author | Matthieu Saulnier <fantom@fedoraproject.org> | 2024-03-17 18:06:11 +0100 |
---|---|---|
committer | Matthieu Saulnier <fantom@fedoraproject.org> | 2024-03-17 18:06:11 +0100 |
commit | 81dc7bff18a5f8b0660d48f38afcaedbff7411db (patch) | |
tree | 7039f38c7e8ecc8ec5be5294628fd81a9140a2c8 /roles/mserver/files | |
parent | dc7129f4fea6da6c346b759b87223f9fd9a3775f (diff) | |
Create role for Matrix IM server
Diffstat (limited to 'roles/mserver/files')
-rw-r--r-- | roles/mserver/files/_etc_sysconfig_synapse.conf | 15 | ||||
-rw-r--r-- | roles/mserver/files/certbot.conf | 51 | ||||
-rw-r--r-- | roles/mserver/files/stunnel-matrixclient.socket | 13 | ||||
-rw-r--r-- | roles/mserver/files/stunnel-matrixclient@.service | 9 | ||||
-rw-r--r-- | roles/mserver/files/synapse.service | 9 |
5 files changed, 97 insertions, 0 deletions
diff --git a/roles/mserver/files/_etc_sysconfig_synapse.conf b/roles/mserver/files/_etc_sysconfig_synapse.conf
new file mode 100644
index 0000000..63ca402
--- /dev/null
+++ b/roles/mserver/files/_etc_sysconfig_synapse.conf
@@ -0,0 +1,15 @@
+#
+# Ansible managed.
+#
+# Synapse's architecture is quite RAM hungry currently - we deliberately cache
+# a lot of recent room data and metadata in RAM in order to speed up common
+# requests. We'll improve this in future, but for now the easiest way to either
+# reduce the RAM usage (at the risk of slowing things down) is to set the
+# almost-undocumented SYNAPSE_CACHE_FACTOR environment variable. Roughly
+# speaking, a SYNAPSE_CACHE_FACTOR of 1.0 will max out at around 3-4GB of
+# resident memory - this is what we currently run the matrix.org on. The
+# default setting is currently 0.1, which is probably around a ~700MB
+# footprint. You can dial it down further to 0.02 if desired, which targets
+# roughly ~512MB. Conversely you can dial it up if you need performance for
+# lots of users and have a box with a lot of RAM.
+SYNAPSE_CACHE_FACTOR=0.02
diff --git a/roles/mserver/files/certbot.conf b/roles/mserver/files/certbot.conf
new file mode 100644
index 0000000..69c58a5
--- /dev/null
+++ b/roles/mserver/files/certbot.conf
@@ -0,0 +1,51 @@
+#
+# Ansible managed.
+#
+## NOTE ##
+# If a hook is set here then it will be used for all
+# certificates and will override any per certificate
+# hook configuration in place.
+
+# Command to be run in a shell before obtaining any
+# certificates. Intended primarily for renewal, where it
+# can be used to temporarily shut down a webserver that
+# might conflict with the standalone plugin. This will
+# only be called if a certificate is actually to be
+# obtained/renewed. When renewing several certificates
+# that have identical pre-hooks, only the first will be
+# executed.
+#
+# An example to stop the MTA before updating certs would be
+# PRE_HOOK="--pre-hook 'systemctl stop postfix'"
+PRE_HOOK="--pre-hook 'systemctl stop stunnel-nfsd.socket'"
+
+# Command to be run in a shell after attempting to
+# obtain/renew certificates. Can be used to deploy
+# renewed certificates, or to restart any servers that
+# were stopped by --pre-hook. This is only run if an
+# attempt was made to obtain/renew a certificate. If
+# multiple renewed certificates have identical post-
+# hooks, only one will be run.
+#
+# An example to restart httpd would be:
+# POST_HOOK="--post-hook 'systemctl restart httpd'"
+POST_HOOK="--post-hook 'systemctl restart synapse stunnel-nfsd.socket'"
+
+# Command to be run in a shell once for each
+# successfully renewed certificate. For this command,
+# the shell variable $RENEWED_LINEAGE will point to the
+# config live subdirectory containing the new certs and
+# keys; the shell variable $RENEWED_DOMAINS will contain
+# a space-delimited list of renewed cert domains
+#
+# An example to run a script to alert each cert would be:
+# DEPLOY_HOOK="--deploy-hook /usr/local/bin/cert-notifier.sh"
+DEPLOY_HOOK=""
+
+# Any other misc arguments for the renewal
+# See certbot -h renew for full list
+#
+# An example to force renewal for certificates not due yet
+# CERTBOT_ARGS="--force-renewal"
+CERTBOT_ARGS="--standalone --agree-tos --no-eff-email --reuse-key -m fantom@fedoraproject.org"
+
diff --git a/roles/mserver/files/stunnel-matrixclient.socket b/roles/mserver/files/stunnel-matrixclient.socket
new file mode 100644
index 0000000..f1b1982
--- /dev/null
+++ b/roles/mserver/files/stunnel-matrixclient.socket
@@ -0,0 +1,13 @@
+#
+# Ansible managed.
+#
+[Unit]
+Description=Matrix Client over stunnel/TLS server
+
+[Socket]
+ListenStream=29396
+Accept=yes
+TimeoutSec=600
+
+[Install]
+WantedBy=sockets.target
diff --git a/roles/mserver/files/stunnel-matrixclient@.service b/roles/mserver/files/stunnel-matrixclient@.service
new file mode 100644
index 0000000..4066f50
--- /dev/null
+++ b/roles/mserver/files/stunnel-matrixclient@.service
@@ -0,0 +1,9 @@
+#
+# Ansible managed.
+#
+[Unit]
+Description=Matrix Client over stunnel/TLS server
+
+[Service]
+ExecStart=-/usr/bin/stunnel /etc/stunnel/matrixclient.conf
+StandardInput=socket
diff --git a/roles/mserver/files/synapse.service b/roles/mserver/files/synapse.service
new file mode 100644
index 0000000..59b28d7
--- /dev/null
+++ b/roles/mserver/files/synapse.service
@@ -0,0 +1,9 @@
+#
+# Ansible managed.
+#
+[Unit]
+After=network-online.target
+
+[Service]
+TimeoutSec=infinity
+Restart=always
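Review bot: The PRE_HOOK and POST_HOOK lines stop and restart `stunnel-nfsd.socket`, but the units this commit adds are `stunnel-matrixclient.socket` and `stunnel-matrixclient@.service`, so the hooks look carried over from another role and the Matrix listener is never cycled after a renewal; on a host without an nfsd stunnel unit the pre-hook's `systemctl stop` would presumably fail as well. I would point the hooks at this role's units, e.g. `PRE_HOOK="--pre-hook 'systemctl stop stunnel-matrixclient.socket'"` and `POST_HOOK="--post-hook 'systemctl restart synapse stunnel-matrixclient.socket'"`, or add a comment explaining why the nfsd socket is the right one to stop here. Separately, `--reuse-key` in CERTBOT_ARGS keeps the same private key across every renewal instead of rotating it; if that is deliberate (e.g. for pinning), a one-line comment above CERTBOT_ARGS saying so would stop the next maintainer from removing it or, conversely, from assuming the key rotates.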
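Review bot: The `[Socket]` section in stunnel-matrixclient.socket uses `Accept=yes`, so systemd spawns one `stunnel-matrixclient@` instance per incoming connection on 29396, and the only bound on concurrent instances is systemd's default `MaxConnections` (64) since nothing here sets it. For a listener that is presumably exposed to Matrix clients I would make that limit explicit and documented so it is a deliberate capacity decision rather than an inherited default, e.g. `# one stunnel process per connection; cap concurrent instances` followed by `MaxConnections=64` (and `MaxConnectionsPerSource=` if per-client fairness matters). `ListenStream=29396` without an address also binds every interface; a comment confirming that is intended, or an explicit `ListenStream=0.0.0.0:29396`, would remove the ambiguity.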
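Review bot: The `[Service]` section in stunnel-matrixclient@.service sets no `User=`, so each per-connection stunnel instance runs as root while holding the TLS private key and handling network input, and the `-` prefix on `ExecStart=` tells systemd to ignore a non-zero exit, so a broken /etc/stunnel/matrixclient.conf fails silently on every connection. I would run it as a dedicated account with the certificate and key readable by that account, and add basic sandboxing, e.g. `User=stunnel`, `NoNewPrivileges=yes`, `ProtectSystem=strict`. If the `-` is there because stunnel's inetd mode exits non-zero on ordinary client disconnects, a comment on the ExecStart line saying so would explain the choice; otherwise drop it so misconfiguration shows up in the journal.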
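Review bot: `After=network-online.target` in synapse.service only orders the unit; without a matching `Wants=network-online.target` nothing pulls the target in, so the ordering is ineffective and the unit should carry both lines. `TimeoutSec=infinity` is shorthand for both `TimeoutStartSec=` and `TimeoutStopSec=`, which means a wedged synapse is never killed on stop or restart and `Restart=always` cannot recover it; `TimeoutStartSec=infinity` together with a finite `TimeoutStopSec=` keeps the unbounded start while still allowing recovery. The file has no `ExecStart=` or `[Install]` section, so presumably it is deployed as a drop-in over the packaged synapse.service rather than as a complete unit; a header comment stating that (and the drop-in path) would make the intent clear to the next reader.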