basic installation

matrix.yml

@@ -11,8 +11,16 @@
         state: directory
         mode: '0550'
 
+    - name: Create /home/docker/matrix.{{inventory_hostname}}/data dir
+      ansible.builtin.file:
+        path: /home/docker/matrix.{{inventory_hostname}}/data
+        owner: 3000
+        group: 3000
+        state: directory
+        mode: '0750'
+
     - name: Gen initial passwords if not exists
-      ansible.builtin.shell: docker run --rm -v ./data:/data -e SYNAPSE_SERVER_NAME=matrix.{{inventory_hostname}} -e SYNAPSE_HTTP_PORT=8008 -e SYNAPSE_REPORT_STATS=no  matrixdotorg/synapse:latest generate
+      ansible.builtin.shell: docker run --rm -v ./data:/data -e SYNAPSE_SERVER_NAME=matrix.{{inventory_hostname}} -e SYNAPSE_HTTP_PORT=8008 -e SYNAPSE_REPORT_STATS=no -e UID=3000 -e GUID=3000 matrixdotorg/synapse:latest generate
       args:
         chdir: /home/docker/matrix.{{inventory_hostname}}
         creates: /home/docker/matrix.{{inventory_hostname}}/data/homeserver.yaml
@@ -26,7 +34,7 @@
         group: docker
         marker: "# {mark} ANSIBLE MANAGED BLOCK"
         block: |
-          public_baseurl: https://matrix.{{inventory_hostname}}/
+          public_baseurl: https://matrix-synapse.{{inventory_hostname}}/
           enable_registration: false
           max_upload_size: 2048M
           retention:
@@ -119,6 +127,61 @@
         chdir: /home/docker/matrix.{{inventory_hostname}}
         creates: /home/docker/matrix.{{inventory_hostname}}/env
 
+    - name: /home/docker/matrix.{{inventory_hostname}}/nginx-matrix.conf
+      blockinfile:
+        path: /home/docker/matrix.{{inventory_hostname}}/nginx-matrix.conf
+        mode: "0444"
+        owner: root
+        group: root
+        create: yes
+        marker: "# {mark} ANSIBLE MANAGED BLOCK"
+        block: |
+          # Needed for federation while not using Port 8448
+          server {
+            listen         80 default_server;
+            server_name    matrix.{{inventory_hostname}};
+          
+            location / {
+              proxy_pass http://matrix.{{inventory_hostname}}--synapse:8008;
+              proxy_set_header X-Forwarded-For $remote_addr;
+              client_max_body_size 2048m;
+            }
+
+            location /.well-known/matrix/ {
+              root /var/www/;
+              default_type application/json;
+              add_header Access-Control-Allow-Origin  *;
+            }
+          }
+        backup: yes
+      notify: Restart matrix  
+
+    - name: /home/docker/matrix.{{inventory_hostname}}/well-known/client
+      copy:
+        dest: /home/docker/matrix.{{inventory_hostname}}/well-known/client
+        mode: "0444"
+        owner: root
+        group: root
+        content: |
+          {
+            "m.homeserver": {
+              "base_url": "https://matrix.{{inventory_hostname}}"
+             }
+          }
+        backup: yes
+
+    - name: /home/docker/matrix.{{inventory_hostname}}/well-known/server
+      copy:
+        dest: /home/docker/matrix.{{inventory_hostname}}/well-known/server
+        mode: "0444"
+        owner: root
+        group: root
+        content: |
+          {
+            "m.server": "matrix-synapse.defiant.dedyn.io:443"
+          }
+        backup: yes
+
     - name: /home/docker/matrix.{{inventory_hostname}}/turnserver.conf
       blockinfile:
         path: /home/docker/matrix.{{inventory_hostname}}/turnserver.conf
@@ -140,6 +203,7 @@
           no-multicast-peers
         backup: yes
 
+
     - name: Element Web configuration
       copy: 
         dest: /home/docker/matrix.{{inventory_hostname}}/element-web-config.json
@@ -211,6 +275,33 @@
           version: '3.6'
           services:
             matrix.{{inventory_hostname}}:
+              image: "nginx:latest"
+              restart: unless-stopped
+              volumes:
+                - ./nginx-matrix.conf:/etc/nginx/conf.d/matrix.conf:ro
+                - ./well-known:/var/www/.well-known/matrix
+              depends_on:
+                - matrix.{{inventory_hostname}}--synapse
+              networks:
+                - matrix.{{inventory_hostname}}--network
+                - traefik
+              labels:
+                - traefik.enable=true
+                # HTTPS
+                - traefik.http.routers.matrix-{{ ansible_facts['hostname'] }}.rule=Host(`matrix.{{ ansible_facts['nodename'] }}`)
+                - traefik.http.routers.matrix-{{ ansible_facts['hostname'] }}.entrypoints=https
+                - traefik.http.routers.matrix-{{ ansible_facts['hostname'] }}.tls=true
+                # Proxy to service-port
+                - traefik.http.services.matrix-{{ ansible_facts['hostname'] }}.loadbalancer.server.port=80
+                - traefik.http.routers.matrix-{{ ansible_facts['hostname'] }}.service=matrix-{{ ansible_facts['hostname'] }}
+                # cert via letsencrypt
+                - traefik.http.routers.matrix-{{ ansible_facts['hostname'] }}.tls.certresolver=letsencrypt
+                # Traefik network
+                - traefik.docker.network=traefik
+                # activate secHeaders@file and .well.known
+                - traefik.http.routers.matrix-{{ ansible_facts['hostname'] }}.middlewares=secHeaders@file
+
+            matrix.{{inventory_hostname}}--synapse:
               image: docker.io/matrixdotorg/synapse:latest
               restart: unless-stopped
               user: 3000:3000
@@ -229,18 +320,18 @@
               labels:
                 - traefik.enable=true
                 # HTTPS
-                - traefik.http.routers.matrix-{{ ansible_facts['hostname'] }}.rule=Host(`matrix.{{ ansible_facts['nodename'] }}`)
+                - traefik.http.routers.matrix-{{ ansible_facts['hostname'] }}-synapse.rule=Host(`matrix-synapse.{{ ansible_facts['nodename'] }}`)
-                - traefik.http.routers.matrix-{{ ansible_facts['hostname'] }}.entrypoints=https
+                - traefik.http.routers.matrix-{{ ansible_facts['hostname'] }}-synapse.entrypoints=https
-                - traefik.http.routers.matrix-{{ ansible_facts['hostname'] }}.tls=true
+                - traefik.http.routers.matrix-{{ ansible_facts['hostname'] }}-synapse.tls=true
                 # Proxy to service-port
-                - traefik.http.services.matrix-{{ ansible_facts['hostname'] }}.loadbalancer.server.port=8008
+                - traefik.http.services.matrix-{{ ansible_facts['hostname'] }}-synapse.loadbalancer.server.port=8008
-                - traefik.http.routers.matrix-{{ ansible_facts['hostname'] }}.service=matrix-{{ ansible_facts['hostname'] }}
+                - traefik.http.routers.matrix-{{ ansible_facts['hostname'] }}-synapse.service=matrix-{{ ansible_facts['hostname'] }}-synapse
                 # cert via letsencrypt
-                - traefik.http.routers.matrix-{{ ansible_facts['hostname'] }}.tls.certresolver=letsencrypt
+                - traefik.http.routers.matrix-{{ ansible_facts['hostname'] }}-synapse.tls.certresolver=letsencrypt
                 # Traefik network
                 - traefik.docker.network=traefik
                 # activate secHeaders@file and .well.known
-                - traefik.http.routers.matrix-{{ ansible_facts['hostname'] }}.middlewares=secHeaders@file
+                - traefik.http.routers.matrix-{{ ansible_facts['hostname'] }}-synapse.middlewares=secHeaders@file
           
             matrix.{{inventory_hostname}}--db:
               image: docker.io/postgres:latest
@@ -283,7 +374,7 @@
                 - matrix.{{inventory_hostname}}--network
                 - traefik
               environment:
-                - REACT_APP_SERVER=https://matrix.defiant.dedyn.io
+                - REACT_APP_SERVER=https://{{inventory_hostname}}
               labels:
                 - traefik.enable=true
                 # HTTPS
@@ -408,14 +499,7 @@
         port: '3479'
         proto: udp
 
-    - name: Port 8448 needed by matrix federation
+  
-      community.general.ufw:
-        rule: allow
-        port: '8448'
-        proto: tcp
-
-
-
   handlers:
     - name: run genpw.sh
       ansible.builtin.shell: ./genpw.sh