set up tuwunel matrix server

plays/emma.yml

@@ -253,3 +253,18 @@
             name: 'jef'
           - path: '/mnt/data1/photos/lambroek'
             name: 'lambroek'
+
+- name: Set up Tuwunel
+  hosts: emma
+  tags: tuwunel
+  become: true
+  roles:
+    - role: any.common.btrfs-subvolumes
+      vars:
+        subvolumes:
+          - filesystem_uuid: "{{ btrfs_nvme.uuid }}"
+            filesystem_path: "{{ btrfs_nvme.path }}"
+            name: "/@rootfs/data/matrix-tuwunel/data"
+    - role: any.software.tuwunel
+      vars:
+        tuwunel_data_dir: '/data/matrix-tuwunel/data'

roles/any.software.site-podman/files/site.Caddyfile

@@ -1,3 +1,5 @@
 rustybever.be www.rustybever.be {
-    reverse_proxy 127.0.0.1:8021
+    reverse_proxy 127.0.0.1:8021 {
+        header_down Access-Control-Allow-Origin *
+    }
 }

roles/any.software.tuwunel/files/tuwunel.Caddyfile

@@ -0,0 +1,3 @@
+matrix.rustybever.be, matrix.rustybever.be:8448 {
+    reverse_proxy localhost:8025
+}

roles/any.software.tuwunel/files/tuwunel.data.backup.sh

@@ -0,0 +1,12 @@
+#!/usr/bin/env bash
+
+data_dir='/mnt/data1/otter/data'
+snapshot_dir="${data_dir}.snapshot"
+
+# Read-only snapshot for atomic backup
+btrfs subvolume snapshot -r "$data_dir" "$snapshot_dir" || exit $?
+
+/usr/local/bin/restic backup "$snapshot_dir"
+
+# Always remove snapshot subvolume, even if restic fails
+btrfs subvolume delete "$snapshot_dir"

roles/any.software.tuwunel/handlers/main.yml

@@ -0,0 +1,6 @@
+---
+- name: 'restart tuwunel'
+  ansible.builtin.service:
+    name: 'tuwunel'
+    state: 'restarted'
+    daemon_reload: true

roles/any.software.tuwunel/meta/main.yml

@@ -0,0 +1,3 @@
+---
+dependencies:
+  - role: any.tools.caddy

roles/any.software.tuwunel/tasks/main.yml

@@ -0,0 +1,75 @@
+---
+- name: Ensure tuwunel is installed
+  ansible.builtin.apt:
+    deb: 'https://github.com/matrix-construct/tuwunel/releases/download/v1.5.0/v1.5.0-release-all-x86_64-v3-linux-gnu-tuwunel.deb'
+
+- name: Ensure system group exists
+  ansible.builtin.group:
+    name: 'tuwunel'
+    gid: 205
+    system: true
+    state: present
+
+- name: Ensure system user exists
+  ansible.builtin.user:
+    name: 'tuwunel'
+    group: 'tuwunel'
+    uid: 205
+    system: true
+    create_home: false
+
+- name: Ensure permissions are correct
+  ansible.builtin.file:
+    path: "{{ tuwunel_data_dir }}"
+    state: directory
+    mode: '0755'
+    owner: '205'
+    group: '205'
+
+- name: Ensure configuration directory is present
+  ansible.builtin.file:
+    path: '/etc/tuwunel'
+    state: directory
+    mode: '0755'
+
+- name: Ensure config file is present
+  ansible.builtin.template:
+    src: 'tuwunel.toml.j2'
+    dest: '/etc/tuwunel/tuwunel.toml'
+    mode: '0644'
+    owner: 'root'
+    group: 'root'
+  notify: 'restart tuwunel'
+
+- name: Ensure Caddyfile is present
+  ansible.builtin.copy:
+    src: 'tuwunel.Caddyfile'
+    dest: '/etc/caddy/tuwunel.Caddyfile'
+    owner: root
+    group: root
+    mode: '0644'
+  notify: reload caddy
+
+# - name: Ensure backup scripts are present
+#   ansible.builtin.copy:
+#     src: "tuwunel.{{ item }}.backup.sh"
+#     dest: "/etc/backups/tuwunel.{{ item }}.backup.sh"
+#     owner: 'root'
+#     group: 'root'
+#     mode: '0644'
+#   loop:
+#     - 'data'
+
+- name: Ensure service file is present
+  ansible.builtin.template:
+    src: 'tuwunel.service.j2'
+    dest: '/lib/systemd/system/tuwunel.service'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  notify: 'restart tuwunel'
+
+- name: Ensure tuwunel service is enabled
+  ansible.builtin.service:
+    name: 'tuwunel'
+    enabled: true

roles/any.software.tuwunel/templates/tuwunel.service.j2

@@ -0,0 +1,68 @@
+# https://matrix-construct.github.io/tuwunel/configuration/examples.html#debian-systemd-unit-file
+[Unit]
+Description=Tuwunel Matrix homeserver
+Wants=network-online.target
+After=network-online.target
+Documentation=https://tuwunel.chat/
+
+[Service]
+User=tuwunel
+Group=tuwunel
+Type=notify
+
+Environment="TUWUNEL_CONFIG=/etc/tuwunel/tuwunel.toml"
+
+ExecStart=/usr/sbin/tuwunel
+
+ReadWritePaths={{ tuwunel_data_dir }} /etc/tuwunel
+
+AmbientCapabilities=
+CapabilityBoundingSet=
+
+ManagedOOMPreference=avoid
+
+DevicePolicy=closed
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
+#ProcSubset=pid
+ProtectClock=yes
+ProtectControlGroups=yes
+ProtectHome=yes
+ProtectHostname=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectProc=invisible
+ProtectSystem=strict
+PrivateDevices=yes
+PrivateMounts=yes
+PrivateTmp=yes
+PrivateUsers=yes
+PrivateIPC=yes
+RemoveIPC=yes
+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+SystemCallArchitectures=native
+SystemCallFilter=@system-service @resources
+SystemCallFilter=~@clock @debug @module @mount @reboot @swap @cpu-emulation @obsolete @timer @chown @setuid @privileged @keyring @ipc
+SystemCallErrorNumber=EPERM
+#StateDirectory=tuwunel
+
+RuntimeDirectory=tuwunel
+RuntimeDirectoryMode=0750
+
+Restart=on-failure
+RestartSec=5
+
+TimeoutStopSec=2m
+TimeoutStartSec=2m
+
+StartLimitInterval=1m
+StartLimitBurst=5
+
+[Install]
+WantedBy=multi-user.target
+Alias=matrix-tuwunel.service