---
- name: create ssl cert
include_role:
name: certificate
vars:
domains: ["{{ matrix_domain }}"]
when: 'matrix_domain is defined'
- name: install packages
pacman:
name:
- coturn
- freetype2
- gcc
- git
- jemalloc
- libffi
- libjpeg-turbo
- libolm
- libtiff
- libwebp
- libxslt
- libzip
- make
- npm
- openssl
- pkgconf
- postgresql-libs
- python
- redis
- tcl
- tk
- yarn
- zlib
- name: add synapse group
group: name=synapse system=yes gid=198
- name: add synapse user
user: name=synapse system=yes uid=198 group=synapse home=/var/lib/synapse shell=/bin/false createhome=no
- name: create synapse home
file: path={{ item }} state=directory owner=synapse group=synapse mode=0700
with_items:
- /var/lib/synapse
- /var/lib/synapse/media_store
- /var/lib/synapse/mjolnir-data
- /var/lib/synapse/pantalaimon-data
- name: make virtualenvs
command: 'python -m venv {{ item }}'
args:
creates: '{{ item }}/bin/python'
become: true
become_user: synapse
become_method: sudo
with_items:
- /var/lib/synapse/venv
- /var/lib/synapse/venv-pantalaimon
- name: update virtualenvs
pip:
name:
- pip
- wheel
state: latest
extra_args: '--upgrade-strategy=eager'
virtualenv: '{{ item }}'
become: true
become_user: synapse
become_method: sudo
with_items:
- /var/lib/synapse/venv
- /var/lib/synapse/venv-pantalaimon
- name: install synapse
pip:
name:
- 'matrix-synapse[postgres,systemd,url_preview,redis,oidc]==1.57.0'
state: latest
extra_args: '--upgrade-strategy=eager'
virtualenv: /var/lib/synapse/venv
become: true
become_user: synapse
become_method: sudo
register: synapse_pip
notify:
- restart synapse
- name: install pantalaimon
pip:
name:
- 'pantalaimon==0.10.4'
state: latest
extra_args: '--upgrade-strategy=eager'
virtualenv: /var/lib/synapse/venv-pantalaimon
become: true
become_user: synapse
become_method: sudo
notify:
- restart pantalaimon
- name: download mjolnir
git:
repo: https://github.com/matrix-org/mjolnir
dest: /var/lib/synapse/mjolnir
version: v1.4.1
force: true
become: true
become_user: synapse
become_method: sudo
register: mjolnir_git
notify:
- restart mjolnir
- name: install mjolnir
community.general.yarn:
path: /var/lib/synapse/mjolnir
become: true
become_user: synapse
become_method: sudo
when: mjolnir_git.changed
- name: build mjolnir
command: yarn build
args:
chdir: /var/lib/synapse/mjolnir
become: true
become_user: synapse
become_method: sudo
when: mjolnir_git.changed
- name: install mjolnir antispam module
pip:
name:
- /var/lib/synapse/mjolnir/synapse_antispam
state: latest
virtualenv: /var/lib/synapse/venv
become: true
become_user: synapse
become_method: sudo
when: synapse_pip.changed or mjolnir_git.changed
notify:
- restart synapse
- name: download matrix-appservice-irc
git:
repo: https://github.com/matrix-org/matrix-appservice-irc
dest: /var/lib/synapse/matrix-appservice-irc
version: 0.33.0
force: true
become: true
become_user: synapse
become_method: sudo
register: irc_git
notify:
- restart matrix-appservice-irc
- name: install matrix-appservice-irc
community.general.npm:
path: /var/lib/synapse/matrix-appservice-irc
ci: true
become: true
become_user: synapse
become_method: sudo
when: irc_git.changed
- name: install pg_hba.conf
copy: src=pg_hba.conf dest=/var/lib/postgres/data/pg_hba.conf owner=postgres group=postgres mode=0600
notify:
- restart postgres
- name: add synapse postgres db
postgresql_db: db=synapse
become: true
become_user: postgres
become_method: su
- name: add synapse postgres user
postgresql_user: db=synapse user=synapse password={{ vault_postgres_users.synapse }}
become: true
become_user: postgres
become_method: su
- name: add irc postgres db
postgresql_db: db=irc
become: true
become_user: postgres
become_method: su
- name: create synapse config dir
file: path={{ item }} state=directory owner=root group=synapse mode=0750
with_items:
- /etc/synapse
- /etc/synapse/mjolnir
- name: install homeserver config
template: src=homeserver.yaml.j2 dest=/etc/synapse/homeserver.yaml owner=root group=synapse mode=0640
notify:
- restart synapse
- name: install static config
copy: src={{ item }} dest=/etc/synapse/{{ item }} owner=root group=root mode=0644
with_items:
- log_config.yaml
- worker-appservice.yaml
- worker-federation_reader.yaml
- worker-federation_sender.yaml
- worker-media_repository.yaml
notify:
- restart synapse
- name: install pantalaimon config
template: src=pantalaimon.conf.j2 dest=/etc/synapse/pantalaimon.conf owner=root group=synapse mode=0644
notify:
- restart pantalaimon
- name: install mjolnir config
template: src=mjolnir.yaml.j2 dest=/etc/synapse/mjolnir/production.yaml owner=root group=synapse mode=0640
notify:
- restart mjolnir
- name: install irc-bridge config
template: src=irc-bridge.yaml.j2 dest=/etc/synapse/irc-bridge.yaml owner=root group=synapse mode=0640
notify:
- restart matrix-appservice-irc
- name: install irc-bridge registration
template: src=appservice-registration-irc.yaml.j2 dest=/etc/synapse/appservice-registration-irc.yaml owner=root group=synapse mode=0640
notify:
- restart synapse
- name: install signing key
copy:
content: '{{ vault_matrix_secrets.signing_key }}'
dest: /etc/synapse/{{ matrix_server_name }}.signing.key
owner: root
group: synapse
mode: 0640
- name: install ircpass key
copy:
content: '{{ vault_matrix_secrets.ircpass_key }}'
dest: /etc/synapse/{{ matrix_server_name }}.ircpass.key
owner: root
group: synapse
mode: 0640
- name: make nginx log dir
file: path=/var/log/nginx/{{ matrix_domain }} state=directory owner=root group=root mode=0755
- name: set up nginx
template: src=nginx.d.conf.j2 dest=/etc/nginx/nginx.d/matrix.conf owner=root group=root mode=0640
notify:
- reload nginx
when: 'matrix_domain is defined'
tags: ['nginx']
- name: install turnserver.conf
template: src=turnserver.conf.j2 dest=/etc/turnserver/turnserver.conf owner=turnserver group=turnserver mode=0600
notify:
- restart turnserver
- name: install turnserver cert renewal hook
copy: src=letsencrypt.hook.d dest=/etc/letsencrypt/hook.d/turnserver owner=root group=root mode=0755
- name: install synapse units
copy: src={{ item }} dest=/etc/systemd/system/{{ item }} owner=root group=root mode=0644
with_items:
- synapse.service
- synapse-worker@.service
notify:
- restart synapse
- name: install pantalaimon units
copy: src={{ item }} dest=/etc/systemd/system/{{ item }} owner=root group=root mode=0644
with_items:
- pantalaimon.service
notify:
- restart pantalaimon
- name: install mjolnir units
copy: src={{ item }} dest=/etc/systemd/system/{{ item }} owner=root group=root mode=0644
with_items:
- mjolnir.service
notify:
- restart mjolnir
- name: install matrix-appservice-irc units
copy: src={{ item }} dest=/etc/systemd/system/{{ item }} owner=root group=root mode=0644
with_items:
- matrix-appservice-irc.service
notify:
- restart matrix-appservice-irc
- name: enable synapse units
service: name={{ item }} enabled=yes
with_items:
- synapse.service
- synapse-worker@appservice.service
- synapse-worker@federation_reader.service
- synapse-worker@federation_sender.service
- synapse-worker@media_repository.service
notify:
- restart synapse
- name: enable pantalaimon units
service: name={{ item }} enabled=yes
with_items:
- pantalaimon.service
notify:
- restart pantalaimon
- name: enable mjolnir units
service: name={{ item }} enabled=yes
with_items:
- mjolnir.service
notify:
- restart mjolnir
- name: enable matrix-appservice-irc units
service: name={{ item }} enabled=yes
with_items:
- matrix-appservice-irc.service
notify:
- restart matrix-appservice-irc
- name: enable turnserver units
service: name={{ item }} enabled=yes
with_items:
- turnserver.service
notify:
- restart turnserver
- name: open firewall holes
ansible.posix.firewalld: port={{ item }} permanent=true state=enabled immediate=yes
with_items:
# synapse's identd
- 113/tcp
# turnserver
- 3478-3479/tcp
- 3478-3479/udp
- 5349-5350/tcp
- 5349-5350/udp
- 33000-33999/udp
when: configure_firewall
tags:
- firewall