authorMatthieu Saulnier <fantom@fedoraproject.org>2024-03-17 18:06:11 +0100
committerMatthieu Saulnier <fantom@fedoraproject.org>2024-03-17 18:06:11 +0100
commit81dc7bff18a5f8b0660d48f38afcaedbff7411db (patch)
tree7039f38c7e8ecc8ec5be5294628fd81a9140a2c8 /roles/mserver/files
parentdc7129f4fea6da6c346b759b87223f9fd9a3775f (diff)
downloadplaybooks-ansible-81dc7bff18a5f8b0660d48f38afcaedbff7411db.tar.gz
playbooks-ansible-81dc7bff18a5f8b0660d48f38afcaedbff7411db.tar.xz
playbooks-ansible-81dc7bff18a5f8b0660d48f38afcaedbff7411db.zip
Create role for Matrix IM server
Diffstat (limited to 'roles/mserver/files')
-rw-r--r--roles/mserver/files/_etc_sysconfig_synapse.conf15
-rw-r--r--roles/mserver/files/certbot.conf51
-rw-r--r--roles/mserver/files/stunnel-matrixclient.socket13
-rw-r--r--roles/mserver/files/stunnel-matrixclient@.service9
-rw-r--r--roles/mserver/files/synapse.service9
5 files changed, 97 insertions, 0 deletions
diff --git a/roles/mserver/files/_etc_sysconfig_synapse.conf b/roles/mserver/files/_etc_sysconfig_synapse.conf
new file mode 100644
index 0000000..63ca402
--- /dev/null
+++ b/roles/mserver/files/_etc_sysconfig_synapse.conf
@@ -0,0 +1,15 @@
+#
+# Ansible managed.
+#
+# Synapse's architecture is quite RAM hungry currently - we deliberately cache
+# a lot of recent room data and metadata in RAM in order to speed up common
+# requests. We'll improve this in future, but for now the easiest way to either
+# reduce the RAM usage (at the risk of slowing things down) is to set the
+# almost-undocumented SYNAPSE_CACHE_FACTOR environment variable. Roughly
+# speaking, a SYNAPSE_CACHE_FACTOR of 1.0 will max out at around 3-4GB of
+# resident memory - this is what we currently run the matrix.org on. The
+# default setting is currently 0.1, which is probably around a ~700MB
+# footprint. You can dial it down further to 0.02 if desired, which targets
+# roughly ~512MB. Conversely you can dial it up if you need performance for
+# lots of users and have a box with a lot of RAM.
+SYNAPSE_CACHE_FACTOR=0.02
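Review bot: The explanatory comment above `SYNAPSE_CACHE_FACTOR=0.02` carries a dangling "either" ("the easiest way to either reduce the RAM usage ... is to set") with no matching "or", which makes the sentence hard to follow. Dropping the word gives `# requests. We'll improve this in future, but for now the easiest way to` / `# reduce the RAM usage (at the risk of slowing things down) is to set the`. It would also help a reader to state in the header which unit consumes this file (presumably synapse.service via an EnvironmentFile= line, which is not visible here), since a sysconfig file has no effect unless something reads it.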
diff --git a/roles/mserver/files/certbot.conf b/roles/mserver/files/certbot.conf
new file mode 100644
index 0000000..69c58a5
--- /dev/null
+++ b/roles/mserver/files/certbot.conf
@@ -0,0 +1,51 @@
+#
+# Ansible managed.
+#
+## NOTE ##
+# If a hook is set here then it will be used for all
+# certificates and will override any per certificate
+# hook configuration in place.
+
+# Command to be run in a shell before obtaining any
+# certificates. Intended primarily for renewal, where it
+# can be used to temporarily shut down a webserver that
+# might conflict with the standalone plugin. This will
+# only be called if a certificate is actually to be
+# obtained/renewed. When renewing several certificates
+# that have identical pre-hooks, only the first will be
+# executed.
+#
+# An example to stop the MTA before updating certs would be
+# PRE_HOOK="--pre-hook 'systemctl stop postfix'"
+PRE_HOOK="--pre-hook 'systemctl stop stunnel-nfsd.socket'"
+
+# Command to be run in a shell after attempting to
+# obtain/renew certificates. Can be used to deploy
+# renewed certificates, or to restart any servers that
+# were stopped by --pre-hook. This is only run if an
+# attempt was made to obtain/renew a certificate. If
+# multiple renewed certificates have identical post-
+# hooks, only one will be run.
+#
+# An example to restart httpd would be:
+# POST_HOOK="--post-hook 'systemctl restart httpd'"
+POST_HOOK="--post-hook 'systemctl restart synapse stunnel-nfsd.socket'"
+
+# Command to be run in a shell once for each
+# successfully renewed certificate. For this command,
+# the shell variable $RENEWED_LINEAGE will point to the
+# config live subdirectory containing the new certs and
+# keys; the shell variable $RENEWED_DOMAINS will contain
+# a space-delimited list of renewed cert domains
+#
+# An example to run a script to alert each cert would be:
+# DEPLOY_HOOK="--deploy-hook /usr/local/bin/cert-notifier.sh"
+DEPLOY_HOOK=""
+
+# Any other misc arguments for the renewal
+# See certbot -h renew for full list
+#
+# An example to force renewal for certificates not due yet
+# CERTBOT_ARGS="--force-renewal"
+CERTBOT_ARGS="--standalone --agree-tos --no-eff-email --reuse-key -m fantom@fedoraproject.org"
+
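Review bot: The PRE_HOOK and POST_HOOK lines stop and restart `stunnel-nfsd.socket`, a unit that this role does not ship, while the socket unit added in the same commit is `stunnel-matrixclient.socket`; this looks like a copy from another role and should be confirmed. If the intent is to free the TLS listener for the standalone plugin, note that the matrixclient socket listens on 29396, so it would not conflict with certbot's port 80 anyway, and the hook may be unnecessary. Restarting `synapse` from the global POST_HOOK also restarts it on every renewal of any certificate on the host; a DEPLOY_HOOK (currently empty) runs once per renewed lineage and would scope the restart to the certificate synapse actually serves, if that is the goal.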
diff --git a/roles/mserver/files/stunnel-matrixclient.socket b/roles/mserver/files/stunnel-matrixclient.socket
new file mode 100644
index 0000000..f1b1982
--- /dev/null
+++ b/roles/mserver/files/stunnel-matrixclient.socket
@@ -0,0 +1,13 @@
+#
+# Ansible managed.
+#
+[Unit]
+Description=Matrix Client over stunnel/TLS server
+
+[Socket]
+ListenStream=29396
+Accept=yes
+TimeoutSec=600
+
+[Install]
+WantedBy=sockets.target
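Review bot: With `Accept=yes`, systemd spawns one `stunnel-matrixclient@.service` instance per incoming connection on 29396, and nothing in the [Socket] section bounds that beyond systemd's defaults, so a single remote client can drive instance creation up to the cap. Adding `MaxConnectionsPerSource=` (and an explicit `MaxConnections=`) after `Accept=yes` documents and limits the exposure; the right numbers depend on expected client counts, which this unit does not record. A short comment stating which interface the port is meant to be reachable from would also help, since a bare `ListenStream=29396` binds all addresses.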
diff --git a/roles/mserver/files/stunnel-matrixclient@.service b/roles/mserver/files/stunnel-matrixclient@.service
new file mode 100644
index 0000000..4066f50
--- /dev/null
+++ b/roles/mserver/files/stunnel-matrixclient@.service
@@ -0,0 +1,9 @@
+#
+# Ansible managed.
+#
+[Unit]
+Description=Matrix Client over stunnel/TLS server
+
+[Service]
+ExecStart=-/usr/bin/stunnel /etc/stunnel/matrixclient.conf
+StandardInput=socket
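Review bot: The per-connection service runs `/usr/bin/stunnel` with no `User=`/`Group=`, so each TLS session from an arbitrary network client is handled by a root process; a dedicated account plus the usual sandboxing (`ProtectSystem=strict`, `PrivateTmp=yes`, `NoNewPrivileges=yes`) would contain a fault in stunnel or the TLS stack, provided the key material referenced by /etc/stunnel/matrixclient.conf is readable by that account (not visible here). The leading `-` in `ExecStart=-/usr/bin/stunnel ...` marks a non-zero exit as success, which hides failed sessions from unit status and logs; consider whether that is intended and, if so, say why in a comment. This unit also depends on matrixclient.conf being written for inetd mode to match `StandardInput=socket`, which is worth stating in the header since the config is not part of this commit.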
diff --git a/roles/mserver/files/synapse.service b/roles/mserver/files/synapse.service
new file mode 100644
index 0000000..59b28d7
--- /dev/null
+++ b/roles/mserver/files/synapse.service
@@ -0,0 +1,9 @@
+#
+# Ansible managed.
+#
+[Unit]
+After=network-online.target
+
+[Service]
+TimeoutSec=infinity
+Restart=always
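Review bot: `After=network-online.target` alone only orders the unit; without a matching `Wants=network-online.target` in [Unit], nothing pulls that target into the transaction, so the ordering can be a no-op on boot. The file also has no `ExecStart=`, which suggests it is meant to be installed as a drop-in under synapse.service.d/ rather than as a full unit replacing the packaged one; where Ansible places it is not visible here, and a header comment naming the intended destination would prevent that confusion. `TimeoutSec=infinity` removes the stop timeout as well as the start timeout, so a hung synapse can block `systemctl restart` and shutdown indefinitely; pairing `Restart=always` with an explicit `RestartSec=` and a finite `TimeoutStopSec=` keeps restart behaviour predictable.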