diff --git a/matrix-synapse-riot/README.md b/matrix-synapse-riot/README.md index 7703a97..72d43f0 100644 --- a/matrix-synapse-riot/README.md +++ b/matrix-synapse-riot/README.md @@ -1,13 +1,14 @@ Matrix Synapse + Riot -=================== +===================== ## Provision Matrix homeserver with Riot frontend We will be using the following tools and services: -* [Digital Ocean](https://www.digitalocean.com) as the virtual machine provider +* [Digital Ocean](https://www.digitalocean.com) as the virtual machine and or DNS provider * [Terraform](https://www.terraform.io) to provision the cloud servers * [Let's Encrypt](https://letsencrypt.org) to get SSL certificates for HTTPS +* [Proxmox](https://www.proxmox.com) as self-hosted virtual machine option The following steps assume you have a Digital Ocean account. @@ -26,18 +27,23 @@ The following steps assume you have a Digital Ocean account. 1. Then store the domain name in your local environment: - echo -n YOUR_DOMAIN_NAME > .keys/domain_name + echo -n YOUR_DOMAIN_NAME > .keys/domain_name 1. Obtain a read-write access token from your Digital Ocean account's `API` tab, then store it in your local environment: - echo -n YOUR_DIGITAL_OCEAN_ACCESS_TOKEN > .keys/do_token + echo -n YOUR_DIGITAL_OCEAN_ACCESS_TOKEN > .keys/do_token -1. Generate RSA keys to access your Digital Ocean VMs: +1. Generate RSA keys to access your Matrix VM: - ssh-keygen -t rsa -f .keys/id_rsa + ssh-keygen -t rsa -f .keys/id_rsa - Add the SSH key to your Digital Ocean account under `Settings > Security`, then copy the +## Digital Ocean Specific Steps +1. Rename main-digital-ocean.tf.txt to main.tf + + mv main-digital-ocean.tf.txt main.tf + +1. Add the SSH key to your Digital Ocean account under `Settings > Security`, then copy the SSH fingerprint to your local environment: echo -n YOUR_SSH_FINGERPRINT > .keys/ssh_fingerprint 
@@ -45,29 +51,79 @@ The following steps assume you have a Digital Ocean account. 1. [Download Terraform](https://www.terraform.io/intro/getting-started/install.html), add it to your path. On Linux it would look something like this: - https://releases.hashicorp.com/terraform/0.11.10/terraform_0.11.10_linux_amd64.zip - unzip terraform_0.11.10_linux_amd64.zip - mv terraform /usr/bin + wget https://releases.hashicorp.com/terraform/0.11.13/terraform_0.11.13_linux_amd64.zip + unzip terraform_0.11.13_linux_amd64.zip + mv terraform /usr/local/bin + + Then run initialization from our `terraform` working directory: + + terraform init + +## Proxmox Specific Steps +1. Follow Proxmox steps to set up Debian Cloud-Init image [here](https://pve.proxmox.com/wiki/Cloud-Init_Support) + Use Debian image from [here](https://cdimage.debian.org/cdimage/openstack/current-9/) + Name the template `Deb9Cloud-InitTemplate` + +1. Rename main-digital-ocean.tf.txt to main.tf + + mv main-proxmox.tf.txt main.tf + +1. Set your host IP information + + echo -n YOUR_IPV4_ADDRESS > .keys/interface_ip + echo -n YOUR_IPV4_GATEWAY > .keys/interface_gw + echo -n YOUR_IPV4_NETMASK > .keys/interface_ip_netmask (for example 24) + echo -n YOUR_IPV6_ADDRESS > .keys/interface_ip6 + echo -n YOUR_IPV6_GATEWAY > .keys/interface_gw6 + echo -n YOUR_IPV6_NETMASK > .keys/interface_ip6_netmask (for example 64) + +1. Set your DNS resolver + + echo -n YOUR_RESOLVER_IP_ADDRESS > .keys/nameserver + +1. [Download Terraform](https://www.terraform.io/intro/getting-started/install.html), add it to + your path. 
On Linux it would look something like this: + + wget https://releases.hashicorp.com/terraform/0.11.13/terraform_0.11.13_linux_amd64.zip + unzip terraform_0.11.13_linux_amd64.zip + mv terraform /usr/local/bin + + Install the Proxmox plug-in + + go get github.com/Telmate/terraform-provider-proxmox/cmd/terraform-provider-proxmox + go get github.com/Telmate/terraform-provider-proxmox/cmd/terraform-provisioner-proxmox + go install github.com/Telmate/terraform-provider-proxmox/cmd/terraform-provider-proxmox + go install github.com/Telmate/terraform-provider-proxmox/cmd/terraform-provisioner-proxmox + mkdir -p ~/.terraform.d/plugins + cp ~/go/bin/terraform-provider-proxmox ~/go/bin/terraform-provisioner-proxmox ~/.terraform.d/plugins/ + + To prevent timeout errors change TaskStatusCheckInterval to 60 seconds in `~/go/src/github.com/Telmate/proxmox-api-go/proxmox/client.go` + + + Then run initialization from our `terraform` working directory: - terraform init + terraform init +## Provision the server 1. Provision the server by running: - terraform apply + terraform apply - By default, this will set up the frontend to be accessible from the internet and cjdns + By default, this will set up the frontend to be accessible from the internet, cjdns, and yggdrasil - You may also choose to not install cjdns by changing the `cjdns` variable to `false`, for example: + You may also choose to not install cjdns and or Yggdrasil by changing their variables to `false`, for example: - terraform apply -var "cjdns=false" + terraform apply -var "cjdns=false" -var "yggdrasil=false" -1. From your browser, login to your Digital Ocean dashboard and find your new VMs tagged with - `matrix-synapse-riot`. When it is done you will see a temporary password. At your first login you will +1. From your browser, login to your dashboard and find your new VM. + When it is done you will see a temporary password. At your first login you will be prompted to change your password. 
We recommmend that you do not delete your access token as it is needed to renew Let's Encrypt certificates +1. Add peers to your cjdns and Yggdrasil config files. + ## Maintaining and updating For the below instructions we will be using the `tomesh.net` as an example. Please substitute `tomesh.net` with @@ -77,19 +133,9 @@ the domain name you are setting up. 1. SSH into **matrix.tomesh.net** -1. Enter the `virtualenv` as the `synapse` user: - - sudo -i -u synapse - cd ~/.synapse - source ./bin/activate - -1. Stop the Synapse server with `synctl stop` +1. Update Synapse using Debian's apt command -1. Update with the following command where `VERSION` can be a branch like `master` or `develop`, or a release tag like `v0.34.0`, or a commit hash: - - pip install --upgrade --process-dependency-links https://github.com/matrix-org/synapse/tarball/VERSION - -1. Start the Synapse server again with `synctl start` + sudo apt update && sudo apt dist-upgrade -y ### Updating Riot Web client 
@@ -99,54 +145,22 @@ the domain name you are setting up. 1. Download the pre-compiled [Riot Web release](https://github.com/vector-im/riot-web/releases): - wget https://github.com/vector-im/riot-web/releases/download/v0.17.8/riot-v0.17.8.tar.gz + wget https://github.com/vector-im/riot-web/releases/download/v1.3.0/riot-v1.3.0.tar.gz + +1. Backup config file + cp /var/www/chat.tomesh.net/public/config.json /root/riot-config.json 1. Remove old Riot client: - rm -r /var/www/chat.tomesh.net/public/* - -1. Extract **riot-v0.17.8.tar.gz** into **/var/www/chat.tomesh.net/public**: - - tar xf riot-v0.17.8.tar.gz -C /var/www/chat.tomesh.net/public --strip-components 1 - -1. Create **config.json** in /var/www/chat.tomesh.net/public/ with the following lines, so it is used in place of the default **config.sample.json**: - - { - "default_hs_url": "https://matrix.tomesh.net", - "default_is_url": "https://vector.im", - "disable_custom_urls": false, - "disable_guests": false, - "disable_login_language_selector": false, - "disable_3pid_login": false, - "brand": "Riot", - "integrations_ui_url": "https://scalar.vector.im/", - "integrations_rest_url": "https://scalar.vector.im/api", - "integrations_jitsi_widget_url": "https://scalar.vector.im/api/widgets/jitsi.html", - "bug_report_endpoint_url": "https://riot.im/bugreports/submit", - "features": { - "feature_groups": "labs", - "feature_pinning": "labs" - }, - "default_federate": true, - "welcomePageUrl": "home.html", - "default_theme": "light", - "roomDirectory": { - "servers": [ - "tomesh.net", - "matrix.org" - ] - }, - "welcomeUserId": "@riot-bot:matrix.org", - "piwik": { - "url": "https://piwik.riot.im/", - "whitelistedHSUrls": ["https://matrix.org"], - "whitelistedISUrls": ["https://vector.im", "https://matrix.org"], - "siteId": 1 - }, - "enable_presence_by_hs_url": { - "https://matrix.org": false - } - } + rm -r /var/www/chat.tomesh.net/public/* + +1. 
Extract **riot-v1.3.0.tar.gz** into **/var/www/chat.tomesh.net/public**: + + tar xf riot-v1.3.0.tar.gz -C /var/www/chat.tomesh.net/public --strip-components 1 + +1. Restore config file + + cp /root/riot-config.json /var/www/chat.tomesh.net/public/config.json 1. Run `chown -R www-data:www-data /var/www/` to ensure that www-data have full access 
@@ -158,32 +172,26 @@ the domain name you are setting up. 1. Run the query to make the user an admin replace USERNAME with the username of the user: - UPDATE users SET admin=1 WHERE name LIKE '@USERNAME:tomesh.net'; + UPDATE users SET admin=1 WHERE name LIKE '@USERNAME:tomesh.net'; -### Purging old posts and media files from one year ago +### Purging old posts and media files from one year ago to reclaim disk space -1. Login as an admin user at https://matrix.tomesh.net and copy your `Access token` +1. Login as an admin user at https://chat.tomesh.net and copy your `Access token` 1. SSH into **matrix.tomesh.net** -1. Switch to the synapse user `sudo -i -u synapse` - -1. Enter the `.synapse` directory `cd ~/.synapse/` - 1. Put your `Access token` into a variable called `access_token`: - access_token=ABCD1234... + access_token=ABCD1234... 1. Run the API call to purge old posts (e.g. `#tomesh:tomesh.net` channel with the `Internal room ID:` `!FsFLbKGMcUXEMBxZdu:tomesh.net`). To purge another room, replace the ID with that room's ID: - curl -XPOST -d '{"delete_local_events": true, "purge_up_to_ts": '$(echo $(($(date --date="1 year ago" -u +%s%N)/1000000)))' }' 'http://localhost:8008/_matrix/client/r0/admin/purge_history/!FsFLbKGMcUXEMBxZdu:tomesh.net?access_token='$access_token + curl -XPOST -d '{"delete_local_events": true, "purge_up_to_ts": '$(echo $(($(date --date="1 year ago" -u +%s%N)/1000000)))' }' 'http://localhost:8008/_matrix/client/r0/admin/purge_history/!FsFLbKGMcUXEMBxZdu:tomesh.net?access_token='$access_token 1. Optionally you can remove all remote content by running: - curl -XPOST -d '{}' "http://localhost:8008/_matrix/client/r0/admin/purge_media_cache?before_ts=$(echo $(($(date -u +%s%N)/1000000)))&access_token=$access_token"` - -1. Logout of the synapse user + curl -XPOST -d '{}' "http://localhost:8008/_matrix/client/r0/admin/purge_media_cache?before_ts=$(echo $(($(date -u +%s%N)/1000000)))&access_token=$access_token" 1. 
Switch to Postgres user `sudo -i -u postgres` @@ -191,9 +199,15 @@ the domain name you are setting up. 1. Run the command `VACUUM;` -1. Logout of the database and the Postgres user and return back to Synapse shell +1. Logout of the database and the Postgres user and return back to your shell + +1. Switch to the root user `sudo -i` + +1. Go into Synapse's media storage directory + + cd /var/lib/matrix-synapse/media/local_content/ 1. Delete old media files by running the following commands: - cd ~/.synapse/media_store/local_content - find * -mindepth 1 -mtime +365 -delete + cd /var/lib/matrix-synapse/media/local_content/ + find * -mindepth 1 -mtime +365 -delete \ No newline at end of file diff --git a/matrix-synapse-riot/terraform/.keys/interface_gw b/matrix-synapse-riot/terraform/.keys/interface_gw new file mode 100644 index 0000000..e69de29 diff --git a/matrix-synapse-riot/terraform/.keys/interface_gw6 b/matrix-synapse-riot/terraform/.keys/interface_gw6 new file mode 100644 index 0000000..e69de29 diff --git a/matrix-synapse-riot/terraform/.keys/interface_ip b/matrix-synapse-riot/terraform/.keys/interface_ip new file mode 100644 index 0000000..e69de29 diff --git a/matrix-synapse-riot/terraform/.keys/interface_ip6 b/matrix-synapse-riot/terraform/.keys/interface_ip6 new file mode 100644 index 0000000..e69de29 diff --git a/matrix-synapse-riot/terraform/.keys/interface_ip6_netmask b/matrix-synapse-riot/terraform/.keys/interface_ip6_netmask new file mode 100644 index 0000000..4b6f9c3 --- /dev/null +++ b/matrix-synapse-riot/terraform/.keys/interface_ip6_netmask @@ -0,0 +1 @@ +64 \ No newline at end of file diff --git a/matrix-synapse-riot/terraform/.keys/interface_ip_netmask b/matrix-synapse-riot/terraform/.keys/interface_ip_netmask new file mode 100644 index 0000000..cabf43b --- /dev/null +++ b/matrix-synapse-riot/terraform/.keys/interface_ip_netmask @@ -0,0 +1 @@ +24 \ No newline at end of file 
diff --git a/matrix-synapse-riot/terraform/.keys/ipv6_yggdrasil b/matrix-synapse-riot/terraform/.keys/ipv6_yggdrasil new file mode 100644 index 0000000..ec747fa --- /dev/null +++ b/matrix-synapse-riot/terraform/.keys/ipv6_yggdrasil @@ -0,0 +1 @@ +null \ No newline at end of file diff --git a/matrix-synapse-riot/terraform/.keys/nameserver b/matrix-synapse-riot/terraform/.keys/nameserver new file mode 100644 index 0000000..09472b7 --- /dev/null +++ b/matrix-synapse-riot/terraform/.keys/nameserver @@ -0,0 +1 @@ +1.1.1.1 \ No newline at end of file diff --git a/matrix-synapse-riot/terraform/main.tf b/matrix-synapse-riot/terraform/main-digital-ocean.tf.txt similarity index 72% rename from matrix-synapse-riot/terraform/main.tf rename to matrix-synapse-riot/terraform/main-digital-ocean.tf.txt index e281322..d65efe9 100644 --- a/matrix-synapse-riot/terraform/main.tf +++ b/matrix-synapse-riot/terraform/main-digital-ocean.tf.txt @@ -97,7 +97,7 @@ resource "digitalocean_record" "matrix-srv" { # Run after DNS records are configured resource "null_resource" "matrix-server" { - depends_on = ["digitalocean_record.matrix"] + depends_on = ["digitalocean_record.matrix", "digitalocean_droplet.matrix-server"] connection { host = "${digitalocean_droplet.matrix-server.ipv4_address}" user = "root" @@ -144,7 +144,7 @@ resource "digitalocean_record" "chat-cjdns" { type = "AAAA" name = "h.chat" value = "${file(".keys/ipv6_cjdns")}" - ttl = "86400" + ttl = "3600" } resource "digitalocean_record" "chat-cjdns-caa" { @@ -156,7 +156,7 @@ resource "digitalocean_record" "chat-cjdns-caa" { flags = 0 tag = "issue" value = "letsencrypt.org." - ttl = "86400" + ttl = "3600" } # Create DNS records for Matrix cjdns @@ -167,7 +167,7 @@ resource "digitalocean_record" "matrix-cjdns" { type = "AAAA" name = "h.matrix" value = "${file(".keys/ipv6_cjdns")}" - ttl = "86400" + ttl = "3600" } resource "digitalocean_record" "matrix-cjdns-caa" { 
@@ -179,12 +179,81 @@ resource "digitalocean_record" "matrix-cjdns-caa" { flags = 0 tag = "issue" value = "letsencrypt.org." - ttl = "86400" + ttl = "3600" +} + +# Set up Yggdrasil if selected +resource "null_resource" "matrix-server-yggdrasil" { + count = "${var.yggdrasil != "false" ? 1 : 0}" + depends_on = ["null_resource.matrix-server-cjdns", "null_resource.matrix-server"] + connection { + host = "${digitalocean_droplet.matrix-server.ipv4_address}" + user = "root" + type = "ssh" + private_key = "${file(var.pvt_key)}" + timeout = "2m" + } + # Set up yggdrasil + provisioner "remote-exec" { + inline = [ + "/tmp/matrix-server/bootstrap-yggdrasil.sh ${file(var.domain_name)}", + ] + } + # Get the yggdrasil IPv6 + provisioner "local-exec" { + command = "scp -B -o 'StrictHostKeyChecking no' -o UserKnownHostsFile=/dev/null -i ${var.pvt_key} root@${digitalocean_droplet.matrix-server.ipv4_address}:/tmp/matrix-server/ipv6-yggdrasil .keys/ipv6_yggdrasil" + } +} + +# Create DNS record for Chat yggdrasil +resource "digitalocean_record" "chat-yggdrasil" { + depends_on = ["null_resource.matrix-server-yggdrasil", "null_resource.matrix-server"] + count = "${var.yggdrasil != "false" ? 1 : 0}" + domain = "${file(var.domain_name)}" + type = "AAAA" + name = "y.chat" + value = "${file(".keys/ipv6_yggdrasil")}" + ttl = "3600" +} + +resource "digitalocean_record" "chat-yggdrasil-caa" { + depends_on = ["null_resource.matrix-server-yggdrasil", "null_resource.matrix-server"] + count = "${var.yggdrasil != "false" ? 1 : 0}" + domain = "${file(var.domain_name)}" + type = "CAA" + name = "y.chat" + flags = 0 + tag = "issue" + value = "letsencrypt.org." + ttl = "3600" +} + +# Create DNS records for Matrix yggdrasil +resource "digitalocean_record" "matrix-yggdrasil" { + depends_on = ["null_resource.matrix-server-yggdrasil", "null_resource.matrix-server"] + count = "${var.yggdrasil != "false" ? 
1 : 0}" + domain = "${file(var.domain_name)}" + type = "AAAA" + name = "y.matrix" + value = "${file(".keys/ipv6_yggdrasil")}" + ttl = "3600" +} + +resource "digitalocean_record" "matrix-yggdrasil-caa" { + depends_on = ["null_resource.matrix-server-yggdrasil", "null_resource.matrix-server"] + count = "${var.yggdrasil != "false" ? 1 : 0}" + domain = "${file(var.domain_name)}" + type = "CAA" + name = "y.matrix" + flags = 0 + tag = "issue" + value = "letsencrypt.org." + ttl = "3600" } # Use dehydrated to use DNS-01 to validate the hostname for Let's Encrypt certificate. resource "null_resource" "matrix-server-dehydrated" { - depends_on = ["null_resource.matrix-server-cjdns", "null_resource.matrix-server"] + depends_on = ["null_resource.matrix-server-cjdns", "null_resource.matrix-server-yggdrasil", "null_resource.matrix-server"] connection { host = "${digitalocean_droplet.matrix-server.ipv4_address}" user = "root" @@ -222,19 +291,12 @@ resource "null_resource" "matrix-server-cleanup" { } # Reboot provisioner "local-exec" { - command = "ssh -o 'StrictHostKeyChecking no' -o UserKnownHostsFile=/dev/null -i ${var.pvt_key} root@${digitalocean_droplet.matrix-server.ipv4_address} '(sleep 2; reboot)&'" + command = "ssh -o 'StrictHostKeyChecking no' -o UserKnownHostsFile=/dev/null -i ${var.pvt_key} root@${digitalocean_droplet.matrix-server.ipv4_address} '(chage -d 0 sysadmin; sleep 2; reboot)&'" } } # Print summary -output "digital_ocean_droplets" { - depends_on = ["digitalocean_record.*"] - value = [ - "${digitalocean_droplet.matrix-server.name}: ${digitalocean_droplet.matrix-server.status}", - ] -} - output "ssh_access" { depends_on = ["null_resource.matrix-server-cleanup"] value = [ diff --git a/matrix-synapse-riot/terraform/main-proxmox.tf.txt b/matrix-synapse-riot/terraform/main-proxmox.tf.txt new file mode 100644 index 0000000..188a562 --- /dev/null +++ b/matrix-synapse-riot/terraform/main-proxmox.tf.txt 
@@ -0,0 +1,308 @@ +# Matrix server Proxmox VM +resource "proxmox_vm_qemu" "matrix-server" { + name = "matrix.${file(var.domain_name)}" + desc = "matrix server" + target_node = "mastervm" + + clone = "Deb9Cloud-InitTemplate" + storage = "local" + disk_gb = 100 + cores = 4 + sockets = 1 + memory = 4096 + nic = "virtio" + bridge = "vmbr0" + + ciuser = "sysadmin" + ssh_user = "sysadmin" + ssh_private_key = "${file(var.pvt_key)}" + sshkeys = "${file(var.pub_key)}" + os_type = "cloud-init" + ipconfig0 = "ip=${file(var.interface_ip)}/${file(var.interface_ip_netmask)},gw=${file(var.interface_gw)},ip6=${file(var.interface_ip6)}/${file(var.interface_ip6_netmask)},gw6=${file(var.interface_gw6)}" + + nameserver = "${file(var.nameserver)}" + searchdomain = "${file(var.domain_name)}" + + provisioner "file" { + source = "matrix-server" + destination = "/tmp" + } + provisioner "remote-exec" { + inline = [ + "chmod +x /tmp/matrix-server/*.sh", + "sudo /tmp/matrix-server/bootstrap.sh ${file(var.domain_name)} ${file(var.nameserver)}", + ] + } +} + +# DNS records for Matrix +resource "digitalocean_record" "matrix" { + domain = "${file(var.domain_name)}" + type = "A" + name = "matrix" + value = "${file(var.interface_ip)}" + ttl = "3600" +} +resource "digitalocean_record" "matrix-v6" { + domain = "${file(var.domain_name)}" + type = "AAAA" + name = "matrix" + value = "${file(var.interface_ip6)}" + ttl = "3600" +} +resource "digitalocean_record" "matrix-caa" { + domain = "${file(var.domain_name)}" + type = "CAA" + name = "matrix" + flags = 0 + tag = "issue" + value = "letsencrypt.org." 
+ ttl = "3600" +} + +# DNS records for Riot Web frontend +resource "digitalocean_record" "chat" { + domain = "${file(var.domain_name)}" + type = "A" + name = "chat" + value = "${file(var.interface_ip)}" + ttl = "3600" +} +resource "digitalocean_record" "chat-v6" { + domain = "${file(var.domain_name)}" + type = "AAAA" + name = "chat" + value = "${file(var.interface_ip6)}" + ttl = "3600" +} +resource "digitalocean_record" "chat-caa" { + domain = "${file(var.domain_name)}" + type = "CAA" + name = "chat" + flags = 0 + tag = "issue" + value = "letsencrypt.org." + ttl = "3600" +} + +# Matrix SRV record +resource "digitalocean_record" "matrix-srv" { + domain = "${file(var.domain_name)}" + type = "SRV" + name = "_matrix._tcp" + priority = "10" + weight = "0" + port = "8448" + value = "matrix.${file(var.domain_name)}." + ttl = "3600" +} + +# Run after DNS records are configured +resource "null_resource" "matrix-server" { + depends_on = ["digitalocean_record.matrix", "proxmox_vm_qemu.matrix-server"] + connection { + host = "${file(var.interface_ip)}" + user = "sysadmin" + type = "ssh" + private_key = "${file(var.pvt_key)}" + timeout = "2m" + } + # Set up services such as NGINX, Let's Encrypt, Matrix, etc. + provisioner "remote-exec" { + inline = [ + "sudo /tmp/matrix-server/bootstrap-post-dns.sh ${file(var.domain_name)} ${file(var.do_token)}", + ] + } +} + +# Set up cjdns if selected +resource "null_resource" "matrix-server-cjdns" { + count = "${var.cjdns != "false" ? 
1 : 0}" + depends_on = ["null_resource.matrix-server"] + connection { + host = "${file(var.interface_ip)}" + user = "sysadmin" + type = "ssh" + private_key = "${file(var.pvt_key)}" + timeout = "2m" + } + # Set up cjdns + provisioner "remote-exec" { + inline = [ + "sudo /tmp/matrix-server/bootstrap-cjdns.sh ${file(var.domain_name)}", + ] + } + # Get the cjdns IPv6 + provisioner "local-exec" { + command = "scp -B -o 'StrictHostKeyChecking no' -o UserKnownHostsFile=/dev/null -i ${var.pvt_key} sysadmin@${file(var.interface_ip)}:/tmp/matrix-server/ipv6-cjdns .keys/ipv6_cjdns" + } +} + +# Create DNS record for Chat cjdns +resource "digitalocean_record" "chat-cjdns" { + depends_on = ["null_resource.matrix-server-cjdns", "null_resource.matrix-server"] + count = "${var.cjdns != "false" ? 1 : 0}" + domain = "${file(var.domain_name)}" + type = "AAAA" + name = "h.chat" + value = "${file(".keys/ipv6_cjdns")}" + ttl = "3600" +} + +resource "digitalocean_record" "chat-cjdns-caa" { + depends_on = ["null_resource.matrix-server-cjdns", "null_resource.matrix-server"] + count = "${var.cjdns != "false" ? 1 : 0}" + domain = "${file(var.domain_name)}" + type = "CAA" + name = "h.chat" + flags = 0 + tag = "issue" + value = "letsencrypt.org." + ttl = "3600" +} + +# Create DNS records for Matrix cjdns +resource "digitalocean_record" "matrix-cjdns" { + depends_on = ["null_resource.matrix-server-cjdns", "null_resource.matrix-server"] + count = "${var.cjdns != "false" ? 1 : 0}" + domain = "${file(var.domain_name)}" + type = "AAAA" + name = "h.matrix" + value = "${file(".keys/ipv6_cjdns")}" + ttl = "3600" +} + +resource "digitalocean_record" "matrix-cjdns-caa" { + depends_on = ["null_resource.matrix-server-cjdns", "null_resource.matrix-server"] + count = "${var.cjdns != "false" ? 1 : 0}" + domain = "${file(var.domain_name)}" + type = "CAA" + name = "h.matrix" + flags = 0 + tag = "issue" + value = "letsencrypt.org." 
+ ttl = "3600" +} + +# Set up Yggdrasil if selected +resource "null_resource" "matrix-server-yggdrasil" { + count = "${var.yggdrasil != "false" ? 1 : 0}" + depends_on = ["null_resource.matrix-server-cjdns", "null_resource.matrix-server"] + connection { + host = "${file(var.interface_ip)}" + user = "sysadmin" + type = "ssh" + private_key = "${file(var.pvt_key)}" + timeout = "2m" + } + # Set up yggdrasil + provisioner "remote-exec" { + inline = [ + "sudo /tmp/matrix-server/bootstrap-yggdrasil.sh ${file(var.domain_name)}", + ] + } + # Get the yggdrasil IPv6 + provisioner "local-exec" { + command = "scp -B -o 'StrictHostKeyChecking no' -o UserKnownHostsFile=/dev/null -i ${var.pvt_key} sysadmin@${file(var.interface_ip)}:/tmp/matrix-server/ipv6-yggdrasil .keys/ipv6_yggdrasil" + } +} + +# Create DNS record for Chat yggdrasil +resource "digitalocean_record" "chat-yggdrasil" { + depends_on = ["null_resource.matrix-server-yggdrasil", "null_resource.matrix-server"] + count = "${var.yggdrasil != "false" ? 1 : 0}" + domain = "${file(var.domain_name)}" + type = "AAAA" + name = "y.chat" + value = "${file(".keys/ipv6_yggdrasil")}" + ttl = "3600" +} + +resource "digitalocean_record" "chat-yggdrasil-caa" { + depends_on = ["null_resource.matrix-server-yggdrasil", "null_resource.matrix-server"] + count = "${var.yggdrasil != "false" ? 1 : 0}" + domain = "${file(var.domain_name)}" + type = "CAA" + name = "y.chat" + flags = 0 + tag = "issue" + value = "letsencrypt.org." + ttl = "3600" +} + +# Create DNS records for Matrix yggdrasil +resource "digitalocean_record" "matrix-yggdrasil" { + depends_on = ["null_resource.matrix-server-yggdrasil", "null_resource.matrix-server"] + count = "${var.yggdrasil != "false" ? 
1 : 0}" + domain = "${file(var.domain_name)}" + type = "AAAA" + name = "y.matrix" + value = "${file(".keys/ipv6_yggdrasil")}" + ttl = "3600" +} + +resource "digitalocean_record" "matrix-yggdrasil-caa" { + depends_on = ["null_resource.matrix-server-yggdrasil", "null_resource.matrix-server"] + count = "${var.yggdrasil != "false" ? 1 : 0}" + domain = "${file(var.domain_name)}" + type = "CAA" + name = "y.matrix" + flags = 0 + tag = "issue" + value = "letsencrypt.org." + ttl = "3600" +} + +# Use dehydrated to use DNS-01 to validate the hostname for Let's Encrypt certificate. +resource "null_resource" "matrix-server-dehydrated" { + depends_on = ["null_resource.matrix-server-cjdns", "null_resource.matrix-server-yggdrasil", "null_resource.matrix-server"] + connection { + host = "${file(var.interface_ip)}" + user = "sysadmin" + type = "ssh" + private_key = "${file(var.pvt_key)}" + timeout = "2m" + } + # Get an valid SSL Cert from Let's Encrypt + provisioner "remote-exec" { + inline = [ + "sudo /tmp/matrix-server/bootstrap-dehydrated.sh", + ] + } +} + +# Run cleanup after null_resource matrix-server-dehydrated is done +resource "null_resource" "matrix-server-cleanup" { + depends_on = ["null_resource.matrix-server-dehydrated", "null_resource.matrix-server"] + connection { + host = "${file(var.interface_ip)}" + user = "sysadmin" + type = "ssh" + private_key = "${file(var.pvt_key)}" + timeout = "2m" + } + # Get the password for sysadmin user + provisioner "local-exec" { + command = "scp -B -o 'StrictHostKeyChecking no' -o UserKnownHostsFile=/dev/null -i ${var.pvt_key} sysadmin@${file(var.interface_ip)}:/tmp/matrix-server/passwd-sysadmin .keys/passwd_sysadmin" + } + # Clean up + provisioner "remote-exec" { + inline = [ + "sudo /tmp/matrix-server/bootstrap-cleanup.sh", + ] + } + # Reboot + provisioner "local-exec" { + command = "ssh -o 'StrictHostKeyChecking no' -o UserKnownHostsFile=/dev/null -i ${var.pvt_key} sysadmin@${file(var.interface_ip)} '(sudo chage -d 0 sysadmin; sleep 
2; sudo reboot)&'" + } +} + + +# Print summary +output "ssh_access" { + depends_on = ["null_resource.matrix-server-cleanup"] + value = [ + "matrix: ssh -i .keys/id_rsa sysadmin@${digitalocean_record.matrix.fqdn}", + "passwd: ${file(".keys/passwd_sysadmin")}", + ] +} diff --git a/matrix-synapse-riot/terraform/matrix-server/bootstrap-cleanup.sh b/matrix-synapse-riot/terraform/matrix-server/bootstrap-cleanup.sh index 4928747..e1f3f7e 100644 --- a/matrix-synapse-riot/terraform/matrix-server/bootstrap-cleanup.sh +++ b/matrix-synapse-riot/terraform/matrix-server/bootstrap-cleanup.sh @@ -3,7 +3,10 @@ set -e # Disable root login in sshd_config -sed -i -e "s/PermitRootLogin yes/PermitRootLogin no/g" /etc/ssh/sshd_config +echo "" >> /etc/ssh/sshd_config +sed -i '/PermitRootLogin/d' /etc/ssh/sshd_config +echo "PermitRootLogin no" >> /etc/ssh/sshd_config +echo "PasswordAuthentication no" >> /etc/ssh/sshd_config # Clean up the tmp directory shred -u /tmp/matrix-server/* diff --git a/matrix-synapse-riot/terraform/matrix-server/bootstrap-post-dns.sh b/matrix-synapse-riot/terraform/matrix-server/bootstrap-post-dns.sh index 702e053..dcfe463 100644 --- a/matrix-synapse-riot/terraform/matrix-server/bootstrap-post-dns.sh +++ b/matrix-synapse-riot/terraform/matrix-server/bootstrap-post-dns.sh @@ -2,12 +2,12 @@ set -e -RIOT_VERSION=0.17.8 +RIOT_VERSION=1.5.11 DOMAIN_NAME=$1 DO_TOKEN=$2 -DEHYDRATED_VERSION=0.6.2 +DEHYDRATED_VERSION=0.6.5 ####################### # nginx + letsencrypt # 
@@ -39,7 +39,7 @@ chmod 700 /opt/dehydrated-$DEHYDRATED_VERSION cd /opt/dehydrated-$DEHYDRATED_VERSION cp /tmp/matrix-server/dehydrated-config /opt/dehydrated-$DEHYDRATED_VERSION/config cp /tmp/matrix-server/dehydrated-hooks /opt/dehydrated-$DEHYDRATED_VERSION/hooks.sh -echo -n "chat.$DOMAIN_NAME matrix.$DOMAIN_NAME" > /opt/dehydrated-$DEHYDRATED_VERSION/domains.txt +echo -n "chat.$DOMAIN_NAME matrix.$DOMAIN_NAME $DOMAIN_NAME" > /opt/dehydrated-$DEHYDRATED_VERSION/domains.txt chmod +x /tmp/matrix-server/dehydrated-hooks /opt/dehydrated-$DEHYDRATED_VERSION/hooks.sh ln -s /opt/dehydrated-$DEHYDRATED_VERSION /opt/dehydrated cd /opt/dehydrated @@ -64,19 +64,23 @@ iptables-restore /etc/iptables/rules.v4 ####################### # Make non-root users # ####################### -useradd -s /bin/bash -N -g users -G sudo -m sysadmin -useradd -s /bin/bash -N -g users -m synapse +set +e +sysadminuser=$(grep -c '^sysadmin:' /etc/passwd) +set -e +if [ $sysadminuser -eq 0 ] +then + useradd -s /bin/bash -N -g users -G sudo -m sysadmin + cp -r /root/.ssh /home/sysadmin/ + chown -R sysadmin:users /home/sysadmin/.ssh +fi passwd=$(dd if=/dev/urandom bs=1M count=500 | sha256sum | awk '{ print $1 }') -echo "sysadmin:$passwd" | chpasswd +echo "sysadmin:$passwd" | /usr/sbin/chpasswd echo -n $passwd > /tmp/matrix-server/passwd-sysadmin -mkdir -m 700 /home/sysadmin/.ssh/ -cp /root/.ssh/authorized_keys /home/sysadmin/.ssh/authorized_keys -chown -R sysadmin:users /home/sysadmin/.ssh/ -chage -d 0 sysadmin ######## # PSQL # ######## +cd / # Generate an password for synapse database DATAPASS=$(dd if=/dev/urandom bs=1M count=500 | sha256sum | awk '{ print $1 }') su -c "/tmp/matrix-server/psql-setup.sh $DATAPASS" postgres 
@@ -84,7 +88,54 @@ su -c "/tmp/matrix-server/psql-setup.sh $DATAPASS" postgres ########### # Synapse # ########### -su -c "/tmp/matrix-server/synapse-setup.sh $DOMAIN_NAME $DATAPASS" synapse +echo "deb https://matrix.org/packages/debian stretch main" > /etc/apt/sources.list.d/synapse.list +echo "deb-src https://matrix.org/packages/debian stretch main" >> /etc/apt/sources.list.d/synapse.list +wget -qO - https://matrix.org/packages/debian/repo-key.asc | sudo apt-key add - +apt-get update +DEBIAN_FRONTEND='noninteractive' apt-get install -y matrix-synapse-py3 +systemctl enable matrix-synapse +systemctl stop matrix-synapse +cd /etc/matrix-synapse/ + +# Generate config file +echo "server_name: $DOMAIN_NAME" > conf.d/server_name.yaml +sed -i -e "s/x_forwarded: false/x_forwarded: true/g" homeserver.yaml +echo " +url_preview_ip_range_blacklist: + - '127.0.0.0/8' + - '10.0.0.0/8' + - '172.16.0.0/12' + - '192.168.0.0/16' + - '100.64.0.0/10' + - '169.254.0.0/16' + - '::1/128' + - 'fe80::/64'">> homeserver.yaml +sed -i '/## Database ##/,/^$/d' homeserver.yaml +sed -i '/database:/,/^$/d' homeserver.yaml +echo "enable_group_creation: true" >> conf.d/custom.yaml +echo "enable_registration: true" >> conf.d/custom.yaml +echo "allow_guest_access: true" >> conf.d/custom.yaml +echo "url_preview_enabled: true" >> conf.d/custom.yaml +echo "cleanup_extremities_with_dummy_events: true" >> conf.d/custom.yaml +echo " +# Database configuration +# Postgres database configuration +database: + name: psycopg2 + args: + user: synapse_user + password: $DATAPASS + database: synapse + host: localhost + cp_min: 5 + cp_max: 10 +" >> homeserver.yaml +echo "synctl_cache_factor: 0.02" >> homeserver.yaml +awk '1;/listeners:/{ print " - port: 8448\n type: http\n tls: true\n resources:\n - names: [client, federation]"}' homeserver.yaml > homeserver.yaml.new +mv homeserver.yaml.new homeserver.yaml + +echo "tls_certificate_path: \"/etc/matrix-synapse/homeserver.tls.crt\"" > conf.d/ssl.yaml +echo 
"tls_private_key_path: \"/etc/matrix-synapse/homeserver.tls.key\"" >> conf.d/ssl.yaml ######## # Riot # diff --git a/matrix-synapse-riot/terraform/matrix-server/bootstrap-yggdrasil.sh b/matrix-synapse-riot/terraform/matrix-server/bootstrap-yggdrasil.sh new file mode 100644 index 0000000..79ff248 --- /dev/null +++ b/matrix-synapse-riot/terraform/matrix-server/bootstrap-yggdrasil.sh @@ -0,0 +1,24 @@ +#!/usr/bin/env bash + +set -e + +DOMAIN_NAME=$1 + +# Add Yggdrasil repo +wget -O - https://neilalexander.s3.eu-west-2.amazonaws.com/deb/key.txt | apt-key add - +echo 'deb http://neilalexander.s3.eu-west-2.amazonaws.com/deb/ debian yggdrasil' | tee /etc/apt/sources.list.d/yggdrasil.list +apt-get update +DEBIAN_FRONTEND='noninteractive' apt-get install -y yggdrasil +systemctl enable yggdrasil +sed -i -e "s/NodeInfo: {}/NodeInfo: { \"name\": \"y.matrix.$DOMAIN\" }/g" /etc/yggdrasil.conf +sed -i -e "s/IfName: auto/IfName: ygg0/g" /etc/yggdrasil.conf +systemctl start yggdrasil + +# Get cjdns IPv6 +sleep 15 +yggdrasilctl getSelf | grep "IPv6 address" | awk -F " " '{ print $3 }'| tr -d '\n' > /tmp/matrix-server/ipv6-yggdrasil + +# Add h.matrix and h.chat to Dehydrated +CONTENT=$(cat /opt/dehydrated/domains.txt) + +echo -n "$CONTENT y.chat.$DOMAIN_NAME y.matrix.$DOMAIN_NAME" > /opt/dehydrated/domains.txt diff --git a/matrix-synapse-riot/terraform/matrix-server/bootstrap.sh b/matrix-synapse-riot/terraform/matrix-server/bootstrap.sh index c3f072c..fcfc20c 100644 --- a/matrix-synapse-riot/terraform/matrix-server/bootstrap.sh +++ b/matrix-synapse-riot/terraform/matrix-server/bootstrap.sh @@ -3,6 +3,7 @@ set -e DOMAIN=$1 +DNS=$2 # Wait for cloud-init to complete until [[ -f /var/lib/cloud/instance/boot-finished ]]; do 
@@ -13,6 +14,13 @@ done systemctl stop apt-daily.timer systemctl stop apt-daily.service +# Set DNS server +if [ $DNS ] +then + echo "nameserver $DNS" > /etc/resolv.conf + chattr +i /etc/resolv.conf +fi + # Make swap dd if=/dev/zero of=/swapfile bs=1M count=2048 chmod 600 /swapfile @@ -20,17 +28,10 @@ mkswap /swapfile swapon /swapfile echo '/swapfile none swap defaults 0 0' >> /etc/fstab -# Install Digital Ocean new metrics -curl -sSL https://agent.digitalocean.com/install.sh | sh +# Remove unscd as it causes issues with chpasswd +DEBIAN_FRONTEND='noninteractive' apt-get -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" remove -y unscd # Install programs apt-get update DEBIAN_FRONTEND='noninteractive' apt-get -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" dist-upgrade -y -DEBIAN_FRONTEND='noninteractive' apt-get install -y \ - ntp nginx jq curl iptables-persistent build-essential python2.7-dev libffi-dev \ - python-pip python-setuptools sqlite3 libssl-dev python-virtualenv \ - libjpeg-dev libxslt1-dev postgresql postgresql-contrib git-core - -# Remove unscd as it causes issues with chpasswd -apt-get remove -y unscd - +DEBIAN_FRONTEND='noninteractive' apt-get install -y ntp nginx jq curl iptables-persistent build-essential libssl-dev libxslt1-dev postgresql postgresql-contrib git-core apt-transport-https diff --git a/matrix-synapse-riot/terraform/matrix-server/dehydrated-hooks b/matrix-synapse-riot/terraform/matrix-server/dehydrated-hooks index 9241cd0..f142cd5 100644 --- a/matrix-synapse-riot/terraform/matrix-server/dehydrated-hooks +++ b/matrix-synapse-riot/terraform/matrix-server/dehydrated-hooks 
@@ -77,13 +77,15 @@ deploy_cert() { if [ ! -d /etc/nginx/ssl/$DOMAIN/ ] then - mkdir -m 700 /etc/nginx/ssl/$DOMAIN/ + mkdir -m 700 /etc/nginx/ssl/$DOMAIN/ fi - cp "${KEYFILE}" "${FULLCHAINFILE}" /etc/nginx/ssl/$DOMAIN/ - chown -R root:root /etc/nginx/ssl/$DOMAIN - - # Reload nginx + cp "${KEYFILE}" "${FULLCHAINFILE}" /etc/nginx/ssl/$DOMAIN/ ; chown -R root:root /etc/nginx/ssl/ systemctl reload nginx + cp "${KEYFILE}" /etc/matrix-synapse/homeserver.tls.key + cp "${FULLCHAINFILE}" /etc/matrix-synapse/homeserver.tls.crt + chown matrix-synapse:nogroup /etc/matrix-synapse/homeserver.tls.crt /etc/matrix-synapse/homeserver.tls.key + chmod 600 /etc/matrix-synapse/homeserver.tls.crt /etc/matrix-synapse/homeserver.tls.key + systemctl reload matrix-synapse } deploy_ocsp() { diff --git a/matrix-synapse-riot/terraform/matrix-server/nginx-chat b/matrix-synapse-riot/terraform/matrix-server/nginx-chat index 58d4515..0f05b4c 100644 --- a/matrix-synapse-riot/terraform/matrix-server/nginx-chat +++ b/matrix-synapse-riot/terraform/matrix-server/nginx-chat @@ -1,14 +1,14 @@ server { listen 80; listen [::]:80; - server_name chat.__DOMAIN_NAME__ h.chat.__DOMAIN_NAME__; + server_name chat.__DOMAIN_NAME__ h.chat.__DOMAIN_NAME__ y.chat.__DOMAIN_NAME__; return 301 https://$host$request_uri; } server { listen 443 ssl; listen [::]:443 ssl; - server_name chat.__DOMAIN_NAME__ h.chat.__DOMAIN_NAME__; + server_name chat.__DOMAIN_NAME__ h.chat.__DOMAIN_NAME__ y.chat.__DOMAIN_NAME__; root /var/www/chat.__DOMAIN_NAME__/public; index index.html index.htm; diff --git a/matrix-synapse-riot/terraform/matrix-server/nginx-matrix b/matrix-synapse-riot/terraform/matrix-server/nginx-matrix index 5bb389f..7e16667 100644 --- a/matrix-synapse-riot/terraform/matrix-server/nginx-matrix +++ b/matrix-synapse-riot/terraform/matrix-server/nginx-matrix 
@@ -1,14 +1,14 @@ server { listen 80; listen [::]:80; - server_name matrix.__DOMAIN_NAME__ h.matrix.__DOMAIN_NAME__; + server_name matrix.__DOMAIN_NAME__ h.matrix.__DOMAIN_NAME__ y.matrix.__DOMAIN_NAME__; return 301 https://$host$request_uri; } server { listen 443 ssl; listen [::]:443 ssl; - server_name matrix.__DOMAIN_NAME__ h.matrix.__DOMAIN_NAME__; + server_name matrix.__DOMAIN_NAME__ h.matrix.__DOMAIN_NAME__ y.matrix.__DOMAIN_NAME__; ssl_certificate /etc/nginx/ssl/chat.__DOMAIN_NAME__/fullchain.pem; ssl_certificate_key /etc/nginx/ssl/chat.__DOMAIN_NAME__/privkey.pem; diff --git a/matrix-synapse-riot/terraform/matrix-server/synapse-setup.sh b/matrix-synapse-riot/terraform/matrix-server/synapse-setup.sh deleted file mode 100644 index d7cab89..0000000 --- a/matrix-synapse-riot/terraform/matrix-server/synapse-setup.sh +++ /dev/null 
@@ -1,58 +0,0 @@ -#!/usr/bin/env bash - -set -e - -SYNAPSE_VERSION=0.34.1.1 -SERVER_NAME=$1 -DATAPASS=$2 - -# Go home -cd $HOME - -# Installation -virtualenv -p python2.7 ~/.synapse -source ~/.synapse/bin/activate -pip install --upgrade setuptools -pip install https://github.com/matrix-org/synapse/tarball/v$SYNAPSE_VERSION -cd ~/.synapse/ - -# Generate homeserver.yaml -python -B -m synapse.app.homeserver -c homeserver.yaml --generate-config --report-stats=no --server-name=$SERVER_NAME -sed -i -e "s/x_forwarded: false/x_forwarded: true/g" homeserver.yaml -sed -i -e "s/url_preview_enabled: False/url_preview_enabled: True/g" homeserver.yaml -sed -i -e "s/enable_group_creation: false/enable_group_creation: true/g" homeserver.yaml -sed -i -e "s/enable_registration: False/enable_registration: True/g" homeserver.yaml -sed -i -e "s/allow_guest_access: False/allow_guest_access: True/g" homeserver.yaml -echo " -url_preview_ip_range_blacklist: - - '127.0.0.0/8' - - '10.0.0.0/8' - - '172.16.0.0/12' - - '192.168.0.0/16' - - '100.64.0.0/10' - - '169.254.0.0/16' - - '::1/128' - - 'fe80::/64'">> homeserver.yaml -sed -i '/# Database configuration/,/^$/d' homeserver.yaml -echo " -# Database configuration -# Postgres database configuration -database: - name: psycopg2 - args: - user: synapse_user - password: $DATAPASS - database: synapse - host: localhost - cp_min: 5 - cp_max: 10 -" >> homeserver.yaml -echo "synctl_cache_factor: 0.02" >> homeserver.yaml - -# Install lxml -pip install lxml - -# Create a startup script -mkdir ~/bin/ -cp /tmp/matrix-server/synapse-startup.sh ~/bin/synapse-startup.sh -sh -c '(crontab -l 2>/dev/null; echo "@reboot /home/synapse/bin/synapse-startup.sh") | crontab -' diff --git a/matrix-synapse-riot/terraform/matrix-server/synapse-startup.sh b/matrix-synapse-riot/terraform/matrix-server/synapse-startup.sh deleted file mode 100644 index 0693a7b..0000000 --- a/matrix-synapse-riot/terraform/matrix-server/synapse-startup.sh +++ /dev/null 
@@ -1,6 +0,0 @@ -#!/usr/bin/env bash -set -e -sleep 10 -source /home/synapse/.synapse/bin/activate -cd /home/synapse/.synapse/ -/home/synapse/.synapse/bin/synctl start diff --git a/matrix-synapse-riot/terraform/providers.tf b/matrix-synapse-riot/terraform/providers.tf index 71bc96b..c9eb692 100644 --- a/matrix-synapse-riot/terraform/providers.tf +++ b/matrix-synapse-riot/terraform/providers.tf @@ -1,3 +1,6 @@ provider "digitalocean" { token = "${file(var.do_token)}" -} \ No newline at end of file +} +provider "proxmox" { + pm_tls_insecure = true +} diff --git a/matrix-synapse-riot/terraform/variables.tf b/matrix-synapse-riot/terraform/variables.tf index f6e4c01..bc529fd 100644 --- a/matrix-synapse-riot/terraform/variables.tf +++ b/matrix-synapse-riot/terraform/variables.tf @@ -13,7 +13,32 @@ variable "pvt_key" { variable "ssh_fingerprint" { default = ".keys/ssh_fingerprint" } +variable "nameserver" { + default = ".keys/nameserver" +} +variable "interface_gw" { + default = ".keys/interface_gw" +} +variable "interface_ip" { + default = ".keys/interface_ip" +} +variable "interface_ip_netmask" { + default = ".keys/interface_ip_netmask" +} +variable "interface_gw6" { + default = ".keys/interface_gw6" +} +variable "interface_ip6" { + default = ".keys/interface_ip6" +} +variable "interface_ip6_netmask" { + default = ".keys/interface_ip6_netmask" +} variable "cjdns" { description = "Set up Matrix and Riot on cjdns" default = true } +variable "yggdrasil" { + description = "Set up Matrix and Riot on Yggdrasil" + default = true +}
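Review bot: In the first bootstrap hunk (@@ -39,7 +39,7), adding the bare `$DOMAIN_NAME` to the single line of `domains.txt` makes the apex a SAN of the one certificate that also covers `chat.` and `matrix.`, so issuance of all three names now fails together if the apex does not resolve to this host or its HTTP challenge is not served by nginx. Confirm the apex record is created alongside the subdomains (the README only documents storing the domain name) or put the apex on its own line so a failure there does not take the chat and matrix certificates with it.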
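Review bot: In the "Make non-root users" hunk (@@ -64,19 +64,23), `cp -r /root/.ssh /home/sysadmin/` copies root's whole `.ssh` directory (known_hosts and any private keys present) into the sysadmin account, whereas the removed lines copied only `authorized_keys` into a freshly created 700 directory; keep the narrower form, for example `install -d -m 700 -o sysadmin -g users /home/sysadmin/.ssh` followed by `cp /root/.ssh/authorized_keys /home/sysadmin/.ssh/`. The same hunk silently drops `chage -d 0 sysadmin`, so the generated password, which is still written to `/tmp/matrix-server/passwd-sysadmin`, is no longer forced to change at first login; if that was removed deliberately because of the unscd/chpasswd problem mentioned elsewhere in this patch, say so in the commit message, otherwise restore it inside the new `if` block. The `set +e` / `grep -c` / `set -e` dance can be replaced by `if ! getent passwd sysadmin >/dev/null; then ... fi`, which needs no toggling of errexit.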
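Review bot: In the Synapse hunk (@@ -84,7 +88,54), `wget -qO - ... | sudo apt-key add -` is the only `sudo` in a script that otherwise runs as root, and `sudo` is not in the package list this patch installs, so on a minimal image the pipeline fails and `set -e` aborts the bootstrap; drop the `sudo`. Two further points in the config section: the sequence of `>>` appends to `conf.d/custom.yaml` is not idempotent (the first write should be `>`), which is at odds with the re-run guard this same patch adds for the sysadmin user, and `sed -i '/database:/,/^$/d'` deletes from any line containing `database:` up to the next blank line, a much looser match than the `# Database configuration` anchor used by the deleted `synapse-setup.sh`, so it can remove comment blocks in the packaged `homeserver.yaml` that merely mention the key. Separately, `enable_registration: true` together with `allow_guest_access: true` leaves account creation open to anyone who can reach the server; consider making these Terraform variables defaulting to `false` and documenting the choice in the README.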
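Review bot: In the new `bootstrap-yggdrasil.sh`, the NodeInfo `sed` references `$DOMAIN`, but the script only defines `DOMAIN_NAME=$1`; with no `set -u` the variable expands empty and the node advertises the name `y.matrix.`; change it to `$DOMAIN_NAME`. The comments `# Get cjdns IPv6` and `# Add h.matrix and h.chat to Dehydrated` describe the cjdns script, not this one (the code handles Yggdrasil and `y.*` names). The `sleep 15` followed by the `yggdrasilctl getSelf | grep | awk | tr` pipeline writes an empty `ipv6-yggdrasil` file if the daemon is not ready yet, and `set -e` will not notice because the final `tr` succeeds; loop until the output is non-empty or check the file afterwards. Finally, the `domains.txt` rewrite appends `y.chat` and `y.matrix` on every run, so a re-run produces duplicate names; guard it with a `grep -q` check.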
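Review bot: In the "Set DNS server" hunk of `bootstrap.sh` (@@ -13,6 +14,13), `chattr +i /etc/resolv.conf` makes the script non-re-runnable: the next run's `echo "nameserver $DNS" > /etc/resolv.conf` fails with a permission error and `set -e` aborts before any later step, and the immutable flag also prevents cloud-init, DHCP or systemd-resolved from managing the file after reboot. Either run `chattr -i` before writing (and keep the immutable flag as an explicit, documented choice) or configure the resolver through the interface configuration that the Proxmox cloud-init template already provides. Also quote the test: `if [ $DNS ]` should be `if [ -n "$DNS" ]`.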
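Review bot: In the package hunk of `bootstrap.sh` (@@ -20,17 +28,10), removing `unscd` before the first `apt-get update` is fine, but the reason given ("causes issues with chpasswd") should be stated next to the `/usr/sbin/chpasswd` change in the user-creation hunk as well, since the two edits only make sense together. The addition of `apt-transport-https` is needed for the https `matrix.org` repository added later, but the Yggdrasil repository in the new script is fetched over plain `http://`; since apt still verifies the signature with the key imported over https this is acceptable, but it is worth a comment so the difference does not look accidental.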
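Review bot: In the `deploy_cert()` hunk of `dehydrated-hooks` (@@ -77,13 +77,15), `systemctl reload matrix-synapse` runs on every renewal, so verify that the packaged `matrix-synapse` unit defines an `ExecReload` (Synapse picks up new certificates on SIGHUP); if the unit has none, `reload` fails and the freshly issued certificate is never loaded, in which case use `systemctl restart matrix-synapse` instead. The copy order is right (files are chowned to `matrix-synapse:nogroup` and chmodded to 600 before the reload), but the `cp ... ; chown -R root:root /etc/nginx/ssl/` join on one line replaces two separate lines and the removed `# Reload nginx` comment, and it widens the recursive chown from the per-domain directory to the whole `/etc/nginx/ssl/` tree; keep the commands on separate lines so a failing `cp` is visible in the hook output.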
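Review bot: In the `nginx-chat` hunk, adding `y.chat.__DOMAIN_NAME__` to the 443 `server_name` only works once the certificate carries that SAN, and the only place this patch adds the name to `domains.txt` is the tail of `bootstrap-yggdrasil.sh`; make sure the dehydrated signing step runs (or is re-run) after that script, otherwise clients on the Yggdrasil name get a name-mismatch error until the next renewal.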
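Review bot: In the `nginx-matrix` hunk, the 443 block keeps pointing at `/etc/nginx/ssl/chat.__DOMAIN_NAME__/fullchain.pem`, so `y.matrix.__DOMAIN_NAME__` must be a SAN of the chat certificate; that holds only because all names share one line in `domains.txt` (including the `y.*` names appended by `bootstrap-yggdrasil.sh`), which is worth a comment in the config, since anyone splitting the names onto separate lines later will break the matrix vhost without touching this file.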
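Review bot: With `synapse-setup.sh` and `synapse-startup.sh` deleted, the `synapse` user, `/home/synapse/.synapse` virtualenv and the `@reboot` crontab entry no longer exist, and the user-creation hunk drops the `useradd ... synapse` line accordingly; check that nothing else in the repository (nginx configs, Riot setup, backup or README text) still references `/home/synapse` or the `synapse` account, and note in the commit message that the pinned `SYNAPSE_VERSION=0.34.1.1` is replaced by whatever `matrix-synapse-py3` the matrix.org repository currently ships.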
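Review bot: In the `providers.tf` hunk, `pm_tls_insecure = true` disables verification of the Proxmox API certificate, so the credentials Terraform sends are exposed to anyone who can intercept the connection to the configured endpoint; trust the Proxmox CA (or the self-signed certificate) on the machine running Terraform and drop the setting, or at least expose it as a variable defaulting to `false` and document the trade-off in the README. The provider block also carries no endpoint or credentials, so the README should state how they are supplied (environment variables or a tfvars file), the same way it documents `.keys/do_token` for the Digital Ocean provider.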
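Review bot: In the `variables.tf` hunk, the seven new `nameserver` / `interface_*` variables have no `description`, unlike the neighbouring `cjdns` and `yggdrasil` variables; add one to each stating that the value is a path to a file under `.keys/` holding the address, since the names (`interface_ip`, `interface_gw6`) read as if they held the address itself. Also `yggdrasil` defaults to `true` like `cjdns`, so a plain `terraform apply` now installs both overlay networks and opens the corresponding listeners; if that is intended, say so in the README, otherwise default the new flag to `false`.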