From 0400006af1b5124a298df52037e1fc9e773e7ea0 Mon Sep 17 00:00:00 2001 From: Adrien Luxey Date: Tue, 2 Jun 2020 12:54:54 +0200 Subject: [PATCH] synapse starts, but can't connect to db on host - investigate postgres access rights --- deployer/README.md | 1 + deployer/group_vars/all/vars.yml | 55 ++++----- deployer/group_vars/all/vault.yml | 106 +++++++++--------- deployer/roles/build/tasks/backup.yml | 3 +- deployer/roles/build/tasks/postgres.yml | 42 +++---- deployer/roles/build/tasks/synapse.yml | 41 +++++++ .../build/templates/drupal/Dockerfile.j2 | 2 +- .../templates/synapse/docker-compose.yml.j2 | 21 +--- .../templates/synapse/homeserver.yaml.j2 | 12 +- .../build/templates/synapse/nginx.host.j2 | 17 +++ deployer/roles/deploy/tasks/main.yml | 9 ++ deployer/roles/deploy/tasks/synapse.yml | 11 ++ 12 files changed, 189 insertions(+), 131 deletions(-) create mode 100644 deployer/roles/deploy/tasks/synapse.yml diff --git a/deployer/README.md b/deployer/README.md index 044d7a9..89088fe 100644 --- a/deployer/README.md +++ b/deployer/README.md @@ -24,6 +24,7 @@ Python modules: * docker * docker-compose * pymysql +* psycopg2 TODO: Ansible task to install that before the rest diff --git a/deployer/group_vars/all/vars.yml b/deployer/group_vars/all/vars.yml index 616a3dc..49ec234 100644 --- a/deployer/group_vars/all/vars.yml +++ b/deployer/group_vars/all/vars.yml @@ -13,7 +13,7 @@ wordpress: gitea: version: 1.11.4 synapse: - version: v1.13.0-py3 + version: v1.14.0-py3 sites: # - slug: rdb # Shorthand name to use as directory/file name 
@@ -107,27 +107,27 @@ sites: # mysql_username: mts # mysql_password: "{{ vault_mts_mysql_password }}" - - slug: gitea # Shorthand name to use as directory/file name - # The site URL (without www) - url: git.deuxfleurs.fr - # Ask nginx to redirect url to www - # Else, we redirect www to url - redirect_to_www: no - # What kind of site is that? - type: gitea - # Subnet addresses - subnet_cidr_address: 172.27.6.0/24 - subnet_gateway_ip: 172.27.6.1 - subnet_site_ip: 172.27.6.2 - # User IDs - user_name: git - user_uid: 1007 - user_group: git - user_gid: 1006 - # MySQL - mysql_database: gitea - mysql_username: gitea - mysql_password: "{{ vault_gitea_mysql_password }}" + # - slug: gitea # Shorthand name to use as directory/file name + # # The site URL (without www) + # url: git.deuxfleurs.fr + # # Ask nginx to redirect url to www + # # Else, we redirect www to url + # redirect_to_www: no + # # What kind of site is that? + # type: gitea + # # Subnet addresses + # subnet_cidr_address: 172.27.6.0/24 + # subnet_gateway_ip: 172.27.6.1 + # subnet_site_ip: 172.27.6.2 + # # User IDs + # user_name: git + # user_uid: 1007 + # user_group: git + # user_gid: 1006 + # # MySQL + # mysql_database: gitea + # mysql_username: gitea + # mysql_password: "{{ vault_gitea_mysql_password }}" - slug: synapse_test # Shorthand name to use as directory/file name # The site URL (without www) @@ -137,6 +137,9 @@ sites: custom_landing: /vault/www/riot # What kind of site is that? type: synapse + # User IDs + user_uid: 33 # www-data + user_gid: 33 # www-data # Subnet addresses subnet_cidr_address: 172.27.7.0/24 subnet_gateway_ip: 172.27.7.1 
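Review bot: Setting `user_uid`/`user_gid` to 33 runs the synapse container as the host's www-data, i.e. the same identity as the nginx that fronts it; the build role then makes `site_data_path` group www-data with mode 770, and that directory holds the copied homeserver.yaml (DB password, `registration_shared_secret`, SMTP credentials) and the generated server signing key, so a compromise of the web server could read or replace the homeserver's identity. Every other site entry allocates a dedicated uid/gid (the gitea block commented out just above used 1007/1006); give synapse its own, e.g. `user_name: synapse`, `user_uid: <unused uid>`, `user_gid: <unused gid>`, and do not put www-data in the data directory's group. The `# www-data` trailing comments would then go as well.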
@@ -144,12 +147,14 @@ sites: # PostgreSQL postgres_database: synapse_test postgres_username: synapse_test - postgres_password: "{{ vault_synapse_test_psql_password }}" + postgres_password: "{{ vault_synapse_test_postgres_password }}" # SMTP contact_email: contact@zinz.dev smtp_host: mail.gandi.net - smtp_port: 465 # Clear: 25, SSL: 465, STARTTLS: 587 + smtp_port: 587 # Clear: 25, SSL: 465, STARTTLS: 587 smtp_username: contact@zinz.dev - smtp_password: "{{ vault_synapse_test_smtp_password }}" + smtp_password: "{{ vault_smtp_contact_at_zinz_dev }}" # Secrets registration_shared_secret: "{{ vault_synapse_test_registration_shared_secret }}" + # Others + max_upload_size: 20M diff --git a/deployer/group_vars/all/vault.yml b/deployer/group_vars/all/vault.yml index 80c32c7..a642afe 100644 --- a/deployer/group_vars/all/vault.yml +++ b/deployer/group_vars/all/vault.yml 
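Review bot: Switching `smtp_port` to 587 means the SMTP session starts in cleartext and is only upgraded by STARTTLS if the client insists on it; unless the homeserver.yaml template (not in this hunk) sets `require_transport_security: true` under `email:`, a downgrade on the path to mail.gandi.net would expose `vault_smtp_contact_at_zinz_dev` and every notification mail on the wire. Also, `postgres_password` now references `vault_synapse_test_postgres_password` while the vault blob is rewritten wholesale in this same commit, so the key rename cannot be checked from the ciphertext — confirm the variable exists with `ansible-vault view` before relying on the rendered homeserver.yaml.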
@@ -1,54 +1,54 @@ $ANSIBLE_VAULT;1.1;AES256 -33316633336433356161393139393533626265633764643638636238323234333137333632623766 -6263353834383237326364623263323330643666313364390a313836343538653035386463623930 -34313331366236346636653461383238336163346331643563643164663836326364616639653965 -6139373138643236640a343661366461343530633866656261346631383061636264353765303738 -61363961356535656261303834626564336637613234353363396365636564333963313038333762 -62366236376539373031613235656565383564326466386263393138383861306238326135326262 -36326166303563383835623233373664646565636634393563663731346236336166653764393131 -35336466626434376437373364313062333739663831636636373132363261636331393762383163 -33393932393966326261383936623262643234366238323732346336633964373939613232353235 -64363731656165326363353065393739653561343861346631636462333237646431653335626361 -63326537333230383435646237663766383465393361646562313737303633393736386335373663 -32313238313232303561383539363731663435363730363362656233663338626139343965653337 -39303138356263623733363931353265626261323639356265663630663339393236383739343038 -37346239343939633437613030613264353035316166303730336437613836646465356431613331 -61396438356366626132613661336666653764626536373966386637343534326362323038363838 -62616462663430303439303239333738363565373065373061346436626532646438316363663866 -37393733366339303932623933656334626431633637623661336331633038336534633236336639 -34353465626238666433326466313337363236656238353162643930343637623562656637623731 -63613366646465356236306532303538636461653933383166633832363031633533646262666264 -36646439323463313134303865623664636463366139336231616265313931653532393538323161 -65393563346337326239353237366530356437666134626439613464356530633961656538326662 -36323438366338366130653432326365663731353837383861313266643431373633383462663630 -65646230633134613338303962643730303539633761386663626666353931663531663132663166 
-64376531313738656666373638646238366166643536393430383865373134343937376434323566 -65393963636237363061623666636665613037613165323963343337343336303835303938636265 -61373032663835623630653938366438346633333335666236646234383238336466373931363039 -66353964666662366464363035643230643332373765323131333338393735626663343666323833 -62343731383163376632303965623964356137373034323536666533363130633564633936616130 -35333830303066316663393261356362376632316130303738323865373764613732616534613666 -31346636366439373632363232306133383861383230326338616438353664663638656265643961 -30633137633032666238323338313062356634303739346635333438316335653565353433356664 -61356166316236633762623765646530643235326234646636353762393464326236333334313334 -31383932613061613238303032396664333565346237373935313235653762306534326434333364 -63336237666533623037313061323365613335656462306361623536353938326234353434353866 -63636433633264653535386161323133653833626639666436613866363633396265316162383433 -66623838313164623834616562623336393737353063336538373237316335386532633531353932 -66303230363166343039313264633631626131306133646361643539323765663664353262633536 -30623262623133633563623933373239643637326434336331626630353161326533653138356537 -39646330666561333065613637663839313437363663313235366131656365373861323135353632 -65343562663836633233396538356330306132643265373261343763363530643539306232636166 -30646236313165623235616361626434326430396636623032393136626463356161306433343933 -64333930613463333037366534396439616662383338636338353835363965306666376630626436 -36336632363136366266313833383839366138653262643532316131663434643963656563623165 -61303565343832626561366137626566333536383664353163323032373836656332326631366530 -34323165636563323130376361356634656561623030333665313038306430396563353030326165 -36363563366236633132623566306534356130656166616533666139373034383336383130343534 -64666466663434356266333135333830303830386134376234333766646134636232363564663834 
-64613035366637656262343366643136346631646332393163313064616333353735316662386437 -38396530343461303265366433366438343337646366313737663865333965353630653338326336 -33356433386333393164396131653635346564363563633134633962333039396331336362393231 -31386566633533323730643666303433333932356164393762316566376133663338636665643633 -34653234356165613463356432643538633235636465393733316333396564393166373062303563 -3565 +37633930663134356232643631336635303363303366623536366661313663376233316364343030 +6663366266383139613065613265343537613266373863640a393764653365363665316266366138 +39653639316232323336303432316163346163313863353832323436393637306662306635613261 +3163343533333132330a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diff --git a/deployer/roles/build/tasks/backup.yml b/deployer/roles/build/tasks/backup.yml index 7adf120..43e0c28 100644 --- a/deployer/roles/build/tasks/backup.yml +++ b/deployer/roles/build/tasks/backup.yml @@ -62,6 +62,5 @@ when: site.mysql_database is defined - name: "PostgreSQL Database backups" - block: - debug: msg="TODO PUTAIN BOSSE LÀ" + debug: msg="TODO PUTAIN BOSSE LÀ" when: site.postgres_database is defined \ No newline at end of file diff --git a/deployer/roles/build/tasks/postgres.yml b/deployer/roles/build/tasks/postgres.yml index c758de1..da8f9b1 100644 --- a/deployer/roles/build/tasks/postgres.yml +++ b/deployer/roles/build/tasks/postgres.yml 
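Review bot: The PostgreSQL backup task is still the placeholder `debug` line (now without the stray `block:`), while this same commit starts provisioning a real Synapse database in postgres.yml, so nothing dumps `{{ site.postgres_database }}` and the profanity in the message will appear in every play's output. A minimal replacement mirroring the MySQL branch above (outside the hunk) would be a `command` task running `pg_dump -Fc {{ site.postgres_database }}` with `become_user: postgres`, writing next to the MySQL dumps; the server signing key under `site_data_path` deserves the same treatment, since losing it breaks federation identity.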
@@ -2,30 +2,20 @@ # Needs variables: # - site: dict describing the site install (cf group_vars/all/vars.yml) -- name: "Create database {{ site.mysql_database }} if inexistent" - # mysql_db: - # name: "{{ site.mysql_database }}" - # state: present - # # Credentials to log in MySQL - # login_host: localhost - # login_user: root - # login_password: "{{ mysql_root_password }}" +- name: "Create database {{ site.postgres_database }} if inexistent" + postgresql_db: + name: "{{ site.postgres_database }}" + state: present + become: yes + become_user: postgres - -# MySQL equivalent: -# TODO: PostgreSQL? -# create user @ identified by ; -# grant all on .* to @; -- name: "Add database user {{ site.mysql_username }}@{{ site.subnet_site_ip }} and grant all privileges on {{ site.mysql_database }}" - # mysql_user: - # # Credentials to log in MySQL - # login_host: localhost - # login_user: root - # login_password: "{{ mysql_root_password }}" - # # Credentials of the new db user - # host: "{{ site.subnet_site_ip }}" - # name: "{{ site.mysql_username }}" - # password: "{{ site.mysql_password }}" - # # Grants - # priv: "{{ site.mysql_database }}.*:all" - # state: present \ No newline at end of file +- name: "Add database user {{ site.postgres_username }}@{{ site.subnet_site_ip }} and grant all privileges on {{ site.postgres_database }}" + postgresql_user: + # Credentials of the new db user + name: "{{ site.postgres_username }}" + password: "{{ site.postgres_password }}" + db: "{{ site.postgres_database }}" + priv: ALL + # host: "{{ site.subnet_site_ip }}" + become: yes + become_user: postgres \ No newline at end of file diff --git a/deployer/roles/build/tasks/synapse.yml b/deployer/roles/build/tasks/synapse.yml index f5e8518..c8b3185 100644 --- a/deployer/roles/build/tasks/synapse.yml +++ b/deployer/roles/build/tasks/synapse.yml 
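Review bot: The commented-out `host:` on the `postgresql_user` task is a MySQL notion the module does not have, so uncommenting it will never scope where `{{ site.postgres_username }}` may connect from; in PostgreSQL that is decided by `pg_hba.conf`, and the missing rule for the container's bridge address (plus `listen_addresses` defaulting to localhost) is the most plausible cause of the "can't connect to db on host" in the commit title. Add a host-type rule limited to `{{ site.subnet_site_ip }}/32`, the one database and the one role, and make PostgreSQL listen on `{{ site.subnet_gateway_ip }}` rather than on all interfaces; both changes need a reload, and the pg_hba path below follows the Debian layout and must match the host's install. `priv: ALL` with `db:` only grants database-level privileges, which suffices because synapse creates its own tables, but make the role the database `owner` (creating the user first) so schema ownership is not left with the postgres superuser. Synapse's documentation also requires a UTF-8 database with `C` collation/ctype, so pass `encoding: UTF-8`, `lc_collate: C`, `lc_ctype: C` and `template: template0` to `postgresql_db` now instead of recreating the database later.
```yaml
# … unchanged: database creation and user/password tasks …

- name: "Allow {{ site.postgres_username }} to reach {{ site.postgres_database }} from {{ site.subnet_site_ip }} only"
  postgresql_pg_hba:
    dest: /etc/postgresql/11/main/pg_hba.conf  # adjust to the host's PostgreSQL version/layout
    contype: host
    databases: "{{ site.postgres_database }}"
    users: "{{ site.postgres_username }}"
    source: "{{ site.subnet_site_ip }}/32"
    method: md5
    state: present
  become: true
  become_user: postgres
  # reload PostgreSQL afterwards; listen_addresses must include {{ site.subnet_gateway_ip }}
```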
@@ -11,6 +11,47 @@ import_tasks: render.yml tags: render +########################## +# Generate configuration # +########################## + +- name: "Create folder {{ site_data_path }}" + file: + path: "{{ site_data_path }}" + state: directory + mode: "770" + group: "www-data" + tags: config +# - name: "Set {{ site_data_path }} permissions" +# file: +# path: "{{ site_data_path }}" +# mode: '770' +# group: "www-data" +# become: true +# tags: config + +- name: "Copy homeserver.yaml to {{ site_data_path }}" + copy: + src: "{{ sites_path }}/{{ site.slug }}/homeserver.yaml" + dest: "{{ site_data_path }}/homeserver.yaml" + remote_src: yes + tags: config + +- name: "Let synapse generate missing configuration files" + docker_container: + name: synapse_config_generator + image: "matrixdotorg/synapse:{{ synapse.version }}" + command: "generate" + volumes: + - "{{ site_data_path }}:/data" + env: + SYNAPSE_SERVER_NAME: "{{ site.url }}" + SYNAPSE_REPORT_STATS: "no" + UID: "{{ site.user_uid }}" + GID: "{{ site.user_gid }}" + tags: config + + ############################ # PostgreSQL configuration # ############################ diff --git a/deployer/roles/build/templates/drupal/Dockerfile.j2 b/deployer/roles/build/templates/drupal/Dockerfile.j2 index 461ab87..6254ce8 100644 --- a/deployer/roles/build/templates/drupal/Dockerfile.j2 +++ b/deployer/roles/build/templates/drupal/Dockerfile.j2 @@ -10,4 +10,4 @@ RUN echo "\ account default\n\ host {{ site.subnet_gateway_ip }}\n\ port 25\n\ -from php@{{ site.url }}\n" > /etc/msmtprc \ No newline at end of file +from php@{{ site.url }}\n" > /etc/msmtprc diff --git a/deployer/roles/build/templates/synapse/docker-compose.yml.j2 b/deployer/roles/build/templates/synapse/docker-compose.yml.j2 index af36c92..2fbfabd 100644 --- a/deployer/roles/build/templates/synapse/docker-compose.yml.j2 +++ b/deployer/roles/build/templates/synapse/docker-compose.yml.j2 
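Review bot: The `copy` task that places homeserver.yaml in `{{ site_data_path }}` sets no `owner`/`group`/`mode`, so the rendered file — which carries `postgres_password`, `registration_shared_secret`, the SMTP password and the generated `form_secret` — is created with the remote user's default umask (typically world-readable unless render.yml already restricts the source) inside a directory that is only group-restricted. Add `owner: "{{ site.user_uid }}"`, `group: "{{ site.user_gid }}"`, `mode: "0640"` to the copy task, since that uid is what the container runs as via the `UID`/`GID` environment, and give the `file` task the same owner with `mode: "0770"` instead of the bare `"770"`; the commented-out duplicate of that task can be dropped. The one-shot `synapse_config_generator` container is left behind after `generate` exits because `docker_container` does not remove it by default — add `auto_remove: true` (or `cleanup: true` with `detach: false`) so a stale container with the server name in its environment does not linger.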
@@ -6,32 +6,17 @@ version: '3' services: site: - # build: site - image: matrixdotorg/synapse:{{ gitea.version }} + image: matrixdotorg/synapse:{{ synapse.version }} restart: unless-stopped environment: - SYNAPSE_CONFIG_PATH=/data/homeserver.yaml - # APP_NAME: "Gitea: git with a cup of coffee" - # DOMAIN: "{{ site.url }}" - # SSH_DOMAIN: "{{ site.url }}" - # ROOL_URL: "https://{{ site.url }}/" - # USER_UID: "{{ site.user_uid }}" - # USER_GID: "{{ site.user_gid }}" - # DB_TYPE: mysql - # DB_HOST: "{{ site.subnet_gateway_ip }}" - # DB_USER: "{{ site.mysql_username }}" - # DB_PASSWD: "{{ site.mysql_password }}" - # DB_NAME: "{{ site.mysql_database }}" + - UID={{ site.user_uid }} + - GID={{ site.user_gid }} volumes: - "{{ site_data_path }}:/data" - # - "/home/git/.ssh:/data/git/.ssh" - # - "/etc/timezone:/etc/timezone:ro" - # - "/etc/localtime:/etc/localtime:ro" networks: net: ipv4_address: "{{ site.subnet_site_ip }}" - ports: - # - "127.0.0.1:2222:22" # SSH Passthrough networks: net: diff --git a/deployer/roles/build/templates/synapse/homeserver.yaml.j2 b/deployer/roles/build/templates/synapse/homeserver.yaml.j2 index dea29ce..4025222 100644 --- a/deployer/roles/build/templates/synapse/homeserver.yaml.j2 +++ b/deployer/roles/build/templates/synapse/homeserver.yaml.j2 @@ -437,11 +437,11 @@ retention: # instance, if using certbot, use `fullchain.pem` as your certificate, # not `cert.pem`). # -#tls_certificate_path: "/data/test.zinz.dev.tls.crt" +#tls_certificate_path: "/data/{{ site.url }}.tls.crt" # PEM-encoded private key for TLS # -#tls_private_key_path: "/data/test.zinz.dev.tls.key" +#tls_private_key_path: "/data/{{ site.url }}.tls.key" # Whether to verify TLS server certificates for outbound federation requests. # @@ -759,7 +759,7 @@ media_store_path: "/data/media_store" # The largest allowed upload size in bytes # -#max_upload_size: 10M +max_upload_size: {{ site.max_upload_size }} # Maximum number of pixels that will be thumbnailed # 
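Review bot: `image: matrixdotorg/synapse:{{ synapse.version }}` pulls a mutable registry tag (`v1.14.0-py3`), so what runs depends on whatever the registry serves at deploy time rather than on what was reviewed; for a service that holds the server signing key and all user data, pin the image to a content digest, `image: matrixdotorg/synapse:{{ synapse.version }}@sha256:<digest>` with the digest recorded in vars.yml next to `version`, and reference it identically in the build role's generate task so both stages run the same code. The correction from `gitea.version` to `synapse.version` and the removal of the `ports:` stanza are right — nginx reaches the container on `{{ site.subnet_site_ip }}` and nothing needs to be published on the host.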
@@ -1241,7 +1241,7 @@ form_secret: "{{ lookup('password', '/dev/null length=50') }}" # Path to the signing key to sign messages with # -signing_key_path: "/data/test.zinz.dev.signing.key" +signing_key_path: "/data/{{ site.url }}.signing.key" # The keys that the server used to sign messages with but won't use # to sign new messages. @@ -1310,7 +1310,7 @@ trusted_key_servers: # Uncomment the following to disable the warning that is emitted when the # trusted_key_servers include 'matrix.org'. See above. # -#suppress_key_server_warning: true +suppress_key_server_warning: true # The signing keys to use when acting as a trusted key server. If not specified # defaults to the server signing key. @@ -1650,7 +1650,7 @@ email: # Note that the placeholder must be written '%(app)s', including the # trailing 's'. # - #notif_from: "Your Friendly %(app)s homeserver " + notif_from: "Your Friendly %(app)s homeserver " # app_name defines the default value for '%(app)s' in notif_from. It # defaults to 'Matrix'. diff --git a/deployer/roles/build/templates/synapse/nginx.host.j2 b/deployer/roles/build/templates/synapse/nginx.host.j2 index cfc2378..62ac185 100644 --- a/deployer/roles/build/templates/synapse/nginx.host.j2 +++ b/deployer/roles/build/templates/synapse/nginx.host.j2 @@ -38,7 +38,24 @@ server { include snippets/header-params_server.conf; location /_matrix { include snippets/header-params_location.conf; + client_max_body_size {{ site.max_upload_size }}; proxy_pass http://{{ site.subnet_site_ip }}:8008; } } + +server { + listen 8448 ssl; + listen [::]:8448 ssl; + server_name {{ site.url }}; + + include snippets/ssl-params.conf; + ssl_certificate /etc/letsencrypt/live/zinz.dev/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/zinz.dev/privkey.pem; + + include snippets/header-params_server.conf; + location / { + include snippets/header-params_location.conf; + proxy_pass http://{{ site.subnet_site_ip }}:8008; + } +} \ No newline at end of file 
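Review bot: The new federation server block proxies `location /` wholesale to synapse on 8008, which publishes the client API and `/_synapse/admin` on port 8448 alongside federation; federation only needs `/_matrix`, so mirror the 443 block with `location /_matrix { … }` and let nginx 404 everything else to keep the admin endpoints off the internet. The certificate paths are hard-coded to `/etc/letsencrypt/live/zinz.dev/` while `server_name` is `{{ site.url }}`, which only works if that certificate's SANs cover the site's hostname and ties a per-site template to one domain — worth templating from a site variable if further synapse sites are planned. Setting `suppress_key_server_warning: true` in homeserver.yaml is fine, but only because `trusted_key_servers` (outside the hunk) presumably still lists matrix.org; if that list is changed the warning should be re-enabled.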
diff --git a/deployer/roles/deploy/tasks/main.yml b/deployer/roles/deploy/tasks/main.yml index ee25f46..c2475ea 100644 --- a/deployer/roles/deploy/tasks/main.yml +++ b/deployer/roles/deploy/tasks/main.yml @@ -23,3 +23,12 @@ loop_var: site when: site.type == "gitea" tags: gitea + + +- name: Deploy Synapse sites + include_tasks: synapse.yml + loop: "{{ sites }}" + loop_control: + loop_var: site + when: site.type == "synapse" + tags: synapse \ No newline at end of file diff --git a/deployer/roles/deploy/tasks/synapse.yml b/deployer/roles/deploy/tasks/synapse.yml new file mode 100644 index 0000000..a7ec8f0 --- /dev/null +++ b/deployer/roles/deploy/tasks/synapse.yml @@ -0,0 +1,11 @@ +--- +# Needs variables: +# - site: dict describing the site install (cf group_vars/all/vars.yml) + +- name: Include docker tasks + include_tasks: docker.yml + tags: docker + +- name: Include nginx tasks + include_tasks: nginx.yml + tags: nginx