diff --git a/group_vars/all.yml b/group_vars/all.yml index 18f5a1a..a252c1f 100644 --- a/group_vars/all.yml +++ b/group_vars/all.yml @@ -142,6 +142,23 @@ mumble_server_password: "passw0rd" mumble_superuser_password: "13qeadZC" mumble_max_users: "100" +# Matrix Synapse +matrix_base_dir: "/mnt/matrix" +matrix_data_dir: "{{ matrix_base_dir }}/data" +matrix_config_dir: "{{ matrix_base_dir }}/config" +matrix_media_dir: "{{ matrix_base_dir }}/media" +matrix_postgres_dir: "{{ matrix_base_dir }}/postgres" +matrix_port: "45132" +matrix_domain: "matrix.zailon.ru" +matrix_server_name: "{{ matrix_domain }}" +matrix_registration_enabled: false +matrix_report_stats: false +matrix_admin_user: "@admin:{{ matrix_domain }}" +matrix_postgres_password: "{{ vault_matrix_postgres_password }}" +matrix_synapse_secret: "{{ vault_matrix_synapse_secret }}" +matrix_macaroon_secret: "{{ vault_matrix_macaroon_secret }}" +matrix_form_secret: "{{ vault_matrix_form_secret }}" + # ------------192.168.1.208 manage------------ # MeshCentral diff --git a/group_vars/all/vault.yml b/group_vars/all/vault.yml new file mode 100644 index 0000000..217ae81 --- /dev/null +++ b/group_vars/all/vault.yml @@ -0,0 +1,5 @@ +vault_matrix_postgres_password: "your_secure_postgres_password_here" +vault_matrix_synapse_secret: "f9e5c2071a178dd8260c7a07b8e133417ff0d7c5d5ca12efdb215d56e19f05f4" +vault_matrix_macaroon_secret: "11e917490abf2306026ee6e3f49137ca911bd166dc0b8f4bccd62602bf9e6966" +vault_matrix_form_secret: "f61c53b083b51e14d2875940971b9e2d5f9ea4c69944cecf458075bf055eca45" +vault_matrix_admin_password: "your_admin_password_here" \ No newline at end of file diff --git a/olimp-deploy.yml b/olimp-deploy.yml index 3367dbb..4972eb0 100644 --- a/olimp-deploy.yml +++ b/olimp-deploy.yml @@ -34,7 +34,7 @@ roles: - { role: docker, tags: deploy_docker } - { role: mumble, tags: deploy_mumble } - + - { role: matrix, tags: deploy_matrix } - hosts: manage roles: - { role: docker, tags: deploy_docker } 
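Review bot: `group_vars/all/vault.yml` is added in cleartext — there is no `$ANSIBLE_VAULT;` header, so the `vault_` prefix gives no protection and the three 64-hex values (the Synapse registration shared secret, macaroon secret and form secret) are now part of git history. Encrypt the file before merging (`ansible-vault encrypt group_vars/all/vault.yml`, or `ansible-vault encrypt_string` per value) and regenerate those three secrets, since the current values have to be treated as disclosed; the two `your_..._here` placeholders should only ever be filled in inside the encrypted file. The registration shared secret deserves particular care because, as `registration_shared_secret` in homeserver.yaml, it allows account creation through the admin registration path independently of `enable_registration`. The `matrix_*` entries in `group_vars/all.yml` already reference these through `{{ vault_... }}`, so encrypting this one file is the whole fix; the file is also missing its trailing newline.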
diff --git a/roles/matrix/files/homeserver.yaml b/roles/matrix/files/homeserver.yaml new file mode 100644 index 0000000..a68ef0b --- /dev/null +++ b/roles/matrix/files/homeserver.yaml @@ -0,0 +1,56 @@ +server_name: "{{ matrix_server_name }}" +pid_file: /data/homeserver.pid +public_baseurl: "https://{{ matrix_domain }}/" +listeners: + - port: 8008 + tls: false + type: http + x_forwarded: true + resources: + - names: [client, federation] + compress: false + +database: + name: psycopg2 + args: + user: synapse + password: "{{ matrix_postgres_password }}" + database: synapse + host: matrix-postgres + cp_min: 5 + cp_max: 10 + +log_config: "/data/log.config" +media_store_path: /data/media_store +uploads_path: /data/uploads +enable_registration: {{ matrix_registration_enabled }} +enable_registration_without_verification: false +registration_shared_secret: "{{ matrix_synapse_secret }}" +macaroon_secret_key: "{{ matrix_macaroon_secret }}" +form_secret: "{{ matrix_form_secret }}" + +report_stats: {{ "true" if matrix_report_stats else "false" }} + +retention: + enabled: true + default_policy: + min_lifetime: 1d + max_lifetime: 30d + +url_preview_enabled: true +url_preview_ip_range_blacklist: + - '127.0.0.0/8' + - '10.0.0.0/8' + - '172.16.0.0/12' + - '192.168.0.0/16' + - '100.64.0.0/10' + - '169.254.0.0/16' + - '::1/128' + - 'fe80::/64' + - 'fc00::/7' + +max_upload_size: "50M" + +# Federation +federation_domain_whitelist: ~ +allow_public_rooms_over_federation: true \ No newline at end of file diff --git a/roles/matrix/files/log.config b/roles/matrix/files/log.config new file mode 100644 index 0000000..f58ddd7 --- /dev/null +++ b/roles/matrix/files/log.config 
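Review bot: The Jinja expressions in this file (`{{ matrix_server_name }}`, `{{ matrix_postgres_password }}`, `{{ "true" if matrix_report_stats else "false" }}`) will never be rendered, because the file lives in `roles/matrix/files/` and the `roles/matrix/tasks/main.yml` hunk deploys it with `copy:`, which ships the bytes verbatim; Synapse would presumably then see a server_name of literally `{{ matrix_server_name }}` and a Postgres password of `{{ matrix_postgres_password }}`. Move it to `roles/matrix/templates/homeserver.yaml.j2` and deploy it with `template:` (log.config contains no expressions and can stay under `copy:`). While doing that, render the booleans uniformly, e.g. `enable_registration: {{ matrix_registration_enabled | to_json }}` and `report_stats: {{ matrix_report_stats | to_json }}`, instead of mixing a bare bool with a string ternary. Separately, `x_forwarded: true` makes Synapse trust `X-Forwarded-For` from whoever can reach port 8008, and the compose template publishes that port on all interfaces; make sure only the NPM proxy can reach it (firewall or loopback bind), otherwise rate limiting and IP-based audit data can be spoofed by direct clients. `allow_public_rooms_over_federation: true` publishes the room directory to every federating server, which is not Synapse's default; confirm that is intended.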
@@ -0,0 +1,29 @@ +version: 1 +formatters: + precise: + format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s - %(message)s' +filters: + context: + (): synapse.util.logcontext.LoggingContextFilter + request: "" +handlers: + file: + class: logging.handlers.RotatingFileHandler + formatter: precise + filename: /data/homeserver.log + maxBytes: 104857600 + backupCount: 10 + filters: [context] + level: INFO + console: + class: logging.StreamHandler + formatter: precise + level: INFO +loggers: + synapse: + level: INFO + synapse.storage.SQL: + level: INFO +root: + level: INFO + handlers: [file, console] \ No newline at end of file diff --git a/roles/matrix/tasks/main.yml b/roles/matrix/tasks/main.yml new file mode 100644 index 0000000..7355fe0 --- /dev/null +++ b/roles/matrix/tasks/main.yml 
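Review bot: The filter class path `synapse.util.logcontext.LoggingContextFilter` is the legacy location; current Synapse ships this filter as `synapse.logging.context.LoggingContextFilter`, and since the role pulls `matrixdotorg/synapse:latest` the old module path may no longer import, in which case Synapse refuses to start when it loads this log config. Compare against the `log.config` that the `--generate-config` task writes for the same image and take its filter path and handler layout from there. A short header comment naming the origin, e.g. `# Derived from the log config produced by synapse --generate-config; keep the filter class path in step with the image version`, would help the next maintainer. Minor: file and console handlers both emit at INFO, so every line is written twice under `docker compose logs`; dropping `console` from `root.handlers` or raising its level avoids the duplication.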
@@ -0,0 +1,95 @@ +--- +- name: Create Matrix directories + file: + path: "{{ item }}" + state: directory + mode: 0755 + owner: "991" + group: "991" + loop: + - "{{ matrix_base_dir }}" + - "{{ matrix_data_dir }}" + - "{{ matrix_config_dir }}" + - "{{ matrix_media_dir }}" + - "{{ matrix_postgres_dir }}" + +- name: Generate Synapse configuration + docker_container: + name: matrix-config-generator + image: matrixdotorg/synapse:latest + command: | + python -m synapse.app.homeserver \ + --server-name {{ matrix_server_name }} \ + --config-path /data/homeserver.yaml \ + --generate-config \ + --report-stats={{ "yes" if matrix_report_stats else "no" }} + volumes: + - "{{ matrix_config_dir }}:/data" + auto_remove: true + +- name: Copy custom configuration files + copy: + src: "{{ item }}" + dest: "{{ matrix_config_dir }}/" + mode: 0644 + loop: + - "homeserver.yaml" + - "log.config" + +- name: Set proper permissions on config files + file: + path: "{{ matrix_config_dir }}/{{ item }}" + owner: "991" + group: "991" + mode: "0644" + loop: + - "homeserver.yaml" + - "log.config" + +- name: Deploy Matrix docker-compose.yml + template: + src: "docker-compose.yml.j2" + dest: "{{ matrix_base_dir }}/docker-compose.yml" + mode: 0644 + +- name: Start Matrix services + shell: | + cd {{ matrix_base_dir }} + docker compose up -d + args: + executable: /bin/bash + +- name: Wait for services to start + pause: + seconds: 30 + +- name: Check Matrix container status + shell: | + docker ps --filter name=matrix-synapse + docker ps --filter name=matrix-postgres + register: matrix_status + changed_when: false + +- name: Show Matrix status + debug: + var: matrix_status.stdout + +- name: Register admin user (if specified) + shell: | + cd {{ matrix_base_dir }} + docker exec matrix-synapse register_new_matrix_user http://localhost:8008 -c /data/homeserver.yaml -u admin -p {{ vault_matrix_admin_password }} --admin + when: matrix_admin_user != "" and matrix_registration_enabled + ignore_errors: true + +- 
name: Show connection info + debug: + msg: | + Matrix Synapse deployed! + Server: {{ matrix_server_name }} + Client port: {{ matrix_port }} + Admin: {{ matrix_admin_user }} + + Next steps: + 1. Configure reverse proxy in NPM + 2. Open ports in firewall if needed + 3. Configure SSL certificates \ No newline at end of file diff --git a/roles/matrix/templates/docker-compose.yml.j2 b/roles/matrix/templates/docker-compose.yml.j2 new file mode 100644 index 0000000..7c3e44c --- /dev/null +++ b/roles/matrix/templates/docker-compose.yml.j2 @@ -0,0 +1,40 @@ +version: '3.8' + +services: + matrix-postgres: + image: postgres:13 + container_name: matrix-postgres + environment: + POSTGRES_DB: synapse + POSTGRES_USER: synapse + POSTGRES_PASSWORD: {{ matrix_postgres_password }} + POSTGRES_INITDB_ARGS: "--encoding=UTF8 --lc-collate=C --lc-ctype=C" + volumes: + - {{ matrix_postgres_dir }}:/var/lib/postgresql/data + restart: always + healthcheck: + test: ["CMD-SHELL", "pg_isready -U synapse"] + interval: 5s + timeout: 5s + retries: 5 + + matrix-synapse: + image: matrixdotorg/synapse:latest + container_name: matrix-synapse + ports: + - "{{ matrix_port }}:8008" + volumes: + - {{ matrix_data_dir }}:/data + - {{ matrix_config_dir }}:/data + - {{ matrix_media_dir }}:/data/media + environment: + SYNAPSE_CONFIG_PATH: /data/homeserver.yaml + depends_on: + matrix-postgres: + condition: service_healthy + restart: always + healthcheck: + test: ["CMD", "curl", "-f", "http://localhost:8008/health"] + interval: 15s + timeout: 5s + retries: 3 \ No newline at end of file
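Review bot: The "Register admin user" task passes `{{ vault_matrix_admin_password }}` on the `docker exec` command line with no `no_log: true`, so the password lands in Ansible's task output and any log of the run, and is visible in the host's process list while the command executes; add `no_log: true` to that task. Its `when:` also requires `matrix_registration_enabled`, which defaults to `false` in group_vars, so the admin user is never created; `register_new_matrix_user` authenticates with `registration_shared_secret` rather than open registration, so the condition should be just `when: matrix_admin_user != ""`, and `ignore_errors: true` should go so a failed registration is actually surfaced (with the "already exists" rerun case handled explicitly rather than by ignoring every error). The `-u admin` localpart is hardcoded while `matrix_admin_user` is a full `@admin:domain` MXID; derive one from the other so they cannot drift apart. `mode: 0755` and `mode: 0644` are unquoted octals in the first two file tasks while the later task writes `"0644"`; quote them consistently as strings.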
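Review bot: `matrix_data_dir` and `matrix_config_dir` are both bound to `/data` inside `matrix-synapse`; Docker does not allow two binds on one container path (it reports a duplicate mount point or leaves one shadowed), so either the config or the data directory (homeserver.pid, media_store, homeserver.log, signing key) will not be where Synapse expects it. Mount the config at its own path, e.g. `{{ matrix_config_dir }}:/config` with `SYNAPSE_CONFIG_PATH: /config/homeserver.yaml` and `log_config: "/config/log.config"` in homeserver.yaml, or collapse the two variables into one directory. `POSTGRES_PASSWORD: {{ matrix_postgres_password }}` is unquoted, so a value that looks numeric or boolean gets retyped and a leading special character breaks the YAML; write `POSTGRES_PASSWORD: "{{ matrix_postgres_password }}"`. `"{{ matrix_port }}:8008"` publishes Synapse on every interface even though clients are meant to arrive via the NPM proxy and homeserver.yaml trusts `X-Forwarded-For`; bind to the proxy-facing address only, e.g. `"127.0.0.1:{{ matrix_port }}:8008"` if NPM runs on this host, or restrict the port at the firewall. Both images use floating tags (`synapse:latest`, `postgres:13`); pin Synapse to a specific version and Postgres to a minor version or digest so a `compose pull` cannot silently change what runs.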