diff --git a/examples/host-vars.yml b/examples/host-vars.yml index ef911ecf..da7ce947 100644 --- a/examples/host-vars.yml +++ b/examples/host-vars.yml @@ -16,4 +16,8 @@ host_specific_matrix_ssl_support_email: YOUR_EMAIL_ADDRESS_HERE # (for configuration purposes). # # Example value: example.com -host_specific_hostname_identity: YOUR_BARE_DOMAIN_NAME_HERE \ No newline at end of file +host_specific_hostname_identity: YOUR_BARE_DOMAIN_NAME_HERE + +# A shared secret (between Synapse and Coturn) used for authentication. +# You can put any string here, but generating a strong one is preferred (e.g. `pwgen -s 64 1`). +matrix_coturn_turn_static_auth_secret: "" \ No newline at end of file diff --git a/roles/matrix-server/defaults/main.yml b/roles/matrix-server/defaults/main.yml index f5d98edc..5af92385 100644 --- a/roles/matrix-server/defaults/main.yml +++ b/roles/matrix-server/defaults/main.yml @@ -36,25 +36,34 @@ matrix_postgres_data_path: "{{ matrix_base_data_path }}/postgres" matrix_nginx_proxy_data_path: "{{ matrix_base_data_path }}/nginx-proxy" matrix_nginx_proxy_confd_path: "{{ matrix_nginx_proxy_data_path }}/conf.d" matrix_nginx_riot_web_data_path: "{{ matrix_base_data_path }}/riot-web" +matrix_coturn_base_path: "{{ matrix_base_data_path }}/coturn" +matrix_coturn_config_path: "{{ matrix_coturn_base_path }}/turnserver.conf" matrix_scratchpad_dir: "{{ matrix_base_data_path }}/scratchpad" docker_postgres_image: "postgres:9.6.8-alpine" -docker_matrix_image: "avhost/docker-matrix:v0.28.1" +docker_matrix_image: "matrixdotorg/synapse:v0.30.0" docker_nginx_image: "nginx:1.13.12-alpine" docker_riot_image: "avhost/docker-matrix-riot:v0.14.2" docker_s3fs_image: "xueshanf/s3fs:latest" docker_goofys_image: "cloudproto/goofys:latest" +docker_coturn_image: "instrumentisto/coturn:4.5.0.7" # To avoid Synapse's macaroon secret key from changing every time # a new config is built from scratch, you can specify one here. matrix_synapse_macaroon_secret_key: null + +# A shared secret (between Synapse and Coturn) used for authentication. +# You can put any string here, but generating a strong one is preferred (e.g. `pwgen -s 64 1`). +matrix_coturn_turn_static_auth_secret: "" + # UDP port-range to use for TURN matrix_coturn_turn_udp_min_port: 49152 matrix_coturn_turn_udp_max_port: 49172 matrix_coturn_turn_external_ip_address: "{{ ansible_host }}" + matrix_max_upload_size_mb: 10 matrix_max_log_file_size_mb: 100 matrix_max_log_files_count: 10 diff --git a/roles/matrix-server/tasks/main.yml b/roles/matrix-server/tasks/main.yml index 8904cb53..0e54396a 100644 --- a/roles/matrix-server/tasks/main.yml +++ b/roles/matrix-server/tasks/main.yml @@ -28,10 +28,16 @@ - setup-main - setup-goofys +- include: tasks/setup_coturn.yml + tags: + - setup-main + - setup-coturn + - include: tasks/setup_synapse.yml tags: - setup-main - setup-synapse + - setup-coturn - include: tasks/setup_riot_web.yml tags: diff --git a/roles/matrix-server/tasks/setup_coturn.yml b/roles/matrix-server/tasks/setup_coturn.yml new file mode 100644 index 00000000..11b48d4a --- /dev/null +++ b/roles/matrix-server/tasks/setup_coturn.yml @@ -0,0 +1,42 @@ +--- + +- name: Fail if Coturn secret is missing + fail: + msg: "You need to set a secret in the matrix_coturn_turn_static_auth_secret variable" + when: "matrix_coturn_turn_static_auth_secret == ''" + +- name: Ensure Coturn image is pulled + docker_image: + name: "{{ docker_coturn_image }}" + +- name: Ensure Coturn configuration path exists + file: + path: "{{ matrix_coturn_base_path }}" + state: directory + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_username }}" + +- name: Ensure turnserver.conf installed + template: + src: "{{ role_path }}/templates/coturn/turnserver.conf.j2" + dest: "{{ matrix_coturn_config_path }}" + mode: 0644 + +- name: Ensure matrix-coturn.service installed + template: + src: "{{ role_path }}/templates/systemd/matrix-coturn.service.j2" + dest: "/etc/systemd/system/matrix-coturn.service" + mode: 0644 + +- name: Allow access to Coturn ports in firewalld + firewalld: + port: "{{ item }}" + state: enabled + immediate: yes + permanent: yes + with_items: + - '3478/tcp' # STUN + - '3478/udp' # STUN + - "{{ matrix_coturn_turn_udp_min_port }}-{{ matrix_coturn_turn_udp_max_port }}/udp" # TURN + when: ansible_os_family == 'RedHat' \ No newline at end of file diff --git a/roles/matrix-server/tasks/setup_synapse.yml b/roles/matrix-server/tasks/setup_synapse.yml index 6a8898a3..70db567b 100644 --- a/roles/matrix-server/tasks/setup_synapse.yml +++ b/roles/matrix-server/tasks/setup_synapse.yml @@ -49,8 +49,9 @@ cleanup: yes command: generate env: - SERVER_NAME: "{{ hostname_matrix }}" - REPORT_STATS: "no" + SYNAPSE_CONFIG_PATH: "/data/homeserver.yaml" + SYNAPSE_SERVER_NAME: "{{ hostname_matrix }}" + SYNAPSE_REPORT_STATS: "no" user: "{{ matrix_user_uid }}:{{ matrix_user_gid }}" volumes: - "{{ matrix_synapse_config_dir_path }}:/data" @@ -74,6 +75,7 @@ line: '{{ item.line }}' with_items: - {"regexp": "^log_file:", "line": 'log_file: "/matrix-run/homeserver.log"'} + - {"regexp": "^uploads_path:", "line": 'uploads_path: "/matrix-run/uploads"'} - {"regexp": "^server_name:", "line": 'server_name: "{{ hostname_identity }}"'} - {"regexp": "^turn_allow_guests:", "line": 'turn_allow_guests: False'} - {"regexp": "^url_preview_enabled:", "line": 'url_preview_enabled: True'} @@ -117,15 +119,14 @@ regexp: '(.*)name: "psycopg2"((?:.|\n)*?)\n\n' replace: '\1name: "psycopg2"\n\1args:\n\1\1user: "{{ matrix_postgres_connection_username }}"\n\1\1password: "{{ matrix_postgres_connection_password }}"\n\1\1database: "{{ matrix_postgres_db_name }}"\n\1\1host: "{{ matrix_postgres_connection_hostname }}"\n\1\1cp_min: 5\n\1\1cp_max: 10\n\n' -- name: Augment Matrix config (configure Coturn) - lineinfile: "dest={{ matrix_synapse_config_dir_path }}/turnserver.conf" +- name: Augment Matrix config (configure TURN) + lineinfile: "dest={{ matrix_synapse_config_dir_path }}/homeserver.yaml" args: - regexp: "^{{ item.variable }}=" - line: '{{ item.variable }}={{ item.value }}' + regexp: "{{ item.regexp }}" + line: '{{ item.line }}' with_items: - - {'variable': 'min-port', 'value': "{{ matrix_coturn_turn_udp_min_port }}"} - - {'variable': 'max-port', 'value': "{{ matrix_coturn_turn_udp_max_port }}"} - - {'variable': 'external-ip', 'value': "{{ matrix_coturn_turn_external_ip_address }}"} + - {"regexp": "^turn_uris:", "line": 'turn_uris: ["turn:{{ hostname_matrix }}:3478?transport=udp", "turn:{{ hostname_matrix }}:3478?transport=tcp"]'} + - {"regexp": "^turn_shared_secret:", "line": 'turn_shared_secret: "{{ matrix_coturn_turn_static_auth_secret }}"'} - name: Allow access to Matrix ports in firewalld firewalld: @@ -135,9 +136,6 @@ permanent: yes with_items: - '8448/tcp' # Matrix federation - - '3478/tcp' # STUN - - '3478/udp' # STUN - - "{{ matrix_coturn_turn_udp_min_port }}-{{ matrix_coturn_turn_udp_max_port }}/udp" # TURN when: ansible_os_family == 'RedHat' - name: Ensure matrix-synapse.service installed diff --git a/roles/matrix-server/tasks/start.yml b/roles/matrix-server/tasks/start.yml index 058f4c7a..2ee6d2ba 100644 --- a/roles/matrix-server/tasks/start.yml +++ b/roles/matrix-server/tasks/start.yml @@ -8,6 +8,9 @@ service: name=matrix-goofys enabled=yes state=restarted daemon_reload=yes when: matrix_s3_media_store_enabled +- name: Ensure matrix-coturn autoruns and is restarted + service: name=matrix-coturn enabled=yes state=restarted daemon_reload=yes + - name: Ensure matrix-synapse autoruns and is restarted service: name=matrix-synapse enabled=yes state=restarted daemon_reload=yes diff --git a/roles/matrix-server/templates/coturn/turnserver.conf.j2 b/roles/matrix-server/templates/coturn/turnserver.conf.j2 new file mode 100644 index 00000000..2298d182 --- /dev/null +++ b/roles/matrix-server/templates/coturn/turnserver.conf.j2 @@ -0,0 +1,15 @@ +lt-cred-mech +use-auth-secret +static-auth-secret={{ matrix_coturn_turn_static_auth_secret }} +realm=turn.{{ hostname_matrix }} +cert=/matrix-config/{{ hostname_matrix }}.tls.crt +pkey=/matrix-config/{{ hostname_matrix }}.tls.key +dh-file=/matrix-config/{{ hostname_matrix }}.tls.dh +cipher-list="HIGH" +min-port={{ matrix_coturn_turn_udp_min_port }} +max-port={{ matrix_coturn_turn_udp_max_port }} +external-ip={{ matrix_coturn_turn_external_ip_address }} +log-file=stdout +pidfile=/var/tmp/turnserver.pid +userdb=/var/tmp/turnserver.db +no-cli \ No newline at end of file diff --git a/roles/matrix-server/templates/systemd/matrix-coturn.service.j2 b/roles/matrix-server/templates/systemd/matrix-coturn.service.j2 new file mode 100644 index 00000000..df5d74f2 --- /dev/null +++ b/roles/matrix-server/templates/systemd/matrix-coturn.service.j2 @@ -0,0 +1,25 @@ +[Unit] +Description=Matrix Coturn server +After=docker.service +Requires=docker.service + +[Service] +Type=simple +ExecStartPre=-/usr/bin/docker kill matrix-coturn +ExecStartPre=-/usr/bin/docker rm matrix-coturn +ExecStart=/usr/bin/docker run --rm --name matrix-coturn \ + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + -p 3478:3478 \ + -p 3478:3478/udp \ + -p {{ matrix_coturn_turn_udp_min_port }}-{{ matrix_coturn_turn_udp_max_port }}:{{ matrix_coturn_turn_udp_min_port }}-{{ matrix_coturn_turn_udp_max_port }}/udp \ + -v {{ matrix_synapse_config_dir_path }}:/matrix-config:ro \ + -v {{ matrix_coturn_config_path }}:/turnserver.conf:ro \ + {{ docker_coturn_image }} \ + -c /turnserver.conf +ExecStop=-/usr/bin/docker kill matrix-coturn +ExecStop=-/usr/bin/docker rm matrix-coturn +Restart=always +RestartSec=30 + +[Install] +WantedBy=multi-user.target diff --git a/roles/matrix-server/templates/systemd/matrix-synapse.service.j2 b/roles/matrix-server/templates/systemd/matrix-synapse.service.j2 index fd8ddb4a..c9beb406 100644 --- a/roles/matrix-server/templates/systemd/matrix-synapse.service.j2 +++ b/roles/matrix-server/templates/systemd/matrix-synapse.service.j2 @@ -10,6 +10,8 @@ After=matrix-postgres.service After=matrix-goofys.service Requires=matrix-goofys.service {% endif %} +After=matrix-coturn.service +Requires=matrix-coturn.service [Service] Type=simple @@ -29,12 +31,10 @@ ExecStart=/usr/bin/docker run --rm --name matrix-synapse \ {% if not matrix_nginx_proxy_enabled %} -p 127.0.0.1:8008:8008 \ {% endif %} - -p 3478:3478 \ - -p 3478:3478/udp \ - -p {{ matrix_coturn_turn_udp_min_port }}-{{ matrix_coturn_turn_udp_max_port }}:{{ matrix_coturn_turn_udp_min_port }}-{{ matrix_coturn_turn_udp_max_port }}/udp \ -v {{ matrix_synapse_config_dir_path }}:/data \ -v {{ matrix_synapse_run_path }}:/matrix-run \ -v {{ matrix_synapse_storage_path }}:/matrix-storage:slave \ + -e SYNAPSE_CONFIG_PATH=/data/homeserver.yaml \ {{ docker_matrix_image }} ExecStop=-/usr/bin/docker kill matrix-synapse ExecStop=-/usr/bin/docker rm matrix-synapse