diff --git a/README.md b/README.md
index e69de29..c568754 100644
--- a/README.md
+++ b/README.md
@@ -0,0 +1,3 @@
+Example BLSE2 Ansible Roles
+
+This is a collection of Ansible roles from the Boniface Labs Server Environment, version 2, in a santized public form. It is useful as a reference for Ansible and on how to configure these services. Note that many roles may rely on BLSE-specific variables set in group_vars, which are not included here.
diff --git a/package-riot/handlers/main.yml b/package-riot/handlers/main.yml
new file mode 100644
index 0000000..3fb11db
--- /dev/null
+++ b/package-riot/handlers/main.yml
@@ -0,0 +1,15 @@
+---
+- name: restart matrix-synapse
+ service:
+ name: matrix-synapse
+ state: restarted
+
+- name: restart mxisd
+ service:
+ name: mxisd
+ state: restarted
+
+- name: restart nginx
+ service:
+ name: nginx
+ state: restarted
diff --git a/package-riot/tasks/main.yml b/package-riot/tasks/main.yml
new file mode 100644
index 0000000..5f3f683
--- /dev/null
+++ b/package-riot/tasks/main.yml
@@ -0,0 +1,122 @@
+---
+- name: install matrix packages
+ apt:
+ pkg:
+ - matrix-synapse
+ - matrix-synapse-ldap3
+ - python3-psycopg2
+ - python3-jinja2
+ - python3-bleach
+ - openjdk-8-jre-headless
+ - mxisd
+ state: latest
+
+- name: install the rest auth provider
+ get_url:
+ url: "https://raw.githubusercontent.com/kamax-matrix/matrix-synapse-rest-auth/master/rest_auth_provider.py"
+ dest: "/usr/lib/python3/dist-packages/rest_auth_provider.py"
+
+- name: ensure services are started and enabled
+ service:
+ name: "{{ item }}"
+ state: started
+ enabled: yes
+ with_items:
+ - matrix-synapse
+ - mxisd
+
+- name: install matrix-synapse configurations
+ template:
+ src: "{{ item.src }}.j2"
+ dest: "{{ item.dest }}"
+ owner: matrix-synapse
+ group: adm
+ mode: 0640
+ notify: restart matrix-synapse
+ with_items:
+ - { src: "matrix-homeserver.yaml", dest: "/etc/matrix-synapse/homeserver.yaml" }
+ - { src: "matrix-server_name.yaml", dest: "/etc/matrix-synapse/conf.d/server_name.yaml" }
+ - { src: "matrix-report_stats.yaml", dest: "/etc/matrix-synapse/conf.d/report_stats.yaml" }
+ - { src: "matrix-homeserver.signing.key", dest: "/etc/matrix-synapse/homeserver.signing.key" }
+
+- name: install mxisd configurations
+ template:
+ src: "{{ item.src }}.j2"
+ dest: "{{ item.dest }}"
+ owner: mxisd
+ group: adm
+ mode: 0640
+ notify: restart mxisd
+ with_items:
+ - { src: "mxisd.yaml", dest: "/etc/mxisd/mxisd.yaml" }
+
+- name: link the res folder to the right place
+ file:
+ src: "/usr/lib/python3/dist-packages/synapse/res"
+ dest: "/var/lib/matrix-synapse/res"
+ state: link
+
+- name: create matrix data directories
+ file:
+ dest: "/srv/matrix/{{ item }}"
+ state: directory
+ owner: matrix-synapse
+ group: sudo
+ mode: 0750
+ with_items:
+ - media
+ - uploads
+
+- name: install nginx packages
+ apt:
+ pkg:
+ - nginx
+ state: latest
+
+- name: ensure services are started and enabled
+ service:
+ name: "{{ item }}"
+ state: started
+ enabled: yes
+ with_items:
+ - nginx
+
+- name: disable default nginx configuration
+ file:
+ dest: "/etc/nginx/sites-enabled/default"
+ state: "absent"
+
+- name: install nginx configuration
+ template:
+ src: "riot-nginx.j2"
+ dest: "/etc/nginx/sites-enabled/riot"
+ notify: restart nginx
+
+- name: download riot
+ get_url:
+ url: "https://github.com/vector-im/riot-web/releases/download/{{ riot_version }}/riot-{{ riot_version }}.tar.gz"
+ dest: "/var/www/riot.tar.gz"
+
+- name: extract riot
+ unarchive:
+ src: "/var/www/riot.tar.gz"
+ dest: "/var/www"
+ owner: www-data
+ group: www-data
+ copy: no
+ creates: "/var/www/riot-{{ riot_version }}"
+
+- name: create versionless riot symlink
+ file:
+ src: "/var/www/riot-{{ riot_version }}"
+ dest: "/var/www/riot"
+ state: link
+
+- name: install riot configuration
+ template:
+ src: "riot-config.json.j2"
+ dest: "/var/www/riot/config.json"
+ owner: www-data
+ group: www-data
+ notify: restart nginx
+
diff --git a/package-riot/templates/matrix-homeserver.signing.key.j2 b/package-riot/templates/matrix-homeserver.signing.key.j2
new file mode 100644
index 0000000..05ff090
--- /dev/null
+++ b/package-riot/templates/matrix-homeserver.signing.key.j2
@@ -0,0 +1 @@
+{{ matrix_homeserver_signing_key }}
diff --git a/package-riot/templates/matrix-homeserver.yaml.j2 b/package-riot/templates/matrix-homeserver.yaml.j2
new file mode 100644
index 0000000..fcc0b05
--- /dev/null
+++ b/package-riot/templates/matrix-homeserver.yaml.j2
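Review bot: The `install the rest auth provider` task fetches `rest_auth_provider.py` from the `master` branch of a third-party GitHub repository straight into `/usr/lib/python3/dist-packages` with no `checksum`, so whatever that branch contains at run time is loaded into synapse as a password provider, a module that sees every login credential; the `download riot` task pins a version but likewise no digest. Pin the URL to a commit (`url: "https://raw.githubusercontent.com/kamax-matrix/matrix-synapse-rest-auth/<commit-sha>/rest_auth_provider.py"`) and add `checksum: "sha256:<digest>"` to both `get_url` tasks so a changed upstream file fails the run instead of being installed. `state: latest` on the two `apt` tasks has the same drift property, though that one is a policy choice. Two tasks share the name `ensure services are started and enabled`, which makes `--start-at-task` and log output ambiguous; give the nginx one its own name.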
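Review bot: This template is written by the `install matrix-synapse configurations` loop in tasks/main.yml with `group: adm` and `mode: 0640`, so the homeserver's private signing key ends up readable by every member of `adm`, the same as ordinary config files. A private key should not share those permissions; install it from its own `template` task with `mode: "0600"` (or add a per-item `mode` to the loop). Ansible accepts the unquoted leading-zero form, but the quoted `"0600"` avoids any octal ambiguity in the YAML parser.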
@@ -0,0 +1,123 @@
+---
+# Matrix homeserver configuration
+# {{ ansible_managed }}
+no_tls: True
+tls_fingerprints: []
+pid_file: "/var/run/matrix-synapse.pid"
+soft_file_limit: 0
+public_baseurl: "https://im.bonifacelabs.ca"
+listeners:
+ - port: 8008
+ tls: false
+ bind_addresses:
+ - '::'
+ type: http
+ x_forwarded: true
+ resources:
+ - names: [client, webclient]
+ compress: true
+ - names: [federation]
+ compress: false
+database:
+ name: psycopg2
+ args:
+ user: "{{ postgres_client['matrix'].username }}"
+ password: "{{ postgres_client['matrix'].passwd }}"
+ database: "{{ postgres_client['matrix'].database }}"
+ host: "{{ postgres_client['matrix'].host }}"
+ port: "{{ postgres_client['matrix'].port_readwrite }}"
+ cp_min: 5
+ cp_max: 10
+event_cache_size: "10K"
+log_config: "/etc/matrix-synapse/log.yaml"
+rc_messages_per_second: 2.0
+rc_message_burst_count: 10.0
+federation_rc_window_size: 1000
+federation_rc_sleep_limit: 10
+federation_rc_sleep_delay: 500
+federation_rc_reject_limit: 50
+federation_rc_concurrent: 3
+media_store_path: "/srv/matrix/media"
+uploads_path: "/srv/matrix/uploads"
+max_upload_size: "10M"
+max_image_pixels: "32M"
+dynamic_thumbnails: false
+thumbnail_sizes:
+ - width: 32
+ height: 32
+ method: crop
+ - width: 96
+ height: 96
+ method: crop
+ - width: 320
+ height: 240
+ method: scale
+ - width: 640
+ height: 480
+ method: scale
+ - width: 800
+ height: 600
+ method: scale
+url_preview_enabled: False
+max_spider_size: "10M"
+enable_registration_captcha: False
+enable_registration: False
+bcrypt_rounds: 12
+allow_guest_access: False
+trusted_third_party_id_servers:
+ - "im.{{ blsedomains_webdomain }}"
+auto_join_rooms:
+ - "#hallway:{{ blsedomains_webdomain }}"
+ - "#fun:{{ blsedomains_webdomain }}"
+ - "#games:{{ blsedomains_webdomain }}"
+enable_metrics: False
+room_invite_state_types:
+ - "m.room.join_rules"
+ - "m.room.canonical_alias"
+ - "m.room.avatar"
+ - "m.room.name"
+app_service_config_files: []
+expire_access_token: False
+signing_key_path: "/etc/matrix-synapse/homeserver.signing.key"
+old_signing_keys: {}
+key_refresh_interval: "1d" # 1 Day.
+perspectives:
+ servers:
+ "matrix.org":
+ verify_keys:
+ "ed25519:auto":
+ key: "{{ matrixorg_verify_key }}"
+password_config:
+ enabled: true
+email:
+ enable_notifs: true
+ smtp_host: "{{ blsecluster_smtphost }}"
+ smtp_port: 587
+ smtp_user: "{{ username_email_root }}"
+ smtp_pass: "{{ passwd_email_root }}"
+ require_transport_security: True
+ notif_from: "The BLSE Matrix Server "
+ app_name: Matrix
+ template_dir: res/templates
+ notif_template_html: notif_mail.html
+ notif_template_text: notif_mail.txt
+ notif_for_new_users: True
+ riot_base_url: "https://riot.bonifacelabs.ca"
+password_providers:
+ - module: "rest_auth_provider.RestAuthProvider"
+ config:
+ endpoint: "http://localhost:8090"
+# - module: "ldap_auth_provider.LdapAuthProvider"
+# config:
+# enabled: true
+# uri: "ldap://{{ blsecluster_ldaphost }}:389"
+# start_tls: false
+# base: "{{ ldap_basedn }}"
+# attributes:
+# uid: "uid"
+# mail: "mail"
+# name: "cn"
+# bind_dn: "{{ username_ldap_admin }}"
+# bind_password: "{{ passwd_ldap_admin }}"
+# filter: "(&(objectClass=mailUser)(accountStatus=active))"
+enable_group_creation: false
diff --git a/package-riot/templates/matrix-report_stats.yaml.j2 b/package-riot/templates/matrix-report_stats.yaml.j2
new file mode 100644
index 0000000..887c1c1
--- /dev/null
+++ b/package-riot/templates/matrix-report_stats.yaml.j2
@@ -0,0 +1,4 @@
+---
+# Matrix report_stats configuration
+# {{ ansible_managed }}
+report_stats: false
diff --git a/package-riot/templates/matrix-server_name.yaml.j2 b/package-riot/templates/matrix-server_name.yaml.j2
new file mode 100644
index 0000000..19aad71
--- /dev/null
+++ b/package-riot/templates/matrix-server_name.yaml.j2
@@ -0,0 +1,4 @@
+---
+# Matrix server_name configuration
+# {{ ansible_managed }}
+server_name: "{{ blsedomains_webdomain }}"
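Review bot: The only listener binds port 8008 on `'::'` (every interface) with `tls: false` and `x_forwarded: true`, so if 8008 is reachable by anything other than the TLS-terminating proxy, a client can talk to synapse in cleartext and supply its own `X-Forwarded-For`, forging the address used for rate limiting and logging. The mxisd template's `dns.overwrite` entry pointing at `http://localhost:8008` suggests the proxy runs on the same host; if so, `bind_addresses: ['127.0.0.1', '::1']` (or an equivalent host firewall rule) closes the gap. Nothing in this diff proxies to 8008 — the nginx template only serves the static client — so the proxy vhost presumably lives in another role, and it is worth confirming federation on 8448 is handled there too. Separately, `notif_from: "The BLSE Matrix Server "` looks as if the `<matrix@…>` address part was lost (possibly during sanitisation); synapse expects a sender address in that value.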
diff --git a/package-riot/templates/mxisd.yaml.j2 b/package-riot/templates/mxisd.yaml.j2
new file mode 100644
index 0000000..8a43f27
--- /dev/null
+++ b/package-riot/templates/mxisd.yaml.j2
@@ -0,0 +1,47 @@
+---
+# mxisd configuration file
+# {{ ansible_managed }}
+matrix:
+ domain: "im.{{ blsedomains_webdomain }}"
+key:
+ path: '/var/lib/mxisd/keys'
+storage:
+ provider:
+ sqlite:
+ database: '/var/lib/mxisd/store.db'
+ldap:
+ enabled: true
+ connection:
+ host: "{{ blsecluster_ldaphost }}"
+ port: 389
+ bindDn: "{{ username_ldap_admin }}"
+ bindPassword: "{{ passwd_ldap_admin }}"
+ baseDNs:
+ - "{{ ldap_basedn }}"
+ filter: "(&(objectClass=mailUser)(accountStatus=active))"
+ attribute:
+ uid:
+ type: "uid"
+ value: "uid"
+ name: "cn"
+ threepid:
+ email:
+ - "mail"
+threepid:
+ medium:
+ email:
+ identity:
+ from: "matrix@{{ blsedomains_webdomain }}"
+ connectors:
+ smtp:
+ host: "{{ blsecluster_smtphost }}"
+ port: 587
+ tls: 1
+ login: "{{ username_email_root }}"
+ password: "{{ passwd_email_root }}"
+dns:
+ overwrite:
+ homeserver:
+ client:
+ - name: 'im.{{ blsedomains_webdomain }}'
+ value: 'http://localhost:8008'
diff --git a/package-riot/templates/riot-config.json.j2 b/package-riot/templates/riot-config.json.j2
new file mode 100644
index 0000000..049ae41
--- /dev/null
+++ b/package-riot/templates/riot-config.json.j2
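Review bot: `ldap.connection` binds as the LDAP admin account (`bindDn`/`bindPassword`) on plain port 389 with no TLS setting, so the admin credentials and every directory lookup cross the network in cleartext unless the LDAP host is on a trusted segment; the commented-out synapse provider in matrix-homeserver.yaml.j2 uses the same `ldap://…:389` with `start_tls: false`. Prefer LDAPS (port 636 plus the connection's TLS option — check the mxisd version in use for the exact key) or StartTLS, and a dedicated read-only bind account rather than the admin one for a lookup-only service. `matrix.domain` is `im.{{ blsedomains_webdomain }}` while synapse's `server_name` is the bare `{{ blsedomains_webdomain }}`; as I recall mxisd documents this value as the homeserver's domain, so this looks like it would make mxisd build MXIDs under the wrong domain — worth verifying with a real lookup.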
@@ -0,0 +1,37 @@
+{
+ "default_hs_url": "https://im.{{ blsedomains_webdomain }}",
+ "default_is_url": "https://im.{{ blsedomains_webdomain }}",
+ "disable_custom_urls": false,
+ "disable_guests": false,
+ "disable_login_language_selector": false,
+ "disable_3pid_login": false,
+ "brand": "Riot",
+ "integrations_ui_url": "https://scalar.vector.im/",
+ "integrations_rest_url": "https://scalar.vector.im/api",
+ "integrations_jitsi_widget_url": "https://scalar.vector.im/api/widgets/jitsi.html",
+ "bug_report_endpoint_url": "https://riot.im/bugreports/submit",
+ "features": {
+ "feature_groups": "labs",
+ "feature_pinning": "labs"
+ },
+ "default_federate": true,
+ "default_theme": "light",
+ "roomDirectory": {
+ "servers": [
+ "{{ blsedomains_webdomain }}",
+ "im.{{ blsedomains_webdomain }}"
+ ]
+ },
+ "welcomeUserId": "@riot-bot:matrix.org",
+ "piwik": {
+ "url": "https://piwik.riot.im/",
+ "whitelistedHSUrls": ["https://{{ blsedomains_webdomain }}", "https://im.{{ blsedomains_webdomain }}", "https://matrix.org"],
+ "whitelistedISUrls": ["https://{{ blsedomains_webdomain }}", "https://im.{{ blsedomains_webdomain }}", "https://vector.im", "https://matrix.org"],
+ "siteId": 1
+ },
+ "enable_presence_by_hs_url": {
+ "https://{{ blsedomains_webdomain }}": true,
+ "https://im.{{ blsedomains_webdomain }}": true,
+ "https://matrix.org": true
+ }
+}
diff --git a/package-riot/templates/riot-nginx.j2 b/package-riot/templates/riot-nginx.j2
new file mode 100644
index 0000000..efb05c9
--- /dev/null
+++ b/package-riot/templates/riot-nginx.j2
@@ -0,0 +1,16 @@
+# Simple and straightforward web server for Riot
+# {{ ansible_managed }}
+server {
+ listen 80 default_server;
+ listen [::]:80 default_server;
+
+ root /var/www/riot;
+
+ index index.html;
+
+ server_name _;
+
+ location / {
+ try_files $uri $uri/ =404;
+ }
+}
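Review bot: The client config points at several third parties that a private, registration-closed deployment may not want: `integrations_*` at scalar.vector.im, `bug_report_endpoint_url` at riot.im (bug reports carry client logs), `welcomeUserId` on matrix.org, and a `piwik` block whose `whitelistedHSUrls` explicitly lists this homeserver, so if a user accepts the analytics prompt, usage telemetry about it goes to piwik.riot.im. If that is not intended, drop the `piwik` block and `bug_report_endpoint_url`, or point them at self-hosted endpoints. `disable_guests: false` is harmless because the homeserver sets `allow_guest_access: False`, but `"disable_guests": true` keeps the UI consistent with the server. `default_hs_url`/`default_is_url` are `https://im.…` while the nginx template in this diff only listens on port 80 and does not proxy to synapse or mxisd; presumably another role provides that TLS vhost.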
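Review bot: This vhost serves the Riot client on plain `listen 80` as `default_server` with `server_name _` and sets no security headers, while riot-config.json.j2 sends clients to `https://` endpoints. If no TLS-terminating front end sits ahead of it (none appears in this diff), the access tokens and E2E key material the web client holds travel over cleartext HTTP; if one does, a comment saying so would spare the next reader the question. Independently of TLS, add the headers riot-web's deployment notes recommend inside `server { … }`: `add_header X-Frame-Options SAMEORIGIN;`, `add_header X-Content-Type-Options nosniff;`, `add_header Content-Security-Policy "frame-ancestors 'none';";`. Being `default_server` on port 80 also means any hostname that reaches this box gets the client; pin `server_name` to the riot hostname if other vhosts are expected.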