LILiK
/
lilik_playbook
5
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
Browse Source

roles/matrix-synapse: upgrade, postgres, ... 

- User last official deb package from matrix.org

- Revised LDAP integration:
  * ldap_server, ldap_domain [ ldap_basedn ] config vraiables.
  * Bind a protected service account with a service password and
    start-tls

- Hardcoded matrix.lilik.it --> {{ ansible_hostname }}.{{ domain }}

- Sqlite -> Postgres

New variables:

- matrix_domain | default($domain)
python3
Zolfa 5 years ago
parent
392eddeca8
commit
c6af4ff871
Signed by: zolfa GPG Key ID: E1A43B038C4D6616
6 changed files with 1765 additions and 282 deletions
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. +5
    -1
      roles/matrix-synapse/defaults/main.yaml
  2. +22
    -0
      roles/matrix-synapse/files/ldap.conf
  3. +0
    -1
      roles/matrix-synapse/meta/main.yaml
  4. +104
    -30
      roles/matrix-synapse/tasks/main.yaml
  5. +1633
    -250
      roles/matrix-synapse/templates/homeserver.yaml.j2
  6. +1
    -0
      roles/matrix-synapse/templates/synapse.conf.j2

+ 5
- 1
roles/matrix-synapse/defaults/main.yaml View File

@ -1,4 +1,8 @@
---
server_fqdn: "matrix.lilik.it"
server_fqdn: '{{ ansible_hostname }}.{{ domain }}'
proxy_location_path: "_matrix"
remote_host: "http://127.0.0.1:8008/_matrix"
matrix_domain: '{{ domain }}'
ldap_server: 'ldap1.dmz.{{ domain }}'
ldap_domain: '{{ domain }}'
ldap_basedn: 'dc={{ ldap_domain.replace(".", ",dc=") }}'

+ 22
- 0
roles/matrix-synapse/files/ldap.conf View File

@ -0,0 +1,22 @@
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
#BASE dc=example,dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
# TLS certificates (needed for GnuTLS)
TLS_CACERT /etc/ldap/root_ca.crt
#TLS_CERT /etc/ldap/ldap.crt
#TLS_KEY /etc/ldap/ldap.key
# TLSv1.3 Only
TLS_CIPHER_SUITE SECURE:-VERS-ALL:+VERS-TLS1.3

+ 0
- 1
roles/matrix-synapse/meta/main.yaml View File

@ -1,4 +1,3 @@
---
dependencies:
- role: nginx
server_fqdn: "matrix.lilik.it"

+ 104
- 30
roles/matrix-synapse/tasks/main.yaml View File

@ -1,40 +1,114 @@
---
- name: set synapse server name
- name: 'install gnupg and ca-cert'
apt:
pkg:
- 'gnupg'
- 'ca-certificates'
tags:
- 'packages'
- name: 'add matrix gnupg key to apt'
apt_key:
id: 'AAF9AE843A7584B5A3E4CD2BCF45A512DE2DA058'
url: 'https://packages.matrix.org/debian/matrix-org-archive-keyring.gpg'
state: 'present'
tags:
- 'packages'
- name: 'add matrix apt repos'
apt_repository:
repo: '{{ item }}'
state: 'present'
loop:
- 'deb https://packages.matrix.org/debian/ buster main'
- 'deb-src https://packages.matrix.org/debian/ buster main'
tags:
- 'packages'
- name: 'set synapse server name'
debconf:
name: 'matrix-synapse'
name: 'matrix-synapse-py3'
question: 'matrix-synapse/server-name'
vtype: 'string'
value: '{{ ansible_hostname }}'
value: '{{ matrix_domain }}'
- name: install synapse
include_role:
name: service
# static: yes # see static include issue: https://github.com/ansible/ansible/issues/13485
- name: 'install synapse'
include_role: name='service'
vars:
service_name: matrix-synapse
service_name: 'matrix-synapse'
service_packages:
- matrix-synapse
- name: fix synapse folders permissions
file:
path: "{{ item }}"
owner: matrix-synapse
group: nogroup
mode: 0750
state: directory
with_items:
- /etc/matrix-synapse
- /etc/matrix-synapse/conf.d
- name: upload synapse reverse proxy conf
- 'matrix-synapse-py3'
- 'postgresql'
- 'postgresql-contrib'
- 'python3-psycopg2'
- block:
- name: 'create synapse DB'
postgresql_db:
name: 'synapse'
encoding: 'UTF-8'
lc_collate: 'C'
lc_ctype: 'C'
template: 'template0'
- name: 'create synapse DB user'
postgresql_user:
name: 'matrix-synapse'
db: 'synapse'
priv: 'ALL'
become: true
become_method: 'su'
become_user: 'postgres'
#- name: fix synapse folders permissions
# file:
# path: "{{ item }}"
# owner: matrix-synapse
# group: nogroup
# mode: 0750
# state: directory
# with_items:
# - /etc/matrix-synapse
# - /etc/matrix-synapse/conf.d
- name: 'upload synapse reverse proxy conf'
template:
src: synapse.conf
dest: "/etc/nginx/locations/{{ server_fqdn }}/synapse.conf"
notify:
- restart nginx
src: 'synapse.conf.j2'
dest: '/etc/nginx/locations/{{ server_fqdn }}/synapse.conf'
notify: 'restart nginx'
- name: 'generate matrix ldap password'
gen_passwd: 'length=32'
register: 'new_passwd'
tags:
- 'service_password'
- name: 'set matrix ldap password in ldap'
delegate_to: 'localhost'
ldap_passwd:
dn: 'cn={{ ansible_hostname }},ou=Server,{{ ldap_basedn }}'
passwd: '{{ new_passwd.passwd }}'
server_uri: 'ldap://{{ ldap_server }}'
start_tls: true
bind_dn: '{{ ldap_admin_dn }}'
bind_pw: '{{ ldap_admin_pw }}'
tags:
- 'service_password'
- name: 'update tls ca'
copy:
content: '{{ tls_root_ca }}'
dest: '/etc/ldap/root_ca.crt'
- name: 'configure ldap client'
copy:
src: 'ldap.conf'
dest: '/etc/ldap/ldap.conf'
- name: upload synapse conf
- name: 'upload synapse conf'
template:
src: homeserver.yaml.j2
dest: /etc/matrix-synapse/homeserver.yaml
notify: "restart matrix-synapse"
src: 'homeserver.yaml.j2'
dest: '/etc/matrix-synapse/homeserver.yaml'
notify: 'reload matrix-synapse'
tags:
- 'service_password'

+ 1633
- 250
roles/matrix-synapse/templates/homeserver.yaml.j2
File diff suppressed because it is too large
View File


+ 1
- 0
roles/matrix-synapse/templates/synapse.conf.j2 View File

@ -0,0 +1 @@
{% extends "roles/nginx/templates/service.conf" %}

Write Preview
Loading…
Cancel
Save