[__ungleich_matrix] import from dot-cdist
This commit is contained in:
parent
4b7b9ab503
commit
e91afafeba
5 changed files with 279 additions and 0 deletions
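--- a/type/__ungleich_matrix/man.rst
+++ b/type/__ungleich_matrix/man.rst
@@ -0,0 +1,88 @@
+cdist-type__ungleich_matrix(7)
+==============================
+
+NAME
+----
+cdist-type__ungleich_matrix - ungleich matrix enviroment
+
+
+DESCRIPTION
+-----------
+This type deploys a Matrix homeserver (synapse) and web client (element) on
+ungleich's infrastructure. This is a singleton type.
+
+
+REQUIRED PARAMETERS
+-------------------
+matrix-domain
+Name of your homeserver, as used in MXIDs (e.g. ungleich.ch).
+
+synapse-domain
+Public address of the Matrix homeserver. This must be a domain name, as it is
+used to generate TLS certificates and configuration for the web server.
+
+element-address
+Public address of the Element web client. This must be a domain name, as it is
+used to generate TLS certificates and configuration for the web server.
+
+element-version
+Version of the Element client to be deployed.
+
+synapse-smtp-user
+SMTP user to ungleich's mail infrastructure. Used by Synapse to send
+notifications over email.
+
+synapse-smtp-password
+SMTP password to ungleich's mail infrastructure (see synapse-smtp-user).
+
+synapse-smtp-password
+
+OPTIONAL PARAMETERS
+-------------------
+synapse-extra-parameters
+Extra parameters passed to the `__matrix_synapse` type.
+
+element-extra-parameters
+Extra parameters passed to the `__matrix_element` type.
+
+BOOLEAN PARAMETERS
+------------------
+None.
+
+
+EXAMPLES
+--------
+
+.. code-block:: sh
+
+__ungleich_matrix \
+--matrix-domain matrix-staging.ungleich.ch \
+--synapse-domain staging.matrix.ungleich.cloud \
+--element-domain matrix-staging.ungleich.ch \
+--element-version "1.7.20" \
+--synapse-smtp-user "matrix@ungleich.ch" \
+--synapse-smtp-password "secret" \
+--synapse-extra-parameters " \
+--enable-ldap-auth \
+--ldap-uri ldaps://ldap1.ungleich.ch \
+--ldap-base-dn dc=ungleich,dc=ch \
+--ldap-bind-dn uid=matrix-synapse,ou=services,dc=ungleich,dc=ch \
+--ldap-bind-password secret"
+
+SEE ALSO
+--------
+- `cdist-type__matrix_synapse(7) <cdist-type__matrix_synapse.html>`_
+- `cdist-type__matrix_element(7) <cdist-type__matrix_element.html>`_
+
+
+AUTHORS
+-------
+Timothée Floure <timothee.floure@ungleich.ch>
+
+
+COPYING
+-------
+Copyright \(C) 2020 Timothée Floure. You can redistribute it
+and/or modify it under the terms of the GNU General Public License as
+published by the Free Software Foundation, either version 3 of the
+License, or (at your option) any later version.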
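--- a/type/__ungleich_matrix/manifest
+++ b/type/__ungleich_matrix/manifest
@@ -0,0 +1,183 @@
+#!/bin/sh -e
+#
+# $CURSE spaces - I can't munch indentation in heredocs with them. Let's force
+# tabs here! -- Timothée
+# vi: noexpandtab
+#
+# 2020-2021 Timothée Floure (timothee.floure@ungleich.ch)
+os=$(cat "$__global/explorer/os")
+if [ "$os" != "debian" ]; then
+echo "This type expects to run on Debian" >&2
+exit 1
+fi
+
+###
+# Type-level flags. Feel free to change them.
+
+# Nginx and synapse maximum size for uploaded files.
+MAX_UPLOAD_SIZE=100M
+
+# Default domain for Jitsi
+JITSI_DOMAIN=talk.ungleich.ch
+
+# (Source) address used by prometheus to fetch synapse metrics.
+PROMETHEUS_SOURCE_ADDRESS=2a0a:e5c0:2:12:0:f0ff:fea9:c461
+
+# ungleich's privacy policy - displayed in element web client.
+PRIVACY_POLICY_URL=https://redmine.ungleich.ch/projects/open-infrastructure/wiki/Security_and_Privacy_Policy
+
+# SMTP server used to send Synapse's notifications.
+SMTP_SERVER="smtp.ungleich.ch"
+SMTP_SERVER_PORT="587"
+
+###
+# Type-parameters and generic configuration. You should not have to touch them.
+
+# Type parameters.
+matrix_domain=$(cat "$__object/parameter/matrix-domain")
+element_domain=$(cat "$__object/parameter/element-domain")
+synapse_domain=$(cat "$__object/parameter/synapse-domain")
+element_version=$(cat "$__object/parameter/element-version")
+
+synapse_smtp_user=$(cat "$__object/parameter/synapse-smtp-user")
+synapse_smtp_password=$(cat "$__object/parameter/synapse-smtp-password")
+
+if [ -f "$__object/parameter/synapse-extra-parameters" ]; then
+synapse_extra_parameters=$(cat "$__object/parameter/synapse-extra-parameters")
+fi
+if [ -f "$__object/parameter/element-extra-parameters" ]; then
+element_extra_parameters=$(cat "$__object/parameter/element-extra-parameters")
+fi
+
+# Generic configuration - shared with all ungleich Matrix deployments.
+synapse_base_url="https://$synapse_domain"
+
+postgres_user='matrix-synapse'
+postgres_database='matrix-synapse'
+
+# Required by the __ungleich_nginx_static_site type.
+www_directory_owner=root
+nginx_basedir='/var/www/static'
+
+###
+# Deployment logic.
+
+# Install & configure PGSQL database.
+__package postgresql
+require="__package/postgresql" __postgres_role $postgres_user --login
+require="__postgres_role/$postgres_user" __postgres_database $postgres_user \
+--owner $postgres_user \
+--encoding UTF8 \
+--lc-collate C \
+--lc-ctype C \
+--template template0
+
+# Install & configure Synapse (matrix homeserver).
+# shellcheck disable=SC2086
+__matrix_synapse \
+--server-name "$matrix_domain" \
+--base-url "$synapse_base_url" \
+--max-upload-size "$MAX_UPLOAD_SIZE" \
+--expose-metrics \
+--database-engine 'psycopg2' \
+--database-name "$postgres_database" \
+--database-user "$postgres_user" \
+--database-host '/var/run/postgresql' \
+--enable-notifications \
+--smtp-host "$SMTP_SERVER" \
+--smtp-port "$SMTP_SERVER_PORT" \
+--smtp-use-starttls \
+--smtp-user "$synapse_smtp_user" \
+--smtp-pass "$synapse_smtp_password" \
+$synapse_extra_parameters
+
+# Install & configure Element (matrix web client).
+# shellcheck disable=SC2086
+__matrix_element ungleich \
+--install_dir "$nginx_basedir/$www_directory_owner/$element_domain/www" \
+--default_server_url "$synapse_base_url" \
+--default_server_name "$matrix_domain" \
+--owner "$www_directory_owner" \
+--version "$element_version" \
+--jitsi_domain "$JITSI_DOMAIN" \
+--privacy_policy_url "$PRIVACY_POLICY_URL" \
+--disable_custom_urls \
+--branding_auth_footer_links [] \
+$element_extra_parameters
+
+# Install and configure NGINX web server/proxy.
+__package nginx
+
+synapse_nginx_config="$(cat << EOF
+# Deny access to root.
+deny all;
+
+location ~ /_matrix|/_synapse {
+# Allow anyone to reach synapse.
+allow all;
+
+# Allow uploading large files.
+client_max_body_size ${MAX_UPLOAD_SIZE:?};
+
+# Proxy configuration.
+proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto \$scheme;
+proxy_set_header Host \$http_host;
+proxy_set_header X-Real-IP \$remote_addr;
+proxy_pass http://localhost:8008;
+
+location ~ /_synapse/metrics {
+# service-monitoring.p6 (monitoring LAN).
+allow $PROMETHEUS_SOURCE_ADDRESS;
+deny all;
+
+proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto \$scheme;
+proxy_set_header Host \$http_host;
+proxy_set_header X-Real-IP \$remote_addr;
+proxy_pass http://localhost:8008;
+}
+}
+EOF
+)"
+
+require="__matrix_synapse __package/nginx" \
+__ungleich_nginx_static_site "$synapse_domain" \
+--owner "$www_directory_owner" \
+--listen '443 [::]:443' \
+--base_directory "$nginx_basedir" \
+--locationopt "$synapse_nginx_config"
+
+# Delegate Matrix federation to port 443 & configure server discovery from
+# clients if matrix_domain is element_domain (= both are handled by this
+# type).
+element_nginx_config=
+if [ "${element_domain:?}" = "${matrix_domain:?}" ]; then
+element_nginx_config="$(cat <<- EOF
+location = /.well-known/matrix/server {
+default_type application/json;
+return 200 '{"m.server": "${synapse_domain:?}:443"}';
+}
+
+location = /.well-known/matrix/client {
+add_header 'Access-Control-Allow-Origin' '*';
+default_type application/json;
+return 200 '{
+"m.homeserver": {
+"base_url": "${synapse_base_url:?}"
+},
+"im.vector.riot.jitsi": {
+"preferredDomain": "${JITSI_DOMAIN:?}"
+}
+}';
+}
+EOF
+)"
+fi
+
+require="__package/nginx" \
+__ungleich_nginx_static_site "$element_domain" \
+--owner "$www_directory_owner" \
+--listen '443 [::]:443' \
+--base_directory "$nginx_basedir" \
+--locationopt "$element_nginx_config"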
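Review bot: The `location ~ /_matrix|/_synapse` block in `synapse_nginx_config` proxies the whole `/_synapse` tree with `allow all`, which puts Synapse's admin API (`/_synapse/admin`) on the public listener alongside the client and federation paths, while only `/_synapse/metrics` gets a source restriction; Synapse's reverse-proxy guidance is, as far as I recall, to keep the admin API off the public internet. A nested block next to the metrics one, `location ~ ^/_synapse/admin { deny all; }` (or an `allow` for a management address followed by `deny all;`), closes that, and the outer match is safer anchored, `location ~ ^/(_matrix|_synapse) {`, since the current regex also matches `/_matrix` or `/_synapse` appearing later in a URI. The man page added in this commit documents the parameter as `element-address` and lists `synapse-smtp-password` twice, whereas the manifest reads `$__object/parameter/element-domain` and `parameter/required` names `element-domain`.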
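--- a/type/__ungleich_matrix/parameter/optional
+++ b/type/__ungleich_matrix/parameter/optional
@@ -0,0 +1,2 @@
+synapse-extra-parameters
+element-extra-parameters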
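--- a/type/__ungleich_matrix/parameter/required
+++ b/type/__ungleich_matrix/parameter/required
@@ -0,0 +1,6 @@
+matrix-domain
+element-domain
+synapse-domain
+element-version
+synapse-smtp-user
+synapse-smtp-password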
0
type/__ungleich_matrix/singleton
Normal file
0
type/__ungleich_matrix/singleton
Normal file