Switch Docker image to official one

Switching from from avhost/docker-matrix (silviof/docker-matrix)
to matrixdotorg/synapse.

The avhost/docker-matrix (silviof/docker-matrix) image used to bundle
in the coturn STUN/TURN server, so as part of the move,
we're separating this to a separately-ran service
(matrix-coturn.service, powered by instrumentisto/coturn-docker-image)

examples/host-vars.yml

@@ -16,4 +16,8 @@ host_specific_matrix_ssl_support_email: YOUR_EMAIL_ADDRESS_HERE
 # (for configuration purposes).
 #
 # Example value: example.com
-host_specific_hostname_identity: YOUR_BARE_DOMAIN_NAME_HERE
+host_specific_hostname_identity: YOUR_BARE_DOMAIN_NAME_HERE
+
+# A shared secret (between Synapse and Coturn) used for authentication.
+# You can put any string here, but generating a strong one is preferred (e.g. `pwgen -s 64 1`).
+matrix_coturn_turn_static_auth_secret: ""

roles/matrix-server/defaults/main.yml

@@ -36,25 +36,34 @@ matrix_postgres_data_path: "{{ matrix_base_data_path }}/postgres"
 matrix_nginx_proxy_data_path: "{{ matrix_base_data_path }}/nginx-proxy"
 matrix_nginx_proxy_confd_path: "{{ matrix_nginx_proxy_data_path }}/conf.d"
 matrix_nginx_riot_web_data_path: "{{ matrix_base_data_path }}/riot-web"
+matrix_coturn_base_path: "{{ matrix_base_data_path }}/coturn"
+matrix_coturn_config_path: "{{ matrix_coturn_base_path }}/turnserver.conf"
 matrix_scratchpad_dir: "{{ matrix_base_data_path }}/scratchpad"
 
 docker_postgres_image: "postgres:9.6.8-alpine"
-docker_matrix_image: "avhost/docker-matrix:v0.28.1"
+docker_matrix_image: "matrixdotorg/synapse:v0.30.0"
 docker_nginx_image: "nginx:1.13.12-alpine"
 docker_riot_image: "avhost/docker-matrix-riot:v0.14.2"
 docker_s3fs_image: "xueshanf/s3fs:latest"
 docker_goofys_image: "cloudproto/goofys:latest"
+docker_coturn_image: "instrumentisto/coturn:4.5.0.7"
 
 # To avoid Synapse's macaroon secret key from changing every time
 # a new config is built from scratch, you can specify one here.
 matrix_synapse_macaroon_secret_key: null
 
+
+# A shared secret (between Synapse and Coturn) used for authentication.
+# You can put any string here, but generating a strong one is preferred (e.g. `pwgen -s 64 1`).
+matrix_coturn_turn_static_auth_secret: ""
+
 # UDP port-range to use for TURN
 matrix_coturn_turn_udp_min_port: 49152
 matrix_coturn_turn_udp_max_port: 49172
 
 matrix_coturn_turn_external_ip_address: "{{ ansible_host }}"
 
+
 matrix_max_upload_size_mb: 10
 matrix_max_log_file_size_mb: 100
 matrix_max_log_files_count: 10

roles/matrix-server/tasks/main.yml

@@ -28,10 +28,16 @@
     - setup-main
     - setup-goofys
 
+- include: tasks/setup_coturn.yml
+  tags:
+    - setup-main
+    - setup-coturn
+
 - include: tasks/setup_synapse.yml
   tags:
     - setup-main
     - setup-synapse
+    - setup-coturn
 
 - include: tasks/setup_riot_web.yml
   tags:

roles/matrix-server/tasks/setup_coturn.yml

@@ -0,0 +1,42 @@
+---
+
+- name: Fail if Coturn secret is missing
+  fail:
+    msg: "You need to set a secret in the matrix_coturn_turn_static_auth_secret variable"
+  when: "matrix_coturn_turn_static_auth_secret == ''"
+
+- name: Ensure Coturn image is pulled
+  docker_image:
+    name: "{{ docker_coturn_image }}"
+
+- name: Ensure Coturn configuration path exists
+  file:
+    path: "{{ matrix_coturn_base_path }}"
+    state: directory
+    mode: 0750
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_username }}"
+
+- name: Ensure turnserver.conf installed
+  template:
+    src: "{{ role_path }}/templates/coturn/turnserver.conf.j2"
+    dest: "{{ matrix_coturn_config_path }}"
+    mode: 0644
+
+- name: Ensure matrix-coturn.service installed
+  template:
+    src: "{{ role_path }}/templates/systemd/matrix-coturn.service.j2"
+    dest: "/etc/systemd/system/matrix-coturn.service"
+    mode: 0644
+
+- name: Allow access to Coturn ports in firewalld
+  firewalld:
+    port: "{{ item }}"
+    state: enabled
+    immediate: yes
+    permanent: yes
+  with_items:
+    - '3478/tcp' # STUN
+    - '3478/udp' # STUN
+    - "{{ matrix_coturn_turn_udp_min_port }}-{{ matrix_coturn_turn_udp_max_port }}/udp" # TURN
+  when: ansible_os_family == 'RedHat'

roles/matrix-server/tasks/setup_synapse.yml

@@ -49,8 +49,9 @@
     cleanup: yes
     command: generate
     env:
-      SERVER_NAME: "{{ hostname_matrix }}"
-      REPORT_STATS: "no"
+      SYNAPSE_CONFIG_PATH: "/data/homeserver.yaml"
+      SYNAPSE_SERVER_NAME: "{{ hostname_matrix }}"
+      SYNAPSE_REPORT_STATS: "no"
     user: "{{ matrix_user_uid }}:{{ matrix_user_gid }}"
     volumes:
       - "{{ matrix_synapse_config_dir_path }}:/data"
@@ -74,6 +75,7 @@
     line: '{{ item.line }}'
   with_items:
     - {"regexp": "^log_file:", "line": 'log_file: "/matrix-run/homeserver.log"'}
+    - {"regexp": "^uploads_path:", "line": 'uploads_path: "/matrix-run/uploads"'}
     - {"regexp": "^server_name:", "line": 'server_name: "{{ hostname_identity }}"'}
     - {"regexp": "^turn_allow_guests:", "line": 'turn_allow_guests: False'}
     - {"regexp": "^url_preview_enabled:", "line": 'url_preview_enabled: True'}
@@ -117,15 +119,14 @@
     regexp: '(.*)name: "psycopg2"((?:.|\n)*?)\n\n'
     replace: '\1name: "psycopg2"\n\1args:\n\1\1user: "{{ matrix_postgres_connection_username }}"\n\1\1password: "{{ matrix_postgres_connection_password }}"\n\1\1database: "{{ matrix_postgres_db_name }}"\n\1\1host: "{{ matrix_postgres_connection_hostname }}"\n\1\1cp_min: 5\n\1\1cp_max: 10\n\n'
 
-- name: Augment Matrix config (configure Coturn)
-  lineinfile: "dest={{ matrix_synapse_config_dir_path }}/turnserver.conf"
+- name: Augment Matrix config (configure TURN)
+  lineinfile: "dest={{ matrix_synapse_config_dir_path }}/homeserver.yaml"
   args:
-    regexp: "^{{ item.variable }}="
-    line: '{{ item.variable }}={{ item.value }}'
+    regexp: "{{ item.regexp }}"
+    line: '{{ item.line }}'
   with_items:
-    - {'variable': 'min-port', 'value': "{{ matrix_coturn_turn_udp_min_port }}"}
-    - {'variable': 'max-port', 'value': "{{ matrix_coturn_turn_udp_max_port }}"}
-    - {'variable': 'external-ip', 'value': "{{ matrix_coturn_turn_external_ip_address }}"}
+    - {"regexp": "^turn_uris:", "line": 'turn_uris: ["turn:{{ hostname_matrix }}:3478?transport=udp", "turn:{{ hostname_matrix }}:3478?transport=tcp"]'}
+    - {"regexp": "^turn_shared_secret:", "line": 'turn_shared_secret: "{{ matrix_coturn_turn_static_auth_secret }}"'}
 
 - name: Allow access to Matrix ports in firewalld
   firewalld:
@@ -135,9 +136,6 @@
     permanent: yes
   with_items:
     - '8448/tcp' # Matrix federation
-    - '3478/tcp' # STUN
-    - '3478/udp' # STUN
-    - "{{ matrix_coturn_turn_udp_min_port }}-{{ matrix_coturn_turn_udp_max_port }}/udp" # TURN
   when: ansible_os_family == 'RedHat'
 
 - name: Ensure matrix-synapse.service installed

roles/matrix-server/tasks/start.yml

@@ -8,6 +8,9 @@
   service: name=matrix-goofys enabled=yes state=restarted daemon_reload=yes
   when: matrix_s3_media_store_enabled
 
+- name: Ensure matrix-coturn autoruns and is restarted
+  service: name=matrix-coturn enabled=yes state=restarted daemon_reload=yes
+
 - name: Ensure matrix-synapse autoruns and is restarted
   service: name=matrix-synapse enabled=yes state=restarted daemon_reload=yes
 

roles/matrix-server/templates/coturn/turnserver.conf.j2

@@ -0,0 +1,15 @@
+lt-cred-mech
+use-auth-secret
+static-auth-secret={{ matrix_coturn_turn_static_auth_secret }}
+realm=turn.{{ hostname_matrix }}
+cert=/matrix-config/{{ hostname_matrix }}.tls.crt
+pkey=/matrix-config/{{ hostname_matrix }}.tls.key
+dh-file=/matrix-config/{{ hostname_matrix }}.tls.dh
+cipher-list="HIGH"
+min-port={{ matrix_coturn_turn_udp_min_port }}
+max-port={{ matrix_coturn_turn_udp_max_port }}
+external-ip={{ matrix_coturn_turn_external_ip_address }}
+log-file=stdout
+pidfile=/var/tmp/turnserver.pid
+userdb=/var/tmp/turnserver.db
+no-cli

roles/matrix-server/templates/systemd/matrix-coturn.service.j2

@@ -0,0 +1,25 @@
+[Unit]
+Description=Matrix Coturn server
+After=docker.service
+Requires=docker.service
+
+[Service]
+Type=simple
+ExecStartPre=-/usr/bin/docker kill matrix-coturn
+ExecStartPre=-/usr/bin/docker rm matrix-coturn
+ExecStart=/usr/bin/docker run --rm --name matrix-coturn \
+			--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
+			-p 3478:3478 \
+			-p 3478:3478/udp \
+			-p {{ matrix_coturn_turn_udp_min_port }}-{{ matrix_coturn_turn_udp_max_port }}:{{ matrix_coturn_turn_udp_min_port }}-{{ matrix_coturn_turn_udp_max_port }}/udp \
+			-v {{ matrix_synapse_config_dir_path }}:/matrix-config:ro \
+			-v {{ matrix_coturn_config_path }}:/turnserver.conf:ro \
+			{{ docker_coturn_image }} \
+			-c /turnserver.conf
+ExecStop=-/usr/bin/docker kill matrix-coturn
+ExecStop=-/usr/bin/docker rm matrix-coturn
+Restart=always
+RestartSec=30
+
+[Install]
+WantedBy=multi-user.target

roles/matrix-server/templates/systemd/matrix-synapse.service.j2

@@ -10,6 +10,8 @@ After=matrix-postgres.service
 After=matrix-goofys.service
 Requires=matrix-goofys.service
 {% endif %}
+After=matrix-coturn.service
+Requires=matrix-coturn.service
 
 [Service]
 Type=simple
@@ -29,12 +31,10 @@ ExecStart=/usr/bin/docker run --rm --name matrix-synapse \
 			{% if not matrix_nginx_proxy_enabled %}
 			-p 127.0.0.1:8008:8008 \
 			{% endif %}
-			-p 3478:3478 \
-			-p 3478:3478/udp \
-			-p {{ matrix_coturn_turn_udp_min_port }}-{{ matrix_coturn_turn_udp_max_port }}:{{ matrix_coturn_turn_udp_min_port }}-{{ matrix_coturn_turn_udp_max_port }}/udp \
 			-v {{ matrix_synapse_config_dir_path }}:/data \
 			-v {{ matrix_synapse_run_path }}:/matrix-run \
 			-v {{ matrix_synapse_storage_path }}:/matrix-storage:slave \
+			-e SYNAPSE_CONFIG_PATH=/data/homeserver.yaml \
 			{{ docker_matrix_image }}
 ExecStop=-/usr/bin/docker kill matrix-synapse
 ExecStop=-/usr/bin/docker rm matrix-synapse