ungleich-public
/
cdist-ungleich
6
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
cdist-ungleich/type/__ungleich_matrix/manifest

261 lines
7.6 KiB
Bash
Executable File
Raw Blame History

#!/bin/sh -e
#
# $CURSE spaces - I can't munch indentation in heredocs with them. Let's force
# tabs here! -- Timothée
# vi: noexpandtab
#
# 2020-2021 Timothée Floure (timothee.floure@ungleich.ch)
os=$(cat "$__global/explorer/os")
if [ "$os" != "debian" ]; then
echo "This type expects to run on Debian" >&2
exit 1
fi
###
# Type-level flags. Feel free to change them.
# Nginx and synapse maximum size for uploaded files.
export MAX_UPLOAD_SIZE=100M
# Default domain for Jitsi
JITSI_DOMAIN=talk.ungleich.ch
# (Source) address used by prometheus to fetch synapse metrics.
export PROMETHEUS_SOURCE_ADDRESS=2a0a:e5c0:2:12:0:f0ff:fea9:c461
# ungleich's privacy policy - displayed in element web client.
PRIVACY_POLICY_URL=https://redmine.ungleich.ch/projects/open-infrastructure/wiki/Security_and_Privacy_Policy
# SMTP server used to send Synapse's notifications.
SMTP_SERVER="smtp.ungleich.ch"
SMTP_SERVER_PORT="587"
###
# Type-parameters and generic configuration. You should not have to touch them.
# Type parameters.
matrix_domain=$(cat "$__object/parameter/matrix-domain")
synapse_domain=$(cat "$__object/parameter/synapse-domain")
if [ -f "$__object/parameter/element-domain" ]; then
element_domain=$(cat "$__object/parameter/element-domain")
deploy_element=1
fi
if [ -f "$__object/parameter/element-version" ]; then
element_version=$(cat "$__object/parameter/element-version")
fi
synapse_smtp_user=$(cat "$__object/parameter/synapse-smtp-user")
synapse_smtp_password=$(cat "$__object/parameter/synapse-smtp-password")
if [ -f "$__object/parameter/synapse-extra-parameters" ]; then
synapse_extra_parameters=$(cat "$__object/parameter/synapse-extra-parameters")
fi
if [ -f "$__object/parameter/element-extra-parameters" ]; then
element_extra_parameters=$(cat "$__object/parameter/element-extra-parameters")
fi
synapse_worker_mode=
if [ -f "$__object/parameter/synapse-worker-mode" ]; then
synapse_worker_mode='--worker-mode'
fi
if [ -f "$__object/parameter/sync-worker" ]; then
SYNC_WORKERS=$(cat "$__object/parameter/sync-worker")
export SYNC_WORKERS
fi
if [ -f "$__object/parameter/federation-worker" ]; then
FEDERATION_WORKERS=$(cat "$__object/parameter/federation-worker")
export FEDERATION_WORKERS
fi
if [ -f "$__object/parameter/client-worker" ]; then
CLIENT_WORKERS=$(cat "$__object/parameter/client-worker")
export CLIENT_WORKERS
fi
if [ -f "$__object/parameter/event-sending-worker" ]; then
EVENT_SENDING_WORKERS=$(cat "$__object/parameter/event-sending-worker")
export EVENT_SENDING_WORKERS
fi
if [ -f "$__object/parameter/register-worker" ]; then
REGISTER_WORKERS=$(cat "$__object/parameter/register-worker")
export REGISTER_WORKERS
fi
if [ -f "$__object/parameter/generic-worker" ]; then
GENERIC_WORKERS=$(cat "$__object/parameter/generic-worker")
export GENERIC_WORKERS
fi
# Generic configuration - shared with all ungleich Matrix deployments.
synapse_base_url="https://$synapse_domain"
postgres_user='matrix-synapse'
postgres_database='matrix-synapse'
# Required by the __ungleich_nginx_static_site type.
www_directory_owner=root
nginx_basedir='/var/www/static'
##
# Check for invalid parameter combinations.
if [ -n "$element_domain" ] && [ -z "$element_version" ]; then
echo "--element-version is required if --element-domain is set." >&2
exit 1
fi
if [ -z "$element_domain" ] && [ -n "$element_version" ]; then
echo "--element-domain is required if --element-version is set." >&2
exit 1
fi
##
# Deployment logic.
# Install & configure PGSQL database.
__package postgresql
require="__package/postgresql" __postgres_role $postgres_user --login
require="__postgres_role/$postgres_user" __postgres_database $postgres_user \
--owner $postgres_user \
--encoding UTF8 \
--lc-collate C \
--lc-ctype C \
--template template0
# Install & configure Synapse (matrix homeserver).
synapse_reqs=
if [ -n "$synapse_worker_mode" ]; then
__package redis
__package python3-hiredis
__package python3-pip
require="__package/python3-pip" __package_pip txredisapi
synapse_reqs="__package/python3-hiredis __package_pip/txredisapi \
__package/redis"
fi
# shellcheck disable=SC2086
require="$synapse_reqs" __matrix_synapse \
--server-name "$matrix_domain" \
--base-url "$synapse_base_url" \
--max-upload-size "$MAX_UPLOAD_SIZE" \
--expose-metrics \
--database-engine 'psycopg2' \
--database-name "$postgres_database" \
--database-user "$postgres_user" \
--database-host '/var/run/postgresql' \
--enable-notifications \
--notification-from "Matrix <$synapse_smtp_user>" \
--smtp-host "$SMTP_SERVER" \
--smtp-port "$SMTP_SERVER_PORT" \
--smtp-use-starttls \
--smtp-user "$synapse_smtp_user" \
--smtp-pass "$synapse_smtp_password" \
$synapse_worker_mode \
$synapse_extra_parameters
# Install and configure NGINX web server/proxy.
__package nginx
require="__package/nginx" __file /etc/nginx/conf.d/generic_worker.conf \
--mode 0644 \
--source "$__type/files/generic_worker.conf"
require="__package/nginx" __file /etc/nginx/conf.d/synapse-proxy.conf \
--mode 0644 \
--source "$__type/files/synapse-proxy.conf"
require="__package/nginx" __file /etc/nginx/sites-enabled/synapse-upstreams \
--mode 0644 \
--onchange "service nginx reload" \
--source - << EOF
$("$__type"/files/nginx-upstream-config.sh)
EOF
if [ -f "$__object/parameter/synapse-worker-mode" ]; then
require="__package/nginx __file/etc/nginx/sites-enabled/synapse-upstreams" \
__ungleich_nginx_vhost "$synapse_domain" \
--listen '443 [::]:443' \
--rules "$(cat << EOF
##worker
include /etc/nginx/conf.d/generic_worker.conf;
location ~* /_synapse/metrics {
proxy_pass http://localhost:9000;
include /etc/nginx/conf.d/synapse-proxy.conf;
}
##
location ~* ^(/_matrix|/_synapse) {
proxy_pass http://localhost:8008;
include /etc/nginx/conf.d/synapse-proxy.conf;
}
location / {
proxy_pass http://localhost:8008;
include /etc/nginx/conf.d/synapse-proxy.conf;
}
EOF
)"
else
require="__package/nginx __file/etc/nginx/sites-enabled/synapse-upstreams" \
__ungleich_nginx_static_site "$synapse_domain" \
--owner "$www_directory_owner" \
--listen '443 [::]:443' \
--base_directory "$nginx_basedir" \
--locationopt "$("$__type"/files/nginx-vhost-config.sh)"
fi
# Delegate Matrix federation to port 443 & configure server discovery from
# clients if matrix_domain is element_domain (= both are handled by this
# type).
element_nginx_config=
if [ "$element_domain" = "${matrix_domain:?}" ]; then
element_nginx_config="$(cat <<- EOF
location = /.well-known/matrix/server {
default_type application/json;
return 200 '{"m.server": "${synapse_domain:?}:443"}';
}
location = /.well-known/matrix/client {
add_header 'Access-Control-Allow-Origin' '*';
default_type application/json;
return 200 '{
"m.homeserver": {
"base_url": "${synapse_base_url:?}"
},
"im.vector.riot.jitsi": {
"preferredDomain": "${JITSI_DOMAIN:?}"
}
}';
}
EOF
)"
fi
if [ -n "$deploy_element" ]; then
# Install & configure Element (matrix web client).
# shellcheck disable=SC2086
__matrix_element ungleich \
--install_dir "$nginx_basedir/$www_directory_owner/$element_domain/www" \
--default_server_url "$synapse_base_url" \
--default_server_name "$matrix_domain" \
--owner "$www_directory_owner" \
--version "$element_version" \
--jitsi_domain "$JITSI_DOMAIN" \
--privacy_policy_url "$PRIVACY_POLICY_URL" \
--disable_custom_urls \
--branding_auth_footer_links [] \
$element_extra_parameters
require="__package/nginx" \
__ungleich_nginx_static_site "$element_domain" \
--owner "$www_directory_owner" \
--listen '443 [::]:443' \
--base_directory "$nginx_basedir" \
--locationopt "$element_nginx_config"
fi
Reference in New Issue View Git Blame Copy Permalink