From 69981787759ae04a2fced935a42fa4cd29e2b69b Mon Sep 17 00:00:00 2001 From: Mathias Teier Date: Sun, 10 Jan 2021 17:40:52 +0100 Subject: [PATCH] Add configuration for Matrix/Synapse --- .gitignore | 2 + README.md | 8 ++- minecraft/docker-compose.yml | 1 + nginx/playbook-nginx.yml | 2 +- nginx/sites/nextcloud | 1 + nginx/sites/synapse | 25 +++++++ nummus/docker-compose.yml | 2 +- nummus/teardown.yml | 2 +- synapse/config/.gitkeep | 0 synapse/config/log.yaml | 22 ++++++ synapse/docker-compose.yml | 16 +++++ synapse/generate-signing-key.py | 25 +++++++ synapse/homeserver.template.yaml | 112 +++++++++++++++++++++++++++++++ synapse/start.yml | 86 ++++++++++++++++++++++++ synapse/stop.yml | 6 ++ synapse/teardown.yml | 7 ++ ufw/playbook-ufw.yml | 6 ++ 17 files changed, 319 insertions(+), 4 deletions(-) create mode 100644 nginx/sites/synapse create mode 100644 synapse/config/.gitkeep create mode 100644 synapse/config/log.yaml create mode 100644 synapse/docker-compose.yml create mode 100644 synapse/generate-signing-key.py create mode 100644 synapse/homeserver.template.yaml create mode 100644 synapse/start.yml create mode 100644 synapse/stop.yml create mode 100644 synapse/teardown.yml diff --git a/.gitignore b/.gitignore index a8ca3c1..d353862 100644 --- a/.gitignore +++ b/.gitignore @@ -1,4 +1,6 @@ .env minecraft/server.jar starbound/binaries +synapse/config/homeserver.yaml +synapse/config/matrix-signing.key !starbound/binaries/.gitkeep \ No newline at end of file diff --git a/README.md b/README.md index 0f26ce7..22cbba1 100644 --- a/README.md +++ b/README.md 
@@ -15,4 +15,10 @@ To use the minecraft server, just copy the `server.jar` from `minecraft.net` to ## Starbound My Starbound container only works with the **GOG version!** -After installing Starboud on your gaming machine, archive all files from `~/GOG Games/Starbound/game/` into `starbound/binaries/binaries.tar.gz` and then run `ansible-playbook starbound/start.yml` \ No newline at end of file +After installing Starboud on your gaming machine, archive all files from `~/GOG Games/Starbound/game/` into `starbound/binaries/binaries.tar.gz` and then run `ansible-playbook starbound/start.yml` + +## Matrix Synapse +Before using Synapse you have to copy the file synapse/homserver.template.yaml to `synapse/config/homserver.yaml` and insert all missing values (like Shared registartion key) +Secondly you have to generate the signing key by running the `generate-signing-key.py` script and placing it in `synapse/config/matrix-signing.key`. Please not that signedjson python module has to be installed. +Thanks to Abel Luck for putting that script on GitHub Gist: [https://gist.github.com/abeluck/bb7b28fa75872212839e6fb3f07000d3]() +After that you can just start Synapse by `ansible-playbook starbound/start.yml` \ No newline at end of file diff --git a/minecraft/docker-compose.yml b/minecraft/docker-compose.yml index d4d62ab..295d647 100644 --- a/minecraft/docker-compose.yml +++ b/minecraft/docker-compose.yml @@ -3,6 +3,7 @@ services: minecraft: build: context: . + restart: always volumes: - /var/minecraft/world:/minecraft/world - /var/minecraft/ops.json:/minecraft/ops.json diff --git a/nginx/playbook-nginx.yml b/nginx/playbook-nginx.yml index ce95702..0b9068d 100644 --- a/nginx/playbook-nginx.yml +++ b/nginx/playbook-nginx.yml 
@@ -20,7 +20,7 @@ shell: "rm -f /etc/nginx/sites-enabled/*" - name: Get Certificate - shell: certbot certonly --standalone --preferred-challenges http -m mathias.teier@icloud.com --agree-tos -n -d teier.eu -d cloud.teier.eu -d nummus.teier.eu -d www.teier.eu + shell: certbot certonly --standalone --preferred-challenges http -m mathias.teier@icloud.com --agree-tos -n -d teier.eu -d cloud.teier.eu -d nummus.teier.eu -d www.teier.eu -d collabora.teier.eu -d matrix.teier.eu - name: Install nginx server config copy: diff --git a/nginx/sites/nextcloud b/nginx/sites/nextcloud index 36cbe0f..6cb1a6b 100644 --- a/nginx/sites/nextcloud +++ b/nginx/sites/nextcloud @@ -29,5 +29,6 @@ server { proxy_set_header Host $host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Frame-Options "SAMEORIGIN"; } } \ No newline at end of file diff --git a/nginx/sites/synapse b/nginx/sites/synapse new file mode 100644 index 0000000..a7c31ec --- /dev/null +++ b/nginx/sites/synapse @@ -0,0 +1,25 @@ +server { + listen 80; + server_name matrix.teier.eu; + return 301 https://$server_name:443$request_uri; +} + +server { + listen 443 ssl http2; + + # Federation Port + listen 8448 ssl http2; + + ssl on; + ssl_certificate /etc/letsencrypt/live/teier.eu/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/teier.eu/privkey.pem; + + server_name matrix.teier.eu; + + location ~* ^(\/_matrix|\/_synapse\/client) { + proxy_pass http://127.0.0.1:8008; + proxy_set_header X-Forwarded-For $remote_addr; + + client_max_body_size 50M; + } +} diff --git a/nummus/docker-compose.yml b/nummus/docker-compose.yml index f627843..078217d 100644 --- a/nummus/docker-compose.yml +++ b/nummus/docker-compose.yml @@ -1,7 +1,7 @@ version: '2.4' services: nummus: - image: glenroy37/nummus:0.1-alpha + image: glenroy37/nummus:0.1.1-alpha environment: DB_HOST: mariadb DB_USER: nummus 
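Review bot: `proxy_set_header X-Frame-Options "SAMEORIGIN";` in the nextcloud location block sets a header on the request that nginx sends to the upstream, not on the response returned to the browser, so it adds no clickjacking protection at all. The response-side directive is `add_header X-Frame-Options "SAMEORIGIN";` (and note that an `add_header` inside a location block replaces any `add_header` lines inherited from the server block, so those must be repeated there). Nextcloud normally emits this header itself, so check the actual response headers before keeping a duplicate that could produce two conflicting values. The enclosing server block starts before the hunk.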
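Review bot: The new synapse site forwards only `proxy_set_header X-Forwarded-For $remote_addr;`, while the homeserver template added in this same commit configures the 8008 listener with `x_forwarded: false`, so Synapse will ignore that header and attribute every request to 127.0.0.1, which makes its per-IP rate limits and the client IPs recorded for devices and logins meaningless. Set `x_forwarded: true` in the listener and add `proxy_set_header X-Forwarded-Proto $scheme;` and `proxy_set_header Host $host;` next to the existing header so Synapse sees the real client address and scheme. `ssl on;` is redundant with `listen 443 ssl http2;` and is deprecated in current nginx releases, so it can be dropped.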
diff --git a/nummus/teardown.yml b/nummus/teardown.yml index 8fef6f2..57abdb7 100644 --- a/nummus/teardown.yml +++ b/nummus/teardown.yml @@ -3,5 +3,5 @@ gather_facts: no tasks: tasks: - - name: Start Nummus + - name: Teardown Nummus shell: "cd /dc/nummus && docker-compose down" \ No newline at end of file diff --git a/synapse/config/.gitkeep b/synapse/config/.gitkeep new file mode 100644 index 0000000..e69de29 diff --git a/synapse/config/log.yaml b/synapse/config/log.yaml new file mode 100644 index 0000000..917fb9b --- /dev/null +++ b/synapse/config/log.yaml @@ -0,0 +1,22 @@ +version: 1 + +formatters: + precise: + format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s - %(message)s' + +handlers: + console: + class: logging.StreamHandler + formatter: precise + +loggers: + synapse.storage.SQL: + # beware: increasing this to DEBUG will make synapse log sensitive + # information such as access tokens. + level: INFO + +root: + level: "INFO" + handlers: [console] + +disable_existing_loggers: false \ No newline at end of file diff --git a/synapse/docker-compose.yml b/synapse/docker-compose.yml new file mode 100644 index 0000000..28c5e0b --- /dev/null +++ b/synapse/docker-compose.yml @@ -0,0 +1,16 @@ +version: '2.4' +services: + synapse: + image: matrixdotorg/synapse:latest + restart: always + healthcheck: + test: ["CMD", "curl", "-fSs", "http://localhost:8008/health"] + interval: 1m + timeout: 10s + retries: 3 + ports: + - 8008:8008 + environment: + SYNAPSE_SERVER_NAME: matrix.teier.eu + volumes: + - /var/synapse:/data \ No newline at end of file diff --git a/synapse/generate-signing-key.py b/synapse/generate-signing-key.py new file mode 100644 index 0000000..fd12939 --- /dev/null +++ b/synapse/generate-signing-key.py 
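Review bot: `ports: - 8008:8008` publishes the plaintext client/federation listener on every host interface, and Docker installs its own iptables rules ahead of ufw, so the ufw rules in this commit (which only open 8448) do not prevent direct internet access to 8008; bind it to loopback with `- 127.0.0.1:8008:8008`, since nginx on the same host is the only intended client. `image: matrixdotorg/synapse:latest` is unpinned, so any pull can silently move to a new major release whose start-up runs database migrations; pin a version tag and bump it deliberately. The `SYNAPSE_SERVER_NAME` environment value duplicates `server_name` in the copied homeserver.yaml, so a comment noting which one wins for this image would save the next maintainer a surprise.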
@@ -0,0 +1,25 @@
+# Generate a signing key for synapse from the command line
+#
+# Usage: python3 generate-signing-key.py
+#
+# You must have the signedjson package installed, pip3 install signedjson
+# You must use python3
+#
+# Author: Abel Luck
+# Updated: April 25 2019
+
+import random
+import string
+import io
+from signedjson.key import generate_signing_key, write_signing_keys
+
+
+def random_string(length):
+    return ''.join(random.choice(string.ascii_letters) for _ in range(length))
+
+
+key_id = "a_" + random_string(4)
+with io.StringIO() as f:
+    write_signing_keys(f, (generate_signing_key(key_id),),)
+    f.seek(0)
+    print(f.read())
diff --git a/synapse/homeserver.template.yaml b/synapse/homeserver.template.yaml
new file mode 100644
index 0000000..2af5633
--- /dev/null
+++ b/synapse/homeserver.template.yaml
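Review bot: `random_string` builds the key identifier with `random.choice`, which is acceptable because the key material itself comes from `generate_signing_key`, but `secrets.choice(string.ascii_letters)` would make that distinction explicit and stop a reader from assuming the PRNG protects anything. The `f.seek(0)` / `print(f.read())` pair on the `StringIO` can be replaced by `print(f.getvalue())`. Since this is a new script, a short module docstring stating that its stdout is meant to be saved as `synapse/config/matrix-signing.key` (as the README describes) would tie the two together.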
@@ -0,0 +1,112 @@ +--- +## Server ## +server_name: "INSERT DOMAIN HERE" +pid_file: /homeserver.pid +web_client: False +soft_file_limit: 0 + +## Ports ## +listeners: + - port: 8008 + tls: false + bind_addresses: ['::'] + type: http + x_forwarded: false + + resources: + - names: [client] + compress: true + - names: [federation] + compress: false + +## Database ## +database: + name: "sqlite3" + args: + database: "/data/homeserver.db" + +## Performance ## +event_cache_size: "10K" + +## Ratelimiting ## +rc_messages_per_second: 0.2 +rc_message_burst_count: 10.0 +federation_rc_window_size: 1000 +federation_rc_sleep_limit: 10 +federation_rc_sleep_delay: 500 +federation_rc_reject_limit: 50 +federation_rc_concurrent: 3 + +## Files ## +media_store_path: "/data/media" +uploads_path: "/data/uploads" +max_upload_size: "50M" +max_image_pixels: "32M" +dynamic_thumbnails: false + +# List of thumbnail to precalculate when an image is uploaded. +thumbnail_sizes: +- width: 96 + height: 96 + method: crop +- width: 320 + height: 240 + method: scale +- width: 800 + height: 600 + method: scale + +url_preview_enabled: False +max_spider_size: "10M" + +## Turn ## +enable_registration: False +registration_shared_secret: "INSERT KEY HERE" +bcrypt_rounds: 12 +allow_guest_access: False +enable_group_creation: true + +# The list of identity servers trusted to verify third party +# identifiers by this server. +# +# Also defines the ID server which will be called when an account is +# deactivated (one will be picked arbitrarily). 
+trusted_third_party_id_servers: + - matrix.org + - vector.im + +## Metrics ### +enable_metrics: True +report_stats: True + +## API Configuration ## + +room_invite_state_types: + - "m.room.join_rules" + - "m.room.canonical_alias" + - "m.room.avatar" + - "m.room.name" + +app_service_config_files: [] + +macaroon_secret_key: "INSERT KEY HERE" +expire_access_token: False + +## Signing Keys ## + +signing_key_path: "/data/matrix-signing.key" +old_signing_keys: {} +key_refresh_interval: "1d" # 1 Day. + +# The trusted servers to download signing keys from. + +suppress_key_server_warning: true +perspectives: + servers: + "matrix.org": + verify_keys: + "ed25519:auto": + key: "Noi6WqcDj0QmPxCNQqgezwTlBKrfqehY1u2FyWP9uYw" + + password_config: + enabled: true \ No newline at end of file diff --git a/synapse/start.yml b/synapse/start.yml new file mode 100644 index 0000000..712ff95 --- /dev/null +++ b/synapse/start.yml 
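Review bot: The listener block sets `x_forwarded: false` although the nginx site in this commit proxies to 127.0.0.1:8008 and sends `X-Forwarded-For`; with the flag off Synapse ignores that header, so every client appears as 127.0.0.1 to rate limiting, device/login records and logs. Change it to `x_forwarded: true` and have nginx also send `X-Forwarded-Proto`. `bind_addresses: ['::']` is wider than a loopback-only reverse-proxy setup needs; it is harmless inside the container only as long as the compose file publishes the port on loopback. The `rc_messages_per_second` / `rc_message_burst_count` and `federation_rc_*` keys are the older spellings; with an unpinned image it is worth confirming the running Synapse version still honours them, or migrating them to `rc_message` / `rc_federation`.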
@@ -0,0 +1,86 @@ +--- +- hosts: teier.eu + gather_facts: no + tasks: + - name: Install curl for healthcheck + apt: name=curl state=latest + + - name: Check dc directory + stat: + path: /dc/synapse + register: synapse_dc_dir_stat + + - name: Create synapse dc directory + file: + path: /dc/synapse + state: directory + mode: 0777 + group: root + owner: root + when: synapse_dc_dir_stat.islnk is not defined + + - name: Check data directory + stat: + path: /var/synapse + register: synapse_data_dir_stat + + - name: Create synapse data directory + file: + path: /var/synapse + state: directory + mode: 0777 + group: root + owner: root + when: synapse_data_dir_stat.islnk is not defined + + - name: Check uploads directory + stat: + path: /var/synapse/uploads + register: synapse_upload_dir_stat + + - name: Create synapse upload directory + file: + path: /var/synapse/uploads + state: directory + mode: 0777 + group: root + owner: root + when: synapse_upload_dir_stat.islnk is not defined + + - name: Check media directory + stat: + path: /var/synapse/media + register: synapse_media_dir_stat + + - name: Create synapse media directory + file: + path: /var/synapse/media + state: directory + mode: 0777 + group: root + owner: root + when: synapse_media_dir_stat.islnk is not defined + + - name: Copy config + copy: + src: config/homeserver.yaml + dest: /var/synapse/homeserver.yaml + + - name: Copy Log config + copy: + src: config/log.yaml + dest: /var/synapse/log.yaml + + - name: Copy signing key + copy: + src: config/matrix-signing.key + dest: /var/synapse/matrix-signing.key + + + - name: Copy compose file + copy: + src: docker-compose.yml + dest: /dc/synapse + + - name: Start Synapse + shell: "cd /dc/synapse && docker-compose up -d" \ No newline at end of file diff --git a/synapse/stop.yml b/synapse/stop.yml new file mode 100644 index 0000000..e473fd6 --- /dev/null +++ b/synapse/stop.yml 
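Review bot: The config and key copies land in directories created with `mode: 0777` and are written with the copy module's default file mode, so `homeserver.yaml` (which carries `macaroon_secret_key` and `registration_shared_secret`) and `matrix-signing.key` end up world-readable, and the whole data tree world-writable, on the host. Use a restrictive mode such as `mode: '0750'` on the directories and `mode: '0600'` on the two secret files, with `owner`/`group` set to the uid the Synapse container runs as (placeholder `<synapse-uid>`), instead of opening them to every local account. The `when: ..._stat.islnk is not defined` guards always evaluate true, because the stat module returns its fields under `.stat` (e.g. `synapse_dc_dir_stat.stat.exists`), so the stat tasks can simply be dropped — `file: state: directory` is already idempotent. The "Install curl for healthcheck" task installs curl on the host, but the compose healthcheck `CMD` runs inside the container, so that task has no effect on the check.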
@@ -0,0 +1,6 @@ +--- +- hosts: teier.eu + gather_facts: no + tasks: + - name: Stop Synapse + shell: "cd /dc/synapse && docker-compose stop" \ No newline at end of file diff --git a/synapse/teardown.yml b/synapse/teardown.yml new file mode 100644 index 0000000..70a6689 --- /dev/null +++ b/synapse/teardown.yml @@ -0,0 +1,7 @@ +--- +- hosts: teier.eu + gather_facts: no + tasks: + tasks: + - name: Teardown Synapse + shell: "cd /dc/synapse && docker-compose down" \ No newline at end of file diff --git a/ufw/playbook-ufw.yml b/ufw/playbook-ufw.yml index d0e54cc..6028798 100644 --- a/ufw/playbook-ufw.yml +++ b/ufw/playbook-ufw.yml @@ -40,6 +40,12 @@ rule: allow port: '21025' proto: tcp + + - name: Allow Matrix federation + community.general.ufw: + rule: allow + port: '8448' + proto: tcp - name: Allow all access from RFC1918 networks to this host community.general.ufw:
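Review bot: synapse/teardown.yml repeats the `tasks:` key (`tasks: tasks:`), a duplicate mapping key that YAML loaders either reject or resolve to the last occurrence with a warning depending on the parser; remove one `tasks:` line so the play has a single task list. The same duplication is visible as context in nummus/teardown.yml and looks like the copy source, so it should be fixed there as well. Since `docker-compose down` removes the containers but leaves `/var/synapse` in place, the task name could say so to distinguish it from stop.yml.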