diff --git a/.drone.yml b/.drone.yml
new file mode 100644
index 0000000..289d224
--- /dev/null
+++ b/.drone.yml
@@ -0,0 +1,22 @@
+---
+kind: pipeline
+name: default
+
+steps:
+ - name: ansible-latest
+ image: python:2.7
+ pull: always
+ commands:
+ - pip install ansible ansible-later -q
+ - git clone https://gitea.rknet.org/ansible/ansible-later-policy.git ~/policy
+ - git ls-files *[^LICENSE,.md] | xargs ansible-later -c ~/policy/config.ini
+ depends_on: [ clone ]
+
+ - name: ansible-master
+ image: python:2.7
+ pull: always
+ commands:
+ - pip install ansible ansible-later -q
+ - git clone https://gitea.rknet.org/ansible/ansible-later-policy.git ~/policy
+ - git ls-files *[^LICENSE,.md] | xargs ansible-later -c ~/policy/config.ini
+ depends_on: [ clone ]
diff --git a/defaults/main.yml b/defaults/main.yml
new file mode 100644
index 0000000..7502a84
--- /dev/null
+++ b/defaults/main.yml
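Review bot: The `ansible-master` step runs exactly the same commands as `ansible-latest`, so nothing in this pipeline is exercised against Ansible's development branch despite the step name; the second step should install Ansible from its development branch rather than the same PyPI release, or be dropped. Both steps use `image: python:2.7`, an interpreter past end of life that receives no security fixes, and `pip install ansible ansible-later -q` is unpinned, so lint results drift with whatever PyPI serves at run time. `git ls-files *[^LICENSE,.md]` is expanded by the shell as a glob with a character class, not as an exclusion of LICENSE and Markdown files, so the selection works only by accident on the current top-level layout; naming the inputs directly, e.g. `git ls-files '*.yml' | xargs ansible-later -c ~/policy/config.ini`, states the intent and survives new files.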
@@ -0,0 +1,98 @@
+---
+matrix_version: 0.34.1.1
+
+matrix_user: matrix
+matrix_user_home: "/home/{{ matrix_user }}"
+# matrix_uid: # defaults to not set
+matrix_group: "{{ matrix_user }}"
+# matrix_gid: # defaults to not set
+matrix_extra_groups: []
+
+# Ensure EPEL repo is available at this server
+matrix_dependencies:
+ - "@Development tools"
+ - libtiff-devel
+ - libjpeg-devel
+ - libzip-devel
+ - freetype-devel
+ - lcms2-devel
+ - libwebp-devel
+ - tcl-devel
+ - tk-devel
+ - redhat-rpm-config
+ - python-virtualenv
+ - libffi-devel
+ - openssl-devel
+ - postgresql-devel
+ - libpqxx-devel.x86_64
+
+# Create separate LVM storage for matrix
+matrix_lvm_enabled: False
+# This variables are only necessary if matrix_lvm_enabled is 'True'
+# Set physical volumes to use in LVM
+# matrix_lvm_pvs: # ['/dev/sdb', '/dev/sdc']
+# matrix_lvm_vg: # "vg_matrix"
+# matrix_lvm_lv: # "lv_matrix"
+# matrix_lvm_fstype: # ext4
+# matrix_lvm_size: # "50G"
+
+matrix_base_dir: "/opt/matrix"
+matrix_conf_dir: "{{ matrix_base_dir }}/config"
+
+matrix_base_url: http://localhost
+matrix_bind_ip: 127.0.0.1
+matrix_bind_port: 3000
+
+matrix_postgres_enabled: False
+matrix_postgres_tls_enabled: False
+matrix_postgres_server: postgres.example.com
+matrix_postgres_port: 5432
+matrix_postgres_superuser: postgres
+matrix_postgres_password: secure
+
+matrix_postgres_db:
+ name: matrix
+ lc_collate: en_US.UTF-8
+ lc_ctype: en_US.UTF-8'
+ encoding: UTF-8
+ template: template0
+ login_host: localhost
+ login_user: "{{ matrix_postgres_superuser }}"
+ login_password: "{{ matrix_postgres_password }}"
+ # login_unix_socket: # defaults to not set
+ port: "{{ matrix_postgres_port }}"
+ # owner: # defaults to not set
+ state: present
+
+matrix_postgres_user:
+ name: pgmatrix
+ password: matrix
+ encrypted: 'yes'
+ # priv: # defaults to not set
+ # role_attr_flags: # defaults to not set
+ db: "{{ matrix_postgres_db.name }}"
+ login_host: localhost
+ login_user: "{{ matrix_postgres_superuser }}"
+ login_password: "{{ matrix_postgres_password }}"
+ # login_unix_socket: # defaults to not set
+ port: "{{ matrix_postgres_port }}"
+ state: present
+
+matrix_iptables_enabled: False
+matrix_open_ports:
+ - name: allow_matrix_web
+ rules: |
+ -A INPUT -m state --state NEW -p tcp --dport {{ matrix_bind_port }} -j ACCEPT
+ state: present
+
+matrix_tls_cert_source: mycert.pem
+matrix_tls_key_source: mykey.pem
+
+matrix_nginx_vhost_enabled: False
+matrix_nginx_server: localhost
+matrix_nginx_vhost_dir: /etc/nginx/sites-available
+matrix_nginx_vhost_symlink: /etc/nginx/sites-enabled
+matrix_nginx_iptables_enabled: False
+matrix_nginx_tls_enabled: False
+matrix_nginx_tls_cert_file: matrix-cert.pem
+matrix_nginx_tls_key_file: matrix-key.pem
diff --git a/handlers/main.yml b/handlers/main.yml
new file mode 100644
index 0000000..f31c68b
--- /dev/null
+++ b/handlers/main.yml
@@ -0,0 +1,19 @@
+---
+- name: Restart rocketchat service
+ systemd:
+ name: rocketchat
+ state: restarted
+ daemon_reload: yes
+ enabled: yes
+ listen: __rocketchat_restart
+ become: True
+ become_user: root
+
+- name: Reload nginx
+ systemd:
+ state: reloaded
+ name: nginx
+ listen: __nginx_reload
+ delegate_to: "{{ rocketchat_nginx_server }}"
+ become: True
+ become_user: root
diff --git a/meta/main.yml b/meta/main.yml
new file mode 100644
index 0000000..d18f291
--- /dev/null
+++ b/meta/main.yml
@@ -0,0 +1,13 @@
+# Standards: 0.1
+---
+galaxy_info:
+ author: Robert Kaussow
+ description:
+ license: Robert Kaussow
+ min_ansible_version: 2.6
+ platforms:
+ - name: EL
+ versions:
+ - 7
+ galaxy_tags:
+dependencies: []
diff --git a/tasks/install.yml b/tasks/install.yml
new file mode 100644
index 0000000..47a4dcb
--- /dev/null
+++ b/tasks/install.yml
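Review bot: `lc_ctype: en_US.UTF-8'` carries a stray trailing quote, so the value handed to `postgresql_db` in tasks/prepare.yml is the literal string `en_US.UTF-8'` and database creation fails or ends up with a bogus ctype; it should match the line above it, `lc_ctype: en_US.UTF-8`. The file also ships usable credentials as defaults (`matrix_postgres_password: secure`, and `password: matrix` under `matrix_postgres_user`) that the role applies verbatim whenever a consumer forgets to override them; leaving them unset and asserting on them in the tasks, or at minimum a comment `# MUST be overridden; the role applies these values as-is`, avoids deploying a known password. Finally, the `False` values and `encrypted: 'yes'` should be the canonical `false`/`true` so they do not depend on YAML 1.1 truthy handling.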
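Review bot: The restart handler listens on `__rocketchat_restart` and restarts a `rocketchat` unit, while every task in this role notifies `__matrix_restart` and the unit installed by tasks/install.yml is `matrix.service`, so those notifications fail with an unknown handler and Synapse is never restarted after a config change. The nginx handler delegates to `{{ rocketchat_nginx_server }}`, a variable this role never defines (defaults/main.yml has `matrix_nginx_server`), so it fails on an undefined variable the first time it fires. These read like leftovers from the role this one was copied from: change them to `name: matrix`, `listen: __matrix_restart` and `delegate_to: "{{ matrix_nginx_server }}"`.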
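Review bot: `license: Robert Kaussow` puts the author's name where Galaxy expects a license identifier, and `description:` and `galaxy_tags:` are left bare, which YAML loads as null rather than an empty string or list. Fill in the project's actual license (e.g. `license: MIT` — constructed placeholder, use whatever the repository's LICENSE says), give a one-line description, and write `galaxy_tags: []` if there are none so the metadata validates.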
@@ -0,0 +1,61 @@
+---
+- name: Prepare base folders
+ file:
+ path: "{{ item }}"
+ state: directory
+ owner: "{{ matrix_user }}"
+ group: "{{ matrix_user }}"
+ mode: 0750
+ loop:
+ - "{{ matrix_base_dir }}"
+ - "{{ matrix_conf_dir }}"
+ become: True
+ become_user: root
+
+- block:
+ - name: Upgrade python dependencies
+ pip:
+ name: "{{ item }}"
+ virtualenv: "{{ matrix_base_dir }}/env"
+ virtualenv_command: virtualenv
+ extra_args: --upgrade
+ loop:
+ - pip
+ - setuptools
+ - psycopg2
+
+ - name: Install with pip and virtualenv
+ pip:
+ name: synapse
+ version: "{{ matrix_version }}"
+ virtualenv: "{{ matrix_base_dir }}/env"
+ virtualenv_command: virtualenv
+
+ - name: Copy global config files
+ template:
+ src: "opt/matrix/config/homeserver.yml.j2"
+ dest: "{{ matrix_conf_dir }}/homeserver.yml"
+ notify: __matrix_restart
+ become: True
+ become_user: "{{ matrix_user }}"
+
+- block:
+ - name: Copy systemd unit file
+ template:
+ src: "etc/systemd/system/matrix.service.j2"
+ dest: "/etc/systemd/system/matrix.service"
+ notify: __matrix_restart
+
+ - name: Open ports in iptables
+ iptables_raw:
+ name: "{{ item.name }}"
+ rules: "{{ item.rules }}"
+ state: "{{ item.state }}"
+ weight: "{{ item.weight | default(omit) }}"
+ table: "{{ item.table | default(omit) }}"
+ with_items: "{{ matrix_open_ports }}"
+ loop_control:
+ label: "{{ item.name }}"
+ when: matrix_iptables_enabled
+ become: True
+ become_user: root
diff --git a/tasks/main.yml b/tasks/main.yml
new file mode 100644
index 0000000..be7aca6
--- /dev/null
+++ b/tasks/main.yml
@@ -0,0 +1,8 @@
+---
+- include_tasks: prepare.yml
+- import_tasks: storage.yml
+ when: matrix_lvm_enabled
+- include_tasks: install.yml
+- import_tasks: nginx.yml
+ when: matrix_nginx_vhost_enabled
+- include_tasks: post_tasks.yml
diff --git a/tasks/nginx.yml b/tasks/nginx.yml
new file mode 100644
index 0000000..79569d2
--- /dev/null
+++ b/tasks/nginx.yml
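Review bot: `name: synapse` in the "Install with pip and virtualenv" task installs the PyPI project called `synapse`, which is not the Matrix homeserver; Synapse is published on PyPI as `matrix-synapse`, so as written the role pins an unrelated package to `matrix_version`, and the line should read `name: matrix-synapse`. `mode: 0750` in the first task is an unquoted octal that YAML 1.1 parsers load as the integer 488 and Ansible only warns about; write `mode: "0750"` (the same applies to `mode: 0640` in tasks/nginx.yml). A one-line comment above the pip block noting that no hashes or index are pinned, so the installed set is whatever PyPI serves at run time, would make that supply-chain trade-off explicit for consumers of the role.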
@@ -0,0 +1,48 @@
+---
+- block:
+ - name: Copy certs and private key to nginx proxy
+ copy:
+ src: "{{ item.src }}"
+ dest: "{{ item.dest }}"
+ mode: "{{ item.mode }}"
+ with_items:
+ - { src: "{{ matrix_tls_key_source }}", dest: '/etc/pki/tls/private/{{ matrix_nginx_tls_key_file }}', mode: '0600' }
+ - { src: "{{ matrix_tls_cert_source }}", dest: '/etc/pki/tls/certs/{{ matrix_nginx_tls_cert_file }}', mode: '0750' }
+ loop_control:
+ label: "{{ item.dest }}"
+ notify: __nginx_reload
+ delegate_to: "{{ matrix_nginx_server }}"
+ when: matrix_nginx_tls_enabled
+ become: True
+ become_user: root
+ tags: tls_renewal
+
+- block:
+ - name: Add vhost configuration file
+ template:
+ src: nginx/vhost.j2
+ dest: "{{ matrix_nginx_vhost_dir }}/matrix"
+ owner: root
+ group: root
+ mode: 0640
+ notify: __nginx_reload
+
+ - name: Enable matrix vhost
+ file:
+ src: "{{ matrix_nginx_vhost_dir }}/matrix"
+ dest: "{{ matrix_nginx_vhost_symlink }}/matrix"
+ owner: root
+ group: root
+ state: link
+ notify: __nginx_reload
+ when: matrix_nginx_vhost_symlink is defined
+
+ - name: Open ports in iptables
+ iptables_raw:
+ name: allow_matrix_nginx_proxy
+ state: present
+ rules: '-A OUTPUT -m state --state NEW -p tcp -d {{ matrix_bind_ip }} --dport {{ matrix_bind_port }} -j ACCEPT'
+ when: matrix_nginx_iptables_enabled
+ delegate_to: "{{ matrix_nginx_server }}"
+ become: True
+ become_user: root
diff --git a/tasks/post_tasks.yml b/tasks/post_tasks.yml
new file mode 100644
index 0000000..9e9c6aa
--- /dev/null
+++ b/tasks/post_tasks.yml
@@ -0,0 +1,9 @@
+---
+- name: Ensure matrix service is up and running
+ systemd:
+ state: started
+ daemon_reload: yes
+ enabled: yes
+ name: matrix
+ become: True
+ become_user: root
diff --git a/tasks/prepare.yml b/tasks/prepare.yml
new file mode 100644
index 0000000..bb7541f
--- /dev/null
+++ b/tasks/prepare.yml
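Review bot: The certificate entry in the copy loop uses `mode: '0750'`, which puts execute bits on a public certificate and hides it from every user outside root's group; `mode: '0644'` is the conventional mode for `/etc/pki/tls/certs/`, while the key's `'0600'` is right. Because the same task also copies the private key, a run with `--diff` prints the key material into the job output; add `diff: false` (or `no_log: true`) to that task so the key never lands in logs. The `with_items` entries are one-line flow mappings with three keys each; block style would diff more cleanly and lets the modes be quoted consistently.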
@@ -0,0 +1,60 @@
+---
+- block:
+ - name: Create group '{{ matrix_group }}'
+ group:
+ name: "{{ matrix_group }}"
+ state: present
+ gid: "{{ matrix_gid | default(omit) }}"
+
+ - name: Create user '{{ matrix_user }}'
+ user:
+ comment: matrix
+ name: "{{ matrix_user }}"
+ home: "{{ matrix_user_home }}"
+ uid: "{{ matrix_uid | default(omit) }}"
+ group: "{{ matrix_group }}"
+ groups: "{{ matrix_extra_groups | join(',') }}"
+
+ - name: Install dependencies
+ package:
+ name: "{{ item }}"
+ state: present
+ loop: "{{ matrix_dependencies }}"
+ become: True
+ become_user: root
+
+- block:
+ - name: Setup postgres db '{{ matrix_postgres_db.name }}'
+ postgresql_db:
+ name: "{{ matrix_postgres_db.name }}"
+ lc_collate: "{{ matrix_postgres_db.lc_collate | default('en_US.UTF-8') }}"
+ lc_ctype: "{{ matrix_postgres_db.lc_ctype | default('en_US.UTF-8') }}"
+ encoding: "{{ matrix_postgres_db.encoding | default('UTF-8') }}"
+ template: "{{ matrix_postgres_db.template | default('template0') }}"
+ login_host: "{{ matrix_postgres_db.login_host | default('localhost') }}"
+ login_password: "{{ matrix_postgres_db.login_password | default(omit) }}"
+ login_user: "{{ matrix_postgres_db.login_user | default(postgresql_user) }}"
+ login_unix_socket: "{{ matrix_postgres_db.login_unix_socket | default(omit) }}"
+ port: "{{ matrix_postgres_db.port | default(omit) }}"
+ owner: "{{ matrix_postgres_db.owner | default(omit) }}"
+ state: "{{ matrix_postgres_db.state | default('present') }}"
+ no_log: True
+ when: matrix_postgres_db is defined
+
+ - name: Setup postgres user '{{ matrix_postgres_user.name }}'
+ postgresql_user:
+ name: "{{ matrix_postgres_user.name }}"
+ password: "{{ 'md5' + (matrix_postgres_user.password + matrix_postgres_user.name) | hash('md5') }}"
+ encrypted: "{{ matrix_postgres_user.encrypted | default('yes') }}"
+ priv: "{{ matrix_postgres_user.priv | default(omit) }}"
+ role_attr_flags: "{{ matrix_postgres_user.role_attr_flags | default(omit) }}"
+ db: "{{ matrix_postgres_user.db | default(omit) }}"
+ login_host: "{{ matrix_postgres_user.login_host | default('localhost') }}"
+ login_password: "{{ matrix_postgres_user.login_password | default(omit) }}"
+ login_user: "{{ matrix_postgres_user.login_user | default(omit) }}"
+ login_unix_socket: "{{ matrix_postgres_user.login_unix_socket | default(omit) }}"
+ port: "{{ matrix_postgres_user.port | default(omit) }}"
+ state: "{{ matrix_postgres_user.state | default('present') }}"
+ no_log: True
+ when: matrix_postgres_user is defined
+ delegate_to: "{{ matrix_postgres_server }}"
diff --git a/tasks/storage.yml b/tasks/storage.yml
new file mode 100644
index 0000000..4f73491
--- /dev/null
+++ b/tasks/storage.yml
@@ -0,0 +1,27 @@
+---
+- block:
+ - name: Create volume group '{{ matrix_lvm_vg }}'
+ lvg:
+ vg: "{{ matrix_lvm_vg }}"
+ pvs: "{{ matrix_lvm_pvs | join(',') }}"
+
+ - name: Create logical volume '{{ matrix_lvm_lv }}'
+ lvol:
+ vg: "{{ matrix_lvm_vg }}"
+ lv: "{{ matrix_lvm_lv }}"
+ size: "{{ matrix_lvm_size }}"
+
+ - name: Create filesystem for '/dev/mapper/{{ matrix_lvm_vg }}-{{ matrix_lvm_lv }}'
+ filesystem:
+ fstype: "{{ matrix_lvm_fstype }}"
+ dev: "/dev/mapper/{{ matrix_lvm_vg }}-{{ matrix_lvm_lv }}"
+ resizefs: True
+
+ - name: Mount volume to '{{ matrix_base_dir }}'
+ mount:
+ path: "{{ matrix_base_dir }}"
+ src: "/dev/mapper/{{ matrix_lvm_vg }}-{{ matrix_lvm_lv }}"
+ fstype: "{{ matrix_lvm_fstype }}"
+ state: mounted
+ become: True
+ become_user: root
diff --git a/templates/etc/systemd/system/matrix.service.j2 b/templates/etc/systemd/system/matrix.service.j2
new file mode 100644
index 0000000..80f994b
--- /dev/null
+++ b/templates/etc/systemd/system/matrix.service.j2
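Review bot: The PostgreSQL block at the end of the hunk is guarded only by `when: matrix_postgres_db is defined` and `when: matrix_postgres_user is defined`, both always true because defaults/main.yml defines the dicts, so `matrix_postgres_enabled: False` is never consulted and every run delegates to `{{ matrix_postgres_server }}` (`postgres.example.com` by default); add `when: matrix_postgres_enabled` to the block. `login_user: "{{ matrix_postgres_db.login_user | default(postgresql_user) }}"` falls back to a variable this role never defines (the defaults call it `matrix_postgres_superuser`), a latent undefined-variable failure as soon as a consumer drops `login_user`; the fallback should be `default(matrix_postgres_superuser)`. `no_log: True` on both tasks is the right call given the password expressions; the block has no `become`, which is presumably intentional because it only talks to the database host over the network — a comment stating that would save the next reader the question.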
@@ -0,0 +1,19 @@
+#jinja2: lstrip_blocks: True
+## {{ ansible_managed }}
+[Unit]
+Description=Matrix Synapse service
+After=network.target
+
+[Service]
+Type=forking
+WorkingDirectory=/opt/synapse/
+ExecStart=/opt/synapse/bin/synctl start
+ExecStop=/opt/synapse/bin/synctl stop
+ExecReload=/opt/synapse/bin/synctl restart
+Restart=always
+StandardOutput=syslog
+StandardError=syslog
+SyslogIdentifier=synapse
+
+[Install]
+WantedBy=multi-user.target
diff --git a/templates/nginx/vhost.j2 b/templates/nginx/vhost.j2
new file mode 100644
index 0000000..58c3363
--- /dev/null
+++ b/templates/nginx/vhost.j2
@@ -0,0 +1,38 @@
+#jinja2: lstrip_blocks: True
+# {{ ansible_managed }}
+upstream backend_matrix {
+ server {{ matrix_bind_ip }}:{{ matrix_bind_port }};
+}
+
+server {
+ listen 80;
+ server_name {{ matrix_base_url | urlsplit('hostname') }};
+
+ client_max_body_size 200M;
+
+ {% if matrix_nginx_tls_enabled %}
+ return 301 https://$server_name$request_uri;
+ {% else %}
+ location / {
+ proxy_pass http://backend_matrix;
+ proxy_set_header X-Forwarded-For $remote_addr;
+ }
+ {% endif %}
+}
+
+{% if matrix_nginx_tls_enabled %}
+server {
+ listen 443 ssl;
+ server_name {{ matrix_base_url | urlsplit('hostname') }};
+
+ client_max_body_size 200M;
+
+ location / {
+ proxy_pass http://backend_matrix;
+ proxy_set_header X-Forwarded-For $remote_addr;
+ }
+
+ ssl_certificate /etc/pki/tls/certs/{{ matrix_nginx_tls_cert_file }};
+ ssl_certificate_key /etc/pki/tls/private/{{ matrix_nginx_tls_key_file }};
+}
+{% endif %}
diff --git a/templates/opt/matrix/config/homeserver.yml.j2 b/templates/opt/matrix/config/homeserver.yml.j2
new file mode 100644
index 0000000..ed97d53
--- /dev/null
+++ b/templates/opt/matrix/config/homeserver.yml.j2
@@ -0,0 +1 @@
+---
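Review bot: The unit hard-codes `/opt/synapse/` while tasks/install.yml builds the virtualenv under `{{ matrix_base_dir }}/env` (`/opt/matrix/env` by default), so `synctl` does not exist at the path `ExecStart` points to; and with no `User=`/`Group=` the homeserver would run as root even though the role creates a dedicated `matrix_user`. `synctl` also looks for `homeserver.yaml` in the working directory by default, whereas the role renders `{{ matrix_conf_dir }}/homeserver.yml`, so the config path has to be passed explicitly. Render the paths from the role variables and drop privileges to the service account as below.
```ini
[Service]
Type=forking
User={{ matrix_user }}
Group={{ matrix_group }}
WorkingDirectory={{ matrix_base_dir }}
ExecStart={{ matrix_base_dir }}/env/bin/synctl start {{ matrix_conf_dir }}/homeserver.yml
ExecStop={{ matrix_base_dir }}/env/bin/synctl stop {{ matrix_conf_dir }}/homeserver.yml
ExecReload={{ matrix_base_dir }}/env/bin/synctl restart {{ matrix_conf_dir }}/homeserver.yml
# … unchanged: Restart=, Standard*/SyslogIdentifier= and the [Install] section …
```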
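Review bot: Both `location /` blocks forward only `X-Forwarded-For`; Synapse behind a TLS-terminating proxy also needs `proxy_set_header X-Forwarded-Proto $scheme;` (paired with `x_forwarded: true` on its listener) and `proxy_set_header Host $host;`, otherwise it cannot tell that the client connected over HTTPS and builds plain-http URLs. The `listen 443 ssl` server sets no `ssl_protocols` or `ssl_ciphers`, so the distribution's nginx defaults decide the TLS policy; if that is intentional, a comment saying so keeps the next reader from assuming it was overlooked. With `matrix_nginx_tls_enabled` false — the value the defaults select — the port-80 server proxies the client API in the clear, which deserves a comment marking that configuration as development-only.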
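Review bot: The rendered `homeserver.yml` contains only `---`, so the file installed to `{{ matrix_conf_dir }}/homeserver.yml` by tasks/install.yml has no `server_name`, no listener on `matrix_bind_ip`/`matrix_bind_port`, and no database section, and Synapse will not start from it; the role's `matrix_bind_*` and `matrix_postgres_*` variables are consumed nowhere in the templates. If this is a placeholder, say so at the top of the template (`# TODO: render server_name, listeners (x_forwarded: true) and database from the role variables`) so the role is not published in a state that cannot run.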