[__ungleich_matrix] import from dot-cdist

2021-02-16 08:50:48 +01:00 · 2021-02-16 08:50:48 +01:00 · e91afafeba
commit e91afafeba
parent 4b7b9ab503
5 changed files with 279 additions and 0 deletions
--- a/type/__ungleich_matrix/man.rst
+++ b/type/__ungleich_matrix/man.rst
@ -0,0 +1,88 @@
+cdist-type__ungleich_matrix(7)
+==============================
+
+NAME
+----
+cdist-type__ungleich_matrix - ungleich matrix enviroment
+
+
+DESCRIPTION
+-----------
+This type deploys a Matrix homeserver (synapse) and web client (element) on
+ungleich's infrastructure. This is a singleton type.
+
+
+REQUIRED PARAMETERS
+-------------------
+matrix-domain
+  Name of your homeserver, as used in MXIDs (e.g. ungleich.ch).
+
+synapse-domain
+  Public address of the Matrix homeserver. This must be a domain name, as it is
+  used to generate TLS certificates and configuration for the web server.
+
+element-address
+  Public address of the Element web client. This must be a domain name, as it is
+  used to generate TLS certificates and configuration for the web server.
+
+element-version
+  Version of the Element client to be deployed.
+
+synapse-smtp-user
+  SMTP user to ungleich's mail infrastructure. Used by Synapse to send
+  notifications over email.
+
+synapse-smtp-password
+  SMTP password to ungleich's mail infrastructure (see synapse-smtp-user).
+
+synapse-smtp-password
+
+OPTIONAL PARAMETERS
+-------------------
+synapse-extra-parameters
+  Extra parameters passed to the `__matrix_synapse` type.
+
+element-extra-parameters
+  Extra parameters passed to the `__matrix_element` type.
+
+BOOLEAN PARAMETERS
+------------------
+None.
+
+
+EXAMPLES
+--------
+
+.. code-block:: sh
+
+    __ungleich_matrix \
+        --matrix-domain matrix-staging.ungleich.ch \
+        --synapse-domain staging.matrix.ungleich.cloud \
+        --element-domain matrix-staging.ungleich.ch \
+        --element-version "1.7.20" \
+        --synapse-smtp-user "matrix@ungleich.ch" \
+        --synapse-smtp-password "secret" \
+        --synapse-extra-parameters " \
+          --enable-ldap-auth \
+          --ldap-uri ldaps://ldap1.ungleich.ch \
+          --ldap-base-dn dc=ungleich,dc=ch \
+          --ldap-bind-dn uid=matrix-synapse,ou=services,dc=ungleich,dc=ch \
+          --ldap-bind-password secret"
+
+SEE ALSO
+--------
+- `cdist-type__matrix_synapse(7) <cdist-type__matrix_synapse.html>`_
+- `cdist-type__matrix_element(7) <cdist-type__matrix_element.html>`_
+
+
+AUTHORS
+-------
+Timothée Floure <timothee.floure@ungleich.ch>
+
+
+COPYING
+-------
+Copyright \(C) 2020 Timothée Floure. You can redistribute it
+and/or modify it under the terms of the GNU General Public License as
+published by the Free Software Foundation, either version 3 of the
+License, or (at your option) any later version.
--- a/type/__ungleich_matrix/manifest
+++ b/type/__ungleich_matrix/manifest
@ -0,0 +1,183 @@
+#!/bin/sh -e
+#
+# $CURSE spaces - I can't munch indentation in heredocs with them. Let's force
+# tabs here! -- Timothée
+# vi: noexpandtab
+#
+# 2020-2021 Timothée Floure (timothee.floure@ungleich.ch)
+os=$(cat "$__global/explorer/os")
+if [ "$os" != "debian" ]; then
+	echo "This type expects to run on Debian" >&2
+	exit 1
+fi
+
+###
+# Type-level flags. Feel free to change them.
+
+# Nginx and synapse maximum size for uploaded files.
+MAX_UPLOAD_SIZE=100M
+
+# Default domain for Jitsi
+JITSI_DOMAIN=talk.ungleich.ch
+
+# (Source) address used by prometheus to fetch synapse metrics.
+PROMETHEUS_SOURCE_ADDRESS=2a0a:e5c0:2:12:0:f0ff:fea9:c461
+
+# ungleich's privacy policy - displayed in element web client.
+PRIVACY_POLICY_URL=https://redmine.ungleich.ch/projects/open-infrastructure/wiki/Security_and_Privacy_Policy
+
+# SMTP server used to send Synapse's notifications.
+SMTP_SERVER="smtp.ungleich.ch"
+SMTP_SERVER_PORT="587"
+
+###
+# Type-parameters and generic configuration. You should not have to touch them.
+
+# Type parameters.
+matrix_domain=$(cat "$__object/parameter/matrix-domain")
+element_domain=$(cat "$__object/parameter/element-domain")
+synapse_domain=$(cat "$__object/parameter/synapse-domain")
+element_version=$(cat "$__object/parameter/element-version")
+
+synapse_smtp_user=$(cat "$__object/parameter/synapse-smtp-user")
+synapse_smtp_password=$(cat "$__object/parameter/synapse-smtp-password")
+
+if [ -f "$__object/parameter/synapse-extra-parameters" ]; then
+	synapse_extra_parameters=$(cat "$__object/parameter/synapse-extra-parameters")
+fi
+if [ -f "$__object/parameter/element-extra-parameters" ]; then
+	element_extra_parameters=$(cat "$__object/parameter/element-extra-parameters")
+fi
+
+# Generic configuration - shared with all ungleich Matrix deployments.
+synapse_base_url="https://$synapse_domain"
+
+postgres_user='matrix-synapse'
+postgres_database='matrix-synapse'
+
+# Required by the __ungleich_nginx_static_site type.
+www_directory_owner=root
+nginx_basedir='/var/www/static'
+
+###
+# Deployment logic.
+
+# Install & configure PGSQL database.
+__package postgresql
+require="__package/postgresql" __postgres_role $postgres_user --login
+require="__postgres_role/$postgres_user" __postgres_database $postgres_user \
+	--owner $postgres_user \
+	--encoding UTF8 \
+	--lc-collate C \
+	--lc-ctype C \
+	--template template0
+
+# Install & configure Synapse (matrix homeserver).
+# shellcheck disable=SC2086
+__matrix_synapse \
+	--server-name "$matrix_domain" \
+	--base-url "$synapse_base_url" \
+	--max-upload-size "$MAX_UPLOAD_SIZE" \
+	--expose-metrics \
+	--database-engine 'psycopg2' \
+	--database-name "$postgres_database" \
+	--database-user "$postgres_user" \
+	--database-host '/var/run/postgresql' \
+	--enable-notifications \
+	--smtp-host "$SMTP_SERVER" \
+	--smtp-port "$SMTP_SERVER_PORT" \
+	--smtp-use-starttls \
+	--smtp-user "$synapse_smtp_user" \
+	--smtp-pass "$synapse_smtp_password" \
+	$synapse_extra_parameters
+
+# Install & configure Element (matrix web client).
+# shellcheck disable=SC2086
+__matrix_element ungleich \
+	--install_dir "$nginx_basedir/$www_directory_owner/$element_domain/www" \
+	--default_server_url "$synapse_base_url" \
+	--default_server_name "$matrix_domain" \
+	--owner "$www_directory_owner" \
+	--version "$element_version" \
+	--jitsi_domain "$JITSI_DOMAIN" \
+	--privacy_policy_url "$PRIVACY_POLICY_URL" \
+	--disable_custom_urls \
+	--branding_auth_footer_links [] \
+	$element_extra_parameters
+
+# Install and configure NGINX web server/proxy.
+__package nginx
+
+synapse_nginx_config="$(cat << EOF
+# Deny access to root.
+deny all;
+
+location ~ /_matrix|/_synapse {
+    # Allow anyone to reach synapse.
+    allow all;
+
+    # Allow uploading large files.
+    client_max_body_size ${MAX_UPLOAD_SIZE:?};
+
+    # Proxy configuration.
+    proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Proto \$scheme;
+    proxy_set_header Host \$http_host;
+    proxy_set_header X-Real-IP \$remote_addr;
+    proxy_pass http://localhost:8008;
+
+    location ~ /_synapse/metrics {
+        # service-monitoring.p6 (monitoring LAN).
+        allow $PROMETHEUS_SOURCE_ADDRESS;
+        deny all;
+
+        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto \$scheme;
+        proxy_set_header Host \$http_host;
+        proxy_set_header X-Real-IP \$remote_addr;
+        proxy_pass http://localhost:8008;
+      }
+  }
+EOF
+)"
+
+require="__matrix_synapse __package/nginx" \
+	__ungleich_nginx_static_site "$synapse_domain" \
+	--owner "$www_directory_owner" \
+	--listen '443 [::]:443' \
+	--base_directory "$nginx_basedir" \
+	--locationopt "$synapse_nginx_config"
+
+# Delegate Matrix federation to port 443 & configure server discovery from
+# clients if matrix_domain is element_domain (= both are handled by this
+# type).
+element_nginx_config=
+if [ "${element_domain:?}" = "${matrix_domain:?}" ]; then
+	element_nginx_config="$(cat <<- EOF
+	location = /.well-known/matrix/server {
+		default_type application/json;
+		return 200 '{"m.server": "${synapse_domain:?}:443"}';
+	}
+
+	location = /.well-known/matrix/client {
+		add_header 'Access-Control-Allow-Origin' '*';
+		default_type application/json;
+		return 200 '{
+			"m.homeserver": {
+				"base_url": "${synapse_base_url:?}"
+			},
+			"im.vector.riot.jitsi": {
+				"preferredDomain": "${JITSI_DOMAIN:?}"
+			}
+		}';
+	}
+	EOF
+	)"
+fi
+
+require="__package/nginx" \
+	__ungleich_nginx_static_site "$element_domain" \
+	--owner "$www_directory_owner" \
+	--listen '443 [::]:443' \
+	--base_directory "$nginx_basedir" \
+	--locationopt "$element_nginx_config"
--- a/type/__ungleich_matrix/parameter/optional
+++ b/type/__ungleich_matrix/parameter/optional
@ -0,0 +1,2 @@
+synapse-extra-parameters
+element-extra-parameters
--- a/type/__ungleich_matrix/parameter/required
+++ b/type/__ungleich_matrix/parameter/required
@ -0,0 +1,6 @@
+matrix-domain
+element-domain
+synapse-domain
+element-version
+synapse-smtp-user
+synapse-smtp-password
--- a/type/__ungleich_matrix/singleton
+++ b/type/__ungleich_matrix/singleton