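#!/bin/sh -e
#
# $CURSE spaces - I can't munch indentation in heredocs with them. Let's force
# tabs here! -- Timothée
# vi: noexpandtab
#
# 2020-2021 Timothée Floure (timothee.floure@ungleich.ch)
#
# cdist type manifest: deploys a Matrix homeserver (Synapse on PostgreSQL)
# behind nginx, optionally together with the Element web client.

# Options given on the shebang line are lost when the manifest is started as
# `sh manifest`, so request errexit explicitly as well.
set -e

os=$(cat "$__global/explorer/os")
if [ "$os" != "debian" ]; then
	echo "This type expects to run on Debian" >&2
	exit 1
fi

###
# Type-level flags. Feel free to change them.

# Nginx and synapse maximum size for uploaded files.
export MAX_UPLOAD_SIZE=100M

# Default domain for Jitsi
JITSI_DOMAIN=talk.ungleich.ch

# (Source) address used by prometheus to fetch synapse metrics.
export PROMETHEUS_SOURCE_ADDRESS=2a0a:e5c0:2:12:0:f0ff:fea9:c461

# ungleich's privacy policy - displayed in element web client.
PRIVACY_POLICY_URL=https://redmine.ungleich.ch/projects/open-infrastructure/wiki/Security_and_Privacy_Policy

# SMTP server used to send Synapse's notifications.
SMTP_SERVER="smtp.ungleich.ch"
SMTP_SERVER_PORT="587"

###
# Type-parameters and generic configuration. You should not have to touch them.

# Type parameters.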
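# Mandatory parameters.
matrix_domain=$(cat "$__object/parameter/matrix-domain")
synapse_domain=$(cat "$__object/parameter/synapse-domain")

# Optional parameters: initialise every one of them to empty so the [ -n ] /
# [ -z ] checks further down do not depend on whether the parameter file
# exists (and behave the same under `set -u`).
element_domain=
element_version=
deploy_element=
synapse_extra_parameters=
element_extra_parameters=
synapse_worker_mode=

if [ -f "$__object/parameter/element-domain" ]; then
	element_domain=$(cat "$__object/parameter/element-domain")
	deploy_element=1
fi
if [ -f "$__object/parameter/element-version" ]; then
	element_version=$(cat "$__object/parameter/element-version")
fi

synapse_smtp_user=$(cat "$__object/parameter/synapse-smtp-user")
# Secret: it is handed to __matrix_synapse on its command line further down,
# so it is visible in process listings on the host running this manifest.
synapse_smtp_password=$(cat "$__object/parameter/synapse-smtp-password")

# Free-form extra arguments, word-split on purpose when passed on.
if [ -f "$__object/parameter/synapse-extra-parameters" ]; then
	synapse_extra_parameters=$(cat "$__object/parameter/synapse-extra-parameters")
fi
if [ -f "$__object/parameter/element-extra-parameters" ]; then
	element_extra_parameters=$(cat "$__object/parameter/element-extra-parameters")
fi

# Boolean flag, stored directly as the __matrix_synapse argument it maps to.
if [ -f "$__object/parameter/synapse-worker-mode" ]; then
	synapse_worker_mode='--worker-mode'
fi

# Per-worker-type instance counts. They are exported rather than passed as
# arguments; presumably consumed by the helper scripts under files/ — verify
# there before renaming any of them.
if [ -f "$__object/parameter/sync-worker" ]; then
	SYNC_WORKERS=$(cat "$__object/parameter/sync-worker")
	export SYNC_WORKERS
fi
if [ -f "$__object/parameter/federation-worker" ]; then
	FEDERATION_WORKERS=$(cat "$__object/parameter/federation-worker")
	export FEDERATION_WORKERS
fi
if [ -f "$__object/parameter/client-worker" ]; then
	CLIENT_WORKERS=$(cat "$__object/parameter/client-worker")
	export CLIENT_WORKERS
fi
if [ -f "$__object/parameter/event-sending-worker" ]; then
	EVENT_SENDING_WORKERS=$(cat "$__object/parameter/event-sending-worker")
	export EVENT_SENDING_WORKERS
fi
if [ -f "$__object/parameter/register-worker" ]; then
	REGISTER_WORKERS=$(cat "$__object/parameter/register-worker")
	export REGISTER_WORKERS
fi
if [ -f "$__object/parameter/generic-worker" ]; then
	GENERIC_WORKERS=$(cat "$__object/parameter/generic-worker")
	export GENERIC_WORKERS
fi

# Generic configuration - shared with all ungleich Matrix deployments.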
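synapse_base_url="https://$synapse_domain"
# Role and database share one name; keep both variables in step, the
# database object below and the synapse --database-* flags read them.
postgres_user='matrix-synapse'
postgres_database='matrix-synapse'

# Required by the __ungleich_nginx_static_site type.
www_directory_owner=root
nginx_basedir='/var/www/static'

##
# Check for invalid parameter combinations.
if [ -n "$element_domain" ] && [ -z "$element_version" ]; then
	echo "--element-version is required if --element-domain is set." >&2
	exit 1
fi
if [ -z "$element_domain" ] && [ -n "$element_version" ]; then
	echo "--element-domain is required if --element-version is set." >&2
	exit 1
fi

##
# Deployment logic.

# Install & configure PGSQL database.
__package postgresql
require="__package/postgresql" __postgres_role "$postgres_user" --login
# The database is named after $postgres_database (what synapse is told to
# connect to), not after the role; both currently hold the same value.
require="__postgres_role/$postgres_user" __postgres_database "$postgres_database" \
	--owner "$postgres_user" \
	--encoding UTF8 \
	--lc-collate C \
	--lc-ctype C \
	--template template0

# Install & configure Synapse (matrix homeserver).
#
# Synapse is ordered after its database so the DB exists by the time the
# homeserver is configured; redis and the python redis client are only
# needed in worker mode.
synapse_reqs="__postgres_database/$postgres_database"
if [ -n "$synapse_worker_mode" ]; then
	__package redis
	__package python3-hiredis
	__package python3-pip
	require="__package/python3-pip" __package_pip txredisapi
	synapse_reqs="$synapse_reqs __package/python3-hiredis __package_pip/txredisapi __package/redis"
fi

# $synapse_worker_mode and $synapse_extra_parameters are deliberately left
# unquoted: each holds zero or more whitespace-separated arguments.
# --smtp-pass puts the SMTP secret on the command line of __matrix_synapse,
# where it is visible in process listings while the type runs.
# shellcheck disable=SC2086
require="$synapse_reqs" __matrix_synapse \
	--server-name "$matrix_domain" \
	--base-url "$synapse_base_url" \
	--max-upload-size "$MAX_UPLOAD_SIZE" \
	--expose-metrics \
	--database-engine 'psycopg2' \
	--database-name "$postgres_database" \
	--database-user "$postgres_user" \
	--database-host '/var/run/postgresql' \
	--enable-notifications \
	--notification-from "Matrix <$synapse_smtp_user>" \
	--smtp-host "$SMTP_SERVER" \
	--smtp-port "$SMTP_SERVER_PORT" \
	--smtp-use-starttls \
	--smtp-user "$synapse_smtp_user" \
	--smtp-pass "$synapse_smtp_password" \
	$synapse_worker_mode \
	$synapse_extra_parameters

# Install and configure NGINX web server/proxy.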
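__package nginx

require="__package/nginx" __file /etc/nginx/conf.d/generic_worker.conf \
	--mode 0644 \
	--source "$__type/files/generic_worker.conf"
require="__package/nginx" __file /etc/nginx/conf.d/synapse-proxy.conf \
	--mode 0644 \
	--source "$__type/files/synapse-proxy.conf"

# Render the upstream block into a variable first: with the helper called
# inside the heredoc's $(...), a failure was not caught by errexit and left an
# empty upstreams file behind. Now a failing helper aborts the manifest.
synapse_upstreams=$("$__type"/files/nginx-upstream-config.sh)
require="__package/nginx" __file /etc/nginx/sites-enabled/synapse-upstreams \
	--mode 0644 \
	--onchange "service nginx reload" \
	--source - << EOF
$synapse_upstreams
EOF

# Both vhost flavours need nginx and the upstream definitions in place.
vhost_reqs="__package/nginx __file/etc/nginx/sites-enabled/synapse-upstreams"

if [ -n "$synapse_worker_mode" ]; then
	# Worker mode: the main process on :8008 serves everything except what
	# generic_worker.conf routes to workers; metrics come from :9000.
	# NOTE(review): the /_synapse/metrics location carries no allow/deny of
	# its own and PROMETHEUS_SOURCE_ADDRESS is not referenced here — confirm
	# generic_worker.conf or synapse-proxy.conf restricts it, otherwise the
	# metrics endpoint is reachable by anyone on :443.
	require="$vhost_reqs" \
		__ungleich_nginx_vhost "$synapse_domain" \
		--listen '443 [::]:443' \
		--rules "$(cat <<- EOF
		##worker
		include /etc/nginx/conf.d/generic_worker.conf;

		location ~* /_synapse/metrics {
			proxy_pass http://localhost:9000;
			include /etc/nginx/conf.d/synapse-proxy.conf;
		}

		##
		location ~* ^(/_matrix|/_synapse) {
			proxy_pass http://localhost:8008;
			include /etc/nginx/conf.d/synapse-proxy.conf;
		}

		location / {
			proxy_pass http://localhost:8008;
			include /etc/nginx/conf.d/synapse-proxy.conf;
		}
		EOF
		)"
else
	# Single-process mode: the location block comes from the helper script.
	require="$vhost_reqs" \
		__ungleich_nginx_static_site "$synapse_domain" \
		--owner "$www_directory_owner" \
		--listen '443 [::]:443' \
		--base_directory "$nginx_basedir" \
		--locationopt "$("$__type"/files/nginx-vhost-config.sh)"
fi

# Delegate Matrix federation to port 443 & configure server discovery from
# clients if matrix_domain is element_domain (= both are handled by this
# type).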
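element_nginx_config=
if [ "$element_domain" = "${matrix_domain:?}" ]; then
	# .well-known/matrix/server: federation delegation to synapse on :443.
	# .well-known/matrix/client: client discovery; the wildcard CORS header is
	# what lets web clients on other origins read it.
	element_nginx_config="$(cat <<- EOF
	location = /.well-known/matrix/server {
		default_type application/json;
		return 200 '{"m.server": "${synapse_domain:?}:443"}';
	}

	location = /.well-known/matrix/client {
		add_header 'Access-Control-Allow-Origin' '*';
		default_type application/json;
		return 200 '{ "m.homeserver": { "base_url": "${synapse_base_url:?}" }, "im.vector.riot.jitsi": { "preferredDomain": "${JITSI_DOMAIN:?}" } }';
	}
	EOF
	)"
fi

if [ -n "$deploy_element" ]; then
	# Install & configure Element (matrix web client).
	# --branding_auth_footer_links takes a literal "[]" (empty list); it is
	# quoted so the shell never treats it as a bracket pattern.
	# $element_extra_parameters is deliberately unquoted (zero or more args).
	# shellcheck disable=SC2086
	__matrix_element ungleich \
		--install_dir "$nginx_basedir/$www_directory_owner/$element_domain/www" \
		--default_server_url "$synapse_base_url" \
		--default_server_name "$matrix_domain" \
		--owner "$www_directory_owner" \
		--version "$element_version" \
		--jitsi_domain "$JITSI_DOMAIN" \
		--privacy_policy_url "$PRIVACY_POLICY_URL" \
		--disable_custom_urls \
		--branding_auth_footer_links '[]' \
		$element_extra_parameters

	# Serve the built client; the well-known locations are empty unless
	# element_domain doubles as matrix_domain (see above).
	require="__package/nginx" \
		__ungleich_nginx_static_site "$element_domain" \
		--owner "$www_directory_owner" \
		--listen '443 [::]:443' \
		--base_directory "$nginx_basedir" \
		--locationopt "$element_nginx_config"
fi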