diff --git a/CHANGELOG.md b/CHANGELOG.md index 4e018879..a3899f35 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,25 @@ +# 2020-06-05 + +## SMS bridging support + +Thanks to [benkuly](https://github.com/benkuly)'s efforts, the playbook now supports bridging to SMS (with one telephone number only) via [matrix-sms-bridge](https://github.com/benkuly/matrix-sms-bridge). + +See our [Setting up Matrix SMS bridging](docs/configuring-playbook-matrix-bridge-sms.md) documentation page for getting started. + + +# 2020-05-19 + +## (Compatibility Break / Security Issue) Disabling User Directory search powered by the ma1sd Identity Server + +User Directory search requests used to go to the ma1sd identity server by default, which queried its own stores and the Synapse database. + +ma1sd current has [a security issue](https://github.com/ma1uta/ma1sd/issues/44), which made it leak information about all users - including users created by bridges, etc. + +Until the issue gets fixed, we're making User Directory search not go to ma1sd by default. You **need to re-run the playbook and restart services to apply this workaround**. + +*If you insist on restoring the old behavior* (**which has a security issue!**), you *might* use this configuration: `matrix_nginx_proxy_proxy_matrix_user_directory_search_enabled: "{{ matrix_ma1sd_enabled }}"` + + # 2020-04-28 ## Newer IRC bridge (with potential breaking change) @@ -11,6 +33,7 @@ If you did not include `mappings` in your configuration for IRC, no change is necessary. `mappings` is not part of the default configuration. + # 2020-04-23 ## Slack bridging support diff --git a/README.md b/README.md index 6f7d25e0..a5ec78d3 100644 --- a/README.md +++ b/README.md 
@@ -52,6 +52,8 @@ Using this playbook, you can get the following services configured on your serve - (optional) the [matrix-appservice-webhooks](https://github.com/turt2live/matrix-appservice-webhooks) bridge for slack compatible webhooks ([ConcourseCI](https://concourse-ci.org/), [Slack](https://slack.com/) etc. pp.) +- (optional) the [matrix-sms-bridge](https://github.com/benkuly/matrix-sms-bridge) for bridging your Matrix server to SMS + - (optional) [Email2Matrix](https://github.com/devture/email2matrix) for relaying email messages to Matrix rooms - (optional) [Dimension](https://github.com/turt2live/matrix-dimension), an open source integrations manager for matrix clients @@ -144,6 +146,8 @@ This playbook sets up your server using the following Docker images: - [turt2live/matrix-appservice-webhooks](https://hub.docker.com/r/turt2live/matrix-appservice-webhooks) - the [Appservice Webhooks](https://github.com/turt2live/matrix-appservice-webhooks) bridge (optional) +- [folivonet/matrix-sms-bridge](https://hub.docker.com/repository/docker/folivonet/matrix-sms-bridge) - the [matrix-sms-brdige](https://github.com/benkuly/matrix-sms-bridge) (optional) + - [sorunome/mx-puppet-skype](https://hub.docker.com/r/sorunome/mx-puppet-skype) - the [mx-puppet-skype](https://github.com/Sorunome/mx-puppet-skype) bridge to [Skype](https:/www.skype.com) (optional) - [sorunome/mx-puppet-slack](https://hub.docker.com/r/sorunome/mx-puppet-slack) - the [mx-puppet-slack](https://github.com/Sorunome/mx-puppet-slack) bridge to [Slack](https:/slack.com) (optional) diff --git a/docs/alternative-architectures.md b/docs/alternative-architectures.md index 01f6946f..4ca9646e 100644 --- a/docs/alternative-architectures.md +++ b/docs/alternative-architectures.md 
@@ -1,24 +1,29 @@ # Alternative architectures + As stated in the [Prerequisites](prerequisites.md), currently only x86_64 is supported. However, it is possible to set the target architecture, and some tools can be built on the host or other measures can be used. To that end add the following variable to your `vars.yaml` file: + +```yaml +matrix_architecture: ``` -matrix_architecture = -``` + Currently supported architectures are the following: - `amd64` (the default) - `arm64` - `arm32` -so for the Raspberry Pi the following should be in your `vars.yaml` file: -``` -matrix_architecture = "arm32" +so for the Raspberry Pi, the following should be in your `vars.yaml` file: + +```yaml +matrix_architecture: "arm32" ``` ## Implementation details -This subsection is used for a reminder, how the different roles implement architecture differenes. This is **not** aimed at the users, so one does not have to do anything based on this subsection. + +This subsection is used for a reminder, how the different roles implement architecture differences. This is **not** aimed at the users, so one does not have to do anything based on this subsection. On most roles [self-building](self-building.md) is used if the architecture is not `amd64`, however there are some special cases: -- matrix-bridge-mautrix-facebook: there is built docker image for arm64 as well, -- matrix-bridge-mautrix-hangouts: there is built docker image for arm64 as well, -- matrix-nginx-proxy: Certbot has docker image for both arm32 and arm64, however tagging is used, which requires special handling. +- `matrix-bridge-mautrix-facebook`: there is a pre-built Docker image for `arm64` as well +- `matrix-bridge-mautrix-hangouts`: there is a pre-built Docker image for `arm64` as well +- `matrix-nginx-proxy`: Certbot has a pre-built Docker image for both `arm32` and `arm64`, however tagging is used, which requires special handling. diff --git a/docs/ansible.md b/docs/ansible.md index e098c8a4..1ba430f4 100644 
--- a/docs/ansible.md +++ b/docs/ansible.md @@ -49,7 +49,7 @@ docker run -it --rm \ -v `pwd`:/work \ -v $HOME/.ssh/id_rsa:/root/.ssh/id_rsa:ro \ --entrypoint=/bin/sh \ -devture/ansible:2.8.1-r0 +devture/ansible:2.9.9-r0 ``` The above command tries to mount an SSH key (`$HOME/.ssh/id_rsa`) into the container (at `/root/.ssh/id_rsa`). @@ -60,7 +60,7 @@ The `/work` directory contains the playbook's code. You can execute `ansible-playbook` commands as per normal now. -### If you don't use SSH keys for authentication +### If you don't use SSH keys for authentication If you don't use SSH keys for authentication, simply remove that whole line (`-v $HOME/.ssh/id_rsa:/root/.ssh/id_rsa:ro`). To authenticate at your server using a password, you need to add a package. So, when you are in the shell of the ansible docker container (the previously used `docker run -it ...` command), run: diff --git a/docs/configuring-playbook-bridge-appservice-discord.md b/docs/configuring-playbook-bridge-appservice-discord.md index dbd11226..96f8377e 100644 --- a/docs/configuring-playbook-bridge-appservice-discord.md +++ b/docs/configuring-playbook-bridge-appservice-discord.md 
@@ -23,7 +23,7 @@ matrix_appservice_discord_bot_token: "YOUR DISCORD APP BOT TOKEN" 4. If you've already installed Matrix services using the playbook before, you'll need to re-run it (`--tags=setup-all,start`). If not, proceed with [configuring other playbook services](configuring-playbook.md) and then with [Installing](installing.md). Get back to this guide once ready. 5. Retrieve Discord invite link from the `{{ matrix_appservice_discord_config_path }}/invite_link` file on the server (this defaults to `/matrix/appservice-discord/config/invite_link`) 6. Invite the Bot to Discord servers you wish to bridge. Administrator permission is recommended. -7. Join the rooms by following this syntax `#_discord_guildid_channelid` - can be easily retrieved by logging into Discord in a browser and opening the desired channel. URL will have this format: `discordapp.com/channels/guild_id/channel_id` +7. Room addresses follow this syntax: `#_discord_guildid_channelid`. You can easily find the guild and channel ids by logging into Discord in a browser and opening the desired channel. The URL will have this format: `discordapp.com/channels/guild_id/channel_id`. Once you have figured out the appropriate room addrss, you can join by doing `/join #_discord_guildid_channelid` in your Matrix client. Other configuration options are available via the `matrix_appservice_discord_configuration_extension_yaml` variable. diff --git a/docs/configuring-playbook-email.md b/docs/configuring-playbook-email.md index 0933fb54..d9721a4e 100644 --- a/docs/configuring-playbook-email.md +++ b/docs/configuring-playbook-email.md 
@@ -34,7 +34,7 @@ matrix_mailer_relay_auth_password: "some-password" ### Configuations for sending emails using Sendgrid -An easy and free STMP service to set up is [Sendgrid](https://sendgrid.com/), the free tier allows for up to 100 emails per day to be sent. In the settings below you can provide any email for `matrix_mailer_sender_address`. +An easy and free SMTP service to set up is [Sendgrid](https://sendgrid.com/), the free tier allows for up to 100 emails per day to be sent. In the settings below you can provide any email for `matrix_mailer_sender_address`. The only other thing you need to change is the `matrix_mailer_relay_auth_password`, which you can generate at https://app.sendgrid.com/settings/api_keys. The API key password looks something like `SG.955oW1mLSfwds7i9Yd6IA5Q.q8GTaB8q9kGDzasegdG6u95fQ-6zkdwrPP8bOeuI`. diff --git a/docs/configuring-playbook-matrix-bridge-sms.md b/docs/configuring-playbook-matrix-bridge-sms.md new file mode 100644 index 00000000..c208bb81 --- /dev/null +++ b/docs/configuring-playbook-matrix-bridge-sms.md 
@@ -0,0 +1,30 @@ +# Setting up matrix-sms-bridge (optional) + +The playbook can install and configure +[matrix-sms-bridge](https://github.com/benkuly/matrix-sms-bridge) for you. + +See the project page to learn what it does and why it might be useful to you. + +First you need to ensure, that the bridge has unix read and write rights to your modem. On debian based distributions there is nothing to do. On others distributions you either add a group `dialout` to your host and assign it to your modem or you give the matrix user or group access to your modem. + +To enable the bridge just use the following +playbook configuration: + + +```yaml +matrix_sms_bridge_enabled: true +matrix_sms_bridge_gammu_modem: "/dev/serial/by-id/myDeviceId" +# generate a secret passwort e.g. with pwgen -s 64 1 +matrix_sms_bridge_database_password: "" +# (optional) a room id to a default room +matrix_sms_bridge_default_room: "" +# (optional) gammu reset frequency (see https://wammu.eu/docs/manual/smsd/config.html#option-ResetFrequency) +matrix_sms_bridge_gammu_reset_frequency: 3600 +# (optional) group with unix read and write rights to modem +matrix_sms_bridge_modem_group: 'dialout' +``` + + +## Usage + +Read the [user guide](https://github.com/benkuly/matrix-sms-bridge/blob/master/README.md#user-guide) to see how this bridge works. diff --git a/docs/configuring-playbook-shared-secret-auth.md b/docs/configuring-playbook-shared-secret-auth.md index 87b151a4..21d1c332 100644 --- a/docs/configuring-playbook-shared-secret-auth.md +++ b/docs/configuring-playbook-shared-secret-auth.md @@ -11,6 +11,8 @@ matrix_synapse_ext_password_provider_shared_secret_auth_enabled: true matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret: YOUR_SHARED_SECRET_GOES_HERE ``` +You can generate a strong shared secret with a command like this: `pwgen -s 64 1` + ## Authenticating only using a password provider 
diff --git a/docs/configuring-playbook.md b/docs/configuring-playbook.md index 7e911095..208db5bb 100644 --- a/docs/configuring-playbook.md +++ b/docs/configuring-playbook.md @@ -102,3 +102,5 @@ When you're done with all the configuration you'd like to do, continue with [Ins - [Setting up MX Puppet Slack bridging](configuring-playbook-bridge-mx-puppet-slack.md) (optional) - [Setting up Email2Matrix](configuring-playbook-email2matrix.md) (optional) + +- [Setting up Matrix SMS bridging](configuring-playbook-matrix-bridge-sms.md) (optional) diff --git a/docs/configuring-well-known.md b/docs/configuring-well-known.md index 826a7494..21a4343e 100644 --- a/docs/configuring-well-known.md +++ b/docs/configuring-well-known.md @@ -136,7 +136,7 @@ backend matrix-backend reqirep ^(GET|POST|HEAD)\ /.well-known/matrix/(.*) \1\ /\2 # Rewrite redirects as ProxyPassReverse does acl response-is-redirect res.hdr(Location) -m found - rsprep ^Location:\ (http|https)://matrix.example.com\/(.*) Location:\ \1://matrix.exapmle.com/.well-known/matrix/\2 if response-is-redirect + rsprep ^Location:\ (http|https)://matrix.example.com\/(.*) Location:\ \1://matrix.example.com/.well-known/matrix/\2 if response-is-redirect ``` Make sure to: diff --git a/docs/maintenance-synapse.md b/docs/maintenance-synapse.md index ab33b9de..9c70934d 100644 --- a/docs/maintenance-synapse.md +++ b/docs/maintenance-synapse.md @@ -14,6 +14,7 @@ Table of contents: - [Purging old data with the Purge History API](#purging-old-data-with-the-purge-history-api) - [Compressing state with rust-synapse-compress-state](#compressing-state-with-rust-synapse-compress-state) +- [Browse and manipulate the database](#browse-and-manipulate-the-database), for when you really need to take matters into your own hands ## Purging unused data with synapse-janitor 
@@ -76,3 +77,23 @@ Don't forget that disk space only ever gets released after a [`FULL` Postgres `V Unfortunately, at this time the playbook can't help you run this **experimental tool**. Since it's also experimental, you may wish to stay away from it, or at least [make Postgres backups](./maintenance-postgres.md#backing-up-postgresql) first. + +## Browse and manipulate the database + +When the [matrix admin API](https://github.com/matrix-org/synapse/tree/master/docs/admin_api) and the other tools do not provide a more convenient way, having a look at synapse's postgresql database can satisfy a lot of admins' needs. +First, set up an SSH tunnel to your matrix server (skip if it is your local machine): + +``` +# you may replace 1799 with an arbitrary port unbound on both machines +ssh -L 1799:localhost:1799 matrix.DOMAIN +``` + +Then start up an ephemeral [adminer](https://www.adminer.org/) container on the Matrix server, connecting it to the `matrix` network and linking the postgresql container: + +``` +docker run --rm --publish 1799:8080 --link matrix-postgres --net matrix adminer +``` + +You should then be able to browse the adminer database administration GUI at http://localhost:1799/ after entering your DB credentials (found in the `host_vars` or on the server in `{{matrix_synapse_config_dir_path}}/homeserver.yaml` under `database.args`) + +⚠️ Be **very careful** with this, there is **no undo** for impromptu DB operations. diff --git a/docs/maintenance-upgrading-services.md b/docs/maintenance-upgrading-services.md index 8530d8bc..fe289a86 100644 --- a/docs/maintenance-upgrading-services.md +++ b/docs/maintenance-upgrading-services.md 
@@ -4,14 +4,14 @@ This playbook not only installs the various Matrix services for you, but can als If you want to be notified when new versions of Synapse are released, you should join the Synapse Homeowners room: [#homeowners:matrix.org](https://matrix.to/#/#homeowners:matrix.org). -To upgrade the services: +To upgrade services: - update your playbook directory (`git pull`), so you'd obtain everything new we've done -- take a look at [the changelog](../CHANGELOG.md) to see if there have been any backward-incomptabile changes that you need to take care of +- take a look at [the changelog](../CHANGELOG.md) to see if there have been any backward-incompatible changes that you need to take care of - re-run the [playbook setup](installing.md): `ansible-playbook -i inventory/hosts setup.yml --tags=setup-all` - restart the services: `ansible-playbook -i inventory/hosts setup.yml --tags=start` -**Note**: major version upgrades are not done to the internal PostgreSQL database. To upgrade that one, refer to the [upgrading PostgreSQL guide](maintenance-postgres.md#upgrading-postgresql). +**Note**: major version upgrades to the internal PostgreSQL database are not done automatically. To upgrade it, refer to the [upgrading PostgreSQL guide](maintenance-postgres.md#upgrading-postgresql). diff --git a/docs/prerequisites.md b/docs/prerequisites.md index 9a26d769..5f551eb4 100644 --- a/docs/prerequisites.md +++ b/docs/prerequisites.md 
@@ -6,16 +6,16 @@ - [Python](https://www.python.org/) being installed on the server. Most distributions install Python by default, but some don't (e.g. Ubuntu 18.04) and require manual installation (something like `apt-get install python`). -- a `cron`-like tool installed on the server such as `cron` or `anacron` to automatically schedule the Let's Encrypt SSL certificates's renewal. *This can be ignored if you use your own SSL certificates.* +- A `cron`-like tool installed on the server such as `cron` or `anacron` to automatically schedule the Let's Encrypt SSL certificates's renewal. *This can be ignored if you use your own SSL certificates.* -- the [Ansible](http://ansible.com/) program being installed on your own computer. It's used to run this playbook and configures your server for you. Take a look at [our guide about Ansible](ansible.md) for more information, as well as [version requirements](ansible.md#supported-ansible-versions) and alternative ways to run Ansible. +- The [Ansible](http://ansible.com/) program being installed on your own computer. It's used to run this playbook and configures your server for you. Take a look at [our guide about Ansible](ansible.md) for more information, as well as [version requirements](ansible.md#supported-ansible-versions) and alternative ways to run Ansible. -- either the `dig` tool or `python-dns` installed on your own computer. Used later on, by the playbook's [services check](maintenance-checking-services.md) feature. +- Either the `dig` tool or `python-dns` installed on your own computer. Used later on, by the playbook's [services check](maintenance-checking-services.md) feature. -- an HTTPS-capable web server at the base domain name (``) which is capable of serving static files. Unless you decide to [Serve the base domain from the Matrix server](configuring-playbook-base-domain-serving.md) or alternatively, to use DNS SRV records for [Server Delegation](howto-server-delegation.md). 
+- An HTTPS-capable web server at the base domain name (``) which is capable of serving static files. Unless you decide to [Serve the base domain from the Matrix server](configuring-playbook-base-domain-serving.md) or alternatively, to use DNS SRV records for [Server Delegation](howto-server-delegation.md). -- properly configured DNS records for `` (details in [Configuring DNS](configuring-dns.md)) +- Properly configured DNS records for `` (details in [Configuring DNS](configuring-dns.md)). -- some TCP/UDP ports open. This playbook configures the server's internal firewall for you. In most cases, you don't need to do anything special. But **if your server is running behind another firewall**, you'd need to open these ports: `80/tcp` (HTTP webserver), `443/tcp` (HTTPS webserver), `3478/tcp` (TURN over TCP), `3478/udp` (TURN over UDP), `5349/tcp` (TURN over TCP), `5349/udp` (TURN over UDP), `8448/tcp` (Matrix Federation API HTTPS webserver), the range `49152-49172/udp` (TURN over UDP), `4443/tcp` (Jitsi Harvester fallback), `10000/udp` (Jitsi video RTP) +- Some TCP/UDP ports open. This playbook configures the server's internal firewall for you. In most cases, you don't need to do anything special. But **if your server is running behind another firewall**, you'd need to open these ports: `80/tcp` (HTTP webserver), `443/tcp` (HTTPS webserver), `3478/tcp` (TURN over TCP), `3478/udp` (TURN over UDP), `5349/tcp` (TURN over TCP), `5349/udp` (TURN over UDP), `8448/tcp` (Matrix Federation API HTTPS webserver), the range `49152-49172/udp` (TURN over UDP), `4443/tcp` (Jitsi Harvester fallback), `10000/udp` (Jitsi video RTP). Depending on your firewall/NAT setup, incoming RTP packets on port 10000 may have the external IP of your firewall as destination address, due to the usage of STUN in JVB (see [`matrix_jitsi_jvb_stun_servers`](../roles/matrix-jitsi/defaults/main.yml)). When ready to proceed, continue with [Configuring DNS](configuring-dns.md). 
diff --git a/docs/self-building.md b/docs/self-building.md index 85d09812..e4912090 100644 --- a/docs/self-building.md +++ b/docs/self-building.md @@ -15,6 +15,7 @@ List of roles where self-building the Docker image is currently possible: - `matrix-riot-web` - `matrix-coturn` - `matrix-ma1sd` +- `matrix-mailer` - `matrix-mautrix-facebook` - `matrix-mautrix-hangouts` - `matrix-mx-puppet-skype` diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 382897fd..ff69cd8f 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -88,7 +88,7 @@ matrix_appservice_webhooks_enabled: false # Normally, matrix-nginx-proxy is enabled and nginx can reach matrix-appservice-webhooks over the container network. # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose # matrix-appservice-webhooks' client-server port to the local host. -matrix_appservice_webhooks_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:{{ matrix_appservice_webhooks_matrix_port }}' }}" +matrix_appservice_webhooks_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else ('127.0.0.1:' ~ matrix_appservice_webhooks_matrix_port) }}" matrix_appservice_webhooks_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'webhook.as.token') | to_uuid }}" @@ -276,7 +276,6 @@ matrix_mautrix_telegram_login_shared_secret: "{{ matrix_synapse_ext_password_pro # ###################################################################### - ###################################################################### # # matrix-bridge-mautrix-whatsapp 
@@ -305,6 +304,31 @@ matrix_mautrix_whatsapp_login_shared_secret: "{{ matrix_synapse_ext_password_pro # ###################################################################### +###################################################################### +# +# matrix-sms-bridge +# +###################################################################### + +# We don't enable bridges by default. +matrix_sms_bridge_enabled: false + +matrix_sms_bridge_systemd_required_services_list: | + {{ + ['docker.service'] + + + (['matrix-synapse.service'] if matrix_synapse_enabled else []) + }} + +matrix_sms_bridge_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'sms.as.token') | to_uuid }}" + +matrix_sms_bridge_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'sms.hs.token') | to_uuid }}" + +###################################################################### +# +# /matrix-sms-bridge +# +###################################################################### ###################################################################### # @@ -513,11 +537,13 @@ matrix_jitsi_web_stun_servers: | # ###################################################################### -# By default, this playbook sets up a postfix mailer server (running in a container). +# By default, this playbook sets up an exim mailer server (running in a container). # This is so that Synapse can send email reminders for unread messages. # Other services (like ma1sd), also use the mailer. matrix_mailer_enabled: true +matrix_mailer_container_image_self_build: "{{ matrix_architecture != 'amd64'}}" + ###################################################################### # # /matrix-mailer 
@@ -612,11 +638,16 @@ matrix_nginx_proxy_proxy_matrix_federation_api_enabled: true matrix_nginx_proxy_proxy_matrix_federation_api_addr_with_container: "matrix-synapse:8048" matrix_nginx_proxy_proxy_matrix_federation_api_addr_sans_container: "127.0.0.1:8048" +matrix_nginx_proxy_container_federation_host_bind_port: "{{ matrix_federation_public_port }}" + matrix_nginx_proxy_proxy_synapse_metrics: "{{ matrix_synapse_metrics_enabled }}" matrix_nginx_proxy_proxy_synapse_metrics_addr_with_container: "matrix-synapse:{{ matrix_synapse_metrics_port }}" matrix_nginx_proxy_proxy_synapse_metrics_addr_sans_container: "127.0.0.1:{{ matrix_synapse_metrics_port }}" -matrix_nginx_proxy_proxy_matrix_user_directory_search_enabled: "{{ matrix_ma1sd_enabled }}" +# Not proxying the user directory search to the identity server by default anymore, +# because it currently leaks data. +# See: https://github.com/ma1uta/ma1sd/issues/44 +matrix_nginx_proxy_proxy_matrix_user_directory_search_enabled: false matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_with_container: "{{ matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container }}" matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_sans_container: "{{ matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container }}" @@ -646,7 +677,13 @@ matrix_ssl_domains_to_obtain_certificates_for: | ([matrix_domain] if matrix_nginx_proxy_base_domain_serving_enabled else []) }} -matrix_ssl_architecture: "{{ matrix_architecture }}" +matrix_ssl_architecture: "{{ + { + 'amd64': 'amd64', + 'arm32': 'arm32v6', + 'arm64': 'arm64v8', + }[matrix_architecture] +}}" ###################################################################### # 
@@ -753,7 +790,7 @@ matrix_synapse_container_client_api_host_bind_port: "{{ '' if matrix_nginx_proxy matrix_synapse_container_federation_api_plain_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:8048' }}" # # For exposing the Matrix Federation API's TLS port (HTTPS) to the internet on all network interfaces. -matrix_synapse_container_federation_api_tls_host_bind_port: "{{ '8448' if (matrix_synapse_federation_enabled and matrix_synapse_tls_federation_listener_enabled) else '' }}" +matrix_synapse_container_federation_api_tls_host_bind_port: "{{ matrix_federation_public_port if (matrix_synapse_federation_enabled and matrix_synapse_tls_federation_listener_enabled) else '' }}" # # For exposing the Synapse Metrics API's port (plain HTTP) to the local host. matrix_synapse_container_metrics_api_host_bind_port: "{{ '127.0.0.1:9100' if (matrix_synapse_metrics_enabled and not matrix_nginx_proxy_enabled) else '' }}" diff --git a/roles/matrix-base/defaults/main.yml b/roles/matrix-base/defaults/main.yml index 1844f299..76c363e4 100644 --- a/roles/matrix-base/defaults/main.yml +++ b/roles/matrix-base/defaults/main.yml @@ -21,6 +21,8 @@ matrix_server_fqn_dimension: "dimension.{{ matrix_domain }}" # This is where you access Jitsi. matrix_server_fqn_jitsi: "jitsi.{{ matrix_domain }}" +matrix_federation_public_port: 8448 + matrix_user_username: "matrix" matrix_user_groupname: "matrix" 
@@ -32,6 +34,13 @@ matrix_systemd_path: "/etc/systemd/system" matrix_cron_path: "/etc/cron.d" matrix_local_bin_path: "/usr/local/bin" +matrix_host_command_docker: "/usr/bin/env docker" +matrix_host_command_sleep: "/usr/bin/env sleep" +matrix_host_command_chown: "/usr/bin/env chown" +matrix_host_command_fusermount: "/usr/bin/env fusermount" +matrix_host_command_openssl: "/usr/bin/env openssl" +matrix_host_command_systemctl: "/usr/bin/env systemctl" + matrix_ntpd_package: "ntp" matrix_ntpd_service: "{{ 'ntpd' if ansible_os_family == 'RedHat' or ansible_distribution == 'Archlinux' else 'ntp' }}" diff --git a/roles/matrix-base/templates/static-files/well-known/matrix-server.j2 b/roles/matrix-base/templates/static-files/well-known/matrix-server.j2 index de0f5722..8349a15c 100644 --- a/roles/matrix-base/templates/static-files/well-known/matrix-server.j2 +++ b/roles/matrix-base/templates/static-files/well-known/matrix-server.j2 @@ -1,4 +1,4 @@ #jinja2: lstrip_blocks: "True" { - "m.server": "{{ matrix_server_fqn_matrix }}:8448" + "m.server": "{{ matrix_server_fqn_matrix }}:{{ matrix_federation_public_port }}" } diff --git a/roles/matrix-bridge-appservice-discord/defaults/main.yml b/roles/matrix-bridge-appservice-discord/defaults/main.yml index 0192f97d..97ad8e89 100644 --- a/roles/matrix-bridge-appservice-discord/defaults/main.yml +++ b/roles/matrix-bridge-appservice-discord/defaults/main.yml 
@@ -39,100 +39,7 @@ matrix_appservice_discord_bridge_homeserverUrl: "{{ matrix_homeserver_url }}" matrix_appservice_discord_bridge_disablePresence: false matrix_appservice_discord_bridge_enableSelfServiceBridging: false -matrix_appservice_discord_configuration_yaml: | - #jinja2: lstrip_blocks: "True" - bridge: - # Domain part of the bridge, e.g. matrix.org - domain: {{ matrix_appservice_discord_bridge_domain }} - # This should be your publically facing URL because Discord may use it to - # fetch media from the media store. - homeserverUrl: {{ matrix_appservice_discord_bridge_homeserverUrl }} - # Interval at which to process users in the 'presence queue'. If you have - # 5 users, one user will be processed every 500 milliseconds according to the - # value below. This has a minimum value of 250. - # WARNING: This has a high chance of spamming the homeserver with presence - # updates since it will send one each time somebody changes state or is online. - presenceInterval: 500 - # Disable setting presence for 'ghost users' which means Discord users on Matrix - # will not be shown as away or online. - disablePresence: {{ matrix_appservice_discord_bridge_disablePresence|to_json }} - # Disable sending typing notifications when somebody on Discord types. - disableTypingNotifications: false - # Disable deleting messages on Discord if a message is redacted on Matrix. - disableDeletionForwarding: false - # Enable users to bridge rooms using !discord commands. See - # https://t2bot.io/discord for instructions. - enableSelfServiceBridging: {{ matrix_appservice_discord_bridge_enableSelfServiceBridging|to_json }} - # Disable sending of read receipts for Matrix events which have been - # successfully bridged to Discord. - disableReadReceipts: false - # Disable Join Leave echos from matrix - disableJoinLeaveNotifications: false - # Authentication configuration for the discord bot. 
- auth: - clientID: {{ matrix_appservice_discord_client_id|string|to_json }} - botToken: {{ matrix_appservice_discord_bot_token }} - logging: - # What level should the logger output to the console at. - console: "warn" #silly, verbose, info, http, warn, error, silent - lineDateFormat: "MMM-D HH:mm:ss.SSS" # This is in moment.js format - # files: - # - file: "debug.log" - # disable: - # - "PresenceHandler" # Will not capture presence logging - # - file: "warn.log" # Will capture warnings - # level: "warn" - # - file: "botlogs.log" # Will capture logs from DiscordBot - # level: "info" - # enable: - # - "DiscordBot" - database: - userStorePath: "/data/user-store.db" - roomStorePath: "/data/room-store.db" - # You may either use SQLite or Postgresql for the bridge database, which contains - # important mappings for events and user puppeting configurations. - # Use the filename option for SQLite, or connString for Postgresql. - # If you are migrating, see https://github.com/Half-Shot/matrix-appservice-discord/blob/master/docs/howto.md#migrate-to-postgres-from-sqlite - # WARNING: You will almost certainly be fine with sqlite unless your bridge - # is in heavy demand and you suffer from IO slowness. - filename: "/data/discord.db" - # connString: "postgresql://user:password@localhost/database_name" - room: - # Set the default visibility of alias rooms, defaults to "public". - # One of: "public", "private" - defaultVisibility: "public" - channel: - # Pattern of the name given to bridged rooms. - # Can use :guild for the guild name and :name for the channel name. - namePattern: "[Discord] :guild :name" - # Changes made to rooms when a channel is deleted. - deleteOptions: - # Prefix the room name with a string. - #namePrefix: "[Deleted]" - # Prefix the room topic with a string. - #topicPrefix: "This room has been deleted" - # Disable people from talking in the room by raising the event PL to 50 - disableMessaging: false - # Remove the discord alias from the room. 
- unsetRoomAlias: true - # Remove the room from the directory. - unlistFromDirectory: true - # Set the room to be unavaliable for joining without an invite. - setInviteOnly: true - # Make all the discord users leave the room. - ghostsLeave: true - limits: - # Delay in milliseconds between discord users joining a room. - roomGhostJoinDelay: 6000 - # Delay in milliseconds before sending messages to discord to avoid echos. - # (Copies of a sent message may arrive from discord before we've - # fininished handling it, causing us to echo it back to the room) - discordSendDelay: 750 - ghosts: - # Pattern for the ghosts nick, available is :nick, :username, :tag and :id - nickPattern: ":nick" - # Pattern for the ghosts username, available is :username, :tag and :id - usernamePattern: ":username#:tag" +matrix_appservice_discord_configuration_yaml: "{{ lookup('template', 'templates/config.yaml.j2') }}" matrix_appservice_discord_configuration_extension_yaml: | # Your custom YAML configuration goes here. diff --git a/roles/matrix-bridge-appservice-discord/tasks/setup_install.yml b/roles/matrix-bridge-appservice-discord/tasks/setup_install.yml index d736fa7c..3678b35b 100644 --- a/roles/matrix-bridge-appservice-discord/tasks/setup_install.yml +++ b/roles/matrix-bridge-appservice-discord/tasks/setup_install.yml @@ -60,7 +60,7 @@ # We intentionally suppress Ansible changes. - name: Generate AppService Discord invite link shell: >- - /usr/bin/docker run --rm --name matrix-appservice-discord-link-gen + {{ matrix_host_command_docker }} run --rm --name matrix-appservice-discord-link-gen --user={{ matrix_user_uid }}:{{ matrix_user_gid }} --cap-drop=ALL -v {{ matrix_appservice_discord_config_path }}:/cfg diff --git a/roles/matrix-bridge-appservice-discord/templates/config.yaml.j2 b/roles/matrix-bridge-appservice-discord/templates/config.yaml.j2 new file mode 100644 index 00000000..e91c60de --- /dev/null +++ b/roles/matrix-bridge-appservice-discord/templates/config.yaml.j2 
@@ -0,0 +1,93 @@ +#jinja2: lstrip_blocks: "True" +bridge: + # Domain part of the bridge, e.g. matrix.org + domain: {{ matrix_appservice_discord_bridge_domain }} + # This should be your publically facing URL because Discord may use it to + # fetch media from the media store. + homeserverUrl: {{ matrix_appservice_discord_bridge_homeserverUrl }} + # Interval at which to process users in the 'presence queue'. If you have + # 5 users, one user will be processed every 500 milliseconds according to the + # value below. This has a minimum value of 250. + # WARNING: This has a high chance of spamming the homeserver with presence + # updates since it will send one each time somebody changes state or is online. + presenceInterval: 500 + # Disable setting presence for 'ghost users' which means Discord users on Matrix + # will not be shown as away or online. + disablePresence: {{ matrix_appservice_discord_bridge_disablePresence|to_json }} + # Disable sending typing notifications when somebody on Discord types. + disableTypingNotifications: false + # Disable deleting messages on Discord if a message is redacted on Matrix. + disableDeletionForwarding: false + # Enable users to bridge rooms using !discord commands. See + # https://t2bot.io/discord for instructions. + enableSelfServiceBridging: {{ matrix_appservice_discord_bridge_enableSelfServiceBridging|to_json }} + # Disable sending of read receipts for Matrix events which have been + # successfully bridged to Discord. + disableReadReceipts: false + # Disable Join Leave echos from matrix + disableJoinLeaveNotifications: false +# Authentication configuration for the discord bot. +auth: + clientID: {{ matrix_appservice_discord_client_id|string|to_json }} + botToken: {{ matrix_appservice_discord_bot_token }} +logging: + # What level should the logger output to the console at. 
+ console: "warn" #silly, verbose, info, http, warn, error, silent + lineDateFormat: "MMM-D HH:mm:ss.SSS" # This is in moment.js format + # files: + # - file: "debug.log" + # disable: + # - "PresenceHandler" # Will not capture presence logging + # - file: "warn.log" # Will capture warnings + # level: "warn" + # - file: "botlogs.log" # Will capture logs from DiscordBot + # level: "info" + # enable: + # - "DiscordBot" +database: + userStorePath: "/data/user-store.db" + roomStorePath: "/data/room-store.db" + # You may either use SQLite or Postgresql for the bridge database, which contains + # important mappings for events and user puppeting configurations. + # Use the filename option for SQLite, or connString for Postgresql. + # If you are migrating, see https://github.com/Half-Shot/matrix-appservice-discord/blob/master/docs/howto.md#migrate-to-postgres-from-sqlite + # WARNING: You will almost certainly be fine with sqlite unless your bridge + # is in heavy demand and you suffer from IO slowness. + filename: "/data/discord.db" + # connString: "postgresql://user:password@localhost/database_name" +room: + # Set the default visibility of alias rooms, defaults to "public". + # One of: "public", "private" + defaultVisibility: "public" +channel: + # Pattern of the name given to bridged rooms. + # Can use :guild for the guild name and :name for the channel name. + namePattern: "[Discord] :guild :name" + # Changes made to rooms when a channel is deleted. + deleteOptions: + # Prefix the room name with a string. + #namePrefix: "[Deleted]" + # Prefix the room topic with a string. + #topicPrefix: "This room has been deleted" + # Disable people from talking in the room by raising the event PL to 50 + disableMessaging: false + # Remove the discord alias from the room. + unsetRoomAlias: true + # Remove the room from the directory. + unlistFromDirectory: true + # Set the room to be unavaliable for joining without an invite. 
+ setInviteOnly: true + # Make all the discord users leave the room. + ghostsLeave: true +limits: + # Delay in milliseconds between discord users joining a room. + roomGhostJoinDelay: 6000 + # Delay in milliseconds before sending messages to discord to avoid echos. + # (Copies of a sent message may arrive from discord before we've + # fininished handling it, causing us to echo it back to the room) + discordSendDelay: 750 +ghosts: + # Pattern for the ghosts nick, available is :nick, :username, :tag and :id + nickPattern: ":nick" + # Pattern for the ghosts username, available is :username, :tag and :id + usernamePattern: ":username#:tag" diff --git a/roles/matrix-bridge-appservice-discord/templates/systemd/matrix-appservice-discord.service.j2 b/roles/matrix-bridge-appservice-discord/templates/systemd/matrix-appservice-discord.service.j2 index 9b0ac514..d512cd88 100644 --- a/roles/matrix-bridge-appservice-discord/templates/systemd/matrix-appservice-discord.service.j2 +++ b/roles/matrix-bridge-appservice-discord/templates/systemd/matrix-appservice-discord.service.j2 @@ -11,13 +11,13 @@ Wants={{ service }} [Service] Type=simple -ExecStartPre=-/usr/bin/docker kill matrix-appservice-discord -ExecStartPre=-/usr/bin/docker rm matrix-appservice-discord +ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-appservice-discord +ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-appservice-discord # Intentional delay, so that the homeserver (we likely depend on) can manage to start. -ExecStartPre=/bin/sleep 5 +ExecStartPre={{ matrix_host_command_sleep }} 5 -ExecStart=/usr/bin/docker run --rm --name matrix-appservice-discord \ +ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-appservice-discord \ --log-driver=none \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --cap-drop=ALL \ 
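Review bot: in the new roles/matrix-bridge-appservice-discord/templates/config.yaml.j2, `botToken: {{ matrix_appservice_discord_bot_token }}` emits the bot token unquoted, while `clientID` on the line above is rendered through `|string|to_json`. A token value containing YAML-significant characters (`#`, `: `, a leading `*`, `&` or `!`) would corrupt the generated config or be mis-parsed; render it as `botToken: {{ matrix_appservice_discord_bot_token|to_json }}` to match the other templated values. `domain` and `homeserverUrl` in the `bridge:` section are unquoted for the same reason and would benefit from the same treatment. The template content otherwise matches the inline block removed from defaults/main.yml line for line, so the move itself is behaviour-neutral.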
@@ -33,8 +33,8 @@ ExecStart=/usr/bin/docker run --rm --name matrix-appservice-discord \ {{ matrix_appservice_discord_docker_image }} \ node /build/src/discordas.js -p 9005 -c /cfg/config.yaml -f /cfg/registration.yaml -ExecStop=-/usr/bin/docker kill matrix-appservice-discord -ExecStop=-/usr/bin/docker rm matrix-appservice-discord +ExecStop=-{{ matrix_host_command_docker }} kill matrix-appservice-discord +ExecStop=-{{ matrix_host_command_docker }} rm matrix-appservice-discord Restart=always RestartSec=30 SyslogIdentifier=matrix-appservice-discord diff --git a/roles/matrix-bridge-appservice-irc/defaults/main.yml b/roles/matrix-bridge-appservice-irc/defaults/main.yml index 5f6d0503..2cbb3e5f 100644 --- a/roles/matrix-bridge-appservice-irc/defaults/main.yml +++ b/roles/matrix-bridge-appservice-irc/defaults/main.yml @@ -3,7 +3,7 @@ matrix_appservice_irc_enabled: true -matrix_appservice_irc_docker_image: "matrixdotorg/matrix-appservice-irc:release-0.16.0" +matrix_appservice_irc_docker_image: "matrixdotorg/matrix-appservice-irc:release-0.17.1" matrix_appservice_irc_docker_image_force_pull: "{{ matrix_appservice_irc_docker_image.endswith(':latest') }}" matrix_appservice_irc_base_path: "{{ matrix_base_data_path }}/appservice-irc" 
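Review bot: the image bump from `release-0.16.0` to `release-0.17.1` in roles/matrix-bridge-appservice-irc/defaults/main.yml is a minor-version upgrade folded into a refactoring change (host command variables, template extraction); it should be called out separately in the commit message or changelog so operators can attribute any IRC bridge behaviour change to the upgrade and pin back to `release-0.16.0` if needed.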
@@ -346,141 +346,7 @@ matrix_appservice_irc_systemd_wanted_services_list: [] matrix_appservice_irc_appservice_token: '' matrix_appservice_irc_homeserver_token: '' -matrix_appservice_irc_configuration_yaml: | - #jinja2: lstrip_blocks: True - homeserver: - # The URL to the home server for client-server API calls, also used to form the - # media URLs as displayed in bridged IRC channels: - url: {{ matrix_appservice_irc_homeserver_url }} - # - # The URL of the homeserver hosting media files. This is only used to transform - # mxc URIs to http URIs when bridging m.room.[file|image] events. Optional. By - # default, this is the homeserver URL, specified above. - # - media_url: {{ matrix_appservice_irc_homeserver_media_url }} - - # Drop Matrix messages which are older than this number of seconds, according to - # the event's origin_server_ts. - # If the bridge is down for a while, the homeserver will attempt to send all missed - # events on reconnection. These events may be hours old, which can be confusing to - # IRC users if they are then bridged. This option allows these old messages to be - # dropped. - # CAUTION: This is a very coarse heuristic. Federated homeservers may have different - # clock times and hence produce different origin_server_ts values, which may be old - # enough to cause *all* events from the homeserver to be dropped. - # Default: 0 (don't ever drop) - # dropMatrixMessagesAfterSecs: 300 # 5 minutes - - # The 'domain' part for user IDs on this home server. Usually (but not always) - # is the "domain name" part of the HS URL. - domain: {{ matrix_appservice_irc_homeserver_domain }} - - # Should presence be enabled for matrix clients on this bridge. If disabled on the - # homeserver then it should also be disabled here to avoid excess traffic. 
- # Default: true - enablePresence: {{ matrix_appservice_irc_homeserver_enablePresence|to_json }} - - ircService: - # WARNING: The bridge needs to send plaintext passwords to the IRC server, it cannot - # send a password hash. As a result, passwords (NOT hashes) are stored encrypted in - # the database. - # - # To generate a .pem file: - # $ openssl genpkey -out passkey.pem -outform PEM -algorithm RSA -pkeyopt rsa_keygen_bits:2048 - # - # The path to the RSA PEM-formatted private key to use when encrypting IRC passwords - # for storage in the database. Passwords are stored by using the admin room command - # `!storepass server.name passw0rd. When a connection is made to IRC on behalf of - # the Matrix user, this password will be sent as the server password (PASS command). - passwordEncryptionKeyPath: "/data/passkey.pem" # does not typically need modification - - # Config for Matrix -> IRC bridging - matrixHandler: - # Cache this many matrix events in memory to be used for m.relates_to messages (usually replies). - eventCacheSize: 4096 - - servers: {{ matrix_appservice_irc_ircService_servers|to_json }} - - # Configuration for an ident server. If you are running a public bridge it is - # advised you setup an ident server so IRC mods can ban specific matrix users - # rather than the application service itself. - ident: - # True to listen for Ident requests and respond with the - # matrix user's user_id (converted to ASCII, respecting RFC 1413). - # Default: false. - enabled: false - # The port to listen on for incoming ident requests. - # Ports below 1024 require root to listen on, and you may not want this to - # run as root. Instead, you can get something like an Apache to yank up - # incoming requests to 113 to a high numbered port. Set the port to listen - # on instead of 113 here. - # Default: 113. - port: 1113 - # The address to listen on for incoming ident requests. - # Default: 0.0.0.0 - address: "::" - - # Configuration for logging. Optional. 
Default: console debug level logging - # only. - logging: - # Level to log on console/logfile. One of error|warn|info|debug - level: "debug" - # The file location to log to. This is relative to the project directory. - #logfile: "debug.log" - # The file location to log errors to. This is relative to the project - # directory. - #errfile: "errors.log" - # Whether to log to the console or not. - toConsole: true - # The max number of files to keep. Files will be overwritten eventually due - # to rotations. - maxFiles: 5 - - # Optional. Enable Prometheus metrics. If this is enabled, you MUST install `prom-client`: - # $ npm install prom-client@6.3.0 - # Metrics will then be available via GET /metrics on the bridge listening port (-p). - metrics: - # Whether to actually enable the metric endpoint. Default: false - enabled: true - # When collecting remote user active times, which "buckets" should be used. Defaults are given below. - # The bucket name is formed of a duration and a period. (h=hours,d=days,w=weeks). - remoteUserAgeBuckets: - - "1h" - - "1d" - - "1w" - - # Configuration for the provisioning API. - # - # GET /_matrix/provision/link - # GET /_matrix/provision/unlink - # GET /_matrix/provision/listlinks - # - provisioning: - # True to enable the provisioning HTTP endpoint. Default: false. - enabled: false - # The number of seconds to wait before giving up on getting a response from - # an IRC channel operator. If the channel operator does not respond within the - # allotted time period, the provisioning request will fail. - # Default: 300 seconds (5 mins) - requestTimeoutSeconds: 300 - - # Options here are generally only applicable to large-scale bridges and may have - # consequences greater than other options in this configuration file. - advanced: - # The maximum number of HTTP(S) sockets to maintain. Usually this is unlimited - # however for large bridges it is important to rate limit the bridge to avoid - # accidentally overloading the homeserver. 
Defaults to 1000, which should be - # enough for the vast majority of use cases. - maxHttpSockets: 1000 - - # Use an external database to store bridge state. - database: - # database engine (must be 'postgres' or 'nedb'). Default: nedb - engine: "nedb" - # Either a PostgreSQL connection string, or a path to the NeDB storage directory. - # For postgres, it must start with postgres:// - # For NeDB, it must start with nedb://. The path is relative to the project directory. - connectionString: "nedb:///data" +matrix_appservice_irc_configuration_yaml: "{{ lookup('template', 'templates/config.yaml.j2') }}" matrix_appservice_irc_configuration_extension_yaml: | # Your custom YAML configuration for Appservice IRC servers goes here. diff --git a/roles/matrix-bridge-appservice-irc/tasks/setup_install.yml b/roles/matrix-bridge-appservice-irc/tasks/setup_install.yml index 7206d25e..5e313347 100644 --- a/roles/matrix-bridge-appservice-irc/tasks/setup_install.yml +++ b/roles/matrix-bridge-appservice-irc/tasks/setup_install.yml @@ -58,7 +58,7 @@ register: irc_passkey_file - name: Generate Appservice IRC passkey if it doesn't exist - shell: /usr/bin/openssl genpkey -out {{ matrix_appservice_irc_data_path }}/passkey.pem -outform PEM -algorithm RSA -pkeyopt rsa_keygen_bits:2048 + shell: "{{ matrix_host_command_openssl }} genpkey -out {{ matrix_appservice_irc_data_path }}/passkey.pem -outform PEM -algorithm RSA -pkeyopt rsa_keygen_bits:2048" become: true become_user: "{{ matrix_user_username }}" when: "not irc_passkey_file.stat.exists" @@ -93,7 +93,7 @@ # to produce a final registration.yaml file, as we desire. - name: Generate Appservice IRC registration-template.yaml shell: >- - /usr/bin/docker run --rm --name matrix-appservice-irc-gen + {{ matrix_host_command_docker }} run --rm --name matrix-appservice-irc-gen --user={{ matrix_user_uid }}:{{ matrix_user_gid }} --cap-drop=ALL -v {{ matrix_appservice_irc_config_path }}:/config:z 
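Review bot: the "Generate Appservice IRC passkey if it doesn't exist" task still writes `passkey.pem` with whatever mode the invoking user's umask yields and applies no `mode`; since this is the RSA private key that encrypts IRC server passwords stored in the bridge database (see the `passwordEncryptionKeyPath` comment in the template), a follow-up `file:` task setting `mode: 0600` and owner `{{ matrix_user_username }}` would close that gap. Wrapping the whole `shell:` value in double quotes, as the new line does, is required here because a value starting with `{{` would otherwise be read by YAML as a flow mapping.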
diff --git a/roles/matrix-bridge-appservice-irc/templates/config.yaml.j2 b/roles/matrix-bridge-appservice-irc/templates/config.yaml.j2 new file mode 100644 index 00000000..3daa1898 --- /dev/null +++ b/roles/matrix-bridge-appservice-irc/templates/config.yaml.j2 
@@ -0,0 +1,134 @@ +#jinja2: lstrip_blocks: True +homeserver: + # The URL to the home server for client-server API calls, also used to form the + # media URLs as displayed in bridged IRC channels: + url: {{ matrix_appservice_irc_homeserver_url }} + # + # The URL of the homeserver hosting media files. This is only used to transform + # mxc URIs to http URIs when bridging m.room.[file|image] events. Optional. By + # default, this is the homeserver URL, specified above. + # + media_url: {{ matrix_appservice_irc_homeserver_media_url }} + + # Drop Matrix messages which are older than this number of seconds, according to + # the event's origin_server_ts. + # If the bridge is down for a while, the homeserver will attempt to send all missed + # events on reconnection. These events may be hours old, which can be confusing to + # IRC users if they are then bridged. This option allows these old messages to be + # dropped. + # CAUTION: This is a very coarse heuristic. Federated homeservers may have different + # clock times and hence produce different origin_server_ts values, which may be old + # enough to cause *all* events from the homeserver to be dropped. + # Default: 0 (don't ever drop) + # dropMatrixMessagesAfterSecs: 300 # 5 minutes + + # The 'domain' part for user IDs on this home server. Usually (but not always) + # is the "domain name" part of the HS URL. + domain: {{ matrix_appservice_irc_homeserver_domain }} + + # Should presence be enabled for matrix clients on this bridge. If disabled on the + # homeserver then it should also be disabled here to avoid excess traffic. + # Default: true + enablePresence: {{ matrix_appservice_irc_homeserver_enablePresence|to_json }} + +ircService: + # WARNING: The bridge needs to send plaintext passwords to the IRC server, it cannot + # send a password hash. As a result, passwords (NOT hashes) are stored encrypted in + # the database. 
+ # + # To generate a .pem file: + # $ openssl genpkey -out passkey.pem -outform PEM -algorithm RSA -pkeyopt rsa_keygen_bits:2048 + # + # The path to the RSA PEM-formatted private key to use when encrypting IRC passwords + # for storage in the database. Passwords are stored by using the admin room command + # `!storepass server.name passw0rd. When a connection is made to IRC on behalf of + # the Matrix user, this password will be sent as the server password (PASS command). + passwordEncryptionKeyPath: "/data/passkey.pem" # does not typically need modification + + # Config for Matrix -> IRC bridging + matrixHandler: + # Cache this many matrix events in memory to be used for m.relates_to messages (usually replies). + eventCacheSize: 4096 + + servers: {{ matrix_appservice_irc_ircService_servers|to_json }} + + # Configuration for an ident server. If you are running a public bridge it is + # advised you setup an ident server so IRC mods can ban specific matrix users + # rather than the application service itself. + ident: + # True to listen for Ident requests and respond with the + # matrix user's user_id (converted to ASCII, respecting RFC 1413). + # Default: false. + enabled: false + # The port to listen on for incoming ident requests. + # Ports below 1024 require root to listen on, and you may not want this to + # run as root. Instead, you can get something like an Apache to yank up + # incoming requests to 113 to a high numbered port. Set the port to listen + # on instead of 113 here. + # Default: 113. + port: 1113 + # The address to listen on for incoming ident requests. + # Default: 0.0.0.0 + address: "::" + + # Configuration for logging. Optional. Default: console debug level logging + # only. + logging: + # Level to log on console/logfile. One of error|warn|info|debug + level: "debug" + # The file location to log to. This is relative to the project directory. + #logfile: "debug.log" + # The file location to log errors to. 
This is relative to the project + # directory. + #errfile: "errors.log" + # Whether to log to the console or not. + toConsole: true + # The max number of files to keep. Files will be overwritten eventually due + # to rotations. + maxFiles: 5 + + # Optional. Enable Prometheus metrics. If this is enabled, you MUST install `prom-client`: + # $ npm install prom-client@6.3.0 + # Metrics will then be available via GET /metrics on the bridge listening port (-p). + metrics: + # Whether to actually enable the metric endpoint. Default: false + enabled: true + # When collecting remote user active times, which "buckets" should be used. Defaults are given below. + # The bucket name is formed of a duration and a period. (h=hours,d=days,w=weeks). + remoteUserAgeBuckets: + - "1h" + - "1d" + - "1w" + + # Configuration for the provisioning API. + # + # GET /_matrix/provision/link + # GET /_matrix/provision/unlink + # GET /_matrix/provision/listlinks + # + provisioning: + # True to enable the provisioning HTTP endpoint. Default: false. + enabled: false + # The number of seconds to wait before giving up on getting a response from + # an IRC channel operator. If the channel operator does not respond within the + # allotted time period, the provisioning request will fail. + # Default: 300 seconds (5 mins) + requestTimeoutSeconds: 300 + +# Options here are generally only applicable to large-scale bridges and may have +# consequences greater than other options in this configuration file. +advanced: + # The maximum number of HTTP(S) sockets to maintain. Usually this is unlimited + # however for large bridges it is important to rate limit the bridge to avoid + # accidentally overloading the homeserver. Defaults to 1000, which should be + # enough for the vast majority of use cases. + maxHttpSockets: 1000 + +# Use an external database to store bridge state. +database: + # database engine (must be 'postgres' or 'nedb'). 
Default: nedb + engine: "nedb" + # Either a PostgreSQL connection string, or a path to the NeDB storage directory. + # For postgres, it must start with postgres:// + # For NeDB, it must start with nedb://. The path is relative to the project directory. + connectionString: "nedb:///data" diff --git a/roles/matrix-bridge-appservice-irc/templates/systemd/matrix-appservice-irc.service.j2 b/roles/matrix-bridge-appservice-irc/templates/systemd/matrix-appservice-irc.service.j2 index 53e5b8e3..aa6141d6 100644 --- a/roles/matrix-bridge-appservice-irc/templates/systemd/matrix-appservice-irc.service.j2 +++ b/roles/matrix-bridge-appservice-irc/templates/systemd/matrix-appservice-irc.service.j2 @@ -11,13 +11,13 @@ Wants={{ service }} [Service] Type=simple -ExecStartPre=-/usr/bin/docker kill matrix-appservice-irc -ExecStartPre=-/usr/bin/docker rm matrix-appservice-irc +ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-appservice-irc +ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-appservice-irc # Intentional delay, so that the homeserver (we likely depend on) can manage to start. -ExecStartPre=/bin/sleep 5 +ExecStartPre={{ matrix_host_command_sleep }} 5 -ExecStart=/usr/bin/docker run --rm --name matrix-appservice-irc \ +ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-appservice-irc \ --log-driver=none \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --cap-drop=ALL \ @@ -34,8 +34,8 @@ ExecStart=/usr/bin/docker run --rm --name matrix-appservice-irc \ {{ matrix_appservice_irc_docker_image }} \ -c 'node app.js -c /config/config.yaml -f /config/registration.yaml -p 9999' -ExecStop=-/usr/bin/docker kill matrix-appservice-irc -ExecStop=-/usr/bin/docker rm matrix-appservice-irc +ExecStop=-{{ matrix_host_command_docker }} kill matrix-appservice-irc +ExecStop=-{{ matrix_host_command_docker }} rm matrix-appservice-irc Restart=always RestartSec=30 SyslogIdentifier=matrix-appservice-irc 
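Review bot: in roles/matrix-bridge-appservice-irc/templates/config.yaml.j2 the `metrics:` block ships with `enabled: true`, which by its own comment exposes an unauthenticated `GET /metrics` on the bridge listening port (`-p 9999` in the systemd unit), unlike `ident.enabled` and `provisioning.enabled`, which default to `false`. Either default it to `false` or document that the port must stay on the container network or behind the reverse proxy with access control. Minor: the comment "`!storepass server.name passw0rd." is missing its closing backtick, and the `#jinja2:` header uses `lstrip_blocks: True` while the Discord template uses `"True"`; pick one form.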
diff --git a/roles/matrix-bridge-appservice-slack/defaults/main.yml b/roles/matrix-bridge-appservice-slack/defaults/main.yml index d68c1178..58dde6a0 100644 --- a/roles/matrix-bridge-appservice-slack/defaults/main.yml +++ b/roles/matrix-bridge-appservice-slack/defaults/main.yml @@ -45,21 +45,7 @@ matrix_appservice_slack_appservice_token: '' matrix_appservice_slack_homeserver_token: '' matrix_appservice_slack_id_token: '' -matrix_appservice_slack_configuration_yaml: | - slack_hook_port: {{ matrix_appservice_slack_slack_port }} - inbound_uri_prefix: "{{ matrix_appservice_slack_inbound_uri_prefix }}" - bot_username: "{{ matrix_appservice_slack_bot_name }}" - username_prefix: {{ matrix_appservice_slack_user_prefix }} - - homeserver: - media_url: "{{ matrix_appservice_slack_homeserver_media_url }}" - url: "{{ matrix_appservice_slack_homeserver_url }}" - server_name: "{{ matrix_domain }}" - - dbdir: "/data" - - matrix_admin_room: "{{ matrix_appservice_slack_control_room_id }}" - +matrix_appservice_slack_configuration_yaml: "{{ lookup('template', 'templates/config.yaml.j2') }}" matrix_appservice_slack_configuration_extension_yaml: | #slack_hook_port: 9898 diff --git a/roles/matrix-bridge-appservice-slack/templates/config.yaml.j2 b/roles/matrix-bridge-appservice-slack/templates/config.yaml.j2 new file mode 100644 index 00000000..8f48d317 --- /dev/null +++ b/roles/matrix-bridge-appservice-slack/templates/config.yaml.j2 @@ -0,0 +1,14 @@ +#jinja2: lstrip_blocks: True +slack_hook_port: {{ matrix_appservice_slack_slack_port }} +inbound_uri_prefix: "{{ matrix_appservice_slack_inbound_uri_prefix }}" +bot_username: "{{ matrix_appservice_slack_bot_name }}" +username_prefix: {{ matrix_appservice_slack_user_prefix }} + +homeserver: + media_url: "{{ matrix_appservice_slack_homeserver_media_url }}" + url: "{{ matrix_appservice_slack_homeserver_url }}" + server_name: "{{ matrix_domain }}" + +dbdir: "/data" + +matrix_admin_room: "{{ matrix_appservice_slack_control_room_id }}" 
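Review bot: `username_prefix: {{ matrix_appservice_slack_user_prefix }}` in the new roles/matrix-bridge-appservice-slack/templates/config.yaml.j2 is the only value in the file left unquoted; a value beginning with a YAML indicator character would break parsing, so render it with `|to_json` or quote it like `bot_username` and `inbound_uri_prefix`. The template also adds `#jinja2: lstrip_blocks: True`, which the inline block it replaces did not have; harmless here since the file contains no block tags, but worth noting as a deliberate change.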
diff --git a/roles/matrix-bridge-appservice-slack/templates/systemd/matrix-appservice-slack.service.j2 b/roles/matrix-bridge-appservice-slack/templates/systemd/matrix-appservice-slack.service.j2 index 8b3d1f9d..de773ff9 100644 --- a/roles/matrix-bridge-appservice-slack/templates/systemd/matrix-appservice-slack.service.j2 +++ b/roles/matrix-bridge-appservice-slack/templates/systemd/matrix-appservice-slack.service.j2 @@ -11,13 +11,13 @@ Wants={{ service }} [Service] Type=simple -ExecStartPre=-/usr/bin/docker kill matrix-appservice-slack -ExecStartPre=-/usr/bin/docker rm matrix-appservice-slack +ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-appservice-slack +ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-appservice-slack # Intentional delay, so that the homeserver (we likely depend on) can manage to start. -ExecStartPre=/bin/sleep 5 +ExecStartPre={{ matrix_host_command_sleep }} 5 -ExecStart=/usr/bin/docker run --rm --name matrix-appservice-slack \ +ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-appservice-slack \ --log-driver=none \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --cap-drop=ALL \ @@ -33,8 +33,8 @@ ExecStart=/usr/bin/docker run --rm --name matrix-appservice-slack \ {{ matrix_appservice_slack_docker_image }} \ node app.js -p {{matrix_appservice_slack_matrix_port}} -c /config/config.yaml -f /config/slack-registration.yaml -ExecStop=-/usr/bin/docker kill matrix-appservice-slack -ExecStop=-/usr/bin/docker rm matrix-appservice-slack +ExecStop=-{{ matrix_host_command_docker }} kill matrix-appservice-slack +ExecStop=-{{ matrix_host_command_docker }} rm matrix-appservice-slack Restart=always RestartSec=30 SyslogIdentifier=matrix-appservice-slack diff --git a/roles/matrix-bridge-appservice-webhooks/defaults/main.yml b/roles/matrix-bridge-appservice-webhooks/defaults/main.yml index 1b2c9940..0fb5abbc 100644 --- a/roles/matrix-bridge-appservice-webhooks/defaults/main.yml 
+++ b/roles/matrix-bridge-appservice-webhooks/defaults/main.yml @@ -49,35 +49,7 @@ matrix_appservice_webhooks_api_secret: '' # Logging information (info and verbose is available) default is: info matrix_appservice_webhooks_log_level: 'info' -matrix_appservice_webhooks_configuration_yaml: | - - # Configuration specific to the application service. All fields (unless otherwise marked) are required. - homeserver: - # The domain for the client-server API calls. - url: "{{ matrix_appservice_webhooks_homeserver_url }}" - - # The domain part for user IDs on this home server. Usually, but not always, this is the same as the - # home server's URL. - domain: "{{ matrix_domain }}" - - # Configuration specific to the bridge. All fields (unless otherwise marked) are required. - webhookBot: - # The localpart to use for the bot. May require re-registering the application service. - localpart: "_webhook" - - # Provisioning API options - provisioning: - # Your secret for the API. Required for all provisioning API requests. - secret: '{{ matrix_appservice_webhooks_api_secret }}' - - # Configuration related to the web portion of the bridge. Handles the inbound webhooks - web: - hookUrlBase: "{{ matrix_appservice_webhooks_inbound_uri_prefix }}" - - logging: - console: true - consoleLevel: {{ matrix_appservice_webhooks_log_level }} - writeFiles: false +matrix_appservice_webhooks_configuration_yaml: "{{ lookup('template', 'templates/config.yaml.j2') }}" matrix_appservice_webhooks_configuration_extension_yaml: | # diff --git a/roles/matrix-bridge-appservice-webhooks/templates/config.yaml.j2 b/roles/matrix-bridge-appservice-webhooks/templates/config.yaml.j2 new file mode 100644 index 00000000..49751624 --- /dev/null +++ b/roles/matrix-bridge-appservice-webhooks/templates/config.yaml.j2 
@@ -0,0 +1,28 @@ +#jinja2: lstrip_blocks: True +# Configuration specific to the application service. All fields (unless otherwise marked) are required. +homeserver: + # The domain for the client-server API calls. + url: "{{ matrix_appservice_webhooks_homeserver_url }}" + + # The domain part for user IDs on this home server. Usually, but not always, this is the same as the + # home server's URL. + domain: "{{ matrix_domain }}" + +# Configuration specific to the bridge. All fields (unless otherwise marked) are required. +webhookBot: + # The localpart to use for the bot. May require re-registering the application service. + localpart: "_webhook" + +# Provisioning API options +provisioning: + # Your secret for the API. Required for all provisioning API requests. + secret: '{{ matrix_appservice_webhooks_api_secret }}' + +# Configuration related to the web portion of the bridge. Handles the inbound webhooks +web: + hookUrlBase: "{{ matrix_appservice_webhooks_inbound_uri_prefix }}" + +logging: + console: true + consoleLevel: {{ matrix_appservice_webhooks_log_level }} + writeFiles: false diff --git a/roles/matrix-bridge-appservice-webhooks/templates/systemd/matrix-appservice-webhooks.service.j2 b/roles/matrix-bridge-appservice-webhooks/templates/systemd/matrix-appservice-webhooks.service.j2 index cde798df..b05f8a27 100644 --- a/roles/matrix-bridge-appservice-webhooks/templates/systemd/matrix-appservice-webhooks.service.j2 +++ b/roles/matrix-bridge-appservice-webhooks/templates/systemd/matrix-appservice-webhooks.service.j2 
@@ -11,13 +11,13 @@ Wants={{ service }} [Service] Type=simple -ExecStartPre=-/usr/bin/docker kill matrix-appservice-webhooks -ExecStartPre=-/usr/bin/docker rm matrix-appservice-webhooks +ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-appservice-webhooks +ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-appservice-webhooks # Intentional delay, so that the homeserver (we likely depend on) can manage to start. -ExecStartPre=/bin/sleep 5 +ExecStartPre={{ matrix_host_command_sleep }} 5 -ExecStart=/usr/bin/docker run --rm --name matrix-appservice-webhooks \ +ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-appservice-webhooks \ --log-driver=none \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --cap-drop=ALL \ @@ -33,8 +33,8 @@ ExecStart=/usr/bin/docker run --rm --name matrix-appservice-webhooks \ {{ matrix_appservice_webhooks_docker_image }} \ node index.js -p {{ matrix_appservice_webhooks_matrix_port }} -c /config/config.yaml -f /config/webhooks-registration.yaml -ExecStop=-/usr/bin/docker kill matrix-appservice-webhooks -ExecStop=-/usr/bin/docker rm matrix-appservice-webhooks +ExecStop=-{{ matrix_host_command_docker }} kill matrix-appservice-webhooks +ExecStop=-{{ matrix_host_command_docker }} rm matrix-appservice-webhooks Restart=always RestartSec=30 SyslogIdentifier=matrix-appservice-webhooks diff --git a/roles/matrix-bridge-mautrix-facebook/defaults/main.yml b/roles/matrix-bridge-mautrix-facebook/defaults/main.yml index 3c09dafd..610bcc11 100644 --- a/roles/matrix-bridge-mautrix-facebook/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-facebook/defaults/main.yml 
@@ -38,160 +38,7 @@ matrix_mautrix_facebook_login_shared_secret: '' # # For a more advanced customization, you can extend the default (see `matrix_mautrix_facebook_configuration_extension_yaml`) # or completely replace this variable with your own template. -matrix_mautrix_facebook_configuration_yaml: | - #jinja2: lstrip_blocks: "True" - # Homeserver details - homeserver: - # The address that this appservice can use to connect to the homeserver. - address: {{ matrix_mautrix_facebook_homeserver_address }} - # The domain of the homeserver (for MXIDs, etc). - domain: {{ matrix_mautrix_facebook_homeserver_domain }} - # Whether or not to verify the SSL certificate of the homeserver. - # Only applies if address starts with https:// - verify_ssl: true - - # Application service host/registration related details - # Changing these values requires regeneration of the registration. - appservice: - # The address that the homeserver can use to connect to this appservice. - address: {{ matrix_mautrix_facebook_appservice_address }} - - # The hostname and port where this appservice should listen. - hostname: 0.0.0.0 - port: 29319 - # The maximum body size of appservice API requests (from the homeserver) in mebibytes - # Usually 1 is enough, but on high-traffic bridges you might need to increase this to avoid 413s - max_body_size: 1 - - # The full URI to the database. SQLite and Postgres are fully supported. - # Other DBMSes supported by SQLAlchemy may or may not work. - # Format examples: - # SQLite: sqlite:///filename.db - # Postgres: postgres://username:password@hostname/dbname - database: sqlite:////data/mautrix-facebook.db - - # Public part of web server for out-of-Matrix interaction with the bridge. - public: - # Whether or not the public-facing endpoints should be enabled. - enabled: false - # The prefix to use in the public-facing endpoints. - prefix: /public - # The base URL where the public-facing endpoints are available. The prefix is not added - # implicitly. 
- external: https://example.com/public - - # The unique ID of this appservice. - id: facebook - # Username of the appservice bot. - bot_username: facebookbot - # Display name and avatar for bot. Set to "remove" to remove display name/avatar, leave empty - # to leave display name/avatar as-is. - bot_displayname: Facebook bridge bot - bot_avatar: mxc://maunium.net/ddtNPZSKMNqaUzqrHuWvUADv - - # Authentication tokens for AS <-> HS communication. - as_token: "{{ matrix_mautrix_facebook_appservice_token }}" - hs_token: "{{ matrix_mautrix_facebook_homeserver_token }}" - - # Bridge config - bridge: - # Localpart template of MXIDs for Facebook users. - # {userid} is replaced with the user ID of the Facebook user. - username_template: "facebook_{userid}" - # Localpart template for per-user room grouping community IDs. - # The bridge will create these communities and add all of the specific user's portals to the community. - # {localpart} is the MXID localpart and {server} is the MXID server part of the user. - # - # `facebook_{localpart}={server}` is a good value. - community_template: null - # Displayname template for Facebook users. - # {displayname} is replaced with the display name of the Facebook user - # as defined below in displayname_preference. - # Keys available for displayname_preference are also available here. - displayname_template: '{displayname} (FB)' - # Available keys: - # "name" (full name) - # "first_name" - # "last_name" - # "nickname" - # "own_nickname" (user-specific!) - displayname_preference: - - name - - # The prefix for commands. Only required in non-management rooms. - command_prefix: "!fb" - - # Number of chats to sync (and create portals for) on startup/login. - # Maximum 20, set 0 to disable automatic syncing. - initial_chat_sync: 10 - # Whether or not the Facebook users of logged in Matrix users should be - # invited to private chats when the user sends a message from another client. 
- invite_own_puppet_to_pm: false - # Whether or not to use /sync to get presence, read receipts and typing notifications when using - # your own Matrix account as the Matrix puppet for your Facebook account. - sync_with_custom_puppets: true - # Shared secret for https://github.com/devture/matrix-synapse-shared-secret-auth - # - # If set, custom puppets will be enabled automatically for local users - # instead of users having to find an access token and run `login-matrix` - # manually. - login_shared_secret: {{ matrix_mautrix_facebook_login_shared_secret|to_json }} - # Whether or not to bridge presence in both directions. Facebook allows users not to broadcast - # presence, but then it won't send other users' presence to the client. - presence: true - # Whether or not to update avatars when syncing all contacts at startup. - update_avatar_initial_sync: true - # End-to-bridge encryption support options. These require matrix-nio to be installed with pip - # and login_shared_secret to be configured in order to get a device for the bridge bot. - # - # Additionally, https://github.com/matrix-org/synapse/pull/5758 is required if using a normal - # application service. - encryption: - # Allow encryption, work in group chat rooms with e2ee enabled - allow: false - # Default to encryption, force-enable encryption in all portals the bridge creates - # This will cause the bridge bot to be in private chats for the encryption to work properly. - default: false - - # Permissions for using the bridge. - # Permitted values: - # user - Use the bridge with puppeting. - # admin - Use and administrate the bridge. - # Permitted keys: - # * - All Matrix users - # domain - All users on that homeserver - # mxid - Specific user - permissions: - '{{ matrix_mautrix_facebook_homeserver_domain }}': user - - # Python logging configuration. 
- # - # See section 16.7.2 of the Python documentation for more info: - # https://docs.python.org/3.6/library/logging.config.html#configuration-dictionary-schema - logging: - version: 1 - formatters: - colored: - (): mautrix_facebook.util.ColorFormatter - format: "[%(asctime)s] [%(levelname)s@%(name)s] %(message)s" - normal: - format: "[%(asctime)s] [%(levelname)s@%(name)s] %(message)s" - handlers: - console: - class: logging.StreamHandler - formatter: colored - loggers: - mau: - level: DEBUG - fbchat: - level: DEBUG - hbmqtt: - level: INFO - aiohttp: - level: INFO - root: - level: DEBUG - handlers: [console] +matrix_mautrix_facebook_configuration_yaml: "{{ lookup('template', 'templates/config.yaml.j2') }}" matrix_mautrix_facebook_configuration_extension_yaml: | # Your custom YAML configuration goes here. diff --git a/roles/matrix-bridge-mautrix-facebook/templates/config.yaml.j2 b/roles/matrix-bridge-mautrix-facebook/templates/config.yaml.j2 new file mode 100644 index 00000000..7da7b588 --- /dev/null +++ b/roles/matrix-bridge-mautrix-facebook/templates/config.yaml.j2 
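Review bot: two things about replacing the inline block with `lookup('template', 'templates/config.yaml.j2')`. First, the lookup is evaluated lazily, when `matrix_mautrix_facebook_configuration_yaml` is first used inside this role, which is why the role-relative path works; the comment a few lines up that invites operators to "completely replace this variable with your own template" now needs a sentence saying that a replacement lookup defined in `vars.yml` must use a path that resolves from the playbook directory (or an absolute path), because the variable is no longer a plain YAML string. Second, the template this points at is not a 1:1 copy of the removed block: it adds `bridge.delivery_receipts`, `bridge.allow_invites`, the whole `bridge.backfill` and `bridge.periodic_reconnect` sections, `resync_max_disconnected_time`, `temporary_disconnect_notices` and `refresh_on_reconnection_fail`. That is a sync with a newer upstream config schema, not a pure move, so the commit should say so and confirm that the pinned `matrix_mautrix_facebook_docker_image` understands those keys (this diff bumps the telegram image but shows no corresponding bump for facebook). The defaults chosen are the conservative ones (`allow_invites: false`, `backfill.initial_limit: 0`, `periodic_reconnect.interval: -1`), which is fine.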
@@ -0,0 +1,194 @@ +#jinja2: lstrip_blocks: "True" +# Homeserver details +homeserver: + # The address that this appservice can use to connect to the homeserver. + address: {{ matrix_mautrix_facebook_homeserver_address }} + # The domain of the homeserver (for MXIDs, etc). + domain: {{ matrix_mautrix_facebook_homeserver_domain }} + # Whether or not to verify the SSL certificate of the homeserver. + # Only applies if address starts with https:// + verify_ssl: true + +# Application service host/registration related details +# Changing these values requires regeneration of the registration. +appservice: + # The address that the homeserver can use to connect to this appservice. + address: {{ matrix_mautrix_facebook_appservice_address }} + + # The hostname and port where this appservice should listen. + hostname: 0.0.0.0 + port: 29319 + # The maximum body size of appservice API requests (from the homeserver) in mebibytes + # Usually 1 is enough, but on high-traffic bridges you might need to increase this to avoid 413s + max_body_size: 1 + + # The full URI to the database. SQLite and Postgres are fully supported. + # Other DBMSes supported by SQLAlchemy may or may not work. + # Format examples: + # SQLite: sqlite:///filename.db + # Postgres: postgres://username:password@hostname/dbname + database: sqlite:////data/mautrix-facebook.db + + # Public part of web server for out-of-Matrix interaction with the bridge. + public: + # Whether or not the public-facing endpoints should be enabled. + enabled: false + # The prefix to use in the public-facing endpoints. + prefix: /public + # The base URL where the public-facing endpoints are available. The prefix is not added + # implicitly. + external: https://example.com/public + + # The unique ID of this appservice. + id: facebook + # Username of the appservice bot. + bot_username: facebookbot + # Display name and avatar for bot. Set to "remove" to remove display name/avatar, leave empty + # to leave display name/avatar as-is. 
+ bot_displayname: Facebook bridge bot + bot_avatar: mxc://maunium.net/ddtNPZSKMNqaUzqrHuWvUADv + + # Authentication tokens for AS <-> HS communication. + as_token: "{{ matrix_mautrix_facebook_appservice_token }}" + hs_token: "{{ matrix_mautrix_facebook_homeserver_token }}" + +# Bridge config +bridge: + # Localpart template of MXIDs for Facebook users. + # {userid} is replaced with the user ID of the Facebook user. + username_template: "facebook_{userid}" + # Localpart template for per-user room grouping community IDs. + # The bridge will create these communities and add all of the specific user's portals to the community. + # {localpart} is the MXID localpart and {server} is the MXID server part of the user. + # + # `facebook_{localpart}={server}` is a good value. + community_template: null + # Displayname template for Facebook users. + # {displayname} is replaced with the display name of the Facebook user + # as defined below in displayname_preference. + # Keys available for displayname_preference are also available here. + displayname_template: '{displayname} (FB)' + # Available keys: + # "name" (full name) + # "first_name" + # "last_name" + # "nickname" + # "own_nickname" (user-specific!) + displayname_preference: + - name + + # The prefix for commands. Only required in non-management rooms. + command_prefix: "!fb" + + # Number of chats to sync (and create portals for) on startup/login. + # Maximum 20, set 0 to disable automatic syncing. + initial_chat_sync: 10 + # Whether or not the Facebook users of logged in Matrix users should be + # invited to private chats when the user sends a message from another client. + invite_own_puppet_to_pm: false + # Whether or not to use /sync to get presence, read receipts and typing notifications when using + # your own Matrix account as the Matrix puppet for your Facebook account. 
+ sync_with_custom_puppets: true + # Shared secret for https://github.com/devture/matrix-synapse-shared-secret-auth + # + # If set, custom puppets will be enabled automatically for local users + # instead of users having to find an access token and run `login-matrix` + # manually. + login_shared_secret: {{ matrix_mautrix_facebook_login_shared_secret|to_json }} + # Whether or not to bridge presence in both directions. Facebook allows users not to broadcast + # presence, but then it won't send other users' presence to the client. + presence: true + # Whether or not to update avatars when syncing all contacts at startup. + update_avatar_initial_sync: true + # End-to-bridge encryption support options. These require matrix-nio to be installed with pip + # and login_shared_secret to be configured in order to get a device for the bridge bot. + # + # Additionally, https://github.com/matrix-org/synapse/pull/5758 is required if using a normal + # application service. + encryption: + # Allow encryption, work in group chat rooms with e2ee enabled + allow: false + # Default to encryption, force-enable encryption in all portals the bridge creates + # This will cause the bridge bot to be in private chats for the encryption to work properly. + default: false + # Whether or not the bridge should send a read receipt from the bridge bot when a message has + # been sent to Facebook. + delivery_receipts: false + # Whether to allow inviting arbitrary mxids to portal rooms + allow_invites: false + # Settings for backfilling messages from Facebook. + backfill: + # Whether or not the Facebook users of logged in Matrix users should be + # invited to private chats when backfilling history from Facebook. This is + # usually needed to prevent rate limits and to allow timestamp massaging. + invite_own_puppet: true + # Maximum number of messages to backfill initially. + # Set to 0 to disable backfilling when creating portal. 
+ initial_limit: 0 + # Maximum number of messages to backfill if messages were missed while + # the bridge was disconnected. + # Set to 0 to disable backfilling missed messages. + missed_limit: 1000 + # If using double puppeting, should notifications be disabled + # while the initial backfill is in progress? + disable_notifications: false + periodic_reconnect: + # Interval in seconds in which to automatically reconnect all users. + # This can be used to automatically mitigate the bug where Facebook stops sending messages. + # Set to -1 to disable periodic reconnections entirely. + interval: -1 + # What to do in periodic reconnects. Either "refresh" or "reconnect" + mode: refresh + # Should even disconnected users be reconnected? + always: false + # The number of seconds that a disconnection can last without triggering an automatic re-sync + # and missed message backfilling when reconnecting. + # Set to 0 to always re-sync, or -1 to never re-sync automatically. + resync_max_disconnected_time: 5 + # Whether or not temporary disconnections should send notices to the notice room. + # If this is false, disconnections will never send messages and connections will only send + # messages if it was disconnected for more than resync_max_disconnected_time seconds. + temporary_disconnect_notices: true + # Whether or not the bridge should try to "refresh" the connection if a normal reconnection + # attempt fails. + refresh_on_reconnection_fail: false + + # Permissions for using the bridge. + # Permitted values: + # user - Use the bridge with puppeting. + # admin - Use and administrate the bridge. + # Permitted keys: + # * - All Matrix users + # domain - All users on that homeserver + # mxid - Specific user + permissions: + '{{ matrix_mautrix_facebook_homeserver_domain }}': user + +# Python logging configuration. 
+# +# See section 16.7.2 of the Python documentation for more info: +# https://docs.python.org/3.6/library/logging.config.html#configuration-dictionary-schema +logging: + version: 1 + formatters: + colored: + (): mautrix_facebook.util.ColorFormatter + format: "[%(asctime)s] [%(levelname)s@%(name)s] %(message)s" + normal: + format: "[%(asctime)s] [%(levelname)s@%(name)s] %(message)s" + handlers: + console: + class: logging.StreamHandler + formatter: colored + loggers: + mau: + level: DEBUG + fbchat: + level: DEBUG + hbmqtt: + level: INFO + aiohttp: + level: INFO + root: + level: DEBUG + handlers: [console] diff --git a/roles/matrix-bridge-mautrix-facebook/templates/systemd/matrix-mautrix-facebook.service.j2 b/roles/matrix-bridge-mautrix-facebook/templates/systemd/matrix-mautrix-facebook.service.j2 index e0ac9084..444423c1 100644 --- a/roles/matrix-bridge-mautrix-facebook/templates/systemd/matrix-mautrix-facebook.service.j2 +++ b/roles/matrix-bridge-mautrix-facebook/templates/systemd/matrix-mautrix-facebook.service.j2 @@ -11,9 +11,9 @@ Wants={{ service }} [Service] Type=simple -ExecStartPre=-/usr/bin/docker kill matrix-mautrix-facebook -ExecStartPre=-/usr/bin/docker rm matrix-mautrix-facebook -ExecStartPre=/usr/bin/docker run --rm --name matrix-mautrix-facebook-db \ +ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-mautrix-facebook +ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-mautrix-facebook +ExecStartPre={{ matrix_host_command_docker }} run --rm --name matrix-mautrix-facebook-db \ --log-driver=none \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --cap-drop=ALL \ 
@@ -23,9 +23,9 @@ ExecStartPre=/usr/bin/docker run --rm --name matrix-mautrix-facebook-db \ alembic -x config=/config/config.yaml upgrade head # Intentional delay, so that the homeserver (we likely depend on) can manage to start. -ExecStartPre=/bin/sleep 5 +ExecStartPre={{ matrix_host_command_sleep }} 5 -ExecStart=/usr/bin/docker run --rm --name matrix-mautrix-facebook \ +ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-mautrix-facebook \ --log-driver=none \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --cap-drop=ALL \ @@ -38,8 +38,8 @@ ExecStart=/usr/bin/docker run --rm --name matrix-mautrix-facebook \ {{ matrix_mautrix_facebook_docker_image }} \ python3 -m mautrix_facebook -c /config/config.yaml -ExecStop=-/usr/bin/docker kill matrix-mautrix-facebook -ExecStop=-/usr/bin/docker rm matrix-mautrix-facebook +ExecStop=-{{ matrix_host_command_docker }} kill matrix-mautrix-facebook +ExecStop=-{{ matrix_host_command_docker }} rm matrix-mautrix-facebook Restart=always RestartSec=30 SyslogIdentifier=matrix-mautrix-facebook diff --git a/roles/matrix-bridge-mautrix-hangouts/defaults/main.yml b/roles/matrix-bridge-mautrix-hangouts/defaults/main.yml index 8de4576f..31f4fe98 100644 --- a/roles/matrix-bridge-mautrix-hangouts/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-hangouts/defaults/main.yml 
@@ -40,152 +40,7 @@ matrix_mautrix_hangouts_login_shared_secret: '' # # For a more advanced customization, you can extend the default (see `matrix_mautrix_hangouts_configuration_extension_yaml`) # or completely replace this variable with your own template. -matrix_mautrix_hangouts_configuration_yaml: | - #jinja2: lstrip_blocks: "True" - # Homeserver details - homeserver: - # The address that this appservice can use to connect to the homeserver. - address: {{ matrix_mautrix_hangouts_homeserver_address }} - # The domain of the homeserver (for MXIDs, etc). - domain: {{ matrix_mautrix_hangouts_homeserver_domain }} - # Whether or not to verify the SSL certificate of the homeserver. - # Only applies if address starts with https:// - verify_ssl: true - - # Application service host/registration related details - # Changing these values requires regeneration of the registration. - appservice: - # The address that the homeserver can use to connect to this appservice. - address: {{ matrix_mautrix_hangouts_appservice_address }} - - # The hostname and port where this appservice should listen. - hostname: 0.0.0.0 - port: 8080 - # The maximum body size of appservice API requests (from the homeserver) in mebibytes - # Usually 1 is enough, but on high-traffic bridges you might need to increase this to avoid 413s - max_body_size: 1 - - # The full URI to the database. SQLite and Postgres are fully supported. - # Other DBMSes supported by SQLAlchemy may or may not work. - # Format examples: - # SQLite: sqlite:///filename.db - # Postgres: postgres://username:password@hostname/dbname - database: sqlite:////data/mautrix-hangouts.db - - # The unique ID of this appservice. - id: hangouts - # Username of the appservice bot. - bot_username: hangoutsbot - # Display name and avatar for bot. Set to "remove" to remove display name/avatar, leave empty - # to leave display name/avatar as-is. 
- bot_displayname: Hangouts bridge bot - bot_avatar: mxc://maunium.net/FBXZnpfORkBEruORbikmleAy - - # Authentication tokens for AS <-> HS communication. - as_token: "{{ matrix_mautrix_hangouts_appservice_token }}" - hs_token: "{{ matrix_mautrix_hangouts_homeserver_token }}" - - # Bridge config - bridge: - # Localpart template of MXIDs for Hangouts users. - # {userid} is replaced with the user ID of the Hangouts user. - username_template: "hangouts_{userid}" - # Displayname template for Hangouts users. - # {displayname} is replaced with the display name of the Hangouts user - # as defined below in displayname_preference. - # Keys available for displayname_preference are also available here. - displayname_template: '{full_name} (Hangouts)' - # Available keys: - # "name" (full name) - # "first_name" - # "last_name" - # "nickname" - # "own_nickname" (user-specific!) - displayname_preference: - - name - - # The prefix for commands. Only required in non-management rooms. - command_prefix: "!HO" - - # Number of chats to sync (and create portals for) on startup/login. - # Maximum 20, set 0 to disable automatic syncing. - initial_chat_sync: 20 - # Whether or not the Hangouts users of logged in Matrix users should be - # invited to private chats when the user sends a message from another client. - invite_own_puppet_to_pm: false - # Whether or not to use /sync to get presence, read receipts and typing notifications when using - # your own Matrix account as the Matrix puppet for your Hangouts account. - sync_with_custom_puppets: true - # Shared secret for https://github.com/devture/matrix-synapse-shared-secret-auth - # - # If set, custom puppets will be enabled automatically for local users - # instead of users having to find an access token and run `login-matrix` - # manually. - login_shared_secret: {{ matrix_mautrix_hangouts_login_shared_secret|to_json }} - # Whether or not to update avatars when syncing all contacts at startup. 
- update_avatar_initial_sync: true - # End-to-bridge encryption support options. These require matrix-nio to be installed with pip - # and login_shared_secret to be configured in order to get a device for the bridge bot. - # - # Additionally, https://github.com/matrix-org/synapse/pull/5758 is required if using a normal - # application service. - encryption: - # Allow encryption, work in group chat rooms with e2ee enabled - allow: false - # Default to encryption, force-enable encryption in all portals the bridge creates - # This will cause the bridge bot to be in private chats for the encryption to work properly. - default: false - - # Public website and API configs - web: - # Auth server config - auth: - # Publicly accessible base URL for the login endpoints. - # The prefix below is not implicitly added. This URL and all subpaths should be proxied - # or otherwise pointed to the appservice's webserver to the path specified below (prefix). - # This path should usually include a trailing slash. - # Internal prefix in the appservice web server for the login endpoints. - public: "{{ matrix_homeserver_url }}{{ matrix_mautrix_hangouts_public_endpoint }}/login" - prefix: "{{ matrix_mautrix_hangouts_public_endpoint }}/login" - - - # Permissions for using the bridge. - # Permitted values: - # user - Use the bridge with puppeting. - # admin - Use and administrate the bridge. - # Permitted keys: - # * - All Matrix users - # domain - All users on that homeserver - # mxid - Specific user - permissions: - '{{ matrix_mautrix_hangouts_homeserver_domain }}': user - - # Python logging configuration. 
- # - # See section 16.7.2 of the Python documentation for more info: - # https://docs.python.org/3.6/library/logging.config.html#configuration-dictionary-schema - logging: - version: 1 - formatters: - colored: - (): mautrix_hangouts.util.ColorFormatter - format: "[%(asctime)s] [%(levelname)s@%(name)s] %(message)s" - normal: - format: "[%(asctime)s] [%(levelname)s@%(name)s] %(message)s" - handlers: - console: - class: logging.StreamHandler - formatter: colored - loggers: - mau: - level: DEBUG - hangups: - level: DEBUG - aiohttp: - level: INFO - root: - level: DEBUG - handlers: [console] +matrix_mautrix_hangouts_configuration_yaml: "{{ lookup('template', 'templates/config.yaml.j2') }}" matrix_mautrix_hangouts_configuration_extension_yaml: | # Your custom YAML configuration goes here. diff --git a/roles/matrix-bridge-mautrix-hangouts/templates/config.yaml.j2 b/roles/matrix-bridge-mautrix-hangouts/templates/config.yaml.j2 new file mode 100644 index 00000000..f274b203 --- /dev/null +++ b/roles/matrix-bridge-mautrix-hangouts/templates/config.yaml.j2 
@@ -0,0 +1,145 @@ +#jinja2: lstrip_blocks: "True" +# Homeserver details +homeserver: + # The address that this appservice can use to connect to the homeserver. + address: {{ matrix_mautrix_hangouts_homeserver_address }} + # The domain of the homeserver (for MXIDs, etc). + domain: {{ matrix_mautrix_hangouts_homeserver_domain }} + # Whether or not to verify the SSL certificate of the homeserver. + # Only applies if address starts with https:// + verify_ssl: true + +# Application service host/registration related details +# Changing these values requires regeneration of the registration. +appservice: + # The address that the homeserver can use to connect to this appservice. + address: {{ matrix_mautrix_hangouts_appservice_address }} + + # The hostname and port where this appservice should listen. + hostname: 0.0.0.0 + port: 8080 + # The maximum body size of appservice API requests (from the homeserver) in mebibytes + # Usually 1 is enough, but on high-traffic bridges you might need to increase this to avoid 413s + max_body_size: 1 + + # The full URI to the database. SQLite and Postgres are fully supported. + # Other DBMSes supported by SQLAlchemy may or may not work. + # Format examples: + # SQLite: sqlite:///filename.db + # Postgres: postgres://username:password@hostname/dbname + database: sqlite:////data/mautrix-hangouts.db + + # The unique ID of this appservice. + id: hangouts + # Username of the appservice bot. + bot_username: hangoutsbot + # Display name and avatar for bot. Set to "remove" to remove display name/avatar, leave empty + # to leave display name/avatar as-is. + bot_displayname: Hangouts bridge bot + bot_avatar: mxc://maunium.net/FBXZnpfORkBEruORbikmleAy + + # Authentication tokens for AS <-> HS communication. + as_token: "{{ matrix_mautrix_hangouts_appservice_token }}" + hs_token: "{{ matrix_mautrix_hangouts_homeserver_token }}" + +# Bridge config +bridge: + # Localpart template of MXIDs for Hangouts users. 
+ # {userid} is replaced with the user ID of the Hangouts user. + username_template: "hangouts_{userid}" + # Displayname template for Hangouts users. + # {displayname} is replaced with the display name of the Hangouts user + # as defined below in displayname_preference. + # Keys available for displayname_preference are also available here. + displayname_template: '{full_name} (Hangouts)' + # Available keys: + # "name" (full name) + # "first_name" + # "last_name" + # "nickname" + # "own_nickname" (user-specific!) + displayname_preference: + - name + + # The prefix for commands. Only required in non-management rooms. + command_prefix: "!HO" + + # Number of chats to sync (and create portals for) on startup/login. + # Maximum 20, set 0 to disable automatic syncing. + initial_chat_sync: 20 + # Whether or not the Hangouts users of logged in Matrix users should be + # invited to private chats when the user sends a message from another client. + invite_own_puppet_to_pm: false + # Whether or not to use /sync to get presence, read receipts and typing notifications when using + # your own Matrix account as the Matrix puppet for your Hangouts account. + sync_with_custom_puppets: true + # Shared secret for https://github.com/devture/matrix-synapse-shared-secret-auth + # + # If set, custom puppets will be enabled automatically for local users + # instead of users having to find an access token and run `login-matrix` + # manually. + login_shared_secret: {{ matrix_mautrix_hangouts_login_shared_secret|to_json }} + # Whether or not to update avatars when syncing all contacts at startup. + update_avatar_initial_sync: true + # End-to-bridge encryption support options. These require matrix-nio to be installed with pip + # and login_shared_secret to be configured in order to get a device for the bridge bot. + # + # Additionally, https://github.com/matrix-org/synapse/pull/5758 is required if using a normal + # application service. 
+ encryption: + # Allow encryption, work in group chat rooms with e2ee enabled + allow: false + # Default to encryption, force-enable encryption in all portals the bridge creates + # This will cause the bridge bot to be in private chats for the encryption to work properly. + default: false + + # Public website and API configs + web: + # Auth server config + auth: + # Publicly accessible base URL for the login endpoints. + # The prefix below is not implicitly added. This URL and all subpaths should be proxied + # or otherwise pointed to the appservice's webserver to the path specified below (prefix). + # This path should usually include a trailing slash. + # Internal prefix in the appservice web server for the login endpoints. + public: "{{ matrix_homeserver_url }}{{ matrix_mautrix_hangouts_public_endpoint }}/login" + prefix: "{{ matrix_mautrix_hangouts_public_endpoint }}/login" + + + # Permissions for using the bridge. + # Permitted values: + # user - Use the bridge with puppeting. + # admin - Use and administrate the bridge. + # Permitted keys: + # * - All Matrix users + # domain - All users on that homeserver + # mxid - Specific user + permissions: + '{{ matrix_mautrix_hangouts_homeserver_domain }}': user + +# Python logging configuration. +# +# See section 16.7.2 of the Python documentation for more info: +# https://docs.python.org/3.6/library/logging.config.html#configuration-dictionary-schema +logging: + version: 1 + formatters: + colored: + (): mautrix_hangouts.util.ColorFormatter + format: "[%(asctime)s] [%(levelname)s@%(name)s] %(message)s" + normal: + format: "[%(asctime)s] [%(levelname)s@%(name)s] %(message)s" + handlers: + console: + class: logging.StreamHandler + formatter: colored + loggers: + mau: + level: DEBUG + hangups: + level: DEBUG + aiohttp: + level: INFO + root: + level: DEBUG + handlers: [console] 
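Review bot: in the `web.auth` block of the new hangouts template the comment "Internal prefix in the appservice web server for the login endpoints." sits above `public:` when it describes `prefix:`, and the preceding "This path should usually include a trailing slash." is contradicted by both rendered values, which end in `/login` with no slash. Since these lines are being moved into a fresh file anyway, reorder the comments so each sits above the key it describes and either append the slash or drop that sentence; leaving a comment that disagrees with the value invites someone to "fix" the URL later and break the login redirect. Separately, the logging section ships with `root`, `mau` and `hangups` at `DEBUG`. For a default production config `INFO` is the better level: debug output from a bridge is verbose and can carry more about sessions and message handling than an operator wants persisted in the journal, and anyone who needs it can raise the level through `matrix_mautrix_hangouts_configuration_extension_yaml`.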
diff --git a/roles/matrix-bridge-mautrix-hangouts/templates/systemd/matrix-mautrix-hangouts.service.j2 b/roles/matrix-bridge-mautrix-hangouts/templates/systemd/matrix-mautrix-hangouts.service.j2 index c110ed79..f33aff63 100644 --- a/roles/matrix-bridge-mautrix-hangouts/templates/systemd/matrix-mautrix-hangouts.service.j2 +++ b/roles/matrix-bridge-mautrix-hangouts/templates/systemd/matrix-mautrix-hangouts.service.j2 @@ -11,9 +11,9 @@ Wants={{ service }} [Service] Type=simple -ExecStartPre=-/usr/bin/docker kill matrix-mautrix-hangouts matrix-mautrix-hangouts-db -ExecStartPre=-/usr/bin/docker rm matrix-mautrix-hangouts matrix-mautrix-hangouts-db -ExecStartPre=/usr/bin/docker run --rm --name matrix-mautrix-hangouts-db \ +ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-mautrix-hangouts matrix-mautrix-hangouts-db +ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-mautrix-hangouts matrix-mautrix-hangouts-db +ExecStartPre={{ matrix_host_command_docker }} run --rm --name matrix-mautrix-hangouts-db \ --log-driver=none \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --cap-drop=ALL \ @@ -23,9 +23,9 @@ ExecStartPre=/usr/bin/docker run --rm --name matrix-mautrix-hangouts-db \ alembic -x config=/config/config.yaml upgrade head # Intentional delay, so that the homeserver (we likely depend on) can manage to start. -ExecStartPre=/bin/sleep 5 +ExecStartPre={{ matrix_host_command_sleep }} 5 -ExecStart=/usr/bin/docker run --rm --name matrix-mautrix-hangouts \ +ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-mautrix-hangouts \ --log-driver=none \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --cap-drop=ALL \ 
@@ -38,8 +38,8 @@ ExecStart=/usr/bin/docker run --rm --name matrix-mautrix-hangouts \ {{ matrix_mautrix_hangouts_docker_image }} \ python3 -m mautrix_hangouts -c /config/config.yaml -ExecStop=-/usr/bin/docker kill matrix-mautrix-hangouts -ExecStop=-/usr/bin/docker rm matrix-mautrix-hangouts +ExecStop=-{{ matrix_host_command_docker }} kill matrix-mautrix-hangouts +ExecStop=-{{ matrix_host_command_docker }} rm matrix-mautrix-hangouts Restart=always RestartSec=30 SyslogIdentifier=matrix-mautrix-hangouts diff --git a/roles/matrix-bridge-mautrix-telegram/defaults/main.yml b/roles/matrix-bridge-mautrix-telegram/defaults/main.yml index b491dce8..d3990b68 100644 --- a/roles/matrix-bridge-mautrix-telegram/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-telegram/defaults/main.yml @@ -4,7 +4,7 @@ matrix_mautrix_telegram_enabled: true # See: https://mau.dev/tulir/mautrix-telegram/container_registry -matrix_mautrix_telegram_docker_image: "dock.mau.dev/tulir/mautrix-telegram:v0.7.0" +matrix_mautrix_telegram_docker_image: "dock.mau.dev/tulir/mautrix-telegram:v0.7.2" matrix_mautrix_telegram_docker_image_force_pull: "{{ matrix_mautrix_telegram_docker_image.endswith(':latest') }}" matrix_mautrix_telegram_base_path: "{{ matrix_base_data_path }}/mautrix-telegram" 
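Review bot: bumping `matrix_mautrix_telegram_docker_image` from `v0.7.0` to `v0.7.2` is bundled into the same commit as the config-template refactor, which makes it hard to bisect a behaviour change back to the upgrade rather than the restructure. A pinned-image bump is a runtime change and deserves its own commit and a short changelog line; the surrounding `matrix_mautrix_telegram_docker_image_force_pull` logic is unchanged and only forces pulls for `:latest`, which is fine here because the tag itself changes.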
@@ -51,405 +51,7 @@ matrix_mautrix_telegram_login_shared_secret: '' # # For a more advanced customization, you can extend the default (see `matrix_mautrix_telegram_configuration_extension_yaml`) # or completely replace this variable with your own template. -matrix_mautrix_telegram_configuration_yaml: | - #jinja2: lstrip_blocks: "True" - # Homeserver details - homeserver: - # The address that this appservice can use to connect to the homeserver. - address: {{ matrix_mautrix_telegram_homeserver_address }} - # The domain of the homeserver (for MXIDs, etc). - domain: {{ matrix_mautrix_telegram_homeserver_domain }} - # Whether or not to verify the SSL certificate of the homeserver. - # Only applies if address starts with https:// - verify_ssl: true - - # Application service host/registration related details - # Changing these values requires regeneration of the registration. - appservice: - # The address that the homeserver can use to connect to this appservice. - address: {{ matrix_mautrix_telegram_appservice_address }} - - # The hostname and port where this appservice should listen. - hostname: 0.0.0.0 - port: 8080 - # The maximum body size of appservice API requests (from the homeserver) in mebibytes - # Usually 1 is enough, but on high-traffic bridges you might need to increase this to avoid 413s - max_body_size: 1 - - # The full URI to the database. SQLite and Postgres are fully supported. - # Other DBMSes supported by SQLAlchemy may or may not work. - # Format examples: - # SQLite: sqlite:///filename.db - # Postgres: postgres://username:password@hostname/dbname - database: sqlite:////data/mautrix-telegram.db - - # Public part of web server for out-of-Matrix interaction with the bridge. - # Used for things like login if the user wants to make sure the 2FA password isn't stored in - # the HS database. - public: - # Whether or not the public-facing endpoints should be enabled. - enabled: true - # The prefix to use in the public-facing endpoints. 
- prefix: {{ matrix_mautrix_telegram_public_endpoint }} - # The base URL where the public-facing endpoints are available. The prefix is not added - # implicitly. - external: {{ matrix_mautrix_telegram_appservice_public_external }} - - # Provisioning API part of the web server for automated portal creation and fetching information. - # Used by things like Dimension (https://dimension.t2bot.io/). - provisioning: - # Whether or not the provisioning API should be enabled. - enabled: false - # The prefix to use in the provisioning API endpoints. - prefix: /_matrix/provision/v1 - # The shared secret to authorize users of the API. - # Set to "generate" to generate and save a new token. - shared_secret: generate - - # The unique ID of this appservice. - id: telegram - # Username of the appservice bot. - bot_username: telegrambot - # Display name and avatar for bot. Set to "remove" to remove display name/avatar, leave empty - # to leave display name/avatar as-is. - bot_displayname: Telegram bridge bot - bot_avatar: mxc://maunium.net/tJCRmUyJDsgRNgqhOgoiHWbX - - # Authentication tokens for AS <-> HS communication. - as_token: "{{ matrix_mautrix_telegram_appservice_token }}" - hs_token: "{{ matrix_mautrix_telegram_homeserver_token }}" - - # Bridge config - bridge: - # Localpart template of MXIDs for Telegram users. - # {userid} is replaced with the user ID of the Telegram user. - username_template: "telegram_{userid}" - # Localpart template of room aliases for Telegram portal rooms. - # {groupname} is replaced with the name part of the public channel/group invite link ( https://t.me/{} ) - alias_template: "telegram_{groupname}" - # Displayname template for Telegram users. - # {displayname} is replaced with the display name of the Telegram user. - displayname_template: "{displayname} (Telegram)" - - # Set the preferred order of user identifiers which to use in the Matrix puppet display name. 
- # In the (hopefully unlikely) scenario that none of the given keys are found, the numeric user - # ID is used. - # - # If the bridge is working properly, a phone number or an username should always be known, but - # the other one can very well be empty. - # - # Valid keys: - # "full name" (First and/or last name) - # "full name reversed" (Last and/or first name) - # "first name" - # "last name" - # "username" - # "phone number" - displayname_preference: - - full name - - username - - phone number - # Maximum length of displayname - displayname_max_length: 100 - - # Maximum number of members to sync per portal when starting up. Other members will be - # synced when they send messages. The maximum is 10000, after which the Telegram server - # will not send any more members. - # Defaults to no local limit (-> limited to 10000 by server) - max_initial_member_sync: -1 - # Whether or not to sync the member list in channels. - # If no channel admins have logged into the bridge, the bridge won't be able to sync the member - # list regardless of this setting. - sync_channel_members: true - # Whether or not to skip deleted members when syncing members. - skip_deleted_members: true - # Whether or not to automatically synchronize contacts and chats of Matrix users logged into - # their Telegram account at startup. - startup_sync: true - # Number of most recently active dialogs to check when syncing chats. - # Dialogs include groups and private chats, but only groups are synced. - # Set to 0 to remove limit. - sync_dialog_limit: 30 - # Whether or not to sync and create portals for direct chats at startup. - sync_direct_chats: false - # The maximum number of simultaneous Telegram deletions to handle. - # A large number of simultaneous redactions could put strain on your homeserver. - max_telegram_delete: 10 - # Whether or not to automatically sync the Matrix room state (mostly unpuppeted displaynames) - # at startup and when creating a bridge. 
- sync_matrix_state: true - # Allow logging in within Matrix. If false, the only way to log in is using the out-of-Matrix - # login website (see appservice.public config section) - allow_matrix_login: true - # Whether or not to bridge plaintext highlights. - # Only enable this if your displayname_template has some static part that the bridge can use to - # reliably identify what is a plaintext highlight. - plaintext_highlights: false - # Whether or not to make portals of publicly joinable channels/supergroups publicly joinable on Matrix. - public_portals: true - # Whether or not to use /sync to get presence, read receipts and typing notifications when using - # your own Matrix account as the Matrix puppet for your Telegram account. - sync_with_custom_puppets: true - # Shared secret for https://github.com/devture/matrix-synapse-shared-secret-auth - # - # If set, custom puppets will be enabled automatically for local users - # instead of users having to find an access token and run `login-matrix` - # manually. - login_shared_secret: {{ matrix_mautrix_telegram_login_shared_secret|to_json }} - # Set to false to disable link previews in messages sent to Telegram. - telegram_link_preview: true - # Use inline images instead of a separate message for the caption. - # N.B. Inline images are not supported on all clients (e.g. Riot iOS). - inline_images: false - # Maximum size of image in megabytes before sending to Telegram as a document. - image_as_file_size: 10 - # Maximum size of Telegram documents in megabytes to bridge. - max_document_size: 100 - # Enable experimental parallel file transfer, which makes uploads/downloads much faster by - # streaming from/to Matrix and using many connections for Telegram. - # Note that generating HQ thumbnails for videos is not possible with streamed transfers. - parallel_file_transfer: false - # Whether or not created rooms should have federation enabled. - # If false, created portal rooms will never be federated. 
- federate_rooms: true - # Settings for converting animated stickers. - animated_sticker: - # Format to which animated stickers should be converted. - # disable - No conversion, send as-is (gzipped lottie) - # png - converts to non-animated png (fastest), - # gif - converts to animated gif, but loses transparency - # webm - converts to webm video, requires ffmpeg executable with vp9 codec and webm container support - target: gif - # Arguments for converter. All converters take width and height. - # GIF converter takes background as a hex color. - args: - width: 256 - height: 256 - background: "020202" # only for gif - fps: 30 # only for webm - # End-to-bridge encryption support options. These require matrix-nio to be installed with pip - # and login_shared_secret to be configured in order to get a device for the bridge bot. - # - # Additionally, https://github.com/matrix-org/synapse/pull/5758 is required if using a normal - # application service. - encryption: - # Allow encryption, work in group chat rooms with e2ee enabled - allow: false - # Default to encryption, force-enable encryption in all portals the bridge creates - # This will cause the bridge bot to be in private chats for the encryption to work properly. - default: false - - # Overrides for base power levels. - initial_power_level_overrides: - user: {} - group: {} - - # Whether to bridge Telegram bot messages as m.notices or m.texts. - bot_messages_as_notices: true - bridge_notices: - # Whether or not Matrix bot messages (type m.notice) should be bridged. - default: false - # List of user IDs for whom the previous flag is flipped. - # e.g. if bridge_notices.default is false, notices from other users will not be bridged, but - # notices from users listed here will be bridged. - exceptions: [] - - # Some config options related to Telegram message deduplication. - # The default values are usually fine, but some debug messages/warnings might recommend you - # change these. 
- deduplication: - # Whether or not to check the database if the message about to be sent is a duplicate. - pre_db_check: false - # The number of latest events to keep when checking for duplicates. - # You might need to increase this on high-traffic bridge instances. - cache_queue_length: 20 - - - # The formats to use when sending messages to Telegram via the relay bot. - # - # Telegram doesn't have built-in emotes, so the m.emote format is also used for non-relaybot users. - # - # Available variables: - # $sender_displayname - The display name of the sender (e.g. Example User) - # $sender_username - The username (Matrix ID localpart) of the sender (e.g. exampleuser) - # $sender_mxid - The Matrix ID of the sender (e.g. @exampleuser:example.com) - # $message - The message content as HTML - message_formats: - m.text: "$sender_displayname: $message" - m.notice: "$sender_displayname: $message" - m.emote: "* $sender_displayname $message" - m.file: "$sender_displayname sent a file: $message" - m.image: "$sender_displayname sent an image: $message" - m.audio: "$sender_displayname sent an audio file: $message" - m.video: "$sender_displayname sent a video: $message" - m.location: "$sender_displayname sent a location: $message" - # Telegram doesn't have built-in emotes, this field specifies how m.emote's from authenticated - # users are sent to telegram. All fields in message_formats are supported. Additionally, the - # Telegram user info is available in the following variables: - # $displayname - Telegram displayname - # $username - Telegram username (may not exist) - # $mention - Telegram @username or displayname mention (depending on which exists) - emote_format: "* $mention $formatted_body" - - # The formats to use when sending state events to Telegram via the relay bot. - # - # Variables from `message_formats` that have the `sender_` prefix are available without the prefix. - # In name_change events, `$prev_displayname` is the previous displayname. 
- # - # Set format to an empty string to disable the messages for that event. - state_event_formats: - join: "$displayname joined the room." - leave: "$displayname left the room." - name_change: "$prev_displayname changed their name to $displayname" - - # Filter rooms that can/can't be bridged. Can also be managed using the `filter` and - # `filter-mode` management commands. - # - # Filters do not affect direct chats. - # An empty blacklist will essentially disable the filter. - filter: - # Filter mode to use. Either "blacklist" or "whitelist". - # If the mode is "blacklist", the listed chats will never be bridged. - # If the mode is "whitelist", only the listed chats can be bridged. - mode: blacklist - # The list of group/channel IDs to filter. - list: [] - - # The prefix for commands. Only required in non-management rooms. - command_prefix: "!tg" - - # Permissions for using the bridge. - # Permitted values: - # relaybot - Only use the bridge via the relaybot, no access to commands. - # user - Relaybot level + access to commands to create bridges. - # puppeting - User level + logging in with a Telegram account. - # full - Full access to use the bridge, i.e. previous levels + Matrix login. - # admin - Full access to use the bridge and some extra administration commands. - # Permitted keys: - # * - All Matrix users - # domain - All users on that homeserver - # mxid - Specific user - permissions: - '{{ matrix_mautrix_telegram_homeserver_domain }}': full - - # Options related to the message relay Telegram bot. - relaybot: - private_chat: - # List of users to invite to the portal when someone starts a private chat with the bot. - # If empty, private chats with the bot won't create a portal. - invite: [] - # Whether or not to bridge state change messages in relaybot private chats. - state_changes: true - # When private_chat_invite is empty, this message is sent to users /starting the - # relaybot. Telegram's "markdown" is supported. 
- message: This is a Matrix bridge relaybot and does not support direct chats - # List of users to invite to all group chat portals created by the bridge. - group_chat_invite: [] - # Whether or not the relaybot should not bridge events in unbridged group chats. - # If false, portals will be created when the relaybot receives messages, just like normal - # users. This behavior is usually not desirable, as it interferes with manually bridging - # the chat to another room. - ignore_unbridged_group_chat: true - # Whether or not to allow creating portals from Telegram. - authless_portals: true - # Whether or not to allow Telegram group admins to use the bot commands. - whitelist_group_admins: true - # Whether or not to ignore incoming events sent by the relay bot. - ignore_own_incoming_events: true - # List of usernames/user IDs who are also allowed to use the bot commands. - whitelist: [] - - # Telegram config - telegram: - # Get your own API keys at https://my.telegram.org/apps - api_id: {{ matrix_mautrix_telegram_api_id }} - api_hash: {{ matrix_mautrix_telegram_api_hash }} - # (Optional) Create your own bot at https://t.me/BotFather - bot_token: {{ matrix_mautrix_telegram_bot_token }} - - # Telethon connection options. - connection: - # The timeout in seconds to be used when connecting. - timeout: 120 - # How many times the reconnection should retry, either on the initial connection or when - # Telegram disconnects us. May be set to a negative or null value for infinite retries, but - # this is not recommended, since the program can get stuck in an infinite loop. - retries: 5 - # The delay in seconds to sleep between automatic reconnections. - retry_delay: 1 - # The threshold below which the library should automatically sleep on flood wait errors - # (inclusive). For instance, if a FloodWaitError for 17s occurs and flood_sleep_threshold - # is 20s, the library will sleep automatically. If the error was for 21s, it would raise - # the error instead. 
Values larger than a day (86400) will be changed to a day. - flood_sleep_threshold: 60 - # How many times a request should be retried. Request are retried when Telegram is having - # internal issues, when there is a FloodWaitError less than flood_sleep_threshold, or when - # there's a migrate error. May take a negative or null value for infinite retries, but this - # is not recommended, since some requests can always trigger a call fail (such as searching - # for messages). - request_retries: 5 - - # Device info sent to Telegram. - device_info: - # "auto" = OS name+version. - device_model: auto - # "auto" = Telethon version. - system_version: auto - # "auto" = mautrix-telegram version. - app_version: auto - lang_code: en - system_lang_code: en - - # Custom server to connect to. - server: - # Set to true to use these server settings. If false, will automatically - # use production server assigned by Telegram. Set to false in production. - enabled: false - # The DC ID to connect to. - dc: 2 - # The IP to connect to. - ip: 149.154.167.40 - # The port to connect to. 443 may not work, 80 is better and both are equally secure. - port: 80 - - # Telethon proxy configuration. - # You must install PySocks from pip for proxies to work. - proxy: - # Allowed types: disabled, socks4, socks5, http - type: disabled - # Proxy IP address and port. - address: 127.0.0.1 - port: 1080 - # Whether or not to perform DNS resolving remotely. - rdns: true - # Proxy authentication (optional). - username: "" - password: "" - - # Python logging configuration. 
- # - # See section 16.7.2 of the Python documentation for more info: - # https://docs.python.org/3.6/library/logging.config.html#configuration-dictionary-schema - logging: - version: 1 - formatters: - precise: - format: "[%(asctime)s] [%(levelname)s@%(name)s] %(message)s" - handlers: - console: - class: logging.StreamHandler - formatter: precise - loggers: - mau: - level: DEBUG - telethon: - level: DEBUG - aiohttp: - level: INFO - root: - level: DEBUG - handlers: [console] - +matrix_mautrix_telegram_configuration_yaml: "{{ lookup('template', 'templates/config.yaml.j2') }}" matrix_mautrix_telegram_configuration_extension_yaml: | # Your custom YAML configuration goes here. diff --git a/roles/matrix-bridge-mautrix-telegram/templates/config.yaml.j2 b/roles/matrix-bridge-mautrix-telegram/templates/config.yaml.j2 new file mode 100644 index 00000000..2a5b5785 --- /dev/null +++ b/roles/matrix-bridge-mautrix-telegram/templates/config.yaml.j2 
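Review bot: the replacement `matrix_mautrix_telegram_configuration_yaml: "{{ lookup('template', 'templates/config.yaml.j2') }}"` uses a path relative to the template search path, and role defaults are rendered lazily, so the lookup only resolves to this role's `templates/config.yaml.j2` while a task of this role is evaluating the variable; anything that templates `matrix_mautrix_telegram_configuration_yaml` from another role or from the playbook level (a `debug:` task, `set_fact`, or a config-merging helper) will search a different `templates/` directory and fail with a file-not-found. Please either state this constraint in the comment above the variable (the comment still says users may "completely replace this variable with your own template") or anchor the path with `role_path`. Also verify that the moved content is byte-identical to the removed block, including the `#jinja2: lstrip_blocks: "True"` header, since `login_shared_secret`, `as_token` and `hs_token` are rendered from it.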
@@ -0,0 +1,397 @@ +#jinja2: lstrip_blocks: "True" +# Homeserver details +homeserver: + # The address that this appservice can use to connect to the homeserver. + address: {{ matrix_mautrix_telegram_homeserver_address }} + # The domain of the homeserver (for MXIDs, etc). + domain: {{ matrix_mautrix_telegram_homeserver_domain }} + # Whether or not to verify the SSL certificate of the homeserver. + # Only applies if address starts with https:// + verify_ssl: true + +# Application service host/registration related details +# Changing these values requires regeneration of the registration. +appservice: + # The address that the homeserver can use to connect to this appservice. + address: {{ matrix_mautrix_telegram_appservice_address }} + + # The hostname and port where this appservice should listen. + hostname: 0.0.0.0 + port: 8080 + # The maximum body size of appservice API requests (from the homeserver) in mebibytes + # Usually 1 is enough, but on high-traffic bridges you might need to increase this to avoid 413s + max_body_size: 1 + + # The full URI to the database. SQLite and Postgres are fully supported. + # Other DBMSes supported by SQLAlchemy may or may not work. + # Format examples: + # SQLite: sqlite:///filename.db + # Postgres: postgres://username:password@hostname/dbname + database: sqlite:////data/mautrix-telegram.db + + # Public part of web server for out-of-Matrix interaction with the bridge. + # Used for things like login if the user wants to make sure the 2FA password isn't stored in + # the HS database. + public: + # Whether or not the public-facing endpoints should be enabled. + enabled: true + # The prefix to use in the public-facing endpoints. + prefix: {{ matrix_mautrix_telegram_public_endpoint }} + # The base URL where the public-facing endpoints are available. The prefix is not added + # implicitly. 
+ external: {{ matrix_mautrix_telegram_appservice_public_external }} + + # Provisioning API part of the web server for automated portal creation and fetching information. + # Used by things like Dimension (https://dimension.t2bot.io/). + provisioning: + # Whether or not the provisioning API should be enabled. + enabled: false + # The prefix to use in the provisioning API endpoints. + prefix: /_matrix/provision/v1 + # The shared secret to authorize users of the API. + # Set to "generate" to generate and save a new token. + shared_secret: generate + + # The unique ID of this appservice. + id: telegram + # Username of the appservice bot. + bot_username: telegrambot + # Display name and avatar for bot. Set to "remove" to remove display name/avatar, leave empty + # to leave display name/avatar as-is. + bot_displayname: Telegram bridge bot + bot_avatar: mxc://maunium.net/tJCRmUyJDsgRNgqhOgoiHWbX + + # Authentication tokens for AS <-> HS communication. + as_token: "{{ matrix_mautrix_telegram_appservice_token }}" + hs_token: "{{ matrix_mautrix_telegram_homeserver_token }}" + +# Bridge config +bridge: + # Localpart template of MXIDs for Telegram users. + # {userid} is replaced with the user ID of the Telegram user. + username_template: "telegram_{userid}" + # Localpart template of room aliases for Telegram portal rooms. + # {groupname} is replaced with the name part of the public channel/group invite link ( https://t.me/{} ) + alias_template: "telegram_{groupname}" + # Displayname template for Telegram users. + # {displayname} is replaced with the display name of the Telegram user. + displayname_template: "{displayname} (Telegram)" + + # Set the preferred order of user identifiers which to use in the Matrix puppet display name. + # In the (hopefully unlikely) scenario that none of the given keys are found, the numeric user + # ID is used. 
+ # + # If the bridge is working properly, a phone number or an username should always be known, but + # the other one can very well be empty. + # + # Valid keys: + # "full name" (First and/or last name) + # "full name reversed" (Last and/or first name) + # "first name" + # "last name" + # "username" + # "phone number" + displayname_preference: + - full name + - username + - phone number + # Maximum length of displayname + displayname_max_length: 100 + + # Maximum number of members to sync per portal when starting up. Other members will be + # synced when they send messages. The maximum is 10000, after which the Telegram server + # will not send any more members. + # Defaults to no local limit (-> limited to 10000 by server) + max_initial_member_sync: -1 + # Whether or not to sync the member list in channels. + # If no channel admins have logged into the bridge, the bridge won't be able to sync the member + # list regardless of this setting. + sync_channel_members: true + # Whether or not to skip deleted members when syncing members. + skip_deleted_members: true + # Whether or not to automatically synchronize contacts and chats of Matrix users logged into + # their Telegram account at startup. + startup_sync: true + # Number of most recently active dialogs to check when syncing chats. + # Dialogs include groups and private chats, but only groups are synced. + # Set to 0 to remove limit. + sync_dialog_limit: 30 + # Whether or not to sync and create portals for direct chats at startup. + sync_direct_chats: false + # The maximum number of simultaneous Telegram deletions to handle. + # A large number of simultaneous redactions could put strain on your homeserver. + max_telegram_delete: 10 + # Whether or not to automatically sync the Matrix room state (mostly unpuppeted displaynames) + # at startup and when creating a bridge. + sync_matrix_state: true + # Allow logging in within Matrix. 
If false, the only way to log in is using the out-of-Matrix + # login website (see appservice.public config section) + allow_matrix_login: true + # Whether or not to bridge plaintext highlights. + # Only enable this if your displayname_template has some static part that the bridge can use to + # reliably identify what is a plaintext highlight. + plaintext_highlights: false + # Whether or not to make portals of publicly joinable channels/supergroups publicly joinable on Matrix. + public_portals: true + # Whether or not to use /sync to get presence, read receipts and typing notifications when using + # your own Matrix account as the Matrix puppet for your Telegram account. + sync_with_custom_puppets: true + # Shared secret for https://github.com/devture/matrix-synapse-shared-secret-auth + # + # If set, custom puppets will be enabled automatically for local users + # instead of users having to find an access token and run `login-matrix` + # manually. + login_shared_secret: {{ matrix_mautrix_telegram_login_shared_secret|to_json }} + # Set to false to disable link previews in messages sent to Telegram. + telegram_link_preview: true + # Use inline images instead of a separate message for the caption. + # N.B. Inline images are not supported on all clients (e.g. Riot iOS). + inline_images: false + # Maximum size of image in megabytes before sending to Telegram as a document. + image_as_file_size: 10 + # Maximum size of Telegram documents in megabytes to bridge. + max_document_size: 100 + # Enable experimental parallel file transfer, which makes uploads/downloads much faster by + # streaming from/to Matrix and using many connections for Telegram. + # Note that generating HQ thumbnails for videos is not possible with streamed transfers. + parallel_file_transfer: false + # Whether or not created rooms should have federation enabled. + # If false, created portal rooms will never be federated. + federate_rooms: true + # Settings for converting animated stickers. 
+ animated_sticker: + # Format to which animated stickers should be converted. + # disable - No conversion, send as-is (gzipped lottie) + # png - converts to non-animated png (fastest), + # gif - converts to animated gif, but loses transparency + # webm - converts to webm video, requires ffmpeg executable with vp9 codec and webm container support + target: gif + # Arguments for converter. All converters take width and height. + # GIF converter takes background as a hex color. + args: + width: 256 + height: 256 + background: "020202" # only for gif + fps: 30 # only for webm + # End-to-bridge encryption support options. These require matrix-nio to be installed with pip + # and login_shared_secret to be configured in order to get a device for the bridge bot. + # + # Additionally, https://github.com/matrix-org/synapse/pull/5758 is required if using a normal + # application service. + encryption: + # Allow encryption, work in group chat rooms with e2ee enabled + allow: false + # Default to encryption, force-enable encryption in all portals the bridge creates + # This will cause the bridge bot to be in private chats for the encryption to work properly. + default: false + + # Overrides for base power levels. + initial_power_level_overrides: + user: {} + group: {} + + # Whether to bridge Telegram bot messages as m.notices or m.texts. + bot_messages_as_notices: true + bridge_notices: + # Whether or not Matrix bot messages (type m.notice) should be bridged. + default: false + # List of user IDs for whom the previous flag is flipped. + # e.g. if bridge_notices.default is false, notices from other users will not be bridged, but + # notices from users listed here will be bridged. + exceptions: [] + + # Some config options related to Telegram message deduplication. + # The default values are usually fine, but some debug messages/warnings might recommend you + # change these. + deduplication: + # Whether or not to check the database if the message about to be sent is a duplicate. 
+ pre_db_check: false + # The number of latest events to keep when checking for duplicates. + # You might need to increase this on high-traffic bridge instances. + cache_queue_length: 20 + + + # The formats to use when sending messages to Telegram via the relay bot. + # + # Telegram doesn't have built-in emotes, so the m.emote format is also used for non-relaybot users. + # + # Available variables: + # $sender_displayname - The display name of the sender (e.g. Example User) + # $sender_username - The username (Matrix ID localpart) of the sender (e.g. exampleuser) + # $sender_mxid - The Matrix ID of the sender (e.g. @exampleuser:example.com) + # $message - The message content as HTML + message_formats: + m.text: "$sender_displayname: $message" + m.notice: "$sender_displayname: $message" + m.emote: "* $sender_displayname $message" + m.file: "$sender_displayname sent a file: $message" + m.image: "$sender_displayname sent an image: $message" + m.audio: "$sender_displayname sent an audio file: $message" + m.video: "$sender_displayname sent a video: $message" + m.location: "$sender_displayname sent a location: $message" + # Telegram doesn't have built-in emotes, this field specifies how m.emote's from authenticated + # users are sent to telegram. All fields in message_formats are supported. Additionally, the + # Telegram user info is available in the following variables: + # $displayname - Telegram displayname + # $username - Telegram username (may not exist) + # $mention - Telegram @username or displayname mention (depending on which exists) + emote_format: "* $mention $formatted_body" + + # The formats to use when sending state events to Telegram via the relay bot. + # + # Variables from `message_formats` that have the `sender_` prefix are available without the prefix. + # In name_change events, `$prev_displayname` is the previous displayname. + # + # Set format to an empty string to disable the messages for that event. 
+ state_event_formats: + join: "$displayname joined the room." + leave: "$displayname left the room." + name_change: "$prev_displayname changed their name to $displayname" + + # Filter rooms that can/can't be bridged. Can also be managed using the `filter` and + # `filter-mode` management commands. + # + # Filters do not affect direct chats. + # An empty blacklist will essentially disable the filter. + filter: + # Filter mode to use. Either "blacklist" or "whitelist". + # If the mode is "blacklist", the listed chats will never be bridged. + # If the mode is "whitelist", only the listed chats can be bridged. + mode: blacklist + # The list of group/channel IDs to filter. + list: [] + + # The prefix for commands. Only required in non-management rooms. + command_prefix: "!tg" + + # Permissions for using the bridge. + # Permitted values: + # relaybot - Only use the bridge via the relaybot, no access to commands. + # user - Relaybot level + access to commands to create bridges. + # puppeting - User level + logging in with a Telegram account. + # full - Full access to use the bridge, i.e. previous levels + Matrix login. + # admin - Full access to use the bridge and some extra administration commands. + # Permitted keys: + # * - All Matrix users + # domain - All users on that homeserver + # mxid - Specific user + permissions: + '{{ matrix_mautrix_telegram_homeserver_domain }}': full + + # Options related to the message relay Telegram bot. + relaybot: + private_chat: + # List of users to invite to the portal when someone starts a private chat with the bot. + # If empty, private chats with the bot won't create a portal. + invite: [] + # Whether or not to bridge state change messages in relaybot private chats. + state_changes: true + # When private_chat_invite is empty, this message is sent to users /starting the + # relaybot. Telegram's "markdown" is supported. 
+ message: This is a Matrix bridge relaybot and does not support direct chats + # List of users to invite to all group chat portals created by the bridge. + group_chat_invite: [] + # Whether or not the relaybot should not bridge events in unbridged group chats. + # If false, portals will be created when the relaybot receives messages, just like normal + # users. This behavior is usually not desirable, as it interferes with manually bridging + # the chat to another room. + ignore_unbridged_group_chat: true + # Whether or not to allow creating portals from Telegram. + authless_portals: true + # Whether or not to allow Telegram group admins to use the bot commands. + whitelist_group_admins: true + # Whether or not to ignore incoming events sent by the relay bot. + ignore_own_incoming_events: true + # List of usernames/user IDs who are also allowed to use the bot commands. + whitelist: [] + +# Telegram config +telegram: + # Get your own API keys at https://my.telegram.org/apps + api_id: {{ matrix_mautrix_telegram_api_id }} + api_hash: {{ matrix_mautrix_telegram_api_hash }} + # (Optional) Create your own bot at https://t.me/BotFather + bot_token: {{ matrix_mautrix_telegram_bot_token }} + + # Telethon connection options. + connection: + # The timeout in seconds to be used when connecting. + timeout: 120 + # How many times the reconnection should retry, either on the initial connection or when + # Telegram disconnects us. May be set to a negative or null value for infinite retries, but + # this is not recommended, since the program can get stuck in an infinite loop. + retries: 5 + # The delay in seconds to sleep between automatic reconnections. + retry_delay: 1 + # The threshold below which the library should automatically sleep on flood wait errors + # (inclusive). For instance, if a FloodWaitError for 17s occurs and flood_sleep_threshold + # is 20s, the library will sleep automatically. If the error was for 21s, it would raise + # the error instead. 
Values larger than a day (86400) will be changed to a day. + flood_sleep_threshold: 60 + # How many times a request should be retried. Request are retried when Telegram is having + # internal issues, when there is a FloodWaitError less than flood_sleep_threshold, or when + # there's a migrate error. May take a negative or null value for infinite retries, but this + # is not recommended, since some requests can always trigger a call fail (such as searching + # for messages). + request_retries: 5 + + # Device info sent to Telegram. + device_info: + # "auto" = OS name+version. + device_model: auto + # "auto" = Telethon version. + system_version: auto + # "auto" = mautrix-telegram version. + app_version: auto + lang_code: en + system_lang_code: en + + # Custom server to connect to. + server: + # Set to true to use these server settings. If false, will automatically + # use production server assigned by Telegram. Set to false in production. + enabled: false + # The DC ID to connect to. + dc: 2 + # The IP to connect to. + ip: 149.154.167.40 + # The port to connect to. 443 may not work, 80 is better and both are equally secure. + port: 80 + + # Telethon proxy configuration. + # You must install PySocks from pip for proxies to work. + proxy: + # Allowed types: disabled, socks4, socks5, http + type: disabled + # Proxy IP address and port. + address: 127.0.0.1 + port: 1080 + # Whether or not to perform DNS resolving remotely. + rdns: true + # Proxy authentication (optional). + username: "" + password: "" + +# Python logging configuration. 
+# +# See section 16.7.2 of the Python documentation for more info: +# https://docs.python.org/3.6/library/logging.config.html#configuration-dictionary-schema +logging: + version: 1 + formatters: + precise: + format: "[%(asctime)s] [%(levelname)s@%(name)s] %(message)s" + handlers: + console: + class: logging.StreamHandler + formatter: precise + loggers: + mau: + level: DEBUG + telethon: + level: DEBUG + aiohttp: + level: INFO + root: + level: DEBUG + handlers: [console] diff --git a/roles/matrix-bridge-mautrix-telegram/templates/systemd/matrix-mautrix-telegram.service.j2 b/roles/matrix-bridge-mautrix-telegram/templates/systemd/matrix-mautrix-telegram.service.j2 index 02264236..b0b4f643 100644 --- a/roles/matrix-bridge-mautrix-telegram/templates/systemd/matrix-mautrix-telegram.service.j2 +++ b/roles/matrix-bridge-mautrix-telegram/templates/systemd/matrix-mautrix-telegram.service.j2 
@@ -11,21 +11,22 @@ Wants={{ service }} [Service] Type=simple -ExecStartPre=-/usr/bin/docker kill matrix-mautrix-telegram -ExecStartPre=-/usr/bin/docker rm matrix-mautrix-telegram -ExecStartPre=/usr/bin/docker run --rm --name matrix-mautrix-telegram-db \ +ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-mautrix-telegram +ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-mautrix-telegram +ExecStartPre={{ matrix_host_command_docker }} run --rm --name matrix-mautrix-telegram-db \ --log-driver=none \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --cap-drop=ALL \ + --network={{ matrix_docker_network }} \ -v {{ matrix_mautrix_telegram_config_path }}:/config:z \ -v {{ matrix_mautrix_telegram_data_path }}:/data:z \ {{ matrix_mautrix_telegram_docker_image }} \ alembic -x config=/config/config.yaml upgrade head # Intentional delay, so that the homeserver (we likely depend on) can manage to start. -ExecStartPre=/bin/sleep 5 +ExecStartPre={{ matrix_host_command_sleep }} 5 -ExecStart=/usr/bin/docker run --rm --name matrix-mautrix-telegram \ +ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-mautrix-telegram \ --log-driver=none \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --cap-drop=ALL \ @@ -41,8 +42,8 @@ ExecStart=/usr/bin/docker run --rm --name matrix-mautrix-telegram \ {{ matrix_mautrix_telegram_docker_image }} \ python3 -m mautrix_telegram -c /config/config.yaml -ExecStop=-/usr/bin/docker kill matrix-mautrix-telegram -ExecStop=-/usr/bin/docker rm matrix-mautrix-telegram +ExecStop=-{{ matrix_host_command_docker }} kill matrix-mautrix-telegram +ExecStop=-{{ matrix_host_command_docker }} rm matrix-mautrix-telegram Restart=always RestartSec=30 SyslogIdentifier=matrix-mautrix-telegram diff --git a/roles/matrix-bridge-mautrix-whatsapp/defaults/main.yml b/roles/matrix-bridge-mautrix-whatsapp/defaults/main.yml index f83c78f0..e9929f96 100644 --- a/roles/matrix-bridge-mautrix-whatsapp/defaults/main.yml 
+++ b/roles/matrix-bridge-mautrix-whatsapp/defaults/main.yml 
@@ -35,175 +35,7 @@ matrix_mautrix_whatsapp_login_shared_secret: '' # # For a more advanced customization, you can extend the default (see `matrix_mautrix_whatsapp_configuration_extension_yaml`) # or completely replace this variable with your own template. -matrix_mautrix_whatsapp_configuration_yaml: | - # Homeserver details. - homeserver: - # The address that this appservice can use to connect to the homeserver. - address: {{ matrix_mautrix_whatsapp_homeserver_address }} - # The domain of the homeserver (for MXIDs, etc). - domain: {{ matrix_mautrix_whatsapp_homeserver_domain }} - # Application service host/registration related details. - # Changing these values requires regeneration of the registration. - - appservice: - # The address that the homeserver can use to connect to this appservice. - address: {{ matrix_mautrix_whatsapp_appservice_address }} - - # The hostname and port where this appservice should listen. - hostname: 0.0.0.0 - port: 8080 - - # Database config. - database: - # The database type. "sqlite3" and "postgres" are supported. - type: sqlite3 - # The database URI. - # SQLite: File name is enough. https://github.com/mattn/go-sqlite3#connection-string - # Postgres: Connection string. For example, postgres://user:password@host/database - uri: mautrix-whatsapp.db - # Maximum number of connections. Mostly relevant for Postgres. - max_open_conns: 20 - max_idle_conns: 2 - - # Path to the Matrix room state store. - state_store_path: ./mx-state.json - - # The unique ID of this appservice. - id: whatsapp - # Appservice bot details. - bot: - # Username of the appservice bot. - username: whatsappbot - # Display name and avatar for bot. Set to "remove" to remove display name/avatar, leave empty - # to leave display name/avatar as-is. - displayname: WhatsApp bridge bot - avatar: mxc://maunium.net/NeXNQarUbrlYBiPCpprYsRqr - - # Authentication tokens for AS <-> HS communication. Autogenerated; do not modify. 
- as_token: "{{ matrix_mautrix_whatsapp_appservice_token }}" - hs_token: "{{ matrix_mautrix_whatsapp_homeserver_token }}" - - # Bridge config - bridge: - # Localpart template of MXIDs for WhatsApp users. - # {{ '{{.}}' }} is replaced with the phone number of the WhatsApp user. - username_template: "{{ 'whatsapp_{{.}}' }}" - # Displayname template for WhatsApp users. - # {{ '{{.Notify'}}' }} - nickname set by the WhatsApp user - # {{ '{{.Jid}}' }} - phone number (international format) - # The following variables are also available, but will cause problems on multi-user instances: - # {{ '{{.Name}}' }} - display name from contact list - # {{ '{{.Short}}' }} - short display name from contact list - displayname_template: "{{ '{{if .Notify}}{{.Notify}}{{else}}{{.Jid}}{{end}} (WA)' }}" - # WhatsApp connection timeout in seconds. - connection_timeout: 20 - # Maximum number of times to retry connecting on connection error. - max_connection_attempts: 3 - # Number of seconds to wait between connection attempts. - # Negative numbers are exponential backoff: -connection_retry_delay + 1 + 2^attempts - connection_retry_delay: -1 - # Whether or not the bridge should send a notice to the user's management room when it retries connecting. - # If false, it will only report when it stops retrying. - report_connection_retry: true - # Maximum number of seconds to wait for chats to be sent at startup. - # If this is too low and you have lots of chats, it could cause backfilling to fail. - chat_list_wait: 30 - # Maximum number of seconds to wait to sync portals before force unlocking message processing. - # If this is too low and you have lots of chats, it could cause backfilling to fail. - portal_sync_wait: 600 - - # Whether or not to send call start/end notices to Matrix. - call_notices: - start: true - end: true - - # Number of chats to sync for new users. - initial_chat_sync_count: 10 - # Number of old messages to fill when creating new portal rooms. 
- initial_history_fill_count: 20 - # Maximum number of chats to sync when recovering from downtime. - # Set to -1 to sync all new chats during downtime. - recovery_chat_sync_limit: -1 - # Whether or not to sync history when recovering from downtime. - recovery_history_backfill: true - # Maximum number of seconds since last message in chat to skip - # syncing the chat in any case. This setting will take priority - # over both recovery_chat_sync_limit and initial_chat_sync_count. - # Default is 3 days = 259200 seconds - sync_max_chat_age: 259200 - - # Whether or not to sync with custom puppets to receive EDUs that - # are not normally sent to appservices. - sync_with_custom_puppets: true - # Shared secret for https://github.com/devture/matrix-synapse-shared-secret-auth - # - # If set, custom puppets will be enabled automatically for local users - # instead of users having to find an access token and run `login-matrix` - # manually. - login_shared_secret: {{ matrix_mautrix_whatsapp_login_shared_secret|to_json }} - - # Whether or not to invite own WhatsApp user's Matrix puppet into private - # chat portals when backfilling if needed. - # This always uses the default puppet instead of custom puppets due to - # rate limits and timestamp massaging. - invite_own_puppet_for_backfilling: true - # Whether or not to explicitly set the avatar and room name for private - # chat portal rooms. This can be useful if the previous field works fine, - # but causes room avatar/name bugs. - private_chat_portal_meta: false - - # Allow invite permission for user. User can invite any bots to room with whatsapp - # users (private chat and groups) - allow_user_invite: false - - # The prefix for commands. Only required in non-management rooms. - command_prefix: "!wa" - - # Permissions for using the bridge. - # Permitted values: - # user - Access to use the bridge to chat with a WhatsApp account. 
- # admin - User level and some additional administration tools - # Permitted keys: - # * - All Matrix users - # domain - All users on that homeserver - # mxid - Specific user - permissions: - "{{ matrix_mautrix_whatsapp_homeserver_domain }}": user - - relaybot: - # Whether or not relaybot support is enabled. - enabled: false - # The management room for the bot. This is where all status notifications are posted and - # in this room, you can use `!wa ` instead of `!wa relaybot `. Omitting - # the command prefix completely like in user management rooms is not possible. - management: '!foo:example.com' - # List of users to invite to all created rooms that include the relaybot. - invites: [] - # The formats to use when sending messages to WhatsApp via the relaybot. - message_formats: - m.text: "{{ '{{ .Sender.Displayname }}' }}: {{ '{{ .Message }}' }}" - m.notice: "{{ '{{ .Sender.Displayname }}' }}:: {{ '{{ .Message }}' }}" - m.emote: "* {{ '{{ .Sender.Displayname }}' }}: {{ '{{ .Message }}' }}" - m.file: "{{ '{{ .Sender.Displayname }}' }}: sent a file" - m.image: "{{ '{{ .Sender.Displayname }}' }}: sent an image" - m.audio: "{{ '{{ .Sender.Displayname }}' }}: sent an audio file" - m.video: "{{ '{{ .Sender.Displayname }}' }}: sent a video" - m.location: "{{ '{{ .Sender.Displayname }}' }}: sent a location" - # Logging config. - logging: - # The directory for log files. Will be created if not found. - directory: ./logs - # Available variables: .Date for the file date and .Index for different log files on the same day. - file_name_format: "{{ '{{.Date}}-{{.Index}}.log' }}" - # Date format for file names in the Go time format: https://golang.org/pkg/time/#pkg-constants - file_date_format: "2006-01-02" - # Log file permissions. - file_mode: 0600 - # Timestamp format for log entries in the Go time format. - timestamp_format: "Jan _2, 2006 15:04:05" - # Minimum severity for log messages. 
- # Options: debug, info, warn, error, fatal - print_level: debug +matrix_mautrix_whatsapp_configuration_yaml: "{{ lookup('template', 'templates/config.yaml.j2') }}" matrix_mautrix_whatsapp_configuration_extension_yaml: | # Your custom YAML configuration goes here. diff --git a/roles/matrix-bridge-mautrix-whatsapp/templates/config.yaml.j2 b/roles/matrix-bridge-mautrix-whatsapp/templates/config.yaml.j2 new file mode 100644 index 00000000..a527a188 --- /dev/null +++ b/roles/matrix-bridge-mautrix-whatsapp/templates/config.yaml.j2 
@@ -0,0 +1,169 @@ +#jinja2: lstrip_blocks: "True" +# Homeserver details. +homeserver: + # The address that this appservice can use to connect to the homeserver. + address: {{ matrix_mautrix_whatsapp_homeserver_address }} + # The domain of the homeserver (for MXIDs, etc). + domain: {{ matrix_mautrix_whatsapp_homeserver_domain }} +# Application service host/registration related details. +# Changing these values requires regeneration of the registration. + +appservice: + # The address that the homeserver can use to connect to this appservice. + address: {{ matrix_mautrix_whatsapp_appservice_address }} + + # The hostname and port where this appservice should listen. + hostname: 0.0.0.0 + port: 8080 + + # Database config. + database: + # The database type. "sqlite3" and "postgres" are supported. + type: sqlite3 + # The database URI. + # SQLite: File name is enough. https://github.com/mattn/go-sqlite3#connection-string + # Postgres: Connection string. For example, postgres://user:password@host/database + uri: mautrix-whatsapp.db + # Maximum number of connections. Mostly relevant for Postgres. + max_open_conns: 20 + max_idle_conns: 2 + + # Path to the Matrix room state store. + state_store_path: ./mx-state.json + + # The unique ID of this appservice. + id: whatsapp + # Appservice bot details. + bot: + # Username of the appservice bot. + username: whatsappbot + # Display name and avatar for bot. Set to "remove" to remove display name/avatar, leave empty + # to leave display name/avatar as-is. + displayname: WhatsApp bridge bot + avatar: mxc://maunium.net/NeXNQarUbrlYBiPCpprYsRqr + + # Authentication tokens for AS <-> HS communication. Autogenerated; do not modify. + as_token: "{{ matrix_mautrix_whatsapp_appservice_token }}" + hs_token: "{{ matrix_mautrix_whatsapp_homeserver_token }}" + +# Bridge config +bridge: + # Localpart template of MXIDs for WhatsApp users. + # {{ '{{.}}' }} is replaced with the phone number of the WhatsApp user. 
+ username_template: "{{ 'whatsapp_{{.}}' }}" + # Displayname template for WhatsApp users. + # {{ '{{.Notify'}}' }} - nickname set by the WhatsApp user + # {{ '{{.Jid}}' }} - phone number (international format) + # The following variables are also available, but will cause problems on multi-user instances: + # {{ '{{.Name}}' }} - display name from contact list + # {{ '{{.Short}}' }} - short display name from contact list + displayname_template: "{{ '{{if .Notify}}{{.Notify}}{{else}}{{.Jid}}{{end}} (WA)' }}" + # WhatsApp connection timeout in seconds. + connection_timeout: 20 + # Maximum number of times to retry connecting on connection error. + max_connection_attempts: 3 + # Number of seconds to wait between connection attempts. + # Negative numbers are exponential backoff: -connection_retry_delay + 1 + 2^attempts + connection_retry_delay: -1 + # Whether or not the bridge should send a notice to the user's management room when it retries connecting. + # If false, it will only report when it stops retrying. + report_connection_retry: true + # Maximum number of seconds to wait for chats to be sent at startup. + # If this is too low and you have lots of chats, it could cause backfilling to fail. + chat_list_wait: 30 + # Maximum number of seconds to wait to sync portals before force unlocking message processing. + # If this is too low and you have lots of chats, it could cause backfilling to fail. + portal_sync_wait: 600 + + # Whether or not to send call start/end notices to Matrix. + call_notices: + start: true + end: true + + # Number of chats to sync for new users. + initial_chat_sync_count: 10 + # Number of old messages to fill when creating new portal rooms. + initial_history_fill_count: 20 + # Maximum number of chats to sync when recovering from downtime. + # Set to -1 to sync all new chats during downtime. + recovery_chat_sync_limit: -1 + # Whether or not to sync history when recovering from downtime. 
+ recovery_history_backfill: true + # Maximum number of seconds since last message in chat to skip + # syncing the chat in any case. This setting will take priority + # over both recovery_chat_sync_limit and initial_chat_sync_count. + # Default is 3 days = 259200 seconds + sync_max_chat_age: 259200 + + # Whether or not to sync with custom puppets to receive EDUs that + # are not normally sent to appservices. + sync_with_custom_puppets: true + # Shared secret for https://github.com/devture/matrix-synapse-shared-secret-auth + # + # If set, custom puppets will be enabled automatically for local users + # instead of users having to find an access token and run `login-matrix` + # manually. + login_shared_secret: {{ matrix_mautrix_whatsapp_login_shared_secret|to_json }} + + # Whether or not to invite own WhatsApp user's Matrix puppet into private + # chat portals when backfilling if needed. + # This always uses the default puppet instead of custom puppets due to + # rate limits and timestamp massaging. + invite_own_puppet_for_backfilling: true + # Whether or not to explicitly set the avatar and room name for private + # chat portal rooms. This can be useful if the previous field works fine, + # but causes room avatar/name bugs. + private_chat_portal_meta: false + + # Allow invite permission for user. User can invite any bots to room with whatsapp + # users (private chat and groups) + allow_user_invite: false + + # The prefix for commands. Only required in non-management rooms. + command_prefix: "!wa" + + # Permissions for using the bridge. + # Permitted values: + # user - Access to use the bridge to chat with a WhatsApp account. + # admin - User level and some additional administration tools + # Permitted keys: + # * - All Matrix users + # domain - All users on that homeserver + # mxid - Specific user + permissions: + "{{ matrix_mautrix_whatsapp_homeserver_domain }}": user + + relaybot: + # Whether or not relaybot support is enabled. 
+ enabled: false + # The management room for the bot. This is where all status notifications are posted and + # in this room, you can use `!wa ` instead of `!wa relaybot `. Omitting + # the command prefix completely like in user management rooms is not possible. + management: '!foo:example.com' + # List of users to invite to all created rooms that include the relaybot. + invites: [] + # The formats to use when sending messages to WhatsApp via the relaybot. + message_formats: + m.text: "{{ '{{ .Sender.Displayname }}' }}: {{ '{{ .Message }}' }}" + m.notice: "{{ '{{ .Sender.Displayname }}' }}:: {{ '{{ .Message }}' }}" + m.emote: "* {{ '{{ .Sender.Displayname }}' }}: {{ '{{ .Message }}' }}" + m.file: "{{ '{{ .Sender.Displayname }}' }}: sent a file" + m.image: "{{ '{{ .Sender.Displayname }}' }}: sent an image" + m.audio: "{{ '{{ .Sender.Displayname }}' }}: sent an audio file" + m.video: "{{ '{{ .Sender.Displayname }}' }}: sent a video" + m.location: "{{ '{{ .Sender.Displayname }}' }}: sent a location" +# Logging config. +logging: + # The directory for log files. Will be created if not found. + directory: ./logs + # Available variables: .Date for the file date and .Index for different log files on the same day. + file_name_format: "{{ '{{.Date}}-{{.Index}}.log' }}" + # Date format for file names in the Go time format: https://golang.org/pkg/time/#pkg-constants + file_date_format: "2006-01-02" + # Log file permissions. + file_mode: 0600 + # Timestamp format for log entries in the Go time format. + timestamp_format: "Jan _2, 2006 15:04:05" + # Minimum severity for log messages. + # Options: debug, info, warn, error, fatal + print_level: debug diff --git a/roles/matrix-bridge-mautrix-whatsapp/templates/systemd/matrix-mautrix-whatsapp.service.j2 b/roles/matrix-bridge-mautrix-whatsapp/templates/systemd/matrix-mautrix-whatsapp.service.j2 index d864c041..7dd25140 100644 --- a/roles/matrix-bridge-mautrix-whatsapp/templates/systemd/matrix-mautrix-whatsapp.service.j2 
+++ b/roles/matrix-bridge-mautrix-whatsapp/templates/systemd/matrix-mautrix-whatsapp.service.j2 @@ -11,13 +11,13 @@ Wants={{ service }} [Service] Type=simple -ExecStartPre=-/usr/bin/docker kill matrix-mautrix-whatsapp -ExecStartPre=-/usr/bin/docker rm matrix-mautrix-whatsapp +ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-mautrix-whatsapp +ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-mautrix-whatsapp # Intentional delay, so that the homeserver (we likely depend on) can manage to start. -ExecStartPre=/bin/sleep 5 +ExecStartPre={{ matrix_host_command_sleep }} 5 -ExecStart=/usr/bin/docker run --rm --name matrix-mautrix-whatsapp \ +ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-mautrix-whatsapp \ --log-driver=none \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --cap-drop=ALL \ @@ -31,8 +31,8 @@ ExecStart=/usr/bin/docker run --rm --name matrix-mautrix-whatsapp \ {{ matrix_mautrix_whatsapp_docker_image }} \ /usr/bin/mautrix-whatsapp -c /config/config.yaml -r /config/registration.yaml -ExecStop=-/usr/bin/docker kill matrix-mautrix-whatsapp -ExecStop=-/usr/bin/docker rm matrix-mautrix-whatsapp +ExecStop=-{{ matrix_host_command_docker }} kill matrix-mautrix-whatsapp +ExecStop=-{{ matrix_host_command_docker }} rm matrix-mautrix-whatsapp Restart=always RestartSec=30 SyslogIdentifier=matrix-mautrix-whatsapp diff --git a/roles/matrix-bridge-mx-puppet-skype/defaults/main.yml b/roles/matrix-bridge-mx-puppet-skype/defaults/main.yml index 9d80ab04..8b977acf 100644 --- a/roles/matrix-bridge-mx-puppet-skype/defaults/main.yml +++ b/roles/matrix-bridge-mx-puppet-skype/defaults/main.yml 
@@ -56,145 +56,7 @@ matrix_mx_puppet_skype_login_shared_secret: '' # # For a more advanced customization, you can extend the default (see `matrix_mx_puppet_skype_configuration_extension_yaml`) # or completely replace this variable with your own template. -matrix_mx_puppet_skype_configuration_yaml: | - #jinja2: lstrip_blocks: "True" - bridge: - # Address for the bridge to bind to; if running as a Docker container, you - # probably want 0.0.0.0 here - bindAddress: 0.0.0.0 - # Port to host the bridge on which your homeserver will connect to - port: {{ matrix_mx_puppet_skype_appservice_port }} - # Name of your homeserver - domain: {{ matrix_domain }} - # URL where the bridge can connect to your homeserver - homeserverUrl: {{ matrix_mx_puppet_skype_homeserver_address }} - # Optionally specify a different media URL used for the media store - mediaURL: https://{{ matrix_server_fqn_matrix }} - # This enabled automatic double-puppeting: - # A map for shared secrets of the homeserver URL to the shared secret - # See https://github.com/devture/matrix-synapse-shared-secret-auth - #loginSharedSecretMap: - # yourserver.com: supersecretsharedsecret - {% if matrix_mx_puppet_skype_login_shared_secret != '' %} - loginSharedSecretMap: - {{ matrix_domain }}: {{ matrix_mx_puppet_skype_login_shared_secret }} - {% endif %} - # optionally override the display name of the bridge bot - #displayname: Protocol Bot - # optionally set the avatar of the bridge bot - #avatarUrl: mxc://yourserver.com/somefile - - logging: - # Log level of console output - # Allowed values starting with most verbose: - # silly, debug, verbose, info, warn, error - console: info - # Optionally, you can apply filters to the console logging - #console: - # level: info - # enabled: - # - Store - # disabled: - # - PresenceHandler - - # Date and time formatting - lineDateFormat: MMM-D HH:mm:ss.SSS - # Logging files - # Log files are rotated daily by default - files: - # Log file path - - file: "/data/bridge.log" - # Log 
level for this file - # Allowed values starting with most verbose: - # silly, debug, verbose, info, warn, error - level: info - # Date and time formatting - datePattern: YYYY-MM-DD - # Maximum number of logs to keep. - # This can be a number of files or number of days. - # If using days, add 'd' as a suffix - maxFiles: 14d - # Maximum size of the file after which it will rotate. This can be a - # number of bytes, or units of kb, mb, and gb. If using the units, add - # 'k', 'm', or 'g' as the suffix - maxSize: 50m - # Optionally enable/disable logging for certain modules - #disabled: - # - PresenceHandler - # - module: bot-sdk-MatrixLiteClient - # regex: /_matrix/client/r0/presence/ # this regex needs to match to disable the log - #enabled: - # - Store - - database: - # Use Postgres as a database backend - # If set, will be used instead of SQLite3 - # Connection string to connect to the Postgres instance - # with username "user", password "pass", host "localhost" and database name "dbname". 
- # Modify each value as necessary - #connString: "postgres://user:pass@localhost/dbname?sslmode=disable" - # Use SQLite3 as a database backend - # The name of the database file - filename: /data/database.db - - provisioning: - # Regex of Matrix IDs allowed to use the puppet bridge - whitelist: {{ matrix_mx_puppet_skype_provisioning_whitelist|to_json }} - # Allow a specific user - #- "@user:server\\.com" - # Allow users on a specific homeserver - #- "@.*:yourserver\\.com" - # Allow anyone - #- ".*" - - # Regex of Matrix IDs forbidden from using the puppet bridge - #blacklist: - # Disallow a specific user - #- "@user:server\\.com" - # Disallow users on a specific homeserver - #- "@.*:yourserver\\.com" - blacklist: {{ matrix_mx_puppet_skype_provisioning_blacklist|to_json }} - - presence: - # Bridge online/offline status - enabled: true - # How often to send status to the homeserver in milliseconds - interval: 500 - # if the im.vector.user_status state setting should be diabled - #disableStatusState: false - # A blacklist of remote user IDs for the im.vector.user_status state setting - #statusStateBlacklist: - # - baduser - - relay: - # Regex of Matrix IDs to allow to use the relay mode - # Same format as in provisioning - #whitelist: - #- "@.*:yourserver\\.com" - whitelist: {{ matrix_mx_puppet_skype_relay_whitelist|to_json }} - - #blacklist: - #- "@user:yourserver\\.com" - blacklist: {{ matrix_mx_puppet_skype_relay_blacklist|to_json }} - - # Map certain homeserver URLs to the C-S API endpoint - # Useful for double-puppeting if .well-known is unavailable for some reason - #homeserverUrlMap: - # yourserver.com: http://localhost:1234 - - namePatterns: - # Override the protocols set default name patterns - # Which variables are available depends on protocol implementation - user: :name - room: :name - - limits: - # Up to how many users should be auto-joined on room creation? 
-1 to disable - # Defaults to 200 - maxAutojoinUsers: 200 - # How long the delay between two autojoin users should be, in millisectonds. - # Defaults to 5000 - roomUserAutojoinDelay: 5000 +matrix_mx_puppet_skype_configuration_yaml: "{{ lookup('template', 'templates/config.yaml.j2') }}" matrix_mx_puppet_skype_configuration_extension_yaml: | # Your custom YAML configuration goes here. diff --git a/roles/matrix-bridge-mx-puppet-skype/templates/config.yaml.j2 b/roles/matrix-bridge-mx-puppet-skype/templates/config.yaml.j2 new file mode 100644 index 00000000..c7b5c870 --- /dev/null +++ b/roles/matrix-bridge-mx-puppet-skype/templates/config.yaml.j2 
@@ -0,0 +1,138 @@ +#jinja2: lstrip_blocks: "True" +bridge: + # Address for the bridge to bind to; if running as a Docker container, you + # probably want 0.0.0.0 here + bindAddress: 0.0.0.0 + # Port to host the bridge on which your homeserver will connect to + port: {{ matrix_mx_puppet_skype_appservice_port }} + # Name of your homeserver + domain: {{ matrix_domain }} + # URL where the bridge can connect to your homeserver + homeserverUrl: {{ matrix_mx_puppet_skype_homeserver_address }} + # Optionally specify a different media URL used for the media store + mediaURL: https://{{ matrix_server_fqn_matrix }} + # This enabled automatic double-puppeting: + # A map for shared secrets of the homeserver URL to the shared secret + # See https://github.com/devture/matrix-synapse-shared-secret-auth + #loginSharedSecretMap: + # yourserver.com: supersecretsharedsecret + {% if matrix_mx_puppet_skype_login_shared_secret != '' %} + loginSharedSecretMap: + {{ matrix_domain }}: {{ matrix_mx_puppet_skype_login_shared_secret }} + {% endif %} + # optionally override the display name of the bridge bot + #displayname: Protocol Bot + # optionally set the avatar of the bridge bot + #avatarUrl: mxc://yourserver.com/somefile + +logging: + # Log level of console output + # Allowed values starting with most verbose: + # silly, debug, verbose, info, warn, error + console: info + # Optionally, you can apply filters to the console logging + #console: + # level: info + # enabled: + # - Store + # disabled: + # - PresenceHandler + + # Date and time formatting + lineDateFormat: MMM-D HH:mm:ss.SSS + # Logging files + # Log files are rotated daily by default + files: + # Log file path + - file: "/data/bridge.log" + # Log level for this file + # Allowed values starting with most verbose: + # silly, debug, verbose, info, warn, error + level: info + # Date and time formatting + datePattern: YYYY-MM-DD + # Maximum number of logs to keep. + # This can be a number of files or number of days. 
+ # If using days, add 'd' as a suffix + maxFiles: 14d + # Maximum size of the file after which it will rotate. This can be a + # number of bytes, or units of kb, mb, and gb. If using the units, add + # 'k', 'm', or 'g' as the suffix + maxSize: 50m + # Optionally enable/disable logging for certain modules + #disabled: + # - PresenceHandler + # - module: bot-sdk-MatrixLiteClient + # regex: /_matrix/client/r0/presence/ # this regex needs to match to disable the log + #enabled: + # - Store + +database: + # Use Postgres as a database backend + # If set, will be used instead of SQLite3 + # Connection string to connect to the Postgres instance + # with username "user", password "pass", host "localhost" and database name "dbname". + # Modify each value as necessary + #connString: "postgres://user:pass@localhost/dbname?sslmode=disable" + # Use SQLite3 as a database backend + # The name of the database file + filename: /data/database.db + +provisioning: + # Regex of Matrix IDs allowed to use the puppet bridge + whitelist: {{ matrix_mx_puppet_skype_provisioning_whitelist|to_json }} + # Allow a specific user + #- "@user:server\\.com" + # Allow users on a specific homeserver + #- "@.*:yourserver\\.com" + # Allow anyone + #- ".*" + + # Regex of Matrix IDs forbidden from using the puppet bridge + #blacklist: + # Disallow a specific user + #- "@user:server\\.com" + # Disallow users on a specific homeserver + #- "@.*:yourserver\\.com" + blacklist: {{ matrix_mx_puppet_skype_provisioning_blacklist|to_json }} + +presence: + # Bridge online/offline status + enabled: true + # How often to send status to the homeserver in milliseconds + interval: 500 + # if the im.vector.user_status state setting should be diabled + #disableStatusState: false + # A blacklist of remote user IDs for the im.vector.user_status state setting + #statusStateBlacklist: + # - baduser + +relay: + # Regex of Matrix IDs to allow to use the relay mode + # Same format as in provisioning + #whitelist: + #- 
"@.*:yourserver\\.com" + whitelist: {{ matrix_mx_puppet_skype_relay_whitelist|to_json }} + + #blacklist: + #- "@user:yourserver\\.com" + blacklist: {{ matrix_mx_puppet_skype_relay_blacklist|to_json }} + +# Map certain homeserver URLs to the C-S API endpoint +# Useful for double-puppeting if .well-known is unavailable for some reason +#homeserverUrlMap: +# yourserver.com: http://localhost:1234 + +namePatterns: + # Override the protocols set default name patterns + # Which variables are available depends on protocol implementation + user: :name + room: :name + +limits: + # Up to how many users should be auto-joined on room creation? -1 to disable + # Defaults to 200 + maxAutojoinUsers: 200 + # How long the delay between two autojoin users should be, in millisectonds. + # Defaults to 5000 + roomUserAutojoinDelay: 5000 diff --git a/roles/matrix-bridge-mx-puppet-skype/templates/systemd/matrix-mx-puppet-skype.service.j2 b/roles/matrix-bridge-mx-puppet-skype/templates/systemd/matrix-mx-puppet-skype.service.j2 index cc55f324..a6860b69 100644 --- a/roles/matrix-bridge-mx-puppet-skype/templates/systemd/matrix-mx-puppet-skype.service.j2 +++ b/roles/matrix-bridge-mx-puppet-skype/templates/systemd/matrix-mx-puppet-skype.service.j2 @@ -11,13 +11,13 @@ Wants={{ service }} [Service] Type=simple -ExecStartPre=-/usr/bin/docker kill matrix-mx-puppet-skype -ExecStartPre=-/usr/bin/docker rm matrix-mx-puppet-skype +ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-mx-puppet-skype +ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-mx-puppet-skype # Intentional delay, so that the homeserver (we likely depend on) can manage to start. -ExecStartPre=/bin/sleep 5 +ExecStartPre={{ matrix_host_command_sleep }} 5 -ExecStart=/usr/bin/docker run --rm --name matrix-mx-puppet-skype \ +ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-mx-puppet-skype \ --log-driver=none \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --cap-drop=ALL \ 
@@ -31,8 +31,8 @@ ExecStart=/usr/bin/docker run --rm --name matrix-mx-puppet-skype \ {% endfor %} {{ matrix_mx_puppet_skype_docker_image }} -ExecStop=-/usr/bin/docker kill matrix-mx-puppet-skype -ExecStop=-/usr/bin/docker rm matrix-mx-puppet-skype +ExecStop=-{{ matrix_host_command_docker }} kill matrix-mx-puppet-skype +ExecStop=-{{ matrix_host_command_docker }} rm matrix-mx-puppet-skype Restart=always RestartSec=30 SyslogIdentifier=matrix-mx-puppet-skype diff --git a/roles/matrix-bridge-mx-puppet-slack/defaults/main.yml b/roles/matrix-bridge-mx-puppet-slack/defaults/main.yml index 7648fafe..13aa5b7a 100644 --- a/roles/matrix-bridge-mx-puppet-slack/defaults/main.yml +++ b/roles/matrix-bridge-mx-puppet-slack/defaults/main.yml @@ -5,6 +5,11 @@ matrix_mx_puppet_slack_enabled: true matrix_mx_puppet_slack_container_image_self_build: false +# Controls whether the mx-puppet-slack container exposes its HTTP port (tcp/8432 in the container). +# +# Takes an ":" or "" value (e.g. "127.0.0.1:8432"), or empty string to not expose. +matrix_mx_puppet_slack_container_http_host_bind_port: '' + matrix_mx_puppet_slack_docker_image: "sorunome/mx-puppet-slack:latest" matrix_mx_puppet_slack_docker_image_force_pull: "{{ matrix_mx_puppet_slack_docker_image.endswith(':latest') }}" 
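Review bot: the comment on the new `matrix_mx_puppet_slack_container_http_host_bind_port` variable in the defaults/main.yml hunk has lost its placeholders: `Takes an ":" or "" value (e.g. "127.0.0.1:8432")` presumably meant `"<ip>:<port>"` or `"<port>"`, and as written the reader cannot tell what the two accepted forms are. While fixing it, state that a bare port binds on all host interfaces (Docker's default for `-p <port>:...`), so the `127.0.0.1:8432` form from the example is the one to recommend when a host-local reverse proxy fronts the OAuth redirect path; the empty default (not exposed) is the right choice.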
@@ -52,99 +57,7 @@ matrix_mx_puppet_slack_homeserver_token: '' # # For a more advanced customization, you can extend the default (see `matrix_mx_puppet_slack_configuration_extension_yaml`) # or completely replace this variable with your own template. -matrix_mx_puppet_slack_configuration_yaml: | - #jinja2: lstrip_blocks: "True" - bridge: - # Port to host the bridge on - # Used for communication between the homeserver and the bridge - port: {{ matrix_mx_puppet_slack_appservice_port }} - # The host connections to the bridge's webserver are allowed from - bindAddress: 0.0.0.0 - # Public domain of the homeserver - domain: {{ matrix_mx_puppet_slack_homeserver_domain }} - # Reachable URL of the Matrix homeserver - homeserverUrl: {{ matrix_mx_puppet_slack_homeserver_address }} - - - # Slack OAuth settings. Create a slack app at https://api.slack.com/apps - oauth: - enabled: false - # Slack app credentials. - # N.B. This must be quoted so YAML wouldn't parse it as a float. - clientId: "{{ matrix_mx_puppet_slack_client_id }}" - clientSecret: {{ matrix_mx_puppet_slack_client_secret }} - # Path where to listen for OAuth redirect callbacks. - redirectPath: {{ matrix_mx_puppet_slack_redirect_path }} - # Set up proxying from https://your.domain/redirect_path to http://bindAddress:port/redirect_path, - # then set this field and the Slack app redirect URI field to the former. 
- redirectUri: {{ matrix_mx_puppet_slack_redirect_uri }} - - presence: - # Bridge Discord online/offline status - enabled: true - # How often to send status to the homeserver in milliseconds - interval: 500 - - provisioning: - # Regex of Matrix IDs allowed to use the puppet bridge - whitelist: {{ matrix_mx_puppet_slack_provisioning_whitelist|to_json }} - # Allow a specific user - #- "@user:server\\.com" - # Allow users on a specific homeserver - #- "@.*:yourserver\\.com" - # Allow anyone - #- ".*" - # Regex of Matrix IDs forbidden from using the puppet bridge - #blacklist: - # Disallow a specific user - #- "@user:server\\.com" - # Disallow users on a specific homeserver - #- "@.*:yourserver\\.com" - blacklist: {{ matrix_mx_puppet_slack_provisioning_blacklist|to_json }} - - # Shared secret for the provisioning API for use by integration managers. - # If this is not set, the provisioning API will not be enabled. - #sharedSecret: random string - # Path prefix for the provisioning API. /v1 will be appended to the prefix automatically. - apiPrefix: /_matrix/provision - - database: - # Use Postgres as a database backend - # If set, will be used instead of SQLite3 - # Connection string to connect to the Postgres instance - # with username "user", password "pass", host "localhost" and database name "dbname". 
- # Modify each value as necessary - #connString: "postgres://user:pass@localhost/dbname?sslmode=disable" - # Use SQLite3 as a database backend - # The name of the database file - filename: /data/database.db - - logging: - # Log level of console output - # Allowed values starting with most verbose: - # silly, debug, verbose, info, warn, error - console: info - # Date and time formatting - lineDateFormat: MMM-D HH:mm:ss.SSS - # Logging files - # Log files are rotated daily by default - files: - # Log file path - - file: "/data/bridge.log" - # Log level for this file - # Allowed values starting with most verbose: - # silly, debug, verbose, info, warn, error - level: info - # Date and time formatting - datePattern: YYYY-MM-DD - # Maximum number of logs to keep. - # This can be a number of files or number of days. - # If using days, add 'd' as a suffix - maxFiles: 14d - # Maximum size of the file after which it will rotate. This can be a - # number of bytes, or units of kb, mb, and gb. If using the units, add - # 'k', 'm', or 'g' as the suffix - maxSize: 50m +matrix_mx_puppet_slack_configuration_yaml: "{{ lookup('template', 'templates/config.yaml.j2') }}" matrix_mx_puppet_slack_configuration_extension_yaml: | # Your custom YAML configuration goes here. diff --git a/roles/matrix-bridge-mx-puppet-slack/tasks/init.yml b/roles/matrix-bridge-mx-puppet-slack/tasks/init.yml index 0b823b2c..dac04b9b 100644 --- a/roles/matrix-bridge-mx-puppet-slack/tasks/init.yml +++ b/roles/matrix-bridge-mx-puppet-slack/tasks/init.yml 
@@ -50,17 +50,17 @@ }} tags: - always - when: matrix_appservice_slack_enabled|bool + when: matrix_mx_puppet_slack_enabled|bool - name: Warn about reverse-proxying if matrix-nginx-proxy not used debug: msg: >- NOTE: You've enabled the Matrix Slack bridge but are not using the matrix-nginx-proxy reverse proxy. - Please make sure that you're proxying the `{{ something }}` - URL endpoint to the matrix-appservice-slack container. + Please make sure that you're proxying the `{{ matrix_mx_puppet_slack_redirect_path }}` + URL endpoint to the matrix-mx-puppet-slack container. You can expose the container's port using the `matrix_appservice_slack_container_http_host_bind_port` variable. - when: "matrix_appservice_slack_enabled|bool and matrix_nginx_proxy_enabled is not defined" + when: "matrix_mx_puppet_slack_enabled|bool and matrix_nginx_proxy_enabled is not defined" # ansible lower than 2.8, does not support docker_image build parameters # for self buildig it is explicitly needed, so we rather fail here diff --git a/roles/matrix-bridge-mx-puppet-slack/templates/config.yaml.j2 b/roles/matrix-bridge-mx-puppet-slack/templates/config.yaml.j2 new file mode 100644 index 00000000..bcf4e2d1 --- /dev/null +++ b/roles/matrix-bridge-mx-puppet-slack/templates/config.yaml.j2 
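Review bot: the warning message in the tasks/init.yml hunk still points operators at the wrong variable. `matrix_appservice_slack_container_http_host_bind_port` belongs to the matrix-appservice-slack role; the variable this patch adds for this role is `matrix_mx_puppet_slack_container_http_host_bind_port`. The two `when:` conditions and the container name in the same hunk were just corrected from the `matrix_appservice_slack_*` copy, so this reference looks like the last leftover of that copy-paste. Also consider saying "the mx-puppet-slack bridge" instead of "the Matrix Slack bridge" in the message, since the removed line shows the text was originally written for the other Slack bridge and the playbook now ships both.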
@@ -0,0 +1,92 @@ +#jinja2: lstrip_blocks: "True" +bridge: + # Port to host the bridge on + # Used for communication between the homeserver and the bridge + port: {{ matrix_mx_puppet_slack_appservice_port }} + # The host connections to the bridge's webserver are allowed from + bindAddress: 0.0.0.0 + # Public domain of the homeserver + domain: {{ matrix_mx_puppet_slack_homeserver_domain }} + # Reachable URL of the Matrix homeserver + homeserverUrl: {{ matrix_mx_puppet_slack_homeserver_address }} + + +# Slack OAuth settings. Create a slack app at https://api.slack.com/apps +oauth: + enabled: true + # Slack app credentials. + # N.B. This must be quoted so YAML wouldn't parse it as a float. + clientId: "{{ matrix_mx_puppet_slack_client_id }}" + clientSecret: {{ matrix_mx_puppet_slack_client_secret }} + # Path where to listen for OAuth redirect callbacks. + redirectPath: {{ matrix_mx_puppet_slack_redirect_path }} + # Set up proxying from https://your.domain/redirect_path to http://bindAddress:port/redirect_path, + # then set this field and the Slack app redirect URI field to the former. + redirectUri: {{ matrix_mx_puppet_slack_redirect_uri }} + +presence: + # Bridge Discord online/offline status + enabled: true + # How often to send status to the homeserver in milliseconds + interval: 500 + +provisioning: + # Regex of Matrix IDs allowed to use the puppet bridge + whitelist: {{ matrix_mx_puppet_slack_provisioning_whitelist|to_json }} + # Allow a specific user + #- "@user:server\\.com" + # Allow users on a specific homeserver + #- "@.*:yourserver\\.com" + # Allow anyone + #- ".*" + # Regex of Matrix IDs forbidden from using the puppet bridge + #blacklist: + # Disallow a specific user + #- "@user:server\\.com" + # Disallow users on a specific homeserver + #- "@.*:yourserver\\.com" + blacklist: {{ matrix_mx_puppet_slack_provisioning_blacklist|to_json }} + + # Shared secret for the provisioning API for use by integration managers. 
+ # If this is not set, the provisioning API will not be enabled. + #sharedSecret: random string + # Path prefix for the provisioning API. /v1 will be appended to the prefix automatically. + apiPrefix: /_matrix/provision + +database: + # Use Postgres as a database backend + # If set, will be used instead of SQLite3 + # Connection string to connect to the Postgres instance + # with username "user", password "pass", host "localhost" and database name "dbname". + # Modify each value as necessary + #connString: "postgres://user:pass@localhost/dbname?sslmode=disable" + # Use SQLite3 as a database backend + # The name of the database file + filename: /data/database.db + +logging: + # Log level of console output + # Allowed values starting with most verbose: + # silly, debug, verbose, info, warn, error + console: info + # Date and time formatting + lineDateFormat: MMM-D HH:mm:ss.SSS + # Logging files + # Log files are rotated daily by default + files: + # Log file path + - file: "/data/bridge.log" + # Log level for this file + # Allowed values starting with most verbose: + # silly, debug, verbose, info, warn, error + level: info + # Date and time formatting + datePattern: YYYY-MM-DD + # Maximum number of logs to keep. + # This can be a number of files or number of days. + # If using days, add 'd' as a suffix + maxFiles: 14d + # Maximum size of the file after which it will rotate. This can be a + # number of bytes, or units of kb, mb, and gb. If using the units, add + # 'k', 'm', or 'g' as the suffix + maxSize: 50m diff --git a/roles/matrix-bridge-mx-puppet-slack/templates/systemd/matrix-mx-puppet-slack.service.j2 b/roles/matrix-bridge-mx-puppet-slack/templates/systemd/matrix-mx-puppet-slack.service.j2 index a86c6765..3ce0e18b 100644 --- a/roles/matrix-bridge-mx-puppet-slack/templates/systemd/matrix-mx-puppet-slack.service.j2 +++ b/roles/matrix-bridge-mx-puppet-slack/templates/systemd/matrix-mx-puppet-slack.service.j2 
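Review bot: `oauth.enabled: true` in the new config.yaml.j2 is a behaviour change, not a pure move: the inline `matrix_mx_puppet_slack_configuration_yaml` block this patch removes from defaults/main.yml had `enabled: false`. With OAuth on by default every install needs working Slack app credentials and a proxied `redirectPath`; if that is intended, it needs a CHANGELOG entry, otherwise keep `false`. Two smaller points in the same file: `clientSecret: {{ matrix_mx_puppet_slack_client_secret }}` is unquoted while `clientId` gets the "must be quoted so YAML wouldn't parse it as a float" treatment, and the same argument applies to the secret (quote both); and `# Bridge Discord online/offline status` under `presence:` is a leftover from the Discord puppet template and should say Slack.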
@@ -11,17 +11,20 @@ Wants={{ service }} [Service] Type=simple -ExecStartPre=-/usr/bin/docker kill matrix-mx-puppet-slack -ExecStartPre=-/usr/bin/docker rm matrix-mx-puppet-slack +ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-mx-puppet-slack +ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-mx-puppet-slack # Intentional delay, so that the homeserver (we likely depend on) can manage to start. -ExecStartPre=/bin/sleep 5 +ExecStartPre={{ matrix_host_command_sleep }} 5 -ExecStart=/usr/bin/docker run --rm --name matrix-mx-puppet-slack \ +ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-mx-puppet-slack \ --log-driver=none \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --cap-drop=ALL \ --network={{ matrix_docker_network }} \ + {% if matrix_mx_puppet_slack_container_http_host_bind_port %} + -p {{ matrix_mx_puppet_slack_container_http_host_bind_port }}:{{ matrix_mx_puppet_slack_appservice_port }} \ + {% endif %} -e CONFIG_PATH=/config/config.yaml \ -e REGISTRATION_PATH=/config/registration.yaml \ -v {{ matrix_mx_puppet_slack_config_path }}:/config:z \ @@ -31,8 +34,8 @@ ExecStart=/usr/bin/docker run --rm --name matrix-mx-puppet-slack \ {% endfor %} {{ matrix_mx_puppet_slack_docker_image }} -ExecStop=-/usr/bin/docker kill matrix-mx-puppet-slack -ExecStop=-/usr/bin/docker rm matrix-mx-puppet-slack +ExecStop=-{{ matrix_host_command_docker }} kill matrix-mx-puppet-slack +ExecStop=-{{ matrix_host_command_docker }} rm matrix-mx-puppet-slack Restart=always RestartSec=30 SyslogIdentifier=matrix-mx-puppet-slack diff --git a/roles/matrix-bridge-sms/defaults/main.yml b/roles/matrix-bridge-sms/defaults/main.yml new file mode 100644 index 00000000..4019f7be --- /dev/null +++ b/roles/matrix-bridge-sms/defaults/main.yml 
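Review bot: the `-p {{ matrix_mx_puppet_slack_container_http_host_bind_port }}:{{ matrix_mx_puppet_slack_appservice_port }}` line publishes the bridge's appservice listener, whose only authentication is the `hs_token` check on incoming transactions, and the template sets `bindAddress: 0.0.0.0` inside the container. When the variable is a bare port Docker binds it on every host interface, so the defaults comment and the init.yml warning should tell operators to use the `127.0.0.1:<port>` form unless they really want the OAuth callback reachable from outside; the empty default keeps it unexposed, which is correct.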
@@ -0,0 +1,147 @@ +# matrix-sms-bridge is a Matrix <-> SMS bridge +# See: https://github.com/benkuly/matrix-sms-bridge + +matrix_sms_bridge_enabled: true + +matrix_sms_bridge_docker_image: "folivonet/matrix-sms-bridge:latest" +matrix_sms_bridge_docker_image_force_pull: "{{ matrix_sms_bridge_docker_image.endswith(':latest') }}" +matrix_sms_bridge_database_docker_image: "neo4j:latest" +matrix_sms_bridge_database_docker_image_force_pull: "{{ matrix_sms_bridge_docker_image.endswith(':latest') }}" + +matrix_sms_bridge_base_path: "{{ matrix_base_data_path }}/matrix-sms-bridge" +matrix_sms_bridge_config_path: "{{ matrix_base_data_path }}/matrix-sms-bridge/config" +matrix_sms_bridge_data_path: "{{ matrix_base_data_path }}/matrix-sms-bridge/data" +matrix_sms_bridge_data_log_path: "{{ matrix_base_data_path }}/matrix-sms-bridge/data/log" +matrix_sms_bridge_data_spool_path: "{{ matrix_base_data_path }}/matrix-sms-bridge/data/spool" +matrix_sms_bridge_data_spool_inbox_path: "{{ matrix_base_data_path }}/matrix-sms-bridge/data/spool/inbox" +matrix_sms_bridge_data_spool_inbox_processed_path: "{{ matrix_base_data_path }}/matrix-sms-bridge/data/spool/inbox_processed" +matrix_sms_bridge_data_spool_outbox_path: "{{ matrix_base_data_path }}/matrix-sms-bridge/data/spool/outbox" +matrix_sms_bridge_data_spool_sent_path: "{{ matrix_base_data_path }}/matrix-sms-bridge/data/spool/sent" +matrix_sms_bridge_data_spool_error_path: "{{ matrix_base_data_path }}/matrix-sms-bridge/data/spool/error" +matrix_sms_bridge_database_path: "{{ matrix_base_data_path }}/matrix-sms-bridge/database" + +matrix_sms_bridge_appservice_token: '' +matrix_sms_bridge_homeserver_token: '' + +matrix_sms_bridge_database_username: 'neo4j' +matrix_sms_bridge_database_password: '' + +matrix_sms_bridge_container_http_host_bind_port: '' + +# A list of extra arguments to pass to the container +matrix_sms_bridge_container_extra_arguments: [] + +# List of systemd services that service depends on. 
+matrix_sms_bridge_systemd_required_services_list: ['docker.service','matrix-sms-bridge-database.service'] +matrix_sms_bridge_database_systemd_required_services_list: ['docker.service'] + +# List of systemd services that service wants +matrix_sms_bridge_systemd_wanted_services_list: [] +matrix_sms_bridge_database_systemd_wanted_services_list: [] + +matrix_sms_bridge_appservice_url: 'http://matrix-sms-bridge:8080' +matrix_sms_bridge_database_url: 'bolt://matrix-sms-bridge-database:7687' +matrix_sms_bridge_homeserver_hostname: 'matrix-synapse' +matrix_sms_bridge_homeserver_port: '8008' + +matrix_sms_bridge_homserver_domain: "{{ matrix_domain }}" +matrix_sms_bridge_default_room: '' + +matrix_sms_bridge_gammu_modem: '' +matrix_sms_bridge_modem_group: 'dialout' +matrix_sms_bridge_gammu_reset_frequency: 0 + + +matrix_sms_bridge_configuration_yaml: | + #jinja2: lstrip_blocks: "True" + + # Database connection + org: + neo4j: + driver: + uri: {{ matrix_sms_bridge_database_url }} + authentication: + username: {{ matrix_sms_bridge_database_username }} + password: {{ matrix_sms_bridge_database_password }} + + matrix: + bridge: + sms: + # (optional) SMS messages without a valid token a routed to this room. + # Note that you must invite @smsbot:yourHomeServer to this room. + defaultRoomId: "{{ matrix_sms_bridge_default_room }}" + provider: + gammu: + # (optional) default is disabled + enabled: true + # (optional) Path to the Gammu-Inbox directory. + inboxPath: /data/spool/inbox + # (optional) Path to the directory, where to put processed messages. + inboxProcessedPath: /data/spool/inbox_processed + bot: + # The domain-part of matrix-ids. E. g. example.org when your userIds look like @unicorn:example.org + serverName: {{ matrix_sms_bridge_homserver_domain }} + client: + homeServer: + # The hostname of your Homeserver. + hostname: {{ matrix_sms_bridge_homeserver_hostname }} + # (optional) The port of your Homeserver. Default is 443. 
+ port: {{ matrix_sms_bridge_homeserver_port }} + # (optional) Use http or https. Default is true (so uses https). + secure: false + # The token to authenticate against the Homeserver. + token: {{ matrix_sms_bridge_appservice_token }} + appservice: + # A unique token for Homeservers to use to authenticate requests to this application service. + hsToken: {{ matrix_sms_bridge_homeserver_token }} + +matrix_sms_bridge_configuration_extension_yaml: | + # Your custom YAML configuration goes here. + # This configuration extends the default starting configuration (`matrix_sms_bridge_configuration_yaml`). + # + # You can override individual variables from the default configuration, or introduce new ones. + # + # If you need something more special, you can take full control by + # completely redefining `matrix_sms_bridge_configuration_yaml`. + +matrix_sms_bridge_configuration_extension: "{{ matrix_sms_bridge_configuration_extension_yaml|from_yaml if matrix_sms_bridge_configuration_extension_yaml|from_yaml is mapping else {} }}" + +matrix_sms_bridge_configuration: "{{ matrix_sms_bridge_configuration_yaml|from_yaml|combine(matrix_sms_bridge_configuration_extension, recursive=True) }}" + +matrix_sms_bridge_gammu_configuration: | + [gammu] + Device = {{ matrix_sms_bridge_gammu_modem }} + LogFile = /data/log/gammu.log + debugLevel = 1 + + [smsd] + Service = files + LoopSleep = 2 + InboxPath = /data/spool/inbox/ + OutboxPath = /data/spool/outbox/ + SentSMSPath = /data/spool/sent/ + ErrorSMSPath = /data/spool/error/ + InboxFormat = detail + OutboxFormat = detail + TransmitFormat = auto + ResetFrequency = {{ matrix_sms_bridge_gammu_reset_frequency }} + debugLevel = 1 + LogFile = /data/log/smsd.log + DeliveryReport = no + HangupCalls = 1 + CheckBattery = 0 + + +matrix_sms_bridge_registration_yaml: | + id: sms + as_token: "{{ matrix_sms_bridge_appservice_token }}" + hs_token: "{{ matrix_sms_bridge_homeserver_token }}" + namespaces: + users: + - exclusive: true + regex: '^@sms_.+:{{ 
matrix_sms_bridge_homserver_domain|regex_escape }}$' + url: {{ matrix_sms_bridge_appservice_url }} + sender_localpart: smsbot + rate_limited: false + +matrix_sms_bridge_registration: "{{ matrix_sms_bridge_registration_yaml|from_yaml }}" \ No newline at end of file diff --git a/roles/matrix-bridge-sms/tasks/init.yml b/roles/matrix-bridge-sms/tasks/init.yml new file mode 100644 index 00000000..7a49e4b2 --- /dev/null +++ b/roles/matrix-bridge-sms/tasks/init.yml @@ -0,0 +1,24 @@ +# If the matrix-synapse role is not used, `matrix_synapse_role_executed` won't exist. +# We don't want to fail in such cases. +- name: Fail if matrix-synapse role already executed + fail: + msg: >- + The matrix-sms-bridge role needs to execute before the matrix-synapse role. + when: "matrix_sms_bridge_enabled and matrix_synapse_role_executed|default(False)" + +- set_fact: + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-sms-bridge','matrix-sms-bridge-database'] }}" + when: matrix_sms_bridge_enabled|bool + +# If the matrix-synapse role is not used, these variables may not exist. +- set_fact: + matrix_synapse_container_extra_arguments: > + {{ matrix_synapse_container_extra_arguments|default([]) }} + + + ["--mount type=bind,src={{ matrix_sms_bridge_config_path }}/registration.yaml,dst=/matrix-sms-bridge-registration.yaml,ro"] + + matrix_synapse_app_service_config_files: > + {{ matrix_synapse_app_service_config_files|default([]) }} + + + {{ ["/matrix-sms-bridge-registration.yaml"] }} + when: matrix_sms_bridge_enabled|bool diff --git a/roles/matrix-bridge-sms/tasks/main.yml b/roles/matrix-bridge-sms/tasks/main.yml new file mode 100644 index 00000000..c1c499de --- /dev/null +++ b/roles/matrix-bridge-sms/tasks/main.yml 
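Review bot: `matrix_sms_bridge_database_docker_image_force_pull` in the new roles/matrix-bridge-sms/defaults/main.yml tests `matrix_sms_bridge_docker_image.endswith(':latest')`, i.e. the bridge image rather than `matrix_sms_bridge_database_docker_image`; both are `:latest` today so nothing breaks yet, but it silently stops tracking as soon as one of them is pinned. Related: `neo4j:latest` for the bridge's only datastore means a major-version bump on the next `docker pull` can leave the bridge unable to open its database, so pin at least the major version. Other points in the same file: the public variable `matrix_sms_bridge_homserver_domain` (also used in the registration regex) is misspelled, and renaming it after release will break user configs, so fix it now; `password:`, `token:` and `hsToken:` in `matrix_sms_bridge_configuration_yaml` are interpolated unquoted while `matrix_sms_bridge_registration_yaml` quotes the same tokens, so quote them here too so that a secret beginning with a YAML-significant character survives `from_yaml`; the comment "SMS messages without a valid token a routed to this room" should read "are routed", and it is worth spelling out that `defaultRoomId` therefore receives unauthenticated SMS from any sender. In the tasks/init.yml hunk the fail condition uses `matrix_sms_bridge_enabled` without `|bool`, unlike the two `set_fact` tasks beneath it; make them consistent.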
@@ -0,0 +1,21 @@ +- import_tasks: "{{ role_path }}/tasks/init.yml" + tags: + - always + +- import_tasks: "{{ role_path }}/tasks/validate_config.yml" + when: "run_setup|bool and matrix_sms_bridge_enabled|bool" + tags: + - setup-all + - setup-matrix-sms-bridge + +- import_tasks: "{{ role_path }}/tasks/setup_install.yml" + when: "run_setup|bool and matrix_sms_bridge_enabled|bool" + tags: + - setup-all + - setup-matrix-sms-bridge + +- import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" + when: "run_setup|bool and not matrix_sms_bridge_enabled|bool" + tags: + - setup-all + - setup-matrix-sms-bridge diff --git a/roles/matrix-bridge-sms/tasks/setup_install.yml b/roles/matrix-bridge-sms/tasks/setup_install.yml new file mode 100644 index 00000000..47454b27 --- /dev/null +++ b/roles/matrix-bridge-sms/tasks/setup_install.yml 
@@ -0,0 +1,79 @@ +--- + +- name: Ensure matrix-sms-bridge image is pulled + docker_image: + name: "{{ matrix_sms_bridge_docker_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_sms_bridge_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_sms_bridge_docker_image_force_pull }}" + +- name: Ensure matrix-sms-bridge databse image is pulled + docker_image: + name: "{{ matrix_sms_bridge_database_docker_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_sms_bridge_database_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_sms_bridge_database_docker_image_force_pull }}" + + +- name: Ensure matrix-sms-bridge paths exist + file: + path: "{{ item }}" + state: directory + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: + - "{{ matrix_sms_bridge_base_path }}" + - "{{ matrix_sms_bridge_config_path }}" + - "{{ matrix_sms_bridge_data_path }}" + - "{{ matrix_sms_bridge_data_log_path }}" + - "{{ matrix_sms_bridge_data_spool_path }}" + - "{{ matrix_sms_bridge_data_spool_inbox_path }}" + - "{{ matrix_sms_bridge_data_spool_inbox_processed_path }}" + - "{{ matrix_sms_bridge_data_spool_outbox_path }}" + - "{{ matrix_sms_bridge_data_spool_sent_path }}" + - "{{ matrix_sms_bridge_data_spool_error_path }}" + - "{{ matrix_sms_bridge_database_path }}" + +- name: Ensure matrix-sms-bridge application.yml installed + copy: + content: "{{ matrix_sms_bridge_configuration|to_nice_yaml }}" + dest: "{{ matrix_sms_bridge_config_path }}/application.yml" + mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ 
matrix_user_groupname }}" + +- name: Ensure matrix-sms-bridge registration.yaml installed + copy: + content: "{{ matrix_sms_bridge_registration|to_nice_yaml }}" + dest: "{{ matrix_sms_bridge_config_path }}/registration.yaml" + mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + +- name: Ensure matrix-sms-bridge gammu-smsdrc installed + copy: + content: "{{ matrix_sms_bridge_gammu_configuration }}" + dest: "{{ matrix_sms_bridge_config_path }}/gammu-smsdrc" + mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + +- name: Ensure matrix-sms-bridge.service installed + template: + src: "{{ role_path }}/templates/systemd/matrix-sms-bridge.service.j2" + dest: "{{ matrix_systemd_path }}/matrix-sms-bridge.service" + mode: 0644 + register: matrix_sms_bridge_systemd_service_result + +- name: Ensure matrix-sms-bridge-database.service installed + template: + src: "{{ role_path }}/templates/systemd/matrix-sms-bridge-database.service.j2" + dest: "{{ matrix_systemd_path }}/matrix-sms-bridge-database.service" + mode: 0644 + register: matrix_sms_bridge_database_systemd_service_result + +- name: Ensure systemd reloaded after matrix-sms-bridge.service or matrix-sms-bridge-database.service installation + service: + daemon_reload: yes + when: matrix_sms_bridge_systemd_service_result.changed or matrix_sms_bridge_database_systemd_service_result.changed diff --git a/roles/matrix-bridge-sms/tasks/setup_uninstall.yml b/roles/matrix-bridge-sms/tasks/setup_uninstall.yml new file mode 100644 index 00000000..87436687 --- /dev/null +++ b/roles/matrix-bridge-sms/tasks/setup_uninstall.yml 
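Review bot: application.yml (Neo4j password, `as_token`, `hs_token`) and registration.yaml (`as_token`, `hs_token`) are installed with `mode: 0644` in the setup_install.yml hunk. The parent directory is created `0750`, which blocks other local users today, but that is an accident of directory layout rather than a policy; `0640` with the existing owner/group costs nothing and keeps the files safe if someone relaxes the directory or copies them elsewhere. Also in this hunk: "Ensure matrix-sms-bridge databse image is pulled" (database), and the version guards mix `ansible_version.minor > 7` and `ansible_version.minor >= 8` within one task; they are equivalent, but pick one form so the next reader does not have to check.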
@@ -0,0 +1,42 @@ +--- + +- name: Check existence of matrix-sms-bridge service + stat: + path: "{{ matrix_systemd_path }}/matrix-sms-bridge.service" + register: matrix_sms_bridge_service_stat + +- name: Check existence of matrix-sms-bridge-database service + stat: + path: "{{ matrix_systemd_path }}/matrix-sms-bridge-database.service" + register: matrix_sms_bridge_database_service_stat + +- name: Ensure matrix-sms-bridge is stopped + service: + name: matrix-sms-bridge + state: stopped + daemon_reload: yes + when: "matrix_sms_bridge_service_stat.stat.exists" + +- name: Ensure matrix-sms-bridge-database is stopped + service: + name: matrix-sms-bridge-database + state: stopped + daemon_reload: yes + when: "matrix_sms_bridge_database_service_stat.stat.exists" + +- name: Ensure matrix-sms-bridge.service doesn't exist + file: + path: "{{ matrix_systemd_path }}/matrix-sms-bridge.service" + state: absent + when: "matrix_sms_bridge_service_stat.stat.exists" + +- name: Ensure matrix-sms-bridge-database.service doesn't exist + file: + path: "{{ matrix_systemd_path }}/matrix-sms-bridge-database.service" + state: absent + when: "matrix_sms_bridge_database_service_stat.stat.exists" + +- name: Ensure systemd reloaded after matrix-sms-bridge.service or matrix-sms-bridge-database.service removal + service: + daemon_reload: yes + when: matrix_sms_bridge_service_stat.stat.exists or matrix_sms_bridge_database_service_stat.stat.exists diff --git a/roles/matrix-bridge-sms/tasks/validate_config.yml b/roles/matrix-bridge-sms/tasks/validate_config.yml new file mode 100644 index 00000000..8eb7b63c --- /dev/null +++ b/roles/matrix-bridge-sms/tasks/validate_config.yml 
@@ -0,0 +1,12 @@ +--- + +- name: Fail if required settings not defined + fail: + msg: >- + You need to define a required configuration setting (`{{ item }}`). + when: "vars[item] == ''" + with_items: + - "matrix_sms_bridge_appservice_token" + - "matrix_sms_bridge_homeserver_token" + - "matrix_sms_bridge_database_password" + - "matrix_sms_bridge_gammu_modem" diff --git a/roles/matrix-bridge-sms/templates/systemd/matrix-sms-bridge-database.service.j2 b/roles/matrix-bridge-sms/templates/systemd/matrix-sms-bridge-database.service.j2 new file mode 100644 index 00000000..e2cad164 --- /dev/null +++ b/roles/matrix-bridge-sms/templates/systemd/matrix-sms-bridge-database.service.j2 @@ -0,0 +1,36 @@ +#jinja2: lstrip_blocks: "True" +[Unit] +Description=matrix-sms-bridge-database server +{% for service in matrix_sms_bridge_database_systemd_required_services_list %} +Requires={{ service }} +After={{ service }} +{% endfor %} +{% for service in matrix_sms_bridge_database_systemd_wanted_services_list %} +Wants={{ service }} +{% endfor %} + +[Service] +Type=simple +ExecStartPre=-/usr/bin/docker kill matrix-sms-bridge-database +ExecStartPre=-/usr/bin/docker rm matrix-sms-bridge-database + +# Intentional delay, so that the homeserver (we likely depend on) can manage to start. +ExecStartPre=/bin/sleep 5 + +ExecStart=/usr/bin/docker run --rm --name matrix-sms-bridge-database \ + --log-driver=none \ + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + --cap-drop=ALL \ + --network={{ matrix_docker_network }} \ + -v {{ matrix_sms_bridge_database_path }}:/data:z \ + -e NEO4J_AUTH={{ matrix_sms_bridge_database_username }}/{{ matrix_sms_bridge_database_password }} \ + {{ matrix_sms_bridge_database_docker_image }} + +ExecStop=-/usr/bin/docker kill matrix-sms-bridge-database +ExecStop=-/usr/bin/docker rm matrix-sms-bridge-database +Restart=always +RestartSec=30 +SyslogIdentifier=matrix-sms-bridge + + [Install] +WantedBy=multi-user.target 
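Review bot: `SyslogIdentifier=matrix-sms-bridge` in the new matrix-sms-bridge-database.service.j2 should be `matrix-sms-bridge-database`; as written Neo4j's journal lines are indistinguishable from the bridge's, which matters when debugging and when writing log-based alerts. Second, `-e NEO4J_AUTH={{ matrix_sms_bridge_database_username }}/{{ matrix_sms_bridge_database_password }}` puts the database password on the `docker run` command line, so it lands in the unit file (installed `0644` by setup_install.yml), in `systemctl show`/`systemctl cat` output and in `docker inspect`; an `--env-file` under the `0750` config directory would keep it out of all three. Minor: the `# Intentional delay, so that the homeserver (we likely depend on) can manage to start.` comment was copied from a bridge unit and does not apply to the database, and `[Install]` carries a leading space that the other units in this patch do not have.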
diff --git a/roles/matrix-bridge-sms/templates/systemd/matrix-sms-bridge.service.j2 b/roles/matrix-bridge-sms/templates/systemd/matrix-sms-bridge.service.j2 new file mode 100644 index 00000000..7bf91700 --- /dev/null +++ b/roles/matrix-bridge-sms/templates/systemd/matrix-sms-bridge.service.j2 @@ -0,0 +1,46 @@ +#jinja2: lstrip_blocks: "True" +[Unit] +Description=matrix-sms-bridge server +{% for service in matrix_sms_bridge_systemd_required_services_list %} +Requires={{ service }} +After={{ service }} +{% endfor %} +{% for service in matrix_sms_bridge_systemd_wanted_services_list %} +Wants={{ service }} +{% endfor %} + +[Service] +Type=simple +ExecStartPre=-/usr/bin/docker kill matrix-sms-bridge +ExecStartPre=-/usr/bin/docker rm matrix-sms-bridge + +# Intentional delay, so that the homeserver (we likely depend on) can manage to start. +ExecStartPre=/bin/sleep 5 + +ExecStart=/usr/bin/docker run --rm --name matrix-sms-bridge \ + --log-driver=none \ + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + --group-add {{ matrix_sms_bridge_modem_group }} \ + --cap-drop=ALL \ + --network={{ matrix_docker_network }} \ + {% if matrix_sms_bridge_container_http_host_bind_port %} + -p {{ matrix_sms_bridge_container_http_host_bind_port }}:8080 \ + {% endif %} + -v {{ matrix_sms_bridge_config_path }}:/config:z \ + -v {{ matrix_sms_bridge_data_path }}:/data:z \ + -v {{ matrix_sms_bridge_config_path }}/gammu-smsdrc:/etc/gammu-smsdrc:z \ + --privileged \ + -v /dev:/dev:slave \ + {% for arg in matrix_sms_bridge_container_extra_arguments %} + {{ arg }} \ + {% endfor %} + {{ matrix_sms_bridge_docker_image }} + +ExecStop=-/usr/bin/docker kill matrix-sms-bridge +ExecStop=-/usr/bin/docker rm matrix-sms-bridge +Restart=always +RestartSec=30 +SyslogIdentifier=matrix-sms-bridge + + [Install] +WantedBy=multi-user.target 
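Review bot: `--privileged` together with `-v /dev:/dev:slave` in the new matrix-sms-bridge.service.j2 hands the container every capability, every host device and disables the default seccomp and AppArmor confinement, which makes the `--cap-drop=ALL` a few lines above it a no-op (`--privileged` takes precedence). The stated requirement is one serial modem, and the role already makes `matrix_sms_bridge_gammu_modem` mandatory in validate_config.yml and adds `--group-add {{ matrix_sms_bridge_modem_group }}`; `--device={{ matrix_sms_bridge_gammu_modem }}` with that group is enough for the non-root `matrix_user_uid` to open the device, so both `--privileged` and the whole-`/dev` mount can go. This is also the one container in the playbook that parses input arriving from the phone network, so it is the last one that should run with host-equivalent privileges. Separately, both new sms units hardcode `/usr/bin/docker` and `/bin/sleep` while every other unit touched by this patch moves to `{{ matrix_host_command_docker }}` and `{{ matrix_host_command_sleep }}`; use the variables here too.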
diff --git a/roles/matrix-corporal/templates/systemd/matrix-corporal.service.j2 b/roles/matrix-corporal/templates/systemd/matrix-corporal.service.j2 index ae4830ff..533ece0a 100644 --- a/roles/matrix-corporal/templates/systemd/matrix-corporal.service.j2 +++ b/roles/matrix-corporal/templates/systemd/matrix-corporal.service.j2 @@ -8,10 +8,10 @@ After={{ service }} [Service] Type=simple -ExecStartPre=-/usr/bin/docker kill matrix-corporal -ExecStartPre=-/usr/bin/docker rm matrix-corporal +ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-corporal +ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-corporal -ExecStart=/usr/bin/docker run --rm --name matrix-corporal \ +ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-corporal \ --log-driver=none \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --cap-drop=ALL \ @@ -32,8 +32,8 @@ ExecStart=/usr/bin/docker run --rm --name matrix-corporal \ {{ matrix_corporal_docker_image }} \ /matrix-corporal -config=/etc/matrix-corporal/config.json -ExecStop=-/usr/bin/docker kill matrix-corporal -ExecStop=-/usr/bin/docker rm matrix-corporal +ExecStop=-{{ matrix_host_command_docker }} kill matrix-corporal +ExecStop=-{{ matrix_host_command_docker }} rm matrix-corporal Restart=always RestartSec=30 SyslogIdentifier=matrix-corporal diff --git a/roles/matrix-coturn/tasks/setup_coturn.yml b/roles/matrix-coturn/tasks/setup_coturn.yml index 52db0e3e..272a36f2 100644 --- a/roles/matrix-coturn/tasks/setup_coturn.yml +++ b/roles/matrix-coturn/tasks/setup_coturn.yml @@ -99,7 +99,7 @@ hour: "4" minute: "20" day: "*/5" - job: /bin/systemctl reload matrix-coturn.service + job: "{{ matrix_host_command_systemctl }} reload matrix-coturn.service" when: "matrix_coturn_enabled|bool and matrix_coturn_tls_enabled|bool" diff --git a/roles/matrix-coturn/templates/systemd/matrix-coturn.service.j2 b/roles/matrix-coturn/templates/systemd/matrix-coturn.service.j2 index 35198616..a6d19705 100644 
--- a/roles/matrix-coturn/templates/systemd/matrix-coturn.service.j2 +++ b/roles/matrix-coturn/templates/systemd/matrix-coturn.service.j2 @@ -8,10 +8,10 @@ After={{ service }} [Service] Type=simple -ExecStartPre=-/usr/bin/docker kill matrix-coturn -ExecStartPre=-/usr/bin/docker rm matrix-coturn +ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-coturn +ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-coturn -ExecStart=/usr/bin/docker run --rm --name matrix-coturn \ +ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-coturn \ --log-driver=none \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --cap-drop=ALL \ @@ -40,12 +40,12 @@ ExecStart=/usr/bin/docker run --rm --name matrix-coturn \ {{ matrix_coturn_docker_image }} \ -c /turnserver.conf -ExecStop=-/usr/bin/docker kill matrix-coturn -ExecStop=-/usr/bin/docker rm matrix-coturn +ExecStop=-{{ matrix_host_command_docker }} kill matrix-coturn +ExecStop=-{{ matrix_host_command_docker }} rm matrix-coturn # This only reloads certificates (not other configuration). # See: https://github.com/coturn/coturn/pull/236 -ExecReload=/usr/bin/docker exec matrix-coturn kill -USR2 1 +ExecReload={{ matrix_host_command_docker }} exec matrix-coturn kill -USR2 1 Restart=always RestartSec=30 diff --git a/roles/matrix-dimension/defaults/main.yml b/roles/matrix-dimension/defaults/main.yml index fafe289d..770f5bcb 100644 --- a/roles/matrix-dimension/defaults/main.yml +++ b/roles/matrix-dimension/defaults/main.yml 
@@ -39,89 +39,7 @@ matrix_dimension_homeserver_federationUrl: "http://matrix-synapse:8048" # # For a more advanced customization, you can extend the default (see `matrix_dimension_configuration_extension_yaml`) # or completely replace this variable with your own template. -matrix_dimension_configuration_yaml: | - #jinja2: lstrip_blocks: True - # The web settings for the service (API and UI). - # It is best to have this run on localhost and use a reverse proxy to access Dimension. - web: - port: 8184 - address: '0.0.0.0' - - # Homeserver configuration - homeserver: - # The domain name of the homeserver. This is used in many places, such as with go-neb - # setups, to identify the homeserver. - name: "{{ matrix_domain }}" - - # The URL that Dimension, go-neb, and other services provisioned by Dimension should - # use to access the homeserver with. - clientServerUrl: "http://matrix-synapse:8008" - - # The URL that Dimension should use when trying to communicate with federated APIs on - # the homeserver. If not supplied or left empty Dimension will try to resolve the address - # through the normal federation process. - federationUrl: "{{ matrix_dimension_homeserver_federationUrl }}" - - # The URL that Dimension will redirect media requests to for downloading media such as - # stickers. If not supplied or left empty Dimension will use the clientServerUrl. - mediaUrl: "https://{{ matrix_server_fqn_matrix }}" - - # The access token Dimension should use for miscellaneous access to the homeserver. This - # should be for a user on the configured homeserver: any user will do, however it is - # recommended to use a dedicated user (such as @dimension:t2bot.io). For information on - # how to acquire an access token, visit https://t2bot.io/docs/access_tokens - accessToken: "{{ matrix_dimension_access_token }}" - - # These users can modify the integrations this Dimension supports. - # To access the admin interface, open Dimension in Riot and click the settings icon. 
- admins: {{ matrix_dimension_admins|to_json }} - - # IPs and CIDR ranges listed here will be blocked from being widgets. - # Note: Widgets may still be embedded with restricted content, although not through Dimension directly. - widgetBlacklist: - - 10.0.0.0/8 - - 172.16.0.0/12 - - 192.168.0.0/16 - - 127.0.0.0/8 - - # Where the database for Dimension is - database: - file: "dimension.db" - - # Display settings that apply to self-hosted go-neb instances - goneb: - # The avatars to set for each bot. Usually these don't need to be changed, however if your homeserver - # is not able to reach t2bot.io then you should specify your own here. To not use an avatar for a bot, - # make the bot's avatar an empty string. - avatars: - giphy: "mxc://t2bot.io/c5eaab3ef0133c1a61d3c849026deb27" - imgur: "mxc://t2bot.io/6749eaf2b302bb2188ae931b2eeb1513" - github: "mxc://t2bot.io/905b64b3cd8e2347f91a60c5eb0832e1" - wikipedia: "mxc://t2bot.io/7edfb54e9ad9e13fec0df22636feedf1" - travisci: "mxc://t2bot.io/7f4703126906fab8bb27df34a17707a8" - rss: "mxc://t2bot.io/aace4fcbd045f30afc1b4e5f0928f2f3" - google: "mxc://t2bot.io/636ad10742b66c4729bf89881a505142" - guggy: "mxc://t2bot.io/e7ef0ed0ba651aaf907655704f9a7526" - echo: "mxc://t2bot.io/3407ff2db96b4e954fcbf2c6c0415a13" - circleci: "mxc://t2bot.io/cf7d875845a82a6b21f5f66de78f6bee" - jira: "mxc://t2bot.io/f4a38ebcc4280ba5b950163ca3e7c329" - - # Settings for how Dimension is represented to the public - dimension: - # This is where Dimension is accessible from clients. Be sure to set this - # to your own Dimension instance. 
- publicUrl: "https://{{ matrix_server_fqn_dimension }}" - - # Settings for controlling how logging works - logging: - file: /dev/null - console: true - consoleLevel: verbose - fileLevel: info - rotate: - size: 52428800 # bytes, default is 50mb - count: 5 - +matrix_dimension_configuration_yaml: "{{ lookup('template', 'templates/config.yaml.j2') }}" matrix_dimension_configuration_extension_yaml: | # Your custom YAML configuration for Dimension goes here. diff --git a/roles/matrix-dimension/templates/config.yaml.j2 b/roles/matrix-dimension/templates/config.yaml.j2 new file mode 100644 index 00000000..576c4e8a --- /dev/null +++ b/roles/matrix-dimension/templates/config.yaml.j2 
@@ -0,0 +1,81 @@ +#jinja2: lstrip_blocks: True +# The web settings for the service (API and UI). +# It is best to have this run on localhost and use a reverse proxy to access Dimension. +web: + port: 8184 + address: '0.0.0.0' + +# Homeserver configuration +homeserver: + # The domain name of the homeserver. This is used in many places, such as with go-neb + # setups, to identify the homeserver. + name: "{{ matrix_domain }}" + + # The URL that Dimension, go-neb, and other services provisioned by Dimension should + # use to access the homeserver with. + clientServerUrl: "http://matrix-synapse:8008" + + # The URL that Dimension should use when trying to communicate with federated APIs on + # the homeserver. If not supplied or left empty Dimension will try to resolve the address + # through the normal federation process. + federationUrl: "{{ matrix_dimension_homeserver_federationUrl }}" + + # The URL that Dimension will redirect media requests to for downloading media such as + # stickers. If not supplied or left empty Dimension will use the clientServerUrl. + mediaUrl: "https://{{ matrix_server_fqn_matrix }}" + + # The access token Dimension should use for miscellaneous access to the homeserver. This + # should be for a user on the configured homeserver: any user will do, however it is + # recommended to use a dedicated user (such as @dimension:t2bot.io). For information on + # how to acquire an access token, visit https://t2bot.io/docs/access_tokens + accessToken: "{{ matrix_dimension_access_token }}" + +# These users can modify the integrations this Dimension supports. +# To access the admin interface, open Dimension in Riot and click the settings icon. +admins: {{ matrix_dimension_admins|to_json }} + +# IPs and CIDR ranges listed here will be blocked from being widgets. +# Note: Widgets may still be embedded with restricted content, although not through Dimension directly. 
+widgetBlacklist: + - 10.0.0.0/8 + - 172.16.0.0/12 + - 192.168.0.0/16 + - 127.0.0.0/8 + +# Where the database for Dimension is +database: + file: "dimension.db" + +# Display settings that apply to self-hosted go-neb instances +goneb: + # The avatars to set for each bot. Usually these don't need to be changed, however if your homeserver + # is not able to reach t2bot.io then you should specify your own here. To not use an avatar for a bot, + # make the bot's avatar an empty string. + avatars: + giphy: "mxc://t2bot.io/c5eaab3ef0133c1a61d3c849026deb27" + imgur: "mxc://t2bot.io/6749eaf2b302bb2188ae931b2eeb1513" + github: "mxc://t2bot.io/905b64b3cd8e2347f91a60c5eb0832e1" + wikipedia: "mxc://t2bot.io/7edfb54e9ad9e13fec0df22636feedf1" + travisci: "mxc://t2bot.io/7f4703126906fab8bb27df34a17707a8" + rss: "mxc://t2bot.io/aace4fcbd045f30afc1b4e5f0928f2f3" + google: "mxc://t2bot.io/636ad10742b66c4729bf89881a505142" + guggy: "mxc://t2bot.io/e7ef0ed0ba651aaf907655704f9a7526" + echo: "mxc://t2bot.io/3407ff2db96b4e954fcbf2c6c0415a13" + circleci: "mxc://t2bot.io/cf7d875845a82a6b21f5f66de78f6bee" + jira: "mxc://t2bot.io/f4a38ebcc4280ba5b950163ca3e7c329" + +# Settings for how Dimension is represented to the public +dimension: + # This is where Dimension is accessible from clients. Be sure to set this + # to your own Dimension instance. + publicUrl: "https://{{ matrix_server_fqn_dimension }}" + +# Settings for controlling how logging works +logging: + file: /dev/null + console: true + consoleLevel: verbose + fileLevel: info + rotate: + size: 52428800 # bytes, default is 50mb + count: 5 diff --git a/roles/matrix-dimension/templates/systemd/matrix-dimension.service.j2 b/roles/matrix-dimension/templates/systemd/matrix-dimension.service.j2 index 0a8d0c83..db9d58a8 100644 --- a/roles/matrix-dimension/templates/systemd/matrix-dimension.service.j2 +++ b/roles/matrix-dimension/templates/systemd/matrix-dimension.service.j2 
@@ -6,13 +6,13 @@ Requires=docker.service [Service] Type=simple -ExecStartPre=-/usr/bin/docker kill matrix-dimension -ExecStartPre=-/usr/bin/docker rm matrix-dimension +ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-dimension +ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-dimension # Fixup database ownership if it got changed somehow (during a server migration, etc.) -ExecStartPre=-/usr/bin/chown {{ matrix_dimension_user_uid }}:{{ matrix_dimension_user_gid }} {{ matrix_dimension_base_path }}/dimension.db +ExecStartPre=-{{ matrix_host_command_chown }} {{ matrix_dimension_user_uid }}:{{ matrix_dimension_user_gid }} {{ matrix_dimension_base_path }}/dimension.db -ExecStart=/usr/bin/docker run --rm --name matrix-dimension \ +ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-dimension \ --log-driver=none \ --user={{ matrix_dimension_user_uid }}:{{ matrix_dimension_user_gid }} \ --cap-drop=ALL \ @@ -29,8 +29,8 @@ ExecStart=/usr/bin/docker run --rm --name matrix-dimension \ {% endfor %} {{ matrix_dimension_docker_image }} -ExecStop=-/usr/bin/docker kill matrix-dimension -ExecStop=-/usr/bin/docker rm matrix-dimension +ExecStop=-{{ matrix_host_command_docker }} kill matrix-dimension +ExecStop=-{{ matrix_host_command_docker }} rm matrix-dimension Restart=always RestartSec=30 SyslogIdentifier=matrix-dimension diff --git a/roles/matrix-email2matrix/templates/systemd/matrix-email2matrix.service.j2 b/roles/matrix-email2matrix/templates/systemd/matrix-email2matrix.service.j2 index eb7e125b..52806f35 100644 --- a/roles/matrix-email2matrix/templates/systemd/matrix-email2matrix.service.j2 +++ b/roles/matrix-email2matrix/templates/systemd/matrix-email2matrix.service.j2 
@@ -6,10 +6,10 @@ Requires=docker.service [Service] Type=simple -ExecStartPre=-/usr/bin/docker kill matrix-email2matrix -ExecStartPre=-/usr/bin/docker rm matrix-email2matrix +ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-email2matrix +ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-email2matrix -ExecStart=/usr/bin/docker run --rm --name matrix-email2matrix \ +ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-email2matrix \ --log-driver=none \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --cap-drop=ALL \ @@ -22,8 +22,8 @@ ExecStart=/usr/bin/docker run --rm --name matrix-email2matrix \ {% endfor %} {{ matrix_email2matrix_docker_image }} -ExecStop=-/usr/bin/docker kill matrix-email2matrix -ExecStop=-/usr/bin/docker rm matrix-email2matrix +ExecStop=-{{ matrix_host_command_docker }} kill matrix-email2matrix +ExecStop=-{{ matrix_host_command_docker }} rm matrix-email2matrix Restart=always RestartSec=30 SyslogIdentifier=matrix-email2matrix diff --git a/roles/matrix-jitsi/defaults/main.yml b/roles/matrix-jitsi/defaults/main.yml index fc428b96..21dae448 100644 --- a/roles/matrix-jitsi/defaults/main.yml +++ b/roles/matrix-jitsi/defaults/main.yml @@ -50,7 +50,7 @@ matrix_jitsi_jibri_recorder_user: recorder matrix_jitsi_jibri_recorder_password: '' -matrix_jitsi_web_docker_image: "jitsi/web:4416" +matrix_jitsi_web_docker_image: "jitsi/web:stable-4548-1" matrix_jitsi_web_docker_image_force_pull: "{{ matrix_jitsi_web_docker_image.endswith(':latest') }}" matrix_jitsi_web_base_path: "{{ matrix_base_data_path }}/jitsi/web" 
@@ -96,11 +96,12 @@ matrix_jitsi_web_interface_config_show_powered_by: false matrix_jitsi_web_interface_config_disable_transcription_subtitles: false matrix_jisti_web_interface_config_show_deep_linking_image: false -matrix_jitsi_prosody_docker_image: "jitsi/prosody:4416" +matrix_jitsi_prosody_docker_image: "jitsi/prosody:stable-4548-1" matrix_jitsi_prosody_docker_image_force_pull: "{{ matrix_jitsi_prosody_docker_image.endswith(':latest') }}" matrix_jitsi_prosody_base_path: "{{ matrix_base_data_path }}/jitsi/prosody" matrix_jitsi_prosody_config_path: "{{ matrix_jitsi_prosody_base_path }}/config" +matrix_jitsi_prosody_plugins_path: "{{ matrix_jitsi_prosody_base_path }}/prosody-plugins-custom" # A list of extra arguments to pass to the container matrix_jitsi_prosody_container_extra_arguments: [] @@ -109,7 +110,7 @@ matrix_jitsi_prosody_container_extra_arguments: [] matrix_jitsi_prosody_systemd_required_services_list: ['docker.service'] -matrix_jitsi_jicofo_docker_image: "jitsi/jicofo:4416" +matrix_jitsi_jicofo_docker_image: "jitsi/jicofo:stable-4548-1" matrix_jitsi_jicofo_docker_image_force_pull: "{{ matrix_jitsi_jicofo_docker_image.endswith(':latest') }}" matrix_jitsi_jicofo_base_path: "{{ matrix_base_data_path }}/jitsi/jicofo" @@ -126,7 +127,7 @@ matrix_jitsi_jicofo_auth_user: focus matrix_jitsi_jicofo_auth_password: '' -matrix_jitsi_jvb_docker_image: "jitsi/jvb:4416" +matrix_jitsi_jvb_docker_image: "jitsi/jvb:stable-4548-1" matrix_jitsi_jvb_docker_image_force_pull: "{{ matrix_jitsi_jvb_docker_image.endswith(':latest') }}" matrix_jitsi_jvb_base_path: "{{ matrix_base_data_path }}/jitsi/jvb" diff --git a/roles/matrix-jitsi/tasks/setup_jitsi_prosody.yml b/roles/matrix-jitsi/tasks/setup_jitsi_prosody.yml index 4159362d..66299f64 100644 --- a/roles/matrix-jitsi/tasks/setup_jitsi_prosody.yml +++ b/roles/matrix-jitsi/tasks/setup_jitsi_prosody.yml 
@@ -14,6 +14,7 @@ with_items: - { path: "{{ matrix_jitsi_prosody_base_path }}", when: true } - { path: "{{ matrix_jitsi_prosody_config_path }}", when: true } + - { path: "{{ matrix_jitsi_prosody_plugins_path }}", when: true } when: matrix_jitsi_enabled|bool and item.when - name: Ensure jitsi-prosody Docker image is pulled diff --git a/roles/matrix-jitsi/templates/jicofo/matrix-jitsi-jicofo.service.j2 b/roles/matrix-jitsi/templates/jicofo/matrix-jitsi-jicofo.service.j2 index 53f08688..3512b3af 100644 --- a/roles/matrix-jitsi/templates/jicofo/matrix-jitsi-jicofo.service.j2 +++ b/roles/matrix-jitsi/templates/jicofo/matrix-jitsi-jicofo.service.j2 @@ -8,10 +8,10 @@ After={{ service }} [Service] Type=simple -ExecStartPre=-/usr/bin/docker kill matrix-jitsi-jicofo -ExecStartPre=-/usr/bin/docker rm matrix-jitsi-jicofo +ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-jitsi-jicofo +ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-jitsi-jicofo -ExecStart=/usr/bin/docker run --rm --name matrix-jitsi-jicofo \ +ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-jitsi-jicofo \ --log-driver=none \ --network={{ matrix_docker_network }} \ --env-file={{ matrix_jitsi_jicofo_base_path }}/env \ @@ -21,8 +21,8 @@ ExecStart=/usr/bin/docker run --rm --name matrix-jitsi-jicofo \ {% endfor %} {{ matrix_jitsi_jicofo_docker_image }} -ExecStop=-/usr/bin/docker kill matrix-jitsi-jicofo -ExecStop=-/usr/bin/docker rm matrix-jitsi-jicofo +ExecStop=-{{ matrix_host_command_docker }} kill matrix-jitsi-jicofo +ExecStop=-{{ matrix_host_command_docker }} rm matrix-jitsi-jicofo Restart=always RestartSec=30 SyslogIdentifier=matrix-jitsi-jicofo diff --git a/roles/matrix-jitsi/templates/jvb/matrix-jitsi-jvb.service.j2 b/roles/matrix-jitsi/templates/jvb/matrix-jitsi-jvb.service.j2 index 5df5807a..a189df9c 100644 --- a/roles/matrix-jitsi/templates/jvb/matrix-jitsi-jvb.service.j2 +++ b/roles/matrix-jitsi/templates/jvb/matrix-jitsi-jvb.service.j2 
@@ -8,10 +8,10 @@ After={{ service }} [Service] Type=simple -ExecStartPre=-/usr/bin/docker kill matrix-jitsi-jvb -ExecStartPre=-/usr/bin/docker rm matrix-jitsi-jvb +ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-jitsi-jvb +ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-jitsi-jvb -ExecStart=/usr/bin/docker run --rm --name matrix-jitsi-jvb \ +ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-jitsi-jvb \ --log-driver=none \ --network={{ matrix_docker_network }} \ --env-file={{ matrix_jitsi_jvb_base_path }}/env \ @@ -27,8 +27,8 @@ ExecStart=/usr/bin/docker run --rm --name matrix-jitsi-jvb \ {% endfor %} {{ matrix_jitsi_jvb_docker_image }} -ExecStop=-/usr/bin/docker kill matrix-jitsi-jvb -ExecStop=-/usr/bin/docker rm matrix-jitsi-jvb +ExecStop=-{{ matrix_host_command_docker }} kill matrix-jitsi-jvb +ExecStop=-{{ matrix_host_command_docker }} rm matrix-jitsi-jvb Restart=always RestartSec=30 SyslogIdentifier=matrix-jitsi-jvb diff --git a/roles/matrix-jitsi/templates/prosody/matrix-jitsi-prosody.service.j2 b/roles/matrix-jitsi/templates/prosody/matrix-jitsi-prosody.service.j2 index bf43021d..30801d77 100644 --- a/roles/matrix-jitsi/templates/prosody/matrix-jitsi-prosody.service.j2 +++ b/roles/matrix-jitsi/templates/prosody/matrix-jitsi-prosody.service.j2 
@@ -8,21 +8,22 @@ After={{ service }} [Service] Type=simple -ExecStartPre=-/usr/bin/docker kill matrix-jitsi-prosody -ExecStartPre=-/usr/bin/docker rm matrix-jitsi-prosody +ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-jitsi-prosody +ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-jitsi-prosody -ExecStart=/usr/bin/docker run --rm --name matrix-jitsi-prosody \ +ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-jitsi-prosody \ --log-driver=none \ --network={{ matrix_docker_network }} \ --env-file={{ matrix_jitsi_prosody_base_path }}/env \ -v {{ matrix_jitsi_prosody_config_path }}:/config \ + -v {{ matrix_jitsi_prosody_plugins_path }}:/prosody-plugins-custom \ {% for arg in matrix_jitsi_prosody_container_extra_arguments %} {{ arg }} \ {% endfor %} {{ matrix_jitsi_prosody_docker_image }} -ExecStop=-/usr/bin/docker kill matrix-jitsi-prosody -ExecStop=-/usr/bin/docker rm matrix-jitsi-prosody +ExecStop=-{{ matrix_host_command_docker }} kill matrix-jitsi-prosody +ExecStop=-{{ matrix_host_command_docker }} rm matrix-jitsi-prosody Restart=always RestartSec=30 SyslogIdentifier=matrix-jitsi-prosody diff --git a/roles/matrix-jitsi/templates/web/matrix-jitsi-web.service.j2 b/roles/matrix-jitsi/templates/web/matrix-jitsi-web.service.j2 index deed5025..1f8a890b 100644 --- a/roles/matrix-jitsi/templates/web/matrix-jitsi-web.service.j2 +++ b/roles/matrix-jitsi/templates/web/matrix-jitsi-web.service.j2 @@ -8,10 +8,10 @@ After={{ service }} [Service] Type=simple -ExecStartPre=-/usr/bin/docker kill matrix-jitsi-web -ExecStartPre=-/usr/bin/docker rm matrix-jitsi-web +ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-jitsi-web +ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-jitsi-web -ExecStart=/usr/bin/docker run --rm --name matrix-jitsi-web \ +ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-jitsi-web \ --log-driver=none \ --network={{ matrix_docker_network }} \ --env-file={{ matrix_jitsi_web_base_path }}/env \ 
@@ -25,8 +25,8 @@ ExecStart=/usr/bin/docker run --rm --name matrix-jitsi-web \ {% endfor %} {{ matrix_jitsi_web_docker_image }} -ExecStop=-/usr/bin/docker kill matrix-jitsi-web -ExecStop=-/usr/bin/docker rm matrix-jitsi-web +ExecStop=-{{ matrix_host_command_docker }} kill matrix-jitsi-web +ExecStop=-{{ matrix_host_command_docker }} rm matrix-jitsi-web Restart=always RestartSec=30 SyslogIdentifier=matrix-jitsi-web diff --git a/roles/matrix-ma1sd/defaults/main.yml b/roles/matrix-ma1sd/defaults/main.yml index 144f4932..64cf7c9a 100644 --- a/roles/matrix-ma1sd/defaults/main.yml +++ b/roles/matrix-ma1sd/defaults/main.yml 
@@ -76,79 +76,16 @@ matrix_ma1sd_self_check_validate_certificates: true # According to: https://github.com/ma1uta/ma1sd/blob/master/docs/troubleshooting.md#increase-verbosity matrix_ma1sd_verbose_logging: false +# Setting up support for API prefixes +matrix_ma1sd_v1_enabled: true +matrix_ma1sd_v2_enabled: true + # Default ma1sd configuration template which covers the generic use case. # You can customize it by controlling the various variables inside it. # # For a more advanced customization, you can extend the default (see `matrix_ma1sd_configuration_extension_yaml`) # or completely replace this variable with your own template. -matrix_ma1sd_configuration_yaml: | - #jinja2: lstrip_blocks: True - matrix: - domain: {{ matrix_domain }} - - server: - name: {{ matrix_server_fqn_matrix }} - - key: - path: /var/ma1sd/sign.key - - storage: - provider: - sqlite: - database: /var/ma1sd/ma1sd.db - - {% if matrix_ma1sd_dns_overwrite_enabled %} - dns: - overwrite: - homeserver: - client: - - name: {{ matrix_ma1sd_dns_overwrite_homeserver_client_name }} - value: {{ matrix_ma1sd_dns_overwrite_homeserver_client_value }} - {% endif %} - - {% if matrix_ma1sd_matrixorg_forwarding_enabled %} - forward: - servers: ['matrix-org'] - {% endif %} - - threepid: - medium: - email: - identity: - from: {{ matrix_ma1sd_threepid_medium_email_identity_from }} - connectors: - smtp: - host: {{ matrix_ma1sd_threepid_medium_email_connectors_smtp_host }} - port: {{ matrix_ma1sd_threepid_medium_email_connectors_smtp_port }} - tls: {{ matrix_ma1sd_threepid_medium_email_connectors_smtp_tls }} - login: {{ matrix_ma1sd_threepid_medium_email_connectors_smtp_login }} - password: {{ matrix_ma1sd_threepid_medium_email_connectors_smtp_password }} - {% if matrix_ma1sd_threepid_medium_email_custom_templates_enabled %} - generators: - template: - {% if matrix_ma1sd_threepid_medium_email_custom_invite_template %} - invite: '/var/ma1sd/invite-template.eml' - {% endif %} - {% if 
matrix_ma1sd_threepid_medium_email_custom_session_validation_template or matrix_ma1sd_threepid_medium_email_custom_unbind_fraudulent_template %} - session: - {% if matrix_ma1sd_threepid_medium_email_custom_session_validation_template %} - validation: '/var/ma1sd/validate-template.eml' - {% endif %} - {% if matrix_ma1sd_threepid_medium_email_custom_unbind_fraudulent_template %} - unbind: - frandulent: '/var/ma1sd/unbind-fraudulent.eml' - {% endif %} - {% endif %} - {% if matrix_ma1sd_threepid_medium_email_custom_matrixid_template %} - generic: - matrixId: '/var/ma1sd/mxid-template.eml' - {% endif %} - {% endif %} - - synapseSql: - enabled: {{ matrix_ma1sd_synapsesql_enabled }} - type: {{ matrix_ma1sd_synapsesql_type }} - connection: {{ matrix_ma1sd_synapsesql_connection }} +matrix_ma1sd_configuration_yaml: "{{ lookup('template', 'templates/ma1sd.yaml.j2') }}" matrix_ma1sd_configuration_extension_yaml: | # Your custom YAML configuration for ma1sd goes here. diff --git a/roles/matrix-ma1sd/templates/ma1sd.yaml.j2 b/roles/matrix-ma1sd/templates/ma1sd.yaml.j2 new file mode 100644 index 00000000..0deef3d8 --- /dev/null +++ b/roles/matrix-ma1sd/templates/ma1sd.yaml.j2 
@@ -0,0 +1,69 @@ +#jinja2: lstrip_blocks: True +matrix: + domain: {{ matrix_domain }} + v1: {{ matrix_ma1sd_v1_enabled|to_json }} + v2: {{ matrix_ma1sd_v2_enabled|to_json }} + +server: + name: {{ matrix_server_fqn_matrix }} + +key: + path: /var/ma1sd/sign.key + +storage: + provider: + sqlite: + database: /var/ma1sd/ma1sd.db + +{% if matrix_ma1sd_dns_overwrite_enabled %} +dns: + overwrite: + homeserver: + client: + - name: {{ matrix_ma1sd_dns_overwrite_homeserver_client_name }} + value: {{ matrix_ma1sd_dns_overwrite_homeserver_client_value }} +{% endif %} + +{% if matrix_ma1sd_matrixorg_forwarding_enabled %} +forward: + servers: ['matrix-org'] +{% endif %} + +threepid: + medium: + email: + identity: + from: {{ matrix_ma1sd_threepid_medium_email_identity_from }} + connectors: + smtp: + host: {{ matrix_ma1sd_threepid_medium_email_connectors_smtp_host }} + port: {{ matrix_ma1sd_threepid_medium_email_connectors_smtp_port }} + tls: {{ matrix_ma1sd_threepid_medium_email_connectors_smtp_tls }} + login: {{ matrix_ma1sd_threepid_medium_email_connectors_smtp_login }} + password: {{ matrix_ma1sd_threepid_medium_email_connectors_smtp_password }} +{% if matrix_ma1sd_threepid_medium_email_custom_templates_enabled %} + generators: + template: + {% if matrix_ma1sd_threepid_medium_email_custom_invite_template %} + invite: '/var/ma1sd/invite-template.eml' + {% endif %} + {% if matrix_ma1sd_threepid_medium_email_custom_session_validation_template or matrix_ma1sd_threepid_medium_email_custom_unbind_fraudulent_template %} + session: + {% if matrix_ma1sd_threepid_medium_email_custom_session_validation_template %} + validation: '/var/ma1sd/validate-template.eml' + {% endif %} + {% if matrix_ma1sd_threepid_medium_email_custom_unbind_fraudulent_template %} + unbind: + frandulent: '/var/ma1sd/unbind-fraudulent.eml' + {% endif %} + {% endif %} + {% if matrix_ma1sd_threepid_medium_email_custom_matrixid_template %} + generic: + matrixId: '/var/ma1sd/mxid-template.eml' + {% endif %} +{% endif %} 
+ +synapseSql: + enabled: {{ matrix_ma1sd_synapsesql_enabled }} + type: {{ matrix_ma1sd_synapsesql_type }} + connection: {{ matrix_ma1sd_synapsesql_connection }} diff --git a/roles/matrix-ma1sd/templates/systemd/matrix-ma1sd.service.j2 b/roles/matrix-ma1sd/templates/systemd/matrix-ma1sd.service.j2 index b316fc2b..80370088 100644 --- a/roles/matrix-ma1sd/templates/systemd/matrix-ma1sd.service.j2 +++ b/roles/matrix-ma1sd/templates/systemd/matrix-ma1sd.service.j2 @@ -11,12 +11,12 @@ Wants={{ service }} [Service] Type=simple -ExecStartPre=-/usr/bin/docker kill matrix-ma1sd -ExecStartPre=-/usr/bin/docker rm matrix-ma1sd +ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-ma1sd +ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-ma1sd # ma1sd writes an SQLite shared library (libsqlitejdbc.so) to /tmp and executes it from there, # so /tmp needs to be mounted with an exec option. -ExecStart=/usr/bin/docker run --rm --name matrix-ma1sd \ +ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-ma1sd \ --log-driver=none \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --cap-drop=ALL \ @@ -36,8 +36,8 @@ ExecStart=/usr/bin/docker run --rm --name matrix-ma1sd \ {% endfor %} {{ matrix_ma1sd_docker_image }} -ExecStop=-/usr/bin/docker kill matrix-ma1sd -ExecStop=-/usr/bin/docker rm matrix-ma1sd +ExecStop=-{{ matrix_host_command_docker }} kill matrix-ma1sd +ExecStop=-{{ matrix_host_command_docker }} rm matrix-ma1sd Restart=always RestartSec=30 SyslogIdentifier=matrix-ma1sd diff --git a/roles/matrix-mailer/defaults/main.yml b/roles/matrix-mailer/defaults/main.yml index 8364ee2c..0a8fd13c 100644 --- a/roles/matrix-mailer/defaults/main.yml +++ b/roles/matrix-mailer/defaults/main.yml 
@@ -2,7 +2,12 @@ matrix_mailer_enabled: true matrix_mailer_base_path: "{{ matrix_base_data_path }}/mailer" -matrix_mailer_docker_image: "devture/exim-relay:4.92.2-r0-0" +matrix_mailer_container_image_self_build: false +matrix_mailer_container_image_self_build_repository_url: "https://github.com/devture/exim-relay" +matrix_mailer_container_image_self_build_src_files_path: "{{ matrix_mailer_base_path }}/docker-src" +matrix_mailer_container_image_self_build_version: "{{ matrix_mailer_docker_image.split(':')[1] }}" + +matrix_mailer_docker_image: "devture/exim-relay:4.93.1-r0" matrix_mailer_docker_image_force_pull: "{{ matrix_mailer_docker_image.endswith(':latest') }}" # The user/group that the container runs with. diff --git a/roles/matrix-mailer/tasks/setup_mailer.yml b/roles/matrix-mailer/tasks/setup_mailer.yml index 6104edfe..99370638 100644 --- a/roles/matrix-mailer/tasks/setup_mailer.yml +++ b/roles/matrix-mailer/tasks/setup_mailer.yml @@ -6,12 +6,15 @@ - name: Ensure mailer base path exists file: - path: "{{ matrix_mailer_base_path }}" + path: "{{ item.path }}" state: directory mode: 0750 owner: "{{ matrix_user_username }}" group: "{{ matrix_user_groupname }}" - when: matrix_mailer_enabled|bool + with_items: + - { path: "{{ matrix_mailer_base_path }}", when: true } + - { path: "{{ matrix_mailer_container_image_self_build_src_files_path }}", when: "{{ matrix_mailer_container_image_self_build }}" } + when: "matrix_mailer_enabled|bool and item.when" - name: Ensure mailer environment variables file created template: 
@@ -20,13 +23,31 @@ mode: 0640 when: matrix_mailer_enabled|bool -- name: Ensure mailer image is pulled +- name: Ensure exim-relay repository is present on self-build + git: + repo: "{{ matrix_mailer_container_image_self_build_repository_url }}" + dest: "{{ matrix_mailer_container_image_self_build_src_files_path }}" + version: "{{ matrix_mailer_container_image_self_build_version }}" + force: "yes" + when: "matrix_mailer_container_image_self_build|bool" + +- name: Ensure exim-relay Docker image is built + docker_image: + name: "{{ matrix_mailer_docker_image }}" + source: build + build: + dockerfile: Dockerfile + path: "{{ matrix_mailer_container_image_self_build_src_files_path }}" + pull: yes + when: "matrix_mailer_enabled|bool and matrix_mailer_container_image_self_build|bool" + +- name: Ensure exim-relay image is pulled docker_image: name: "{{ matrix_mailer_docker_image }}" source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" force_source: "{{ matrix_mailer_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mailer_docker_image_force_pull }}" - when: matrix_mailer_enabled|bool + when: "matrix_mailer_enabled|bool and not matrix_mailer_container_image_self_build|bool" - name: Ensure matrix-mailer.service installed template: diff --git a/roles/matrix-mailer/templates/systemd/matrix-mailer.service.j2 b/roles/matrix-mailer/templates/systemd/matrix-mailer.service.j2 index cf54a8e9..1371a861 100644 --- a/roles/matrix-mailer/templates/systemd/matrix-mailer.service.j2 +++ b/roles/matrix-mailer/templates/systemd/matrix-mailer.service.j2 
@@ -6,10 +6,10 @@ Requires=docker.service [Service] Type=simple -ExecStartPre=-/usr/bin/docker kill matrix-mailer -ExecStartPre=-/usr/bin/docker rm matrix-mailer +ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-mailer +ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-mailer -ExecStart=/usr/bin/docker run --rm --name matrix-mailer \ +ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-mailer \ --log-driver=none \ --user={{ matrix_mailer_container_user_uid }}:{{ matrix_mailer_container_user_gid }} \ --cap-drop=ALL \ @@ -24,8 +24,8 @@ ExecStart=/usr/bin/docker run --rm --name matrix-mailer \ {% endfor %} {{ matrix_mailer_docker_image }} -ExecStop=-/usr/bin/docker kill matrix-mailer -ExecStop=-/usr/bin/docker rm matrix-mailer +ExecStop=-{{ matrix_host_command_docker }} kill matrix-mailer +ExecStop=-{{ matrix_host_command_docker }} rm matrix-mailer Restart=always RestartSec=30 SyslogIdentifier=matrix-mailer diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index 8f329f1a..ae54ea4e 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -3,7 +3,7 @@ matrix_nginx_proxy_enabled: true # We use an official nginx image, which we fix-up to run unprivileged. # An alternative would be an `nginxinc/nginx-unprivileged` image, but # that is frequently out of date. -matrix_nginx_proxy_docker_image: "nginx:1.17.10-alpine" +matrix_nginx_proxy_docker_image: "nginx:1.19.0-alpine" matrix_nginx_proxy_docker_image_force_pull: "{{ matrix_nginx_proxy_docker_image.endswith(':latest') }}" matrix_nginx_proxy_base_path: "{{ matrix_base_data_path }}/nginx-proxy" 
@@ -220,7 +220,7 @@ matrix_ssl_domains_to_obtain_certificates_for: [] # Controls whether to obtain production or staging certificates from Let's Encrypt. matrix_ssl_lets_encrypt_staging: false -matrix_ssl_lets_encrypt_certbot_docker_image: "certbot/certbot:{{ matrix_ssl_architecture }}-v1.3.0" +matrix_ssl_lets_encrypt_certbot_docker_image: "certbot/certbot:{{ matrix_ssl_architecture }}-v1.5.0" matrix_ssl_lets_encrypt_certbot_docker_image_force_pull: "{{ matrix_ssl_lets_encrypt_certbot_docker_image.endswith(':latest') }}" matrix_ssl_lets_encrypt_certbot_standalone_http_port: 2402 matrix_ssl_lets_encrypt_support_email: ~ diff --git a/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt.yml b/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt.yml index e6542545..08dc6e58 100644 --- a/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt.yml +++ b/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt.yml @@ -84,7 +84,7 @@ hour: "5" minute: "20" day: "*" - job: /bin/systemctl reload matrix-nginx-proxy.service + job: "{{ matrix_host_command_systemctl }} reload matrix-nginx-proxy.service" when: matrix_nginx_proxy_enabled|bool when: "matrix_ssl_retrieval_method == 'lets-encrypt'" diff --git a/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml b/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml index 19500b15..e80b655d 100644 --- a/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml +++ b/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml @@ -16,7 +16,7 @@ # We suppress the error, as we'll try another method below. - name: Attempt initial SSL certificate retrieval with standalone authenticator (directly) shell: >- - /usr/bin/docker run + {{ matrix_host_command_docker }} run --rm --name=matrix-certbot --user={{ matrix_user_uid }}:{{ matrix_user_gid }} 
@@ -43,7 +43,7 @@ # and it's running now, it may be able to proxy requests to `matrix_ssl_lets_encrypt_certbot_standalone_http_port`. - name: Attempt initial SSL certificate retrieval with standalone authenticator (via proxy) shell: >- - /usr/bin/docker run + {{ matrix_host_command_docker }} run --rm --name=matrix-certbot --user={{ matrix_user_uid }}:{{ matrix_user_gid }} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 index 99662515..8fd87958 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 @@ -150,7 +150,7 @@ } {% endif %} - location /_synapse/admin { + location /_synapse { {% if matrix_nginx_proxy_enabled %} {# Use the embedded DNS resolver in Docker containers to discover the service #} resolver 127.0.0.11 valid=5s; diff --git a/roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 b/roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 index 5b4dfb2a..7a385a64 100644 --- a/roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 +++ b/roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 @@ -11,10 +11,10 @@ Wants={{ service }} [Service] Type=simple -ExecStartPre=-/usr/bin/docker kill matrix-nginx-proxy -ExecStartPre=-/usr/bin/docker rm matrix-nginx-proxy +ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-nginx-proxy +ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-nginx-proxy -ExecStart=/usr/bin/docker run --rm --name matrix-nginx-proxy \ +ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-nginx-proxy \ --log-driver=none \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --cap-drop=ALL \ 
@@ -43,9 +43,9 @@ ExecStart=/usr/bin/docker run --rm --name matrix-nginx-proxy \ {% endfor %} {{ matrix_nginx_proxy_docker_image }} -ExecStop=-/usr/bin/docker kill matrix-nginx-proxy -ExecStop=-/usr/bin/docker rm matrix-nginx-proxy -ExecReload=/usr/bin/docker exec matrix-nginx-proxy /usr/sbin/nginx -s reload +ExecStop=-{{ matrix_host_command_docker }} kill matrix-nginx-proxy +ExecStop=-{{ matrix_host_command_docker }} rm matrix-nginx-proxy +ExecReload={{ matrix_host_command_docker }} exec matrix-nginx-proxy /usr/sbin/nginx -s reload Restart=always RestartSec=30 SyslogIdentifier=matrix-nginx-proxy diff --git a/roles/matrix-postgres/defaults/main.yml b/roles/matrix-postgres/defaults/main.yml index 4089793a..e26c43e7 100644 --- a/roles/matrix-postgres/defaults/main.yml +++ b/roles/matrix-postgres/defaults/main.yml @@ -8,10 +8,10 @@ matrix_postgres_db_name: "" matrix_postgres_base_path: "{{ matrix_base_data_path }}/postgres" matrix_postgres_data_path: "{{ matrix_postgres_base_path }}/data" -matrix_postgres_docker_image_v9: "postgres:9.6.17-alpine" -matrix_postgres_docker_image_v10: "postgres:10.12-alpine" -matrix_postgres_docker_image_v11: "postgres:11.7-alpine" -matrix_postgres_docker_image_v12: "postgres:12.2-alpine" +matrix_postgres_docker_image_v9: "postgres:9.6.18-alpine" +matrix_postgres_docker_image_v10: "postgres:10.13-alpine" +matrix_postgres_docker_image_v11: "postgres:11.8-alpine" +matrix_postgres_docker_image_v12: "postgres:12.3-alpine" matrix_postgres_docker_image_latest: "{{ matrix_postgres_docker_image_v12 }}" # This variable is assigned at runtime. Overriding its value has no effect. diff --git a/roles/matrix-postgres/tasks/import_postgres.yml b/roles/matrix-postgres/tasks/import_postgres.yml index ba237d6a..e58711f1 100644 --- a/roles/matrix-postgres/tasks/import_postgres.yml +++ b/roles/matrix-postgres/tasks/import_postgres.yml 
@@ -63,7 +63,7 @@ - name: Generate Postgres database import command set_fact: matrix_postgres_import_command: >- - /usr/bin/docker run --rm --name matrix-postgres-import + {{ matrix_host_command_docker }} run --rm --name matrix-postgres-import --user={{ matrix_user_uid }}:{{ matrix_user_gid }} --cap-drop=ALL --network={{ matrix_docker_network }} diff --git a/roles/matrix-postgres/tasks/import_sqlite_db.yml b/roles/matrix-postgres/tasks/import_sqlite_db.yml index eab4e892..850ee370 100644 --- a/roles/matrix-postgres/tasks/import_sqlite_db.yml +++ b/roles/matrix-postgres/tasks/import_sqlite_db.yml @@ -79,7 +79,7 @@ --network={{ matrix_docker_network }} --entrypoint=python -v {{ matrix_synapse_config_dir_path }}:/data - -v {{ matrix_synapse_run_path }}:/matrix-run + -v {{ matrix_synapse_config_dir_path }}:/matrix-media-store-parent/media-store -v {{ server_path_homeserver_db }}:/{{ server_path_homeserver_db|basename }}:ro {{ matrix_synapse_docker_image }} /usr/local/bin/synapse_port_db --sqlite-database /{{ server_path_homeserver_db|basename }} --postgres-config /data/homeserver.yaml diff --git a/roles/matrix-postgres/tasks/run_synapse_janitor.yml b/roles/matrix-postgres/tasks/run_synapse_janitor.yml index 41484d79..d7f283be 100644 --- a/roles/matrix-postgres/tasks/run_synapse_janitor.yml +++ b/roles/matrix-postgres/tasks/run_synapse_janitor.yml @@ -66,7 +66,7 @@ - name: Generate Postgres database synapse-janitor command set_fact: matrix_postgres_synapse_janitor_command: >- - /usr/bin/docker run --rm --name matrix-postgres-synapse-janitor + {{ matrix_host_command_docker }} run --rm --name matrix-postgres-synapse-janitor --user={{ matrix_user_uid }}:{{ matrix_user_gid }} --cap-drop=ALL --network={{ matrix_docker_network }} diff --git a/roles/matrix-postgres/tasks/run_vacuum.yml b/roles/matrix-postgres/tasks/run_vacuum.yml index 3c3292ff..19a27562 100644 --- a/roles/matrix-postgres/tasks/run_vacuum.yml +++ b/roles/matrix-postgres/tasks/run_vacuum.yml 
@@ -45,7 +45,7 @@ - name: Generate Postgres database vacuum command set_fact: matrix_postgres_vacuum_command: >- - /usr/bin/docker run --rm --name matrix-postgres-synapse-vacuum + {{ matrix_host_command_docker }} run --rm --name matrix-postgres-synapse-vacuum --user={{ matrix_user_uid }}:{{ matrix_user_gid }} --cap-drop=ALL --network={{ matrix_docker_network }} diff --git a/roles/matrix-postgres/tasks/upgrade_postgres.yml b/roles/matrix-postgres/tasks/upgrade_postgres.yml index 8a3886b3..73263695 100644 --- a/roles/matrix-postgres/tasks/upgrade_postgres.yml +++ b/roles/matrix-postgres/tasks/upgrade_postgres.yml @@ -79,7 +79,7 @@ # we need to remove these from the dump, or we'll get errors saying these already exist. - name: Perform Postgres database dump command: >- - /usr/bin/docker run --rm --name matrix-postgres-dump + {{ matrix_host_command_docker }} run --rm --name matrix-postgres-dump --user={{ matrix_user_uid }}:{{ matrix_user_gid }} --network={{ matrix_docker_network }} --env-file={{ matrix_postgres_base_path }}/env-postgres-psql @@ -123,7 +123,7 @@ - name: Generate Postgres database import command set_fact: matrix_postgres_import_command: >- - /usr/bin/docker run --rm --name matrix-postgres-import + {{ matrix_host_command_docker }} run --rm --name matrix-postgres-import --user={{ matrix_user_uid }}:{{ matrix_user_gid }} --cap-drop=ALL --network={{ matrix_docker_network }} diff --git a/roles/matrix-postgres/templates/systemd/matrix-postgres.service.j2 b/roles/matrix-postgres/templates/systemd/matrix-postgres.service.j2 index 4a197003..8e6392c1 100644 --- a/roles/matrix-postgres/templates/systemd/matrix-postgres.service.j2 +++ b/roles/matrix-postgres/templates/systemd/matrix-postgres.service.j2 
@@ -6,10 +6,10 @@ Requires=docker.service [Service] Type=simple -ExecStartPre=-/usr/bin/docker stop matrix-postgres -ExecStartPre=-/usr/bin/docker rm matrix-postgres +ExecStartPre=-{{ matrix_host_command_docker }} stop matrix-postgres +ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-postgres -ExecStart=/usr/bin/docker run --rm --name matrix-postgres \ +ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-postgres \ --log-driver=none \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --cap-drop=ALL \ @@ -28,8 +28,8 @@ ExecStart=/usr/bin/docker run --rm --name matrix-postgres \ {% endfor %} {{ matrix_postgres_docker_image_to_use }} -ExecStop=-/usr/bin/docker stop matrix-postgres -ExecStop=-/usr/bin/docker rm matrix-postgres +ExecStop=-{{ matrix_host_command_docker }} stop matrix-postgres +ExecStop=-{{ matrix_host_command_docker }} rm matrix-postgres Restart=always RestartSec=30 SyslogIdentifier=matrix-postgres diff --git a/roles/matrix-riot-web/defaults/main.yml b/roles/matrix-riot-web/defaults/main.yml index 71255e24..700e0ec3 100644 --- a/roles/matrix-riot-web/defaults/main.yml +++ b/roles/matrix-riot-web/defaults/main.yml @@ -2,7 +2,7 @@ matrix_riot_web_enabled: true matrix_riot_web_container_image_self_build: false -matrix_riot_web_docker_image: "vectorim/riot-web:v1.6.0" +matrix_riot_web_docker_image: "vectorim/riot-web:v1.6.4" matrix_riot_web_docker_image_force_pull: "{{ matrix_riot_web_docker_image.endswith(':latest') }}" matrix_riot_web_data_path: "{{ matrix_base_data_path }}/riot-web" diff --git a/roles/matrix-riot-web/templates/systemd/matrix-riot-web.service.j2 b/roles/matrix-riot-web/templates/systemd/matrix-riot-web.service.j2 index 51c61f47..a15cb55e 100644 --- a/roles/matrix-riot-web/templates/systemd/matrix-riot-web.service.j2 +++ b/roles/matrix-riot-web/templates/systemd/matrix-riot-web.service.j2 
@@ -8,10 +8,10 @@ After={{ service }} [Service] Type=simple -ExecStartPre=-/usr/bin/docker kill matrix-riot-web -ExecStartPre=-/usr/bin/docker rm matrix-riot-web +ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-riot-web +ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-riot-web -ExecStart=/usr/bin/docker run --rm --name matrix-riot-web \ +ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-riot-web \ --log-driver=none \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --cap-drop=ALL \ @@ -22,8 +22,8 @@ ExecStart=/usr/bin/docker run --rm --name matrix-riot-web \ {% endif %} --tmpfs=/tmp:rw,noexec,nosuid,size=10m \ -v {{ matrix_riot_web_data_path }}/nginx.conf:/etc/nginx/nginx.conf:ro \ - -v /dev/null:/etc/nginx/conf.d/default.conf:ro \ -v {{ matrix_riot_web_data_path }}/config.json:/app/config.json:ro \ + -v {{ matrix_riot_web_data_path }}/config.json:/app/config.{{ matrix_server_fqn_riot }}.json:ro \ {% if matrix_riot_web_embedded_pages_home_path is not none %} -v {{ matrix_riot_web_data_path }}/home.html:/app/home.html:ro \ {% endif %} @@ -33,8 +33,8 @@ ExecStart=/usr/bin/docker run --rm --name matrix-riot-web \ {% endfor %} {{ matrix_riot_web_docker_image }} -ExecStop=-/usr/bin/docker kill matrix-riot-web -ExecStop=-/usr/bin/docker rm matrix-riot-web +ExecStop=-{{ matrix_host_command_docker }} kill matrix-riot-web +ExecStop=-{{ matrix_host_command_docker }} rm matrix-riot-web Restart=always RestartSec=30 SyslogIdentifier=matrix-riot-web diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index 8597c751..6d09add5 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml 
@@ -5,13 +5,12 @@ matrix_synapse_enabled: true matrix_synapse_container_image_self_build: false -matrix_synapse_docker_image: "matrixdotorg/synapse:v1.12.4" +matrix_synapse_docker_image: "matrixdotorg/synapse:v1.14.0" matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}" matrix_synapse_base_path: "{{ matrix_base_data_path }}/synapse" matrix_synapse_docker_src_files_path: "{{ matrix_synapse_base_path }}/docker-src" matrix_synapse_config_dir_path: "{{ matrix_synapse_base_path }}/config" -matrix_synapse_run_path: "{{ matrix_synapse_base_path }}/run" matrix_synapse_storage_path: "{{ matrix_synapse_base_path }}/storage" matrix_synapse_media_store_path: "{{ matrix_synapse_storage_path }}/media-store" matrix_synapse_ext_path: "{{ matrix_synapse_base_path }}/ext" @@ -203,12 +202,12 @@ matrix_synapse_password_config_localdb_enabled: true # Controls the number of events that Synapse caches in memory. matrix_synapse_event_cache_size: "100K" -# Controls cache sizes for Synapse via the SYNAPSE_CACHE_FACTOR environment variable. +# Controls cache sizes for Synapse. # Raise this to increase cache sizes or lower it to potentially lower memory use. # To learn more, see: # - https://github.com/matrix-org/synapse#help-synapse-eats-all-my-ram # - https://github.com/matrix-org/synapse/issues/3939 -matrix_synapse_cache_factor: 0.5 +matrix_synapse_caches_global_factor: 0.5 # Controls whether Synapse will federate at all. # Disable this to completely isolate your server from the rest of the Matrix network. 
@@ -300,7 +299,7 @@ matrix_synapse_ext_password_provider_rest_auth_login_profile_name_autofill: fals # Enable this to activate the Shared Secret Auth password provider module. # See: https://github.com/devture/matrix-synapse-shared-secret-auth matrix_synapse_ext_password_provider_shared_secret_auth_enabled: false -matrix_synapse_ext_password_provider_shared_secret_auth_download_url: "https://raw.githubusercontent.com/devture/matrix-synapse-shared-secret-auth/1.0.1/shared_secret_authenticator.py" +matrix_synapse_ext_password_provider_shared_secret_auth_download_url: "https://raw.githubusercontent.com/devture/matrix-synapse-shared-secret-auth/1.0.2/shared_secret_authenticator.py" matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret: "" # Enable this to activate LDAP password provider @@ -358,7 +357,7 @@ matrix_synapse_default_room_version: "5" # # If a spam-checker extension is enabled, this variable's value is set automatically by the playbook during runtime. # If not, you can also control its value manually. -matrix_synapse_spam_checker: ~ +matrix_synapse_spam_checker: [] matrix_synapse_trusted_key_servers: - server_name: "matrix.org" diff --git a/roles/matrix-synapse/tasks/ext/synapse-simple-antispam/setup_install.yml b/roles/matrix-synapse/tasks/ext/synapse-simple-antispam/setup_install.yml index 69e55a39..2599e7f1 100644 --- a/roles/matrix-synapse/tasks/ext/synapse-simple-antispam/setup_install.yml +++ b/roles/matrix-synapse/tasks/ext/synapse-simple-antispam/setup_install.yml 
@@ -38,10 +38,15 @@ become_user: "{{ matrix_user_username }}" - set_fact: - matrix_synapse_spam_checker: - module: "synapse_simple_antispam.AntiSpamInvites" - config: - blocked_homeservers: "{{ matrix_synapse_ext_spam_checker_synapse_simple_antispam_config_blocked_homeservers }}" + matrix_synapse_spam_checker: > + {{ matrix_synapse_spam_checker }} + + + [{ + "module": "synapse_simple_antispam.AntiSpamInvites", + "config": { + "blocked_homeservers": {{ matrix_synapse_ext_spam_checker_synapse_simple_antispam_config_blocked_homeservers }} + } + }] matrix_synapse_container_extra_arguments: > {{ matrix_synapse_container_extra_arguments|default([]) }} diff --git a/roles/matrix-synapse/tasks/self_check_federation_api.yml b/roles/matrix-synapse/tasks/self_check_federation_api.yml index fd4b338c..2a716d6b 100644 --- a/roles/matrix-synapse/tasks/self_check_federation_api.yml +++ b/roles/matrix-synapse/tasks/self_check_federation_api.yml @@ -11,7 +11,7 @@ - name: Fail if Matrix Federation API not working fail: - msg: "Failed checking Matrix Federation API is up at `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ matrix_synapse_federation_api_url_endpoint_public }}`). Is Synapse running? Is port 8448 open in your firewall? Full error: {{ result_matrix_synapse_federation_api }}" + msg: "Failed checking Matrix Federation API is up at `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ matrix_synapse_federation_api_url_endpoint_public }}`). Is Synapse running? Is port {{ matrix_federation_public_port }} open in your firewall? Full error: {{ result_matrix_synapse_federation_api }}" when: "matrix_synapse_enabled|bool and matrix_synapse_federation_enabled|bool and (result_matrix_synapse_federation_api.failed or 'json' not in result_matrix_synapse_federation_api)" - name: Fail if Matrix Federation API unexpectedly enabled diff --git a/roles/matrix-synapse/tasks/setup_synapse.yml b/roles/matrix-synapse/tasks/setup_synapse.yml index 4fb41b1a..1ae7ade6 100644 
--- a/roles/matrix-synapse/tasks/setup_synapse.yml +++ b/roles/matrix-synapse/tasks/setup_synapse.yml @@ -9,7 +9,6 @@ group: "{{ matrix_user_groupname }}" with_items: - { path: "{{ matrix_synapse_config_dir_path }}", when: true } - - { path: "{{ matrix_synapse_run_path }}", when: true } - { path: "{{ matrix_synapse_ext_path }}", when: true } - { path: "{{ matrix_synapse_docker_src_files_path }}", when: "{{ matrix_synapse_container_image_self_build }}" } # We handle matrix_synapse_media_store_path elsewhere (in ./synapse/setup_install.yml), diff --git a/roles/matrix-synapse/tasks/update_user_password.yml b/roles/matrix-synapse/tasks/update_user_password.yml index 1e86bd49..78136785 100644 --- a/roles/matrix-synapse/tasks/update_user_password.yml +++ b/roles/matrix-synapse/tasks/update_user_password.yml @@ -36,7 +36,7 @@ when: "start_result.changed or postgres_start_result.changed" - name: Generate password hash - shell: "/usr/bin/docker exec matrix-synapse /usr/local/bin/hash_password -c /data/homeserver.yaml -p {{ password|quote }}" + shell: "{{ matrix_host_command_docker }} exec matrix-synapse /usr/local/bin/hash_password -c /data/homeserver.yaml -p {{ password|quote }}" register: password_hash - name: Update user password hash diff --git a/roles/matrix-synapse/tasks/validate_config.yml b/roles/matrix-synapse/tasks/validate_config.yml index f3a4a869..01368cc8 100644 --- a/roles/matrix-synapse/tasks/validate_config.yml +++ b/roles/matrix-synapse/tasks/validate_config.yml @@ -31,3 +31,4 @@ - {'old': 'matrix_synapse_container_expose_client_api_port', 'new': ''} - {'old': 'matrix_synapse_container_expose_federation_api_port', 'new': ''} - {'old': 'matrix_synapse_container_expose_metrics_port', 'new': ''} + - {'old': 'matrix_synapse_cache_factor', 'new': 'matrix_synapse_caches_global_factor'} 
diff --git a/roles/matrix-synapse/templates/goofys/systemd/matrix-goofys.service.j2 b/roles/matrix-synapse/templates/goofys/systemd/matrix-goofys.service.j2 index d2cc0b87..d9d752c2 100644 --- a/roles/matrix-synapse/templates/goofys/systemd/matrix-goofys.service.j2 +++ b/roles/matrix-synapse/templates/goofys/systemd/matrix-goofys.service.j2 @@ -6,10 +6,10 @@ Requires=docker.service [Service] Type=simple -ExecStartPre=-/usr/bin/docker kill %n -ExecStartPre=-/usr/bin/docker rm %n +ExecStartPre=-{{ matrix_host_command_docker }} kill %n +ExecStartPre=-{{ matrix_host_command_docker }} rm %n -ExecStart=/usr/bin/docker run --rm --name %n \ +ExecStart={{ matrix_host_command_docker }} run --rm --name %n \ --log-driver=none \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ -v /etc/passwd:/etc/passwd:ro \ @@ -25,10 +25,10 @@ ExecStart=/usr/bin/docker run --rm --name %n \ -c 'goofys -f{% if not matrix_s3_media_store_custom_endpoint_enabled %} --storage-class=STANDARD_IA{% endif %}{% if matrix_s3_media_store_custom_endpoint_enabled %} --endpoint={{ matrix_s3_media_store_custom_endpoint }}{% endif %} --region {{ matrix_s3_media_store_region }} --stat-cache-ttl 60m0s --type-cache-ttl 60m0s --dir-mode 0700 --file-mode 0700 {{ matrix_s3_media_store_bucket_name }} /s3' TimeoutStartSec=5min -ExecStop=-/usr/bin/docker stop %n -ExecStop=-/usr/bin/docker kill %n -ExecStop=-/usr/bin/docker rm %n -ExecStop=-/bin/fusermount -u {{ matrix_synapse_media_store_path }} +ExecStop=-{{ matrix_host_command_docker }} stop %n +ExecStop=-{{ matrix_host_command_docker }} kill %n +ExecStop=-{{ matrix_host_command_docker }} rm %n +ExecStop=-{{ matrix_host_command_fusermount }} -u {{ matrix_synapse_media_store_path }} Restart=always RestartSec=5 SyslogIdentifier=matrix-goofys diff --git a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 index 4479d8fc..15b06c87 100644 --- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 
+++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 @@ -20,10 +20,15 @@ server_name: "{{ matrix_domain }}" # pid_file: /homeserver.pid -# The path to the web client which will be served at /_matrix/client/ -# if 'webclient' is configured under the 'listeners' configuration. +# The absolute URL to the web client which /_matrix/client will redirect +# to if 'webclient' is configured under the 'listeners' configuration. # -#web_client_location: "/path/to/web/root" +# This option can be also set to the filesystem path to the web client +# which will be served at /_matrix/client/ if 'webclient' is configured +# under the 'listeners' configuration, however this is a security risk: +# https://github.com/matrix-org/synapse#security-note +# +#web_client_location: https://riot.example.com/ # The public-facing base URL that clients use to access this HS # (not including _matrix/...). This is the same URL a user would @@ -252,6 +257,19 @@ listeners: {% endif %} +# Forward extremities can build up in a room due to networking delays between +# homeservers. Once this happens in a large room, calculation of the state of +# that room can become quite expensive. To mitigate this, once the number of +# forward extremities reaches a given threshold, Synapse will send an +# org.matrix.dummy_event event, which will reduce the forward extremities +# in the room. +# +# This setting defines the threshold (i.e. number of forward extremities in the +# room) at which dummy events are sent. The default value is 10. +# +#dummy_events_threshold: 5 + + ## Homeserver blocking ## # How to reach the server admin, used in ResourceLimitError 
@@ -302,22 +320,27 @@ listeners: # Used by phonehome stats to group together related servers. #server_context: context -# Resource-constrained homeserver Settings +# Resource-constrained homeserver settings # -# If limit_remote_rooms.enabled is True, the room complexity will be -# checked before a user joins a new remote room. If it is above -# limit_remote_rooms.complexity, it will disallow joining or -# instantly leave. +# When this is enabled, the room "complexity" will be checked before a user +# joins a new remote room. If it is above the complexity limit, the server will +# disallow joining, or will instantly leave. # -# limit_remote_rooms.complexity_error can be set to customise the text -# displayed to the user when a room above the complexity threshold has -# its join cancelled. +# Room complexity is an arbitrary measure based on factors such as the number of +# users in the room. # -# Uncomment the below lines to enable: -#limit_remote_rooms: -# enabled: True -# complexity: 1.0 -# complexity_error: "This room is too complex." +limit_remote_rooms: + # Uncomment to enable room complexity checking. + # + #enabled: true + + # the limit above which rooms cannot be joined. The default is 1.0. + # + #complexity: 0.5 + + # override the error which is returned when the room is too complex. + # + #complexity_error: "This room is too complex." # Whether to require a user to be in the room to add an alias to it. # Defaults to 'true'. 
@@ -410,6 +433,16 @@ retention: # longest_max_lifetime: 1y # interval: 1d +# Inhibits the /requestToken endpoints from returning an error that might leak +# information about whether an e-mail address is in use or not on this +# homeserver. +# Note that for some endpoints the error situation is the e-mail already being +# used, and for others the error is entering the e-mail being unused. +# If this option is enabled, instead of returning an error, these endpoints will +# act as if no error happened and return a fake session ID ('sid') to clients. +# +#request_token_inhibit_3pid_errors: true + ## TLS ## 
@@ -577,6 +610,50 @@ acme: +## Caching ## + +# Caching can be configured through the following options. +# +# A cache 'factor' is a multiplier that can be applied to each of +# Synapse's caches in order to increase or decrease the maximum +# number of entries that can be stored. + +# The number of events to cache in memory. Not affected by +# caches.global_factor. +# +event_cache_size: "{{ matrix_synapse_event_cache_size }}" + +caches: + # Controls the global cache factor, which is the default cache factor + # for all caches if a specific factor for that cache is not otherwise + # set. + # + # This can also be set by the "SYNAPSE_CACHE_FACTOR" environment + # variable. Setting by environment variable takes priority over + # setting through the config file. + # + # Defaults to 0.5, which will half the size of all caches. + # + global_factor: {{ matrix_synapse_caches_global_factor }} + + # A dictionary of cache name to cache factor for that individual + # cache. Overrides the global cache factor for a given cache. + # + # These can also be set through environment variables comprised + # of "SYNAPSE_CACHE_FACTOR_" + the name of the cache in capital + # letters and underscores. Setting by environment variable + # takes priority over setting through the config file. + # Ex. SYNAPSE_CACHE_FACTOR_GET_USERS_WHO_SHARE_ROOM_WITH_USER=2.0 + # + # Some caches have '*' and other characters that are not + # alphanumeric or underscores. These caches can be named with or + # without the special characters stripped. For example, to specify + # the cache factor for `*stateGroupCache*` via an environment + # variable would be `SYNAPSE_CACHE_FACTOR_STATEGROUPCACHE=2.0`. + # + per_cache_factors: + #get_users_who_share_room_with_user: 2.0 + ## Database ## database: @@ -590,10 +667,6 @@ database: cp_min: 5 cp_max: 10 -# Number of events to cache in memory. -# -event_cache_size: "{{ matrix_synapse_event_cache_size }}" - ## Logging ## 
@@ -706,20 +779,15 @@ media_store_path: "/matrix-media-store-parent/{{ matrix_synapse_media_store_dire # #media_storage_providers: # - module: file_system -# # Whether to write new local files. +# # Whether to store newly uploaded local files # store_local: false -# # Whether to write new remote media +# # Whether to store newly downloaded remote files # store_remote: false -# # Whether to block upload requests waiting for write to this -# # provider to complete +# # Whether to wait for successful storage for local uploads # store_synchronous: false # config: # directory: /mnt/some/other/directory -# Directory where in-progress uploads are stored. -# -uploads_path: "/matrix-run/uploads" - # The largest allowed upload size in bytes # max_upload_size: "{{ matrix_synapse_max_upload_size_mb }}M" 
@@ -834,31 +902,55 @@ url_preview_ip_range_blacklist: # max_spider_size: 10M +# A list of values for the Accept-Language HTTP header used when +# downloading webpages during URL preview generation. This allows +# Synapse to specify the preferred languages that URL previews should +# be in when communicating with remote servers. +# +# Each value is a IETF language tag; a 2-3 letter identifier for a +# language, optionally followed by subtags separated by '-', specifying +# a country or region variant. +# +# Multiple values can be provided, and a weight can be added to each by +# using quality value syntax (;q=). '*' translates to any language. +# +# Defaults to "en". +# +# Example: +# +# url_preview_accept_language: +# - en-UK +# - en-US;q=0.9 +# - fr;q=0.8 +# - *;q=0.7 +# +url_preview_accept_language: +# - en + ## Captcha ## -# See docs/CAPTCHA_SETUP for full details of configuring this. +# See docs/CAPTCHA_SETUP.md for full details of configuring this. -# This homeserver's ReCAPTCHA public key. +# This homeserver's ReCAPTCHA public key. Must be specified if +# enable_registration_captcha is enabled. # #recaptcha_public_key: "YOUR_PUBLIC_KEY" -# This homeserver's ReCAPTCHA private key. +# This homeserver's ReCAPTCHA private key. Must be specified if +# enable_registration_captcha is enabled. # #recaptcha_private_key: "YOUR_PRIVATE_KEY" -# Enables ReCaptcha checks when registering, preventing signup +# Uncomment to enable ReCaptcha checks when registering, preventing signup # unless a captcha is answered. Requires a valid ReCaptcha -# public/private key. -# -#enable_registration_captcha: false - -# A secret key used to bypass the captcha test entirely. +# public/private key. Defaults to 'false'. # -#captcha_bypass_secret: "YOUR_SECRET_HERE" +#enable_registration_captcha: true # The API endpoint to use for verifying m.login.recaptcha responses. +# Defaults to "https://www.recaptcha.net/recaptcha/api/siteverify". 
# -#recaptcha_siteverify_api: "https://www.recaptcha.net/recaptcha/api/siteverify" +#recaptcha_siteverify_api: "https://my.recaptcha.site" ## TURN ## @@ -1066,6 +1158,29 @@ account_threepid_delegates: email: {{ matrix_synapse_account_threepid_delegates_email|to_json }} msisdn: {{ matrix_synapse_account_threepid_delegates_msisdn|to_json }} +# Whether users are allowed to change their displayname after it has +# been initially set. Useful when provisioning users based on the +# contents of a third-party directory. +# +# Does not apply to server administrators. Defaults to 'true' +# +#enable_set_displayname: false + +# Whether users are allowed to change their avatar after it has been +# initially set. Useful when provisioning users based on the contents +# of a third-party directory. +# +# Does not apply to server administrators. Defaults to 'true' +# +#enable_set_avatar_url: false + +# Whether users can change the 3PIDs associated with their accounts +# (email address and msisdn). +# +# Defaults to 'true' +# +#enable_3pid_changes: false + # Users who register on this homeserver will automatically be joined # to these rooms # @@ -1108,13 +1223,14 @@ sentry: # enabled by default, either for performance reasons or limited use. # metrics_flags: - # Publish synapse_federation_known_servers, a g auge of the number of + # Publish synapse_federation_known_servers, a gauge of the number of # servers this homeserver knows about, including itself. May cause # performance problems on large homeservers. # #known_servers: true # Whether or not to report anonymized homeserver usage statistics. +# report_stats: {{ matrix_synapse_report_stats|to_json }} # The endpoint to report the anonymized homeserver usage statistics to. 
@@ -1272,32 +1388,32 @@ saml2_config: # remote: # - url: https://our_idp/metadata.xml # - # # By default, the user has to go to our login page first. If you'd like - # # to allow IdP-initiated login, set 'allow_unsolicited: true' in a - # # 'service.sp' section: - # # - # #service: - # # sp: - # # allow_unsolicited: true - # - # # The examples below are just used to generate our metadata xml, and you - # # may well not need them, depending on your setup. Alternatively you - # # may need a whole lot more detail - see the pysaml2 docs! - # - # description: ["My awesome SP", "en"] - # name: ["Test SP", "en"] - # - # organization: - # name: Example com - # display_name: - # - ["Example co", "en"] - # url: "http://example.com" - # - # contact_person: - # - given_name: Bob - # sur_name: "the Sysadmin" - # email_address": ["admin@example.com"] - # contact_type": technical + # # By default, the user has to go to our login page first. If you'd like + # # to allow IdP-initiated login, set 'allow_unsolicited: true' in a + # # 'service.sp' section: + # # + # #service: + # # sp: + # # allow_unsolicited: true + # + # # The examples below are just used to generate our metadata xml, and you + # # may well not need them, depending on your setup. Alternatively you + # # may need a whole lot more detail - see the pysaml2 docs! + # + # description: ["My awesome SP", "en"] + # name: ["Test SP", "en"] + # + # organization: + # name: Example com + # display_name: + # - ["Example co", "en"] + # url: "http://example.com" + # + # contact_person: + # - given_name: Bob + # sur_name: "the Sysadmin" + # email_address": ["admin@example.com"] + # contact_type": technical # Instead of putting the config inline as above, you can specify a # separate pysaml2 configuration file: 
@@ -1381,6 +1497,94 @@ saml2_config: #template_dir: "res/templates" +# Enable OpenID Connect for registration and login. Uses authlib. +# +oidc_config: + # enable OpenID Connect. Defaults to false. + # + #enabled: true + + # use the OIDC discovery mechanism to discover endpoints. Defaults to true. + # + #discover: true + + # the OIDC issuer. Used to validate tokens and discover the providers endpoints. Required. + # + #issuer: "https://accounts.example.com/" + + # oauth2 client id to use. Required. + # + #client_id: "provided-by-your-issuer" + + # oauth2 client secret to use. Required. + # + #client_secret: "provided-by-your-issuer" + + # auth method to use when exchanging the token. + # Valid values are "client_secret_basic" (default), "client_secret_post" and "none". + # + #client_auth_method: "client_secret_basic" + + # list of scopes to ask. This should include the "openid" scope. Defaults to ["openid"]. + # + #scopes: ["openid"] + + # the oauth2 authorization endpoint. Required if provider discovery is disabled. + # + #authorization_endpoint: "https://accounts.example.com/oauth2/auth" + + # the oauth2 token endpoint. Required if provider discovery is disabled. + # + #token_endpoint: "https://accounts.example.com/oauth2/token" + + # the OIDC userinfo endpoint. Required if discovery is disabled and the "openid" scope is not asked. + # + #userinfo_endpoint: "https://accounts.example.com/userinfo" + + # URI where to fetch the JWKS. Required if discovery is disabled and the "openid" scope is used. + # + #jwks_uri: "https://accounts.example.com/.well-known/jwks.json" + + # skip metadata verification. Defaults to false. + # Use this if you are connecting to a provider that is not OpenID Connect compliant. + # Avoid this in production. + # + #skip_verification: false + + + # An external module can be provided here as a custom solution to mapping + # attributes returned from a OIDC provider onto a matrix user. + # + user_mapping_provider: + # The custom module's class. 
Uncomment to use a custom module. + # Default is 'synapse.handlers.oidc_handler.JinjaOidcMappingProvider'. + # + #module: mapping_provider.OidcMappingProvider + + # Custom configuration values for the module. Below options are intended + # for the built-in provider, they should be changed if using a custom + # module. This section will be passed as a Python dictionary to the + # module's `parse_config` method. + # + # Below is the config of the default mapping provider, based on Jinja2 + # templates. Those templates are used to render user attributes, where the + # userinfo object is available through the `user` variable. + # + config: + # name of the claim containing a unique identifier for the user. + # Defaults to `sub`, which OpenID Connect compliant providers should provide. + # + #subject_claim: "sub" + + # Jinja2 template for the localpart of the MXID + # + localpart_template: "{% raw %}{{ user.preferred_username }}{% endraw %}" + + # Jinja2 template for the display name to set on first login. Optional. + # + #display_name_template: "{% raw %}{{ user.given_name }} {{ user.last_name }}{% endraw %}" + + # Enable CAS for registration and login. # 
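Review bot: in the oidc_config hunk, `localpart_template: "{% raw %}{{ user.preferred_username }}{% endraw %}"` is the one key left active, and it derives the MXID localpart from the `preferred_username` claim. OpenID Connect Core explicitly says a relying party MUST NOT rely on that claim being unique, so two IdP accounts with the same `preferred_username`, or a user who can change theirs, collide onto a single Matrix account; the hunk's own comment notes that `sub` is the identifier compliant providers guarantee. Document that admins must confirm their IdP makes `preferred_username` unique and stable, or template the localpart from a claim that is. Separately, unlike `saml2_config`, nothing in this block is driven by playbook variables (`issuer`, `client_id`, `client_secret` all stay commented), so OIDC cannot be enabled without editing the template; either add `matrix_synapse_oidc_*` variables or state in the docs that it is unsupported for now. The `{% raw %}` wrapping is correct and needed, since this file is itself an Ansible template.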
@@ -1388,10 +1592,96 @@ saml2_config: # enabled: true # server_url: "https://cas-server.com" # service_url: "https://homeserver.domain.com:8448" +# #displayname_attribute: name # #required_attributes: # # name: value +# Additional settings to use with single-sign on systems such as SAML2 and CAS. +# +sso: + # A list of client URLs which are whitelisted so that the user does not + # have to confirm giving access to their account to the URL. Any client + # whose URL starts with an entry in the following list will not be subject + # to an additional confirmation step after the SSO login is completed. + # + # WARNING: An entry such as "https://my.client" is insecure, because it + # will also match "https://my.client.evil.site", exposing your users to + # phishing attacks from evil.site. To avoid this, include a slash after the + # hostname: "https://my.client/". + # + # If public_baseurl is set, then the login fallback page (used by clients + # that don't natively support the required login flows) is whitelisted in + # addition to any URLs in this list. + # + # By default, this list is empty. + # + #client_whitelist: + # - https://riot.im/develop + # - https://my.custom.client/ + + # Directory in which Synapse will try to find the template files below. + # If not set, default templates from within the Synapse package will be used. + # + # DO NOT UNCOMMENT THIS SETTING unless you want to customise the templates. + # If you *do* uncomment it, you will need to make sure that all the templates + # below are in the directory. + # + # Synapse will look for the following templates in this directory: + # + # * HTML page for a confirmation step before redirecting back to the client + # with the login token: 'sso_redirect_confirm.html'. + # + # When rendering, this template is given three variables: + # * redirect_url: the URL the user is about to be redirected to. Needs + # manual escaping (see + # https://jinja.palletsprojects.com/en/2.11.x/templates/#html-escaping). 
+ # + # * display_url: the same as `redirect_url`, but with the query + # parameters stripped. The intention is to have a + # human-readable URL to show to users, not to use it as + # the final address to redirect to. Needs manual escaping + # (see https://jinja.palletsprojects.com/en/2.11.x/templates/#html-escaping). + # + # * server_name: the homeserver's name. + # + # * HTML page which notifies the user that they are authenticating to confirm + # an operation on their account during the user interactive authentication + # process: 'sso_auth_confirm.html'. + # + # When rendering, this template is given the following variables: + # * redirect_url: the URL the user is about to be redirected to. Needs + # manual escaping (see + # https://jinja.palletsprojects.com/en/2.11.x/templates/#html-escaping). + # + # * description: the operation which the user is being asked to confirm + # + # * HTML page shown after a successful user interactive authentication session: + # 'sso_auth_success.html'. + # + # Note that this page must include the JavaScript which notifies of a successful authentication + # (see https://matrix.org/docs/spec/client_server/r0.6.0#fallback). + # + # This template has no additional variables. + # + # * HTML page shown during single sign-on if a deactivated user (according to Synapse's database) + # attempts to login: 'sso_account_deactivated.html'. + # + # This template has no additional variables. + # + # * HTML page to display to users if something goes wrong during the + # OpenID Connect authentication process: 'sso_error.html'. + # + # When rendering, this template is given two variables: + # * error: the technical name of the error + # * error_description: a human-readable message for the error + # + # You can see the default templates at: + # https://github.com/matrix-org/synapse/tree/master/synapse/res/templates + # + #template_dir: "res/templates" + + # The JWT needs to contain a globally unique "sub" (subject) claim. # #jwt_config: 
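Review bot: in the sso hunk, the first `client_whitelist` example, `https://riot.im/develop`, has no trailing slash even though the WARNING a few lines above recommends one; entries are prefix-matched, so the example as written also covers any other path beginning with `/develop` on that host. Make the example consistent with the warning (`https://riot.im/develop/`), and if `client_whitelist` is ever exposed as a playbook variable, repeat the hostname-suffix caveat (`https://my.client` matching `https://my.client.evil.site`) in the playbook docs, since that is the entry most admins will reach for when allow-listing their own client.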
@@ -1434,8 +1724,8 @@ email: # Username/password for authentication to the SMTP server. By default, no # authentication is attempted. # - # smtp_user: "exampleusername" - # smtp_pass: "examplepassword" + #smtp_user: "exampleusername" + #smtp_pass: "examplepassword" # Uncomment the following to require TLS transport security for SMTP. # By default, Synapse will connect over plain text, and will then switch to @@ -1532,8 +1822,19 @@ email: #template_dir: "res/templates" {% endif %} - -#password_providers: +# Password providers allow homeserver administrators to integrate +# their Synapse installation with existing authentication methods +# ex. LDAP, external tokens, etc. +# +# For more information and known implementations, please see +# https://github.com/matrix-org/synapse/blob/master/docs/password_auth_providers.md +# +# Note: instances wishing to use SAML or CAS authentication should +# instead use the `saml2_config` or `cas_config` options, +# respectively. +# +# password_providers: +# # Example config for an LDAP auth provider # - module: "ldap_auth_provider.LdapAuthProvider" # config: # enabled: true @@ -1603,10 +1904,17 @@ push: include_content: {{ matrix_synapse_push_include_content|to_json }} -#spam_checker: -# module: "my_custom_project.SuperSpamChecker" -# config: -# example_option: 'things' +# Spam checkers are third-party modules that can block specific actions +# of local users, such as creating rooms and registering undesirable +# usernames, as well as remote users by redacting incoming events. +# +# spam_checker: + #- module: "my_custom_project.SuperSpamChecker" + # config: + # example_option: 'things' + #- module: "some_other_project.BadEventStopper" + # config: + # example_stop_events_from: ['@bad:example.com'] spam_checker: {{ matrix_synapse_spam_checker|to_json }} # Uncomment to allow non-server-admin users to create groups on this server 
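Review bot: the spam_checker hunk swaps the single-mapping example (`#spam_checker:` / `# module: ...`) for a list-form example (`#- module: "my_custom_project.SuperSpamChecker"` plus a second `BadEventStopper` entry), but the rendered value is still `spam_checker: {{ matrix_synapse_spam_checker|to_json }}`. Check that the default of `matrix_synapse_spam_checker` and the documented override are a list rather than a mapping, otherwise the comment now documents a shape the playbook never produces. Minor: the `  #- module:` lines are indented under `# spam_checker:` while the new password_providers block above keeps every comment flush with `# `; pick one style. The `smtp_user`/`smtp_pass` change is comment formatting only and is fine.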
diff --git a/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 b/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 index 0bd2c25d..47786eee 100644 --- a/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 +++ b/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 @@ -11,16 +11,16 @@ Wants={{ service }} [Service] Type=simple -ExecStartPre=-/usr/bin/docker kill matrix-synapse -ExecStartPre=-/usr/bin/docker rm matrix-synapse +ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-synapse +ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-synapse {% if matrix_s3_media_store_enabled %} # Allow for some time before starting, so that media store can mount. # Mounting can happen later too, but if we start writing, # we'd write files to the local filesystem and fusermount will complain. -ExecStartPre=/bin/sleep 3 +ExecStartPre={{ matrix_host_command_sleep }} 3 {% endif %} -ExecStart=/usr/bin/docker run --rm --name matrix-synapse \ +ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-synapse \ --log-driver=none \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --cap-drop=ALL \ @@ -28,7 +28,6 @@ ExecStart=/usr/bin/docker run --rm --name matrix-synapse \ --read-only \ --tmpfs=/tmp:rw,noexec,nosuid,size={{ matrix_synapse_tmp_directory_size_mb }}m \ --network={{ matrix_docker_network }} \ - -e SYNAPSE_CACHE_FACTOR={{ matrix_synapse_cache_factor }} \ {% if matrix_synapse_container_client_api_host_bind_port %} -p {{ matrix_synapse_container_client_api_host_bind_port }}:8008 \ {% endif %} 
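Review bot: the `docker run` hunk drops `-e SYNAPSE_CACHE_FACTOR={{ matrix_synapse_cache_factor }}` but nothing visible in this patch consumes `matrix_synapse_cache_factor` anywhere else. If the intent is that cache sizing now comes from homeserver.yaml, make sure the template actually renders it there and say so in the changelog; otherwise the variable is dead and existing deployments silently fall back to Synapse's default cache factor. The `/usr/bin/docker` -> `{{ matrix_host_command_docker }}` and `/bin/sleep` -> `{{ matrix_host_command_sleep }}` substitutions are fine, and `--cap-drop=ALL`, `--read-only` and the `noexec,nosuid` tmpfs are preserved.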
@@ -45,7 +44,6 @@ ExecStart=/usr/bin/docker run --rm --name matrix-synapse \ -p {{ matrix_synapse_container_manhole_api_host_bind_port }}:9000 \ {% endif %} -v {{ matrix_synapse_config_dir_path }}:/data:ro \ - -v {{ matrix_synapse_run_path }}:/matrix-run:rw \ -v {{ matrix_synapse_storage_path }}:/matrix-media-store-parent:slave \ {% for volume in matrix_synapse_container_additional_volumes %} -v {{ volume.src }}:{{ volume.dst }}:{{ volume.options }} \ @@ -56,9 +54,9 @@ ExecStart=/usr/bin/docker run --rm --name matrix-synapse \ {{ matrix_synapse_docker_image }} \ -m synapse.app.homeserver -c /data/homeserver.yaml -ExecStop=-/usr/bin/docker kill matrix-synapse -ExecStop=-/usr/bin/docker rm matrix-synapse -ExecReload=/usr/bin/docker exec matrix-synapse kill -HUP 1 +ExecStop=-{{ matrix_host_command_docker }} kill matrix-synapse +ExecStop=-{{ matrix_host_command_docker }} rm matrix-synapse +ExecReload={{ matrix_host_command_docker }} exec matrix-synapse kill -HUP 1 Restart=always RestartSec=30 SyslogIdentifier=matrix-synapse diff --git a/roles/matrix-synapse/vars/main.yml b/roles/matrix-synapse/vars/main.yml index bb0a06f2..b53dceb8 100644 --- a/roles/matrix-synapse/vars/main.yml +++ b/roles/matrix-synapse/vars/main.yml @@ -3,7 +3,7 @@ matrix_synapse_id_servers_public: ['vector.im', 'matrix.org'] matrix_synapse_client_api_url_endpoint_public: "https://{{ matrix_server_fqn_matrix }}/_matrix/client/versions" -matrix_synapse_federation_api_url_endpoint_public: "https://{{ matrix_server_fqn_matrix }}:8448/_matrix/federation/v1/version" +matrix_synapse_federation_api_url_endpoint_public: "https://{{ matrix_server_fqn_matrix }}:{{ matrix_federation_public_port }}/_matrix/federation/v1/version" # Tells whether this role had executed or not. Toggled to `true` during runtime. matrix_synapse_role_executed: false diff --git a/setup.yml b/setup.yml index ff80320a..4831873e 100755 --- a/setup.yml +++ b/setup.yml 
@@ -18,6 +18,7 @@ - matrix-bridge-mautrix-whatsapp - matrix-bridge-mx-puppet-skype - matrix-bridge-mx-puppet-slack + - matrix-bridge-sms - matrix-synapse - matrix-riot-web - matrix-jitsi
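Review bot: in the matrix-synapse.service.j2 hunk above, the `-v {{ matrix_synapse_run_path }}:/matrix-run:rw` mount is removed while `--read-only` stays on the container. Confirm that homeserver.yaml no longer points `pid_file` or any other writable path under `/matrix-run`; with a read-only root filesystem the only writable locations left are the `/tmp` tmpfs and the media store mount, and a leftover path makes Synapse fail at startup rather than degrade. Also worth a comment in vars/main.yml: `matrix_synapse_federation_api_url_endpoint_public` now depends on `matrix_federation_public_port`, which is defined outside this role (not in this patch), so the self-check assumes that role has been loaded first. The setup.yml hunk adding `matrix-bridge-sms` alongside the other bridges, ahead of `matrix-synapse`, is consistent with the existing ordering.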