Initial draft of matrix config

matrix-docker-ansible/inventory/host_vars/matrix.cttue.de/vars.yml

@@ -0,0 +1,86 @@
+---
+# The bare domain name which represents your Matrix identity.
+# Matrix user ids for your server will be of the form (`@user:<matrix-domain>`).
+matrix_domain: 'cttue.de'
+
+# This is where Matrix services
+matrix_server_fqn_matrix: 'matrix.cttue.de'
+
+# This is where you access the Element web UI from (if enabled via `matrix_client_element_enabled: true`; enabled by default).
+# This and the Matrix FQN (see above) are expected to be on the same server.
+matrix_server_fqn_element: 'element.cttue.de'
+
+# The Matrix homeserver software to install.
+# See `roles/matrix-base/defaults/main.yml` for valid options.
+matrix_homeserver_implementation: synapse
+
+# docker already installed
+matrix_docker_installation_enabled: true
+
+# A secret used as a base, for generating various other secrets.
+# You can put any string here, but generating a strong one is preferred (e.g. `pwgen -s 64 1`).
+matrix_homeserver_generic_secret_key: '0XbMAGWcegWsDGdIwMDsZ11TF0Aeh4JEzSo5mC5iUET5UXgG3ku8IPbVsDvxKICQ'
+
+# A Postgres password to use for the superuser Postgres user (called `matrix` by default).
+#
+# The playbook creates additional Postgres users and databases (one for each enabled service)
+# using this superuser account.
+matrix_postgres_connection_password: 'SIHm7TtFF1ntGxKu'
+
+#################### jwilder/nginx-proxy related ###################
+
+# Disable generation and retrieval of SSL certs
+matrix_ssl_retrieval_method: none
+
+# Configure Nginx to only use plain HTTP
+matrix_nginx_proxy_https_enabled: false
+
+# Don't bind any HTTP or federation port to the host
+matrix_nginx_proxy_container_http_host_bind_port: ''
+matrix_nginx_proxy_container_federation_host_bind_port: ''
+
+# Trust the reverse proxy to send the correct `X-Forwarded-Proto` header as it is handling the SSL connection.
+matrix_nginx_proxy_trust_forwarded_proto: true
+
+# Trust and use the other reverse proxy's `X-Forwarded-For` header.
+matrix_nginx_proxy_x_forwarded_for: '$proxy_add_x_forwarded_for'
+
+# Disable Coturn because it needs SSL certs
+# (Clients can, though exposing IP address, use Matrix.org TURN)
+matrix_coturn_enabled: true
+
+# All containers need to be on the same Docker network as nginx-proxy
+matrix_docker_network: 'cttue_web_services'
+
+matrix_nginx_proxy_container_extra_arguments:
+  - '-e "VIRTUAL_HOST={{ matrix_server_fqn_matrix }},{{ matrix_server_fqn_element }}"'
+  - '-e "VIRTUAL_PORT=8080"'
+  - '-e "LETSENCRYPT_HOST={{ matrix_server_fqn_matrix }},{{ matrix_server_fqn_element }}"'
+
+# change federation to 443
+matrix_synapse_http_listener_resource_names: ["client","federation"]
+matrix_federation_public_port: 443
+matrix_synapse_federation_port_enabled: false
+
+# Expose server's public rooms directory via federation
+matrix_synapse_allow_public_rooms_over_federation: true
+
+
+################ Custom synapse configuration (for OpenID SSO) ###############
+matrix_synapse_configuration_extension_yaml: |
+  oidc_providers:
+    - idp_id: cttue
+      idp_name: "Chaostreff Tübingen SSO"
+      issuer: "https://auth.cttue.de/auth/realms/cttue"
+      client_id: "matrix"
+      client_secret: "EItmul7WaoTW6rzxxnLpGS1G9OqzmSR8"
+      scopes: ["openid", "profile"]
+      authorization_endpoint: "https://auth.cttue.de/auth/realms/cttue/protocol/openid-connect/auth"
+      token_endpoint: "https://auth.cttue.de/auth/realms/cttue/protocol/openid-connect/token"
+      userinfo_endpoint: "https://auth.cttue.de/auth/realms/cttue/protocol/openid-connect/userinfo"
+      user_mapping_provider:
+        config:
+          localpart_template: "{{ user.preferred_username }}"
+          display_name_template: "{{ user.name }}"
+          email_template: "{{ user.email }}"
+