From bb10c3a4b983d33b8fc29d90019442484c6f08f6 Mon Sep 17 00:00:00 2001 
From: PC-Admin Date: Wed, 9 Aug 2023 02:27:20 +0800 Subject: [PATCH] initial version, gets a Synapse server setup with an Element web-client --- README.md | 15 +++ .../host_vars/matrix.penholder.xyz/vars.yml | 5 + .../host_vars/matrix.snowsupport.top/vars.yml | 5 + inventory/hosts | 4 + pubkey/element-release-key.gpg | Bin 0 -> 2824 bytes roles/setup-synapse/handlers/main.yml | 11 ++ roles/setup-synapse/tasks/certbot_setup.yml | 34 ++++++ roles/setup-synapse/tasks/config_nginx.yml | 18 +++ roles/setup-synapse/tasks/config_synapse.yml | 37 ++++++ roles/setup-synapse/tasks/element_setup.yml | 112 ++++++++++++++++++ .../tasks/install_postgresql.yml | 39 ++++++ roles/setup-synapse/tasks/install_synapse.yml | 83 +++++++++++++ roles/setup-synapse/tasks/main.yml | 19 +++ roles/setup-synapse/templates/element.json.j2 | 48 ++++++++ .../templates/homeserver.yaml.j2 | 31 +++++ .../templates/nginx-element.conf.j2 | 31 +++++ roles/setup-synapse/templates/nginx.conf.j2 | 46 +++++++ setup.yml | 7 ++ 18 files changed, 545 insertions(+) create mode 100644 inventory/host_vars/matrix.penholder.xyz/vars.yml create mode 100644 inventory/host_vars/matrix.snowsupport.top/vars.yml create mode 100644 inventory/hosts create mode 100644 pubkey/element-release-key.gpg create mode 100644 roles/setup-synapse/handlers/main.yml create mode 100644 roles/setup-synapse/tasks/certbot_setup.yml create mode 100644 roles/setup-synapse/tasks/config_nginx.yml create mode 100644 roles/setup-synapse/tasks/config_synapse.yml create mode 100644 roles/setup-synapse/tasks/element_setup.yml create mode 100644 roles/setup-synapse/tasks/install_postgresql.yml create mode 100644 roles/setup-synapse/tasks/install_synapse.yml create mode 100644 roles/setup-synapse/tasks/main.yml create mode 100644 roles/setup-synapse/templates/element.json.j2 create mode 100644 roles/setup-synapse/templates/homeserver.yaml.j2 create mode 100644 roles/setup-synapse/templates/nginx-element.conf.j2 create mode 100644 
roles/setup-synapse/templates/nginx.conf.j2 create mode 100644 setup.yml diff --git a/README.md b/README.md index 1e5ff59..33c797f 100644 --- a/README.md +++ b/README.md @@ -1,2 +1,17 @@ # ansible-synapse + A ansible playbook to deploy a simple Synapse server. (For testing purposes only!) + + +## Install Prerequisites + +`$ pip install psycopg2` + + +## Setup Server + +1) Configure the [inventory/](inventory/) files for all the desired hosts appropriately. + +2) Run the setup.yml playbook: + +`ansible-synapse$ ansible-playbook -v -i inventory/hosts setup.yml` diff --git a/inventory/host_vars/matrix.penholder.xyz/vars.yml b/inventory/host_vars/matrix.penholder.xyz/vars.yml new file mode 100644 index 0000000..80d1e46 --- /dev/null +++ b/inventory/host_vars/matrix.penholder.xyz/vars.yml @@ -0,0 +1,5 @@ + +server_name: "penholder.xyz" +postgresql_password: "strong-redacted-password" +matrix_admin_email: "perthchat@protonmail.com" +registration_shared_secret: "strong-redacted-password" diff --git a/inventory/host_vars/matrix.snowsupport.top/vars.yml b/inventory/host_vars/matrix.snowsupport.top/vars.yml new file mode 100644 index 0000000..8ce588a --- /dev/null +++ b/inventory/host_vars/matrix.snowsupport.top/vars.yml @@ -0,0 +1,5 @@ + +server_name: "snowsupport.top" +postgresql_password: "strong-redacted-password" +matrix_admin_email: "perthchat@protonmail.com" +registration_shared_secret: "strong-redacted-password" diff --git a/inventory/hosts b/inventory/hosts new file mode 100644 index 0000000..8cd8322 --- /dev/null +++ b/inventory/hosts @@ -0,0 +1,4 @@ + +[matrix_servers] +matrix.penholder.xyz ansible_host=matrix.penholder.xyz ansible_ssh_user=root +#matrix.snowsupport.top ansible_host=matrix.snowsupport.top ansible_ssh_user=root \ No newline at end of file 
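Review bot: `postgresql_password` and `registration_shared_secret` are committed as plain-text values in inventory/host_vars/matrix.penholder.xyz/vars.yml, and the matrix.snowsupport.top/vars.yml hunk has the same layout; even with placeholder values, this file shape invites real secrets into git history. Keep the non-secret keys here and move the two secrets into an `ansible-vault`-encrypted file (e.g. `inventory/host_vars/<host>/vault.yml`, picked up the same way), or use inline `!vault` values. A pre-commit secret scan on the inventory directory would catch the accidental case before it is pushed.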
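Review bot: The only active host in inventory/hosts logs in with `ansible_ssh_user=root`, and setup.yml (last hunk) sets no `become`, so the whole play depends on direct root SSH being enabled on the server. Prefer an unprivileged deploy user with `become: true` on the play and keep root login disabled on the host; the role's tasks already carry `become` where they escalate. `ansible_ssh_user` is also the legacy spelling — `ansible_user` is the current variable name.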
diff --git a/pubkey/element-release-key.gpg b/pubkey/element-release-key.gpg new file mode 100644 index 0000000000000000000000000000000000000000..b0f55464efa3a939b4381ce1a6d8464f2e9671ec GIT binary patch literal 2824 zcmaLYc{~#g0|)SJ=Dy|@Eh9%_Xed37XZc=nBB81zTrgc*8(yWx`iR-NN7L(y*&rxg43_cqhLiKTA&A z-|lMq?zL&hd_jiw$m9L}t-^NeMicEW@yC4t?LXmXPnZ1lTGjwe=FDc0WyMmBAebT2OBh5aTN4H6A}6}!DP=VGq22GjnM0z zb3w0;dcJH}c_&&c-S z+L{bKMsR9S47#o&31$J?_|EW14e)w?ZoIriQ`^;mJI+SL``(kz;IV`}(GerY;PH^f zI~POaG=qnTE$P&z0=E{qcnRHTdC9P+Yz)+&49&k@<~DRV3wIwgA@Z&C+zdYH;QF8a zu8nloB5-MY++n3lg5FT%YC4chVAdijZD%@ z9IqYoGY?B3SXpzYE=PY}$;R>M-hNUszYy_Xh#Elhd#FYiGKITrrAC(ax@VTbI1lkK zLx|yz#LOOMWw`IVOS$#eFy46sGj<&KTLr%ExXQYI(c3?W2fMfjA$AoW2Z{bNJI>4W z2xA5Bnm*7=D+|FvHn(F?`?|FV7vj7Q$XZR)bnDc0M~imHfqg0 zOb5-(UlS&hEy0t5#kWmKqnypUVh<*aG`&Q-BUu=GfDd{1b)b9CPJeR1@ohnOg46bFUnQ&S4gtAVv*WJVbJX@4ShPV6otD^4wTddz#_j=2(3G8=QX{wIm22tK2SPFD2HpFi<7R!P4dP{yysBT9)Wk zI`+DJ2H#Nm+Wn<-bt}ZU0l{~LhMP$p99I~wt!h!u ztj)FgrSkE#p$fK$*E$C@Z3d^z{-D0yES49;GEtyy7jv1V=p5Z*cdMjBlhLt8enGSZ zKGm)459M;kagW>0TiyJrvE{@ax^!GI@vgfjWHal!=#rvv3wYr}VqTEgy1A1!PN3<@ z#A1qs(<`AHmdhED2|Qy7N0q9C@Zvht$kG>lA6bm#`7$X-p)OlK%B`WhTWBqrkWb7# zGf3l86-X2YNlAXAxJz@@DW(qhEBHqDg;eD1B`;#b0D@%MEy4svHu4gwss+iN-21bI;SegUy^|XL-{+idvMYg+U z6@_tGdFepBH55+ACF1X(Nb1i`dziDVj86nvX%96yIw znzfi#Y@=Y=4MsLzSp?QOR;CB@=xjMTk+YjSRKIQ>&h6qLYzS&0mMcvL_QOR1iRzdt z_spO(0b+wqx%T89QClO@|Ggh0Z|+mQnl67daOLsj3|!8yaTb3z)X>`}4NB&6Y@?^H z*pZi7FWFRjYSt+-@Emxn@T7|iPblA}e9ex6?s#fQ(a{WhHpVi548}F!@9*3T;;c_e zC0WIMk%gd-ddZmrqM#ZnT$hHPYOT zy)T6e@hY(8qyZdOrJf3!?RsafQIcBMclRn2u&E_&1zKzwza-_zDhTPq4=MN{h$6|i ziSy#{5GL^S=4B1*x!RQ=)fP(8ExFayqk;W!38BXaRj3QWt^E|ma+6o~MLQ|BuXs7~ zPBQ7DvNSG{tRtOOJ$nbgc@Dm8kOoNRlk#&`PIY_Y5ytw#PVJ03r9Gmubn2lj_-vzB zpU+ZKN1DHUVAeZa{$NVO$ekwX!sL@H8fDKtvC-$GS+zdTD0-QQ%062dJAUrG7{|GB zKP=v^*uPzH#pQssC_US7FZ@vQQxrVH8l85nP&kV){0dc5sA@Uj7#`nYUFG&WPN{~VL0e=3_+EN$v(R}`8M9T U|JQ!syb2wVC-Ek6{&Mbr0I+vd6aWAK literal 0 HcmV?d00001 
diff --git a/roles/setup-synapse/handlers/main.yml b/roles/setup-synapse/handlers/main.yml
new file mode 100644
index 0000000..29756b8
--- /dev/null
+++ b/roles/setup-synapse/handlers/main.yml
@@ -0,0 +1,11 @@
+
+---
+- name: Restart Synapse
+ service:
+ name: matrix-synapse
+ state: restarted
+
+- name: Restart Nginx
+ service:
+ name: nginx
+ state: restarted
diff --git a/roles/setup-synapse/tasks/certbot_setup.yml b/roles/setup-synapse/tasks/certbot_setup.yml
new file mode 100644
index 0000000..88eaa87
--- /dev/null
+++ b/roles/setup-synapse/tasks/certbot_setup.yml
@@ -0,0 +1,34 @@
+
+- name: Install Certbot
+ apt:
+ name: certbot
+ state: present
+
+- name: Install Certbot Nginx Plugin
+ apt:
+ name: python3-certbot-nginx
+ state: present
+
+- name: Create TLS certificate
+ become: yes
+ become_user: root
+ command: certbot certonly --rsa-key-size 2048 -d {{ server_name }} -d element.{{ server_name }} -d turn.{{ server_name }} --agree-tos --non-interactive --email {{ matrix_admin_email }} --nginx
+
+- name: Setup SSL Auto-renewal
+ become: yes
+ become_user: root
+ cron:
+ name: certbot renew
+ minute: 0
+ hour: 0
+ day: 1
+ month: '*'
+ weekday: '*'
+ job: certbot renew --rsa-key-size 2048 --quiet --post-hook "systemctl reload nginx"
+
+- name: Create Diffie-Hellman key
+ become: yes
+ become_user: root
+ command:
+ cmd: openssl dhparam -out /etc/letsencrypt/live/{{ server_name }}/dhparam2048.pem 2048
+ creates: /etc/letsencrypt/live/{{ server_name }}/dhparam2048.pem
diff --git a/roles/setup-synapse/tasks/config_nginx.yml b/roles/setup-synapse/tasks/config_nginx.yml
new file mode 100644
index 0000000..9529650
--- /dev/null
+++ b/roles/setup-synapse/tasks/config_nginx.yml
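Review bot: The `Restart Nginx` handler does a full `state: restarted`, which drops in-flight connections, whereas the certbot cron job in certbot_setup.yml uses `systemctl reload nginx` for the same purpose; a config-only change needs no more than `state: reloaded`. Keeping the handler name and switching the state keeps every `notify: Restart Nginx` in the role working while making the two paths behave the same.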
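Review bot: `Create TLS certificate` runs `certbot certonly … --nginx` unconditionally, but nginx is only installed later in config_nginx.yml (tasks/main.yml imports certbot_setup.yml before it), and a plain `command:` with no `creates:` re-issues the certificate on every run, which runs into Let's Encrypt rate limits. Add `creates: /etc/letsencrypt/live/{{ server_name }}/fullchain.pem` under `command:` as the dhparam task already does, and either move the import after config_nginx or use `--standalone` while port 80 is still free. The request also covers `turn.{{ server_name }}`, which nothing else in this patch configures; if that name does not resolve to the host, the whole issuance fails.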
@@ -0,0 +1,18 @@
+
+- name: Install NGINX
+ apt:
+ name: nginx
+ state: present
+
+- name: Configure Nginx Config for Matrix Synapse
+ template:
+ src: nginx.conf.j2
+ dest: "/etc/nginx/sites-available/{{ server_name }}"
+ mode: '0644'
+ notify: Restart Nginx
+
+- name: Create a Symbolic Link for Nginx Config
+ file:
+ src: "/etc/nginx/sites-available/{{ server_name }}"
+ dest: "/etc/nginx/sites-enabled/{{ server_name }}"
+ state: link
diff --git a/roles/setup-synapse/tasks/config_synapse.yml b/roles/setup-synapse/tasks/config_synapse.yml
new file mode 100644
index 0000000..130c0f8
--- /dev/null
+++ b/roles/setup-synapse/tasks/config_synapse.yml
@@ -0,0 +1,37 @@
+---
+- name: Apply the homeserver.yaml template
+ template:
+ src: templates/homeserver.yaml.j2
+ dest: /etc/matrix-synapse/homeserver.yaml
+ owner: root
+ group: root
+ mode: '0644'
+
+- name: Apply the nginx.conf template
+ template:
+ src: templates/nginx.conf.j2
+ dest: /etc/nginx/sites-available/matrix
+ owner: root
+ group: root
+ mode: '0644'
+
+- name: Enable the nginx site
+ file:
+ src: /etc/nginx/sites-available/matrix
+ dest: /etc/nginx/sites-enabled/matrix
+ state: link
+
+- name: Remove the default nginx site
+ file:
+ path: /etc/nginx/sites-enabled/default
+ state: absent
+ notify: Restart Nginx
+
+- name: Set Synapse Cache Factor
+ lineinfile:
+ path: /etc/default/matrix-synapse
+ regexp: '^SYNAPSE_CACHE_FACTOR='
+ line: 'SYNAPSE_CACHE_FACTOR=2.0'
+ state: present
+ create: yes
+ notify: Restart Synapse
diff --git a/roles/setup-synapse/tasks/element_setup.yml b/roles/setup-synapse/tasks/element_setup.yml
new file mode 100644
index 0000000..573915a
--- /dev/null
+++ b/roles/setup-synapse/tasks/element_setup.yml
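Review bot: nginx.conf.j2 is rendered twice — here to `/etc/nginx/sites-available/{{ server_name }}` and again in config_synapse.yml to `/etc/nginx/sites-available/matrix` — and both are symlinked into sites-enabled, so nginx loads two identical `server` blocks for the same `server_name` and listen ports (it warns about a conflicting server name and silently uses the first). Keep one template/link pair and drop the other, leaving `notify: Restart Nginx` on whichever `template:` task survives. The symlink task in this hunk also has no `notify`, so a run that only creates the link would not reload nginx; it currently works by accident because the default-site removal in config_synapse.yml notifies the same handler.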
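Review bot: `/etc/matrix-synapse/homeserver.yaml` is written with `mode: '0644'` while the template puts `postgresql_password` and `registration_shared_secret` into it, so every local account on the host can read the database password and the secret that authorises account registration; install_synapse.yml writes `conf.d/registration_shared_secret.yaml` the same way. Synapse runs as the `matrix-synapse` user (the media directory task in install_synapse.yml uses that owner), so `group: matrix-synapse` with `mode: '0640'` keeps the file readable by the service and nobody else. This hunk also renders nginx.conf.j2 a second time (config_nginx.yml already does), which is one copy too many.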
@@ -0,0 +1,112 @@ +--- +- name: Template NGINX config for Element + become: yes + template: + src: "{{ role_path }}/templates/nginx-element.conf.j2" + dest: "/etc/nginx/sites-available/element.{{ server_name}}.conf" + owner: root + group: root + mode: '0644' + notify: Restart Nginx + +- name: Create symbolic link for NGINX config + become: yes + file: + src: /etc/nginx/sites-available/element.{{ server_name}}.conf + dest: /etc/nginx/sites-enabled/element.{{ server_name}}.conf + state: link + force: yes + +- name: Create the /var/www/element.penholder.xyz/ directory + become: yes + file: + path: "/var/www/element.{{ server_name}}" + state: directory + owner: root + group: root + mode: '0755' + +- name: Download and install latest Element + become: yes + block: + + - name: Install GPG + apt: + name: gnupg + state: present + + - name: Copy Element release key to /tmp + copy: + src: "{{ playbook_dir }}/pubkey/element-release-key.gpg" + dest: /tmp/element-release-key.gpg + mode: '0644' + + # need to install GPG key from https://packages.element.io/element-release-key.gpg + + - name: Import Element release key + shell: gpg --import /tmp/element-release-key.gpg + + - name: Download Element archive + get_url: + url: "https://github.com/vector-im/element-web/releases/download/v1.11.38/element-v1.11.38.tar.gz" + dest: "/tmp/element-v1.11.38.tar.gz" + + - name: Download Element archive signature + get_url: + url: "https://github.com/vector-im/element-web/releases/download/v1.11.38/element-v1.11.38.tar.gz.asc" + dest: "/tmp/element-v1.11.38.tar.gz.asc" + + - name: Verify Element archive signature + shell: gpg --verify /tmp/element-v1.11.38.tar.gz.asc /tmp/element-v1.11.38.tar.gz + args: + chdir: "/tmp" + + - name: Extract Element archive + unarchive: + src: "/tmp/element-v1.11.38.tar.gz" + dest: "/tmp/" + remote_src: yes + args: + creates: "/var/www/element.{{ server_name}}/element-v1.11.38" + +# Copy +# /tmp/element-v1.11.38/* +# /var/www/element.penholder.xyz/ + + - name: 
Copy Element files to web directory + shell: cp -r /tmp/element-v1.11.38/* /var/www/element.{{ server_name}} + args: + creates: "/var/www/element.{{ server_name}}/welcome.html" + + - name: Clean up downloaded files + file: + path: "/tmp/element-v*" + state: absent + + - name: Template the Element Config file + template: + src: "{{ role_path }}/templates/element.json.j2" + dest: "/var/www/element.{{ server_name}}/config.json" + owner: root + group: root + mode: '0644' + notify: Restart Nginx + +# - name: Create and edit config.json for Element +# become: yes +# blockinfile: +# path: "/var/www/element.{{ server_name}}/config.json" +# create: yes +# content: | +# { +# "default_server_config": { +# "m.homeserver": { +# "base_url": "https://{{ server_name}}", +# "server_name": "{{ server_name}}" +# }, +# "m.identity_server": { +# "base_url": "https://vector.im" +# } +# }, +# # ... (other config options) +# } diff --git a/roles/setup-synapse/tasks/install_postgresql.yml b/roles/setup-synapse/tasks/install_postgresql.yml new file mode 100644 index 0000000..a889df8 --- /dev/null +++ b/roles/setup-synapse/tasks/install_postgresql.yml 
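Review bot: `Clean up downloaded files` passes `path: "/tmp/element-v*"` to the `file` module, which does not expand globs, so the archive, its `.asc` and the extracted tree are never removed and the task just reports ok. List the three paths explicitly with `loop` (below), or run `find` with `patterns` first. `gpg --verify` accepts a signature from any key in root's keyring, not only the one copied from `pubkey/`; `gpgv --keyring /tmp/element-release-key.gpg` over the same two files, or a check of the signing fingerprint in the output, pins the check to that key. The version `1.11.38` is repeated throughout the hunk; a single `element_version` variable in the role defaults would make upgrades a one-line change.
```yaml
  - name: Clean up downloaded files
    file:
      path: "{{ item }}"
      state: absent
    loop:
      - /tmp/element-v1.11.38.tar.gz
      - /tmp/element-v1.11.38.tar.gz.asc
      - /tmp/element-v1.11.38
  # … unchanged: remaining tasks …
```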
@@ -0,0 +1,39 @@
+---
+- name: Install Postgresql
+ apt:
+ name: "{{ item }}"
+ state: present
+ loop:
+ - postgresql
+ - postgresql-client
+
+- name: Ensure pip is installed
+ apt:
+ name: python3-pip
+ state: present
+
+- name: Install psycopg2 with pip
+ pip:
+ name: psycopg2-binary
+ state: present
+ extra_args: "{{ (ansible_distribution == 'Debian' and ansible_distribution_version is version('12', '>=')) | ternary('--break-system-packages', '') }}"
+
+- name: Create Synapse role in PostgreSQL
+ become: yes
+ become_user: postgres
+ postgresql_user:
+ name: synapse
+ password: "{{ postgresql_password }}"
+ role_attr_flags: NOSUPERUSER,NOCREATEDB,NOCREATEROLE
+ encrypted: yes
+
+- name: Create Database for Synapse
+ become: yes
+ become_user: postgres
+ postgresql_db:
+ name: synapse
+ encoding: UTF8
+ lc_collate: C
+ lc_ctype: C
+ template: template0
+ owner: synapse
diff --git a/roles/setup-synapse/tasks/install_synapse.yml b/roles/setup-synapse/tasks/install_synapse.yml
new file mode 100644
index 0000000..5bb4438
--- /dev/null
+++ b/roles/setup-synapse/tasks/install_synapse.yml
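Review bot: `Install Postgresql` loops `apt` once per package; `apt` takes a list directly (`name: [postgresql, postgresql-client]`), which resolves both in one transaction and one task result, and the `Install Prerequisite Packages` task in install_synapse.yml has the same shape. The `pip` task installs an unpinned `psycopg2-binary` into the system interpreter; the `--break-system-packages` ternary is a workable escape hatch on Debian 12, but the distribution package `python3-psycopg2` would avoid it and stay under apt's security updates. The `postgresql_user` task's `NOSUPERUSER,NOCREATEDB,NOCREATEROLE` flags are the right least-privilege shape for a service role.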
@@ -0,0 +1,83 @@ +--- +# sudo apt update + +- name: Update apt cache + apt: + update_cache: yes + +#sudo apt install -y lsb-release wget apt-transport-https + +- name: Install Prerequisite Packages + apt: + name: "{{ item }}" + state: present + loop: + - lsb-release + - wget + - apt-transport-https + +#sudo wget -O /usr/share/keyrings/matrix-org-archive-keyring.gpg https://packages.matrix.org/debian/matrix-org-archive-keyring.gpg + +#echo "deb [signed-by=/usr/share/keyrings/matrix-org-archive-keyring.gpg] https://packages.matrix.org/debian/ $(lsb_release -cs) main" | +# sudo tee /etc/apt/sources.list.d/matrix-org.list + +- name: Download Matrix.org GPG keyring + get_url: + url: https://packages.matrix.org/debian/matrix-org-archive-keyring.gpg + dest: /usr/share/keyrings/matrix-org-archive-keyring.gpg + mode: '0644' + +- name: Add Matrix.org repository + apt_repository: + repo: deb [signed-by=/usr/share/keyrings/matrix-org-archive-keyring.gpg] https://packages.matrix.org/debian/ {{ ansible_distribution_release }} main + state: present + +#sudo apt update + +- name: Update apt cache + apt: + update_cache: yes + +#sudo apt install matrix-synapse-py3 + +- name: Install Synapse + apt: + name: matrix-synapse-py3 + state: present + +# sudo systemctl stop matrix-synapse + +- name: Stop Synapse + service: + name: matrix-synapse + state: stopped + +- name: Ensure /var/lib/matrix-synapse/media directory exists + file: + path: /var/lib/matrix-synapse/media + state: directory + owner: matrix-synapse + group: matrix-synapse + mode: '0755' + +- name: Add server_name to /etc/matrix-synapse/conf.d/server_name.yaml file + lineinfile: + path: /etc/matrix-synapse/conf.d/server_name.yaml + regexp: '^server_name:.*' + line: "server_name: {{ server_name }}" + create: yes + owner: root + group: root + mode: '0644' + +# Write "{{ registration_shared_secret }}" to /etc/matrix-synapse/conf.d/registration_shared_secret.yaml + +- name: Write registration_shared_secret to 
/etc/matrix-synapse/conf.d/registration_shared_secret.yaml + lineinfile: + path: /etc/matrix-synapse/conf.d/registration_shared_secret.yaml + regexp: '^registration_shared_secret:.*' + line: "registration_shared_secret: {{ registration_shared_secret }}" + create: yes + owner: root + group: root + mode: '0644' diff --git a/roles/setup-synapse/tasks/main.yml b/roles/setup-synapse/tasks/main.yml new file mode 100644 index 0000000..881d981 --- /dev/null +++ b/roles/setup-synapse/tasks/main.yml @@ -0,0 +1,19 @@ + +# Install Synapse +- import_tasks: "{{ role_path }}/tasks/install_synapse.yml" + +# Install Postgresql +- import_tasks: "{{ role_path }}/tasks/install_postgresql.yml" + +# Certbot Setup +- import_tasks: "{{ role_path }}/tasks/certbot_setup.yml" + +# Configure Nginx +- import_tasks: "{{ role_path }}/tasks/config_nginx.yml" + +# Configure Synapse +- import_tasks: "{{ role_path }}/tasks/config_synapse.yml" + +# Install Element Web +- import_tasks: "{{ role_path }}/tasks/element_setup.yml" + tags: install-element \ No newline at end of file diff --git a/roles/setup-synapse/templates/element.json.j2 b/roles/setup-synapse/templates/element.json.j2 new file mode 100644 index 0000000..0aba467 --- /dev/null +++ b/roles/setup-synapse/templates/element.json.j2 
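Review bot: `Stop Synapse` stops the service unconditionally, and nothing in the role starts it again except the `Restart Synapse` handler, which only fires when the cache-factor `lineinfile` in config_synapse.yml changes; on a second, no-change run the server is left stopped. Add a final task `service: { name: matrix-synapse, state: started, enabled: yes }` here or at the end of tasks/main.yml so the play converges on a running service, and drop the unconditional stop unless it is needed for a first-run ordering reason worth a comment. `conf.d/registration_shared_secret.yaml` is created `mode: '0644'` with the secret in it, the same world-readable-secret problem as homeserver.yaml in config_synapse.yml; `group: matrix-synapse` with `mode: '0640'` fits the service. The secret is also interpolated unquoted into a YAML value, so `line: 'registration_shared_secret: "{{ registration_shared_secret }}"'` is safer for secrets containing `#`, `:` or leading specials.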
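Review bot: `import_tasks: "{{ role_path }}/tasks/install_synapse.yml"` spells out a path Ansible resolves on its own; inside a role, `import_tasks: install_synapse.yml` is the conventional form and works the same for all six imports. The file also lacks a trailing newline (`\ No newline at end of file`), as do tasks/main.yml's sibling templates.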
@@ -0,0 +1,48 @@ +{ + "default_server_config": { + "m.homeserver": { + "base_url": "https://{{ server_name }}", + "server_name": "{{ server_name }}" + }, + "m.identity_server": { + "base_url": "https://vector.im" + } + }, + "disable_custom_urls": false, + "disable_guests": false, + "disable_login_language_selector": false, + "disable_3pid_login": false, + "brand": "Element", + "integrations_ui_url": "https://scalar.vector.im/", + "integrations_rest_url": "https://scalar.vector.im/api", + "integrations_widgets_urls": [ + "https://scalar.vector.im/_matrix/integrations/v1", + "https://scalar.vector.im/api", + "https://scalar-staging.vector.im/_matrix/integrations/v1", + "https://scalar-staging.vector.im/api", + "https://scalar-staging.riot.im/scalar/api" + ], + "default_country_code": "GB", + "show_labs_settings": false, + "features": {}, + "default_federate": true, + "default_theme": "light", + "room_directory": { + "servers": ["{{ server_name }}"] + }, + "enable_presence_by_hs_url": { + "https://{{ server_name }}": false + }, + "setting_defaults": { + "breadcrumbs": true + }, + "jitsi": { + "preferred_domain": "meet.element.io" + }, + "element_call": { + "url": "https://call.element.io", + "participant_limit": 8, + "brand": "Element Call" + }, + "map_style_url": "https://api.maptiler.com/maps/streets/style.json?key=fU3vlMsMn4Jb6dnEIFsx" +} diff --git a/roles/setup-synapse/templates/homeserver.yaml.j2 b/roles/setup-synapse/templates/homeserver.yaml.j2 new file mode 100644 index 0000000..b6c4f1e --- /dev/null +++ b/roles/setup-synapse/templates/homeserver.yaml.j2 
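Review bot: `map_style_url` carries a MapTiler API key in its query string; it appears to be the key from Element's sample config, so location sharing on this deployment would draw on a quota shared with every other copy, and any key in a config.json served to browsers is public by design. Either register a project key (still public, but yours to rotate) or drop the `map_style_url` line so location sharing is disabled rather than quietly dependent on someone else's key. `m.identity_server` pointing at `https://vector.im` means users' contact lookups go to a third party; if that is intended, a short comment in the template saying so would help the next operator.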
@@ -0,0 +1,31 @@
+server_name: "{{ server_name }}"
+pid_file: "/var/run/matrix-synapse.pid"
+listeners:
+ - port: 8008
+ tls: false
+ type: http
+ x_forwarded: true
+ bind_addresses: ['::1', '127.0.0.1']
+ resources:
+ - names: [client, federation]
+ compress: false
+database:
+ name: psycopg2
+ args:
+ user: synapse
+ password: "{{ postgresql_password }}"
+ database: synapse
+ host: localhost
+ cp_min: 5
+ cp_max: 10
+log_config: "/etc/matrix-synapse/log.yaml"
+media_store_path: "/var/lib/matrix-synapse/media"
+signing_key_path: "/etc/matrix-synapse/homeserver.signing.key"
+trusted_key_servers:
+ - server_name: "matrix.org"
+web_client_location: "https://element.{{ server_name }}/"
+federation_client_minimum_tls_version: 1.2
+allow_public_rooms_over_federation: true
+enable_registration: false
+admin_contact: "mailto:{{ matrix_admin_email }}"
+registration_shared_secret: "{{ registration_shared_secret }}"
\ No newline at end of file
diff --git a/roles/setup-synapse/templates/nginx-element.conf.j2 b/roles/setup-synapse/templates/nginx-element.conf.j2
new file mode 100644
index 0000000..838fd9c
--- /dev/null
+++ b/roles/setup-synapse/templates/nginx-element.conf.j2
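Review bot: `federation_client_minimum_tls_version: 1.2` is an unquoted YAML float, so the parser hands Synapse the number `1.2` rather than the string the option documents; it appears to work only because Synapse stringifies the value, and `1.10`-style versions show how fragile that is. Quote it: `federation_client_minimum_tls_version: "1.2"`. `server_name` and `registration_shared_secret` are also written into `conf.d/*.yaml` by install_synapse.yml, so each value is defined twice in the merged config; pick one place so a later edit cannot silently disagree. The file ends without a trailing newline.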
@@ -0,0 +1,31 @@ +server { + listen 80; + server_name element.{{ server_name }}; + return 301 https://element.{{ server_name }}$request_uri; +} + +server { + listen 443 ssl http2; + gzip off; + server_name element.{{ server_name }}; + + ssl_certificate /etc/letsencrypt/live/{{ server_name }}/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/{{ server_name }}/privkey.pem; + ssl_session_cache shared:NGX_SSL_CACHE:10m; + ssl_session_timeout 12h; + ssl_protocols TLSv1.3 TLSv1.2; + ssl_ciphers "TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256"; + ssl_dhparam /etc/letsencrypt/live/{{ server_name }}/dhparam2048.pem; + ssl_ecdh_curve X25519:secp521r1:secp384r1:prime256v1; + + add_header Strict-Transport-Security "max-age=31536000; includeSubdomains" always; + add_header X-Content-Type-Options "nosniff" always; + + root /var/www/element.{{ server_name }}; + index index.html; + + location / { + try_files $uri $uri/ =404; + } + +} \ No newline at end of file diff --git a/roles/setup-synapse/templates/nginx.conf.j2 b/roles/setup-synapse/templates/nginx.conf.j2 new file mode 100644 index 0000000..35730c2 --- /dev/null +++ b/roles/setup-synapse/templates/nginx.conf.j2 
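Review bot: The Element vhost sends HSTS and `X-Content-Type-Options` but no anti-framing header; Element's deployment guidance recommends `X-Frame-Options: SAMEORIGIN` and `Content-Security-Policy: frame-ancestors 'self'` for the web client, since an app that holds the session in the browser is a natural clickjacking target. Add `add_header X-Frame-Options "SAMEORIGIN" always;` and `add_header Content-Security-Policy "frame-ancestors 'self'" always;` next to the existing headers. The TLS block from `ssl_session_cache` through `ssl_ecdh_curve` is byte-identical to nginx.conf.j2; a shared snippet under `/etc/nginx/snippets/` included from both would keep them in step.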
@@ -0,0 +1,46 @@ +server { + listen 80; + server_name {{ server_name }}; + return 301 https://$server_name$request_uri; +} + +server { + listen 443 ssl http2; + listen 8448 ssl http2; # for federation (skip if pointing SRV or .well-known to port 443) + gzip off; + server_name {{ server_name }}; + + ssl_certificate "/etc/letsencrypt/live/{{ server_name }}/fullchain.pem"; + ssl_certificate_key "/etc/letsencrypt/live/{{ server_name }}/privkey.pem"; + ssl_session_cache shared:NGX_SSL_CACHE:10m; + ssl_session_timeout 12h; + ssl_protocols TLSv1.3 TLSv1.2; + ssl_ciphers "TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256"; + ssl_dhparam "/etc/letsencrypt/live/{{ server_name }}/dhparam2048.pem"; + ssl_ecdh_curve X25519:secp521r1:secp384r1:prime256v1; + + add_header Strict-Transport-Security "max-age=31536000; includeSubdomains" always; + add_header X-Content-Type-Options "nosniff" always; + + location / { + return 301 https://element.{{ server_name }}; + } + + location /_matrix { + proxy_pass http://127.0.0.1:8008; + proxy_set_header X-Forwarded-For $remote_addr; + } + + # This can be skipped if you're using port 8448 on {{ server_name }} for federation: + location /.well-known/matrix/server { + return 200 '{ "m.server": "{{ server_name }}:8448" }'; + add_header content-type application/json; + } + + location /.well-known/matrix/client { + return 200 '{ "m.homeserver": { "base_url": "https://{{ server_name }}" }, "im.vector.riot.jitsi": { "preferredDomain": "jitsi.riot.im" } }'; + add_header access-control-allow-origin *; + add_header content-type application/json; + } + +} diff --git a/setup.yml b/setup.yml new file mode 100644 index 0000000..e787b89 --- /dev/null +++ b/setup.yml 
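Review bot: The `/_matrix` proxy passes only `X-Forwarded-For $remote_addr`; with `x_forwarded: true` in homeserver.yaml Synapse also expects `X-Forwarded-Proto` to learn the request was HTTPS, and without `Host` and a raised `client_max_body_size` (nginx defaults to 1M) media uploads above that size fail with 413. Synapse's reverse-proxy documentation uses the four directives below in this location and proxies `/_synapse/client` alongside `/_matrix` for features such as password reset. The `.well-known/matrix/client` body still advertises `jitsi.riot.im` while element.json.j2 uses `meet.element.io`; align them. The `TLS13-*` entries in `ssl_ciphers` do not look like OpenSSL cipher-suite names (TLS 1.3 suites are `TLS_AES_256_GCM_SHA384` style and set via `ssl_conf_command Ciphersuites`), so they are probably ignored — harmless, but misleading, and the same list is in nginx-element.conf.j2.
```nginx
    location ~ ^(/_matrix|/_synapse/client) {
        proxy_pass http://127.0.0.1:8008;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $host;
        client_max_body_size 50M;
    }
    # … unchanged: .well-known locations …
```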
@@ -0,0 +1,7 @@
+
+- name: "Creates a basic Synapse server."
+ hosts: matrix_servers
+ gather_facts: true
+
+ roles:
+ - setup-synapse