- name: Create ssl cert
include_role:
name: certificate
vars:
domains: ["{{ matrix_domain }}"]
when: 'matrix_domain is defined'
- name: Install packages
pacman:
name:
- coturn
- freetype2
- gcc
- git
- icu
- jemalloc
- libffi
- libjpeg-turbo
- libolm
- libtiff
- libwebp
- libxslt
- libzip
- make
- nodejs-lts-iron
- npm
- openssl
- pkgconf
- postgresql-libs
- python
- rust
- tcl
- tk
- valkey
- yarn
- zlib
- name: Add synapse group
group: name=synapse system=yes gid=198
- name: Add synapse user
user: name=synapse system=yes uid=198 group=synapse home=/var/lib/synapse shell=/bin/false createhome=no
- name: Create synapse home
file: path={{ item }} state=directory owner=synapse group=synapse mode=0700
with_items:
- /var/lib/synapse
- /var/lib/synapse/media_store
- /var/lib/synapse/draupnir-data
- /var/lib/synapse/pantalaimon-data
- name: Make virtualenvs
command: 'python -m venv {{ item }}'
args:
creates: '{{ item }}/bin/python'
become: true
become_user: synapse
become_method: ansible.builtin.sudo
with_items:
- /var/lib/synapse/venv
- /var/lib/synapse/venv-pantalaimon
- name: Update virtualenvs
pip:
name:
- pip
- wheel
state: latest
extra_args: '--upgrade-strategy=eager'
virtualenv: '{{ item }}'
become: true
become_user: synapse
become_method: ansible.builtin.sudo
with_items:
- /var/lib/synapse/venv
- /var/lib/synapse/venv-pantalaimon
- name: Install synapse
pip:
name:
- 'matrix-synapse[postgres,oidc,systemd,url-preview,redis,user-search]==1.114.0'
state: latest
extra_args: '--upgrade-strategy=eager'
virtualenv: /var/lib/synapse/venv
become: true
become_user: synapse
become_method: ansible.builtin.sudo
register: synapse_pip
notify:
- Restart synapse
- name: Install pantalaimon
pip:
name:
- 'aiofiles==23.2.1'
- 'aiohttp==3.9.5'
- 'aiohttp-socks==0.7.1'
- 'aiosignal==1.3.1'
- 'appdirs==1.4.4'
- 'async-timeout==4.0.3'
- 'atomicwrites==1.4.1'
- 'attrs==23.2.0'
- 'cachetools==4.2.4'
- 'cffi==1.16.0'
- 'click==8.1.7'
- 'cryptography==42.0.8'
- 'frozenlist==1.4.1'
- 'future==0.18.3'
- 'h11==0.14.0'
- 'h2==4.1.0'
- 'hpack==4.0.0'
- 'hyperframe==6.0.1'
- 'idna==3.7'
- 'janus==1.0.0'
- 'jaraco.classes==3.4.0'
- 'jaraco.context==5.3.0'
- 'jaraco.functools==4.0.1'
- 'jeepney==0.8.0'
- 'jsonschema==4.23.0'
- 'jsonschema-specifications==2023.12.1'
- 'keyring==25.2.1'
- 'Logbook==1.7.0.post0'
- 'matrix-nio==0.22.0'
- 'more-itertools==10.3.0'
- 'multidict==6.0.5'
- 'pantalaimon==0.10.5'
- 'peewee==3.17.6'
- 'prompt_toolkit==3.0.47'
- 'pycparser==2.22'
- 'pycryptodome==3.20.0'
- 'python-olm==3.2.16'
- 'python-socks==2.5.0'
- 'referencing==0.35.1'
- 'rpds-py==0.19.0'
- 'SecretStorage==3.3.3'
- 'typing_extensions==4.12.2'
- 'unpaddedbase64==2.1.0'
- 'wcwidth==0.2.13'
- 'wheel==0.43.0'
- 'yarl==1.9.4'
state: latest
extra_args: '--upgrade-strategy=eager --no-deps'
virtualenv: /var/lib/synapse/venv-pantalaimon
become: true
become_user: synapse
become_method: ansible.builtin.sudo
notify:
- Restart pantalaimon
- name: Download draupnir
git:
repo: https://github.com/the-draupnir-project/Draupnir
dest: /var/lib/synapse/draupnir
version: v1.87.0
force: true
become: true
become_user: synapse
become_method: ansible.builtin.sudo
register: draupnir_git
notify:
- Restart draupnir
- name: Install draupnir
community.general.yarn:
path: /var/lib/synapse/draupnir
become: true
become_user: synapse
become_method: ansible.builtin.sudo
when: draupnir_git.changed
- name: Build draupnir # noqa no-changed-when
command: yarn build
args:
chdir: /var/lib/synapse/draupnir
become: true
become_user: synapse
become_method: ansible.builtin.sudo
when: draupnir_git.changed
- name: Install draupnir antispam module
pip:
name:
- /var/lib/synapse/draupnir/synapse_antispam
state: latest
virtualenv: /var/lib/synapse/venv
become: true
become_user: synapse
become_method: ansible.builtin.sudo
when: synapse_pip.changed or draupnir_git.changed
notify:
- Restart synapse
- name: Download matrix-appservice-irc
git:
repo: https://github.com/matrix-org/matrix-appservice-irc
dest: /var/lib/synapse/matrix-appservice-irc
version: 2.0.1
force: true
become: true
become_user: synapse
become_method: ansible.builtin.sudo
register: irc_git
notify:
- Restart matrix-appservice-irc
- name: Install matrix-appservice-irc
community.general.yarn:
path: /var/lib/synapse/matrix-appservice-irc
become: true
become_user: synapse
become_method: ansible.builtin.sudo
when: irc_git.changed
- name: Build matrix-appservice-irc # noqa no-changed-when
command: yarn build
args:
chdir: /var/lib/synapse/matrix-appservice-irc
become: true
become_user: synapse
become_method: ansible.builtin.sudo
when: irc_git.changed
- name: Install pg_hba.conf
copy: src=pg_hba.conf dest=/var/lib/postgres/data/pg_hba.conf owner=postgres group=postgres mode=0600
notify:
- Restart postgres
- name: Add synapse postgres db
postgresql_db: db=synapse lc_collate=C lc_ctype=C template=template0
become: true
become_user: postgres
become_method: ansible.builtin.su
- name: Add synapse postgres user
postgresql_user: db=synapse user=synapse password={{ vault_postgres_users.synapse }}
become: true
become_user: postgres
become_method: ansible.builtin.su
- name: Add irc postgres db
postgresql_db: db=irc
become: true
become_user: postgres
become_method: ansible.builtin.su
- name: Create synapse config dir
file: path={{ item }} state=directory owner=root group=synapse mode=0750
with_items:
- /etc/synapse
- name: Install homeserver config
template: src=homeserver.yaml.j2 dest=/etc/synapse/homeserver.yaml owner=root group=synapse mode=0640
notify:
- Restart synapse
- name: Install static config
copy: src={{ item }} dest=/etc/synapse/{{ item }} owner=root group=root mode=0644
with_items:
- log_config.yaml
- worker-appservice.yaml
- worker-federation_reader.yaml
- worker-federation_sender.yaml
- worker-media_repository.yaml
notify:
- Restart synapse
- name: Install pantalaimon config
template: src=pantalaimon.conf.j2 dest=/etc/synapse/pantalaimon.conf owner=root group=synapse mode=0644
notify:
- Restart pantalaimon
- name: Install draupnir config
template: src=draupnir.yaml.j2 dest=/etc/synapse/draupnir.yaml owner=root group=synapse mode=0640
notify:
- Restart draupnir
- name: Install irc-bridge config
template: src=irc-bridge.yaml.j2 dest=/etc/synapse/irc-bridge.yaml owner=root group=synapse mode=0640
notify:
- Restart matrix-appservice-irc
- name: Install irc-bridge registration
template: src=appservice-registration-irc.yaml.j2 dest=/etc/synapse/appservice-registration-irc.yaml owner=root group=synapse mode=0640
notify:
- Restart synapse
- name: Install signing key # noqa template-instead-of-copy
copy:
content: '{{ vault_matrix_secrets.signing_key }}'
dest: /etc/synapse/{{ matrix_server_name }}.signing.key
owner: root
group: synapse
mode: '0640'
- name: Install ircpass key # noqa template-instead-of-copy
copy:
content: '{{ vault_matrix_secrets.ircpass_key }}'
dest: /etc/synapse/{{ matrix_server_name }}.ircpass.key
owner: root
group: synapse
mode: '0640'
- name: Make nginx log dir
file: path=/var/log/nginx/{{ matrix_domain }} state=directory owner=root group=root mode=0755
- name: Set up nginx
template: src=nginx.d.conf.j2 dest=/etc/nginx/nginx.d/matrix.conf owner=root group=root mode=0640
notify:
- Reload nginx
when: 'matrix_domain is defined'
tags: ['nginx']
- name: Install turnserver.conf
template: src=turnserver.conf.j2 dest=/etc/turnserver/turnserver.conf owner=turnserver group=turnserver mode=0600
notify:
- Restart turnserver
- name: Install turnserver cert renewal hook
copy: src=letsencrypt.hook.d dest=/etc/letsencrypt/hook.d/turnserver owner=root group=root mode=0755
- name: Install synapse units
copy: src={{ item }} dest=/etc/systemd/system/{{ item }} owner=root group=root mode=0644
with_items:
- synapse.service
- synapse-worker@.service
notify:
- Restart synapse
- name: Install pantalaimon units
copy: src={{ item }} dest=/etc/systemd/system/{{ item }} owner=root group=root mode=0644
with_items:
- pantalaimon.service
notify:
- Restart pantalaimon
- name: Install draupnir units
copy: src={{ item }} dest=/etc/systemd/system/{{ item }} owner=root group=root mode=0644
with_items:
- draupnir.service
notify:
- Restart draupnir
- name: Install matrix-appservice-irc units
copy: src={{ item }} dest=/etc/systemd/system/{{ item }} owner=root group=root mode=0644
with_items:
- matrix-appservice-irc.service
notify:
- Restart matrix-appservice-irc
- name: Install turnserver unit snippet
copy: src=turnserver.service.d dest=/etc/systemd/system/turnserver.service.d/override.conf owner=root group=root mode=0644
notify:
- Restart turnserver
- name: Enable units
service: name={{ item }} enabled=yes
with_items:
- synapse.service
- synapse-worker@appservice.service
- synapse-worker@federation_reader.service
- synapse-worker@federation_sender.service
- synapse-worker@media_repository.service
- pantalaimon.service
- draupnir.service
- matrix-appservice-irc.service
- turnserver.service
- name: Open firewall holes
ansible.posix.firewalld: port={{ item }} permanent=true state=enabled immediate=yes
with_items:
# synapse's identd
- 113/tcp
# turnserver
- 2410-2411/tcp
- 2410-2411/udp
- 2420-2421/tcp
- 2420-2421/udp
- 33000-33999/udp
when: configure_firewall
tags:
- firewall