initial commit

2019-01-18 14:52:23 +01:00 · 2019-01-18 14:52:23 +01:00 · dfe1c69729
commit dfe1c69729
parent 59158e48e0
13 changed files with 423 additions and 0 deletions
--- a/.drone.yml
+++ b/.drone.yml
@ -0,0 +1,22 @@
 ---
 kind: pipeline
 name: default
 steps:
  - name: ansible-latest
    image: python:2.7
    pull: always
    commands:
      - pip install ansible ansible-later -q
      - git clone https://gitea.rknet.org/ansible/ansible-later-policy.git ~/policy
      - git ls-files *[^LICENSE,.md] | xargs ansible-later -c ~/policy/config.ini
    depends_on: [ clone ]
  - name: ansible-master
    image: python:2.7
    pull: always
    commands:
      - pip install ansible ansible-later -q
      - git clone https://gitea.rknet.org/ansible/ansible-later-policy.git ~/policy
      - git ls-files *[^LICENSE,.md] | xargs ansible-later -c ~/policy/config.ini
    depends_on: [ clone ]
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -0,0 +1,98 @@
 ---
 matrix_version: 0.34.1.1
 matrix_user: matrix
 matrix_user_home: "/home/{{ matrix_user }}"
 # matrix_uid: # defaults to not set
 matrix_group: "{{ matrix_user }}"
 # matrix_gid: # defaults to not set
 matrix_extra_groups: []
 # Ensure EPEL repo is available at this server
 matrix_dependencies:
  - "@Development tools"
  - libtiff-devel
  - libjpeg-devel
  - libzip-devel
  - freetype-devel
  - lcms2-devel
  - libwebp-devel
  - tcl-devel
  - tk-devel
  - redhat-rpm-config
  - python-virtualenv
  - libffi-devel
  - openssl-devel
  - postgresql-devel
  - libpqxx-devel.x86_64
 # Create separate LVM storage for matrix
 matrix_lvm_enabled: False
 # This variables are only necessary if matrix_lvm_enabled is 'True'
 # Set physical volumes to use in LVM
 # matrix_lvm_pvs: # ['/dev/sdb', '/dev/sdc']
 # matrix_lvm_vg:  # "vg_matrix"
 # matrix_lvm_lv: # "lv_matrix"
 # matrix_lvm_fstype: # ext4
 # matrix_lvm_size: # "50G"
 matrix_base_dir: "/opt/matrix"
 matrix_conf_dir: "{{ matrix_base_dir }}/config"
 matrix_base_url: http://localhost
 matrix_bind_ip: 127.0.0.1
 matrix_bind_port: 3000
 matrix_postgres_enabled: False
 matrix_postgres_tls_enabled: False
 matrix_postgres_server: postgres.example.com
 matrix_postgres_port: 5432
 matrix_postgres_superuser: postgres
 matrix_postgres_password: secure
 matrix_postgres_db:
  name: matrix
  lc_collate: en_US.UTF-8
  lc_ctype: en_US.UTF-8'
  encoding: UTF-8
  template: template0
  login_host: localhost
  login_user: "{{ matrix_postgres_superuser }}"
  login_password: "{{ matrix_postgres_password }}"
  # login_unix_socket: # defaults to not set
  port: "{{ matrix_postgres_port }}"
  # owner: # defaults to not set
  state: present
 matrix_postgres_user:
  name: pgmatrix
  password: matrix
  encrypted: 'yes'
  # priv: # defaults to not set
  # role_attr_flags: # defaults to not set
  db: "{{ matrix_postgres_db.name }}"
  login_host: localhost
  login_user: "{{ matrix_postgres_superuser }}"
  login_password: "{{ matrix_postgres_password }}"
  # login_unix_socket: # defaults to not set
  port: "{{ matrix_postgres_port }}"
  state: present
 matrix_iptables_enabled: False
 matrix_open_ports:
  - name: allow_matrix_web
    rules: |
      -A INPUT -m state --state NEW -p tcp --dport {{ matrix_bind_port }} -j ACCEPT
    state: present
 matrix_tls_cert_source: mycert.pem
 matrix_tls_key_source: mykey.pem
 matrix_nginx_vhost_enabled: False
 matrix_nginx_server: localhost
 matrix_nginx_vhost_dir: /etc/nginx/sites-available
 matrix_nginx_vhost_symlink: /etc/nginx/sites-enabled
 matrix_nginx_iptables_enabled: False
 matrix_nginx_tls_enabled: False
 matrix_nginx_tls_cert_file: matrix-cert.pem
 matrix_nginx_tls_key_file: matrix-key.pem
--- a/handlers/main.yml
+++ b/handlers/main.yml
@ -0,0 +1,19 @@
 ---
 - name: Restart rocketchat service
  systemd:
    name: rocketchat
    state: restarted
    daemon_reload: yes
    enabled: yes
  listen: __rocketchat_restart
  become: True
  become_user: root
 - name: Reload nginx
  systemd:
    state: reloaded
    name: nginx
  listen: __nginx_reload
  delegate_to: "{{ rocketchat_nginx_server }}"
  become: True
  become_user: root
--- a/meta/main.yml
+++ b/meta/main.yml
@ -0,0 +1,13 @@
 # Standards: 0.1
 ---
 galaxy_info:
  author: Robert Kaussow
  description:
  license: Robert Kaussow
  min_ansible_version: 2.6
  platforms:
    - name: EL
      versions:
        - 7
  galaxy_tags:
 dependencies: []
--- a/tasks/install.yml
+++ b/tasks/install.yml
@ -0,0 +1,61 @@
 ---
 - name: Prepare base folders
  file:
    path: "{{ item }}"
    state: directory
    owner: "{{ matrix_user }}"
    group: "{{ matrix_user }}"
    mode: 0750
  loop:
    - "{{ matrix_base_dir }}"
    - "{{ matrix_conf_dir }}"
  become: True
  become_user: root
 - block:
    - name: Upgrade python dependencies
      pip:
        name: "{{ item }}"
        virtualenv: "{{ matrix_base_dir }}/env"
        virtualenv_command: virtualenv
        extra_args: --upgrade
      loop:
        - pip
        - setuptools
        - psycopg2
    - name: Install with pip and virtualenv
      pip:
        name: synapse
        version: "{{ matrix_version }}"
        virtualenv: "{{ matrix_base_dir }}/env"
        virtualenv_command: virtualenv
    - name: Copy global config files
      template:
        src: "opt/matrix/config/homeserver.yml.j2"
        dest: "{{ matrix_conf_dir }}/homeserver.yml"
      notify: __matrix_restart
  become: True
  become_user: "{{ matrix_user }}"
 - block:
    - name: Copy systemd unit file
      template:
        src: "etc/systemd/system/matrix.service.j2"
        dest: "/etc/systemd/system/matrix.service"
      notify: __matrix_restart
    - name: Open ports in iptables
      iptables_raw:
        name: "{{ item.name }}"
        rules: "{{ item.rules }}"
        state: "{{ item.state }}"
        weight: "{{ item.weight | default(omit) }}"
        table: "{{ item.table | default(omit) }}"
      with_items: "{{ matrix_open_ports }}"
      loop_control:
        label: "{{ item.name }}"
      when: matrix_iptables_enabled
  become: True
  become_user: root
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -0,0 +1,8 @@
 ---
 - include_tasks: prepare.yml
 - import_tasks: storage.yml
  when: matrix_lvm_enabled
 - include_tasks: install.yml
 - import_tasks: nginx.yml
  when: matrix_nginx_vhost_enabled
 - include_tasks: post_tasks.yml
--- a/tasks/nginx.yml
+++ b/tasks/nginx.yml
@ -0,0 +1,48 @@
 ---
 - block:
    - name: Copy certs and private key to nginx proxy
      copy:
        src: "{{ item.src }}"
        dest: "{{ item.dest }}"
        mode: "{{ item.mode }}"
      with_items:
        - { src: "{{ matrix_tls_key_source }}", dest: '/etc/pki/tls/private/{{ matrix_nginx_tls_key_file }}', mode: '0600' }
        - { src: "{{ matrix_tls_cert_source }}", dest: '/etc/pki/tls/certs/{{ matrix_nginx_tls_cert_file }}', mode: '0750' }
      loop_control:
        label: "{{ item.dest }}"
      notify: __nginx_reload
  delegate_to: "{{ matrix_nginx_server }}"
  when: matrix_nginx_tls_enabled
  become: True
  become_user: root
  tags: tls_renewal
 - block:
    - name: Add vhost configuration file
      template:
        src: nginx/vhost.j2
        dest: "{{ matrix_nginx_vhost_dir }}/matrix"
        owner: root
        group: root
        mode: 0640
      notify: __nginx_reload
    - name: Enable matrix vhost
      file:
        src: "{{ matrix_nginx_vhost_dir }}/matrix"
        dest: "{{ matrix_nginx_vhost_symlink }}/matrix"
        owner: root
        group: root
        state: link
      notify: __nginx_reload
      when: matrix_nginx_vhost_symlink is defined
    - name: Open ports in iptables
      iptables_raw:
        name: allow_matrix_nginx_proxy
        state: present
        rules: '-A OUTPUT -m state --state NEW -p tcp -d {{ matrix_bind_ip }} --dport {{ matrix_bind_port }} -j ACCEPT'
      when: matrix_nginx_iptables_enabled
  delegate_to: "{{ matrix_nginx_server }}"
  become: True
  become_user: root
--- a/tasks/post_tasks.yml
+++ b/tasks/post_tasks.yml
@ -0,0 +1,9 @@
 ---
 - name: Ensure matrix service is up and running
  systemd:
    state: started
    daemon_reload: yes
    enabled: yes
    name: matrix
  become: True
  become_user: root
--- a/tasks/prepare.yml
+++ b/tasks/prepare.yml
@ -0,0 +1,60 @@
 ---
 - block:
    - name: Create group '{{ matrix_group }}'
      group:
        name: "{{ matrix_group }}"
        state: present
        gid: "{{ matrix_gid | default(omit) }}"
    - name: Create user '{{ matrix_user }}'
      user:
        comment: matrix
        name: "{{ matrix_user }}"
        home: "{{ matrix_user_home }}"
        uid: "{{ matrix_uid | default(omit) }}"
        group: "{{ matrix_group }}"
        groups: "{{ matrix_extra_groups | join(',') }}"
    - name: Install dependencies
      package:
        name: "{{ item }}"
        state: present
      loop: "{{ matrix_dependencies }}"
  become: True
  become_user: root
 - block:
    - name: Setup postgres db '{{ matrix_postgres_db.name }}'
      postgresql_db:
        name: "{{ matrix_postgres_db.name }}"
        lc_collate: "{{ matrix_postgres_db.lc_collate | default('en_US.UTF-8') }}"
        lc_ctype: "{{ matrix_postgres_db.lc_ctype | default('en_US.UTF-8') }}"
        encoding: "{{ matrix_postgres_db.encoding | default('UTF-8') }}"
        template: "{{ matrix_postgres_db.template | default('template0') }}"
        login_host: "{{ matrix_postgres_db.login_host | default('localhost') }}"
        login_password: "{{ matrix_postgres_db.login_password | default(omit) }}"
        login_user: "{{ matrix_postgres_db.login_user | default(postgresql_user) }}"
        login_unix_socket: "{{ matrix_postgres_db.login_unix_socket | default(omit) }}"
        port: "{{ matrix_postgres_db.port | default(omit) }}"
        owner: "{{ matrix_postgres_db.owner | default(omit) }}"
        state: "{{ matrix_postgres_db.state | default('present') }}"
      no_log: True
      when: matrix_postgres_db is defined
    - name: Setup postgres user '{{ matrix_postgres_user.name }}'
      postgresql_user:
        name: "{{ matrix_postgres_user.name }}"
        password: "{{ 'md5' + (matrix_postgres_user.password + matrix_postgres_user.name) | hash('md5') }}"
        encrypted: "{{ matrix_postgres_user.encrypted | default('yes') }}"
        priv: "{{ matrix_postgres_user.priv | default(omit) }}"
        role_attr_flags: "{{ matrix_postgres_user.role_attr_flags | default(omit) }}"
        db: "{{ matrix_postgres_user.db | default(omit) }}"
        login_host: "{{ matrix_postgres_user.login_host | default('localhost') }}"
        login_password: "{{ matrix_postgres_user.login_password | default(omit) }}"
        login_user: "{{ matrix_postgres_user.login_user | default(omit) }}"
        login_unix_socket: "{{ matrix_postgres_user.login_unix_socket | default(omit) }}"
        port: "{{ matrix_postgres_user.port | default(omit) }}"
        state: "{{ matrix_postgres_user.state | default('present') }}"
      no_log: True
      when: matrix_postgres_user is defined
  delegate_to: "{{ matrix_postgres_server }}"
--- a/tasks/storage.yml
+++ b/tasks/storage.yml
@ -0,0 +1,27 @@
 ---
 - block:
    - name: Create volume group '{{ matrix_lvm_vg }}'
      lvg:
        vg: "{{ matrix_lvm_vg }}"
        pvs: "{{ matrix_lvm_pvs | join(',') }}"
    - name: Create logical volume '{{ matrix_lvm_lv }}'
      lvol:
        vg: "{{ matrix_lvm_vg }}"
        lv: "{{ matrix_lvm_lv }}"
        size: "{{ matrix_lvm_size }}"
    - name: Create filesystem for '/dev/mapper/{{ matrix_lvm_vg }}-{{ matrix_lvm_lv }}'
      filesystem:
        fstype: "{{ matrix_lvm_fstype }}"
        dev: "/dev/mapper/{{ matrix_lvm_vg }}-{{ matrix_lvm_lv }}"
        resizefs: True
    - name: Mount volume to '{{ matrix_base_dir }}'
      mount:
        path: "{{ matrix_base_dir }}"
        src: "/dev/mapper/{{ matrix_lvm_vg }}-{{ matrix_lvm_lv }}"
        fstype: "{{ matrix_lvm_fstype }}"
        state: mounted
  become: True
  become_user: root
--- a/templates/etc/systemd/system/matrix.service.j2
+++ b/templates/etc/systemd/system/matrix.service.j2
@ -0,0 +1,19 @@
 #jinja2: lstrip_blocks: True
 ## {{ ansible_managed }}
 [Unit]
 Description=Matrix Synapse service
 After=network.target
 [Service]
 Type=forking
 WorkingDirectory=/opt/synapse/
 ExecStart=/opt/synapse/bin/synctl start
 ExecStop=/opt/synapse/bin/synctl stop
 ExecReload=/opt/synapse/bin/synctl restart
 Restart=always
 StandardOutput=syslog
 StandardError=syslog
 SyslogIdentifier=synapse
 [Install]
 WantedBy=multi-user.target
--- a/templates/nginx/vhost.j2
+++ b/templates/nginx/vhost.j2
@ -0,0 +1,38 @@
 #jinja2: lstrip_blocks: True
 # {{ ansible_managed }}
 upstream backend_matrix {
    server {{ matrix_bind_ip }}:{{ matrix_bind_port }};
 }
 server {
    listen 80;
    server_name {{ matrix_base_url | urlsplit('hostname') }};
    client_max_body_size 200M;
    {% if matrix_nginx_tls_enabled %}
    return 301 https://$server_name$request_uri;
    {% else %}
    location / {
        proxy_pass http://backend_matrix;
        proxy_set_header X-Forwarded-For $remote_addr;
    }
    {% endif %}
 }
 {% if matrix_nginx_tls_enabled %}
 server {
    listen 443 ssl;
    server_name {{ matrix_base_url | urlsplit('hostname') }};
    client_max_body_size 200M;
    location / {
        proxy_pass http://backend_matrix;
        proxy_set_header X-Forwarded-For $remote_addr;
    }
    ssl_certificate /etc/pki/tls/certs/{{ matrix_nginx_tls_cert_file }};
    ssl_certificate_key /etc/pki/tls/private/{{ matrix_nginx_tls_key_file }};
 }
 {% endif %}
--- a/templates/opt/matrix/config/homeserver.yml.j2
+++ b/templates/opt/matrix/config/homeserver.yml.j2
@ -0,0 +1 @@
 ---