_secrets_path: "{{ matrix_synapse_base_path }}/secrets" matrix_synapse_dh_path: "{{ matrix_synapse_base_path }}/tls/{{ matrix_server_name }}.dh" matrix_synapse_baseurl: "https://{{ matrix_server_name }}" matrix_synapse_signing_key_path: "{{ matrix_synapse_base_path }}/tls/{{ matrix_server_name }}.signing.key" -matrix_synapse_version: "v1.15.0" +matrix_synapse_version: "v1.15.1" matrix_synapse_log_dir: "/var/log/matrix_synapse" matrix_synapse_log_days_keep: 14 matrix_synapse_pid_file: "{{ matrix_synapse_base_path }}/synapse.pid" From cc715b2f140c6342ec5e1e3f7ba2720517646b14 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20Christian=20Gr=C3=BCnhage?= Date: Sat, 4 Jul 2020 11:13:44 +0200 Subject: [PATCH 161/167] bump version to 1.15.2 --- README.md | 2 +- defaults/main.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 12082e6..e4d4311 100644 --- a/README.md +++ b/README.md @@ -35,7 +35,7 @@ The following should be present on the target system | matrix_synapse_dh_path | "{{ matrix_synapse_base_path }}/tls/{{ matrix_server_name }}.dh" | | matrix_synapse_baseurl | "https://{{ matrix_server_name }}" | | matrix_synapse_signing_key_path | "{{ matrix_synapse_base_path }}/ssl/{{ matrix_server_name }}.signing.key" | -| matrix_synapse_version | "v1.15.1" | +| matrix_synapse_version | "v1.15.2" | | matrix_synapse_log_days_keep | 14 | | matrix_synapse_deployment_method | pip | Either pip or docker [¹](#footnote_1) | | matrix_synapse_supervision_method | systemd | Either systemd, runit or docker [¹](#footnote_1) | diff --git a/defaults/main.yml b/defaults/main.yml index 74d2ad7..8155595 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -7,7 +7,7 @@ matrix_synapse_secrets_path: "{{ matrix_synapse_base_path }}/secrets"
 matrix_synapse_dh_path: "{{ matrix_synapse_base_path }}/tls/{{ matrix_server_name }}.dh"
 matrix_synapse_baseurl: "https://{{ matrix_server_name }}"
 matrix_synapse_signing_key_path: "{{ matrix_synapse_base_path }}/tls/{{ matrix_server_name }}.signing.key"
-matrix_synapse_version: "v1.15.1"
+matrix_synapse_version: "v1.15.2"
 matrix_synapse_log_dir: "/var/log/matrix_synapse"
 matrix_synapse_log_days_keep: 14
 matrix_synapse_pid_file: "{{ matrix_synapse_base_path }}/synapse.pid"
From 08bd3c040c8597c1a34c734d9dd235b384c97b14 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20Christian=20Gr=C3=BCnhage?=
Date: Sat, 4 Jul 2020 11:15:06 +0200
Subject: [PATCH 162/167] bump version to 1.6.8
---
 defaults/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/defaults/main.yml b/defaults/main.yml
index 9a8ec39..93b2fb2 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -1,5 +1,5 @@
 ---
-riot_version: 1.6.2
+riot_version: 1.6.8
 riot_webapp_dir: /opt/riot
 riot_config:
   brand: Riot
From 23e04a1acafe449cd44ad415c4d39e89c5043a77 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20Christian=20Gr=C3=BCnhage?=
Date: Wed, 8 Jul 2020 12:47:59 +0200
Subject: [PATCH 163/167] bump version to 1.16.0
---
 README.md | 2 +-
 defaults/main.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index e4d4311..5423378 100644
--- a/README.md
+++ b/README.md
@@ -35,7 +35,7 @@ The following should be present on the target system
 | matrix_synapse_dh_path | "{{ matrix_synapse_base_path }}/tls/{{ matrix_server_name }}.dh" |
 | matrix_synapse_baseurl | "https://{{ matrix_server_name }}" |
 | matrix_synapse_signing_key_path | "{{ matrix_synapse_base_path }}/ssl/{{ matrix_server_name }}.signing.key" |
-| matrix_synapse_version | "v1.15.2" |
+| matrix_synapse_version | "v1.16.0" |
 | matrix_synapse_log_days_keep | 14 |
 | matrix_synapse_deployment_method | pip | Either pip or docker [¹](#footnote_1) |
 | matrix_synapse_supervision_method | systemd | Either systemd, runit or docker [¹](#footnote_1) |
diff --git a/defaults/main.yml b/defaults/main.yml
index 8155595..f7f2455 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -7,7 +7,7 @@ matrix_synapse_secrets_path: "{{ matrix_synapse_base_path }}/secrets"
 matrix_synapse_dh_path: "{{ matrix_synapse_base_path }}/tls/{{ matrix_server_name }}.dh"
 matrix_synapse_baseurl: "https://{{ matrix_server_name }}"
 matrix_synapse_signing_key_path: "{{ matrix_synapse_base_path }}/tls/{{ matrix_server_name }}.signing.key"
-matrix_synapse_version: "v1.15.2"
+matrix_synapse_version: "v1.16.0"
 matrix_synapse_log_dir: "/var/log/matrix_synapse"
 matrix_synapse_log_days_keep: 14
 matrix_synapse_pid_file: "{{ matrix_synapse_base_path }}/synapse.pid"
From fcd808ff4e36d8e6df2efe551fe1718415c65da7 Mon Sep 17 00:00:00 2001
From: Vincent Wilke
Date: Mon, 22 Jun 2020 20:35:26 +0200
Subject: [PATCH 164/167] Add container label with synapse version
---
 tasks/deployment.yml | 2 +-
 vars/main.yml | 3 +++
 2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/tasks/deployment.yml b/tasks/deployment.yml
index 1919eae..e2ebec1 100644
--- a/tasks/deployment.yml
+++ b/tasks/deployment.yml
@@ -58,7 +58,7 @@
     name: "{{ matrix_synapse_container_name }}"
     image: "{{ matrix_synapse_container_ref }}:{{ matrix_synapse_version }}"
     ports: "{{ matrix_synapse_docker_ports }}"
-    labels: "{{ matrix_synapse_docker_labels }}"
+    labels: "{{ matrix_synapse_docker_labels_complete }}"
     restart_policy: unless-stopped
     recreate: true
     pull: true
diff --git a/vars/main.yml b/vars/main.yml
index 40eaf5b..04a66a3 100644
--- a/vars/main.yml
+++ b/vars/main.yml
@@ -146,3 +146,6 @@ matrix_synapse_base_config:
     - user_id: "*"
       alias: "*"
       action: allow
+matrix_synapse_docker_labels_complete: "{{ matrix_synapse_docker_labels_base | combine(matrix_synapse_docker_labels) }}"
+matrix_synapse_docker_labels_base:
+  version: "{{ matrix_synapse_version }}"
From 3776705b2661648f37ca86889e467aca7c90a21f Mon Sep 17 00:00:00 2001
From: Vincent Wilke
Date: Mon, 22 Jun 2020 21:38:35 +0200
Subject: [PATCH 165/167] Add container label with riot version
---
 tasks/main.yml | 2 +-
 vars/main.yml | 4 +++-
 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/tasks/main.yml b/tasks/main.yml
index 6077e53..ee0ef1f 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -39,7 +39,7 @@
     name: "riot-web"
     image: "docker.io/vectorim/riot-web:v{{ riot_version }}"
     ports: "{{ riot_docker_ports }}"
-    labels: "{{ riot_docker_labels }}"
+    labels: "{{ riot_docker_labels_complete }}"
     restart_policy: unless-stopped
     volumes: "{{ riot_docker_volumes }}"
   when: riot_deployment_method == "docker"
diff --git a/vars/main.yml b/vars/main.yml
index 4abe14c..a877f77 100644
--- a/vars/main.yml
+++ b/vars/main.yml
@@ -1,2 +1,4 @@
 ---
-# vars file for ansible-riot-webapp
+riot_docker_labels_complete: "{{ riot_docker_labels_base | combine(riot_docker_labels) }}"
+riot_docker_labels_base:
+  version: "{{ riot_version }}"
From 5fd74bc5def23af51cd64dcf5d5c884e05a55501 Mon Sep 17 00:00:00 2001
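Review bot: The merge order in the added `matrix_synapse_docker_labels_complete` line lets a user-supplied `version` key in `matrix_synapse_docker_labels` silently replace the label this commit exists to add, because `combine` gives the right-hand mapping precedence; the same applies to `riot_docker_labels_complete` in the vars/main.yml hunk of PATCH 165. If the label is meant to record the deployed version reliably (for inventory or vulnerability tracking), reverse the order so the role's value wins, `matrix_synapse_docker_labels_complete: "{{ matrix_synapse_docker_labels | combine(matrix_synapse_docker_labels_base) }}"`, and say so in the README. Both expressions also presume `matrix_synapse_docker_labels` and `riot_docker_labels` are always defined as mappings; their defaults are outside this patch, so an undefined or `null` value would presumably make `combine` fail at task time rather than fall back to the base labels, and a `| default({})` guard would make that explicit. Defining `_base` before `_complete` would also read more naturally, though Ansible's lazy templating makes the current order work. Note that the label records the requested tag, not what was actually pulled; since the image is fetched by mutable tag with `pull: true`, treat it as a hint rather than as an attestation of the running build.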
From: =?UTF-8?q?Jan=20Christian=20Gr=C3=BCnhage?=
Date: Mon, 13 Jul 2020 12:58:56 +0200
Subject: [PATCH 166/167] bump version to 1.17.0
---
 README.md | 2 +-
 defaults/main.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index 5423378..81b793b 100644
--- a/README.md
+++ b/README.md
@@ -35,7 +35,7 @@ The following should be present on the target system
 | matrix_synapse_dh_path | "{{ matrix_synapse_base_path }}/tls/{{ matrix_server_name }}.dh" |
 | matrix_synapse_baseurl | "https://{{ matrix_server_name }}" |
 | matrix_synapse_signing_key_path | "{{ matrix_synapse_base_path }}/ssl/{{ matrix_server_name }}.signing.key" |
-| matrix_synapse_version | "v1.16.0" |
+| matrix_synapse_version | "v1.17.0" |
 | matrix_synapse_log_days_keep | 14 |
 | matrix_synapse_deployment_method | pip | Either pip or docker [¹](#footnote_1) |
 | matrix_synapse_supervision_method | systemd | Either systemd, runit or docker [¹](#footnote_1) |
diff --git a/defaults/main.yml b/defaults/main.yml
index f7f2455..9cedfc6 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -7,7 +7,7 @@ matrix_synapse_secrets_path: "{{ matrix_synapse_base_path }}/secrets"
 matrix_synapse_dh_path: "{{ matrix_synapse_base_path }}/tls/{{ matrix_server_name }}.dh"
 matrix_synapse_baseurl: "https://{{ matrix_server_name }}"
 matrix_synapse_signing_key_path: "{{ matrix_synapse_base_path }}/tls/{{ matrix_server_name }}.signing.key"
-matrix_synapse_version: "v1.16.0"
+matrix_synapse_version: "v1.17.0"
 matrix_synapse_log_dir: "/var/log/matrix_synapse"
 matrix_synapse_log_days_keep: 14
 matrix_synapse_pid_file: "{{ matrix_synapse_base_path }}/synapse.pid"
From 18ad524c0c21cf7f601aebb8fe93b2730d0e8bea Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20Christian=20Gr=C3=BCnhage?=
Date: Wed, 15 Jul 2020 13:35:21 +0200
Subject: [PATCH 167/167] bump version to 1.7.0
---
 defaults/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/defaults/main.yml b/defaults/main.yml
index 93b2fb2..ab859b8 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -1,5 +1,5 @@
 ---
-riot_version: 1.6.8
+riot_version: 1.7.0
 riot_webapp_dir: /opt/riot
 riot_config:
   brand: Riot