Add synapse to ansible

_ansible/node002.yml

@@ -11,6 +11,7 @@
     - homebox
     - influxdb
     - jellyfin
+    - synapse
     - tandoor
     - telegraf
     - tinytinyrss

_ansible/roles/synapse/files/msrg.cc.log.config

@@ -0,0 +1,22 @@
+version: 1
+
+formatters:
+  precise:
+   format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s - %(message)s'
+
+handlers:
+  console:
+    class: logging.StreamHandler
+    formatter: precise
+
+loggers:
+    synapse.storage.SQL:
+        # beware: increasing this to DEBUG will make synapse log sensitive
+        # information such as access tokens.
+        level: INFO
+
+root:
+    level: INFO
+    handlers: [console]
+
+disable_existing_loggers: false

_ansible/roles/synapse/tasks/main.yml

@@ -0,0 +1,36 @@
+---
+- name: Deploy {{ svc.name }}
+  tags:
+    - synapse
+    - matrix
+  block:
+    - import_tasks: prepare-common-service.yml
+
+    - name: Set synapse config path
+      ansible.builtin.set_fact:
+        config_path: "{{ (service_path, svc.config_path) | path_join }}"
+    - name: Create config directory
+      ansible.builtin.file:
+        path: "{{ config_path }}"
+        state: directory
+        mode: "0755"
+
+    - name: Template config
+      ansible.builtin.template:
+        src: service.yml.j2
+        dest: "{{ (config_path, 'homeserver.yaml') | path_join }}"
+        mode: "0644"
+    
+    - name: Copy the log config
+      ansible.builtin.copy:
+        src: msrg.cc.log.config
+        dest: "{{ (config_path, 'msrg.cc.log.config') | path_join }}"
+        mode: '0644'
+
+    - name: Copy the signing key
+      ansible.builtin.copy:
+        content: "{{ vault_synapse.signing_key }}"
+        dest: "{{ (config_path, 'msrg.cc.signing.key') | path_join }}"
+        mode: '0644'
+
+    - import_tasks: start-common-service.yml

_ansible/roles/synapse/vars/main.yml

@@ -0,0 +1,125 @@
+svc:
+  name: synapse
+  domain: "matrix.msrg.cc"
+  docker_host: synapse-admin
+  port: 80
+  caddy_extra: |
+    handle /_matrix/* {
+        reverse_proxy synapse:8008
+    }
+    handle /_synapse/* {
+        reverse_proxy synapse:8008
+    }
+  extra_svcs:
+    - domain: "msrg.cc:8008"
+      additional_domains:
+        - matrix.msrg.cc:8448
+        - matrix.msrg.cc:8008
+        - msrg.cc:8448
+      docker_host: synapse
+      port: 8008
+  db:
+    host: "{{ postgres.host }}"
+    database: synapse
+    user: "{{ vault_synapse.db.user }}"
+    pass: "{{ vault_synapse.db.pass }}"
+  config_path: config
+
+svc_env:
+  SYNAPSE_CONFIG_PATH: "{{ ('/', svc.config_path) | path_join }}"
+  REACT_APP_SERVER: https://matrix.msrg.cc
+
+svc_yml:
+  server_name: "msrg.cc"
+  pid_file: "{{ (svc.config_path, 'homeserver.pid') | path_join }}"
+  public_baseurl: https://matrix.msrg.cc/
+  allow_public_rooms_without_auth: true
+  allow_public_rooms_over_federation: true
+
+  listeners:
+    - port: 8008
+      tls: false
+      type: http
+      x_forwarded: true
+      resources:
+        - names:
+          - client
+          - federation
+          - metrics
+          compress: false
+
+  admin_contact: "mailto:{{ admin_email }}"
+
+  acme:
+      enabled: false
+
+  database:
+   name: "psycopg2"
+   args:
+     user: "{{ svc.db.user }}"
+     password: "{{ svc.db.pass }}"
+     database: "{{ svc.db.database }}"
+     host: "{{ svc.db.host }}"
+     cp_min: 5
+     cp_max: 10
+
+  log_config: "{{ (svc.config_path, 'msrg.cc.log.config') | path_join }}"
+  media_store_path: "/media_store"
+  max_upload_size: 500M
+  enable_registration: false
+  enable_metrics: true
+  report_stats: true
+
+  macaroon_secret_key: "{{ vault_synapse.macaroon_secret_key }}"
+  form_secret: "{{ vault_synapse.form_secret }}"
+  signing_key_path: "{{ (svc.config_path, 'msrg.cc.signing.key') | path_join }}"
+
+  trusted_key_servers:
+    - server_name: "matrix.org"
+  suppress_key_server_warning: true
+
+  oidc_providers:
+    - idp_id: "auth_serguzim_me"
+      idp_name: "auth.serguzim.me"
+      issuer: "https://auth.serguzim.me/application/o/matrix_serguzim_me/"
+      client_id: "{{ vault_synapse.oidc_client.id }}"
+      client_secret: "{{ vault_synapse.oidc_client.secret }}"
+      scopes:
+        - "openid"
+        - "profile"
+        - "email"
+      user_mapping_provider:
+        config:
+          localpart_template: "{{ '{{ user.preferred_username }}' }}"
+          display_name_template: "{{ '{{ user.name }}' }}"
+
+  email:
+    smtp_host: mail.serguzim.me
+    smtp_port: 587
+    smtp_user: "matrix@serguzim.me"
+    smtp_pass: "{{ vault_synapse.mail.pass }}"
+    require_transport_security: true
+    notif_from: "Matrix <matrix@serguzim.me>"
+
+compose:
+  watchtower: true
+  env: true
+  image: ghcr.io/matrix-org/synapse
+  volumes:
+    - ./config:/config
+    - media_store:/media_store
+  file:
+    services:
+      synapse-admin:
+         image: awesometechnologies/synapse-admin
+         restart: always
+         labels:
+           com.centurylinklabs.watchtower.enable: true
+         env_file:
+           - service.env
+         networks:
+           apps:
+             aliases:
+               - synapse-admin
+    volumes:
+      media_store: