roles/synapse: Deploy the Matrix homeserver

The *synapse* role and the corresponding `synapse.yml` playbook deploy
Synapse, the reference Matrix homeserver implementation.

Deploying Synapse itself is fairly straightforward: it is packaged by
Fedora and therefore can simply be installed via `dnf` and started by
`systemd`.  Making the service available on the Internet, however, is
more involved.  The Matrix protocol mostly works over HTTPS on the
standard port (443), so a typical reverse proxy deployment is mostly
sufficient.  Some parts of the Matrix protocol, however, involve
communication over an alternate port (8448).  This could be handled by a
reverse proxy as well, but since it is a fairly unique port, it could
also be handled by NAT/port forwarding.  In order to support both
deployment scenarios (as well as the hypothetical scenario wherein the
Synapse machine is directly accessible from the Internet), the *synapse*
role supports specifying an optional `matrix_tls_cert` variable.  If
this variable is set, it should contain the path to a certificate file
on the Ansible control machine that will be used for the "direct"
connections (i.e. on port 8448).  If it is not set, the default Apache
certificate will be used for both virtual hosts.

Synapse has a pretty extensive configuration schema, but most of the
options are set to their default values by the *synapse* role.  Other
than substituting secret keys, the only exposed configuration option is
the LDAP authentication provider.

roles/synapse/defaults/main.yml

@@ -0,0 +1,5 @@
+synapse_ldap_enabled: false
+synapse_ldap_attributes:
+  uid: sAMAccountName
+  mail: mail
+  name: cn

roles/synapse/handlers/main.yml

@@ -0,0 +1,4 @@
+- name: restart synapse
+  service:
+    name: synapse
+    state: restarted

roles/synapse/tasks/main.yml

@@ -0,0 +1,49 @@
+- name: ensure synapse is installed
+  package:
+    name: matrix-synapse
+    state: present
+  tags:
+  - install
+
+- name: ensure synapse is configured
+  template:
+    src: homeserver.yaml.j2
+    dest: /etc/synapse/homeserver.yaml
+    owner: root
+    group: synapse
+    mode: '0750'
+  notify: restart synapse
+  tags:
+  - config
+
+- name: ensure apache is configured to proxy for synapse
+  template:
+    src: matrix.httpd.conf.j2
+    dest: /etc/httpd/conf.d/matrix.conf
+    mode: '0644'
+  notify: reload httpd
+  tags: httpd-conf
+
+- name: ensure apache can bind to synapse port
+  seport:
+    ports: 8448
+    proto: tcp
+    setype: http_port_t
+    state: present
+  tags:
+  - selinux
+  - seport
+
+- name: ensure apache is allowed to proxy for synapse
+  seboolean:
+    name: httpd_can_network_connect
+    persistent: true
+    state: true
+  tags:
+  - selinux
+  - seboolean
+
+- name: ensure synapse starts at boot
+  service:
+    name: synapse
+    enabled: true

roles/synapse/templates/homeserver.yaml.j2

@@ -0,0 +1,81 @@
+# vim: set ft=yaml :
+
+server_name: "{{ matrix_server_name }}"
+
+federation_ip_range_blacklist:
+- '127.0.0.0/8'
+- '10.0.0.0/8'
+- '172.16.0.0/12'
+- '192.168.0.0/16'
+- '100.64.0.0/10'
+- '169.254.0.0/16'
+- '::1/128'
+- 'fe80::/64'
+- 'fc00::/7'
+
+listeners:
+- port: 8008
+  tls: false
+  type: http
+  x_forwarded: true
+  bind_addresses: ['::1', '127.0.0.1']
+  resources:
+  - names: [client, federation]
+    compress: false
+
+retention:
+
+database:
+  name: sqlite3
+  args:
+    database: /var/lib/synapse/homeserver.db
+
+log_config: /etc/synapse/log_config.yaml
+
+media_store_path: /var/lib/synapse/media_store
+
+registration_shared_secret: '{{ synapse_registration_shared_secret }}'
+
+account_threepid_delegates:
+
+metrics_flags:
+
+report_stats: false
+
+macaroon_secret_key: '{{ synapse_macaroon_secret_key }}'
+
+form_secret: '{{ synapse_form_secret }}'
+
+signing_key_path: /etc/synapse/{{ matrix_server_name }}.signing.key
+old_signing_keys:
+
+trusted_key_servers:
+- server_name: matrix.org
+
+saml2_config:
+  user_mapping_provider:
+    config:
+
+password_config:
+
+opentracing:
+
+{% if synapse_ldap_enabled %}
+password_providers:
+ - module: ldap_auth_provider.LdapAuthProvider
+   config:
+     enabled: true
+     uri: {{ synapse_ldap_uri }}
+     start_tls: true
+     base: '{{ synapse_ldap_base }}'
+     attributes:
+{% for key, value in synapse_ldap_attributes|dictsort %}
+       {{ key }}: {{ value }}
+{% endfor %}
+{% if synapse_ldap_bind_dn|d %}
+     bind_dn: '{{ synapse_ldap_bind_dn }}'
+{% if synapse_ldap_bind_password|d %}
+     bind_password: '{{ synapse_ldap_bind_password }}'
+{% endif %}
+{% endif %}
+{% endif %}

roles/synapse/templates/matrix.httpd.conf.j2

@@ -0,0 +1,40 @@
+<VirtualHost *:443>
+    ServerName {{ matrix_server_name }}
+
+    Include conf.d/ssl.include
+    # This certificate must contain the hostname of THIS MACHINE in its
+    # subject/subjectAltName, so it can be validated by the reverse
+    # proxy.  The reverse proxy presents the "real" certificate to
+    # clients on the Internet.
+    SSLCertificateKeyFile {{ apache_ssl_certificate_key }}
+    SSLCertificateFile {{ apache_ssl_certificate }}
+
+    AllowEncodedSlashes NoDecode
+    ProxyPass /_matrix http://127.0.0.1:8008/_matrix nocanon
+    ProxyPassReverse /_matrix http://127.0.0.1:8008/_matrix
+</VirtualHost>
+
+Listen 8448
+
+<VirtualHost *:8448>
+    ServerName {{ matrix_server_name }}
+
+    Include conf.d/ssl.include
+{% if matrix_tls_key is defined %}
+    # This certificate is the "real" certificate, as clients on the
+    # Internet connect to this virtual host directly, not through the
+    # reverse proxy.
+    SSLCertificateKeyFile /etc/pki/tls/private/{{ matrix_tls_key|basename }}
+{% else %}
+    SSLCertificateKeyFile {{ apache_ssl_certificate_key }}
+{% endif %}
+{% if matrix_tls_cert is defined %}
+    SSLCertificateFile /etc/pki/tls/certs/{{ matrix_tls_cert|basename }}
+{% else %}
+    SSLCertificateFile {{ apache_ssl_certificate }}
+{% endif %}
+
+    AllowEncodedSlashes NoDecode
+    ProxyPass /_matrix http://127.0.0.1:8008/_matrix nocanon
+    ProxyPassReverse /_matrix http://127.0.0.1:8008/_matrix
+</VirtualHost>