Working on more Matrix stuffs, adding creds for SES

2020-06-21 10:46:49 -05:00 · 2020-06-21 10:46:49 -05:00 · aed52c16a0
commit aed52c16a0
parent 73d1ebd9a2
6 changed files with 2271 additions and 6 deletions
--- a/inventory/group_vars/all.yml
+++ b/inventory/group_vars/all.yml
@ -1,10 +1,25 @@
 #!/usr/bin/ansible-playbook
 # vim:ft=ansible:
 user_username: salt
+aws_ses_user: !vault |
+          $ANSIBLE_VAULT;1.1;AES256
+          33643766376336316266373239386466373639633765333332353031373132383061346564633036
+          3337396261333264363562363364336235633831353133380a613164666161313265396261616634
+          38353531306238613735623433663138643231663139363735373537393337636362636534656166
+          3063373930343039320a663063663535633932323739653461336164643035633036663362666161
+          38316564326537303236333266303432326164393435663665363963326363306237
+aws_ses_pass: !vault |
+          $ANSIBLE_VAULT;1.1;AES256
+          39306665653635383832623438656364616633643032663365643033316236333939363732363034
+          3566663361653862646636396339343963626561613839620a663731313337613734356261326437
+          31653763346663656165343632336366343562333836396232636431323635333965336137316237
+          3662393364636631310a643935313539353338333233356362623835363631383035666536343634
+          65663937643165613337373837633737653765303764303536386530616363343361326536633935
+          3565626161343562396663353538653136376138373334336435
 zerotier_network_id: !vault |
-        $ANSIBLE_VAULT;1.1;AES256
-        35646131343239623265663562343333383362366633386462646465643163353866643633636135
-        6238643231313536323337343663313865323430323437630a353462393830376431376363373232
-        30656433343263653035333637336165323931363966376264353164326135336131646362623734
-        3339633961393864330a616437613534643231366634643362383438316233376334636264303361
-        65313231393433396538663463383731303661633663343066333264303330313133
+          $ANSIBLE_VAULT;1.1;AES256
+          35646131343239623265663562343333383362366633386462646465643163353866643633636135
+          6238643231313536323337343663313865323430323437630a353462393830376431376363373232
+          30656433343263653035333637336165323931363966376264353164326135336131646362623734
+          3339633961393864330a616437613534643231366634643362383438316233376334636264303361
+          65313231393433396538663463383731303661633663343066333264303330313133
--- a/roles/matrix/tasks/main.yml
+++ b/roles/matrix/tasks/main.yml
@ -19,4 +19,40 @@
          apt:
            name:
              - "matrix-synapse-py3"
+    - name: Set up Apache
+      block:
+        - name: Enable modules
+          command:
+            cmd: a2enmod "{{ item }}"
+            creates: "/etc/apache2/mods-enabled/{{ item }}.load"
+          loop:
+            - proxy
+            - proxy_http
+          notify: restart apache
+        - name: Template out vhost
+          template:
+            src: "apache2-vhost-ssl.conf"
+            dest: "/etc/apache2-sites-available/{{ matrix_url }}.conf"
+        - name: Create webroot
+          file:
+            state: directory
+            path: "{{ matrix_webroot }}"
+        - name: Enable site
+          command:
+            cmd: "a2ensite {{ matrix_url }}.conf"
+            creates: "/etc/apache2/sites-enabled/{{ matrix_url }}.conf"
+          notify: restart apache
+        - name: Generate certificate
+          include_role:
+            name: https
+          vars:
+            website_url: "{{ matrix_url }}"
+    - name: Configure Synapse
+      template:
+        src: "{{ item.src }}"
+        dest: "{{ item.dest }}"
+        mode: "{{ item.mode }}"
+      loop:
+        - { src: "homeserver.yml", dest: "/etc/matrix-synapse/homeserver.yml", "mode: 0644" }
+        - { src: "server_name.yml", dest: "/etc/matrix-synapse/conf.d/server_name.yml", "mode: 0644" }
  become: yes
--- a/roles/matrix/templates/apache2-vhost-ssl.conf
+++ b/roles/matrix/templates/apache2-vhost-ssl.conf
@ -0,0 +1,35 @@
+# Configuration for {{ matrix_url }}
+# vim:ft=apache:
+
+# Accept connections from non-SNI clients
+SSLStrictSNIVHostCheck off
+# Need this for SSL proxying, apparently
+SSLProxyEngine on
+
+# Website configuration
+<VirtualHost *:80>
+	ServerName {{ matrix_url }}
+	Redirect permanent / https://{{ matrix_url }}
+</VirtualHost>
+<VirtualHost *:443>
+	SSLEngine on
+	SSLCertificateFile /etc/pki/cert/crt/{{ matrix_url }}.crt
+	SSLCertificateKeyFile /etc/pki/cert/private/{{ matrix_url }}.key
+	SSLCertificateChainFile /etc/pki/cert/crt/{{ matrix_url }}-fullchain.crt
+	SSLProtocol {{ ssl_protocol }}
+	SSLCipherSuite {{ ssl_cipher_suite }}
+	ServerName {{ matrix_url }}
+	DocumentRoot {{ matrix_webroot }}
+	<Directory "{{ matrix_webroot }}">
+		Require all granted
+		AllowOverride All
+		Options MultiViews FollowSymlinks
+	</Directory>
+	ProxyPreserveHost On
+	ProxyRequests Off
+	ProxyPass / http://127.0.0.1:8008/ nocanon retry=1
+	ProxyPassReverse / https://127.0.0.1:8008/
+
+	RequestHeader set X_FORWARDED_PROTO 'https'
+	RequestHeader set X-Forwarded-Ssl on
+</VirtualHost>
--- a/roles/matrix/templates/homeserver.yaml
+++ b/roles/matrix/templates/homeserver.yaml
--- a/roles/matrix/templates/server_name.yaml
+++ b/roles/matrix/templates/server_name.yaml
@ -0,0 +1,9 @@
+# This file is autogenerated, and will be recreated on upgrade if it is deleted.
+# Any changes you make will be preserved.
+
+# The domain name of the server, with optional explicit port.
+# This is used by remote servers to connect to this server,
+# e.g. matrix.org, localhost:8080, etc.
+# This is also the last part of your UserID.
+#
+server_name: {{ matrix_server_name }}
--- a/webservers.yml
+++ b/webservers.yml
@ -9,6 +9,9 @@
    - role: backups
      tags: [ backups ]
    - role: matrix
+      vars:
+        matrix_server_name: "9iron.club"
+        matrix_url: "matrix.9iron.club"
      tags: [ fedi, matrix ]
 - hosts: web1
  roles: