From 9a0222fa4742054338778037909f8fa5dc35e10f Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 20 Mar 2021 13:31:34 +0200 Subject: [PATCH] Add Sygnal support Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/683 --- CHANGELOG.md | 12 + README.md | 2 + docs/configuring-dns.md | 3 + docs/configuring-playbook-sygnal.md | 71 +++++ docs/configuring-playbook.md | 5 + docs/container-images.md | 2 + group_vars/matrix_servers | 35 +++ roles/matrix-base/defaults/main.yml | 3 + roles/matrix-nginx-proxy/defaults/main.yml | 7 + .../tasks/setup_nginx_proxy.yml | 13 + .../nginx/conf.d/matrix-sygnal.conf.j2 | 79 +++++ roles/matrix-sygnal/defaults/main.yml | 95 ++++++ roles/matrix-sygnal/tasks/init.yml | 3 + roles/matrix-sygnal/tasks/main.yml | 21 ++ roles/matrix-sygnal/tasks/setup_install.yml | 73 +++++ roles/matrix-sygnal/tasks/setup_uninstall.yml | 35 +++ roles/matrix-sygnal/tasks/validate_config.yml | 7 + roles/matrix-sygnal/templates/sygnal.yaml.j2 | 288 ++++++++++++++++++ .../systemd/matrix-sygnal.service.j2 | 42 +++ setup.yml | 1 + 20 files changed, 797 insertions(+) create mode 100644 docs/configuring-playbook-sygnal.md create mode 100644 roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-sygnal.conf.j2 create mode 100644 roles/matrix-sygnal/defaults/main.yml create mode 100644 roles/matrix-sygnal/tasks/init.yml create mode 100644 roles/matrix-sygnal/tasks/main.yml create mode 100644 roles/matrix-sygnal/tasks/setup_install.yml create mode 100644 roles/matrix-sygnal/tasks/setup_uninstall.yml create mode 100644 roles/matrix-sygnal/tasks/validate_config.yml create mode 100644 roles/matrix-sygnal/templates/sygnal.yaml.j2 create mode 100644 roles/matrix-sygnal/templates/systemd/matrix-sygnal.service.j2 diff --git a/CHANGELOG.md b/CHANGELOG.md index aeff7b0ca..36790dce8 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,15 @@ + +# 2021-03-20 + +## Sygnal push gateway support + +The playbook can now install the [Sygnal](https://github.com/matrix-org/sygnal) push gateway for you. + +This is only useful to people who develop/build their own Matrix client applications. + +Additional details are available in our [Setting up Sygnal](docs/configuring-playbook-sygnal.md) docs. + + # 2021-03-16 ## Go-NEB support diff --git a/README.md b/README.md index dde8d924a..9a2726871 100644 --- a/README.md +++ b/README.md @@ -99,6 +99,8 @@ Using this playbook, you can get the following services configured on your serve - (optional) the [Prometheus](https://prometheus.io) time-series database server, the Prometheus [node-exporter](https://prometheus.io/docs/guides/node-exporter/) host metrics exporter, and the [Grafana](https://grafana.com/) web UI - see [Enabling metrics and graphs (Prometheus, Grafana) for your Matrix server](docs/configuring-playbook-prometheus-grafana.md) for setup documentation +- (optional) the [Sygnal](https://github.com/matrix-org/sygnal) push gateway - see [Setting up the Sygnal push gateway](docs/configuring-playbook-sygnal.md) for setup documentation + Basically, this playbook aims to get you up-and-running with all the basic necessities around Matrix, without you having to do anything else. **Note**: the list above is exhaustive. It includes optional or even some advanced components that you will most likely not need. diff --git a/docs/configuring-dns.md b/docs/configuring-dns.md index a3815953b..82bef8a2d 100644 --- a/docs/configuring-dns.md +++ b/docs/configuring-dns.md @@ -35,6 +35,7 @@ If you are using Cloudflare DNS, make sure to disable the proxy and set all reco | CNAME | `jitsi` (*) | - | - | - | `matrix.` | | CNAME | `stats` (*) | - | - | - | `matrix.` | | CNAME | `goneb` (*) | - | - | - | `matrix.` | +| CNAME | `sygnal` (*) | - | - | - | `matrix.` | ## Subdomains setup @@ -51,6 +52,8 @@ The `stats.` subdomain may be necessary, because this playbook coul The `goneb.` subdomain may be necessary, because this playbook could install the [Go-NEB](https://github.com/matrix-org/go-neb) bot. The installation of Go-NEB is disabled by default, it is not a core required component. To learn how to install it, see our [configuring Go-NEB guide](configuring-playbook-bot-go-neb.md). If you do not wish to set up Go-NEB, feel free to skip the `goneb.` DNS record. +The `sygnal.` subdomain may be necessary, because this playbook could install the [Sygnal](https://github.com/matrix-org/sygnal) push gateway. The installation of Sygnal is disabled by default, it is not a core required component. To learn how to install it, see our [configuring Sygnal guide](configuring-playbook-sygnal.md). If you do not wish to set up Sygnal (you probably don't, unless you're also developing/building your own Matrix apps), feel free to skip the `sygnal.` DNS record. + ## `_matrix-identity._tcp` SRV record setup diff --git a/docs/configuring-playbook-sygnal.md b/docs/configuring-playbook-sygnal.md new file mode 100644 index 000000000..b8dc11f0d --- /dev/null +++ b/docs/configuring-playbook-sygnal.md @@ -0,0 +1,71 @@ +# Setting up Sygnal (optional) + +The playbook can install and configure the [Sygnal](https://github.com/matrix-org/sygnal) push gateway for you. + +See the project's [documentation](https://github.com/matrix-org/sygnal) to learn what it does and why it might be useful to you. + +**Note**: most people don't need to install their own gateway. As Sygnal's [Notes for application developers](https://github.com/matrix-org/sygnal/blob/master/docs/applications.md) documentation says: + +> It is not feasible to allow end-users to configure their own Sygnal instance, because the Sygnal instance needs the appropriate FCM or APNs secrets that belong to the application. + +This optional playbook component is only useful to people who develop/build their own Matrix client applications themselves. + + +## Adjusting the playbook configuration + +Add the following configuration to your `inventory/host_vars/matrix.DOMAIN/vars.yml` file (adapt to your needs): + +```yaml +matrix_sygnal_enabled: true + +# You need at least 1 app defined. +# The configuration below is incomplete. Read more below. +matrix_sygnal_apps: + com.example.myapp.ios: + type: apns + keyfile: /data/my_key.p8 + # .. more configuration .. + com.example.myapp.android: + type: gcm + api_key: your_api_key_for_gcm + # .. more configuration .. + +matrix_aux_file_definitions: + - dest: "{{ matrix_sygnal_data_path }}/my_key.p8" + content: | + some + content + here + mode: '0600' + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" +``` + +For a more complete example of available fields and values they can take, see `roles/matrix-sygnal/templates/sygnal.yaml.j2` (or the [upstream `sygnal.yaml.sample` configuration file](https://github.com/matrix-org/sygnal/blob/master/sygnal.yaml.sample)). + +Configuring [GCM/FCM](https://firebase.google.com/docs/cloud-messaging/) is easier, as it only requires that you provide some config values. + +To configure [APNS](https://developer.apple.com/notifications/) (Apple Push Notification Service), you'd need to provide one or more certificate files. +To do that, the above example configuration: + +- makes use of the `matrix-aux` role (and its `matrix_aux_file_definitions` variable) to make the playbook install files into `/matrix/sygnal/data` (the `matrix_sygnal_data_path` variable). See `roles/matrix-aux/defaults/main.yml` for usage examples. It also makes sure the files are owned by `matrix:matrix`, so that Sygnal can read them. Of course, you can also install these files manually yourself, if you'd rather not use `matrix-aux`. + +- references these files in the Sygnal configuration (`matrix_sygnal_apps`) using a path like `/data/..` (the `/matrix/sygnal/data` directory on the host system is mounted into the `/data` directory inside the container) + + +## Installing + +Don't forget to add `sygnal.` to DNS as described in [Configuring DNS](configuring-dns.md) before running the playbook. + +After configuring the playbook, run the [installation](installing.md) command again: + +``` +ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start +``` + + +## Usage + +To make use of your Sygnal installation, you'd need to build your own Matrix client application, which uses the same API keys (for [GCM/FCM](https://firebase.google.com/docs/cloud-messaging/)) and certificates (for [APNS](https://developer.apple.com/notifications/)) and is also pointed to `https://sygnal.DOMAIN` as the configured push server. + +Refer to Sygnal's [Notes for application developers](https://github.com/matrix-org/sygnal/blob/master/docs/applications.md) document. diff --git a/docs/configuring-playbook.md b/docs/configuring-playbook.md index a25f85854..721735d53 100644 --- a/docs/configuring-playbook.md +++ b/docs/configuring-playbook.md @@ -132,3 +132,8 @@ When you're done with all the configuration you'd like to do, continue with [Ins - [Setting up matrix-reminder-bot](configuring-playbook-bot-matrix-reminder-bot.md) (optional) - [Setting up Go-NEB](configuring-playbook-bot-go-neb.md) (optional) + + +### Other specialized services + +- [Setting up the Sygnal push gateway](configuring-playbook-sygnal.md) (optional) diff --git a/docs/container-images.md b/docs/container-images.md index 5bccc2d49..ee9cbd3ca 100644 --- a/docs/container-images.md +++ b/docs/container-images.md @@ -97,3 +97,5 @@ These services are not part of our default installation, but can be enabled by [ - [prom/node-exporter](https://hub.docker.com/r/prom/node-exporter/) - [Prometheus Node Exporter](https://github.com/prometheus/node_exporter/) is an addon for Prometheus that gathers standard system metrics - [grafana/grafana](https://hub.docker.com/r/grafana/grafana/) - [Grafana](https://github.com/grafana/grafana/) is a graphing tool that works well with the above two images. Our playbook also adds two dashboards for [Synapse](https://github.com/matrix-org/synapse/tree/master/contrib/grafana) and [Node Exporter](https://github.com/rfrail3/grafana-dashboards) + +- [matrixdotorg/sygnal](https://hub.docker.com/r/matrixdotorg/sygnal/) - [Sygnal](https://github.com/matrix-org/sygnal) is a reference Push Gateway for Matrix diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index c9cc6ad0e..a6c433cb1 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -1095,6 +1095,7 @@ matrix_nginx_proxy_proxy_dimension_enabled: "{{ matrix_dimension_enabled }}" matrix_nginx_proxy_proxy_bot_go_neb_enabled: "{{ matrix_bot_go_neb_enabled }}" matrix_nginx_proxy_proxy_jitsi_enabled: "{{ matrix_jitsi_enabled }}" matrix_nginx_proxy_proxy_grafana_enabled: "{{ matrix_grafana_enabled }}" +matrix_nginx_proxy_proxy_sygnal_enabled: "{{ matrix_sygnal_enabled }}" matrix_nginx_proxy_proxy_matrix_corporal_api_enabled: "{{ matrix_corporal_enabled and matrix_corporal_http_api_enabled }}" matrix_nginx_proxy_proxy_matrix_corporal_api_addr_with_container: "matrix-corporal:41081" @@ -1169,6 +1170,8 @@ matrix_ssl_domains_to_obtain_certificates_for: | + ([matrix_server_fqn_grafana] if matrix_grafana_enabled else []) + + ([matrix_server_fqn_sygnal] if matrix_sygnal_enabled else []) + + ([matrix_domain] if matrix_nginx_proxy_base_domain_serving_enabled else []) + matrix_ssl_additional_domains_to_obtain_certificates_for @@ -1341,6 +1344,12 @@ matrix_postgres_additional_databases: | 'username': matrix_etherpad_database_username, 'password': matrix_etherpad_database_password, }] if (matrix_etherpad_enabled and matrix_etherpad_database_engine == 'postgres' and matrix_etherpad_database_hostname == 'matrix-postgres') else []) + + + ([{ + 'name': matrix_sygnal_database_name, + 'username': matrix_sygnal_database_username, + 'password': matrix_sygnal_database_password, + }] if (matrix_sygnal_enabled and matrix_sygnal_database_engine == 'postgres' and matrix_sygnal_database_hostname == 'matrix-postgres') else []) }} matrix_postgres_import_roles_to_ignore: | @@ -1365,6 +1374,32 @@ matrix_postgres_import_databases_to_ignore: | +###################################################################### +# +# matrix-sygnal +# +###################################################################### + +# Most people don't need their own push-server, because they also need their own app to utilize it from. +matrix_sygnal_enabled: false + +# If someone instals Prometheus via the playbook, they most likely wish to monitor Sygnal. +matrix_sygnal_metrics_prometheus_enabled: "{{ matrix_prometheus_enabled }}" + +matrix_sygnal_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:6000' }}" + +# Postgres is the default, except if not using `matrix_postgres` (internal postgres) +matrix_sygnal_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" +matrix_sygnal_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'sygnal') | to_uuid }}" + +###################################################################### +# +# /matrix-sygnal +# +###################################################################### + + + ###################################################################### # # matrix-redis diff --git a/roles/matrix-base/defaults/main.yml b/roles/matrix-base/defaults/main.yml index 5f1cf433e..d1d3bf27e 100644 --- a/roles/matrix-base/defaults/main.yml +++ b/roles/matrix-base/defaults/main.yml @@ -27,6 +27,9 @@ matrix_server_fqn_jitsi: "jitsi.{{ matrix_domain }}" # This is where you access Grafana. matrix_server_fqn_grafana: "stats.{{ matrix_domain }}" +# This is where you access the Sygnal push gateway. +matrix_server_fqn_sygnal: "sygnal.{{ matrix_domain }}" + matrix_federation_public_port: 8448 # The architecture that your server runs. diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index c1538c75a..3770bfb1e 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -133,6 +133,10 @@ matrix_nginx_proxy_proxy_jitsi_hostname: "{{ matrix_server_fqn_jitsi }}" matrix_nginx_proxy_proxy_grafana_enabled: false matrix_nginx_proxy_proxy_grafana_hostname: "{{ matrix_server_fqn_grafana }}" +# Controls whether proxying the sygnal domain should be done. +matrix_nginx_proxy_proxy_sygnal_enabled: false +matrix_nginx_proxy_proxy_sygnal_hostname: "{{ matrix_server_fqn_sygnal }}" + # Controls whether proxying for the matrix-corporal API (`/_matrix/corporal`) should be done (on the matrix domain) matrix_nginx_proxy_proxy_matrix_corporal_api_enabled: false matrix_nginx_proxy_proxy_matrix_corporal_api_addr_with_container: "matrix-corporal:41081" @@ -250,6 +254,9 @@ matrix_nginx_proxy_proxy_jitsi_additional_server_configuration_blocks: [] # A list of strings containing additional configuration blocks to add to Grafana's server configuration (matrix-grafana.conf). matrix_nginx_proxy_proxy_grafana_additional_server_configuration_blocks: [] +# A list of strings containing additional configuration blocks to add to Sygnal's server configuration (matrix-sygnal.conf). +matrix_nginx_proxy_proxy_sygnal_additional_server_configuration_blocks: [] + # A list of strings containing additional configuration blocks to add to the base domain server configuration (matrix-base-domain.conf). matrix_nginx_proxy_proxy_domain_additional_server_configuration_blocks: [] diff --git a/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml b/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml index c7e15c95c..7534d28c6 100644 --- a/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml +++ b/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml @@ -100,6 +100,13 @@ mode: 0644 when: matrix_nginx_proxy_proxy_grafana_enabled|bool +- name: Ensure Matrix nginx-proxy configuration for sygnal domain exists + template: + src: "{{ role_path }}/templates/nginx/conf.d/matrix-sygnal.conf.j2" + dest: "{{ matrix_nginx_proxy_confd_path }}/matrix-sygnal.conf" + mode: 0644 + when: matrix_nginx_proxy_proxy_sygnal_enabled|bool + - name: Ensure Matrix nginx-proxy configuration for Matrix domain exists template: src: "{{ role_path }}/templates/nginx/conf.d/matrix-domain.conf.j2" @@ -221,6 +228,12 @@ state: absent when: "not matrix_nginx_proxy_proxy_grafana_enabled|bool" +- name: Ensure Matrix nginx-proxy configuration for sygnal domain deleted + file: + path: "{{ matrix_nginx_proxy_confd_path }}/matrix-sygnal.conf" + state: absent + when: "not matrix_nginx_proxy_proxy_sygnal_enabled|bool" + - name: Ensure Matrix nginx-proxy homepage for base domain deleted file: path: "{{ matrix_nginx_proxy_data_path }}/matrix-domain/index.html" diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-sygnal.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-sygnal.conf.j2 new file mode 100644 index 000000000..e47126578 --- /dev/null +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-sygnal.conf.j2 @@ -0,0 +1,79 @@ +#jinja2: lstrip_blocks: "True" + +{% macro render_vhost_directives() %} + gzip on; + gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif; + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + add_header X-Content-Type-Options nosniff; + add_header X-Frame-Options DENY; +{% for configuration_block in matrix_nginx_proxy_proxy_sygnal_additional_server_configuration_blocks %} + {{- configuration_block }} +{% endfor %} + + location / { + {% if matrix_nginx_proxy_enabled %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver 127.0.0.11 valid=5s; + set $backend "matrix-sygnal:6000"; + proxy_pass http://$backend; + {% else %} + {# Generic configuration for use outside of our container setup #} + proxy_pass http://127.0.0.1:6000; + {% endif %} + + proxy_set_header Host $host; + proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Forwarded-Proto $scheme; + } +{% endmacro %} + +server { + listen {{ 8080 if matrix_nginx_proxy_enabled else 80 }}; + server_name {{ matrix_nginx_proxy_proxy_sygnal_hostname }}; + + server_tokens off; + root /dev/null; + + {% if matrix_nginx_proxy_https_enabled %} + location /.well-known/acme-challenge { + {% if matrix_nginx_proxy_enabled %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver 127.0.0.11 valid=5s; + set $backend "matrix-certbot:8080"; + proxy_pass http://$backend; + {% else %} + {# Generic configuration for use outside of our container setup #} + proxy_pass http://127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}; + {% endif %} + } + + location / { + return 301 https://$http_host$request_uri; + } + {% else %} + {{ render_vhost_directives() }} + {% endif %} +} + +{% if matrix_nginx_proxy_https_enabled %} +server { + listen {{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2; + listen [::]:{{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2; + + server_name {{ matrix_nginx_proxy_proxy_sygnal_hostname }}; + + server_tokens off; + root /dev/null; + + ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_sygnal_hostname }}/fullchain.pem; + ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_sygnal_hostname }}/privkey.pem; + + ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; + {% if matrix_nginx_proxy_ssl_ciphers != '' %} + ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }}; + {% endif %} + ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; + + {{ render_vhost_directives() }} +} +{% endif %} diff --git a/roles/matrix-sygnal/defaults/main.yml b/roles/matrix-sygnal/defaults/main.yml new file mode 100644 index 000000000..50e0e26e7 --- /dev/null +++ b/roles/matrix-sygnal/defaults/main.yml @@ -0,0 +1,95 @@ +# Sygnal is a reference Push Gateway for Matrix. +# To make use of it for delivering push notificatins, you'll need to develop/build your own Matrix app. +# Learn more here: https://github.com/matrix-org/sygnal +matrix_sygnal_enabled: false + +matrix_sygnal_base_path: "{{ matrix_base_data_path }}/sygnal" +matrix_sygnal_config_path: "{{ matrix_sygnal_base_path }}/config" +matrix_sygnal_data_path: "{{ matrix_sygnal_base_path }}/data" + +matrix_sygnal_version: v0.9.0 +matrix_sygnal_docker_image: "docker.io/matrixdotorg/sygnal:{{ matrix_sygnal_version }}" +matrix_sygnal_docker_image_force_pull: "{{ matrix_sygnal_docker_image.endswith(':latest') }}" + +# List of systemd services that matrix-sygnal.service depends on. +matrix_sygnal_systemd_required_services_list: ['docker.service'] + +# List of systemd services that matrix-sygnal.service wants +matrix_sygnal_systemd_wanted_services_list: [] + +# Controls whether the matrix-sygnal container exposes its HTTP port (tcp/6000 in the container). +# +# Takes an ":" or "" value (e.g. "127.0.0.1:6000"), or empty string to not expose. +matrix_sygnal_container_http_host_bind_port: '' + +# A list of extra arguments to pass to the container +matrix_sygnal_container_extra_arguments: [] + +# Database-related configuration fields. +# +# To use SQLite, stick to these defaults. +# +# To use Postgres: +# - change the engine (`matrix_sygnal_database_engine: 'postgres'`) +# - adjust your database credentials via the `matrix_sygnal_postgres_*` variables +matrix_sygnal_database_engine: 'sqlite' + +matrix_sygnal_sqlite_database_path_local: "{{ matrix_sygnal_data_path }}/sygnal.db" +matrix_sygnal_sqlite_database_path_in_container: "/data/sygnal.db" + +matrix_sygnal_database_username: 'matrix_sygnal' +matrix_sygnal_database_password: 'some-password' +matrix_sygnal_database_hostname: 'matrix-postgres' +matrix_sygnal_database_port: 5432 +matrix_sygnal_database_name: 'matrix_sygnal' + +matrix_sygnal_database_connection_string: 'postgres://{{ matrix_sygnal_database_username }}:{{ matrix_sygnal_database_password }}@{{ matrix_sygnal_database_hostname }}:{{ matrix_sygnal_database_port }}/{{ matrix_sygnal_database_name }}' + +# A map (dictionary) of apps instances that this server works with. +# +# Example configuration: +# +# matrix_sygnal_apps: +# com.example.myapp.ios: +# type: apns +# # .. more configuration .. +# com.example.myapp.android: +# type: gcm +# api_key: your_api_key_for_gcm +# # .. more configuration .. +# +# The APNS configuration needs to reference some certificate files. +# One can put these in the `matrix_sygnal_data_path` directory (`/matrix/sygnal/data`), mounted to `/data` in the container. +# The `matrix_sygnal_apps` paths need to use the in-container path (`/data`). +# To install these files via the playbook, one can use the `matrix-aux` role. +# Examples and more details are available in `docs/configuring-playbook-sygnal.md`. +matrix_sygnal_apps: [] + +matrix_sygnal_metrics_prometheus_enabled: false + +# Default Sygnal configuration template which covers the generic use case. +# You can customize it by controlling the various variables inside it. +# +# For a more advanced customization, you can extend the default (see `matrix_sygnal_configuration_extension_yaml`) +# or completely replace this variable with your own template. +matrix_sygnal_configuration_yaml: "{{ lookup('template', 'templates/sygnal.yaml.j2') }}" + +matrix_sygnal_configuration_extension_yaml: | + # Your custom YAML configuration for Sygnal goes here. + # This configuration extends the default starting configuration (`matrix_sygnal_configuration_yaml`). + # + # You can override individual variables from the default configuration, or introduce new ones. + # + # If you need something more special, you can take full control by + # completely redefining `matrix_sygnal_configuration_yaml`. + # + # Example configuration extension follows: + # metrics: + # opentracing: + # enabled: true + +matrix_sygnal_configuration_extension: "{{ matrix_sygnal_configuration_extension_yaml|from_yaml if matrix_sygnal_configuration_extension_yaml|from_yaml is mapping else {} }}" + +# Holds the final sygnal configuration (a combination of the default and its extension). +# You most likely don't need to touch this variable. Instead, see `matrix_sygnal_configuration_yaml`. +matrix_sygnal_configuration: "{{ matrix_sygnal_configuration_yaml|from_yaml|combine(matrix_sygnal_configuration_extension, recursive=True) }}" diff --git a/roles/matrix-sygnal/tasks/init.yml b/roles/matrix-sygnal/tasks/init.yml new file mode 100644 index 000000000..559a3681d --- /dev/null +++ b/roles/matrix-sygnal/tasks/init.yml @@ -0,0 +1,3 @@ +- set_fact: + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-sygnal.service'] }}" + when: matrix_sygnal_enabled|bool diff --git a/roles/matrix-sygnal/tasks/main.yml b/roles/matrix-sygnal/tasks/main.yml new file mode 100644 index 000000000..c00862a4b --- /dev/null +++ b/roles/matrix-sygnal/tasks/main.yml @@ -0,0 +1,21 @@ +- import_tasks: "{{ role_path }}/tasks/init.yml" + tags: + - always + +- import_tasks: "{{ role_path }}/tasks/validate_config.yml" + when: run_setup|bool + tags: + - setup-all + - setup-sygnal + +- import_tasks: "{{ role_path }}/tasks/setup_install.yml" + when: run_setup|bool and matrix_sygnal_enabled|bool + tags: + - setup-all + - setup-sygnal + +- import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" + when: run_setup|bool and not matrix_sygnal_enabled|bool + tags: + - setup-all + - setup-sygnal diff --git a/roles/matrix-sygnal/tasks/setup_install.yml b/roles/matrix-sygnal/tasks/setup_install.yml new file mode 100644 index 000000000..afac61c48 --- /dev/null +++ b/roles/matrix-sygnal/tasks/setup_install.yml @@ -0,0 +1,73 @@ +--- + +- set_fact: + matrix_sygnal_requires_restart: false + +- block: + - name: Check if an SQLite database already exists + stat: + path: "{{ matrix_sygnal_sqlite_database_path_local }}" + register: matrix_sygnal_sqlite_database_path_local_stat_result + + - block: + - set_fact: + matrix_postgres_db_migration_request: + src: "{{ matrix_sygnal_sqlite_database_path_local }}" + dst: "{{ matrix_sygnal_database_connection_string }}" + caller: "{{ role_path|basename }}" + engine_variable_name: 'matrix_sygnal_database_engine' + engine_old: 'sqlite' + systemd_services_to_stop: ['matrix-sygnal.service'] + pgloader_options: ['--with "quote identifiers"'] + + - import_tasks: "{{ role_path }}/../matrix-postgres/tasks/util/migrate_db_to_postgres.yml" + + - set_fact: + matrix_sygnal_requires_restart: true + when: "matrix_sygnal_sqlite_database_path_local_stat_result.stat.exists|bool" + when: "matrix_sygnal_database_engine == 'postgres'" + +- name: Ensure Sygnal image is pulled + docker_image: + name: "{{ matrix_sygnal_docker_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_sygnal_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_sygnal_docker_image_force_pull }}" + +- name: Ensure Sygnal paths exists + file: + path: "{{ item }}" + state: directory + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: + - "{{ matrix_sygnal_base_path }}" + - "{{ matrix_sygnal_config_path }}" + - "{{ matrix_sygnal_data_path }}" + +- name: Ensure Sygnal config installed + copy: + content: "{{ matrix_sygnal_configuration|to_nice_yaml }}" + dest: "{{ matrix_sygnal_config_path }}/sygnal.yaml" + mode: 0640 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + +- name: Ensure matrix-sygnal.service installed + template: + src: "{{ role_path }}/templates/systemd/matrix-sygnal.service.j2" + dest: "{{ matrix_systemd_path }}/matrix-sygnal.service" + mode: 0644 + register: matrix_sygnal_systemd_service_result + +- name: Ensure systemd reloaded after matrix-sygnal.service installation + service: + daemon_reload: yes + when: "matrix_sygnal_systemd_service_result.changed|bool" + +- name: Ensure matrix-sygnal.service restarted, if necessary + service: + name: "matrix-sygnal.service" + state: restarted + when: "matrix_sygnal_requires_restart|bool" diff --git a/roles/matrix-sygnal/tasks/setup_uninstall.yml b/roles/matrix-sygnal/tasks/setup_uninstall.yml new file mode 100644 index 000000000..dc50078ca --- /dev/null +++ b/roles/matrix-sygnal/tasks/setup_uninstall.yml @@ -0,0 +1,35 @@ +--- + +- name: Check existence of matrix-sygnal service + stat: + path: "{{ matrix_systemd_path }}/matrix-sygnal.service" + register: matrix_sygnal_service_stat + +- name: Ensure matrix-sygnal is stopped + service: + name: matrix-sygnal + state: stopped + daemon_reload: yes + register: stopping_result + when: "matrix_sygnal_service_stat.stat.exists|bool" + +- name: Ensure matrix-sygnal.service doesn't exist + file: + path: "{{ matrix_systemd_path }}/matrix-sygnal.service" + state: absent + when: "matrix_sygnal_service_stat.stat.exists|bool" + +- name: Ensure systemd reloaded after matrix-sygnal.service removal + service: + daemon_reload: yes + when: "matrix_sygnal_service_stat.stat.exists|bool" + +- name: Ensure Sygnal base directory doesn't exist + file: + path: "{{ matrix_sygnal_base_path }}" + state: absent + +- name: Ensure Sygnal Docker image doesn't exist + docker_image: + name: "{{ matrix_sygnal_docker_image }}" + state: absent diff --git a/roles/matrix-sygnal/tasks/validate_config.yml b/roles/matrix-sygnal/tasks/validate_config.yml new file mode 100644 index 000000000..c503e47bf --- /dev/null +++ b/roles/matrix-sygnal/tasks/validate_config.yml @@ -0,0 +1,7 @@ +- name: Fail if no Sygnal apps defined + fail: + msg: >- + Enabling Sygnal requires that you specify at least one app in `matrix_sygnal_apps` + with_items: + - "matrix_sygnal_access_token" + when: "matrix_sygnal_enabled and matrix_sygnal_apps|length == 0" diff --git a/roles/matrix-sygnal/templates/sygnal.yaml.j2 b/roles/matrix-sygnal/templates/sygnal.yaml.j2 new file mode 100644 index 000000000..bb8c521d9 --- /dev/null +++ b/roles/matrix-sygnal/templates/sygnal.yaml.j2 @@ -0,0 +1,288 @@ +## +# This is a configuration for Sygnal, the reference Push Gateway for Matrix +# See: matrix.org +## + +# The 'database' setting defines the database that sygnal uses to store all of +# its data. +# +# 'name' gives the database engine to use: either 'sqlite3' (for SQLite) or +# 'psycopg2' (for PostgreSQL). +# +# 'args' gives options which are passed through to the database engine, +# except for options starting 'cp_', which are used to configure the Twisted +# connection pool. For a reference to valid arguments, see: +# * for sqlite: https://docs.python.org/3/library/sqlite3.html#sqlite3.connect +# * for postgres: https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-PARAMKEYWORDS +# * for the connection pool: https://twistedmatrix.com/documents/current/api/twisted.enterprise.adbapi.ConnectionPool.html#__init__ +# +# +# Example SQLite configuration: +# +#database: +# name: sqlite3 +# args: +# dbfile: /path/to/database.db +# +# +# Example Postgres configuration: +# +#database: +# name: psycopg2 +# args: +# host: localhost +# database: sygnal +# user: sygnal +# password: pass +# cp_min: 1 +# cp_max: 5 +# +{% if matrix_sygnal_database_engine == 'sqlite' %} +database: + name: sqlite3 + args: + dbfile: {{ matrix_sygnal_sqlite_database_path_in_container|to_json }} +{% else %} +database: + name: psycopg2 + args: + host: {{ matrix_sygnal_database_hostname|to_json }} + database: {{ matrix_sygnal_database_name|to_json }} + user: {{ matrix_sygnal_database_username|to_json }} + password: {{ matrix_sygnal_database_password|to_json }} + cp_min: 1 + cp_max: 5 +{% endif %} + +## Logging # +# +log: + # Specify a Python logging 'dictConfig', as described at: + # https://docs.python.org/3.7/library/logging.config.html#logging.config.dictConfig + # + setup: + version: 1 + formatters: + normal: + format: "%(asctime)s [%(process)d] %(levelname)-5s %(name)s %(message)s" + handlers: + # This handler prints to Standard Error + # + stderr: + class: "logging.StreamHandler" + formatter: "normal" + stream: "ext://sys.stderr" + + # This handler prints to Standard Output. + # + stdout: + class: "logging.StreamHandler" + formatter: "normal" + stream: "ext://sys.stdout" + + # This handler demonstrates logging to a text file on the filesystem. + # You can use logrotate(8) to perform log rotation. + # + #file: + # class: "logging.handlers.WatchedFileHandler" + # formatter: "normal" + # filename: "./sygnal.log" + loggers: + # sygnal.access contains the access logging lines. + # Comment out this section if you don't want to give access logging + # any special treatment. + # + sygnal.access: + propagate: false + handlers: ["stdout"] + level: "INFO" + + # sygnal contains log lines from Sygnal itself. + # You can comment out this section to fall back to the root logger. + # + sygnal: + propagate: false + handlers: ["stderr"] + + root: + # Specify the handler(s) to send log messages to. + handlers: ["stderr"] + level: "INFO" + + disable_existing_loggers: false + + + access: + # Specify whether or not to trust the IP address in the `X-Forwarded-For` + # header. In general, you want to enable this if and only if you are using a + # reverse proxy which is configured to emit it. + # + x_forwarded_for: true + +## HTTP Server (Matrix Push Gateway API) # +# +http: + # Specify a list of interface addresses to bind to. + # + # This example listens on the IPv4 loopback device: + #bind_addresses: ['127.0.0.1'] + # This example listens on all IPv4 interfaces: + #bind_addresses: ['0.0.0.0'] + # This example listens on all IPv4 and IPv6 interfaces: + #bind_addresses: ['0.0.0.0', '::'] + bind_addresses: ['::'] + + # Specify the port number to listen on. + # + port: 6000 + +## Proxying for outgoing connections # +# +# Specify the URL of a proxy to use for outgoing traffic +# (e.g. to Apple & Google) if desired. +# Currently only HTTP proxies with CONNECT capability are supported. +# +# If you do not specify a value, the `HTTPS_PROXY` environment variable will +# be used if present. Otherwise, no proxy will be used. +# +# Default is unspecified. +# +#proxy: 'http://user:secret@prox:8080' + +## Metrics # +# +metrics: + ## Prometheus # + # + prometheus: + # Specify whether or not to enable Prometheus. + # + enabled: false + + # Specify an address for the Prometheus HTTP Server to listen on. + # + address: '0.0.0.0' + + # Specify a port for the Prometheus HTTP Server to listen on. + # + port: 8000 + + ## OpenTracing # + # + opentracing: + # Specify whether or not to enable OpenTracing. + # + enabled: false + + # Specify an implementation of OpenTracing to use. Currently only 'jaeger' + # is supported. + # + implementation: jaeger + + # Specify the service name to be reported to the tracer. + # + service_name: sygnal + + # Specify configuration values to pass to jaeger_client. + # + jaeger: + sampler: + type: 'const' + param: 1 +# local_agent: +# reporting_host: '127.0.0.1' +# reporting_port: + logging: true + + ## Sentry # + # + sentry: + # Specify whether or not to enable Sentry. + # + enabled: false + + # Specify your Sentry DSN if you enable Sentry + # + #dsn: "https://@sentry.example.org/" + +## Pushkins/Apps # +# +# Add a section for every push application here. +# Specify the pushkey for the application and also the type. +# For the type, you may specify a fully-qualified Python classname if desired. +# +#apps: + # This is an example APNs push configuration + # + #com.example.myapp.ios: + # type: apns + # + # # Authentication + # # + # # Two methods of authentication to APNs are currently supported. + # # + # # You can authenticate using a key: + # keyfile: my_key.p8 + # key_id: MY_KEY_ID + # team_id: MY_TEAM_ID + # topic: MY_TOPIC + # + # # Or, a certificate can be used instead: + # certfile: com.example.myApp_prod_APNS.pem + # + # # This is the maximum number of in-flight requests *for this pushkin* + # # before additional notifications will be failed. + # # (This is a robustness measure to prevent one pushkin stacking up with + # # queued requests and saturating the inbound connection queue of a load + # # balancer or reverse proxy). + # # Defaults to 512 if unset. + # # + # #inflight_request_limit: 512 + # + # # Specifies whether to use the production or sandbox APNs server. Note that + # # sandbox tokens should only be used with the sandbox server and vice versa. + # # + # # Valid options are: + # # * production + # # * sandbox + # # + # # The default is 'production'. Uncomment to use the sandbox instance. + # #platform: sandbox + + # This is an example GCM/FCM push configuration. + # + #com.example.myapp.android: + # type: gcm + # api_key: your_api_key_for_gcm + # + # # This is the maximum number of connections to GCM servers at any one time + # # the default is 20. + # #max_connections: 20 + # + # # This is the maximum number of in-flight requests *for this pushkin* + # # before additional notifications will be failed. + # # (This is a robustness measure to prevent one pushkin stacking up with + # # queued requests and saturating the inbound connection queue of a load + # # balancer or reverse proxy). + # # Defaults to 512 if unset. + # # + # #inflight_request_limit: 512 + # + # # This allows you to specify additional options to send to Firebase. + # # + # # Of particular interest, admins who wish to support iOS apps using Firebase + # # probably wish to set content_available, and may need to set mutable_content. + # # (content_available allows your iOS app to be woken up by data messages, + # # and mutable_content allows your notification to be modified by a + # # Notification Service app extension). + # # + # # See https://firebase.google.com/docs/cloud-messaging/http-server-ref + # # for the exhaustive list of valid options. + # # + # # Do not specify `data`, `priority`, `to` or `registration_ids` as they may + # # be overwritten or lead to an invalid request. + # # + # #fcm_options: + # # content_available: true + # # mutable_content: true +apps: {{ matrix_sygnal_apps|to_json }} diff --git a/roles/matrix-sygnal/templates/systemd/matrix-sygnal.service.j2 b/roles/matrix-sygnal/templates/systemd/matrix-sygnal.service.j2 new file mode 100644 index 000000000..019ab40c0 --- /dev/null +++ b/roles/matrix-sygnal/templates/systemd/matrix-sygnal.service.j2 @@ -0,0 +1,42 @@ +#jinja2: lstrip_blocks: "True" +[Unit] +Description=Matrix Sygnal +{% for service in matrix_sygnal_systemd_required_services_list %} +Requires={{ service }} +After={{ service }} +{% endfor %} +{% for service in matrix_sygnal_systemd_wanted_services_list %} +Wants={{ service }} +{% endfor %} +DefaultDependencies=no + +[Service] +Type=simple +Environment="HOME={{ matrix_systemd_unit_home_path }}" +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-sygnal 2>/dev/null' +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-sygnal 2>/dev/null' + +ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-sygnal \ + --log-driver=none \ + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + --cap-drop=ALL \ + --env=SYGNAL_CONF=/config/sygnal.yaml \ + --network={{ matrix_docker_network }} \ + {% if matrix_sygnal_container_http_host_bind_port %} + -p {{ matrix_sygnal_container_http_host_bind_port }}:6000 \ + {% endif %} + --mount type=bind,src={{ matrix_sygnal_config_path }},dst=/config \ + --mount type=bind,src={{ matrix_sygnal_data_path }},dst=/data \ + {% for arg in matrix_sygnal_container_extra_arguments %} + {{ arg }} \ + {% endfor %} + {{ matrix_sygnal_docker_image }} + +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-sygnal 2>/dev/null' +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-sygnal 2>/dev/null' +Restart=always +RestartSec=30 +SyslogIdentifier=matrix-sygnal + +[Install] +WantedBy=multi-user.target diff --git a/setup.yml b/setup.yml index c87354be6..c4a203ccc 100755 --- a/setup.yml +++ b/setup.yml @@ -46,6 +46,7 @@ - matrix-dimension - matrix-etherpad - matrix-email2matrix + - matrix-sygnal - matrix-nginx-proxy - matrix-coturn - matrix-aux