diff --git a/matrix.yml b/matrix.yml
index 8de4e15..8b8d2b9 100644
--- a/matrix.yml
+++ b/matrix.yml
@@ -11,8 +11,16 @@
 state: directory
 mode: '0550'
+ - name: Create /home/docker/matrix.{{inventory_hostname}}/data dir
+ ansible.builtin.file:
+ path: /home/docker/matrix.{{inventory_hostname}}/data
+ owner: 3000
+ group: 3000
+ state: directory
+ mode: '0750'
+
 - name: Gen initial passwords if not exists
- ansible.builtin.shell: docker run --rm -v ./data:/data -e SYNAPSE_SERVER_NAME=matrix.{{inventory_hostname}} -e SYNAPSE_HTTP_PORT=8008 -e SYNAPSE_REPORT_STATS=no matrixdotorg/synapse:latest generate
+ ansible.builtin.shell: docker run --rm -v ./data:/data -e SYNAPSE_SERVER_NAME=matrix.{{inventory_hostname}} -e SYNAPSE_HTTP_PORT=8008 -e SYNAPSE_REPORT_STATS=no -e UID=3000 -e GUID=3000 matrixdotorg/synapse:latest generate
 args:
 chdir: /home/docker/matrix.{{inventory_hostname}}
 creates: /home/docker/matrix.{{inventory_hostname}}/data/homeserver.yaml
@@ -26,7 +34,7 @@
 group: docker
 marker: "# {mark} ANSIBLE MANAGED BLOCK"
 block: |
- public_baseurl: https://matrix.{{inventory_hostname}}/
+ public_baseurl: https://matrix-synapse.{{inventory_hostname}}/
 enable_registration: false
 max_upload_size: 2048M
 retention:
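Review bot: `-e GUID=3000` in the rewritten generate command looks misspelled — the matrixdotorg/synapse image's entrypoint reads `UID` and `GID`, so the group setting is silently ignored and the generate step runs with the image's default group; `-e UID=3000 -e GID=3000` matches the 3000/3000 ownership the new file task gives the data directory. The second hunk on this line points `public_baseurl` at `https://matrix-synapse.{{inventory_hostname}}/`, while the well-known client document added later in this diff advertises `https://matrix.{{inventory_hostname}}` as the homeserver base_url; Synapse embeds public_baseurl in the links it generates, so if clients are meant to go through the nginx host the two values should probably agree — worth confirming which name is intended as the client-facing one.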
@@ -119,6 +127,61 @@
 chdir: /home/docker/matrix.{{inventory_hostname}}
 creates: /home/docker/matrix.{{inventory_hostname}}/env
+ - name: /home/docker/matrix.{{inventory_hostname}}/nginx-matrix.conf
+ blockinfile:
+ path: /home/docker/matrix.{{inventory_hostname}}/nginx-matrix.conf
+ mode: "0444"
+ owner: root
+ group: root
+ create: yes
+ marker: "# {mark} ANSIBLE MANAGED BLOCK"
+ block: |
+ # Needed for federation while not using Port 8448
+ server {
+ listen 80 default_server;
+ server_name matrix.{{inventory_hostname}};
+
+ location / {
+ proxy_pass http://matrix.{{inventory_hostname}}--synapse:8008;
+ proxy_set_header X-Forwarded-For $remote_addr;
+ client_max_body_size 2048m;
+ }
+
+ location /.well-known/matrix/ {
+ root /var/www/;
+ default_type application/json;
+ add_header Access-Control-Allow-Origin *;
+ }
+ }
+ backup: yes
+ notify: Restart matrix
+
+ - name: /home/docker/matrix.{{inventory_hostname}}/well-known/client
+ copy:
+ dest: /home/docker/matrix.{{inventory_hostname}}/well-known/client
+ mode: "0444"
+ owner: root
+ group: root
+ content: |
+ {
+ "m.homeserver": {
+ "base_url": "https://matrix.{{inventory_hostname}}"
+ }
+ }
+ backup: yes
+
+ - name: /home/docker/matrix.{{inventory_hostname}}/well-known/server
+ copy:
+ dest: /home/docker/matrix.{{inventory_hostname}}/well-known/server
+ mode: "0444"
+ owner: root
+ group: root
+ content: |
+ {
+ "m.server": "matrix-synapse.defiant.dedyn.io:443"
+ }
+ backup: yes
+
 - name: /home/docker/matrix.{{inventory_hostname}}/turnserver.conf
 blockinfile:
 path: /home/docker/matrix.{{inventory_hostname}}/turnserver.conf
@@ -140,6 +203,7 @@
 no-multicast-peers
 backup: yes
+
 - name: Element Web configuration
 copy:
 dest: /home/docker/matrix.{{inventory_hostname}}/element-web-config.json
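Review bot: The federation delegation target in the new well-known/server document is hard-coded as `matrix-synapse.defiant.dedyn.io:443` while every other host in this file is templated from `{{inventory_hostname}}`; on any other inventory host this file would delegate federation for that server to a foreign domain, and since Ansible renders the content the consistent form is `"m.server": "matrix-synapse.{{inventory_hostname}}:443"` (the REACT_APP_SERVER hunk later in this diff makes exactly that change for another hard-coded copy of the domain). In the nginx block, `proxy_set_header X-Forwarded-For $remote_addr;` overwrites the header Traefik has already set: this nginx sits behind Traefik according to the compose labels added later in the diff, so Synapse sees Traefik's address for every client instead of the real one, which affects its logs and anything that relies on the client address; `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` appends instead of overwriting. The `create: yes` and `backup: yes` values are YAML 1.1 truthy strings; `true` is the form ansible-lint prefers.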
@@ -211,6 +275,33 @@
 version: '3.6'
 services:
 matrix.{{inventory_hostname}}:
+ image: "nginx:latest"
+ restart: unless-stopped
+ volumes:
+ - ./nginx-matrix.conf:/etc/nginx/conf.d/matrix.conf:ro
+ - ./well-known:/var/www/.well-known/matrix
+ depends_on:
+ - matrix.{{inventory_hostname}}--synapse
+ networks:
+ - matrix.{{inventory_hostname}}--network
+ - traefik
+ labels:
+ - traefik.enable=true
+ # HTTPS
+ - traefik.http.routers.matrix-{{ ansible_facts['hostname'] }}.rule=Host(`matrix.{{ ansible_facts['nodename'] }}`)
+ - traefik.http.routers.matrix-{{ ansible_facts['hostname'] }}.entrypoints=https
+ - traefik.http.routers.matrix-{{ ansible_facts['hostname'] }}.tls=true
+ # Proxy to service-port
+ - traefik.http.services.matrix-{{ ansible_facts['hostname'] }}.loadbalancer.server.port=80
+ - traefik.http.routers.matrix-{{ ansible_facts['hostname'] }}.service=matrix-{{ ansible_facts['hostname'] }}
+ # cert via letsencrypt
+ - traefik.http.routers.matrix-{{ ansible_facts['hostname'] }}.tls.certresolver=letsencrypt
+ # Traefik network
+ - traefik.docker.network=traefik
+ # activate secHeaders@file and .well.known
+ - traefik.http.routers.matrix-{{ ansible_facts['hostname'] }}.middlewares=secHeaders@file
+
+ matrix.{{inventory_hostname}}--synapse:
 image: docker.io/matrixdotorg/synapse:latest
 restart: unless-stopped
 user: 3000:3000
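Review bot: The `./well-known` bind mount in the new nginx service is read-write while the sibling `./nginx-matrix.conf` mount is `:ro`; nginx only serves these files, so `- ./well-known:/var/www/.well-known/matrix:ro` keeps a compromised nginx process from rewriting the federation and client delegation documents. This hunk also renames the Synapse service to `matrix.{{inventory_hostname}}--synapse`; anything else in this file that referenced the old service name (other services' depends_on, or a host written into the generated homeserver, turn or element config) is outside the hunk, so please confirm nothing still points at `matrix.{{inventory_hostname}}`. The nginx `server_name` in the earlier hunk is built from `inventory_hostname` while the Traefik Host() rule here uses `ansible_facts['nodename']`; `default_server` masks a mismatch, but the two are presumably meant to be the same value.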
@@ -229,18 +320,18 @@
 labels:
 - traefik.enable=true
 # HTTPS
- - traefik.http.routers.matrix-{{ ansible_facts['hostname'] }}.rule=Host(`matrix.{{ ansible_facts['nodename'] }}`)
- - traefik.http.routers.matrix-{{ ansible_facts['hostname'] }}.entrypoints=https
- - traefik.http.routers.matrix-{{ ansible_facts['hostname'] }}.tls=true
+ - traefik.http.routers.matrix-{{ ansible_facts['hostname'] }}-synapse.rule=Host(`matrix-synapse.{{ ansible_facts['nodename'] }}`)
+ - traefik.http.routers.matrix-{{ ansible_facts['hostname'] }}-synapse.entrypoints=https
+ - traefik.http.routers.matrix-{{ ansible_facts['hostname'] }}-synapse.tls=true
 # Proxy to service-port
- - traefik.http.services.matrix-{{ ansible_facts['hostname'] }}.loadbalancer.server.port=8008
- - traefik.http.routers.matrix-{{ ansible_facts['hostname'] }}.service=matrix-{{ ansible_facts['hostname'] }}
+ - traefik.http.services.matrix-{{ ansible_facts['hostname'] }}-synapse.loadbalancer.server.port=8008
+ - traefik.http.routers.matrix-{{ ansible_facts['hostname'] }}-synapse.service=matrix-{{ ansible_facts['hostname'] }}-synapse
 # cert via letsencrypt
- - traefik.http.routers.matrix-{{ ansible_facts['hostname'] }}.tls.certresolver=letsencrypt
+ - traefik.http.routers.matrix-{{ ansible_facts['hostname'] }}-synapse.tls.certresolver=letsencrypt
 # Traefik network
 - traefik.docker.network=traefik
 # activate secHeaders@file and .well.known
- - traefik.http.routers.matrix-{{ ansible_facts['hostname'] }}.middlewares=secHeaders@file
+ - traefik.http.routers.matrix-{{ ansible_facts['hostname'] }}-synapse.middlewares=secHeaders@file
 matrix.{{inventory_hostname}}--db:
 image: docker.io/postgres:latest
@@ -283,7 +374,7 @@
 - matrix.{{inventory_hostname}}--network
 - traefik
 environment:
- - REACT_APP_SERVER=https://matrix.defiant.dedyn.io
+ - REACT_APP_SERVER=https://{{inventory_hostname}}
 labels:
 - traefik.enable=true
 # HTTPS
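Review bot: `REACT_APP_SERVER=https://{{inventory_hostname}}` in the second hunk drops the `matrix.` prefix that the removed hard-coded value `https://matrix.defiant.dedyn.io` carried; if `inventory_hostname` is the bare domain, as `matrix.{{inventory_hostname}}` everywhere else in this file suggests, the templated equivalent is `REACT_APP_SERVER=https://matrix.{{inventory_hostname}}`, otherwise this UI is pointed at a host for which no Synapse route exists in this diff. In the first hunk Synapse becomes reachable on two public names — directly as `matrix-synapse.*` through these labels and via nginx as `matrix.*` — and only the nginx path rewrites X-Forwarded-For, so the two paths present client addresses to Synapse differently; a comment above the labels stating which name is client-facing and which exists only for federation delegation would make that intent explicit.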
@@ -408,14 +499,7 @@
 port: '3479'
 proto: udp
- - name: Port 8448 needed by matrix federation
- community.general.ufw:
- rule: allow
- port: '8448'
- proto: tcp
-
-
-
+
 handlers:
 - name: run genpw.sh
 ansible.builtin.shell: ./genpw.sh