Configured synapse

ansible/roles/synapse/handlers/main.yml

@@ -0,0 +1,4 @@
+- name: restart synapse
+  community.docker.docker_compose:
+    project_src: "{{ install_directory }}/{{ role_name }}"
+    restarted: true

ansible/roles/synapse/tasks/main.yml

@@ -0,0 +1,77 @@
+- name: Create service user
+  user:
+    name: "{{ role_name }}"
+    system: true
+  register: service_user
+  become: true
+
+- name: Create install directory
+  file:
+    path: "{{ install_directory }}/{{ role_name }}"
+    state: directory
+    owner: "{{ docker_user }}"
+    mode: "{{ docker_compose_directory_mask }}"
+  become: true
+
+- name: Copy docker-compose file to destination
+  template:
+    src: docker-compose.yml
+    dest: "{{ install_directory }}/{{ role_name }}/docker-compose.yml"
+    owner: "{{ docker_user }}"
+    mode: "{{ docker_compose_file_mask }}"
+    validate: docker-compose -f %s config
+  become: true
+
+- name: Copy homeserver.yaml to destination
+  template:
+    src: homeserver.yaml
+    dest: "{{ install_directory }}/synapse/homeserver.yaml"
+    owner: "{{ service_user.uid }}"
+    mode: "{{ docker_compose_file_mask }}"
+  notify: restart synapse
+  become: true
+
+- name: Create config directory and set synapse user to owner
+  file:
+    path: "{{ data_dir }}/synapse"
+    state: directory
+    owner: "{{ service_user.uid }}"
+    mode: "{{ docker_compose_directory_mask }}"
+  become: true
+
+- name: Create nginx config directory
+  file:
+    path: "{{ data_dir }}/nginx/synapse/www/.well-known/matrix/"
+    state: directory
+    mode: "{{ docker_compose_directory_mask }}"
+  become: true
+
+- name: Install nginx config file
+  template:
+    src: nginx/matrix.conf
+    dest: "{{ data_dir }}/nginx/synapse/matrix.conf"
+    owner: "{{ docker_user }}"
+    mode: "{{ docker_compose_file_mask }}"
+  become: true
+
+- name: Install well known client file
+  template:
+    src: nginx/client.json
+    dest: "{{ data_dir }}/nginx/synapse/www/.well-known/matrix/client"
+    owner: "{{ docker_user }}"
+    mode: "{{ docker_compose_file_mask }}"
+  become: true
+
+- name: Install well known server file
+  template:
+    src: nginx/server.json
+    dest: "{{ data_dir }}/nginx/synapse/www/.well-known/matrix/server"
+    owner: "{{ docker_user }}"
+    mode: "{{ docker_compose_file_mask }}"
+  become: true
+
+- name: Start docker container
+  community.docker.docker_compose:
+    project_src: "{{ install_directory }}/{{ role_name }}"
+    pull: true
+    remove_orphans: yes

ansible/roles/synapse/templates/docker-compose.yml

@@ -0,0 +1,68 @@
+version: "{{ docker_compose_version }}"
+
+networks:
+  traefik:
+    external: true
+
+services:
+  synapse:
+    container_name: "synapse"
+    image: matrixdotorg/synapse
+    restart: unless-stopped
+    depends_on:
+      - db
+    networks:
+      - traefik
+      - default
+    environment:
+      - "UID={{ service_user.uid }}"
+      - "GID={{ service_user.uid }}"
+      - "TZ={{ timezone }}"
+    volumes:
+      - "{{ data_dir }}/{{ role_name }}:/data"
+      - ./homeserver.yaml:/data/homeserver.yaml
+    labels:
+      traefik.enable: true
+      traefik.http.routers.synapse.rule: "Host(`matrix.{{ personal_domain }}`) || (Host(`{{ personal_domain }}`) && PathPrefix(`/_matrix/`))"
+
+  db:
+    image: postgres:14-alpine
+    restart: unless-stopped
+    networks:
+      - default
+    environment:
+      - POSTGRES_USER=synapse
+      - POSTGRES_PASSWORD=synapse
+      - POSTGRES_INITDB_ARGS=--encoding=UTF-8 --lc-collate=C --lc-ctype=C
+    volumes:
+      - "{{ data_dir }}/postgres/synapse:/var/lib/postgresql/data"
+
+  redis:
+    networks:
+      - default
+    image: redis:7-alpine
+    restart: unless-stopped
+    volumes:
+      - "{{ data_dir }}/redis/synapse:/data"
+
+  admin:
+    image: awesometechnologies/synapse-admin:latest
+    restart: unless-stopped
+    networks:
+      - traefik
+    labels:
+      traefik.enable: true
+      traefik.http.routers.synapse-admin.rule: "Host(`synapse-admin.local.{{ personal_domain }}`)"
+      traefik.http.routers.synapse-admin.middlewares: lan-whitelist@file
+
+  nginx:
+    image: nginx:latest
+    restart: unless-stopped
+    networks:
+      - traefik
+    volumes:
+      - "{{ data_dir }}/nginx/synapse/matrix.conf:/etc/nginx/conf.d/matrix.conf"
+      - "{{ data_dir }}/nginx/synapse/www:/var/www"
+    labels:
+      traefik.enable: true
+      traefik.http.routers.matrix.rule: "Host(`{{ personal_domain }}`)"

ansible/roles/synapse/templates/homeserver.yaml

@@ -0,0 +1,39 @@
+server_name: "{{ personal_domain }}"
+pid_file: /data/homeserver.pid
+public_baseurl: "https://matrix.{{ personal_domain }}"
+
+acme:
+  enabled: false
+
+database:
+  name: psycopg2
+  args:
+    user: synapse
+    password: synapse
+    database: synapse
+    host: db
+
+redis:
+  enabled: true
+  host: redis
+  port: 6379
+
+listeners:
+  - port: 8008
+    tls: false
+    type: http
+    x_forwarded: true
+    resources:
+      - names: [client, federation]
+        compress: false
+
+registration_shared_secret: "{{ synapse_registration_shared_secret }}"
+
+report_stats: true
+
+media_store_path: /data/media_store
+uploads_path: /data/uploads
+
+trusted_key_servers:
+  - server_name: matrix.org
+suppress_key_server_warning: true

ansible/roles/synapse/templates/nginx/client.json

@@ -0,0 +1,5 @@
+{
+  "m.homeserver": {
+    "base_url": "https://matrix.{{ personal_domain }}"
+  }
+}

ansible/roles/synapse/templates/nginx/matrix.conf

@@ -0,0 +1,17 @@
+server {
+  listen         80 default_server;
+  server_name    matrix.{{ personal_domain }};
+
+ # Traefik -> nginx -> synapse
+ location /_matrix {
+    proxy_pass http://synapse:8008;
+    proxy_set_header X-Forwarded-For $remote_addr;
+    client_max_body_size 128m;
+  }
+
+  location /.well-known/matrix/ {
+    root /var/www/;
+    default_type application/json;
+    add_header Access-Control-Allow-Origin  *;
+  }
+}

ansible/roles/synapse/templates/nginx/server.json

@@ -0,0 +1,4 @@
+{
+  "m.server": "matrix.mjwilson.org:443"
+}
+

ansible/roles/synapse/vars/main.yml

@@ -0,0 +1,13 @@
+synapse_registration_shared_secret: !vault |
+  $ANSIBLE_VAULT;1.1;AES256
+  65393839306334366466313761336630626238333832636161646464386333363363633562656232
+  3066613635656566656266616138323539366665313962340a366366383262353365326339633039
+  66646531313534336335666461656663376566626332633534303065646136623437313463616535
+  3466376465313533650a663639346638626634343536333030383763383563303738616135303135
+  33623766343365626139323238373765363162373066396361303636656264363337393232306530
+  35633363656164636535616435393131333634343764653535316238616631623563363266653262
+  36646261623832343232623064653436616365613539616262613937336138666462353139663363
+  30313237666630346638386132616331323930383638353365343439383166333365316539643731
+  36343636343434373466306237316163613363353063613261373135623037366537353065623961
+  63396132306132333162316165393463396136303161373064376237303137373766383632643965
+  383035353564306238663965653166336566