initial commit

2019-01-18 14:52:23 +01:00 · 2019-01-18 14:52:23 +01:00 · dfe1c69729
parent 59158e48e0
commit dfe1c69729
13 changed files with 423 additions and 0 deletions
--- a/.drone.yml
+++ b/.drone.yml
@ -0,0 +1,22 @@
+---
+kind: pipeline
+name: default
+
+steps:
+  - name: ansible-latest
+    image: python:2.7
+    pull: always
+    commands:
+      - pip install ansible ansible-later -q
+      - git clone https://gitea.rknet.org/ansible/ansible-later-policy.git ~/policy
+      - git ls-files *[^LICENSE,.md] | xargs ansible-later -c ~/policy/config.ini
+    depends_on: [ clone ]
+
+  - name: ansible-master
+    image: python:2.7
+    pull: always
+    commands:
+      - pip install ansible ansible-later -q
+      - git clone https://gitea.rknet.org/ansible/ansible-later-policy.git ~/policy
+      - git ls-files *[^LICENSE,.md] | xargs ansible-later -c ~/policy/config.ini
+    depends_on: [ clone ]
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -0,0 +1,98 @@
+---
+matrix_version: 0.34.1.1
+
+matrix_user: matrix
+matrix_user_home: "/home/{{ matrix_user }}"
+# matrix_uid: # defaults to not set
+matrix_group: "{{ matrix_user }}"
+# matrix_gid: # defaults to not set
+matrix_extra_groups: []
+
+# Ensure EPEL repo is available at this server
+matrix_dependencies:
+  - "@Development tools"
+  - libtiff-devel
+  - libjpeg-devel
+  - libzip-devel
+  - freetype-devel
+  - lcms2-devel
+  - libwebp-devel
+  - tcl-devel
+  - tk-devel
+  - redhat-rpm-config
+  - python-virtualenv
+  - libffi-devel
+  - openssl-devel
+  - postgresql-devel
+  - libpqxx-devel.x86_64
+
+# Create separate LVM storage for matrix
+matrix_lvm_enabled: False
+# This variables are only necessary if matrix_lvm_enabled is 'True'
+# Set physical volumes to use in LVM
+# matrix_lvm_pvs: # ['/dev/sdb', '/dev/sdc']
+# matrix_lvm_vg:  # "vg_matrix"
+# matrix_lvm_lv: # "lv_matrix"
+# matrix_lvm_fstype: # ext4
+# matrix_lvm_size: # "50G"
+
+matrix_base_dir: "/opt/matrix"
+matrix_conf_dir: "{{ matrix_base_dir }}/config"
+
+matrix_base_url: http://localhost
+matrix_bind_ip: 127.0.0.1
+matrix_bind_port: 3000
+
+matrix_postgres_enabled: False
+matrix_postgres_tls_enabled: False
+matrix_postgres_server: postgres.example.com
+matrix_postgres_port: 5432
+matrix_postgres_superuser: postgres
+matrix_postgres_password: secure
+
+matrix_postgres_db:
+  name: matrix
+  lc_collate: en_US.UTF-8
+  lc_ctype: en_US.UTF-8'
+  encoding: UTF-8
+  template: template0
+  login_host: localhost
+  login_user: "{{ matrix_postgres_superuser }}"
+  login_password: "{{ matrix_postgres_password }}"
+  # login_unix_socket: # defaults to not set
+  port: "{{ matrix_postgres_port }}"
+  # owner: # defaults to not set
+  state: present
+
+matrix_postgres_user:
+  name: pgmatrix
+  password: matrix
+  encrypted: 'yes'
+  # priv: # defaults to not set
+  # role_attr_flags: # defaults to not set
+  db: "{{ matrix_postgres_db.name }}"
+  login_host: localhost
+  login_user: "{{ matrix_postgres_superuser }}"
+  login_password: "{{ matrix_postgres_password }}"
+  # login_unix_socket: # defaults to not set
+  port: "{{ matrix_postgres_port }}"
+  state: present
+
+matrix_iptables_enabled: False
+matrix_open_ports:
+  - name: allow_matrix_web
+    rules: |
+      -A INPUT -m state --state NEW -p tcp --dport {{ matrix_bind_port }} -j ACCEPT
+    state: present
+
+matrix_tls_cert_source: mycert.pem
+matrix_tls_key_source: mykey.pem
+
+matrix_nginx_vhost_enabled: False
+matrix_nginx_server: localhost
+matrix_nginx_vhost_dir: /etc/nginx/sites-available
+matrix_nginx_vhost_symlink: /etc/nginx/sites-enabled
+matrix_nginx_iptables_enabled: False
+matrix_nginx_tls_enabled: False
+matrix_nginx_tls_cert_file: matrix-cert.pem
+matrix_nginx_tls_key_file: matrix-key.pem
--- a/handlers/main.yml
+++ b/handlers/main.yml
@ -0,0 +1,19 @@
+---
+- name: Restart rocketchat service
+  systemd:
+    name: rocketchat
+    state: restarted
+    daemon_reload: yes
+    enabled: yes
+  listen: __rocketchat_restart
+  become: True
+  become_user: root
+
+- name: Reload nginx
+  systemd:
+    state: reloaded
+    name: nginx
+  listen: __nginx_reload
+  delegate_to: "{{ rocketchat_nginx_server }}"
+  become: True
+  become_user: root
--- a/meta/main.yml
+++ b/meta/main.yml
@ -0,0 +1,13 @@
+# Standards: 0.1
+---
+galaxy_info:
+  author: Robert Kaussow
+  description:
+  license: Robert Kaussow
+  min_ansible_version: 2.6
+  platforms:
+    - name: EL
+      versions:
+        - 7
+  galaxy_tags:
+dependencies: []
--- a/tasks/install.yml
+++ b/tasks/install.yml
@ -0,0 +1,61 @@
+---
+- name: Prepare base folders
+  file:
+    path: "{{ item }}"
+    state: directory
+    owner: "{{ matrix_user }}"
+    group: "{{ matrix_user }}"
+    mode: 0750
+  loop:
+    - "{{ matrix_base_dir }}"
+    - "{{ matrix_conf_dir }}"
+  become: True
+  become_user: root
+
+- block:
+    - name: Upgrade python dependencies
+      pip:
+        name: "{{ item }}"
+        virtualenv: "{{ matrix_base_dir }}/env"
+        virtualenv_command: virtualenv
+        extra_args: --upgrade
+      loop:
+        - pip
+        - setuptools
+        - psycopg2
+
+    - name: Install with pip and virtualenv
+      pip:
+        name: synapse
+        version: "{{ matrix_version }}"
+        virtualenv: "{{ matrix_base_dir }}/env"
+        virtualenv_command: virtualenv
+
+    - name: Copy global config files
+      template:
+        src: "opt/matrix/config/homeserver.yml.j2"
+        dest: "{{ matrix_conf_dir }}/homeserver.yml"
+      notify: __matrix_restart
+  become: True
+  become_user: "{{ matrix_user }}"
+
+- block:
+    - name: Copy systemd unit file
+      template:
+        src: "etc/systemd/system/matrix.service.j2"
+        dest: "/etc/systemd/system/matrix.service"
+      notify: __matrix_restart
+
+    - name: Open ports in iptables
+      iptables_raw:
+        name: "{{ item.name }}"
+        rules: "{{ item.rules }}"
+        state: "{{ item.state }}"
+        weight: "{{ item.weight | default(omit) }}"
+        table: "{{ item.table | default(omit) }}"
+      with_items: "{{ matrix_open_ports }}"
+      loop_control:
+        label: "{{ item.name }}"
+      when: matrix_iptables_enabled
+  become: True
+  become_user: root
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -0,0 +1,8 @@
+---
+- include_tasks: prepare.yml
+- import_tasks: storage.yml
+  when: matrix_lvm_enabled
+- include_tasks: install.yml
+- import_tasks: nginx.yml
+  when: matrix_nginx_vhost_enabled
+- include_tasks: post_tasks.yml
--- a/tasks/nginx.yml
+++ b/tasks/nginx.yml
@ -0,0 +1,48 @@
+---
+- block:
+    - name: Copy certs and private key to nginx proxy
+      copy:
+        src: "{{ item.src }}"
+        dest: "{{ item.dest }}"
+        mode: "{{ item.mode }}"
+      with_items:
+        - { src: "{{ matrix_tls_key_source }}", dest: '/etc/pki/tls/private/{{ matrix_nginx_tls_key_file }}', mode: '0600' }
+        - { src: "{{ matrix_tls_cert_source }}", dest: '/etc/pki/tls/certs/{{ matrix_nginx_tls_cert_file }}', mode: '0750' }
+      loop_control:
+        label: "{{ item.dest }}"
+      notify: __nginx_reload
+  delegate_to: "{{ matrix_nginx_server }}"
+  when: matrix_nginx_tls_enabled
+  become: True
+  become_user: root
+  tags: tls_renewal
+
+- block:
+    - name: Add vhost configuration file
+      template:
+        src: nginx/vhost.j2
+        dest: "{{ matrix_nginx_vhost_dir }}/matrix"
+        owner: root
+        group: root
+        mode: 0640
+      notify: __nginx_reload
+
+    - name: Enable matrix vhost
+      file:
+        src: "{{ matrix_nginx_vhost_dir }}/matrix"
+        dest: "{{ matrix_nginx_vhost_symlink }}/matrix"
+        owner: root
+        group: root
+        state: link
+      notify: __nginx_reload
+      when: matrix_nginx_vhost_symlink is defined
+
+    - name: Open ports in iptables
+      iptables_raw:
+        name: allow_matrix_nginx_proxy
+        state: present
+        rules: '-A OUTPUT -m state --state NEW -p tcp -d {{ matrix_bind_ip }} --dport {{ matrix_bind_port }} -j ACCEPT'
+      when: matrix_nginx_iptables_enabled
+  delegate_to: "{{ matrix_nginx_server }}"
+  become: True
+  become_user: root
--- a/tasks/post_tasks.yml
+++ b/tasks/post_tasks.yml
@ -0,0 +1,9 @@
+---
+- name: Ensure matrix service is up and running
+  systemd:
+    state: started
+    daemon_reload: yes
+    enabled: yes
+    name: matrix
+  become: True
+  become_user: root
--- a/tasks/prepare.yml
+++ b/tasks/prepare.yml
@ -0,0 +1,60 @@
+---
+- block:
+    - name: Create group '{{ matrix_group }}'
+      group:
+        name: "{{ matrix_group }}"
+        state: present
+        gid: "{{ matrix_gid | default(omit) }}"
+
+    - name: Create user '{{ matrix_user }}'
+      user:
+        comment: matrix
+        name: "{{ matrix_user }}"
+        home: "{{ matrix_user_home }}"
+        uid: "{{ matrix_uid | default(omit) }}"
+        group: "{{ matrix_group }}"
+        groups: "{{ matrix_extra_groups | join(',') }}"
+
+    - name: Install dependencies
+      package:
+        name: "{{ item }}"
+        state: present
+      loop: "{{ matrix_dependencies }}"
+  become: True
+  become_user: root
+
+- block:
+    - name: Setup postgres db '{{ matrix_postgres_db.name }}'
+      postgresql_db:
+        name: "{{ matrix_postgres_db.name }}"
+        lc_collate: "{{ matrix_postgres_db.lc_collate | default('en_US.UTF-8') }}"
+        lc_ctype: "{{ matrix_postgres_db.lc_ctype | default('en_US.UTF-8') }}"
+        encoding: "{{ matrix_postgres_db.encoding | default('UTF-8') }}"
+        template: "{{ matrix_postgres_db.template | default('template0') }}"
+        login_host: "{{ matrix_postgres_db.login_host | default('localhost') }}"
+        login_password: "{{ matrix_postgres_db.login_password | default(omit) }}"
+        login_user: "{{ matrix_postgres_db.login_user | default(postgresql_user) }}"
+        login_unix_socket: "{{ matrix_postgres_db.login_unix_socket | default(omit) }}"
+        port: "{{ matrix_postgres_db.port | default(omit) }}"
+        owner: "{{ matrix_postgres_db.owner | default(omit) }}"
+        state: "{{ matrix_postgres_db.state | default('present') }}"
+      no_log: True
+      when: matrix_postgres_db is defined
+
+    - name: Setup postgres user '{{ matrix_postgres_user.name }}'
+      postgresql_user:
+        name: "{{ matrix_postgres_user.name }}"
+        password: "{{ 'md5' + (matrix_postgres_user.password + matrix_postgres_user.name) | hash('md5') }}"
+        encrypted: "{{ matrix_postgres_user.encrypted | default('yes') }}"
+        priv: "{{ matrix_postgres_user.priv | default(omit) }}"
+        role_attr_flags: "{{ matrix_postgres_user.role_attr_flags | default(omit) }}"
+        db: "{{ matrix_postgres_user.db | default(omit) }}"
+        login_host: "{{ matrix_postgres_user.login_host | default('localhost') }}"
+        login_password: "{{ matrix_postgres_user.login_password | default(omit) }}"
+        login_user: "{{ matrix_postgres_user.login_user | default(omit) }}"
+        login_unix_socket: "{{ matrix_postgres_user.login_unix_socket | default(omit) }}"
+        port: "{{ matrix_postgres_user.port | default(omit) }}"
+        state: "{{ matrix_postgres_user.state | default('present') }}"
+      no_log: True
+      when: matrix_postgres_user is defined
+  delegate_to: "{{ matrix_postgres_server }}"
--- a/tasks/storage.yml
+++ b/tasks/storage.yml
@ -0,0 +1,27 @@
+---
+- block:
+    - name: Create volume group '{{ matrix_lvm_vg }}'
+      lvg:
+        vg: "{{ matrix_lvm_vg }}"
+        pvs: "{{ matrix_lvm_pvs | join(',') }}"
+
+    - name: Create logical volume '{{ matrix_lvm_lv }}'
+      lvol:
+        vg: "{{ matrix_lvm_vg }}"
+        lv: "{{ matrix_lvm_lv }}"
+        size: "{{ matrix_lvm_size }}"
+
+    - name: Create filesystem for '/dev/mapper/{{ matrix_lvm_vg }}-{{ matrix_lvm_lv }}'
+      filesystem:
+        fstype: "{{ matrix_lvm_fstype }}"
+        dev: "/dev/mapper/{{ matrix_lvm_vg }}-{{ matrix_lvm_lv }}"
+        resizefs: True
+
+    - name: Mount volume to '{{ matrix_base_dir }}'
+      mount:
+        path: "{{ matrix_base_dir }}"
+        src: "/dev/mapper/{{ matrix_lvm_vg }}-{{ matrix_lvm_lv }}"
+        fstype: "{{ matrix_lvm_fstype }}"
+        state: mounted
+  become: True
+  become_user: root
--- a/templates/etc/systemd/system/matrix.service.j2
+++ b/templates/etc/systemd/system/matrix.service.j2
@ -0,0 +1,19 @@
+#jinja2: lstrip_blocks: True
+## {{ ansible_managed }}
+[Unit]
+Description=Matrix Synapse service
+After=network.target
+
+[Service]
+Type=forking
+WorkingDirectory=/opt/synapse/
+ExecStart=/opt/synapse/bin/synctl start
+ExecStop=/opt/synapse/bin/synctl stop
+ExecReload=/opt/synapse/bin/synctl restart
+Restart=always
+StandardOutput=syslog
+StandardError=syslog
+SyslogIdentifier=synapse
+
+[Install]
+WantedBy=multi-user.target
--- a/templates/nginx/vhost.j2
+++ b/templates/nginx/vhost.j2
@ -0,0 +1,38 @@
+#jinja2: lstrip_blocks: True
+# {{ ansible_managed }}
+upstream backend_matrix {
+    server {{ matrix_bind_ip }}:{{ matrix_bind_port }};
+}
+
+server {
+    listen 80;
+    server_name {{ matrix_base_url | urlsplit('hostname') }};
+
+    client_max_body_size 200M;
+
+    {% if matrix_nginx_tls_enabled %}
+    return 301 https://$server_name$request_uri;
+    {% else %}
+    location / {
+        proxy_pass http://backend_matrix;
+        proxy_set_header X-Forwarded-For $remote_addr;
+    }
+    {% endif %}
+}
+
+{% if matrix_nginx_tls_enabled %}
+server {
+    listen 443 ssl;
+    server_name {{ matrix_base_url | urlsplit('hostname') }};
+
+    client_max_body_size 200M;
+
+    location / {
+        proxy_pass http://backend_matrix;
+        proxy_set_header X-Forwarded-For $remote_addr;
+    }
+
+    ssl_certificate /etc/pki/tls/certs/{{ matrix_nginx_tls_cert_file }};
+    ssl_certificate_key /etc/pki/tls/private/{{ matrix_nginx_tls_key_file }};
+}
+{% endif %}
--- a/templates/opt/matrix/config/homeserver.yml.j2
+++ b/templates/opt/matrix/config/homeserver.yml.j2
@ -0,0 +1 @@
+---