From 371305bed4f88bdec320420596513c63a1bcee5e Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch" <dustin@hatch.name>
Date: Wed, 30 Dec 2020 21:42:44 -0600
Subject: [PATCH] roles/synapse: Deploy the Matrix homeserver

The *synapse* role and the corresponding `synapse.yml` playbook deploy
Synapse, the reference Matrix homeserver implementation.

Deploying Synapse itself is fairly straightforward: it is packaged by
Fedora and therefore can simply be installed via `dnf` and started by
`systemd`.  Making the service available on the Internet, however, is
more involved.  The Matrix protocol mostly works over HTTPS on the
standard port (443), so a typical reverse proxy deployment is mostly
sufficient.  Some parts of the Matrix protocol, however, involve
communication over an alternate port (8448).  This could be handled by a
reverse proxy as well, but since it is a fairly unique port, it could
also be handled by NAT/port forwarding.  In order to support both
deployment scenarios (as well as the hypothetical scenario wherein the
Synapse machine is directly accessible from the Internet), the *synapse*
role supports specifying an optional `matrix_tls_cert` variable.  If
this variable is set, it should contain the path to a certificate file
on the Ansible control machine that will be used for the "direct"
connections (i.e. on port 8448).  If it is not set, the default Apache
certificate will be used for both virtual hosts.

Synapse has a pretty extensive configuration schema, but most of the
options are set to their default values by the *synapse* role.  Other
than substituting secret keys, the only exposed configuration option is
the LDAP authentication provider.
---
 group_vars/synapse/main.yml                  |  9 +++
 group_vars/synapse/secrets                   |  9 +++
 hosts                                        |  1 +
 roles/synapse/defaults/main.yml              |  5 ++
 roles/synapse/handlers/main.yml              |  4 +
 roles/synapse/tasks/main.yml                 | 49 ++++++++++++
 roles/synapse/templates/homeserver.yaml.j2   | 81 ++++++++++++++++++++
 roles/synapse/templates/matrix.httpd.conf.j2 | 40 ++++++++++
 synapse.yml                                  | 19 +++++
 vault/synapse/hatch.chat                     | 18 +++++
 10 files changed, 235 insertions(+)
 create mode 100644 group_vars/synapse/main.yml
 create mode 100644 group_vars/synapse/secrets
 create mode 100644 roles/synapse/defaults/main.yml
 create mode 100644 roles/synapse/handlers/main.yml
 create mode 100644 roles/synapse/tasks/main.yml
 create mode 100644 roles/synapse/templates/homeserver.yaml.j2
 create mode 100644 roles/synapse/templates/matrix.httpd.conf.j2
 create mode 100644 synapse.yml
 create mode 100644 vault/synapse/hatch.chat

diff --git a/group_vars/synapse/main.yml b/group_vars/synapse/main.yml
new file mode 100644
index 0000000..6f0ab1f
--- /dev/null
+++ b/group_vars/synapse/main.yml
@@ -0,0 +1,9 @@
+apache_default_ssl_vhost: false
+matrix_server_name: hatch.chat
+synapse_ldap_enabled: true
+synapse_ldap_uri: ldap://dc0.pyrocufflink.blue:389
+synapse_ldap_base: DC=pyrocufflink,DC=blue
+synapse_ldap_bind_dn: CN=svc.synapse,CN=Users,DC=pyrocufflink,DC=blue
+synapse_ldap_bind_password: '{{ vault_synapse_ldap_bind_password }}'
+matrix_tls_cert: websites/hatch.chat.cer
+matrix_tls_key: websites/hatch.chat.key
diff --git a/group_vars/synapse/secrets b/group_vars/synapse/secrets
new file mode 100644
index 0000000..7af7e5b
--- /dev/null
+++ b/group_vars/synapse/secrets
@@ -0,0 +1,9 @@
+$ANSIBLE_VAULT;1.1;AES256
+63353463626538346438303931303537663265346634313861653364333635323337666634303136
+3036343162343532306263653634376132663836393962640a623738393633336437643330656264
+66633166306532373631323236346237626239643839313934383264393231313134323761313163
+6464626566623466630a313363386332613637346638333439666438383939306632666466353966
+30323538326462313836306563353233663935636130636361353938623331396432356436383137
+30336464646136633931613763363464373165386435613939656435663332326432396539633037
+30373035663336613937383038363032373330316137333333303632353839643338393938343238
+34393634643139323066
diff --git a/hosts b/hosts
index 0615398..4e48fc7 100644
--- a/hosts
+++ b/hosts
@@ -121,6 +121,7 @@ smtp1.pyrocufflink.blue
 
 [squid]
 
+[synapse]
 
 [vm-hosts]
 
diff --git a/roles/synapse/defaults/main.yml b/roles/synapse/defaults/main.yml
new file mode 100644
index 0000000..80ad8ea
--- /dev/null
+++ b/roles/synapse/defaults/main.yml
@@ -0,0 +1,5 @@
+synapse_ldap_enabled: false
+synapse_ldap_attributes:
+  uid: sAMAccountName
+  mail: mail
+  name: cn
diff --git a/roles/synapse/handlers/main.yml b/roles/synapse/handlers/main.yml
new file mode 100644
index 0000000..7a14c35
--- /dev/null
+++ b/roles/synapse/handlers/main.yml
@@ -0,0 +1,4 @@
+- name: restart synapse
+  service:
+    name: synapse
+    state: restarted
diff --git a/roles/synapse/tasks/main.yml b/roles/synapse/tasks/main.yml
new file mode 100644
index 0000000..2989693
--- /dev/null
+++ b/roles/synapse/tasks/main.yml
@@ -0,0 +1,49 @@
+- name: ensure synapse is installed
+  package:
+    name: matrix-synapse
+    state: present
+  tags:
+  - install
+
+- name: ensure synapse is configured
+  template:
+    src: homeserver.yaml.j2
+    dest: /etc/synapse/homeserver.yaml
+    owner: root
+    group: synapse
+    mode: '0750'
+  notify: restart synapse
+  tags:
+  - config
+
+- name: ensure apache is configured to proxy for synapse
+  template:
+    src: matrix.httpd.conf.j2
+    dest: /etc/httpd/conf.d/matrix.conf
+    mode: '0644'
+  notify: reload httpd
+  tags: httpd-conf
+
+- name: ensure apache can bind to synapse port
+  seport:
+    ports: 8448
+    proto: tcp
+    setype: http_port_t
+    state: present
+  tags:
+  - selinux
+  - seport
+
+- name: ensure apache is allowed to proxy for synapse
+  seboolean:
+    name: httpd_can_network_connect
+    persistent: true
+    state: true
+  tags:
+  - selinux
+  - seboolean
+
+- name: ensure synapse starts at boot
+  service:
+    name: synapse
+    enabled: true
diff --git a/roles/synapse/templates/homeserver.yaml.j2 b/roles/synapse/templates/homeserver.yaml.j2
new file mode 100644
index 0000000..09068a7
--- /dev/null
+++ b/roles/synapse/templates/homeserver.yaml.j2
@@ -0,0 +1,81 @@
+# vim: set ft=yaml :
+
+server_name: "{{ matrix_server_name }}"
+
+federation_ip_range_blacklist:
+- '127.0.0.0/8'
+- '10.0.0.0/8'
+- '172.16.0.0/12'
+- '192.168.0.0/16'
+- '100.64.0.0/10'
+- '169.254.0.0/16'
+- '::1/128'
+- 'fe80::/64'
+- 'fc00::/7'
+
+listeners:
+- port: 8008
+  tls: false
+  type: http
+  x_forwarded: true
+  bind_addresses: ['::1', '127.0.0.1']
+  resources:
+  - names: [client, federation]
+    compress: false
+
+retention:
+
+database:
+  name: sqlite3
+  args:
+    database: /var/lib/synapse/homeserver.db
+
+log_config: /etc/synapse/log_config.yaml
+
+media_store_path: /var/lib/synapse/media_store
+
+registration_shared_secret: '{{ synapse_registration_shared_secret }}'
+
+account_threepid_delegates:
+
+metrics_flags:
+
+report_stats: false
+
+macaroon_secret_key: '{{ synapse_macaroon_secret_key }}'
+
+form_secret: '{{ synapse_form_secret }}'
+
+signing_key_path: /etc/synapse/{{ matrix_server_name }}.signing.key
+old_signing_keys:
+
+trusted_key_servers:
+- server_name: matrix.org
+
+saml2_config:
+  user_mapping_provider:
+    config:
+
+password_config:
+
+opentracing:
+
+{% if synapse_ldap_enabled %}
+password_providers:
+ - module: ldap_auth_provider.LdapAuthProvider
+   config:
+     enabled: true
+     uri: {{ synapse_ldap_uri }}
+     start_tls: true
+     base: '{{ synapse_ldap_base }}'
+     attributes:
+{% for key, value in synapse_ldap_attributes|dictsort %}
+       {{ key }}: {{ value }}
+{% endfor %}
+{% if synapse_ldap_bind_dn|d %}
+     bind_dn: '{{ synapse_ldap_bind_dn }}'
+{% if synapse_ldap_bind_password|d %}
+     bind_password: '{{ synapse_ldap_bind_password }}'
+{% endif %}
+{% endif %}
+{% endif %}
diff --git a/roles/synapse/templates/matrix.httpd.conf.j2 b/roles/synapse/templates/matrix.httpd.conf.j2
new file mode 100644
index 0000000..b3ec10e
--- /dev/null
+++ b/roles/synapse/templates/matrix.httpd.conf.j2
@@ -0,0 +1,40 @@
+<VirtualHost *:443>
+    ServerName {{ matrix_server_name }}
+
+    Include conf.d/ssl.include
+    # This certificate must contain the hostname of THIS MACHINE in its
+    # subject/subjectAltName, so it can be validated by the reverse
+    # proxy.  The reverse proxy presents the "real" certificate to
+    # clients on the Internet.
+    SSLCertificateKeyFile {{ apache_ssl_certificate_key }}
+    SSLCertificateFile {{ apache_ssl_certificate }}
+
+    AllowEncodedSlashes NoDecode
+    ProxyPass /_matrix http://127.0.0.1:8008/_matrix nocanon
+    ProxyPassReverse /_matrix http://127.0.0.1:8008/_matrix
+</VirtualHost>
+
+Listen 8448
+
+<VirtualHost *:8448>
+    ServerName {{ matrix_server_name }}
+
+    Include conf.d/ssl.include
+{% if matrix_tls_key is defined %}
+    # This certificate is the "real" certificate, as clients on the
+    # Internet connect to this virtual host directly, not through the
+    # reverse proxy.
+    SSLCertificateKeyFile /etc/pki/tls/private/{{ matrix_tls_key|basename }}
+{% else %}
+    SSLCertificateKeyFile {{ apache_ssl_certificate_key }}
+{% endif %}
+{% if matrix_tls_cert is defined %}
+    SSLCertificateFile /etc/pki/tls/certs/{{ matrix_tls_cert|basename }}
+{% else %}
+    SSLCertificateFile {{ apache_ssl_certificate }}
+{% endif %}
+
+    AllowEncodedSlashes NoDecode
+    ProxyPass /_matrix http://127.0.0.1:8008/_matrix nocanon
+    ProxyPassReverse /_matrix http://127.0.0.1:8008/_matrix
+</VirtualHost>
diff --git a/synapse.yml b/synapse.yml
new file mode 100644
index 0000000..bcd1691
--- /dev/null
+++ b/synapse.yml
@@ -0,0 +1,19 @@
+- hosts: synapse
+  vars_files:
+  - vault/synapse/{{ matrix_server_name }}
+  roles:
+  - role: cert
+    cert_src: '{{ matrix_tls_cert }}'
+    cert_dest: /etc/pki/tls/certs/{{ matrix_tls_cert|basename }}
+    cert_key_src: '{{ matrix_tls_key }}'
+    cert_key_dest: /etc/pki/tls/private/{{ matrix_tls_key|basename }}
+    when: matrix_tls_cert is defined
+    tags: cert
+  - apache
+  - synapse
+  tasks:
+  - meta: flush_handlers
+  - name: ensure synapse is running
+    service:
+      name: synapse
+      state: started
diff --git a/vault/synapse/hatch.chat b/vault/synapse/hatch.chat
new file mode 100644
index 0000000..4b925f1
--- /dev/null
+++ b/vault/synapse/hatch.chat
@@ -0,0 +1,18 @@
+$ANSIBLE_VAULT;1.1;AES256
+34636535316233646136616261343032313135656130353638623933663137346462633561646535
+3361366164613237353862626136653266306563386233350a356637623666353335313361306333
+35386532363863313533643037633664306134336362653462356561323562633734363931363530
+3133366137336334360a336636393639653738623036356438616564373637316633393339396633
+62386561623532393433376439386466383861313137363836323835393664393936663434633262
+33363130363532653462666432323266386632616165353334353730313139663061356662383535
+33633266613438373161313830393531363635633030373265616435636663613433336661636338
+33363930316333323239383035616135383939343037373435626664323963316662613137313737
+34396435343932653233616531353061393131353134623035393030383234343731333832633963
+38376232356138366634303137303432313166643132313936633937353862393431353632613963
+61353163333662643765373939666165616363656530353465323830623439623033396338663634
+66343730613634383937613435316163336434363938366338653937356666666130663364376264
+37353634643064613237646333623163643863643637313164643164393361323434373761633739
+35643434303563663831363566653662303737653139393831343538656666333165316262326463
+34316234616263636365363636373939373134333333666365333362643930666562616539643061
+64613166366164646239383865376364393533633430336338376264363465333237303061663262
+3436