Initial work on Synapse 0.99/1.0 preparation

2025-06-25 18:57:50 +02:00 · 2019-02-05 11:07:08 +02:00
parent e06e5dd208
commit f6ebd4ce62
19 changed files with 416 additions and 130 deletions
--- a/roles/matrix-synapse/defaults/main.yml
+++ b/roles/matrix-synapse/defaults/main.yml
@ -8,7 +8,12 @@ matrix_synapse_media_store_path: "{{ matrix_synapse_storage_path }}/media-store"
 matrix_synapse_ext_path: "{{ matrix_synapse_base_path }}/ext"

 # Controls whether the Synapse container exposes the Client/Server API port (tcp/8008).
-matrix_synapse_container_expose_client_server_api_port: false
+matrix_synapse_container_expose_client_api_port: false
+
+# Controls whether the Synapse container exposes the Server/Server (Federation) API port (tcp/8048).
+# This is for the plain HTTP API. If you need Synapse to handle TLS encryption,
+# that would be on another port (tcp/8448) controlled by `matrix_synapse_tls_federation_listener_enabled`.
+matrix_synapse_container_expose_federation_api_port: false

 # Controls whether the Appservice IRC container exposes the Client/Server API port (tcp/9999).
 matrix_appservice_irc_container_expose_client_server_api_port: false
@ -60,6 +65,17 @@ matrix_synapse_root_log_level: "INFO"
 matrix_synapse_rc_messages_per_second: 0.2
 matrix_synapse_rc_message_burst_count: 10.0

+# If you're serving Synapse behind an HTTPS-capable reverse-proxy,
+# you can disable TLS completely (`matrix_synapse_no_tls: true`).
+# Otherwise, you would need to provide certificate files to it.
+matrix_synapse_no_tls: false
+# Controls whether the TLS federation listener is enabled (tcp/8448).
+# Note that federation may potentially be enabled on tcp/8008 as well.
+# Only makes sense if federation is not disabled (`matrix_synapse_federation_enabled`).
+matrix_synapse_tls_federation_listener_enabled: "{{ not matrix_synapse_no_tls }}"
+matrix_synapse_tls_certificate_path: "/data/{{ hostname_matrix }}.tls.crt"
+matrix_synapse_tls_private_key_path: "/data/{{ hostname_matrix }}.tls.key"
+
 # Enable this to allow Synapse to report utilization statistics about your server to matrix.org
 # (things like number of users, number of messages sent, uptime, load, etc.)
 matrix_synapse_report_stats: false
@ -95,6 +111,8 @@ matrix_synapse_cache_factor: 0.5

 # Controls whether Matrix Synapse will federate at all.
 # Disable this to completely isolate your server from the rest of the Matrix network.
+# Also see: `matrix_synapse_tls_federation_listener_enabled` if you wish to keep federation enabled,
+# but want to stop the TLS listener (port 8448).
 matrix_synapse_federation_enabled: true

 # A list of domain names that are allowed to federate with the given Matrix Synapse server.
--- a/roles/matrix-synapse/tasks/setup_synapse_main.yml
+++ b/roles/matrix-synapse/tasks/setup_synapse_main.yml
@ -58,6 +58,61 @@
    dest: "{{ matrix_synapse_config_dir_path }}/{{ hostname_matrix }}.log.config"
    mode: 0644

+#
+# To make Synapse 0.99 happy, we need to generate a valid (self-signed is OK) certificate file that we provide to it.
+# It won't be used for anything important, but it needs to be there.
+# See https://github.com/matrix-org/synapse/issues/4554
+#
+# Previously, Synapse would generate such certificate files and actually use them.
+# So existing installations already have them.
+#
+
+- name: Check if Synapse certificate exists
+  stat:
+    path: "{{ matrix_synapse_config_dir_path }}/{{ hostname_matrix }}.tls.crt"
+  register: matrix_synapse_certificate_stat
+
+- name: Ensure OpenSSL installed (RedHat)
+  yum:
+    name:
+      - openssl
+    state: present
+    update_cache: no
+  when: "not matrix_synapse_certificate_stat.stat.exists and ansible_os_family == 'RedHat'"
+
+- name: Ensure OpenSSL installed (Debian)
+  apt:
+    name:
+      - openssl
+    state: present
+    update_cache: no
+  when: "not matrix_synapse_certificate_stat.stat.exists and ansible_os_family == 'Debian'"
+
+# The proper way to do this is by using a sequence of
+# `openssl_privatekey`, `openssl_csr` and `openssl_certificate`.
+#
+# Unfortunately, `openssl_csr` and `openssl_certificate` require `PyOpenSSL>=0.15` to work,
+# which is not available on CentOS 7 (at least).
+#
+# We'll do it in a more manual way.
+- name: Generate SSL certificate
+  command: |
+    openssl req -x509 \
+    -sha256 \
+    -newkey rsa:4096 \
+    -nodes \
+    -subj "/CN={{ hostname_matrix }}" \
+    -keyout {{ matrix_synapse_config_dir_path }}/{{ hostname_matrix }}.tls.key \
+    -out {{ matrix_synapse_config_dir_path }}/{{ hostname_matrix }}.tls.crt \
+    -days 3650
+  become: true
+  become_user: "{{ matrix_user_username }}"
+  when: "not matrix_synapse_certificate_stat.stat.exists"
+
+#
+# End of tasks related to making Synapse 0.99 happy.
+#
+
 - name: Ensure matrix-synapse.service installed
  template:
    src: "{{ role_path }}/templates/synapse/systemd/matrix-synapse.service.j2"
--- a/roles/matrix-synapse/tasks/validate_config.yml
+++ b/roles/matrix-synapse/tasks/validate_config.yml
@ -6,4 +6,14 @@
      You need to define a required configuration setting (`{{ item }}`) for using Synapse.
  when: "vars[item] == ''"
  with_items:
-    - "matrix_synapse_macaroon_secret_key"
+    - "matrix_synapse_macaroon_secret_key"
+
+- name: (Deprecation) Catch and report renamed settings
+  fail:
+    msg: >
+      Your configuration contains a variable, which now has a different name.
+      Please change your configuration to rename the variable (`{{ item.old }}` -> `{{ item.new }}`).
+  when: "item.old in vars"
+  with_items:
+    - {'old': 'matrix_synapse_container_expose_api_port', 'new': 'matrix_synapse_container_expose_client_api_port'}
+
--- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2
+++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2
@ -1,19 +1,70 @@
 # vim:ft=yaml
-# PEM encoded X509 certificate for TLS.
-# You can replace the self-signed certificate that synapse
-# autogenerates on launch with your own SSL certificate + key pair
-# if you like.  Any required intermediary certificates can be
-# appended after the primary certificate in hierarchical order.
-tls_certificate_path: "/data/{{ hostname_matrix }}.tls.crt"
+# PEM-encoded X509 certificate for TLS.
+# This certificate, as of Synapse 1.0, will need to be a valid and verifiable
+# certificate, signed by a recognised Certificate Authority.
+#
+# See 'ACME support' below to enable auto-provisioning this certificate via
+# Let's Encrypt.
+#
+tls_certificate_path: "{{ matrix_synapse_tls_certificate_path }}"

-# PEM encoded private key for TLS
-tls_private_key_path: "/data/{{ hostname_matrix }}.tls.key"
+# PEM-encoded private key for TLS
+tls_private_key_path: "{{ matrix_synapse_tls_private_key_path }}"

-# PEM dh parameters for ephemeral keys
-tls_dh_params_path: "/data/{{ hostname_matrix }}.tls.dh"
+# ACME support: This will configure Synapse to request a valid TLS certificate
+# for your configured `server_name` via Let's Encrypt.
+#
+# Note that provisioning a certificate in this way requires port 80 to be
+# routed to Synapse so that it can complete the http-01 ACME challenge.
+# By default, if you enable ACME support, Synapse will attempt to listen on
+# port 80 for incoming http-01 challenges - however, this will likely fail
+# with 'Permission denied' or a similar error.
+#
+# There are a couple of potential solutions to this:
+#
+#  * If you already have an Apache, Nginx, or similar listening on port 80,
+#    you can configure Synapse to use an alternate port, and have your web
+#    server forward the requests. For example, assuming you set 'port: 8009'
+#    below, on Apache, you would write:
+#
+#    ProxyPass /.well-known/acme-challenge http://localhost:8009/.well-known/acme-challenge
+#
+#  * Alternatively, you can use something like `authbind` to give Synapse
+#    permission to listen on port 80.
+#
+acme:
+    # ACME support is disabled by default. Uncomment the following line
+    # to enable it.
+    #
+    # enabled: true

-# Don't bind to the https port
-no_tls: False
+    # Endpoint to use to request certificates. If you only want to test,
+    # use Let's Encrypt's staging url:
+    #     https://acme-staging.api.letsencrypt.org/directory
+    #
+    # url: https://acme-v01.api.letsencrypt.org/directory
+
+    # Port number to listen on for the HTTP-01 challenge. Change this if
+    # you are forwarding connections through Apache/Nginx/etc.
+    #
+    # port: 80
+
+    # Local addresses to listen on for incoming connections.
+    # Again, you may want to change this if you are forwarding connections
+    # through Apache/Nginx/etc.
+    #
+    # bind_addresses: ['::', '0.0.0.0']
+
+    # How many days remaining on a certificate before it is renewed.
+    #
+    # reprovision_threshold: 30
+
+# If your server runs behind a reverse-proxy which terminates TLS connections
+# (for both client and federation connections), it may be useful to disable
+# All TLS support for incoming connections. Setting no_tls to True will
+# do so (and avoid the need to give synapse a TLS private key).
+#
+no_tls: {{ matrix_synapse_no_tls|to_json }}

 # List of allowed TLS fingerprints for this server to publish along
 # with the signing keys for this server. Other matrix servers that
@ -133,7 +184,8 @@ listeners:
    bind_addresses:
      - '0.0.0.0'
 {% endif %}
-{% if matrix_synapse_federation_enabled %}
+
+{% if matrix_synapse_federation_enabled and matrix_synapse_tls_federation_listener_enabled %}
  # Main HTTPS listener
  # For when matrix traffic is sent directly to synapse.
  -
@ -168,7 +220,7 @@ listeners:
    #     config: {}
 {% endif %}

-  # Unsecure HTTP listener,
+  # Unsecure HTTP listener for the Client API,
  # For when matrix traffic passes through loadbalancer that unwraps TLS.
  - port: 8008
    tls: false
@ -181,6 +233,21 @@ listeners:
      - names: [client]
        compress: false

+{% if matrix_synapse_federation_enabled %}
+  # Unsecure HTTP listener for the Federation API,
+  # For when matrix traffic passes through loadbalancer that unwraps TLS.
+  - port: 8048
+    tls: false
+    bind_addresses: ['::']
+    type: http
+
+    x_forwarded: true
+
+    resources:
+      - names: [federation]
+        compress: false
+{% endif %}
+
  # Turn on the twisted ssh manhole service on localhost on the given
  # port.
  # - port: 9000
--- a/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2
+++ b/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2
@ -28,11 +28,14 @@ ExecStart=/usr/bin/docker run --rm --name matrix-synapse \
 			--tmpfs=/tmp:rw,noexec,nosuid,size={{ matrix_synapse_tmp_directory_size_mb }}m \
 			--network={{ matrix_docker_network }} \
 			-e SYNAPSE_CACHE_FACTOR={{ matrix_synapse_cache_factor }} \
-			{% if matrix_synapse_federation_enabled %}
+			{% if matrix_synapse_container_expose_client_api_port %}
+			-p 127.0.0.1:8008:8008 \
+			{% endif %}
+			{% if matrix_synapse_federation_enabled and matrix_synapse_tls_federation_listener_enabled %}
 			-p 8448:8448 \
 			{% endif %}
-			{% if matrix_synapse_container_expose_client_server_api_port %}
-			-p 127.0.0.1:8008:8008 \
+			{% if matrix_synapse_federation_enabled and matrix_synapse_container_expose_federation_api_port %}
+			-p 127.0.0.1:8048:8048 \
 			{% endif %}
 			{% if matrix_synapse_container_expose_metrics_port %}
 			-p 127.0.0.1:{{ matrix_synapse_metrics_port }}:{{ matrix_synapse_metrics_port }} \