Add Matrix: Synapse Homeserver and Riot webclient

README.md

@@ -24,6 +24,7 @@ What do you get if you point Sovereign at a server? All kinds of good stuff!
 -   Mobile push notifications and autodiscovery via [Z-Push](http://z-push.sourceforge.net/soswp/index.php?pages_id=1&t=home).
 -   Email client [automatic configuration](https://developer.mozilla.org/en-US/docs/Mozilla/Thunderbird/Autoconfiguration).
 -   Jabber/[XMPP](http://xmpp.org/) instant messaging via [Prosody](http://prosody.im/).
+-   [Matrix](https://matrix.org/) via [Riot.im](https://about.riot.im).
 -   An RSS Reader via [Selfoss](http://selfoss.aditu.de/).
 -   [CalDAV](https://en.wikipedia.org/wiki/CalDAV) and [CardDAV](https://en.wikipedia.org/wiki/CardDAV) to keep your calendars and contacts in sync, via [NextCloud](http://nextcloud.com/).
 -   Your own VPN server via [OpenVPN](http://openvpn.net/index.php/open-source.html).
@@ -118,6 +119,7 @@ Create `A` or `CNAME` records which point to your server's IP address:
 * `news.example.com` (for Selfoss)
 * `cloud.example.com` (for NextCloud)
 * `git.example.com` (for gitea)
+* `matrix.example.com` (for riot)
 
 ### 6. Run the Ansible Playbooks
 

roles/common/files/letsencrypt-gencert

@@ -17,7 +17,7 @@ for domain in "$@"; do
   fi
 
   # subdomains - www.foo.com mail.foo.com ...
-  for sub in www mail autoconfig fathom news cloud git; do
+  for sub in www mail autoconfig fathom news cloud git matrix status; do
     # only add if the DNS entry for the subdomain does actually exist
     if (getent hosts $sub.$domain > /dev/null); then
       if [ -z "$d" ]; then

roles/matrix/defaults/main.yml

@@ -0,0 +1,25 @@
+matrix_subdomain: "matrix"
+matrix_domain: "{{ matrix_subdomain }}.{{ domain }}"
+
+riot_version: "1.0.3"
+riot_release: "https://github.com/vector-im/riot-web/releases/download/v{{ riot_version }}/riot-v{{ riot_version }}.tar.gz"
+
+secret_root: '{{ inventory_dir | realpath }}'
+secret_name: 'secret'
+secret: '{{ secret_root + "/" + secret_name }}'
+
+synapse_admin: "{{ admin_email }}"
+synapse_registration_secret: "{{ lookup('password', secret + '/' + 'synapse_registration_secret length=32 chars=ascii_letters,digits') }}"
+synapse_pw_pepper: "{{ lookup('password', secret + '/' + 'synapse_pw_pepper length=32 chars=ascii_letters,digits') }}"
+
+synapse_accounts:
+  - name: "{{ main_user_name }}"
+    password: "{{ lookup('password', secret + '/' + 'matrix_main_user_password length=32') }}"
+
+synapse_db_username: synapseuser
+synapse_db_password: "{{ lookup('password', secret + '/' + 'synapse_db_password length=32') }}"
+synapse_db_database: synapse
+
+# must match values in roles/common
+db_admin_username: 'postgres'
+db_admin_password: "{{ lookup('password', secret + '/' + 'db_admin_password length=32') }}"

roles/matrix/files/etc_letsencrypt_postrenew_synapse.sh

@@ -0,0 +1,3 @@
+#!/bin/bash
+
+systemctl restart matrix-synapse.service

roles/matrix/handlers/main.yml

@@ -0,0 +1,5 @@
+- name: restart synapse
+  command: systemctl restart matrix-synapse
+
+- name: restart apache
+  service: name=apache2 state=restarted

roles/matrix/tasks/main.yml

@@ -0,0 +1,5 @@
+---
+# Provides the Synapse Matrix homeserver and the Riot.im client
+#
+- include: riot.yml tags=matrix
+- include: synapse.yml tags=matrix

roles/matrix/tasks/riot.yml

@@ -0,0 +1,28 @@
+- name: Create temporary Riot directory
+  file: state=directory path=/root/riot
+
+- name: Download Riot {{ riot_version }} release
+  get_url:
+    url="{{ riot_release }}"
+    dest=/root/riot/riot-{{ riot_version }}.tar.gz
+
+- name: Extract Riot archive
+  unarchive:
+    copy: no
+    src: /root/riot/riot-{{ riot_version }}.tar.gz
+    dest: /root/riot/
+    creates: /root/riot/riot-v{{ riot_version }}/index.html
+
+- name: Delete old Riot webroot directory
+  file: state=absent path=/var/www/riot
+
+- name: Configure Riot
+  template:
+    src=root_riot_config.j2
+    dest=/root/riot/riot-v{{ riot_version }}/config.json
+
+- name: Copy Riot to document root
+  shell: cp -r /root/riot/riot-v{{ riot_version }} /var/www/riot
+
+- name: Set Riot ownership
+  action: file owner=www-data group=www-data path=/var/www/riot recurse=yes state=directory

roles/matrix/tasks/synapse.yml

@@ -0,0 +1,104 @@
+- name: Ensure repository key for Synapse is in place
+  apt_key: url=https://matrix.org/packages/debian/repo-key.asc state=present
+  tags:
+    - dependencies
+
+- name: Add Synapse repository
+  apt_repository: repo="deb https://matrix.org/packages/debian/ {{ ansible_distribution_release }} main"
+  tags:
+    - dependencies
+
+- name: Install Synapse and dependencies from official repository
+  apt:
+    name: "{{ packages }}"
+    state: present
+    update_cache: yes
+  vars:
+    packages:
+    - python-psycopg2
+    - matrix-synapse
+  tags:
+    - dependencies
+
+- name: Add Synapse user to ssl-cert group
+  user: name=matrix-synapse group=ssl-cert
+
+- name: Create Synapse data directory
+  file: state=directory path=/data/{{ item }} owner=matrix-synapse group=root
+  with_items:
+    - matrix-synapse
+    - matrix-synapse/uploads
+    - matrix-synapse/media
+
+- name: Configure Synapse homeserver
+  template:
+    src=etc_matrix-synapse_homeserver.j2
+    dest=/etc/matrix-synapse/homeserver.yaml
+    owner=matrix-synapse
+    group=root
+  notify: restart synapse
+
+- name: Configure Synapse server name
+  template:
+    src=etc_matrix-synapse_conf.d_server_name.j2
+    dest=/etc/matrix-synapse/conf.d/server_name.yaml
+    owner=matrix-synapse
+    group=root
+  notify: restart synapse
+
+- name: Add Synapse postgres user
+  postgresql_user:
+    login_host=localhost
+    login_user={{ db_admin_username }}
+    login_password="{{ db_admin_password }}"
+    name={{ synapse_db_username }}
+    password="{{ synapse_db_password }}"
+    encrypted=yes
+    state=present
+
+- name: Create Synapse database
+  postgresql_db:
+    login_host=localhost
+    login_user={{ db_admin_username }}
+    login_password="{{ db_admin_password }}"
+    name={{ synapse_db_database }}
+    state=present
+    owner={{ synapse_db_username }}
+    encoding='UTF8'
+    lc_collate='C'
+    lc_ctype='C'
+    template='template0'
+
+- name: Add cert postrenew task
+  copy: src=etc_letsencrypt_postrenew_synapse.sh dest=/etc/letsencrypt/postrenew/synapse.sh mode=0755
+
+- name: Set firewall rules for Synapse
+  ufw: rule=allow port={{ item }} proto=tcp
+  with_items:
+    - 8448  # matrix federation
+  tags: ufw
+
+- name: Register new Synapse service
+  systemd: name=matrix-synapse daemon_reload=yes enabled=yes
+
+- name: Start new Synapse instance
+  service: name=matrix-synapse state=started
+
+- name: Create the Apache Matrix sites config files
+  template:
+    src=etc_apache2_sites-available_matrix.j2
+    dest=/etc/apache2/sites-available/matrix_{{ item.name }}.conf
+    owner=root
+    group=root
+  with_items: "{{ virtual_domains }}"
+  notify: restart apache
+
+- name: Enable Apache sites (creates new sites-enabled symlinks)
+  command: a2ensite matrix_{{ item }}.conf creates=/etc/apache2/sites-enabled/matrix_{{ item }}.conf
+  notify: restart apache
+  with_items: "{{ virtual_domains | json_query('[*].name') }}"
+
+- name: Create Matrix / Synapse accounts
+  command: register_new_matrix_user -u {{ item.name }} -p {{ item.password }} -t support -a -c /etc/matrix-synapse/homeserver.yaml http://localhost:8008
+  with_items: "{{ synapse_accounts }}"
+  ignore_errors: True

roles/matrix/templates/etc_apache2_sites-available_matrix.j2

@@ -0,0 +1,20 @@
+<VirtualHost *:80>
+    ServerName {{ matrix_subdomain }}.{{ item.name }}
+
+    Redirect permanent / https://{{ item.name }}/
+</VirtualHost>
+
+<VirtualHost *:443>
+    ServerName {{ matrix_subdomain }}.{{ item.name }}
+
+    SSLEngine               On
+    DocumentRoot            "/var/www/riot"
+    DirectoryIndex          index.html
+    Options                 -Indexes
+    HostnameLookups         Off
+
+    ProxyRequests           Off
+    ProxyPreserveHost       On
+    ProxyPass               /_matrix http://localhost:8008/_matrix nocanon
+    ProxyPassReverse        /_matrix http://localhost:8008/_matrix
+</VirtualHost>

roles/matrix/templates/etc_matrix-synapse_conf.d_server_name.j2

@@ -0,0 +1,9 @@
+# This file is autogenerated, and will be recreated on upgrade if it is deleted.
+# Any changes you make will be preserved.
+
+# The domain name of the server, with optional explicit port.
+# This is used by remote servers to connect to this server,
+# e.g. matrix.org, localhost:8080, etc.
+# This is also the last part of your UserID.
+#
+server_name: "{{ matrix_domain }}"

roles/matrix/templates/root_riot_config.j2

@@ -0,0 +1,36 @@
+{
+    "default_hs_url": "https://{{ matrix_domain }}",
+    "default_is_url": "https://matrix.org",
+    "disable_custom_urls": false,
+    "disable_guests": false,
+    "disable_login_language_selector": false,
+    "disable_3pid_login": false,
+    "brand": "Riot",
+    "integrations_ui_url": "https://scalar.vector.im/",
+    "integrations_rest_url": "https://scalar.vector.im/api",
+    "integrations_jitsi_widget_url": "https://scalar.vector.im/api/widgets/jitsi.html",
+    "bug_report_endpoint_url": "https://riot.im/bugreports/submit",
+    "features": {
+        "feature_groups": "labs",
+        "feature_pinning": "labs"
+    },
+    "default_federate": true,
+    "default_theme": "light",
+    "roomDirectory": {
+        "servers": [
+            "{{ matrix_domain }}",
+            "matrix.org"
+        ]
+    },
+    "welcomeUserId": "@riot-bot:matrix.org",
+    "piwik": {
+        "url": "https://piwik.riot.im/",
+        "whitelistedHSUrls": ["https://matrix.org"],
+        "whitelistedISUrls": ["https://vector.im", "https://matrix.org"],
+        "siteId": 1
+    },
+    "enable_presence_by_hs_url": {
+        "{{ matrix_domain }}": true,
+        "https://matrix.org": false
+    }
+}

roles/monitoring/files/etc_monit_conf.d_matrix

@@ -0,0 +1,8 @@
+check process synapse matching /opt/venvs/matrix-synapse/bin/python
+  group social
+  start program = "/bin/systemctl start matrix-synapse"
+  stop program = "/bin/systemctl stop matrix-synapse"
+  if failed port 8448 type tcp
+    with timeout 10 seconds
+    then restart
+  if 5 restarts within 5 cycles then timeout

roles/monitoring/tasks/monit.yml

@@ -40,6 +40,10 @@
   stat: path=/etc/gitea/app.ini
   register: gitea_config_file
 
+- name: Determine if Synapse is installed
+  stat: path=/etc/matrix-synapse/homeserver.yaml
+  register: synapse_config_file
+
 - name: Copy ZNC monit service config files into place
   copy: src=etc_monit_conf.d_znc dest=/etc/monit/conf.d/znc
   notify: restart monit
@@ -70,6 +74,11 @@
   notify: restart monit
   when: gitea_config_file.stat.exists == True
 
+- name: Copy Synapse monit service config files into place
+  copy: src=etc_monit_conf.d_matrix dest=/etc/monit/conf.d/matrix
+  notify: restart monit
+  when: synapse_config_file.stat.exists == True
+
 - name: Copy monit service config files into place
   copy: src=etc_monit_conf.d_{{ item }} dest=/etc/monit/conf.d/{{ item }}
   with_items:

site.yml

@@ -16,5 +16,6 @@
     - gitea
     - ircbouncer
     - xmpp
+    - matrix
     - vpn
     - monitoring  # Monitoring role should be last. See roles/monitoring/README.md