Add initial role for Dendrite as alternative Matrix server

AtomHare · Jan 7, 2022 · 07af056 · 07af056
1 parent 4e01082
commit 07af056
Show file tree

Hide file tree

Showing 25 changed files with 3,893 additions and 0 deletions.
diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers
@@ -1508,6 +1508,48 @@ matrix_postgres_additional_databases: |
       'password': matrix_synapse_database_password,
     }] if (matrix_synapse_enabled and matrix_synapse_database_database != matrix_postgres_db_name and matrix_synapse_database_host == 'matrix-postgres') else [])
     +
+    ([{
+      'name': matrix_dendrite_naffka_database,
+      'username': matrix_dendrite_database_user,
+      'password': matrix_dendrite_database_password,
+    },{
+      'name': matrix_dendrite_appservice_database,
+      'username': matrix_dendrite_database_user,
+      'password': matrix_dendrite_database_password,
+    },{
+      'name': matrix_dendrite_federationsender_database,
+      'username': matrix_dendrite_database_user,
+      'password': matrix_dendrite_database_password,
+    },{
+      'name': matrix_dendrite_keyserver_database,
+      'username': matrix_dendrite_database_user,
+      'password': matrix_dendrite_database_password,
+    },{
+      'name': matrix_dendrite_mediaapi_database,
+      'username': matrix_dendrite_database_user,
+      'password': matrix_dendrite_database_password,
+    },{
+      'name': matrix_dendrite_room_database,
+      'username': matrix_dendrite_database_user,
+      'password': matrix_dendrite_database_password,
+    },{
+      'name': matrix_dendrite_singingkeyserver_database,
+      'username': matrix_dendrite_database_user,
+      'password': matrix_dendrite_database_password,
+    },{
+      'name': matrix_dendrite_syncapi_database,
+      'username': matrix_dendrite_database_user,
+      'password': matrix_dendrite_database_password,
+    },{
+      'name': matrix_dendrite_account_database,
+      'username': matrix_dendrite_database_user,
+      'password': matrix_dendrite_database_password,
+    },{
+      'name': matrix_dendrite_device_database,
+      'username': matrix_dendrite_database_user,
+      'password': matrix_dendrite_database_password,
+    }] if (matrix_dendrite_enabled and matrix_dendrite_database_hostname == 'matrix-postgres') else [])
+    +
     ([{
       'name': matrix_ma1sd_database_name,
       'username': matrix_ma1sd_database_username,
@@ -2125,3 +2167,59 @@ matrix_postgres_backup_databases: |
 # /matrix-postgres-backup
 #
 ######################################################################
+
+######################################################################
+#
+# matrix-dendrite
+#
+######################################################################
+
+# Normally, matrix-nginx-proxy is enabled and nginx can reach Dendrite over the container network.
+# If matrix-nginx-proxy is not enabled, or you otherwise have a need for it,
+# you can expose Dendrite's ports to the host.
+#
+# For exposing the Matrix Client API's port (plain HTTP) to the local host.
+matrix_dendrite_container_client_api_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:8008' }}"
+#
+# For exposing the Matrix Federation API's TLS port (HTTPS) to the internet on all network interfaces.
+matrix_dendrite_container_federation_api_tls_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else matrix_federation_public_port }}"
+
+matrix_dendrite_database_password: "{{ matrix_dendrite_macaroon_secret_key | password_hash('sha512', 'dendrite.db') | to_uuid }}"
+
+# Even if TURN doesn't support TLS (it does by default),
+# it doesn't hurt to try a secure connection anyway.
+matrix_dendrite_turn_uris: |
+  {{
+    [
+      'turns:' + matrix_server_fqn_matrix + '?transport=udp',
+      'turns:' + matrix_server_fqn_matrix + '?transport=tcp',
+      'turn:' + matrix_server_fqn_matrix + '?transport=udp',
+      'turn:' + matrix_server_fqn_matrix + '?transport=tcp',
+    ]
+    if matrix_coturn_enabled
+    else []
+  }}
+
+matrix_dendrite_turn_shared_secret: "{{ matrix_coturn_turn_static_auth_secret if matrix_coturn_enabled else '' }}"
+
+matrix_dendrite_disable_tls_validation: "{{ true if matrix_ssl_retrieval_method == 'self-signed' else false }}"
+
+matrix_dendrite_systemd_required_services_list: |
+  {{
+    (['docker.service'])
+    +
+    (['matrix-postgres.service'] if matrix_postgres_enabled else [])
+    +
+    (['matrix-goofys'] if matrix_s3_media_store_enabled else [])
+  }}
+
+matrix_dendrite_systemd_wanted_services_list: |
+  {{
+    (['matrix-coturn.service'] if matrix_coturn_enabled else [])
+  }}
+
+######################################################################
+#
+# /matrix-dendrite
+#
+######################################################################
diff --git a/roles/matrix-dendrite/defaults/main.yml b/roles/matrix-dendrite/defaults/main.yml
@@ -0,0 +1,158 @@
+# Dendrite is a second-generation Matrix homeserver currently in Beta
+# See: https://github.com/matrix-org/dendrite
+
+matrix_dendrite_enabled: false
+
+matrix_dendrite_docker_image: "{{ matrix_dendrite_docker_image_name_prefix }}matrixdotorg/dendrite-monolith:{{ matrix_dendrite_docker_image_tag }}"
+matrix_dendrite_docker_image_name_prefix: "docker.io/"
+matrix_dendrite_docker_image_tag: "v0.3.6"
+matrix_dendrite_docker_image_force_pull: "{{ matrix_dendrite_docker_image.endswith(':latest') }}"
+
+matrix_dendrite_base_path: "{{ matrix_base_data_path }}/dendrite"
+matrix_dendrite_config_dir_path: "{{ matrix_dendrite_base_path }}/config"
+matrix_dendrite_storage_path: "{{ matrix_dendrite_base_path }}/storage"
+matrix_dendrite_media_store_path: "{{ matrix_dendrite_storage_path }}/media-store"
+matrix_dendrite_ext_path: "{{ matrix_dendrite_base_path }}/ext"
+
+# Controls whether the matrix-dendrite container exposes the Client/Server API port (tcp/8008 in the container).
+#
+# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:8008"), or empty string to not expose.
+matrix_dendrite_container_client_api_host_bind_port: ""
+
+# Controls whether the matrix-dendrite container exposes the tls (encrypted) Server/Server (Federation) API port (tcp/8448 in the container).
+#
+# Takes effect only if federation is enabled (matrix_dendrite_federation_enabled)
+# and TLS support is enabled (matrix_dendrite_tls_federation_listener_enabled).
+#
+# Takes an "<ip>:<port>" or "<port>" value (e.g. "8448"), or empty string to not expose.
+matrix_dendrite_container_federation_api_tls_host_bind_port: ""
+
+# A list of extra arguments to pass to the container
+matrix_dendrite_container_extra_arguments: []
+
+# List of systemd services that matrix-dendrite.service depends on
+matrix_dendrite_systemd_required_services_list: ["docker.service"]
+
+# List of systemd services that matrix-dendrite.service wants
+matrix_dendrite_systemd_wanted_services_list: []
+
+# Specifies which template files to use when configuring Dendrite.
+# If you'd like to have your own different configuration, feel free to copy and paste
+# the original files into your inventory (e.g. in `inventory/host_vars/<host>/`)
+# and then change the specific host's `vars.yaml` file like this:
+# matrix_dendrite_template_dendrite_config: "{{ playbook_dir }}/inventory/host_vars/<host>/dendrite.yaml.j2"
+matrix_dendrite_template_dendrite_config: "{{ role_path }}/templates/dendrite/dendrite.yaml.j2"
+
+matrix_dendrite_macaroon_secret_key: ""
+matrix_dendrite_registration_shared_secret: "{{ matrix_dendrite_macaroon_secret_key }}"
+matrix_dendrite_allow_guest_access: false
+matrix_dendrite_form_secret: "{{ matrix_dendrite_macaroon_secret_key }}"
+
+matrix_dendrite_max_file_size_bytes: 10485760
+
+# The tmpfs at /tmp needs to be large enough to handle multiple concurrent file uploads.
+matrix_dendrite_tmp_directory_size_mb: 500
+
+# Log levels
+matrix_dendrite_log_level: "warning"
+matrix_dendrite_log_path: "/var/log/dendrite"
+
+# Rate limits
+matrix_dendrite_rate_limiting_enabled: true
+matrix_dendrite_rate_limiting_threshold: 5
+matrix_dendrite_rate_limiting_cooloff_ms: 500
+
+# Controls whether people with access to the homeserver can register by themselves.
+matrix_dendrite_registration_disabled: false
+
+# reCAPTCHA API for validating registration attempts
+matrix_dendrite_enable_registration_captcha: false
+matrix_dendrite_recaptcha_public_key: ""
+matrix_dendrite_recaptcha_private_key: ""
+
+# A list of additional "volumes" to mount in the container.
+# This list gets populated dynamically based on Dendrite extensions that have been enabled.
+# Contains definition objects like this: `{"src": "/outside", "dst": "/inside", "options": "rw|ro|slave|.."}
+#
+# Note: internally, this uses the `-v` flag for mounting the specified volumes.
+# It's better (safer) to use the `--mount` flag for mounting volumes.
+# To use `--mount`, specify it in `matrix_dendrite_container_extra_arguments`.
+# Example: `matrix_dendrite_container_extra_arguments: ['--mount type=bind,src=/outside,dst=/inside,ro']
+matrix_dendrite_container_additional_volumes: []
+
+# A list of appservice config files (in-container filesystem paths).
+# This list gets populated dynamically based on Dendrite extensions that have been enabled.
+# You may wish to use this together with `matrix_dendrite_container_additional_volumes` or `matrix_dendrite_container_extra_arguments`.
+matrix_dendrite_app_service_config_files: []
+
+# Enable exposure of metrics
+matrix_dendrite_metrics_enabled: false
+matrix_dendrite_metrics_username: "metrics"
+matrix_dendrite_metrics_password: "metrics"
+
+# Postgres database information
+matrix_dendrite_database_str: "postgresql://{{ matrix_dendrite_database_user }}:{{ matrix_dendrite_database_password }}@{{ matrix_dendrite_database_hostname }}"
+matrix_dendrite_database_hostname: "matrix-postgres"
+matrix_dendrite_database_user: "dendrite"
+matrix_dendrite_database_password: "itsasecret"
+matrix_dendrite_naffka_database: "dendrite_naffka"
+matrix_dendrite_appservice_database: "dendrite_appservice"
+matrix_dendrite_federationsender_database: "dendrite_federationsender"
+matrix_dendrite_keyserver_database: "dendrite_keyserver"
+matrix_dendrite_mediaapi_database: "dendrite_mediaapi"
+matrix_dendrite_room_database: "dendrite_room"
+matrix_dendrite_singingkeyserver_database: "dendrite_sigingkeyserver"
+matrix_dendrite_syncapi_database: "dendrite_syncapi"
+matrix_dendrite_account_database: "dendrite_account"
+matrix_dendrite_device_database: "dendrite_device"
+
+matrix_dendrite_turn_uris: []
+matrix_dendrite_turn_shared_secret: ""
+matrix_dendrite_turn_allow_guests: False
+
+matrix_s3_media_store_enabled: false
+matrix_s3_media_store_custom_endpoint_enabled: false
+matrix_s3_goofys_docker_image: "ewoutp/goofys:latest"
+matrix_s3_goofys_docker_image_force_pull: "{{ matrix_s3_goofys_docker_image.endswith(':latest') }}"
+matrix_s3_media_store_custom_endpoint: "your-custom-endpoint"
+matrix_s3_media_store_bucket_name: "your-bucket-name"
+matrix_s3_media_store_aws_access_key: "your-aws-access-key"
+matrix_s3_media_store_aws_secret_key: "your-aws-secret-key"
+matrix_s3_media_store_region: "eu-central-1"
+
+# Controls whether the self-check feature should validate TLS certificates.
+matrix_dendrite_disable_tls_validation: false
+
+matrix_dendrite_trusted_id_servers:
+  - "matrix.org"
+  - "vector.im"
+
+# Default Dendrite configuration template which covers the generic use case.
+# You can customize it by controlling the various variables inside it.
+#
+# For a more advanced customization, you can extend the default (see `matrix_dendrite_configuration_extension_yaml`)
+# or completely replace this variable with your own template.
+matrix_dendrite_configuration_yaml: "{{ lookup('template', 'templates/dendrite/dendrite.yaml.j2') }}"
+
+matrix_dendrite_configuration_extension_yaml: |
+  # Your custom YAML configuration for Dendrite goes here.
+  # This configuration extends the default starting configuration (`matrix_dendrite_configuration_yaml`).
+  #
+  # You can override individual variables from the default configuration, or introduce new ones.
+  #
+  # If you need something more special, you can take full control by
+  # completely redefining `matrix_dendrite_configuration_yaml`.
+  #
+  # Example configuration extension follows:
+  #
+  # server_notices:
+  #   system_mxid_localpart: notices
+  #   system_mxid_display_name: "Server Notices"
+  #   system_mxid_avatar_url: "mxc://server.com/oumMVlgDnLYFaPVkExemNVVZ"
+  #   room_name: "Server Notices"
+
+matrix_dendrite_configuration_extension: "{{ matrix_dendrite_configuration_extension_yaml|from_yaml if matrix_dendrite_configuration_extension_yaml|from_yaml is mapping else {} }}"
+
+# Holds the final Dendrite configuration (a combination of the default and its extension).
+# You most likely don't need to touch this variable. Instead, see `matrix_dendrite_configuration_yaml`.
+matrix_dendrite_configuration: "{{ matrix_dendrite_configuration_yaml|from_yaml|combine(matrix_dendrite_configuration_extension, recursive=True) }}"
diff --git a/roles/matrix-dendrite/tasks/dendrite/setup.yml b/roles/matrix-dendrite/tasks/dendrite/setup.yml
@@ -0,0 +1,6 @@
+---
+- import_tasks: "{{ role_path }}/tasks/dendrite/setup_install.yml"
+  when: matrix_dendrite_enabled|bool
+
+- import_tasks: "{{ role_path }}/tasks/dendrite/setup_uninstall.yml"
+  when: "not matrix_dendrite_enabled|bool"
diff --git a/roles/matrix-dendrite/tasks/dendrite/setup_install.yml b/roles/matrix-dendrite/tasks/dendrite/setup_install.yml
@@ -0,0 +1,85 @@
+---
+# This will throw a Permission Denied error if already mounted using fuse
+- name: Check Dendrite media store path
+  stat:
+    path: "{{ matrix_dendrite_media_store_path }}"
+  register: local_path_media_store_stat
+  ignore_errors: yes
+
+# This is separate and conditional, to ensure we don't execute it
+# if the path already exists or we failed to check, because it's mounted using fuse.
+- name: Ensure Dendrite media store path exists
+  file:
+    path: "{{ matrix_dendrite_media_store_path }}"
+    state: directory
+    mode: 0750
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
+  when: "not local_path_media_store_stat.failed and not local_path_media_store_stat.stat.exists"
+
+- name: Ensure Dendrite log path exists
+  file:
+    path: "{{ matrix_dendrite_log_path }}"
+    state: directory
+    mode: 0644
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
+
+- name: Ensure Dendrite Docker image is pulled
+  docker_image:
+    name: "{{ matrix_dendrite_docker_image }}"
+    source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
+    force_source: "{{ matrix_dendrite_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
+    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_dendrite_docker_image_force_pull }}"
+
+- name: Check if a Dendrite signing key exists
+  stat:
+    path: "{{ matrix_dendrite_config_dir_path }}/{{ matrix_server_fqn_matrix }}.signing.pem"
+  register: matrix_dendrite_signing_key_stat
+
+# We do this so that the signing key would get generated.
+# We don't use the `docker_container` module, because using it with `cap_drop` requires
+# a very recent version, which is not available for a lot of people yet.
+- name: Generate Dendrite signing key
+  command: |
+    docker run
+    --rm
+    --name=matrix-config
+    --entrypoint=generate-keys
+    --mount type=bind,src={{ matrix_dendrite_config_dir_path }},dst=/data
+    {{ matrix_dendrite_docker_image }} --private-key=/data/{{ matrix_server_fqn_matrix }}.signing.pem
+    generate
+  when: "not matrix_dendrite_signing_key_stat.stat.exists"
+
+- name: Ensure Dendrite server key exists
+  file:
+    path: "{{ matrix_dendrite_config_dir_path }}/{{ matrix_server_fqn_matrix }}.signing.pem"
+    mode: 0644
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
+
+- name: Ensure Dendrite configuration installed
+  copy:
+    content: "{{ matrix_dendrite_configuration|to_nice_yaml }}"
+    dest: "{{ matrix_dendrite_config_dir_path }}/dendrite.yaml"
+    mode: 0644
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
+
+- name: Ensure matrix-dendrite.service installed
+  template:
+    src: "{{ role_path }}/templates/dendrite/systemd/matrix-dendrite.service.j2"
+    dest: "{{ matrix_systemd_path }}/matrix-dendrite.service"
+    mode: 0644
+  register: matrix_dendrite_systemd_service_result
+
+- name: Ensure systemd reloaded after matrix-dendrite.service installation
+  service:
+    daemon_reload: yes
+  when: "matrix_dendrite_systemd_service_result.changed"
+
+- name: Ensure matrix-dendrite-create-account script created
+  template:
+    src: "{{ role_path }}/templates/dendrite/usr-local-bin/matrix-dendrite-create-account.j2"
+    dest: "{{ matrix_local_bin_path }}/matrix-dendrite-create-account"
+    mode: 0750
diff --git a/roles/matrix-dendrite/tasks/dendrite/setup_uninstall.yml b/roles/matrix-dendrite/tasks/dendrite/setup_uninstall.yml
@@ -0,0 +1,28 @@
+- name: Check existence of matrix-dendrite service
+  stat:
+    path: "{{ matrix_systemd_path }}/matrix-dendrite.service"
+  register: matrix_dendrite_service_stat
+
+- name: Ensure matrix-dendrite is stopped
+  service:
+    name: matrix-dendrite
+    state: stopped
+    daemon_reload: yes
+  register: stopping_result
+  when: "matrix_dendrite_service_stat.stat.exists"
+
+- name: Ensure matrix-dendrite.service doesn't exist
+  file:
+    path: "{{ matrix_systemd_path }}/matrix-dendrite.service"
+    state: absent
+  when: "matrix_dendrite_service_stat.stat.exists"
+
+- name: Ensure systemd reloaded after matrix-dendrite.service removal
+  service:
+    daemon_reload: yes
+  when: "matrix_dendrite_service_stat.stat.exists"
+
+- name: Ensure Dendrite Docker image doesn't exist
+  docker_image:
+    name: "{{ matrix_dendrite_docker_image }}"
+    state: absent
diff --git a/roles/matrix-dendrite/tasks/goofys/setup.yml b/roles/matrix-dendrite/tasks/goofys/setup.yml
@@ -0,0 +1,7 @@
+---
+
+- import_tasks: "{{ role_path }}/tasks/goofys/setup_install.yml"
+  when: matrix_s3_media_store_enabled|bool
+
+- import_tasks: "{{ role_path }}/tasks/goofys/setup_uninstall.yml"
+  when: "not matrix_s3_media_store_enabled|bool"