diff --git a/CHANGELOG.md b/CHANGELOG.md index 43af8dd1..e9f23468 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,80 @@ +# 2022-01-07 + +## Dendrite support + +**TLDR**: We now have optional experimental [Dendrite](https://github.com/matrix-org/dendrite) homeserver support for new installations. **Existing (Synapse) installations need to be updated**, because some internals changed. See [Adapting the configuration for existing Synapse installations](#adapting-the-configuration-for-existing-synapse-installations). + +[Jip J. Dekker](https://github.com/Dekker1) did the [initial work](https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/818) of adding [Dendrite](https://github.com/matrix-org/dendrite) support to the playbook back in January 2021. Lots of work (and time) later, Dendrite support is finally ready for testing. + +We believe that 2022 will be the year of the non-Synapse Matrix server! + +The playbook was previously quite [Synapse](https://github.com/matrix-org/synapse)-centric, but can now accommodate multiple homeserver implementations. Only one homeserver implementation can be active (installed) at a given time. + +**Synapse is still the default homeserver implementation** installed by the playbook. A new variable (`matrix_homeserver_implementation`) controls which server implementation is enabled (`synapse` or `dendrite` at the given moment). + +### Adapting the configuration for existing Synapse installations + +Because the playbook is not so Synapse-centric anymore, a small configuration change is necessary for existing installations to bring them up to date. + +The `vars.yml` file for **existing installations will need to be updated** by adding this **additional configuration**: + +```yaml +# All secrets keys are now derived from `matrix_homeserver_generic_secret_key`, not from `matrix_synapse_macaroon_secret_key`. +# To keep them all the same, define `matrix_homeserver_generic_secret_key` in terms of `matrix_synapse_macaroon_secret_key`. +# Using a new secret value for this configuration key is also possible and should not cause any problems. +# +# Fun fact: new installations (based on the new `examples/vars.yml` file) do this in reverse. +# That is, the Synapse macaroon secret is derived from `matrix_homeserver_generic_secret_key`. +matrix_homeserver_generic_secret_key: "{{ matrix_synapse_macaroon_secret_key }}" +``` + +### Trying out Dendrite + +Finally, **to try out Dendrite**, we recommend that you **use a new server** and the following addition to your `vars.yml` configuration: + +```yaml +matrix_homeserver_implementation: dendrite +``` + +**The homeserver implementation of an existing server cannot be changed** (e.g. from Synapse to Dendrite) without data loss. + +We're excited to gain support for other homeserver implementations, like [Conduit](https://conduit.rs/), etc! + + +## Honoroit bot support + +Thanks to [Aine](https://gitlab.com/etke.cc) of [etke.cc](https://etke.cc/), the playbook can now help you set up [Honoroit](https://gitlab.com/etke.cc/honoroit) - a helpdesk bot. + +See our [Setting up Honoroit](docs/configuring-playbook-bot-honoroit.md) documentation to get started. + + +# 2022-01-06 + +## Cinny support + +Thanks to [Aine](https://gitlab.com/etke.cc) of [etke.cc](https://etke.cc/), the playbook now supports [Cinny](https://cinny.in/) - a new simple, elegant and secure Matrix client. + +By default, we still install Element. Still, people who'd like to try Cinny out can now install it via the playbook. + +Additional details are available in [Setting up Cinny](docs/configuring-playbook-client-cinny.md). + + +# 2021-12-22 + +## Twitter bridging support via mautrix-twitter + +Thanks to [Matthew Cengia](https://github.com/mattcen) and [Shreyas Ajjarapu](https://github.com/shreyasajj), besides [mx-puppet-twitter](docs/configuring-playbook-bridge-mx-puppet-twitter.md), bridging to [Twitter](https://twitter.com/) can now also happen with [mautrix-twitter](docs/configuring-playbook-bridge-mautrix-twitter.md). + + +# 2021-12-14 + +## (Security) Users of the Signal bridge may wish to upgrade it to work around log4j vulnerability + +Recently, a security vulnerability affecting the Java logging package `log4j` [has been discovered](https://www.huntress.com/blog/rapid-response-critical-rce-vulnerability-is-affecting-java). Software that uses this Java package is potentially vulnerable. + +One such piece of software that is part of the playbook is the [mautrix-signal bridge](./docs/configuring-playbook-bridge-mautrix-signal.md), which [has been patched already](https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1452). If you're running this bridge, you may wish to [upgrade](./docs/maintenance-upgrading-services.md). + + # 2021-11-11 ## Dropped support for Postgres v9.6 diff --git a/README.md b/README.md index 6e1b5c14..af02a3b0 100644 --- a/README.md +++ b/README.md @@ -19,6 +19,8 @@ Using this playbook, you can get the following services configured on your serve - (optional, default) a [Synapse](https://github.com/matrix-org/synapse) homeserver - storing your data and managing your presence in the [Matrix](http://matrix.org/) network +- (optional) a [Dendrite](https://github.com/matrix-org/dendrite) homeserver - storing your data and managing your presence in the [Matrix](http://matrix.org/) network. Dendrite is a second-generation Matrix homeserver written in Go, an alternative to Synapse. + - (optional) [Amazon S3](https://aws.amazon.com/s3/) storage for Synapse's content repository (`media_store`) files using [Goofys](https://github.com/kahing/goofys) - (optional, default) [PostgreSQL](https://www.postgresql.org/) database for Synapse. [Using an external PostgreSQL server](docs/configuring-playbook-external-postgres.md) is also possible. @@ -51,6 +53,8 @@ Using this playbook, you can get the following services configured on your serve - (optional) the [mautrix-facebook](https://github.com/mautrix/facebook) bridge for bridging your Matrix server to [Facebook](https://facebook.com/) +- (optional) the [mautrix-twitter](https://github.com/mautrix/twitter) bridge for bridging your Matrix server to [Twitter](https://twitter.com/) + - (optional) the [mautrix-hangouts](https://github.com/mautrix/hangouts) bridge for bridging your Matrix server to [Google Hangouts](https://en.wikipedia.org/wiki/Google_Hangouts) - (optional) the [mautrix-googlechat](https://github.com/mautrix/googlechat) bridge for bridging your Matrix server to [Google Chat](https://en.wikipedia.org/wiki/Google_Chat) @@ -97,6 +101,8 @@ Using this playbook, you can get the following services configured on your serve - (optional) [matrix-reminder-bot](https://github.com/anoadragon453/matrix-reminder-bot) for scheduling one-off & recurring reminders and alarms - see [docs/configuring-playbook-bot-matrix-reminder-bot.md](docs/configuring-playbook-bot-matrix-reminder-bot.md) for setup documentation +- (optional) [honoroit](https://gitlab.com/etke.cc/honoroit) helpdesk bot - see [docs/configuring-playbook-bot-honoroit.md](docs/configuring-playbook-bot-honoroit.md) for setup documentation + - (optional) [Go-NEB](https://github.com/matrix-org/go-neb) multi functional bot written in Go - see [docs/configuring-playbook-bot-go-neb.md](docs/configuring-playbook-bot-go-neb.md) for setup documentation - (optional) [Mjolnir](https://github.com/matrix-org/mjolnir), a moderation tool for Matrix - see [docs/configuring-playbook-bot-mjolnir.md](docs/configuring-playbook-bot-mjolnir.md) for setup documentation @@ -111,6 +117,8 @@ Using this playbook, you can get the following services configured on your serve - (optional) the [Hydrogen](https://github.com/vector-im/hydrogen-web) web client - see [docs/configuring-playbook-client-hydrogen.md](docs/configuring-playbook-client-hydrogen.md) for setup documentation +- (optional) the [Cinny](https://github.com/ajbura/cinny) web client - see [docs/configuring-playbook-client-cinny.md](docs/configuring-playbook-client-cinny.md) for setup documentation + Basically, this playbook aims to get you up-and-running with all the necessities around Matrix, without you having to do anything else. **Note**: the list above is exhaustive. It includes optional or even some advanced components that you will most likely not need. diff --git a/collections/requirements.yml b/collections/requirements.yml new file mode 100644 index 00000000..9d365441 --- /dev/null +++ b/collections/requirements.yml @@ -0,0 +1,4 @@ +--- +collections: + - name: community.general + - name: community.docker diff --git a/docs/ansible.md b/docs/ansible.md index 50251540..50cf83ed 100644 --- a/docs/ansible.md +++ b/docs/ansible.md @@ -51,7 +51,7 @@ docker run -it --rm \ -v `pwd`:/work \ -v $HOME/.ssh/id_rsa:/root/.ssh/id_rsa:ro \ --entrypoint=/bin/sh \ -docker.io/devture/ansible:2.10.7-r0 +docker.io/devture/ansible:2.11.6-r1 ``` The above command tries to mount an SSH key (`$HOME/.ssh/id_rsa`) into the container (at `/root/.ssh/id_rsa`). diff --git a/docs/configuring-awx-system.md b/docs/configuring-awx-system.md index f455f058..c33664c2 100644 --- a/docs/configuring-awx-system.md +++ b/docs/configuring-awx-system.md @@ -4,7 +4,7 @@ An AWX setup for managing multiple Matrix servers. This section is used in an AWX system that can create and manage multiple [Matrix](http://matrix.org/) servers. You can issue members an AWX login to their own 'organisation', which they can use to manage/configure 1 to N servers. -Members can be assigned a server from Digitalocean, or they can connect their own on-premises server. This script is free to use in a commercial context with the 'MemberPress Plus' and 'WP Oauth Sever' addons. It can also be run in a non-commercial context. +Members can be assigned a server from Digitalocean, or they can connect their own on-premises server. These playbooks are free to use in a commercial context with the 'MemberPress Plus' plugin. They can also be run in a non-commercial context. The AWX system is arranged into 'members' each with their own 'subscriptions'. After creating a subscription the user enters the 'provision stage' where they defined the URLs they will use, the servers location and whether or not there's already a website at the base domain. They then proceed onto the 'deploy stage' where they can configure their Matrix server. @@ -21,12 +21,7 @@ The following repositories allow you to copy and use this setup: [Ansible Provision Server](https://gitlab.com/GoMatrixHosting/ansible-provision-server) - Used by AWX members to perform initial configuration of their DigitalOcean or On-Premises server. - -## Testing Fork For This Playbook - -Updates to this section are trailed here: - -[GoMatrixHosting Matrix Docker Ansible Deploy](https://gitlab.com/GoMatrixHosting/matrix-docker-ansible-deploy) +[GMHosting External Tools](https://gitlab.com/GoMatrixHosting/gmhosting-external-tools) - Extra tools we run outside of AWX, some of which are experimental. ## Does I need an AWX setup to use this? How do I configure it? @@ -38,7 +33,6 @@ For simpler installation steps you can use to get started with this system, chec ## Does I need a front-end WordPress site? And a DigitalOcean account? -You do not need a front-end WordPress site or any of the mentioned WordPress plugins to use this setup. It can be run on it's own in a non-commercial context. - -You also don't need a DigitalOcean account, but this will limit you to only being able to connect 'On-Premises' servers. +You do not need a front-end WordPress site or the MemberPress plugin to use this setup. It can be run on it's own in a non-commercial context. +You also don't need a DigitalOcean account, although this will limit you to only being able to connect 'On-Premises' servers. diff --git a/docs/configuring-dns.md b/docs/configuring-dns.md index af2badca..4416c3bc 100644 --- a/docs/configuring-dns.md +++ b/docs/configuring-dns.md @@ -37,6 +37,7 @@ If you are using Cloudflare DNS, make sure to disable the proxy and set all reco | CNAME | `goneb` | - | - | - | `matrix.` | | CNAME | `sygnal` | - | - | - | `matrix.` | | CNAME | `hydrogen` | - | - | - | `matrix.` | +| CNAME | `cinny` | - | - | - | `matrix.` | ## Subdomains setup @@ -57,6 +58,7 @@ The `sygnal.` subdomain may be necessary, because this playbook cou The `hydrogen.` subdomain may be necessary, because this playbook could install the [Hydrogen](https://github.com/vector-im/hydrogen-web) web client. The installation of Hydrogen is disabled by default, it is not a core required component. To learn how to install it, see our [configuring Hydrogen guide](configuring-playbook-client-hydrogen.md). If you do not wish to set up Hydrogen, feel free to skip the `hydrogen.` DNS record. +The `cinny.` subdomain may be necessary, because this playbook could install the [Cinny](https://github.com/ajbura/cinny) web client. The installation of cinny is disabled by default, it is not a core required component. To learn how to install it, see our [configuring cinny guide](configuring-playbook-client-cinny.md). If you do not wish to set up cinny, feel free to skip the `cinny.` DNS record. ## `_matrix-identity._tcp` SRV record setup diff --git a/docs/configuring-playbook-bot-go-neb.md b/docs/configuring-playbook-bot-go-neb.md index ab84e017..33ce4dd3 100644 --- a/docs/configuring-playbook-bot-go-neb.md +++ b/docs/configuring-playbook-bot-go-neb.md @@ -198,8 +198,8 @@ matrix_bot_go_neb_services: # Each room will get the notification with the alert rendered with the given template rooms: "!someroomid:domain.tld": - text_template: "{{range .Alerts -}} [{{ .Status }}] {{index .Labels \"alertname\" }}: {{index .Annotations \"description\"}} {{ end -}}" - html_template: "{{range .Alerts -}} {{ $severity := index .Labels \"severity\" }} {{ if eq .Status \"firing\" }} {{ if eq $severity \"critical\"}} [FIRING - CRITICAL] {{ else if eq $severity \"warning\"}} [FIRING - WARNING] {{ else }} [FIRING - {{ $severity }}] {{ end }} {{ else }} [RESOLVED] {{ end }} {{ index .Labels \"alertname\"}} : {{ index .Annotations \"description\"}} source
{{end -}}" + text_template: "{% raw %}{{range .Alerts -}} [{{ .Status }}] {{index .Labels \"alertname\" }}: {{index .Annotations \"description\"}} {{ end -}}{% endraw %}" + html_template: "{% raw %}{{range .Alerts -}} {{ $severity := index .Labels \"severity\" }} {{ if eq .Status \"firing\" }} {{ if eq $severity \"critical\"}} [FIRING - CRITICAL] {{ else if eq $severity \"warning\"}} [FIRING - WARNING] {{ else }} [FIRING - {{ $severity }}] {{ end }} {{ else }} [RESOLVED] {{ end }} {{ index .Labels \"alertname\"}} : {{ index .Annotations \"description\"}} source
{{end -}}{% endraw %}" msg_type: "m.text" # Must be either `m.text` or `m.notice` ``` diff --git a/docs/configuring-playbook-bot-honoroit.md b/docs/configuring-playbook-bot-honoroit.md new file mode 100644 index 00000000..45fc033d --- /dev/null +++ b/docs/configuring-playbook-bot-honoroit.md @@ -0,0 +1,55 @@ +# Setting up Honoroit (optional) + +The playbook can install and configure [Honoroit](https://gitlab.com/etke.cc/honoroit) for you. + +It's a bot you can use to setup **your own helpdesk on matrix** + +See the project's [documentation](https://gitlab.com/etke.cc/honoroit#how-it-looks-like) to learn what it does with screenshots and why it might be useful to you. + + +## Registering the bot user + +By default, the playbook will set up the bot with a username like this: `@honoroit:DOMAIN`. + +(to use a different username, adjust the `matrix_bot_honoroit_login` variable). + +You **need to register the bot user manually** before setting up the bot. You can use the playbook to [register a new user](registering-users.md): + +``` +ansible-playbook -i inventory/hosts setup.yml --extra-vars='username=honoroit password=PASSWORD_FOR_THE_BOT admin=no' --tags=register-user +``` + +Choose a strong password for the bot. You can generate a good password with a command like this: `pwgen -s 64 1`. + + +## Adjusting the playbook configuration + +Add the following configuration to your `inventory/host_vars/matrix.DOMAIN/vars.yml` file: + +```yaml +matrix_bot_honoroit_enabled: true + +# Adjust this to whatever password you chose when registering the bot user +matrix_bot_honoroit_password: PASSWORD_FOR_THE_BOT + +# Adjust this to your room ID +matrix_bot_honoroit_roomid: "!yourRoomID:DOMAIN" +``` + + +## Installing + +After configuring the playbook, run the [installation](installing.md) command again: + +``` +ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start +``` + + +## Usage + +To use the bot, invite the `@honoroit:DOMAIN` to the room you specified in config, after that any matrix user can send a message to the `@honoroit:DOMAIN` to start a new thread in that room. + +Send `!ho help` to the room to see the bot's help menu for additional commands. + +You can also refer to the upstream [documentation](https://gitlab.com/etke.cc/honoroit#features). diff --git a/docs/configuring-playbook-bridge-mautrix-twitter.md b/docs/configuring-playbook-bridge-mautrix-twitter.md new file mode 100644 index 00000000..3d5b49cf --- /dev/null +++ b/docs/configuring-playbook-bridge-mautrix-twitter.md @@ -0,0 +1,35 @@ +# Setting up Mautrix Twitter (optional) + +**Note**: bridging to [Twitter](https://twitter.com/) can also happen via the [mx-puppet-twitter](configuring-playbook-bridge-mx-puppet-twitter.md) bridge supported by the playbook. + +The playbook can install and configure [mautrix-twitter](https://github.com/mautrix/twitter) for you. + +See the project's [documentation](https://github.com/mautrix/twitter) to learn what it does and why it might be useful to you. + +```yaml +matrix_mautrix_twitter_enabled: true +``` + + +## Set up Double Puppeting + +If you'd like to use [Double Puppeting](https://docs.mau.fi/bridges/general/double-puppeting.html) (hint: you most likely do), you have 2 ways of going about it. + +### Method 1: automatically, by enabling Shared Secret Auth + +The bridge will automatically perform Double Puppeting if you enable [Shared Secret Auth](configuring-playbook-shared-secret-auth.md) for this playbook. + +This is the recommended way of setting up Double Puppeting, as it's easier to accomplish, works for all your users automatically, and has less of a chance of breaking in the future. + +### Method 2: manually, by asking each user to provide a working access token + +This method is currently not available for the Mautrix-Twitter bridge, but is on the [roadmap](https://github.com/mautrix/twitter/blob/master/ROADMAP.md) under Misc/Manual login with `login-matrix` + +## Usage + +1. You then need to start a chat with `@twitterbot:YOUR_DOMAIN` (where `YOUR_DOMAIN` is your base domain, not the `matrix.` domain). +2. Send login-cookie to start the login. The bot should respond with instructions on how to proceed. + +You can learn more here about authentication from the bridge's [official documentation on Authentication](https://docs.mau.fi/bridges/python/twitter/authentication.html). + +After successfully enabling bridging, you may wish to [set up Double Puppeting](#set-up-double-puppeting), if you haven't already done so. diff --git a/docs/configuring-playbook-bridge-mx-puppet-twitter.md b/docs/configuring-playbook-bridge-mx-puppet-twitter.md index dd2c9c12..cd3dd39c 100644 --- a/docs/configuring-playbook-bridge-mx-puppet-twitter.md +++ b/docs/configuring-playbook-bridge-mx-puppet-twitter.md @@ -1,5 +1,7 @@ # Setting up MX Puppet Twitter (optional) +**Note**: bridging to [Twitter](https://twitter.com/) can also happen via the [mautrix-twitter](configuring-playbook-bridge-mautrix-twitter.md) bridge supported by the playbook. + The playbook can install and configure [mx-puppet-twitter](https://github.com/Sorunome/mx-puppet-twitter) for you. diff --git a/docs/configuring-playbook-client-cinny.md b/docs/configuring-playbook-client-cinny.md new file mode 100644 index 00000000..73a8bbee --- /dev/null +++ b/docs/configuring-playbook-client-cinny.md @@ -0,0 +1,21 @@ +# Configuring Cinny (optional) + +This playbook can install the [cinny](https://github.com/ajbura/cinny) Matrix web client for you. +cinny is a web client focusing primarily on simple, elegant and secure interface. +cinny can be installed alongside or instead of Element. + +If you'd like cinny to be installed, add the following to your configuration file (`inventory/host_vars/matrix./vars.yml`): + +```yaml +matrix_client_cinny_enabled: true +``` + +You will also need to add a DNS record so that cinny can be accessed. +By default cinny will use https://cinny.DOMAIN so you will need to create an CNAME record +for `cinny`. See [Configuring DNS](configuring-dns.md). + +If you would like to use a different domain, add the following to your configuration file (changing it to use your preferred domain): + +```yaml + matrix_server_fqn_cinny: "app.{{ matrix_domain }}" +``` diff --git a/docs/configuring-playbook-dimension.md b/docs/configuring-playbook-dimension.md index 69ed7aa7..b938a6a3 100644 --- a/docs/configuring-playbook-dimension.md +++ b/docs/configuring-playbook-dimension.md @@ -58,7 +58,7 @@ curl -X POST --header 'Content-Type: application/json' -d '{ "type": "m.login.password" }' 'https://matrix.YOURDOMAIN/_matrix/client/r0/login' ``` -*Change the "YourDimensionUser/Pass" URL accordigly* +*Change `YourDimensionUsername`, `YourDimensionPassword`, and `YOURDOMAIN` accordingly.* **Access tokens are sensitive information. Do not include them in any bug reports, messages, or logs. Do not share the access token with anyone.** diff --git a/docs/configuring-playbook-etherpad.md b/docs/configuring-playbook-etherpad.md index e5533e71..4c38bb3c 100644 --- a/docs/configuring-playbook-etherpad.md +++ b/docs/configuring-playbook-etherpad.md @@ -25,6 +25,23 @@ The Dimension administrator users can configure the default URL template. The Di If you wish to disable the Etherpad chat button, you can do it by appending `?showChat=false` to the end of the pad URL, or the template. Example: `https://dimension./etherpad/p/$roomId_$padName?showChat=false` +### Etherpad Admin access (optional) + +Etherpad comes with a admin web-UI which is disabled by default. You can enable it by setting a username and password in your configuration file (`inventory/host_vars/matrix./vars.yml`): + +```yaml +matrix_etherpad_admin_username: admin +matrix_etherpad_admin_password: some-password +``` + +The admin web-UI should then be available on: `https://dimension./etherpad/admin` + +### Managing / Deleting old pads + +If you want to manage and remove old unused pads from Etherpad, you will first need to able Admin access as described above. + +Then from the plugin manager page (`https://dimension./etherpad/admin/plugins`), install the `adminpads2` plugin. Once installed, you should have a "Manage pads" section in the Admin web-UI. + ## Known issues If your Etherpad widget fails to load, this might be due to Dimension generating a Pad name so long, the Etherpad app rejects it. diff --git a/docs/configuring-playbook-jitsi.md b/docs/configuring-playbook-jitsi.md index f4e4c9f3..f7e8a949 100644 --- a/docs/configuring-playbook-jitsi.md +++ b/docs/configuring-playbook-jitsi.md @@ -41,13 +41,23 @@ If you're fine with such an open Jitsi instance, please skip to [Apply changes]( If you would like to control who is allowed to open meetings on your new Jitsi instance, then please follow this step to enable Jitsi's authentication and guests mode. With authentication enabled, all meeting rooms have to be opened by a registered user, after which guests are free to join. If a registered host is not yet present, guests are put on hold in individual waiting rooms. -Add these two lines to your `inventory/host_vars/matrix.DOMAIN/vars.yml` configuration: +Add these lines to your `inventory/host_vars/matrix.DOMAIN/vars.yml` configuration: ```yaml matrix_jitsi_enable_auth: true matrix_jitsi_enable_guests: true +matrix_jitsi_prosody_auth_internal_accounts: + - username: "jitsi-moderator" + password: "secret-password" + - username: "another-user" + password: "another-password" ``` +**Caution:** Accounts added here and subsquently removed will not be automatically removed from the Prosody server until user account cleaning is integrated into the playbook. + +**If you get an error** like this: "Error: Account creation/modification not supported.", it's likely that you had previously installed Jitsi without auth/guest support. In such a case, you should look into [Rebuilding your Jitsi installation](#rebuilding-your-jitsi-installation). + + ### (Optional) LDAP authentication The default authentication mode of Jitsi is `internal`, however LDAP is also supported. An example LDAP configuration could be: @@ -122,19 +132,6 @@ You may want to **limit the maximum video resolution**, to save up resources on Then re-run the playbook: `ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start` -## Required if configuring Jitsi with internal authentication: register new users - -Until this gets integrated into the playbook, we need to register new users / meeting hosts for Jitsi manually. -Please SSH into your matrix host machine and execute the following command targeting the `matrix-jitsi-prosody` container: - -```bash -docker exec matrix-jitsi-prosody prosodyctl --config /config/prosody.cfg.lua register meet.jitsi -``` - -Run this command for each user you would like to create, replacing `` and `` accordingly. After you've finished, please exit the host. - -**If you get an error** like this: "Error: Account creation/modification not supported.", it's likely that you had previously installed Jitsi without auth/guest support. In such a case, you should look into [Rebuilding your Jitsi installation](#rebuilding-your-jitsi-installation). - ## Usage diff --git a/docs/configuring-playbook-own-webserver.md b/docs/configuring-playbook-own-webserver.md index 6a33ffbe..c7e56f14 100644 --- a/docs/configuring-playbook-own-webserver.md +++ b/docs/configuring-playbook-own-webserver.md @@ -64,7 +64,7 @@ Once you've followed the [Preparation](#preparation) guide above, you can take a ### Using your own external caddy webserver -After following the [Preparation](#preparation) guide above, you can take a look at the [examples/caddy](../examples/caddy) directory for a sample configuration. +After following the [Preparation](#preparation) guide above, you can take a look at the [examples/caddy](../examples/caddy) directory and [examples/caddy2](../examples/caddy2) directory for a sample configuration for Caddy v1 and v2, respectively. ### Using your own HAproxy reverse proxy After following the [Preparation](#preparation) guide above, you can take a look at the [examples/haproxy](../examples/haproxy) directory for a sample configuration. In this case HAproxy is used as a reverse proxy and a simple Nginx container is used to serve statically `.well-known` files. @@ -111,6 +111,9 @@ matrix_coturn_enabled: false # Trust the reverse proxy to send the correct `X-Forwarded-Proto` header as it is handling the SSL connection. matrix_nginx_proxy_trust_forwarded_proto: true + +# Trust and use the other reverse proxy's `X-Forwarded-For` header. +matrix_nginx_proxy_x_forwarded_for: '$proxy_add_x_forwarded_for' ``` With this, nginx would still be in use, but it would not bother with anything SSL related or with taking up public ports. @@ -136,6 +139,12 @@ matrix_nginx_proxy_https_enabled: false matrix_nginx_proxy_container_http_host_bind_port: '' matrix_nginx_proxy_container_federation_host_bind_port: '' +# Trust the reverse proxy to send the correct `X-Forwarded-Proto` header as it is handling the SSL connection. +matrix_nginx_proxy_trust_forwarded_proto: true + +# Trust and use the other reverse proxy's `X-Forwarded-For` header. +matrix_nginx_proxy_x_forwarded_for: '$proxy_add_x_forwarded_for' + # Disable Coturn because it needs SSL certs # (Clients can, though exposing IP address, use Matrix.org TURN) matrix_coturn_enabled: false diff --git a/docs/configuring-playbook.md b/docs/configuring-playbook.md index 243440dd..31168d23 100644 --- a/docs/configuring-playbook.md +++ b/docs/configuring-playbook.md @@ -69,6 +69,7 @@ When you're done with all the configuration you'd like to do, continue with [Ins - [Adjusting email-sending settings](configuring-playbook-email.md) (optional) - [Setting up Hydrogen](configuring-playbook-client-hydrogen.md) - a new lightweight matrix client with legacy and mobile browser support (optional) +- [Setting up Cinny](configuring-playbook-client-cinny.md) - a web client focusing primarily on simple, elegant and secure interface (optional) ### Authentication and user-related @@ -102,6 +103,8 @@ When you're done with all the configuration you'd like to do, continue with [Ins - [Setting up Mautrix Instagram bridging](configuring-playbook-bridge-mautrix-instagram.md) (optional) +- [Setting up Mautrix Twitter bridging](configuring-playbook-bridge-mautrix-twitter.md) (optional) + - [Setting up Mautrix Signal bridging](configuring-playbook-bridge-mautrix-signal.md) (optional) - [Setting up Appservice IRC bridging](configuring-playbook-bridge-appservice-irc.md) (optional) @@ -139,6 +142,8 @@ When you're done with all the configuration you'd like to do, continue with [Ins - [Setting up matrix-reminder-bot](configuring-playbook-bot-matrix-reminder-bot.md) - a bot to remind you about stuff (optional) +- [Setting up honoroit](configuring-playbook-bot-honoroit.md) - a helpdesk bot (optional) + - [Setting up Go-NEB](configuring-playbook-bot-go-neb.md) - an extensible multifunctional bot (optional) - [Setting up Mjolnir](configuring-playbook-bot-mjolnir.md) - a moderation tool/bot (optional) diff --git a/docs/container-images.md b/docs/container-images.md index 6fbb9205..cf680d21 100644 --- a/docs/container-images.md +++ b/docs/container-images.md @@ -30,6 +30,8 @@ These services are enabled and used by default, but you can turn them off, if yo These services are not part of our default installation, but can be enabled by [configuring the playbook](configuring-playbook.md) (either before the initial installation or any time later): +- [matrixdotorg/dendrite-monolith](https://hub.docker.com/r/matrixdotorg/dendrite-monolith/) - the official [Dendrite](https://github.com/matrix-org/dendrite) Matrix homeserver (optional) + - [ewoutp/goofys](https://hub.docker.com/r/ewoutp/goofys/) - the [Goofys](https://github.com/kahing/goofys) Amazon [S3](https://aws.amazon.com/s3/) file-system-mounting program (optional) - [etherpad/etherpad](https://hub.docker.com/r/etherpad/etherpad/) - the [Etherpad](https://etherpad.org) realtime collaborative text editor that can be used in a Jitsi audio/video call or integrated as a widget into Matrix chat rooms via the Dimension integration manager (optional) @@ -46,6 +48,8 @@ These services are not part of our default installation, but can be enabled by [ - [mautrix/facebook](https://mau.dev/mautrix/facebook/container_registry) - the [mautrix-facebook](https://github.com/mautrix/facebook) bridge to [Facebook](https://facebook.com/) (optional) +- [mautrix/twitter](https://mau.dev/mautrix/twitter/container_registry) - the [mautrix-twitter](https://github.com/mautrix/twitter) bridge to [Twitter](https://twitter.com/) (optional) + - [mautrix/hangouts](https://mau.dev/mautrix/hangouts/container_registry) - the [mautrix-hangouts](https://github.com/mautrix/hangouts) bridge to [Google Hangouts](https://en.wikipedia.org/wiki/Google_Hangouts) (optional) - [mautrix/googlechat](https://mau.dev/mautrix/googlechat/container_registry) - the [mautrix-googlechat](https://github.com/mautrix/googlechat) bridge to [Google Chat](https://en.wikipedia.org/wiki/Google_Chat) (optional) @@ -90,6 +94,8 @@ These services are not part of our default installation, but can be enabled by [ - [anoa/matrix-reminder-bot](https://hub.docker.com/r/anoa/matrix-reminder-bot) - the [matrix-reminder-bot](https://github.com/anoadragon453/matrix-reminder-bot) bot for one-off & recurring reminders and alarms (optional) +- [etke.cc/honoroit](https://gitlab.com/etke.cc/honoroit/container_registry) - the [honoroit](https://gitlab.com/etke.cc/honoroit) helpdesk bot (optional) + - [matrixdotorg/go-neb](https://hub.docker.com/r/matrixdotorg/go-neb) - the [Go-NEB](https://github.com/matrix-org/go-neb) bot (optional) - [matrixdotorg/mjolnir](https://hub.docker.com/r/matrixdotorg/mjolnir) - the [mjolnir](https://github.com/matrix-org/mjolnir) moderation bot (optional) diff --git a/docs/importing-postgres.md b/docs/importing-postgres.md index 925ed14d..c5a8d828 100644 --- a/docs/importing-postgres.md +++ b/docs/importing-postgres.md @@ -12,7 +12,8 @@ If your database name differs, be sure to change `matrix_synapse_database_databa The playbook supports importing Postgres dump files in **text** (e.g. `pg_dump > dump.sql`) or **gzipped** formats (e.g. `pg_dump | gzip -c > dump.sql.gz`). -Importing multiple databases (as dumped by `pg_dumpall`) is also supported. +Importing multiple databases (as dumped by `pg_dumpall`) is also supported. +But the migration might be a good moment, to "reset" a not properly working bridge. Be aware, that it might affect all users (new link to bridge, new roomes, ...) Before doing the actual import, **you need to upload your Postgres dump file to the server** (any path is okay). @@ -32,6 +33,7 @@ ansible-playbook -i inventory/hosts setup.yml \ ## Troubleshooting +### Table Ownership A table ownership issue can occur if you are importing from a Synapse installation which was both: - migrated from SQLite to Postgres, and @@ -48,7 +50,7 @@ where `synapse_user` is the database username from the previous Synapse installa This can be verified by examining the dump for ALTER TABLE statements which set OWNER TO that username: ```Shell -$ grep "ALTER TABLE" homeserver.sql" +$ grep "ALTER TABLE" homeserver.sql ALTER TABLE public.access_tokens OWNER TO synapse_user; ALTER TABLE public.account_data OWNER TO synapse_user; ALTER TABLE public.account_data_max_stream_id OWNER TO synapse_user; @@ -60,10 +62,10 @@ ALTER TABLE public.application_services_state OWNER TO synapse_user; It can be worked around by changing the username to `synapse`, for example by using `sed`: ```Shell -$ sed -i "s/synapse_user/synapse/g" homeserver.sql +$ sed -i "s/OWNER TO synapse_user;/OWNER TO synapse;/g" homeserver.sql ``` -This uses sed to perform an 'in-place' (`-i`) replacement globally (`/g`), searching for `synapse user` and replacing with `synapse` (`s/synapse_user/synapse`). If your database username was different, change `synapse_user` to that username instead. +This uses sed to perform an 'in-place' (`-i`) replacement globally (`/g`), searching for `synapse_user` and replacing with `synapse` (`s/synapse_user/synapse`). If your database username was different, change `synapse_user` to that username instead. Expand search/replace statement as shown in example above, in case of old user name like `matrix` - replacing `matrix` only would... well - you can imagine. Note that if the previous import failed with an error it may have made changes which are incompatible with re-running the import task right away; if you do so it may fail with an error such as: @@ -71,6 +73,8 @@ Note that if the previous import failed with an error it may have made changes w ERROR: relation \"access_tokens\" already exists ``` +### Repeat import + In this case you can use the command suggested in the import task to clear the database before retrying the import: ```Shell @@ -79,4 +83,20 @@ In this case you can use the command suggested in the import task to clear the d # systemctl start matrix-postgres ``` -Once the database is clear and the ownership of the tables has been fixed in the SQL file, the import task should succeed. +Now on your local machine run `ansible-playbook -i inventory/hosts setup.yml --tags=setup-postgres` to prepare the database roles etc. + +If not, you probably get this error. `synapse` is the correct table owner, but the role is missing in database. +``` +"ERROR: role synapse does not exist" +``` + +Once the database is clear and the ownership of the tables has been fixed in the SQL file, the import task should succeed. +Check, if `--dbname` is set to `synapse` (not `matrix`) and replace paths (or even better, copy this line from your terminal) + +``` +/usr/bin/env docker run --rm --name matrix-postgres-import --log-driver=none --user=998:1001 --cap-drop=ALL --network=matrix --env-file=/matrix/postgres/env-postgres-psql --mount type=bind,src=/migration/synapse_dump.sql,dst=/synapse_dump.sql,ro --entrypoint=/bin/sh docker.io/postgres:14.1-alpine -c "cat /synapse_dump.sql | grep -vE '^(CREATE|ALTER) ROLE (matrix)(;| WITH)' | grep -vE '^CREATE DATABASE (matrix)\s' | psql -v ON_ERROR_STOP=1 -h matrix-postgres --dbname=synapse" +``` + +### Hints + +To open psql terminal run `/usr/local/bin/matrix-postgres-cli` diff --git a/docs/self-building.md b/docs/self-building.md index 82726bb7..ef851f22 100644 --- a/docs/self-building.md +++ b/docs/self-building.md @@ -15,14 +15,17 @@ List of roles where self-building the Docker image is currently possible: - `matrix-synapse-admin` - `matrix-client-element` - `matrix-client-hydrogen` +- `matrix-client-cinny` - `matrix-registration` - `matrix-coturn` - `matrix-corporal` +- `matrix-dimension` - `matrix-ma1sd` - `matrix-mailer` - `matrix-bridge-appservice-irc` - `matrix-bridge-appservice-slack` - `matrix-bridge-appservice-webhooks` +- `matrix-bridge-beeper-linkedin` - `matrix-bridge-mautrix-facebook` - `matrix-bridge-mautrix-hangouts` - `matrix-bridge-mautrix-googlechat` @@ -31,6 +34,7 @@ List of roles where self-building the Docker image is currently possible: - `matrix-bridge-mautrix-whatsapp` - `matrix-bridge-mx-puppet-skype` - `matrix-bot-mjolnir` +- `matrix-bot-honoroit` - `matrix-bot-matrix-reminder-bot` - `matrix-email2matrix` diff --git a/examples/caddy2/Caddyfile b/examples/caddy2/Caddyfile index c6d2841b..6370cb01 100644 --- a/examples/caddy2/Caddyfile +++ b/examples/caddy2/Caddyfile @@ -27,6 +27,10 @@ matrix.DOMAIN.tld { not path /matrix/static-files/* } + @wellknown { + path /.well-known/matrix/* + } + header { # Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" @@ -69,6 +73,15 @@ matrix.DOMAIN.tld { } } + handle @wellknown { + encode zstd gzip + root * /matrix/static-files + header Cache-Control max-age=14400 + header Content-Type application/json + header Access-Control-Allow-Origin * + file_server + } + handle { encode zstd gzip @@ -102,17 +115,17 @@ element.DOMAIN.tld { # tls your@email.com header { - # Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS - Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" - # Enable cross-site filter (XSS) and tell browser to block detected attacks - X-XSS-Protection "1; mode=block" - # Prevent some browsers from MIME-sniffing a response away from the declared Content-Type - X-Content-Type-Options "nosniff" - # Disallow the site to be rendered within a frame (clickjacking protection) - X-Frame-Options "DENY" - # X-Robots-Tag - X-Robots-Tag "noindex, noarchive, nofollow" - } + # Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS + Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" + # Enable cross-site filter (XSS) and tell browser to block detected attacks + X-XSS-Protection "1; mode=block" + # Prevent some browsers from MIME-sniffing a response away from the declared Content-Type + X-Content-Type-Options "nosniff" + # Disallow the site to be rendered within a frame (clickjacking protection) + X-Frame-Options "DENY" + # X-Robots-Tag + X-Robots-Tag "noindex, noarchive, nofollow" + } handle { encode zstd gzip diff --git a/examples/vars.yml b/examples/vars.yml index f6c86be9..f5776962 100644 --- a/examples/vars.yml +++ b/examples/vars.yml @@ -10,6 +10,14 @@ # Example value: example.com matrix_domain: YOUR_BARE_DOMAIN_NAME_HERE +# The Matrix homeserver software to install. +# See `roles/matrix-base/defaults/main.yml` for valid options. +matrix_homeserver_implementation: synapse + +# A secret used as a base, for generating various other secrets. +# You can put any string here, but generating a strong one is preferred (e.g. `pwgen -s 64 1`). +matrix_homeserver_generic_secret_key: '' + # This is something which is provided to Let's Encrypt when retrieving SSL certificates for domains. # # In case SSL renewal fails at some point, you'll also get an email notification there. @@ -20,14 +28,6 @@ matrix_domain: YOUR_BARE_DOMAIN_NAME_HERE # Example value: someone@example.com matrix_ssl_lets_encrypt_support_email: '' -# A shared secret (between Coturn and Synapse) used for authentication. -# You can put any string here, but generating a strong one is preferred (e.g. `pwgen -s 64 1`). -matrix_coturn_turn_static_auth_secret: '' - -# A secret used to protect access keys issued by the server. -# You can put any string here, but generating a strong one is preferred (e.g. `pwgen -s 64 1`). -matrix_synapse_macaroon_secret_key: '' - # A Postgres password to use for the superuser Postgres user (called `matrix` by default). # # The playbook creates additional Postgres users and databases (one for each enabled service) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 377c27cd..835b9245 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -21,7 +21,24 @@ matrix_identity_server_url: "{{ ('https://' + matrix_server_fqn_matrix) if matri # If Synapse workers are enabled and matrix-nginx-proxy is disabled, certain APIs may not work over 'http://matrix-synapse:{{ matrix_synapse_container_client_api_port }}'. # This is because we explicitly disable them for the main Synapse process. -matrix_homeserver_container_url: "{{ 'http://matrix-nginx-proxy:12080' if matrix_nginx_proxy_enabled else 'http://matrix-synapse:'+ matrix_synapse_container_client_api_port|string }}" +matrix_homeserver_container_url: |- + {{ + 'http://matrix-nginx-proxy:12080' if matrix_nginx_proxy_enabled else { + 'synapse': ('http://matrix-synapse:'+ matrix_synapse_container_client_api_port|string), + 'dendrite': ('http://matrix-dendrite:' + matrix_dendrite_http_bind_port|string), + }[matrix_homeserver_implementation] + }} + +matrix_homeserver_container_federation_url: |- + {{ + 'http://matrix-nginx-proxy:12088' if matrix_nginx_proxy_enabled else { + 'synapse': ('http://matrix-synapse:'+ matrix_synapse_container_federation_api_plain_port|string), + 'dendrite': ('http://matrix-dendrite:' + matrix_dendrite_http_bind_port|string), + }[matrix_homeserver_implementation] + }} + +matrix_integration_manager_rest_url: "{{ matrix_dimension_integrations_rest_url if matrix_dimension_enabled else None }}" +matrix_integration_manager_ui_url: "{{ matrix_dimension_integrations_ui_url if matrix_dimension_enabled else None }}" ###################################################################### # @@ -72,21 +89,21 @@ matrix_appservice_discord_systemd_required_services_list: | {{ ['docker.service'] + - (['matrix-synapse.service'] if matrix_synapse_enabled else []) + ['matrix-' + matrix_homeserver_implementation + '.service'] + (['matrix-postgres.service'] if matrix_postgres_enabled else []) + (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_appservice_discord_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'discord.as.token') | to_uuid }}" +matrix_appservice_discord_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'discord.as.token') | to_uuid }}" -matrix_appservice_discord_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'discord.hs.token') | to_uuid }}" +matrix_appservice_discord_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'discord.hs.token') | to_uuid }}" # We only make this use Postgres if our own Postgres server is enabled. # It's only then (for now) that we can automatically create the necessary database and user for this service. matrix_appservice_discord_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_appservice_discord_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'as.discord.db') | to_uuid }}" +matrix_appservice_discord_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'as.discord.db') | to_uuid }}" ###################################################################### # @@ -111,18 +128,18 @@ matrix_appservice_webhooks_container_image_self_build: "{{ matrix_architecture ! # matrix-appservice-webhooks' client-server port to the local host. matrix_appservice_webhooks_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else ('127.0.0.1:' ~ matrix_appservice_webhooks_matrix_port) }}" -matrix_appservice_webhooks_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'webhook.as.token') | to_uuid }}" +matrix_appservice_webhooks_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'webhook.as.token') | to_uuid }}" -matrix_appservice_webhooks_homeserver_url: "http://matrix-synapse:{{ matrix_synapse_container_client_api_port }}" -matrix_appservice_webhooks_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'webhook.hs.token') | to_uuid }}" +matrix_appservice_webhooks_homeserver_url: "{{ matrix_homeserver_container_url }}" +matrix_appservice_webhooks_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'webhook.hs.token') | to_uuid }}" -matrix_appservice_webhooks_id_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'webhook.id.token') | to_uuid }}" +matrix_appservice_webhooks_id_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'webhook.id.token') | to_uuid }}" matrix_appservice_webhooks_systemd_required_services_list: | {{ ['docker.service'] + - (['matrix-synapse.service'] if matrix_synapse_enabled else []) + ['matrix-' + matrix_homeserver_implementation + '.service'] + (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} @@ -143,32 +160,32 @@ matrix_appservice_webhooks_systemd_required_services_list: | # We don't enable bridges by default. matrix_appservice_slack_enabled: false -matrix_appservice_slack_container_self_build: "{{ matrix_architecture != 'amd64' }}" +matrix_appservice_slack_container_image_self_build: "{{ matrix_architecture != 'amd64' }}" # Normally, matrix-nginx-proxy is enabled and nginx can reach matrix-appservice-slack over the container network. # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose # matrix-appservice-slack's client-server port to the local host. matrix_appservice_slack_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else ('127.0.0.1:' ~ matrix_appservice_slack_slack_port) }}" -matrix_appservice_slack_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'slack.as.token') | to_uuid }}" +matrix_appservice_slack_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'slack.as.token') | to_uuid }}" -matrix_appservice_slack_homeserver_url: "http://matrix-synapse:{{ matrix_synapse_container_client_api_port }}" -matrix_appservice_slack_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'slack.hs.token') | to_uuid }}" +matrix_appservice_slack_homeserver_url: "{{ matrix_homeserver_container_url }}" +matrix_appservice_slack_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'slack.hs.token') | to_uuid }}" -matrix_appservice_slack_id_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'slack.id.token') | to_uuid }}" +matrix_appservice_slack_id_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'slack.id.token') | to_uuid }}" matrix_appservice_slack_systemd_required_services_list: | {{ ['docker.service'] + - (['matrix-synapse.service'] if matrix_synapse_enabled else []) + ['matrix-' + matrix_homeserver_implementation + '.service'] + (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_appservice_slack_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'nedb' }}" -matrix_appservice_slack_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'as.slack.db') | to_uuid }}" +matrix_appservice_slack_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'as.slack.db') | to_uuid }}" ###################################################################### # @@ -185,7 +202,7 @@ matrix_appservice_slack_database_password: "{{ matrix_synapse_macaroon_secret_ke # We don't enable bridges by default. matrix_appservice_irc_enabled: false -matrix_appservice_irc_container_self_build: "{{ matrix_architecture != 'amd64' }}" +matrix_appservice_irc_container_image_self_build: "{{ matrix_architecture != 'amd64' }}" # Normally, matrix-nginx-proxy is enabled and nginx can reach matrix-appservice-irc over the container network. # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose @@ -200,17 +217,17 @@ matrix_appservice_irc_systemd_required_services_list: | {{ ['docker.service'] + - (['matrix-synapse.service'] if matrix_synapse_enabled else []) + ['matrix-' + matrix_homeserver_implementation + '.service'] + (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_appservice_irc_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'irc.as.token') | to_uuid }}" +matrix_appservice_irc_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'irc.as.token') | to_uuid }}" -matrix_appservice_irc_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'irc.hs.token') | to_uuid }}" +matrix_appservice_irc_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'irc.hs.token') | to_uuid }}" matrix_appservice_irc_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'nedb' }}" -matrix_appservice_irc_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'as.irc.db') | to_uuid }}" +matrix_appservice_irc_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'as.irc.db') | to_uuid }}" ###################################################################### @@ -229,26 +246,28 @@ matrix_appservice_irc_database_password: "{{ matrix_synapse_macaroon_secret_key # We don't enable bridges by default. matrix_beeper_linkedin_enabled: false +matrix_beeper_linkedin_container_image_self_build: "{{ matrix_architecture not in ['amd64'] }}" + matrix_beeper_linkedin_systemd_required_services_list: | {{ ['docker.service'] + - (['matrix-synapse.service'] if matrix_synapse_enabled else []) + ['matrix-' + matrix_homeserver_implementation + '.service'] + (['matrix-postgres.service'] if matrix_postgres_enabled else []) + (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_beeper_linkedin_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'linked.as.token') | to_uuid }}" +matrix_beeper_linkedin_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'linked.as.token') | to_uuid }}" -matrix_beeper_linkedin_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'linked.hs.token') | to_uuid }}" +matrix_beeper_linkedin_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'linked.hs.token') | to_uuid }}" matrix_beeper_linkedin_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" matrix_beeper_linkedin_bridge_presence: "{{ matrix_synapse_presence_enabled if matrix_synapse_enabled else true }}" -matrix_beeper_linkedin_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'maulinkedin.db') | to_uuid }}" +matrix_beeper_linkedin_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'maulinkedin.db') | to_uuid }}" ###################################################################### # @@ -271,16 +290,16 @@ matrix_mautrix_facebook_systemd_required_services_list: | {{ ['docker.service'] + - (['matrix-synapse.service'] if matrix_synapse_enabled else []) + ['matrix-' + matrix_homeserver_implementation + '.service'] + (['matrix-postgres.service'] if matrix_postgres_enabled else []) + (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_mautrix_facebook_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'fb.as.token') | to_uuid }}" +matrix_mautrix_facebook_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'fb.as.token') | to_uuid }}" -matrix_mautrix_facebook_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'fb.hs.token') | to_uuid }}" +matrix_mautrix_facebook_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'fb.hs.token') | to_uuid }}" matrix_mautrix_facebook_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" @@ -289,7 +308,7 @@ matrix_mautrix_facebook_bridge_presence: "{{ matrix_synapse_presence_enabled if # We'd like to force-set people with external Postgres to SQLite, so the bridge role can complain # and point them to a migration path. matrix_mautrix_facebook_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_mautrix_facebook_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mau.fb.db') | to_uuid }}" +matrix_mautrix_facebook_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mau.fb.db') | to_uuid }}" ###################################################################### # @@ -313,16 +332,16 @@ matrix_mautrix_hangouts_systemd_required_services_list: | {{ ['docker.service'] + - (['matrix-synapse.service'] if matrix_synapse_enabled else []) + ['matrix-' + matrix_homeserver_implementation + '.service'] + (['matrix-postgres.service'] if matrix_postgres_enabled else []) + (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_mautrix_hangouts_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'ho.as.token') | to_uuid }}" +matrix_mautrix_hangouts_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'ho.as.token') | to_uuid }}" -matrix_mautrix_hangouts_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'ho.hs.token') | to_uuid }}" +matrix_mautrix_hangouts_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'ho.hs.token') | to_uuid }}" matrix_mautrix_hangouts_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:9007' }}" @@ -330,7 +349,7 @@ matrix_mautrix_hangouts_login_shared_secret: "{{ matrix_synapse_ext_password_pro # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_mautrix_hangouts_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_mautrix_hangouts_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mau.hangouts.db') | to_uuid }}" +matrix_mautrix_hangouts_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mau.hangouts.db') | to_uuid }}" ###################################################################### # @@ -354,16 +373,16 @@ matrix_mautrix_googlechat_systemd_required_services_list: | {{ ['docker.service'] + - (['matrix-synapse.service'] if matrix_synapse_enabled else []) + ['matrix-' + matrix_homeserver_implementation + '.service'] + (['matrix-postgres.service'] if matrix_postgres_enabled else []) + (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_mautrix_googlechat_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'gc.as.token') | to_uuid }}" +matrix_mautrix_googlechat_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'gc.as.token') | to_uuid }}" -matrix_mautrix_googlechat_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'gc.hs.token') | to_uuid }}" +matrix_mautrix_googlechat_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'gc.hs.token') | to_uuid }}" matrix_mautrix_googlechat_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:9007' }}" @@ -371,7 +390,7 @@ matrix_mautrix_googlechat_login_shared_secret: "{{ matrix_synapse_ext_password_p # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_mautrix_googlechat_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_mautrix_googlechat_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mau.gc.db') | to_uuid }}" +matrix_mautrix_googlechat_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mau.gc.db') | to_uuid }}" ###################################################################### # @@ -395,16 +414,16 @@ matrix_mautrix_instagram_systemd_required_services_list: | {{ ['docker.service'] + - (['matrix-synapse.service'] if matrix_synapse_enabled else []) + ['matrix-' + matrix_homeserver_implementation + '.service'] + (['matrix-postgres.service'] if matrix_postgres_enabled else []) + (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_mautrix_instagram_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'ig.as.token') | to_uuid }}" +matrix_mautrix_instagram_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'ig.as.token') | to_uuid }}" -matrix_mautrix_instagram_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'ig.hs.token') | to_uuid }}" +matrix_mautrix_instagram_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'ig.hs.token') | to_uuid }}" matrix_mautrix_instagram_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" @@ -413,7 +432,7 @@ matrix_mautrix_instagram_bridge_presence: "{{ matrix_synapse_presence_enabled if # We'd like to force-set people with external Postgres to SQLite, so the bridge role can complain # and point them to a migration path. matrix_mautrix_instagram_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_mautrix_instagram_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mau.ig.db') | to_uuid }}" +matrix_mautrix_instagram_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mau.ig.db') | to_uuid }}" ###################################################################### # @@ -435,7 +454,7 @@ matrix_mautrix_signal_systemd_required_services_list: | {{ ['docker.service'] + - (['matrix-synapse.service'] if matrix_synapse_enabled else []) + ['matrix-' + matrix_homeserver_implementation + '.service'] + (['matrix-postgres.service'] if matrix_postgres_enabled else []) + @@ -448,17 +467,17 @@ matrix_mautrix_signal_homeserver_domain: '{{ matrix_domain }}' matrix_mautrix_signal_homeserver_address: "{{ matrix_homeserver_container_url }}" -matrix_mautrix_signal_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'si.hs.token') | to_uuid }}" +matrix_mautrix_signal_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'si.hs.token') | to_uuid }}" -matrix_mautrix_signal_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'si.as.token') | to_uuid }}" +matrix_mautrix_signal_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'si.as.token') | to_uuid }}" matrix_mautrix_signal_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" matrix_mautrix_signal_database_engine: 'postgres' -matrix_mautrix_signal_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mau.signal.db') | to_uuid }}" +matrix_mautrix_signal_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mau.signal.db') | to_uuid }}" -matrix_mautrix_signal_container_self_build: "{{ matrix_architecture not in ['amd64', 'arm64'] }}" -matrix_mautrix_signal_daemon_container_self_build: "{{ matrix_architecture != 'amd64' }}" +matrix_mautrix_signal_container_image_self_build: "{{ matrix_architecture not in ['amd64', 'arm64'] }}" +matrix_mautrix_signal_daemon_container_image_self_build: "{{ matrix_architecture != 'amd64' }}" ###################################################################### # @@ -476,26 +495,26 @@ matrix_mautrix_signal_daemon_container_self_build: "{{ matrix_architecture != 'a matrix_mautrix_telegram_enabled: false # Images are multi-arch (amd64 and arm64, but not arm32). -matrix_mautrix_telegram_container_self_build: "{{ matrix_architecture not in ['arm64', 'amd64'] }}" -matrix_telegram_lottieconverter_container_self_build: "{{ matrix_architecture not in ['arm64', 'amd64'] }}" -matrix_telegram_lottieconverter_container_self_build_mask_arch: "{{ matrix_architecture != 'amd64' }}" +matrix_mautrix_telegram_container_image_self_build: "{{ matrix_architecture not in ['arm64', 'amd64'] }}" +matrix_telegram_lottieconverter_container_image_self_build: "{{ matrix_architecture not in ['arm64', 'amd64'] }}" +matrix_telegram_lottieconverter_container_image_self_build_mask_arch: "{{ matrix_architecture != 'amd64' }}" matrix_mautrix_telegram_systemd_required_services_list: | {{ ['docker.service'] + - (['matrix-synapse.service'] if matrix_synapse_enabled else []) + ['matrix-' + matrix_homeserver_implementation + '.service'] + (['matrix-postgres.service'] if matrix_postgres_enabled else []) + (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_mautrix_telegram_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'telegr.as.token') | to_uuid }}" +matrix_mautrix_telegram_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'telegr.as.token') | to_uuid }}" -matrix_mautrix_telegram_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'telegr.hs.token') | to_uuid }}" +matrix_mautrix_telegram_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'telegr.hs.token') | to_uuid }}" -matrix_mautrix_telegram_public_endpoint: "/{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'telegram') | to_uuid }}" +matrix_mautrix_telegram_public_endpoint: "/{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'telegram') | to_uuid }}" matrix_mautrix_telegram_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:9006' }}" @@ -503,7 +522,7 @@ matrix_mautrix_telegram_login_shared_secret: "{{ matrix_synapse_ext_password_pro # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_mautrix_telegram_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_mautrix_telegram_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mau.telegram.db') | to_uuid }}" +matrix_mautrix_telegram_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mau.telegram.db') | to_uuid }}" ###################################################################### # @@ -511,6 +530,45 @@ matrix_mautrix_telegram_database_password: "{{ matrix_synapse_macaroon_secret_ke # ###################################################################### +###################################################################### +# +# matrix-bridge-mautrix-twitter +# +###################################################################### + +# We don't enable bridges by default. +matrix_mautrix_twitter_enabled: false + +matrix_mautrix_twitter_container_image_self_build: "{{ matrix_architecture not in ['amd64', 'arm64'] }}" + +matrix_mautrix_twitter_systemd_required_services_list: | + {{ + ['docker.service'] + + + ['matrix-' + matrix_homeserver_implementation + '.service'] + + + (['matrix-postgres.service'] if matrix_postgres_enabled else []) + + + (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) + }} + +matrix_mautrix_twitter_appservice_token: "{{ matrix_homeserver_generic_secret_key | password_hash('sha512', 'twt.as.token') | to_uuid }}" + +matrix_mautrix_twitter_homeserver_token: "{{ matrix_homeserver_generic_secret_key | password_hash('sha512', 'twt.hs.token') | to_uuid }}" + +matrix_mautrix_twitter_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" + +# We'd like to force-set people with external Postgres to SQLite, so the bridge role can complain +# and point them to a migration path. +matrix_mautrix_twitter_database_engine: "{{ 'postgres' if matrix_postgres_enabled else '' }}" +matrix_mautrix_twitter_database_password: "{{ matrix_homeserver_generic_secret_key | password_hash('sha512', 'mau.twt.db') | to_uuid }}" + +###################################################################### +# +# /matrix-bridge-mautrix-twitter +# +###################################################################### + ###################################################################### # # matrix-bridge-mautrix-whatsapp @@ -526,22 +584,22 @@ matrix_mautrix_whatsapp_systemd_required_services_list: | {{ ['docker.service'] + - (['matrix-synapse.service'] if matrix_synapse_enabled else []) + ['matrix-' + matrix_homeserver_implementation + '.service'] + (['matrix-postgres.service'] if matrix_postgres_enabled else []) + (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_mautrix_whatsapp_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'whats.as.token') | to_uuid }}" +matrix_mautrix_whatsapp_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'whats.as.token') | to_uuid }}" -matrix_mautrix_whatsapp_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'whats.hs.token') | to_uuid }}" +matrix_mautrix_whatsapp_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'whats.hs.token') | to_uuid }}" matrix_mautrix_whatsapp_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_mautrix_whatsapp_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_mautrix_whatsapp_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mauwhatsapp.db') | to_uuid }}" +matrix_mautrix_whatsapp_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mauwhatsapp.db') | to_uuid }}" ###################################################################### # @@ -562,15 +620,15 @@ matrix_sms_bridge_systemd_required_services_list: | {{ ['docker.service'] + - (['matrix-synapse.service'] if matrix_synapse_enabled else []) + ['matrix-' + matrix_homeserver_implementation + '.service'] + (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_sms_bridge_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'sms.as.token') | to_uuid }}" +matrix_sms_bridge_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'sms.as.token') | to_uuid }}" matrix_sms_bridge_homeserver_port: "{{ matrix_synapse_container_client_api_port }}" -matrix_sms_bridge_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'sms.hs.token') | to_uuid }}" +matrix_sms_bridge_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'sms.hs.token') | to_uuid }}" ###################################################################### # @@ -587,13 +645,13 @@ matrix_sms_bridge_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | pas # We don't enable bridges by default. matrix_heisenbridge_enabled: false -matrix_heisenbridge_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'heisen.as.tok') | to_uuid }}" +matrix_heisenbridge_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'heisen.as.tok') | to_uuid }}" -matrix_heisenbridge_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'heisen.hs.tok') | to_uuid }}" +matrix_heisenbridge_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'heisen.hs.tok') | to_uuid }}" matrix_heisenbridge_systemd_wanted_services_list: | {{ - (['matrix-synapse.service'] if matrix_synapse_enabled else []) + ['matrix-' + matrix_homeserver_implementation + '.service'] + (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} @@ -619,22 +677,22 @@ matrix_mx_puppet_skype_systemd_required_services_list: | {{ ['docker.service'] + - (['matrix-synapse.service'] if matrix_synapse_enabled else []) + ['matrix-' + matrix_homeserver_implementation + '.service'] + (['matrix-postgres.service'] if matrix_postgres_enabled else []) + (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_mx_puppet_skype_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'skype.as.tok') | to_uuid }}" +matrix_mx_puppet_skype_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'skype.as.tok') | to_uuid }}" -matrix_mx_puppet_skype_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'skype.hs.tok') | to_uuid }}" +matrix_mx_puppet_skype_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'skype.hs.tok') | to_uuid }}" matrix_mx_puppet_skype_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_mx_puppet_skype_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_mx_puppet_skype_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxpup.skype.db') | to_uuid }}" +matrix_mx_puppet_skype_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxpup.skype.db') | to_uuid }}" ###################################################################### # @@ -658,22 +716,22 @@ matrix_mx_puppet_slack_systemd_required_services_list: | {{ ['docker.service'] + - (['matrix-synapse.service'] if matrix_synapse_enabled else []) + ['matrix-' + matrix_homeserver_implementation + '.service'] + (['matrix-postgres.service'] if matrix_postgres_enabled else []) + (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_mx_puppet_slack_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxslk.as.tok') | to_uuid }}" +matrix_mx_puppet_slack_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxslk.as.tok') | to_uuid }}" -matrix_mx_puppet_slack_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxslk.hs.tok') | to_uuid }}" +matrix_mx_puppet_slack_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxslk.hs.tok') | to_uuid }}" matrix_mx_puppet_slack_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_mx_puppet_slack_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_mx_puppet_slack_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxpup.slack.db') | to_uuid }}" +matrix_mx_puppet_slack_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxpup.slack.db') | to_uuid }}" ###################################################################### # @@ -696,16 +754,16 @@ matrix_mx_puppet_twitter_systemd_required_services_list: | {{ ['docker.service'] + - (['matrix-synapse.service'] if matrix_synapse_enabled else []) + ['matrix-' + matrix_homeserver_implementation + '.service'] + (['matrix-postgres.service'] if matrix_postgres_enabled else []) + (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_mx_puppet_twitter_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxtwt.as.tok') | to_uuid }}" +matrix_mx_puppet_twitter_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxtwt.as.tok') | to_uuid }}" -matrix_mx_puppet_twitter_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxtwt.hs.tok') | to_uuid }}" +matrix_mx_puppet_twitter_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxtwt.hs.tok') | to_uuid }}" matrix_mx_puppet_twitter_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" @@ -713,7 +771,7 @@ matrix_mx_puppet_twitter_container_http_host_bind_port: "{{ '' if matrix_nginx_p # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_mx_puppet_twitter_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_mx_puppet_twitter_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxpup.twitter.db') | to_uuid }}" +matrix_mx_puppet_twitter_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxpup.twitter.db') | to_uuid }}" ###################################################################### # @@ -737,22 +795,22 @@ matrix_mx_puppet_instagram_systemd_required_services_list: | {{ ['docker.service'] + - (['matrix-synapse.service'] if matrix_synapse_enabled else []) + ['matrix-' + matrix_homeserver_implementation + '.service'] + (['matrix-postgres.service'] if matrix_postgres_enabled else []) + (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_mx_puppet_instagram_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxig.as.tok') | to_uuid }}" +matrix_mx_puppet_instagram_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxig.as.tok') | to_uuid }}" -matrix_mx_puppet_instagram_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxig.hs.tok') | to_uuid }}" +matrix_mx_puppet_instagram_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxig.hs.tok') | to_uuid }}" matrix_mx_puppet_instagram_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_mx_puppet_instagram_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_mx_puppet_instagram_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxpup.ig.db') | to_uuid }}" +matrix_mx_puppet_instagram_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxpup.ig.db') | to_uuid }}" ###################################################################### # @@ -775,22 +833,22 @@ matrix_mx_puppet_discord_systemd_required_services_list: | {{ ['docker.service'] + - (['matrix-synapse.service'] if matrix_synapse_enabled else []) + ['matrix-' + matrix_homeserver_implementation + '.service'] + (['matrix-postgres.service'] if matrix_postgres_enabled else []) + (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_mx_puppet_discord_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxdsc.as.tok') | to_uuid }}" +matrix_mx_puppet_discord_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxdsc.as.tok') | to_uuid }}" -matrix_mx_puppet_discord_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxdsc.hs.tok') | to_uuid }}" +matrix_mx_puppet_discord_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxdsc.hs.tok') | to_uuid }}" matrix_mx_puppet_discord_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_mx_puppet_discord_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_mx_puppet_discord_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxpup.dsc.db') | to_uuid }}" +matrix_mx_puppet_discord_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxpup.dsc.db') | to_uuid }}" ###################################################################### # @@ -813,22 +871,22 @@ matrix_mx_puppet_steam_systemd_required_services_list: | {{ ['docker.service'] + - (['matrix-synapse.service'] if matrix_synapse_enabled else []) + ['matrix-' + matrix_homeserver_implementation + '.service'] + (['matrix-postgres.service'] if matrix_postgres_enabled else []) + (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_mx_puppet_steam_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxste.as.tok') | to_uuid }}" +matrix_mx_puppet_steam_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxste.as.tok') | to_uuid }}" -matrix_mx_puppet_steam_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxste.hs.tok') | to_uuid }}" +matrix_mx_puppet_steam_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxste.hs.tok') | to_uuid }}" matrix_mx_puppet_steam_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_mx_puppet_steam_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_mx_puppet_steam_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxpup.steam.db') | to_uuid }}" +matrix_mx_puppet_steam_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxpup.steam.db') | to_uuid }}" ###################################################################### # @@ -851,22 +909,22 @@ matrix_mx_puppet_groupme_systemd_required_services_list: | {{ ['docker.service'] + - (['matrix-synapse.service'] if matrix_synapse_enabled else []) + ['matrix-' + matrix_homeserver_implementation + '.service'] + (['matrix-postgres.service'] if matrix_postgres_enabled else []) + (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_mx_puppet_groupme_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxgro.as.tok') | to_uuid }}" +matrix_mx_puppet_groupme_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxgro.as.tok') | to_uuid }}" -matrix_mx_puppet_groupme_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxgro.hs.tok') | to_uuid }}" +matrix_mx_puppet_groupme_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxgro.hs.tok') | to_uuid }}" matrix_mx_puppet_groupme_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_mx_puppet_groupme_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_mx_puppet_groupme_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxpup.groupme.db') | to_uuid }}" +matrix_mx_puppet_groupme_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxpup.groupme.db') | to_uuid }}" ###################################################################### # @@ -887,17 +945,17 @@ matrix_bot_matrix_reminder_bot_systemd_required_services_list: | {{ ['docker.service'] + - (['matrix-postgres.service'] if matrix_postgres_enabled else []) + ['matrix-' + matrix_homeserver_implementation + '.service'] + - (['matrix-synapse.service'] if matrix_synapse_enabled else []) + (['matrix-postgres.service'] if matrix_postgres_enabled else []) + (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_bot_matrix_reminder_bot_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_bot_matrix_reminder_bot_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'reminder.bot.db') | to_uuid }}" -matrix_bot_matrix_reminder_bot_container_self_build: "{{ matrix_architecture != 'amd64' }}" +matrix_bot_matrix_reminder_bot_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'reminder.bot.db') | to_uuid }}" +matrix_bot_matrix_reminder_bot_container_image_self_build: "{{ matrix_architecture != 'amd64' }}" ###################################################################### # @@ -905,6 +963,37 @@ matrix_bot_matrix_reminder_bot_container_self_build: "{{ matrix_architecture != # ###################################################################### +###################################################################### +# +# matrix-bot-honoroit +# +###################################################################### + +# We don't enable bots by default. +matrix_bot_honoroit_enabled: false + +matrix_bot_honoroit_systemd_required_services_list: | + {{ + ['docker.service'] + + + (['matrix-postgres.service'] if matrix_postgres_enabled else []) + + + (['matrix-synapse.service'] if matrix_synapse_enabled else []) + + + (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) + }} + +# Postgres is the default, except if not using `matrix_postgres` (internal postgres) +matrix_bot_honoroit_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" +matrix_bot_honoroit_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'honoroit.bot.db') | to_uuid }}" +matrix_bot_honoroit_container_image_self_build: "{{ matrix_architecture not in ['amd64', 'arm32', 'arm64'] }}" + +###################################################################### +# +# /matrix-bot-honoroit +# +###################################################################### + ###################################################################### # @@ -919,7 +1008,7 @@ matrix_bot_go_neb_systemd_required_services_list: | {{ ['docker.service'] + - (['matrix-synapse.service'] if matrix_synapse_enabled else []) + ['matrix-' + matrix_homeserver_implementation + '.service'] + (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} @@ -948,7 +1037,7 @@ matrix_bot_mjolnir_systemd_required_services_list: | {{ ['docker.service'] + - (['matrix-synapse.service'] if matrix_synapse_enabled else []) + ['matrix-' + matrix_homeserver_implementation + '.service'] + (['matrix-postgres.service'] if matrix_postgres_enabled else []) + @@ -982,10 +1071,9 @@ matrix_corporal_systemd_required_services_list: | {{ (['docker.service']) + - (['matrix-synapse.service']) + (['matrix-' + matrix_homeserver_implementation + '.service']) }} -# This goes to Synapse's vhost matrix_corporal_matrix_homeserver_api_endpoint: "{{ matrix_homeserver_container_url }}" matrix_corporal_matrix_auth_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret }}" @@ -1015,6 +1103,8 @@ matrix_coturn_container_image_self_build: "{{ matrix_architecture != 'amd64'}}" matrix_coturn_turn_external_ip_address: "{{ ansible_host }}" +matrix_coturn_turn_static_auth_secret: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'coturn.sas') | to_uuid }}" + matrix_coturn_tls_enabled: "{{ matrix_ssl_retrieval_method != 'none' }}" matrix_coturn_tls_cert_path: "{{ matrix_ssl_config_dir_path }}/live/{{ matrix_server_fqn_matrix }}/fullchain.pem" matrix_coturn_tls_key_path: "{{ matrix_ssl_config_dir_path }}/live/{{ matrix_server_fqn_matrix }}/privkey.pem" @@ -1045,30 +1135,29 @@ matrix_coturn_container_additional_volumes: | matrix_dimension_enabled: false +matrix_dimension_container_image_self_build: "{{ matrix_architecture != 'amd64' }}" + # Normally, matrix-nginx-proxy is enabled and nginx can reach Dimension over the container network. # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose # the Dimension HTTP port to the local host. matrix_dimension_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:8184' }}" -matrix_dimension_homeserver_federationUrl: "http://matrix-synapse:{{matrix_synapse_container_federation_api_plain_port|string}}" - -matrix_integration_manager_rest_url: "{{ matrix_dimension_integrations_rest_url if matrix_dimension_enabled else None }}" -matrix_integration_manager_ui_url: "{{ matrix_dimension_integrations_ui_url if matrix_dimension_enabled else None }}" +matrix_dimension_homeserver_federationUrl: "{{ matrix_homeserver_container_federation_url }}" matrix_dimension_systemd_required_services_list: | {{ ['docker.service'] + - (['matrix-postgres.service'] if matrix_postgres_enabled else []) + ['matrix-' + matrix_homeserver_implementation + '.service'] + - (['matrix-synapse.service'] if matrix_synapse_enabled else []) + (['matrix-postgres.service'] if matrix_postgres_enabled else []) + (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_dimension_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_dimension_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'dimension.db') | to_uuid }}" +matrix_dimension_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'dimension.db') | to_uuid }}" ###################################################################### # @@ -1093,7 +1182,7 @@ matrix_etherpad_systemd_required_services_list: | (['matrix-postgres.service'] if matrix_postgres_enabled else []) }} -matrix_etherpad_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'etherpad.db') | to_uuid }}" +matrix_etherpad_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'etherpad.db') | to_uuid }}" ###################################################################### # @@ -1152,9 +1241,9 @@ matrix_jitsi_jvb_container_colibri_ws_host_bind_port: "{{ '' if matrix_nginx_pro matrix_jitsi_prosody_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:5280' }}" -matrix_jitsi_jibri_xmpp_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'jibri') | to_uuid }}" -matrix_jitsi_jicofo_auth_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'jicofo') | to_uuid }}" -matrix_jitsi_jvb_auth_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'jvb') | to_uuid }}" +matrix_jitsi_jibri_xmpp_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'jibri') | to_uuid }}" +matrix_jitsi_jicofo_auth_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'jicofo') | to_uuid }}" +matrix_jitsi_jvb_auth_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'jvb') | to_uuid }}" matrix_jitsi_web_stun_servers: | {{ @@ -1248,7 +1337,7 @@ matrix_ma1sd_systemd_required_services_list: | matrix_ma1sd_systemd_wanted_services_list: | {{ - (['matrix-corporal.service'] if matrix_corporal_enabled else ['matrix-synapse.service']) + (['matrix-corporal.service'] if matrix_corporal_enabled else ['matrix-' + matrix_homeserver_implementation + '.service']) + (['matrix-postgres.service'] if matrix_postgres_enabled else []) + @@ -1257,7 +1346,7 @@ matrix_ma1sd_systemd_wanted_services_list: | # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_ma1sd_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_ma1sd_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'ma1sd.db') | to_uuid }}" +matrix_ma1sd_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'ma1sd.db') | to_uuid }}" ###################################################################### # @@ -1280,7 +1369,13 @@ matrix_nginx_proxy_enabled: true matrix_nginx_proxy_proxy_matrix_client_api_addr_with_container: "{{ 'matrix-corporal:41080' if matrix_corporal_enabled else 'matrix-nginx-proxy:12080' }}" matrix_nginx_proxy_proxy_matrix_client_api_addr_sans_container: "{{ '127.0.0.1:41080' if matrix_corporal_enabled else '127.0.0.1:12080' }}" -matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb: "{{ matrix_synapse_max_upload_size_mb }}" +matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb: |- + {{ + { + 'synapse': matrix_synapse_max_upload_size_mb, + 'dendrite': (matrix_dendrite_max_file_size_bytes / 1024 / 1024) | round, + }[matrix_homeserver_implementation]|int + }} matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_admin_api_enabled: "{{ matrix_synapse_admin_enabled }}" @@ -1289,6 +1384,7 @@ matrix_nginx_proxy_proxy_matrix_client_redirect_root_uri_to_domain: "{{ matrix_s matrix_nginx_proxy_proxy_matrix_enabled: true matrix_nginx_proxy_proxy_element_enabled: "{{ matrix_client_element_enabled }}" matrix_nginx_proxy_proxy_hydrogen_enabled: "{{ matrix_client_hydrogen_enabled }}" +matrix_nginx_proxy_proxy_cinny_enabled: "{{ matrix_client_cinny_enabled }}" matrix_nginx_proxy_proxy_dimension_enabled: "{{ matrix_dimension_enabled }}" matrix_nginx_proxy_proxy_bot_go_neb_enabled: "{{ matrix_bot_go_neb_enabled }}" matrix_nginx_proxy_proxy_jitsi_enabled: "{{ matrix_jitsi_enabled }}" @@ -1305,19 +1401,29 @@ matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container: "127.0.0.1:{{ # By default, we do TLS termination for the Matrix Federation API (port 8448) at matrix-nginx-proxy. # Unless this is handled there OR Synapse's federation listener port is disabled, we'll reverse-proxy. -matrix_nginx_proxy_proxy_matrix_federation_api_enabled: "{{ matrix_synapse_federation_port_enabled and not matrix_synapse_tls_federation_listener_enabled }}" +matrix_nginx_proxy_proxy_matrix_federation_api_enabled: |- + {{ + { + 'synapse': (matrix_synapse_federation_port_enabled and not matrix_synapse_tls_federation_listener_enabled), + 'dendrite': matrix_dendrite_federation_enabled, + }[matrix_homeserver_implementation]|bool + }} + matrix_nginx_proxy_proxy_matrix_federation_api_addr_with_container: "matrix-nginx-proxy:12088" matrix_nginx_proxy_proxy_matrix_federation_api_addr_sans_container: "127.0.0.1:12088" -# Settings controlling matrix-synapse-proxy.conf matrix_nginx_proxy_proxy_synapse_enabled: "{{ matrix_synapse_enabled }}" - matrix_nginx_proxy_proxy_synapse_client_api_addr_with_container: "matrix-synapse:{{ matrix_synapse_container_client_api_port }}" matrix_nginx_proxy_proxy_synapse_client_api_addr_sans_container: "127.0.0.1:{{ matrix_synapse_container_client_api_port }}" - matrix_nginx_proxy_proxy_synapse_federation_api_addr_with_container: "matrix-synapse:{{matrix_synapse_container_federation_api_plain_port|string}}" matrix_nginx_proxy_proxy_synapse_federation_api_addr_sans_container: "localhost:{{matrix_synapse_container_federation_api_plain_port|string}}" +matrix_nginx_proxy_proxy_dendrite_enabled: "{{ matrix_dendrite_enabled }}" +matrix_nginx_proxy_proxy_dendrite_client_api_addr_with_container: "matrix-dendrite:{{ matrix_dendrite_http_bind_port|string }}" +matrix_nginx_proxy_proxy_dendrite_client_api_addr_sans_container: "127.0.0.1:{{ matrix_dendrite_http_bind_port|string }}" +matrix_nginx_proxy_proxy_dendrite_federation_api_addr_with_container: "matrix-dendrite:{{ matrix_dendrite_http_bind_port|string }}" +matrix_nginx_proxy_proxy_dendrite_federation_api_addr_sans_container: "127.0.0.1:{{ matrix_dendrite_http_bind_port|string }}" + # When matrix-nginx-proxy is disabled, the actual port number that the vhost uses may begin to matter. matrix_nginx_proxy_proxy_matrix_federation_port: "{{ matrix_federation_public_port }}" @@ -1355,13 +1461,29 @@ matrix_nginx_proxy_proxy_synapse_workers_enabled_list: "{{ matrix_synapse_worker matrix_nginx_proxy_systemd_wanted_services_list: | {{ - (['matrix-synapse.service'] if matrix_synapse_enabled else []) + ['matrix-' + matrix_homeserver_implementation + '.service'] + (['matrix-corporal.service'] if matrix_corporal_enabled else []) + (['matrix-ma1sd.service'] if matrix_ma1sd_enabled else []) + + (['matrix-client-cinny.service'] if matrix_client_cinny_enabled else []) + + (['matrix-client-element.service'] if matrix_client_element_enabled else []) + + + (['matrix-client-hydrogen.service'] if matrix_client_hydrogen_enabled else []) + + + (['matrix-grafana.service'] if matrix_grafana_enabled else []) + + + (['matrix-dimension.service'] if matrix_dimension_enabled else []) + + + (['matrix-sygnal.service'] if matrix_sygnal_enabled else []) + + + (['matrix-jitsi.service'] if matrix_jitsi_enabled else []) + + + (['matrix-bot-go-neb.service'] if matrix_bot_go_neb_enabled else []) + + + (['matrix-etherpad.service'] if matrix_etherpad_enabled and matrix_dimension_enabled else []) }} matrix_ssl_domains_to_obtain_certificates_for: | @@ -1374,6 +1496,8 @@ matrix_ssl_domains_to_obtain_certificates_for: | + ([matrix_server_fqn_hydrogen] if matrix_client_hydrogen_enabled else []) + + ([matrix_server_fqn_cinny] if matrix_client_cinny_enabled else []) + + ([matrix_server_fqn_dimension] if matrix_dimension_enabled else []) + ([matrix_server_fqn_bot_go_neb] if matrix_bot_go_neb_enabled else []) @@ -1431,6 +1555,52 @@ matrix_postgres_additional_databases: | 'password': matrix_synapse_database_password, }] if (matrix_synapse_enabled and matrix_synapse_database_database != matrix_postgres_db_name and matrix_synapse_database_host == 'matrix-postgres') else []) + + ([{ + 'name': matrix_dendrite_naffka_database, + 'username': matrix_dendrite_database_user, + 'password': matrix_dendrite_database_password, + },{ + 'name': matrix_dendrite_appservice_database, + 'username': matrix_dendrite_database_user, + 'password': matrix_dendrite_database_password, + },{ + 'name': matrix_dendrite_federationsender_database, + 'username': matrix_dendrite_database_user, + 'password': matrix_dendrite_database_password, + },{ + 'name': matrix_dendrite_keyserver_database, + 'username': matrix_dendrite_database_user, + 'password': matrix_dendrite_database_password, + },{ + 'name': matrix_dendrite_mediaapi_database, + 'username': matrix_dendrite_database_user, + 'password': matrix_dendrite_database_password, + },{ + 'name': matrix_dendrite_room_database, + 'username': matrix_dendrite_database_user, + 'password': matrix_dendrite_database_password, + },{ + 'name': matrix_dendrite_singingkeyserver_database, + 'username': matrix_dendrite_database_user, + 'password': matrix_dendrite_database_password, + },{ + 'name': matrix_dendrite_syncapi_database, + 'username': matrix_dendrite_database_user, + 'password': matrix_dendrite_database_password, + },{ + 'name': matrix_dendrite_account_database, + 'username': matrix_dendrite_database_user, + 'password': matrix_dendrite_database_password, + },{ + 'name': matrix_dendrite_device_database, + 'username': matrix_dendrite_database_user, + 'password': matrix_dendrite_database_password, + },{ + 'name': matrix_dendrite_mscs_database, + 'username': matrix_dendrite_database_user, + 'password': matrix_dendrite_database_password, + }] if (matrix_dendrite_enabled and matrix_dendrite_database_hostname == 'matrix-postgres') else []) + + ([{ 'name': matrix_ma1sd_database_name, 'username': matrix_ma1sd_database_username, @@ -1443,6 +1613,12 @@ matrix_postgres_additional_databases: | 'password': matrix_bot_matrix_reminder_bot_database_password, }] if (matrix_bot_matrix_reminder_bot_enabled and matrix_bot_matrix_reminder_bot_database_engine == 'postgres' and matrix_bot_matrix_reminder_bot_database_hostname == 'matrix-postgres') else []) + + ([{ + 'name': matrix_bot_honoroit_database_name, + 'username': matrix_bot_honoroit_database_username, + 'password': matrix_bot_honoroit_database_password, + }] if (matrix_bot_honoroit_enabled and matrix_bot_honoroit_database_engine == 'postgres' and matrix_bot_honoroit_database_hostname == 'matrix-postgres') else []) + + ([{ 'name': matrix_registration_database_name, 'username': matrix_registration_database_username, @@ -1509,6 +1685,12 @@ matrix_postgres_additional_databases: | 'password': matrix_mautrix_telegram_database_password, }] if (matrix_mautrix_telegram_enabled and matrix_mautrix_telegram_database_engine == 'postgres' and matrix_mautrix_telegram_database_hostname == 'matrix-postgres') else []) + + ([{ + 'name': matrix_mautrix_twitter_database_name, + 'username': matrix_mautrix_twitter_database_username, + 'password': matrix_mautrix_twitter_database_password, + }] if (matrix_mautrix_twitter_enabled and matrix_mautrix_twitter_database_engine == 'postgres' and matrix_mautrix_twitter_database_hostname == 'matrix-postgres') else []) + + ([{ 'name': matrix_mautrix_whatsapp_database_name, 'username': matrix_mautrix_whatsapp_database_username, @@ -1711,12 +1893,41 @@ matrix_client_hydrogen_self_check_validate_certificates: "{{ false if matrix_ssl +###################################################################### +# +# matrix-client-cinny +# +###################################################################### + +matrix_client_cinny_enabled: false + +matrix_client_cinny_container_image_self_build: "{{ matrix_architecture != 'amd64' }}" + +# Normally, matrix-nginx-proxy is enabled and nginx can reach Cinny over the container network. +# If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose +# the HTTP port to the local host. +matrix_client_cinny_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:8080' }}" + +matrix_client_cinny_default_hs_url: "{{ matrix_homeserver_url }}" + +matrix_client_cinny_self_check_validate_certificates: "{{ false if matrix_ssl_retrieval_method == 'self-signed' else true }}" + +###################################################################### +# +# /matrix-client-cinny +# +###################################################################### + + + ###################################################################### # # matrix-synapse # ###################################################################### +matrix_synapse_enabled: "{{ matrix_homeserver_implementation == 'synapse' }}" + matrix_synapse_container_image_self_build: "{{ matrix_architecture not in ['arm64', 'amd64'] }}" # When ma1sd is enabled, we can use it to validate email addresses and phone numbers. @@ -1746,7 +1957,9 @@ matrix_synapse_container_manhole_api_host_bind_port: "{{ '127.0.0.1:9000' if mat # For exposing the Synapse worker (and metrics) ports to the local host. matrix_synapse_workers_container_host_bind_address: "{{ '127.0.0.1' if (matrix_synapse_workers_enabled and not matrix_nginx_proxy_enabled) else '' }}" -matrix_synapse_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'synapse.db') | to_uuid }}" +matrix_synapse_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'synapse.db') | to_uuid }}" + +matrix_synapse_macaroon_secret_key: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'synapse.mac') | to_uuid }}" # We do not enable TLS in Synapse by default. # TLS is handled by the matrix-nginx-proxy, which proxies the requests to Synapse. @@ -1832,7 +2045,7 @@ matrix_synapse_admin_enabled: false # Synapse Admin's HTTP port to the local host. matrix_synapse_admin_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:8766' }}" -matrix_synapse_admin_container_self_build: "{{ matrix_architecture != 'amd64' }}" +matrix_synapse_admin_container_image_self_build: "{{ matrix_architecture != 'amd64' }}" ###################################################################### # @@ -1897,7 +2110,7 @@ matrix_prometheus_scraper_postgres_targets: "{{ ['matrix-prometheus-postgres-exp ###################################################################### matrix_prometheus_postgres_exporter_enabled: false -matrix_prometheus_postgres_exporter_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'prometheus.pg.db') | to_uuid }}" +matrix_prometheus_postgres_exporter_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'prometheus.pg.db') | to_uuid }}" matrix_prometheus_postgres_exporter_systemd_required_services_list: | {{ @@ -1932,6 +2145,12 @@ matrix_grafana_dashboard_download_urls_all: | (matrix_prometheus_postgres_exporter_dashboard_urls if matrix_prometheus_postgres_exporter_enabled else []) }} +matrix_grafana_systemd_wanted_services_list: | + {{ + [] + + + (['matrix-prometheus-postgres-exporter.service'] if matrix_prometheus_postgres_exporter_enabled else []) + }} ###################################################################### # @@ -1956,7 +2175,13 @@ matrix_registration_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_ matrix_registration_riot_instance: "{{ ('https://' + matrix_server_fqn_element) if matrix_client_element_enabled else 'https://riot.im/app/' }}" -matrix_registration_shared_secret: "{{ matrix_synapse_registration_shared_secret if matrix_synapse_enabled else '' }}" +matrix_registration_shared_secret: |- + {{ + { + 'synapse': matrix_synapse_registration_shared_secret, + 'dendrite': matrix_dendrite_registration_shared_secret, + }[matrix_homeserver_implementation] + }} matrix_registration_server_location: "{{ matrix_homeserver_container_url }}" @@ -1973,7 +2198,7 @@ matrix_registration_systemd_required_services_list: | # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_registration_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_registration_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mx.registr.db') | to_uuid }}" +matrix_registration_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mx.registr.db') | to_uuid }}" ###################################################################### # @@ -2009,3 +2234,69 @@ matrix_postgres_backup_databases: | # /matrix-postgres-backup # ###################################################################### + +###################################################################### +# +# matrix-dendrite +# +###################################################################### + +matrix_dendrite_enabled: "{{ matrix_homeserver_implementation == 'dendrite' }}" + +# Normally, matrix-nginx-proxy is enabled and nginx can reach Dendrite over the container network. +# If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, +# you can expose Dendrite's ports to the host. +# +# For exposing Dendrite's plain HTTP server to the local host. +matrix_dendrite_container_http_host_bind_address: "{{ '' if matrix_nginx_proxy_enabled else ('127.0.0.1:' + matrix_dendrite_http_bind_port|string) }}" +# +# For exposing Dendrite's HTTPS server to the local host. +matrix_dendrite_container_https_host_bind_address: "{{ '' if matrix_nginx_proxy_enabled or not matrix_dendrite_https_bind_port else ('127.0.0.1:' + matrix_dendrite_https_bind_port|string) }}" + +matrix_dendrite_sync_api_real_ip_header: "{{ 'X-Forwarded-For' if matrix_nginx_proxy_enabled else '' }}" + +matrix_dendrite_registration_shared_secret: "{{ matrix_homeserver_generic_secret_key | password_hash('sha512', 'dendrite.rss') | to_uuid }}" + +matrix_dendrite_database_password: "{{ matrix_homeserver_generic_secret_key | password_hash('sha512', 'dendrite.db') | to_uuid }}" + +# Even if TURN doesn't support TLS (it does by default), +# it doesn't hurt to try a secure connection anyway. +matrix_dendrite_turn_uris: | + {{ + [ + 'turns:' + matrix_server_fqn_matrix + '?transport=udp', + 'turns:' + matrix_server_fqn_matrix + '?transport=tcp', + 'turn:' + matrix_server_fqn_matrix + '?transport=udp', + 'turn:' + matrix_server_fqn_matrix + '?transport=tcp', + ] + if matrix_coturn_enabled + else [] + }} + +matrix_dendrite_turn_shared_secret: "{{ matrix_coturn_turn_static_auth_secret if matrix_coturn_enabled else '' }}" + +matrix_dendrite_disable_tls_validation: "{{ true if matrix_ssl_retrieval_method == 'self-signed' else false }}" + +matrix_dendrite_self_check_validate_certificates: "{{ false if matrix_ssl_retrieval_method == 'self-signed' else true }}" + +matrix_dendrite_trusted_id_servers: "{{ [matrix_server_fqn_matrix] if matrix_ma1sd_enabled else ['matrix.org', 'vector.im'] }}" + +matrix_dendrite_systemd_required_services_list: | + {{ + (['docker.service']) + + + (['matrix-postgres.service'] if matrix_postgres_enabled else []) + + + (['matrix-goofys'] if matrix_s3_media_store_enabled else []) + }} + +matrix_dendrite_systemd_wanted_services_list: | + {{ + (['matrix-coturn.service'] if matrix_coturn_enabled else []) + }} + +###################################################################### +# +# /matrix-dendrite +# +###################################################################### diff --git a/roles/matrix-awx/defaults/main.yml b/roles/matrix-awx/defaults/main.yml index fb9f56ae..1b61797e 100755 --- a/roles/matrix-awx/defaults/main.yml +++ b/roles/matrix-awx/defaults/main.yml @@ -1 +1,6 @@ matrix_awx_enabled: true + +# Defaults for 'Customise Website + Access Export' template +awx_sftp_auth_method: 'Disabled' +awx_sftp_password: '' +awx_sftp_public_key: '' diff --git a/roles/matrix-awx/tasks/main.yml b/roles/matrix-awx/tasks/main.yml index adc158c7..6ac39a49 100755 --- a/roles/matrix-awx/tasks/main.yml +++ b/roles/matrix-awx/tasks/main.yml @@ -8,9 +8,9 @@ tags: - always -# Renames the variables if needed +# Renames or updates the vars.yml if needed - include_tasks: - file: "rename_variables.yml" + file: "update_variables.yml" apply: tags: always when: run_setup|bool and matrix_awx_enabled|bool diff --git a/roles/matrix-awx/tasks/purge_database_build_list.yml b/roles/matrix-awx/tasks/purge_database_build_list.yml deleted file mode 100644 index 339510f0..00000000 --- a/roles/matrix-awx/tasks/purge_database_build_list.yml +++ /dev/null @@ -1,11 +0,0 @@ ---- - -- name: Collect entire room list into stdout - shell: | - curl -X GET --header "Authorization: Bearer {{ janitors_token.stdout[1:-1] }}" '{{ synapse_container_ip.stdout }}:{{ matrix_synapse_container_client_api_port }}/_synapse/admin/v1/rooms?from={{ item }}' - register: awx_rooms_output - -- name: Print stdout to file - delegate_to: 127.0.0.1 - shell: | - echo '{{ awx_rooms_output.stdout }}' >> /tmp/{{ subscription_id }}_room_list_complete.json diff --git a/roles/matrix-awx/tasks/purge_database_main.yml b/roles/matrix-awx/tasks/purge_database_main.yml index 2cdf0330..f29061fb 100644 --- a/roles/matrix-awx/tasks/purge_database_main.yml +++ b/roles/matrix-awx/tasks/purge_database_main.yml @@ -29,9 +29,9 @@ when: (awx_purge_mode.find("No local users [recommended]") != -1) or (awx_purge_mode.find("Number of users [slower]") != -1) or (awx_purge_mode.find("Number of events [slower]") != -1) register: awx_synapse_container_ip -- name: Collect access token for janitor user +- name: Collect access token for @admin-janitor user shell: | - curl -X POST -d '{"type":"m.login.password", "user":"janitor", "password":"{{ awx_janitor_user_password }}"}' "{{ awx_synapse_container_ip.stdout }}:{{ matrix_synapse_container_client_api_port }}/_matrix/client/r0/login" | jq '.access_token' + curl -X POST -d '{"type":"m.login.password", "user":"admin-janitor", "password":"{{ awx_janitor_user_password }}"}' "{{ awx_synapse_container_ip.stdout }}:{{ matrix_synapse_container_client_api_port }}/_matrix/client/r0/login" | jq '.access_token' when: (awx_purge_mode.find("No local users [recommended]") != -1) or (awx_purge_mode.find("Number of users [slower]") != -1) or (awx_purge_mode.find("Number of events [slower]") != -1) register: awx_janitors_token no_log: True diff --git a/roles/matrix-awx/tasks/purge_media_main.yml b/roles/matrix-awx/tasks/purge_media_main.yml index 0c322b85..c836d16c 100644 --- a/roles/matrix-awx/tasks/purge_media_main.yml +++ b/roles/matrix-awx/tasks/purge_media_main.yml @@ -21,21 +21,22 @@ shell: "/usr/bin/docker inspect --format '{''{range.NetworkSettings.Networks}''}{''{.IPAddress}''}{''{end}''}' matrix-synapse" register: awx_synapse_container_ip -- name: Collect access token for janitor user +- name: Collect access token for @admin-janitor user shell: | - curl -XPOST -d '{"type":"m.login.password", "user":"janitor", "password":"{{ awx_janitor_user_password }}"}' "{{ awx_synapse_container_ip.stdout }}:{{ matrix_synapse_container_client_api_port }}/_matrix/client/r0/login" | jq '.access_token' + curl -XPOST -d '{"type":"m.login.password", "user":"admin-janitor", "password":"{{ awx_janitor_user_password }}"}' "{{ awx_synapse_container_ip.stdout }}:{{ matrix_synapse_container_client_api_port }}/_matrix/client/r0/login" | jq '.access_token' register: awx_janitors_token no_log: True - name: Generate list of dates to purge to delegate_to: 127.0.0.1 - shell: "dateseq {{ matrix_purge_from_date }} {{ matrix_purge_to_date }}" + shell: "dateseq {{ awx_purge_from_date }} {{ awx_purge_to_date }}" register: awx_purge_dates - name: Calculate initial size of local media repository shell: du -sh /matrix/synapse/storage/media-store/local* register: awx_local_media_size_before when: awx_purge_media_type == "Local Media" + async: 600 ignore_errors: yes no_log: True @@ -43,6 +44,7 @@ shell: du -sh /matrix/synapse/storage/media-store/remote* register: awx_remote_media_size_before when: awx_purge_media_type == "Remote Media" + async: 600 ignore_errors: yes no_log: True diff --git a/roles/matrix-awx/tasks/rename_variables.yml b/roles/matrix-awx/tasks/rename_variables.yml deleted file mode 100644 index e664325f..00000000 --- a/roles/matrix-awx/tasks/rename_variables.yml +++ /dev/null @@ -1,8 +0,0 @@ ---- - -- name: Rename synapse presence variable - delegate_to: 127.0.0.1 - replace: - path: "/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml" - regexp: 'matrix_synapse_use_presence' - replace: 'matrix_synapse_presence_enabled' diff --git a/roles/matrix-awx/tasks/self_check.yml b/roles/matrix-awx/tasks/self_check.yml index 510b9f9e..a7b0cb3a 100644 --- a/roles/matrix-awx/tasks/self_check.yml +++ b/roles/matrix-awx/tasks/self_check.yml @@ -50,12 +50,14 @@ - name: Calculate size of local media repository shell: du -sh /matrix/synapse/storage/media-store/local* register: awx_local_media_size_stat + async: 600 ignore_errors: yes no_log: True - name: Calculate size of remote media repository shell: du -sh /matrix/synapse/storage/media-store/remote* register: awx_remote_media_size_stat + async: 600 ignore_errors: yes no_log: True diff --git a/roles/matrix-awx/tasks/set_variables_dimension.yml b/roles/matrix-awx/tasks/set_variables_dimension.yml index d5e51c6b..eee4e6f2 100644 --- a/roles/matrix-awx/tasks/set_variables_dimension.yml +++ b/roles/matrix-awx/tasks/set_variables_dimension.yml @@ -12,9 +12,9 @@ - curl state: present -- name: Collect access token of Dimension user +- name: Collect access token of @admin-dimension user shell: | - curl -X POST --header 'Content-Type: application/json' -d '{ "identifier": { "type": "m.id.user","user": "dimension" }, "password": "{{ awx_dimension_user_password }}", "type": "m.login.password"}' 'https://matrix.{{ matrix_domain }}/_matrix/client/r0/login' | jq -c '. | {access_token}' | sed 's/.*\":\"//' | sed 's/\"}//' + curl -X POST --header 'Content-Type: application/json' -d '{ "identifier": { "type": "m.id.user","user": "admin-dimension" }, "password": "{{ awx_dimension_user_password }}", "type": "m.login.password"}' 'https://matrix.{{ matrix_domain }}/_matrix/client/r0/login' | jq -c '. | {access_token}' | sed 's/.*\":\"//' | sed 's/\"}//' register: awx_dimension_user_access_token - name: Record Synapse variables locally on AWX diff --git a/roles/matrix-awx/tasks/update_variables.yml b/roles/matrix-awx/tasks/update_variables.yml new file mode 100644 index 00000000..9818a9c2 --- /dev/null +++ b/roles/matrix-awx/tasks/update_variables.yml @@ -0,0 +1,26 @@ +--- + +- name: Rename synapse presence variable + delegate_to: 127.0.0.1 + replace: + path: "/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml" + regexp: 'matrix_synapse_use_presence' + replace: 'matrix_synapse_presence_enabled' + +- name: Generate matrix_homeserver_generic_secret_key variable + delegate_to: 127.0.0.1 + command: | + openssl rand -hex 16 + register: generic_secret + no_log: True + when: ( matrix_homeserver_generic_secret_key is undefined ) or ( matrix_homeserver_generic_secret_key | length == 0 ) + +- name: Add new matrix_homeserver_generic_secret_key variable + delegate_to: 127.0.0.1 + lineinfile: + path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + line: "matrix_homeserver_generic_secret_key: {{ generic_secret.stdout }}" + insertbefore: '# Basic Settings End' + mode: '0600' + state: present + when: ( matrix_homeserver_generic_secret_key is undefined ) or ( matrix_homeserver_generic_secret_key | length == 0 ) diff --git a/roles/matrix-base/defaults/main.yml b/roles/matrix-base/defaults/main.yml index 6639c223..be403de7 100644 --- a/roles/matrix-base/defaults/main.yml +++ b/roles/matrix-base/defaults/main.yml @@ -7,6 +7,18 @@ # Example value: example.com matrix_domain: ~ +# This will contain the homeserver implementation that is in use. +# Valid values: synapse, dendrite +# +# By default, we use Synapse, because it's the only full-featured Matrix server at the moment. +# +# This value automatically influences other variables (`matrix_synapse_enabled`, `matrix_dendrite_enabled`, etc.). +# The homeserver implementation of an existing server cannot be changed without data loss. +matrix_homeserver_implementation: synapse + +# This contains a secret, which is used for generating various other secrets later on. +matrix_homeserver_generic_secret_key: '' + # This is where your data lives and what we set up. # This and the Element FQN (see below) are expected to be on the same server. matrix_server_fqn_matrix: "matrix.{{ matrix_domain }}" @@ -21,6 +33,9 @@ matrix_server_fqn_element: "element.{{ matrix_domain }}" # This is where you access the Hydrogen web client from (if enabled via matrix_client_hydrogen_enabled; disabled by default). matrix_server_fqn_hydrogen: "hydrogen.{{ matrix_domain }}" +# This is where you access the Cinny web client from (if enabled via matrix_client_cinny_enabled; disabled by default). +matrix_server_fqn_cinny: "cinny.{{ matrix_domain }}" + # This is where you access the Dimension. matrix_server_fqn_dimension: "dimension.{{ matrix_domain }}" @@ -88,11 +103,16 @@ matrix_ntpd_service: "{{ 'systemd-timesyncd' if (ansible_distribution == 'CentOS matrix_homeserver_url: "https://{{ matrix_server_fqn_matrix }}" -# Specifies where the homeserver is on the container network. -# Where this is depends on whether there's a reverse-proxy in front of it, etc. +# Specifies where the homeserver's Client-Server API is on the container network. +# Where this is depends on whether there's a reverse-proxy in front of the homeserver, which homeserver it is, etc. # This likely gets overriden elsewhere. matrix_homeserver_container_url: "" +# Specifies where the homeserver's Federation API is on the container network. +# Where this is depends on whether there's a reverse-proxy in front of the homeserver, which homeserver it is, etc. +# This likely gets overriden elsewhere. +matrix_homeserver_container_federation_url: "" + matrix_identity_server_url: ~ matrix_integration_manager_rest_url: ~ @@ -118,6 +138,72 @@ matrix_client_element_e2ee_secure_backup_required: false # See: https://github.com/vector-im/element-web/blob/develop/docs/e2ee.md matrix_client_element_e2ee_secure_backup_setup_methods: [] +# Default `/.well-known/matrix/client` configuration - it covers the generic use case. +# You can customize it by controlling the various variables inside the template file that it references. +# +# For a more advanced customization, you can extend the default (see `matrix_well_known_matrix_client_configuration_extension_json`) +# or completely replace this variable with your own template. +# +# The side-effect of this lookup is that Ansible would even parse the JSON for us, returning a dict. +# This is unlike what it does when looking up YAML template files (no automatic parsing there). +matrix_well_known_matrix_client_configuration_default: "{{ lookup('template', 'templates/static-files/well-known/matrix-client.j2') }}" + +# Your custom JSON configuration for `/.well-known/matrix/client` should go to `matrix_well_known_matrix_client_configuration_extension_json`. +# This configuration extends the default starting configuration (`matrix_well_known_matrix_client_configuration_default`). +# +# You can override individual variables from the default configuration, or introduce new ones. +# +# If you need something more special, you can take full control by +# completely redefining `matrix_well_known_matrix_client_configuration`. +# +# Example configuration extension follows: +# +# matrix_well_known_matrix_client_configuration_extension_json: | +# { +# "io.element.call_behaviour": { +# "widget_build_url": "https://dimension.example.com/api/v1/dimension/bigbluebutton/widget_state" +# } +# } +matrix_well_known_matrix_client_configuration_extension_json: '{}' + +matrix_well_known_matrix_client_configuration_extension: "{{ matrix_well_known_matrix_client_configuration_extension_json|from_json if matrix_well_known_matrix_client_configuration_extension_json|from_json is mapping else {} }}" + +# Holds the final `/.well-known/matrix/client` configuration (a combination of the default and its extension). +# You most likely don't need to touch this variable. Instead, see `matrix_well_known_matrix_client_configuration_default` and `matrix_well_known_matrix_client_configuration_extension_json`. +matrix_well_known_matrix_client_configuration: "{{ matrix_well_known_matrix_client_configuration_default|combine(matrix_well_known_matrix_client_configuration_extension, recursive=True) }}" + +# Default `/.well-known/matrix/server` configuration - it covers the generic use case. +# You can customize it by controlling the various variables inside the template file that it references. +# +# For a more advanced customization, you can extend the default (see `matrix_well_known_matrix_server_configuration_extension_json`) +# or completely replace this variable with your own template. +# +# The side-effect of this lookup is that Ansible would even parse the JSON for us, returning a dict. +# This is unlike what it does when looking up YAML template files (no automatic parsing there). +matrix_well_known_matrix_server_configuration_default: "{{ lookup('template', 'templates/static-files/well-known/matrix-server.j2') }}" + +# Your custom JSON configuration for `/.well-known/matrix/server` should go to `matrix_well_known_matrix_server_configuration_extension_json`. +# This configuration extends the default starting configuration (`matrix_well_known_matrix_server_configuration_default`). +# +# You can override individual variables from the default configuration, or introduce new ones. +# +# If you need something more special, you can take full control by +# completely redefining `matrix_well_known_matrix_server_configuration`. +# +# Example configuration extension follows: +# +# matrix_well_known_matrix_server_configuration_extension_json: | +# { +# "something": "another" +# } +matrix_well_known_matrix_server_configuration_extension_json: '{}' + +matrix_well_known_matrix_server_configuration_extension: "{{ matrix_well_known_matrix_server_configuration_extension_json|from_json if matrix_well_known_matrix_server_configuration_extension_json|from_json is mapping else {} }}" + +# Holds the final `/.well-known/matrix/server` configuration (a combination of the default and its extension). +# You most likely don't need to touch this variable. Instead, see `matrix_well_known_matrix_server_configuration_default` and `matrix_well_known_matrix_server_configuration_extension_json`. +matrix_well_known_matrix_server_configuration: "{{ matrix_well_known_matrix_server_configuration_default|combine(matrix_well_known_matrix_server_configuration_extension, recursive=True) }}" + # The Docker network that all services would be put into matrix_docker_network: "matrix" @@ -152,6 +238,7 @@ run_synapse_register_user: true run_synapse_update_user_password: true run_synapse_import_media_store: true run_synapse_rust_synapse_compress_state: true +run_dendrite_register_user: true run_setup: true run_self_check: true run_start: true diff --git a/roles/matrix-base/tasks/main.yml b/roles/matrix-base/tasks/main.yml index 4af3564c..f9db37b3 100644 --- a/roles/matrix-base/tasks/main.yml +++ b/roles/matrix-base/tasks/main.yml @@ -31,4 +31,5 @@ - setup-all - setup-ma1sd - setup-synapse + - setup-dendrite - setup-nginx-proxy diff --git a/roles/matrix-base/tasks/sanity_check.yml b/roles/matrix-base/tasks/sanity_check.yml index 265dc282..f78510d7 100644 --- a/roles/matrix-base/tasks/sanity_check.yml +++ b/roles/matrix-base/tasks/sanity_check.yml @@ -1,5 +1,10 @@ --- +- name: Fail if invalid homeserver implementation + fail: + msg: "You need to set a valid homeserver implementation in `matrix_homeserver_implementation`" + when: "matrix_homeserver_implementation not in ['synapse', 'dendrite']" + # We generally support Ansible 2.7.1 and above. - name: Fail if running on Ansible < 2.7.1 fail: @@ -28,14 +33,29 @@ - {'old': 'hostname_riot', 'new': 'matrix_server_fqn_element'} - {'old': 'matrix_server_fqn_riot', 'new': 'matrix_server_fqn_element'} +# We have a dedicated check for this variable, because we'd like to have a custom (friendlier) message. +- name: Fail if matrix_homeserver_generic_secret_key is undefined + fail: + msg: | + The `matrix_homeserver_generic_secret_key` variable must be defined and have a non-null and non-empty value. + + If you're observing this error on a new installation, you should ensure that the `matrix_homeserver_generic_secret_key` is defined. + + If you're observing this error on an existing homeserver installation, you can fix it easily and in a backward-compatible way by adding + `{% raw %}matrix_homeserver_generic_secret_key: "{{ matrix_synapse_macaroon_secret_key }}"{% endraw %}` + to your `vars.yml` file. Using another secret value for the new variable is also possible and shouldn't cause any trouble. + when: "matrix_homeserver_generic_secret_key is none or matrix_homeserver_generic_secret_key == ''" + - name: Fail if required variables are undefined fail: - msg: "The `{{ item }}` variable must be defined and have a non-null value" + msg: "The `{{ item.var }}` variable must be defined and have a non-null and non-empty value" with_items: - - matrix_domain - - matrix_server_fqn_matrix - - matrix_server_fqn_element - when: "item not in vars or vars[item] is none" + - {'var': matrix_domain, 'value': "{{ matrix_domain|default('') }}"} + - {'var': matrix_server_fqn_matrix, 'value': "{{ matrix_server_fqn_matrix|default('') }}"} + - {'var': matrix_server_fqn_element, 'value': "{{ matrix_server_fqn_element|default('') }}"} + - {'var': matrix_homeserver_container_url, 'value': "{{ matrix_homeserver_container_url|default('') }}"} + - {'var': matrix_homeserver_container_federation_url, 'value': "{{ matrix_homeserver_container_federation_url|default('') }}"} + when: "item.value is none or item.value == ''" - name: Fail if uppercase domain used fail: diff --git a/roles/matrix-base/tasks/server_base/setup_archlinux.yml b/roles/matrix-base/tasks/server_base/setup_archlinux.yml index d08cafc0..6c5cdff8 100644 --- a/roles/matrix-base/tasks/server_base/setup_archlinux.yml +++ b/roles/matrix-base/tasks/server_base/setup_archlinux.yml @@ -4,8 +4,6 @@ pacman: name: - python-docker - # TODO This needs to be verified. Which version do we need? - - fuse3 - python-dnspython state: latest update_cache: yes diff --git a/roles/matrix-base/tasks/server_base/setup_centos.yml b/roles/matrix-base/tasks/server_base/setup_centos.yml index 07776d7f..cbf7fbc6 100644 --- a/roles/matrix-base/tasks/server_base/setup_centos.yml +++ b/roles/matrix-base/tasks/server_base/setup_centos.yml @@ -21,7 +21,6 @@ yum: name: - "{{ matrix_ntpd_package }}" - - fuse state: latest update_cache: yes diff --git a/roles/matrix-base/tasks/server_base/setup_centos8.yml b/roles/matrix-base/tasks/server_base/setup_centos8.yml index 01666197..e6127f47 100644 --- a/roles/matrix-base/tasks/server_base/setup_centos8.yml +++ b/roles/matrix-base/tasks/server_base/setup_centos8.yml @@ -28,7 +28,6 @@ yum: name: - "{{ matrix_ntpd_package }}" - - fuse state: latest update_cache: yes @@ -44,4 +43,4 @@ pip: name: docker-py state: latest - when: matrix_docker_installation_enabled|bool \ No newline at end of file + when: matrix_docker_installation_enabled|bool diff --git a/roles/matrix-base/tasks/server_base/setup_debian.yml b/roles/matrix-base/tasks/server_base/setup_debian.yml index 37706d1f..1cd7ac41 100644 --- a/roles/matrix-base/tasks/server_base/setup_debian.yml +++ b/roles/matrix-base/tasks/server_base/setup_debian.yml @@ -29,7 +29,6 @@ apt: name: - "{{ matrix_ntpd_package }}" - - fuse state: latest update_cache: yes diff --git a/roles/matrix-base/tasks/server_base/setup_raspbian.yml b/roles/matrix-base/tasks/server_base/setup_raspbian.yml index 421905a0..4aed3c76 100644 --- a/roles/matrix-base/tasks/server_base/setup_raspbian.yml +++ b/roles/matrix-base/tasks/server_base/setup_raspbian.yml @@ -29,7 +29,6 @@ apt: name: - "{{ matrix_ntpd_package }}" - - fuse state: latest update_cache: yes diff --git a/roles/matrix-base/tasks/setup_well_known.yml b/roles/matrix-base/tasks/setup_well_known.yml index 3b81ce1e..11ee48b9 100644 --- a/roles/matrix-base/tasks/setup_well_known.yml +++ b/roles/matrix-base/tasks/setup_well_known.yml @@ -13,16 +13,16 @@ - "{{ matrix_static_files_base_path }}/.well-known/matrix" - name: Ensure Matrix /.well-known/matrix/client file configured - template: - src: "{{ role_path }}/templates/static-files/well-known/matrix-client.j2" + copy: + content: "{{ matrix_well_known_matrix_client_configuration|to_nice_json }}" dest: "{{ matrix_static_files_base_path }}/.well-known/matrix/client" mode: 0644 owner: "{{ matrix_user_username }}" group: "{{ matrix_user_groupname }}" - name: Ensure Matrix /.well-known/matrix/server file configured - template: - src: "{{ role_path }}/templates/static-files/well-known/matrix-server.j2" + copy: + content: "{{ matrix_well_known_matrix_server_configuration|to_nice_json }}" dest: "{{ matrix_static_files_base_path }}/.well-known/matrix/server" mode: 0644 owner: "{{ matrix_user_username }}" diff --git a/roles/matrix-base/tasks/util/ensure_fuse_installed.yml b/roles/matrix-base/tasks/util/ensure_fuse_installed.yml new file mode 100644 index 00000000..948c6082 --- /dev/null +++ b/roles/matrix-base/tasks/util/ensure_fuse_installed.yml @@ -0,0 +1,23 @@ + +# This is for both CentOS 7 and 8 +- name: Ensure fuse installed (CentOS) + yum: + name: + - fuse + state: latest + when: ansible_distribution == 'CentOS' + +# This is for both Debian and Raspbian +- name: Ensure fuse installed (Debian/Raspbian) + apt: + name: + - fuse + state: latest + when: ansible_os_family == 'Debian' + +- name: Ensure fuse installed (Archlinux) + pacman: + name: + - fuse3 + state: latest + when: ansible_distribution == 'Archlinux' diff --git a/roles/matrix-base/tasks/util/ensure_openssl_installed.yml b/roles/matrix-base/tasks/util/ensure_openssl_installed.yml new file mode 100644 index 00000000..39442bca --- /dev/null +++ b/roles/matrix-base/tasks/util/ensure_openssl_installed.yml @@ -0,0 +1,23 @@ + +# This is for both CentOS 7 and 8 +- name: Ensure openssl installed (CentOS) + yum: + name: + - openssl + state: latest + when: ansible_distribution == 'CentOS' + +# This is for both Debian and Raspbian +- name: Ensure openssl installed (Debian/Raspbian) + apt: + name: + - openssl + state: latest + when: ansible_os_family == 'Debian' + +- name: Ensure openssl installed (Archlinux) + pacman: + name: + - openssl + state: latest + when: ansible_distribution == 'Archlinux' diff --git a/roles/matrix-base/tasks/validate_config.yml b/roles/matrix-base/tasks/validate_config.yml deleted file mode 100644 index 8bb3fca0..00000000 --- a/roles/matrix-base/tasks/validate_config.yml +++ /dev/null @@ -1,9 +0,0 @@ ---- - -- name: Fail if required Matrix Base settings not defined - fail: - msg: >- - You need to define a required configuration setting (`{{ item }}`) for using this playbook. - when: "vars[item] == ''" - with_items: - - "matrix_homeserver_container_url" \ No newline at end of file diff --git a/roles/matrix-base/vars/main.yml b/roles/matrix-base/vars/main.yml index e4e9c166..8b99708b 100644 --- a/roles/matrix-base/vars/main.yml +++ b/roles/matrix-base/vars/main.yml @@ -1,3 +1,3 @@ # This will contain a list of enabled services that the playbook is managing. # Each component is expected to append its service name to this list. -matrix_systemd_services_list: [] \ No newline at end of file +matrix_systemd_services_list: [] diff --git a/roles/matrix-bot-go-neb/defaults/main.yml b/roles/matrix-bot-go-neb/defaults/main.yml index 4dd4f1f6..c5a1f636 100644 --- a/roles/matrix-bot-go-neb/defaults/main.yml +++ b/roles/matrix-bot-go-neb/defaults/main.yml @@ -203,8 +203,8 @@ matrix_bot_go_neb_services: [] # # Each room will get the notification with the alert rendered with the given template # rooms: # "!someroomid:domain.tld": -# text_template: "{{range .Alerts -}} [{{ .Status }}] {{index .Labels \"alertname\" }}: {{index .Annotations \"description\"}} {{ end -}}" -# html_template: "{{range .Alerts -}} {{ $severity := index .Labels \"severity\" }} {{ if eq .Status \"firing\" }} {{ if eq $severity \"critical\"}} [FIRING - CRITICAL] {{ else if eq $severity \"warning\"}} [FIRING - WARNING] {{ else }} [FIRING - {{ $severity }}] {{ end }} {{ else }} [RESOLVED] {{ end }} {{ index .Labels \"alertname\"}} : {{ index .Annotations \"description\"}} source
{{end -}}" +# text_template: "{% raw %}{{range .Alerts -}} [{{ .Status }}] {{index .Labels \"alertname\" }}: {{index .Annotations \"description\"}} {{ end -}}{% endraw %}" +# html_template: "{% raw %}{{range .Alerts -}} {{ $severity := index .Labels \"severity\" }} {{ if eq .Status \"firing\" }} {{ if eq $severity \"critical\"}} [FIRING - CRITICAL] {{ else if eq $severity \"warning\"}} [FIRING - WARNING] {{ else }} [FIRING - {{ $severity }}] {{ end }} {{ else }} [RESOLVED] {{ end }} {{ index .Labels \"alertname\"}} : {{ index .Annotations \"description\"}} source
{{end -}}{% endraw %}" # msg_type: "m.text" # Must be either `m.text` or `m.notice` # Default configuration template which covers the generic use case. diff --git a/roles/matrix-bot-go-neb/templates/systemd/matrix-bot-go-neb.service.j2 b/roles/matrix-bot-go-neb/templates/systemd/matrix-bot-go-neb.service.j2 index eabf1137..056447eb 100644 --- a/roles/matrix-bot-go-neb/templates/systemd/matrix-bot-go-neb.service.j2 +++ b/roles/matrix-bot-go-neb/templates/systemd/matrix-bot-go-neb.service.j2 @@ -39,8 +39,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-bot-go-neb \ {{ matrix_bot_go_neb_docker_image }} \ -c "go-neb /config/config.yaml" -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-bot-go-neb 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-bot-go-neb 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-bot-go-neb 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-bot-go-neb 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-bot-go-neb diff --git a/roles/matrix-bot-honoroit/defaults/main.yml b/roles/matrix-bot-honoroit/defaults/main.yml new file mode 100644 index 00000000..a9ea993f --- /dev/null +++ b/roles/matrix-bot-honoroit/defaults/main.yml @@ -0,0 +1,109 @@ +# honoroit is a helpdesk bot +# See: https://gitlab.com/etke.cc/honoroit + +matrix_bot_honoroit_enabled: true + +matrix_bot_honoroit_container_image_self_build: false +matrix_bot_honoroit_docker_repo: "https://gitlab.com/etke.cc/honoroit.git" +matrix_bot_honoroit_docker_src_files_path: "{{ matrix_base_data_path }}/honoroit/docker-src" + +matrix_bot_honoroit_version: v0.9.3 +matrix_bot_honoroit_docker_image: "{{ matrix_bot_honoroit_docker_image_name_prefix }}honoroit:{{ matrix_bot_honoroit_version }}" +matrix_bot_honoroit_docker_image_name_prefix: "{{ 'localhost/' if matrix_bot_honoroit_container_image_self_build else 'registry.gitlab.com/etke.cc/' }}" +matrix_bot_honoroit_docker_image_force_pull: "{{ matrix_bot_honoroit_docker_image.endswith(':latest') }}" + +matrix_bot_honoroit_base_path: "{{ matrix_base_data_path }}/honoroit" +matrix_bot_honoroit_config_path: "{{ matrix_bot_honoroit_base_path }}/config" +matrix_bot_honoroit_data_path: "{{ matrix_bot_honoroit_base_path }}/data" +matrix_bot_honoroit_data_store_path: "{{ matrix_bot_honoroit_data_path }}/store" + +# A list of extra arguments to pass to the container +matrix_bot_honoroit_container_extra_arguments: [] + +# List of systemd services that matrix-bot-honoroit.service depends on +matrix_bot_honoroit_systemd_required_services_list: ['docker.service'] + +# List of systemd services that matrix-bot-honoroit.service wants +matrix_bot_honoroit_systemd_wanted_services_list: [] + + +# Database-related configuration fields. +# +# To use SQLite, stick to these defaults. +# +# To use Postgres: +# - change the engine (`matrix_bot_honoroit_database_engine: 'postgres'`) +# - adjust your database credentials via the `matrix_bot_honoroit_database_*` variables +matrix_bot_honoroit_database_engine: 'sqlite' + +matrix_bot_honoroit_sqlite_database_path_local: "{{ matrix_bot_honoroit_data_path }}/bot.db" +matrix_bot_honoroit_sqlite_database_path_in_container: "/data/bot.db" + +matrix_bot_honoroit_database_username: 'honoroit' +matrix_bot_honoroit_database_password: 'some-password' +matrix_bot_honoroit_database_hostname: 'matrix-postgres' +matrix_bot_honoroit_database_port: 5432 +matrix_bot_honoroit_database_name: 'honoroit' + +matrix_bot_honoroit_database_connection_string: 'postgres://{{ matrix_bot_honoroit_database_username }}:{{ matrix_bot_honoroit_database_password }}@{{ matrix_bot_honoroit_database_hostname }}:{{ matrix_bot_honoroit_database_port }}/{{ matrix_bot_honoroit_database_name }}?sslmode=disable' + +matrix_bot_honoroit_storage_database: "{{ + { + 'sqlite': matrix_bot_honoroit_sqlite_database_path_in_container, + 'postgres': matrix_bot_honoroit_database_connection_string, + }[matrix_bot_honoroit_database_engine] +}}" + +matrix_bot_honoroit_database_dialect: "{{ + { + 'sqlite': 'sqlite3', + 'postgres': 'postgres', + }[matrix_bot_honoroit_database_engine] +}}" + + +# The bot's username. This user needs to be created manually beforehand. +# Also see `matrix_bot_honoroit_password`. +matrix_bot_honoroit_login: "honoroit" + +# The password that the bot uses to authenticate. +matrix_bot_honoroit_password: '' + +matrix_bot_honoroit_homeserver: "{{ matrix_homeserver_container_url }}" + +# The room ID where bot will create threads +matrix_bot_honoroit_roomid: '' + +# Command prefix +matrix_bot_honoroit_prefix: '' + +# Sentry DSN +matrix_bot_honoroit_sentry: '' + +# Log level +matrix_bot_honoroit_loglevel: '' + +# Text prefix: open +matrix_bot_honoroit_text_prefix_open: '' + +# Text prefix: done +matrix_bot_honoroit_text_prefix_done: '' + +# Text: greetings +matrix_bot_honoroit_text_greetings: '' + +# Text: error +matrix_bot_honoroit_text_error: '' + +# Text: empty room +matrix_bot_honoroit_text_emptyroom: '' + +# Text: done +matrix_bot_honoroit_text_done: '' + +# Additional environment variables to pass to the Honoroit container +# +# Example: +# matrix_bot_honoroit_environment_variables_extension: | +# HONOROIT_TEXT_DONE=Done +matrix_bot_honoroit_environment_variables_extension: '' diff --git a/roles/matrix-bot-honoroit/tasks/init.yml b/roles/matrix-bot-honoroit/tasks/init.yml new file mode 100644 index 00000000..1b652e56 --- /dev/null +++ b/roles/matrix-bot-honoroit/tasks/init.yml @@ -0,0 +1,3 @@ +- set_fact: + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-bot-honoroit.service'] }}" + when: matrix_bot_honoroit_enabled|bool diff --git a/roles/matrix-bot-honoroit/tasks/main.yml b/roles/matrix-bot-honoroit/tasks/main.yml new file mode 100644 index 00000000..bc5c1490 --- /dev/null +++ b/roles/matrix-bot-honoroit/tasks/main.yml @@ -0,0 +1,21 @@ +- import_tasks: "{{ role_path }}/tasks/init.yml" + tags: + - always + +- import_tasks: "{{ role_path }}/tasks/validate_config.yml" + when: "run_setup|bool and matrix_bot_honoroit_enabled|bool" + tags: + - setup-all + - setup-bot-honoroit + +- import_tasks: "{{ role_path }}/tasks/setup_install.yml" + when: "run_setup|bool and matrix_bot_honoroit_enabled|bool" + tags: + - setup-all + - setup-bot-honoroit + +- import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" + when: "run_setup|bool and not matrix_bot_honoroit_enabled|bool" + tags: + - setup-all + - setup-bot-honoroit diff --git a/roles/matrix-bot-honoroit/tasks/setup_install.yml b/roles/matrix-bot-honoroit/tasks/setup_install.yml new file mode 100644 index 00000000..0d2d325b --- /dev/null +++ b/roles/matrix-bot-honoroit/tasks/setup_install.yml @@ -0,0 +1,92 @@ +--- +- set_fact: + matrix_bot_honoroit_requires_restart: false + +- block: + - name: Check if an SQLite database already exists + stat: + path: "{{ matrix_bot_honoroit_sqlite_database_path_local }}" + register: matrix_bot_honoroit_sqlite_database_path_local_stat_result + + - block: + - set_fact: + matrix_postgres_db_migration_request: + src: "{{ matrix_bot_honoroit_sqlite_database_path_local }}" + dst: "{{ matrix_bot_honoroit_database_connection_string }}" + caller: "{{ role_path|basename }}" + engine_variable_name: 'matrix_bot_honoroit_database_engine' + engine_old: 'sqlite' + systemd_services_to_stop: ['matrix-bot-honoroit.service'] + + - import_tasks: "{{ role_path }}/../matrix-postgres/tasks/util/migrate_db_to_postgres.yml" + + - set_fact: + matrix_bot_honoroit_requires_restart: true + when: "matrix_bot_honoroit_sqlite_database_path_local_stat_result.stat.exists|bool" + when: "matrix_bot_honoroit_database_engine == 'postgres'" + +- name: Ensure honoroit paths exist + file: + path: "{{ item.path }}" + state: directory + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: + - { path: "{{ matrix_bot_honoroit_config_path }}", when: true } + - { path: "{{ matrix_bot_honoroit_data_path }}", when: true } + - { path: "{{ matrix_bot_honoroit_data_store_path }}", when: true } + - { path: "{{ matrix_bot_honoroit_docker_src_files_path }}", when: true} + when: "item.when|bool" + +- name: Ensure honoroit environment variables file created + template: + src: "{{ role_path }}/templates/env.j2" + dest: "{{ matrix_bot_honoroit_config_path }}/env" + mode: 0640 + +- name: Ensure honoroit image is pulled + docker_image: + name: "{{ matrix_bot_honoroit_docker_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_bot_honoroit_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_bot_honoroit_docker_image_force_pull }}" + when: "not matrix_bot_honoroit_container_image_self_build|bool" + +- name: Ensure honoroit repository is present on self-build + git: + repo: "{{ matrix_bot_honoroit_docker_repo }}" + dest: "{{ matrix_bot_honoroit_docker_src_files_path }}" + force: "yes" + register: matrix_bot_honoroit_git_pull_results + when: "matrix_bot_honoroit_container_image_self_build|bool" + +- name: Ensure honoroit image is built + docker_image: + name: "{{ matrix_bot_honoroit_docker_image }}" + source: build + force_source: "{{ matrix_bot_honoroit_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mailer_git_pull_results.changed }}" + build: + dockerfile: Dockerfile + path: "{{ matrix_bot_honoroit_docker_src_files_path }}" + pull: yes + when: "matrix_bot_honoroit_container_image_self_build|bool" + +- name: Ensure matrix-bot-honoroit.service installed + template: + src: "{{ role_path }}/templates/systemd/matrix-bot-honoroit.service.j2" + dest: "{{ matrix_systemd_path }}/matrix-bot-honoroit.service" + mode: 0644 + register: matrix_bot_honoroit_systemd_service_result + +- name: Ensure systemd reloaded after matrix-bot-honoroit.service installation + service: + daemon_reload: yes + when: "matrix_bot_honoroit_systemd_service_result.changed|bool" + +- name: Ensure matrix-bot-honoroit.service restarted, if necessary + service: + name: "matrix-bot-honoroit.service" + state: restarted + when: "matrix_bot_honoroit_requires_restart|bool" diff --git a/roles/matrix-bot-honoroit/tasks/setup_uninstall.yml b/roles/matrix-bot-honoroit/tasks/setup_uninstall.yml new file mode 100644 index 00000000..afad2cc1 --- /dev/null +++ b/roles/matrix-bot-honoroit/tasks/setup_uninstall.yml @@ -0,0 +1,36 @@ +--- + +- name: Check existence of matrix-honoroit service + stat: + path: "{{ matrix_systemd_path }}/matrix-bot-honoroit.service" + register: matrix_bot_honoroit_service_stat + +- name: Ensure matrix-honoroit is stopped + service: + name: matrix-bot-honoroit + state: stopped + enabled: no + daemon_reload: yes + register: stopping_result + when: "matrix_bot_honoroit_service_stat.stat.exists|bool" + +- name: Ensure matrix-bot-honoroit.service doesn't exist + file: + path: "{{ matrix_systemd_path }}/matrix-bot-honoroit.service" + state: absent + when: "matrix_bot_honoroit_service_stat.stat.exists|bool" + +- name: Ensure systemd reloaded after matrix-bot-honoroit.service removal + service: + daemon_reload: yes + when: "matrix_bot_honoroit_service_stat.stat.exists|bool" + +- name: Ensure Matrix honoroit paths don't exist + file: + path: "{{ matrix_bot_honoroit_base_path }}" + state: absent + +- name: Ensure honoroit Docker image doesn't exist + docker_image: + name: "{{ matrix_bot_honoroit_docker_image }}" + state: absent diff --git a/roles/matrix-bot-honoroit/tasks/validate_config.yml b/roles/matrix-bot-honoroit/tasks/validate_config.yml new file mode 100644 index 00000000..562bf9fb --- /dev/null +++ b/roles/matrix-bot-honoroit/tasks/validate_config.yml @@ -0,0 +1,10 @@ +--- + +- name: Fail if required settings not defined + fail: + msg: >- + You need to define a required configuration setting (`{{ item }}`). + when: "vars[item] == ''" + with_items: + - "matrix_bot_honoroit_password" + - "matrix_bot_honoroit_roomid" diff --git a/roles/matrix-bot-honoroit/templates/env.j2 b/roles/matrix-bot-honoroit/templates/env.j2 new file mode 100644 index 00000000..fdd9b13d --- /dev/null +++ b/roles/matrix-bot-honoroit/templates/env.j2 @@ -0,0 +1,17 @@ +HONOROIT_LOGIN={{ matrix_bot_honoroit_login }} +HONOROIT_PASSWORD={{ matrix_bot_honoroit_password }} +HONOROIT_HOMESERVER={{ matrix_bot_honoroit_homeserver }} +HONOROIT_ROOMID={{ matrix_bot_honoroit_roomid }} +HONOROIT_DB_DSN={{ matrix_bot_honoroit_database_connection_string }} +HONOROIT_DB_DIALECT={{ matrix_bot_honoroit_database_dialect }} +HONOROIT_PREFIX={{ matrix_bot_honoroit_prefix }} +HONOROIT_SENTRY={{ matrix_bot_honoroit_sentry }} +HONOROIT_LOGLEVEL={{ matrix_bot_honoroit_loglevel }} +HONOROIT_TEXT_PREFIX_OPEN={{ matrix_bot_honoroit_text_prefix_open }} +HONOROIT_TEXT_PREFIX_DONE={{ matrix_bot_honoroit_text_prefix_done }} +HONOROIT_TEXT_GREETINGS={{ matrix_bot_honoroit_text_greetings }} +HONOROIT_TEXT_ERROR={{ matrix_bot_honoroit_text_error }} +HONOROIT_TEXT_EMPTYROOM={{ matrix_bot_honoroit_text_emptyroom }} +HONOROIT_TEXT_DONE={{ matrix_bot_honoroit_text_done }} + +{{ matrix_bot_honoroit_environment_variables_extension }} diff --git a/roles/matrix-bot-honoroit/templates/systemd/matrix-bot-honoroit.service.j2 b/roles/matrix-bot-honoroit/templates/systemd/matrix-bot-honoroit.service.j2 new file mode 100644 index 00000000..c4eb1a94 --- /dev/null +++ b/roles/matrix-bot-honoroit/templates/systemd/matrix-bot-honoroit.service.j2 @@ -0,0 +1,39 @@ +#jinja2: lstrip_blocks: "True" +[Unit] +Description=Matrix helpdesk bot +{% for service in matrix_bot_honoroit_systemd_required_services_list %} +Requires={{ service }} +After={{ service }} +{% endfor %} +{% for service in matrix_bot_honoroit_systemd_wanted_services_list %} +Wants={{ service }} +{% endfor %} +DefaultDependencies=no + +[Service] +Type=simple +Environment="HOME={{ matrix_systemd_unit_home_path }}" +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-bot-honoroit 2>/dev/null' +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-bot-honoroit 2>/dev/null' + +ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-bot-honoroit \ + --log-driver=none \ + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + --cap-drop=ALL \ + --read-only \ + --network={{ matrix_docker_network }} \ + --env-file={{ matrix_bot_honoroit_config_path }}/env \ + --mount type=bind,src={{ matrix_bot_honoroit_data_path }},dst=/data \ + {% for arg in matrix_bot_honoroit_container_extra_arguments %} + {{ arg }} \ + {% endfor %} + {{ matrix_bot_honoroit_docker_image }} + +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-bot-honoroit 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-bot-honoroit 2>/dev/null' +Restart=always +RestartSec=30 +SyslogIdentifier=matrix-bot-honoroit + +[Install] +WantedBy=multi-user.target diff --git a/roles/matrix-bot-matrix-reminder-bot/defaults/main.yml b/roles/matrix-bot-matrix-reminder-bot/defaults/main.yml index 3e955673..419e3cca 100644 --- a/roles/matrix-bot-matrix-reminder-bot/defaults/main.yml +++ b/roles/matrix-bot-matrix-reminder-bot/defaults/main.yml @@ -3,7 +3,7 @@ matrix_bot_matrix_reminder_bot_enabled: true -matrix_bot_matrix_reminder_bot_container_self_build: false +matrix_bot_matrix_reminder_bot_container_image_self_build: false matrix_bot_matrix_reminder_bot_docker_repo: "https://github.com/anoadragon453/matrix-reminder-bot.git" matrix_bot_matrix_reminder_bot_docker_src_files_path: "{{ matrix_base_data_path }}/matrix-reminder-bot/docker-src" diff --git a/roles/matrix-bot-matrix-reminder-bot/tasks/setup_install.yml b/roles/matrix-bot-matrix-reminder-bot/tasks/setup_install.yml index dada8167..bd33326f 100644 --- a/roles/matrix-bot-matrix-reminder-bot/tasks/setup_install.yml +++ b/roles/matrix-bot-matrix-reminder-bot/tasks/setup_install.yml @@ -46,7 +46,7 @@ source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" force_source: "{{ matrix_bot_matrix_reminder_bot_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_bot_matrix_reminder_bot_docker_image_force_pull }}" - when: "not matrix_bot_matrix_reminder_bot_container_self_build|bool" + when: "not matrix_bot_matrix_reminder_bot_container_image_self_build|bool" - name: Ensure matrix-reminder-bot repository is present on self-build git: @@ -54,7 +54,7 @@ dest: "{{ matrix_bot_matrix_reminder_bot_docker_src_files_path }}" force: "yes" register: matrix_bot_matrix_reminder_bot_git_pull_results - when: "matrix_bot_matrix_reminder_bot_container_self_build|bool" + when: "matrix_bot_matrix_reminder_bot_container_image_self_build|bool" - name: Ensure matrix-reminder-bot image is built docker_image: @@ -66,7 +66,7 @@ dockerfile: docker/Dockerfile path: "{{ matrix_bot_matrix_reminder_bot_docker_src_files_path }}" pull: yes - when: "matrix_bot_matrix_reminder_bot_container_self_build|bool" + when: "matrix_bot_matrix_reminder_bot_container_image_self_build|bool" - name: Ensure matrix-reminder-bot config installed copy: diff --git a/roles/matrix-bot-matrix-reminder-bot/tasks/validate_config.yml b/roles/matrix-bot-matrix-reminder-bot/tasks/validate_config.yml index 983e7166..8963a312 100644 --- a/roles/matrix-bot-matrix-reminder-bot/tasks/validate_config.yml +++ b/roles/matrix-bot-matrix-reminder-bot/tasks/validate_config.yml @@ -8,3 +8,12 @@ with_items: - "matrix_bot_matrix_reminder_bot_matrix_user_password" - "matrix_bot_matrix_reminder_bot_reminders_timezone" + +- name: (Deprecation) Catch and report renamed settings + fail: + msg: >- + Your configuration contains a variable, which now has a different name. + Please change your configuration to rename the variable (`{{ item.old }}` -> `{{ item.new }}`). + when: "item.old in vars" + with_items: + - {'old': 'matrix_bot_matrix_reminder_bot_container_self_build', 'new': 'matrix_bot_matrix_reminder_bot_container_image_self_build'} diff --git a/roles/matrix-bot-matrix-reminder-bot/templates/systemd/matrix-bot-matrix-reminder-bot.service.j2 b/roles/matrix-bot-matrix-reminder-bot/templates/systemd/matrix-bot-matrix-reminder-bot.service.j2 index b1fe3c32..14b5fa45 100644 --- a/roles/matrix-bot-matrix-reminder-bot/templates/systemd/matrix-bot-matrix-reminder-bot.service.j2 +++ b/roles/matrix-bot-matrix-reminder-bot/templates/systemd/matrix-bot-matrix-reminder-bot.service.j2 @@ -32,8 +32,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-bot-matrix-rem {{ matrix_bot_matrix_reminder_bot_docker_image }} \ -c "matrix-reminder-bot /config/config.yaml" -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-bot-matrix-reminder-bot 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-bot-matrix-reminder-bot 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-bot-matrix-reminder-bot 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-bot-matrix-reminder-bot 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-bot-matrix-reminder-bot diff --git a/roles/matrix-bot-mjolnir/defaults/main.yml b/roles/matrix-bot-mjolnir/defaults/main.yml index 6e7331c4..72c68502 100644 --- a/roles/matrix-bot-mjolnir/defaults/main.yml +++ b/roles/matrix-bot-mjolnir/defaults/main.yml @@ -3,14 +3,13 @@ matrix_bot_mjolnir_enabled: true -matrix_bot_mjolnir_version: "v1.1.20" +matrix_bot_mjolnir_version: "v1.2.1" matrix_bot_mjolnir_container_image_self_build: false matrix_bot_mjolnir_container_image_self_build_repo: "https://github.com/matrix-org/mjolnir.git" matrix_bot_mjolnir_docker_image: "{{ matrix_bot_mjolnir_docker_image_name_prefix }}matrixdotorg/mjolnir:{{ matrix_bot_mjolnir_version }}" matrix_bot_mjolnir_docker_image_name_prefix: "{{ 'localhost/' if matrix_bot_mjolnir_container_image_self_build else matrix_container_global_registry_prefix }}" - matrix_bot_mjolnir_docker_image_force_pull: "{{ matrix_bot_mjolnir_docker_image.endswith(':latest') }}" matrix_bot_mjolnir_base_path: "{{ matrix_base_data_path }}/mjolnir" diff --git a/roles/matrix-bot-mjolnir/templates/systemd/matrix-bot-mjolnir.service.j2 b/roles/matrix-bot-mjolnir/templates/systemd/matrix-bot-mjolnir.service.j2 index 0b018f25..b2298312 100644 --- a/roles/matrix-bot-mjolnir/templates/systemd/matrix-bot-mjolnir.service.j2 +++ b/roles/matrix-bot-mjolnir/templates/systemd/matrix-bot-mjolnir.service.j2 @@ -32,8 +32,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-bot-mjolnir \ {% endfor %} {{ matrix_bot_mjolnir_docker_image }} -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-bot-mjolnir 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-bot-mjolnir 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-bot-mjolnir 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-bot-mjolnir 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-bot-mjolnir diff --git a/roles/matrix-bridge-appservice-discord/defaults/main.yml b/roles/matrix-bridge-appservice-discord/defaults/main.yml index 9b9284dc..92a51a31 100644 --- a/roles/matrix-bridge-appservice-discord/defaults/main.yml +++ b/roles/matrix-bridge-appservice-discord/defaults/main.yml @@ -48,7 +48,7 @@ matrix_appservice_discord_bridge_enableSelfServiceBridging: false # # To use Postgres: # - change the engine (`matrix_appservice_discord_database_engine: 'postgres'`) -# - adjust your database credentials via the `matrix_appservice_discord_postgres_*` variables +# - adjust your database credentials via the `matrix_appservice_discord_database_*` variables matrix_appservice_discord_database_engine: 'sqlite' matrix_appservice_discord_sqlite_database_path_local: "{{ matrix_appservice_discord_data_path }}/discord.db" diff --git a/roles/matrix-bridge-appservice-discord/templates/systemd/matrix-appservice-discord.service.j2 b/roles/matrix-bridge-appservice-discord/templates/systemd/matrix-appservice-discord.service.j2 index 84dee801..8f61bd9f 100644 --- a/roles/matrix-bridge-appservice-discord/templates/systemd/matrix-appservice-discord.service.j2 +++ b/roles/matrix-bridge-appservice-discord/templates/systemd/matrix-appservice-discord.service.j2 @@ -35,8 +35,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-appservice-dis {{ matrix_appservice_discord_docker_image }} \ node /build/src/discordas.js -p 9005 -c /cfg/config.yaml -f /cfg/registration.yaml -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-appservice-discord 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-appservice-discord 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-appservice-discord 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-appservice-discord 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-appservice-discord diff --git a/roles/matrix-bridge-appservice-irc/defaults/main.yml b/roles/matrix-bridge-appservice-irc/defaults/main.yml index 57604b19..25b0a241 100644 --- a/roles/matrix-bridge-appservice-irc/defaults/main.yml +++ b/roles/matrix-bridge-appservice-irc/defaults/main.yml @@ -3,7 +3,7 @@ matrix_appservice_irc_enabled: true -matrix_appservice_irc_container_self_build: false +matrix_appservice_irc_container_image_self_build: false matrix_appservice_irc_docker_repo: "https://github.com/matrix-org/matrix-appservice-irc.git" matrix_appservice_irc_docker_src_files_path: "{{ matrix_base_data_path }}/appservice-irc/docker-src" diff --git a/roles/matrix-bridge-appservice-irc/tasks/init.yml b/roles/matrix-bridge-appservice-irc/tasks/init.yml index e1355796..b90d93a5 100644 --- a/roles/matrix-bridge-appservice-irc/tasks/init.yml +++ b/roles/matrix-bridge-appservice-irc/tasks/init.yml @@ -3,7 +3,7 @@ - name: Fail if trying to self-build on Ansible < 2.8 fail: msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_appservice_irc_container_self_build and matrix_appservice_irc_enabled" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_appservice_irc_container_image_self_build and matrix_appservice_irc_enabled" # If the matrix-synapse role is not used, `matrix_synapse_role_executed` won't exist. # We don't want to fail in such cases. diff --git a/roles/matrix-bridge-appservice-irc/tasks/setup_install.yml b/roles/matrix-bridge-appservice-irc/tasks/setup_install.yml index 75af882a..63ee6621 100644 --- a/roles/matrix-bridge-appservice-irc/tasks/setup_install.yml +++ b/roles/matrix-bridge-appservice-irc/tasks/setup_install.yml @@ -1,5 +1,7 @@ --- +- import_tasks: "{{ role_path }}/../matrix-base/tasks/util/ensure_openssl_installed.yml" + - name: Ensure Appservice IRC paths exist file: path: "{{ item.path }}" @@ -11,7 +13,7 @@ - { path: "{{ matrix_appservice_irc_base_path }}", when: true } - { path: "{{ matrix_appservice_irc_config_path }}", when: true } - { path: "{{ matrix_appservice_irc_data_path }}", when: true } - - { path: "{{ matrix_appservice_irc_docker_src_files_path }}", when: "{{ matrix_appservice_irc_container_self_build }}" } + - { path: "{{ matrix_appservice_irc_docker_src_files_path }}", when: "{{ matrix_appservice_irc_container_image_self_build }}" } when: item.when|bool - name: Check if an old passkey file already exists @@ -61,7 +63,7 @@ source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" force_source: "{{ matrix_appservice_irc_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_appservice_irc_docker_image_force_pull }}" - when: "matrix_appservice_irc_enabled|bool and not matrix_appservice_irc_container_self_build|bool" + when: "matrix_appservice_irc_enabled|bool and not matrix_appservice_irc_container_image_self_build|bool" - name: Ensure matrix-appservice-irc repository is present when self-building git: @@ -69,7 +71,7 @@ dest: "{{ matrix_appservice_irc_docker_src_files_path }}" force: "yes" register: matrix_appservice_irc_git_pull_results - when: "matrix_appservice_irc_enabled|bool and matrix_appservice_irc_container_self_build|bool" + when: "matrix_appservice_irc_enabled|bool and matrix_appservice_irc_container_image_self_build|bool" - name: Ensure matrix-appservice-irc Docker image is built docker_image: @@ -81,7 +83,7 @@ dockerfile: Dockerfile path: "{{ matrix_appservice_irc_docker_src_files_path }}" pull: yes - when: "matrix_appservice_irc_enabled|bool and matrix_appservice_irc_container_self_build|bool and matrix_appservice_irc_git_pull_results.changed" + when: "matrix_appservice_irc_enabled|bool and matrix_appservice_irc_container_image_self_build|bool and matrix_appservice_irc_git_pull_results.changed" - name: Ensure Matrix Appservice IRC config installed copy: diff --git a/roles/matrix-bridge-appservice-irc/tasks/validate_config.yml b/roles/matrix-bridge-appservice-irc/tasks/validate_config.yml index bd08427c..303f2640 100644 --- a/roles/matrix-bridge-appservice-irc/tasks/validate_config.yml +++ b/roles/matrix-bridge-appservice-irc/tasks/validate_config.yml @@ -33,3 +33,4 @@ when: "item.old in vars" with_items: - {'old': 'matrix_appservice_irc_container_expose_client_server_api_port', 'new': ''} + - {'old': 'matrix_appservice_irc_container_self_build', 'new': 'matrix_appservice_irc_container_image_self_build'} diff --git a/roles/matrix-bridge-appservice-irc/templates/systemd/matrix-appservice-irc.service.j2 b/roles/matrix-bridge-appservice-irc/templates/systemd/matrix-appservice-irc.service.j2 index 8650bd8d..2c26c782 100644 --- a/roles/matrix-bridge-appservice-irc/templates/systemd/matrix-appservice-irc.service.j2 +++ b/roles/matrix-bridge-appservice-irc/templates/systemd/matrix-appservice-irc.service.j2 @@ -36,8 +36,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-appservice-irc {{ matrix_appservice_irc_docker_image }} \ -c 'node app.js -c /config/config.yaml -f /config/registration.yaml -p 9999' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-appservice-irc 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-appservice-irc 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-appservice-irc 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-appservice-irc 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-appservice-irc diff --git a/roles/matrix-bridge-appservice-slack/defaults/main.yml b/roles/matrix-bridge-appservice-slack/defaults/main.yml index 4f4d5e2f..b1c98d2a 100644 --- a/roles/matrix-bridge-appservice-slack/defaults/main.yml +++ b/roles/matrix-bridge-appservice-slack/defaults/main.yml @@ -3,11 +3,11 @@ matrix_appservice_slack_enabled: true -matrix_appservice_slack_container_self_build: false +matrix_appservice_slack_container_image_self_build: false matrix_appservice_slack_docker_repo: "https://github.com/matrix-org/matrix-appservice-slack.git" matrix_appservice_slack_docker_src_files_path: "{{ matrix_base_data_path }}/appservice-slack/docker-src" -matrix_appservice_slack_version: release-1.8.0 +matrix_appservice_slack_version: release-1.10.0 matrix_appservice_slack_docker_image: "{{ matrix_container_global_registry_prefix }}matrixdotorg/matrix-appservice-slack:{{ matrix_appservice_slack_version }}" matrix_appservice_slack_docker_image_force_pull: "{{ matrix_appservice_slack_docker_image.endswith(':latest') }}" diff --git a/roles/matrix-bridge-appservice-slack/tasks/init.yml b/roles/matrix-bridge-appservice-slack/tasks/init.yml index 0584e624..7f251ec5 100644 --- a/roles/matrix-bridge-appservice-slack/tasks/init.yml +++ b/roles/matrix-bridge-appservice-slack/tasks/init.yml @@ -3,7 +3,7 @@ - name: Fail if trying to self-build on Ansible < 2.8 fail: msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_appservice_slack_container_self_build and matrix_appservice_slack_enabled" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_appservice_slack_container_image_self_build and matrix_appservice_slack_enabled" # If the matrix-synapse role is not used, `matrix_synapse_role_executed` won't exist. # We don't want to fail in such cases. @@ -44,7 +44,7 @@ msg: >- Trying to append Slack Appservice's reverse-proxying configuration to matrix-nginx-proxy, but it's pointless since the matrix-nginx-proxy role had already executed. - To fix this, please change the order of roles in your plabook, + To fix this, please change the order of roles in your playbook, so that the matrix-nginx-proxy role would run after the matrix-bridge-appservice-slack role. when: matrix_nginx_proxy_role_executed|default(False)|bool diff --git a/roles/matrix-bridge-appservice-slack/tasks/setup_install.yml b/roles/matrix-bridge-appservice-slack/tasks/setup_install.yml index b170fcb8..8c5a1eed 100644 --- a/roles/matrix-bridge-appservice-slack/tasks/setup_install.yml +++ b/roles/matrix-bridge-appservice-slack/tasks/setup_install.yml @@ -11,7 +11,7 @@ - { path: "{{ matrix_appservice_slack_base_path }}", when: true } - { path: "{{ matrix_appservice_slack_config_path }}", when: true } - { path: "{{ matrix_appservice_slack_data_path }}", when: true } - - { path: "{{ matrix_appservice_slack_docker_src_files_path }}", when: "{{ matrix_appservice_slack_container_self_build }}" } + - { path: "{{ matrix_appservice_slack_docker_src_files_path }}", when: "{{ matrix_appservice_slack_container_image_self_build }}" } when: item.when|bool - set_fact: @@ -37,7 +37,7 @@ source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" force_source: "{{ matrix_appservice_slack_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_appservice_slack_docker_image_force_pull }}" - when: "not matrix_appservice_slack_container_self_build|bool" + when: "not matrix_appservice_slack_container_image_self_build|bool" - name: Ensure matrix-appservice-slack repository is present when self-building git: @@ -45,7 +45,7 @@ dest: "{{ matrix_appservice_slack_docker_src_files_path }}" force: "yes" register: matrix_appservice_slack_git_pull_results - when: "matrix_appservice_slack_container_self_build|bool" + when: "matrix_appservice_slack_container_image_self_build|bool" - name: Ensure matrix-appservice-slack Docker image is built docker_image: @@ -57,7 +57,7 @@ dockerfile: Dockerfile path: "{{ matrix_appservice_slack_docker_src_files_path }}" pull: yes - when: "matrix_appservice_slack_container_self_build|bool and matrix_appservice_slack_git_pull_results.changed" + when: "matrix_appservice_slack_container_image_self_build|bool and matrix_appservice_slack_git_pull_results.changed" - name: Ensure Matrix Appservice Slack config installed copy: diff --git a/roles/matrix-bridge-appservice-slack/tasks/validate_config.yml b/roles/matrix-bridge-appservice-slack/tasks/validate_config.yml index e02c6ab0..1866c312 100644 --- a/roles/matrix-bridge-appservice-slack/tasks/validate_config.yml +++ b/roles/matrix-bridge-appservice-slack/tasks/validate_config.yml @@ -11,3 +11,12 @@ - "matrix_appservice_slack_homeserver_url" - "matrix_appservice_slack_homeserver_token" - "matrix_appservice_slack_id_token" + +- name: (Deprecation) Catch and report renamed settings + fail: + msg: >- + Your configuration contains a variable, which now has a different name. + Please change your configuration to rename the variable (`{{ item.old }}` -> `{{ item.new }}`). + when: "item.old in vars" + with_items: + - {'old': 'matrix_appservice_slack_container_self_build', 'new': 'matrix_appservice_slack_container_image_self_build'} diff --git a/roles/matrix-bridge-appservice-slack/templates/config.yaml.j2 b/roles/matrix-bridge-appservice-slack/templates/config.yaml.j2 index bf8072c1..96e68967 100644 --- a/roles/matrix-bridge-appservice-slack/templates/config.yaml.j2 +++ b/roles/matrix-bridge-appservice-slack/templates/config.yaml.j2 @@ -5,9 +5,9 @@ bot_username: "{{ matrix_appservice_slack_bot_name }}" username_prefix: {{ matrix_appservice_slack_user_prefix }} homeserver: - media_url: "{{ matrix_appservice_slack_homeserver_media_url }}" - url: "{{ matrix_appservice_slack_homeserver_url }}" server_name: "{{ matrix_domain }}" + url: "{{ matrix_appservice_slack_homeserver_url }}" + media_url: "{{ matrix_appservice_slack_homeserver_media_url }}" {% if matrix_appservice_slack_database_engine == 'nedb' %} dbdir: "/data" diff --git a/roles/matrix-bridge-appservice-slack/templates/systemd/matrix-appservice-slack.service.j2 b/roles/matrix-bridge-appservice-slack/templates/systemd/matrix-appservice-slack.service.j2 index 21ba27ef..9bf73711 100644 --- a/roles/matrix-bridge-appservice-slack/templates/systemd/matrix-appservice-slack.service.j2 +++ b/roles/matrix-bridge-appservice-slack/templates/systemd/matrix-appservice-slack.service.j2 @@ -35,8 +35,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-appservice-sla {{ matrix_appservice_slack_docker_image }} \ node app.js -p {{matrix_appservice_slack_matrix_port}} -c /config/config.yaml -f /config/slack-registration.yaml -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-appservice-slack 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-appservice-slack 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-appservice-slack 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-appservice-slack 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-appservice-slack diff --git a/roles/matrix-bridge-appservice-webhooks/defaults/main.yml b/roles/matrix-bridge-appservice-webhooks/defaults/main.yml index 25419900..f987c087 100644 --- a/roles/matrix-bridge-appservice-webhooks/defaults/main.yml +++ b/roles/matrix-bridge-appservice-webhooks/defaults/main.yml @@ -1,15 +1,15 @@ # matrix-appservice-webhooks is a Matrix <-> webhook bridge -# See: https://github.com/turt2live/matrix-appservice-webhooks +# See: https://github.com/redoonetworks/matrix-appservice-webhooks matrix_appservice_webhooks_enabled: true matrix_appservice_webhooks_container_image_self_build: false -matrix_appservice_webhooks_container_image_self_build_repo: "https://github.com/turt2live/matrix-appservice-webhooks" +matrix_appservice_webhooks_container_image_self_build_repo: "https://github.com/redoonetworks/matrix-appservice-webhooks" matrix_appservice_webhooks_container_image_self_build_repo_version: "{{ 'master' if matrix_appservice_webhooks_version == 'latest' else matrix_appservice_webhooks_version }}" matrix_appservice_webhooks_container_image_self_build_repo_dockerfile_path: "Dockerfile" -matrix_appservice_webhooks_version: latest -matrix_appservice_webhooks_docker_image: "{{ matrix_appservice_webhooks_docker_image_name_prefix }}turt2live/matrix-appservice-webhooks:{{ matrix_appservice_webhooks_version }}" +matrix_appservice_webhooks_version: v1.0.3-01 +matrix_appservice_webhooks_docker_image: "{{ matrix_appservice_webhooks_docker_image_name_prefix }}redoonetworks/matrix-appservice-webhooks:{{ matrix_appservice_webhooks_version }}" matrix_appservice_webhooks_docker_image_name_prefix: "{{ 'localhost/' if matrix_appservice_webhooks_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_appservice_webhooks_docker_image_force_pull: "{{ matrix_appservice_webhooks_docker_image.endswith(':latest') }}" @@ -22,8 +22,6 @@ matrix_appservice_webhooks_docker_src_files_path: "{{ matrix_appservice_webhooks matrix_appservice_webhooks_public_endpoint: /appservice-webhooks matrix_appservice_webhooks_inbound_uri_prefix: "{{ matrix_homeserver_url }}{{ matrix_appservice_webhooks_public_endpoint }}" -# Once you make a control room in Matrix, you can get its ID by typing any message and checking its source -matrix_appservice_webhooks_control_room_id: '' matrix_appservice_webhooks_bot_name: 'webhookbot' matrix_appservice_webhooks_user_prefix: '_webhook' diff --git a/roles/matrix-bridge-appservice-webhooks/tasks/init.yml b/roles/matrix-bridge-appservice-webhooks/tasks/init.yml index a42e14c9..7f49e8b6 100644 --- a/roles/matrix-bridge-appservice-webhooks/tasks/init.yml +++ b/roles/matrix-bridge-appservice-webhooks/tasks/init.yml @@ -37,7 +37,7 @@ msg: >- Trying to append webhooks Appservice's reverse-proxying configuration to matrix-nginx-proxy, but it's pointless since the matrix-nginx-proxy role had already executed. - To fix this, please change the order of roles in your plabook, + To fix this, please change the order of roles in your playbook, so that the matrix-nginx-proxy role would run after the matrix-bridge-appservice-webhooks role. when: matrix_nginx_proxy_role_executed|default(False)|bool diff --git a/roles/matrix-bridge-appservice-webhooks/templates/systemd/matrix-appservice-webhooks.service.j2 b/roles/matrix-bridge-appservice-webhooks/templates/systemd/matrix-appservice-webhooks.service.j2 index f27111b3..a227387a 100644 --- a/roles/matrix-bridge-appservice-webhooks/templates/systemd/matrix-appservice-webhooks.service.j2 +++ b/roles/matrix-bridge-appservice-webhooks/templates/systemd/matrix-appservice-webhooks.service.j2 @@ -35,8 +35,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-appservice-web {{ matrix_appservice_webhooks_docker_image }} \ node index.js -p {{ matrix_appservice_webhooks_matrix_port }} -c /config/config.yaml -f /config/webhooks-registration.yaml -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-appservice-webhooks 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-appservice-webhooks 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-appservice-webhooks 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-appservice-webhooks 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-appservice-webhooks diff --git a/roles/matrix-bridge-beeper-linkedin/defaults/main.yml b/roles/matrix-bridge-beeper-linkedin/defaults/main.yml index 8df6c38f..34c9c3cb 100644 --- a/roles/matrix-bridge-beeper-linkedin/defaults/main.yml +++ b/roles/matrix-bridge-beeper-linkedin/defaults/main.yml @@ -3,14 +3,22 @@ matrix_beeper_linkedin_enabled: true -matrix_beeper_linkedin_version: v0.5.1 +matrix_beeper_linkedin_version: v0.5.2 + # See: https://gitlab.com/beeper/linkedin/container_registry -matrix_beeper_linkedin_docker_image: "registry.gitlab.com/beeper/linkedin:{{ matrix_beeper_linkedin_version }}-amd64" -matrix_beeper_linkedin_docker_image_force_pull: "{{ matrix_beeper_linkedin_docker_image.endswith(':latest-amd64') }}" +matrix_beeper_linkedin_docker_image: "{{ matrix_beeper_linkedin_docker_image_name_prefix }}beeper/linkedin:{{ matrix_beeper_linkedin_docker_image_tag }}" +matrix_beeper_linkedin_docker_image_force_pull: "{{ matrix_beeper_linkedin_docker_image_tag.startswith('latest') }}" +matrix_beeper_linkedin_docker_image_name_prefix: "{{ 'localhost/' if matrix_beeper_linkedin_container_image_self_build else 'registry.gitlab.com/' }}" +matrix_beeper_linkedin_docker_image_tag: "{{ 'latest' if matrix_beeper_linkedin_version == 'master' else matrix_beeper_linkedin_version }}-{{ matrix_architecture }}" + +matrix_beeper_linkedin_container_image_self_build: false +matrix_beeper_linkedin_container_image_self_build_repo: "https://gitlab.com/beeper/linkedin" +matrix_beeper_linkedin_container_image_self_build_branch: "{{ matrix_beeper_linkedin_version }}" matrix_beeper_linkedin_base_path: "{{ matrix_base_data_path }}/beeper-linkedin" matrix_beeper_linkedin_config_path: "{{ matrix_beeper_linkedin_base_path }}/config" matrix_beeper_linkedin_data_path: "{{ matrix_beeper_linkedin_base_path }}/data" +matrix_beeper_linkedin_docker_src_files_path: "{{ matrix_beeper_linkedin_base_path }}/docker-src" matrix_beeper_linkedin_homeserver_address: "{{ matrix_homeserver_container_url }}" matrix_beeper_linkedin_homeserver_domain: "{{ matrix_domain }}" diff --git a/roles/matrix-bridge-beeper-linkedin/tasks/setup_install.yml b/roles/matrix-bridge-beeper-linkedin/tasks/setup_install.yml index 97d05a45..c873d0c2 100644 --- a/roles/matrix-bridge-beeper-linkedin/tasks/setup_install.yml +++ b/roles/matrix-bridge-beeper-linkedin/tasks/setup_install.yml @@ -7,6 +7,20 @@ msg: >- The matrix-bridge-beeper-linkedin role needs to execute before the matrix-synapse role. when: "matrix_synapse_role_executed|default(False)" +- name: Ensure Beeper LinkedIn paths exists + file: + path: "{{ item.path }}" + state: directory + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: + - { path: "{{ matrix_beeper_linkedin_base_path }}", when: true } + - { path: "{{ matrix_beeper_linkedin_config_path }}", when: true } + - { path: "{{ matrix_beeper_linkedin_data_path }}", when: true } + - { path: "{{ matrix_beeper_linkedin_docker_src_files_path }}", when: "{{ matrix_beeper_linkedin_container_image_self_build }}" } + when: "item.when|bool" + - name: Ensure Beeper LinkedIn image is pulled docker_image: @@ -14,18 +28,42 @@ source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" force_source: "{{ matrix_beeper_linkedin_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_beeper_linkedin_docker_image_force_pull }}" + when: "not matrix_beeper_linkedin_container_image_self_build|bool" -- name: Ensure Beeper LinkedIn paths exists - file: - path: "{{ item }}" - state: directory - mode: 0750 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - with_items: - - "{{ matrix_beeper_linkedin_base_path }}" - - "{{ matrix_beeper_linkedin_config_path }}" - - "{{ matrix_beeper_linkedin_data_path }}" +- block: + - name: Ensure Beeper LinkedIn repository is present on self-build + git: + repo: "{{ matrix_beeper_linkedin_container_image_self_build_repo }}" + dest: "{{ matrix_beeper_linkedin_docker_src_files_path }}" + version: "{{ matrix_beeper_linkedin_container_image_self_build_branch }}" + force: "yes" + register: matrix_beeper_linkedin_git_pull_results + + # Building the container image (using the default Dockerfile) requires that a docker-requirements.txt file be generated. + # See: https://gitlab.com/beeper/linkedin/-/blob/94442db17ccb9769b377cdb8e4bf1cb3955781d7/.gitlab-ci.yml#L30-40 + - name: Ensure docker-requirements.txt is generated before building Beeper LinkedIn Docker Image + command: | + {{ matrix_host_command_docker }} run \ + --rm \ + --entrypoint=/bin/sh \ + --mount type=bind,src={{ matrix_beeper_linkedin_docker_src_files_path }},dst=/work \ + -w /work \ + docker.io/python:3.9.6-buster \ + -c "pip install poetry && poetry export --without-hashes -E e2be -E images -E metrics | sed 's/==.*//g' > docker-requirements.txt" + + - name: Ensure Beeper LinkedIn Docker image is built + docker_image: + name: "{{ matrix_beeper_linkedin_docker_image }}" + source: build + force_source: "{{ matrix_beeper_linkedin_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_beeper_linkedin_git_pull_results.changed }}" + build: + dockerfile: Dockerfile + path: "{{ matrix_beeper_linkedin_docker_src_files_path }}" + pull: yes + args: + TARGETARCH: "{{ matrix_architecture }}" + when: "matrix_beeper_linkedin_container_image_self_build|bool" - name: Ensure beeper-linkedin config.yaml installed copy: diff --git a/roles/matrix-bridge-beeper-linkedin/templates/systemd/matrix-beeper-linkedin.service.j2 b/roles/matrix-bridge-beeper-linkedin/templates/systemd/matrix-beeper-linkedin.service.j2 index 4498b4f0..84e4a9c2 100644 --- a/roles/matrix-bridge-beeper-linkedin/templates/systemd/matrix-beeper-linkedin.service.j2 +++ b/roles/matrix-bridge-beeper-linkedin/templates/systemd/matrix-beeper-linkedin.service.j2 @@ -32,8 +32,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-beeper-linkedi {{ matrix_beeper_linkedin_docker_image }} \ python3 -m linkedin_matrix -c /data/config.yaml -r /data/registration.yaml -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-beeper-linkedin 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-beeper-linkedin 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-beeper-linkedin 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-beeper-linkedin 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-beeper-linkedin diff --git a/roles/matrix-bridge-heisenbridge/defaults/main.yml b/roles/matrix-bridge-heisenbridge/defaults/main.yml index 9a769432..6772c364 100644 --- a/roles/matrix-bridge-heisenbridge/defaults/main.yml +++ b/roles/matrix-bridge-heisenbridge/defaults/main.yml @@ -3,7 +3,7 @@ matrix_heisenbridge_enabled: true -matrix_heisenbridge_version: 1.7.0 +matrix_heisenbridge_version: 1.10.0 matrix_heisenbridge_docker_image: "{{ matrix_container_global_registry_prefix }}hif1/heisenbridge:{{ matrix_heisenbridge_version }}" matrix_heisenbridge_docker_image_force_pull: "{{ matrix_heisenbridge_docker_image.endswith(':latest') }}" diff --git a/roles/matrix-bridge-heisenbridge/templates/systemd/matrix-heisenbridge.service.j2 b/roles/matrix-bridge-heisenbridge/templates/systemd/matrix-heisenbridge.service.j2 index e27b88f1..6a0750bf 100644 --- a/roles/matrix-bridge-heisenbridge/templates/systemd/matrix-heisenbridge.service.j2 +++ b/roles/matrix-bridge-heisenbridge/templates/systemd/matrix-heisenbridge.service.j2 @@ -41,8 +41,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-heisenbridge \ --listen-port 9898 \ {{ matrix_heisenbridge_homeserver_url }} -ExecStop=-{{ matrix_host_command_docker }} kill matrix-heisenbridge -ExecStop=-{{ matrix_host_command_docker }} rm matrix-heisenbridge +ExecStopPost=-{{ matrix_host_command_docker }} kill matrix-heisenbridge +ExecStopPost=-{{ matrix_host_command_docker }} rm matrix-heisenbridge Restart=always RestartSec=30 SyslogIdentifier=matrix-heisenbridge diff --git a/roles/matrix-bridge-mautrix-facebook/defaults/main.yml b/roles/matrix-bridge-mautrix-facebook/defaults/main.yml index 2b453bab..5d83e9cc 100644 --- a/roles/matrix-bridge-mautrix-facebook/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-facebook/defaults/main.yml @@ -42,7 +42,7 @@ matrix_mautrix_facebook_homeserver_token: '' # - plan your migration to Postgres, as this bridge does not support SQLite anymore (and neither will the playbook in the future). # # To use Postgres: -# - adjust your database credentials via the `matrix_mautrix_facebook_postgres_*` variables +# - adjust your database credentials via the `matrix_mautrix_facebook_database_*` variables matrix_mautrix_facebook_database_engine: 'postgres' matrix_mautrix_facebook_sqlite_database_path_local: "{{ matrix_mautrix_facebook_data_path }}/mautrix-facebook.db" diff --git a/roles/matrix-bridge-mautrix-facebook/templates/systemd/matrix-mautrix-facebook.service.j2 b/roles/matrix-bridge-mautrix-facebook/templates/systemd/matrix-mautrix-facebook.service.j2 index f3af4b9f..07ee8fb7 100644 --- a/roles/matrix-bridge-mautrix-facebook/templates/systemd/matrix-mautrix-facebook.service.j2 +++ b/roles/matrix-bridge-mautrix-facebook/templates/systemd/matrix-mautrix-facebook.service.j2 @@ -32,8 +32,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-mautrix-facebo {{ matrix_mautrix_facebook_docker_image }} \ python3 -m mautrix_facebook -c /config/config.yaml --no-update -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mautrix-facebook 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mautrix-facebook 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mautrix-facebook 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mautrix-facebook 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-mautrix-facebook diff --git a/roles/matrix-bridge-mautrix-googlechat/defaults/main.yml b/roles/matrix-bridge-mautrix-googlechat/defaults/main.yml index 22f863ff..02bef16a 100644 --- a/roles/matrix-bridge-mautrix-googlechat/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-googlechat/defaults/main.yml @@ -47,7 +47,7 @@ matrix_mautrix_googlechat_homeserver_token: '' # # To use Postgres: # - change the engine (`matrix_mautrix_googlechat_database_engine: 'postgres'`) -# - adjust your database credentials via the `matrix_mautrix_googlechat_postgres_*` variables +# - adjust your database credentials via the `matrix_mautrix_googlechat_database_*` variables matrix_mautrix_googlechat_database_engine: 'sqlite' matrix_mautrix_googlechat_sqlite_database_path_local: "{{ matrix_mautrix_googlechat_data_path }}/mautrix-googlechat.db" diff --git a/roles/matrix-bridge-mautrix-googlechat/tasks/init.yml b/roles/matrix-bridge-mautrix-googlechat/tasks/init.yml index c12fcd3c..5c8d82bf 100644 --- a/roles/matrix-bridge-mautrix-googlechat/tasks/init.yml +++ b/roles/matrix-bridge-mautrix-googlechat/tasks/init.yml @@ -28,7 +28,7 @@ msg: >- Trying to append Mautrix googlechat's reverse-proxying configuration to matrix-nginx-proxy, but it's pointless since the matrix-nginx-proxy role had already executed. - To fix this, please change the order of roles in your plabook, + To fix this, please change the order of roles in your playbook, so that the matrix-nginx-proxy role would run after the matrix-bridge-mautrix-googlechat role. when: matrix_nginx_proxy_role_executed|default(False)|bool diff --git a/roles/matrix-bridge-mautrix-googlechat/templates/systemd/matrix-mautrix-googlechat.service.j2 b/roles/matrix-bridge-mautrix-googlechat/templates/systemd/matrix-mautrix-googlechat.service.j2 index c56473be..5a6ab799 100644 --- a/roles/matrix-bridge-mautrix-googlechat/templates/systemd/matrix-mautrix-googlechat.service.j2 +++ b/roles/matrix-bridge-mautrix-googlechat/templates/systemd/matrix-mautrix-googlechat.service.j2 @@ -33,8 +33,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-mautrix-google {{ matrix_mautrix_googlechat_docker_image }} \ python3 -m mautrix_googlechat -c /config/config.yaml --no-update -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mautrix-googlechat 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mautrix-googlechat 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mautrix-googlechat 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mautrix-googlechat 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-mautrix-googlechat diff --git a/roles/matrix-bridge-mautrix-hangouts/defaults/main.yml b/roles/matrix-bridge-mautrix-hangouts/defaults/main.yml index fa46d33c..013e1d14 100644 --- a/roles/matrix-bridge-mautrix-hangouts/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-hangouts/defaults/main.yml @@ -47,7 +47,7 @@ matrix_mautrix_hangouts_homeserver_token: '' # # To use Postgres: # - change the engine (`matrix_mautrix_hangouts_database_engine: 'postgres'`) -# - adjust your database credentials via the `matrix_mautrix_hangouts_postgres_*` variables +# - adjust your database credentials via the `matrix_mautrix_hangouts_database_*` variables matrix_mautrix_hangouts_database_engine: 'sqlite' matrix_mautrix_hangouts_sqlite_database_path_local: "{{ matrix_mautrix_hangouts_data_path }}/mautrix-hangouts.db" diff --git a/roles/matrix-bridge-mautrix-hangouts/tasks/init.yml b/roles/matrix-bridge-mautrix-hangouts/tasks/init.yml index 6cc194fe..59756ec9 100644 --- a/roles/matrix-bridge-mautrix-hangouts/tasks/init.yml +++ b/roles/matrix-bridge-mautrix-hangouts/tasks/init.yml @@ -28,7 +28,7 @@ msg: >- Trying to append Mautrix Hangouts's reverse-proxying configuration to matrix-nginx-proxy, but it's pointless since the matrix-nginx-proxy role had already executed. - To fix this, please change the order of roles in your plabook, + To fix this, please change the order of roles in your playbook, so that the matrix-nginx-proxy role would run after the matrix-bridge-mautrix-hangouts role. when: matrix_nginx_proxy_role_executed|default(False)|bool diff --git a/roles/matrix-bridge-mautrix-hangouts/templates/systemd/matrix-mautrix-hangouts.service.j2 b/roles/matrix-bridge-mautrix-hangouts/templates/systemd/matrix-mautrix-hangouts.service.j2 index 60f0e055..66f34d94 100644 --- a/roles/matrix-bridge-mautrix-hangouts/templates/systemd/matrix-mautrix-hangouts.service.j2 +++ b/roles/matrix-bridge-mautrix-hangouts/templates/systemd/matrix-mautrix-hangouts.service.j2 @@ -44,8 +44,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-mautrix-hangou {{ matrix_mautrix_hangouts_docker_image }} \ python3 -m mautrix_hangouts -c /config/config.yaml --no-update -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mautrix-hangouts 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mautrix-hangouts 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mautrix-hangouts 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mautrix-hangouts 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-mautrix-hangouts diff --git a/roles/matrix-bridge-mautrix-instagram/defaults/main.yml b/roles/matrix-bridge-mautrix-instagram/defaults/main.yml index a648018e..a3783328 100644 --- a/roles/matrix-bridge-mautrix-instagram/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-instagram/defaults/main.yml @@ -6,7 +6,7 @@ matrix_mautrix_instagram_enabled: true matrix_mautrix_instagram_container_image_self_build: false matrix_mautrix_instagram_container_image_self_build_repo: "https://github.com/mautrix/instagram.git" -matrix_mautrix_instagram_version: latest +matrix_mautrix_instagram_version: v0.1.2 # See: https://mau.dev/tulir/mautrix-instagram/container_registry matrix_mautrix_instagram_docker_image: "{{ matrix_mautrix_instagram_docker_image_name_prefix }}mautrix/instagram:{{ matrix_mautrix_instagram_version }}" matrix_mautrix_instagram_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_instagram_container_image_self_build else 'dock.mau.dev/' }}" @@ -37,7 +37,7 @@ matrix_mautrix_instagram_homeserver_token: '' # Database-related configuration fields. # # To use Postgres: -# - adjust your database credentials via the `matrix_mautrix_instagram_postgres_*` variables +# - adjust your database credentials via the `matrix_mautrix_instagram_database_*` variables matrix_mautrix_instagram_database_engine: 'postgres' matrix_mautrix_instagram_database_username: 'matrix_mautrix_instagram' diff --git a/roles/matrix-bridge-mautrix-instagram/templates/config.yaml.j2 b/roles/matrix-bridge-mautrix-instagram/templates/config.yaml.j2 index db57bd0d..ac14754c 100644 --- a/roles/matrix-bridge-mautrix-instagram/templates/config.yaml.j2 +++ b/roles/matrix-bridge-mautrix-instagram/templates/config.yaml.j2 @@ -43,7 +43,7 @@ appservice: bot_username: {{ matrix_mautrix_instagram_appservice_bot_username|to_json }} # Display name and avatar for bot. Set to "remove" to remove display name/avatar, leave empty # to leave display name/avatar as-is. - bot_displayname: instagram bridge bot + bot_displayname: Instagram bridge bot bot_avatar: mxc://maunium.net/JxjlbZUlCPULEeHZSwleUXQv # Community ID for bridged users (changes registration file) and rooms. diff --git a/roles/matrix-bridge-mautrix-instagram/templates/systemd/matrix-mautrix-instagram.service.j2 b/roles/matrix-bridge-mautrix-instagram/templates/systemd/matrix-mautrix-instagram.service.j2 index 33a5bab3..0157accc 100644 --- a/roles/matrix-bridge-mautrix-instagram/templates/systemd/matrix-mautrix-instagram.service.j2 +++ b/roles/matrix-bridge-mautrix-instagram/templates/systemd/matrix-mautrix-instagram.service.j2 @@ -32,8 +32,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-mautrix-instag {{ matrix_mautrix_instagram_docker_image }} \ python3 -m mautrix_instagram -c /config/config.yaml --no-update -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mautrix-instagram 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mautrix-instagram 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mautrix-instagram 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mautrix-instagram 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-mautrix-instagram diff --git a/roles/matrix-bridge-mautrix-signal/defaults/main.yml b/roles/matrix-bridge-mautrix-signal/defaults/main.yml index 93993fa1..ceaa9b87 100644 --- a/roles/matrix-bridge-mautrix-signal/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-signal/defaults/main.yml @@ -3,21 +3,21 @@ matrix_mautrix_signal_enabled: true -matrix_mautrix_signal_container_self_build: false +matrix_mautrix_signal_container_image_self_build: false matrix_mautrix_signal_docker_repo: "https://mau.dev/mautrix/signal.git" matrix_mautrix_signal_docker_src_files_path: "{{ matrix_base_data_path }}/mautrix-signal/docker-src" -matrix_mautrix_signal_version: latest -matrix_mautrix_signal_daemon_version: latest +matrix_mautrix_signal_version: v0.2.2 +matrix_mautrix_signal_daemon_version: 0.16.1 # See: https://mau.dev/mautrix/signal/container_registry matrix_mautrix_signal_docker_image: "dock.mau.dev/mautrix/signal:{{ matrix_mautrix_signal_version }}" matrix_mautrix_signal_docker_image_force_pull: "{{ matrix_mautrix_signal_docker_image.endswith(':latest') }}" -matrix_mautrix_signal_daemon_container_self_build: false +matrix_mautrix_signal_daemon_container_image_self_build: false matrix_mautrix_signal_daemon_docker_repo: "https://mau.dev/maunium/signald.git" matrix_mautrix_signal_daemon_docker_src_files_path: "{{ matrix_base_data_path }}/mautrix-signald/docker-src" -matrix_mautrix_signal_daemon_docker_image: "dock.mau.dev/maunium/signald:{{ matrix_mautrix_signal_daemon_version }}" +matrix_mautrix_signal_daemon_docker_image: "docker.io/signald/signald:{{ matrix_mautrix_signal_daemon_version }}" matrix_mautrix_signal_daemon_docker_image_force_pull: "{{ matrix_mautrix_signal_daemon_docker_image.endswith(':latest') }}" matrix_mautrix_signal_base_path: "{{ matrix_base_data_path }}/mautrix-signal" diff --git a/roles/matrix-bridge-mautrix-signal/tasks/setup_install.yml b/roles/matrix-bridge-mautrix-signal/tasks/setup_install.yml index 88710868..1a9b2915 100644 --- a/roles/matrix-bridge-mautrix-signal/tasks/setup_install.yml +++ b/roles/matrix-bridge-mautrix-signal/tasks/setup_install.yml @@ -14,7 +14,7 @@ source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" force_source: "{{ matrix_mautrix_signal_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mautrix_signal_docker_image_force_pull }}" - when: "not matrix_mautrix_signal_container_self_build|bool" + when: "not matrix_mautrix_signal_container_image_self_build|bool" - name: Ensure Mautrix Signal repository is present on self-build @@ -23,19 +23,19 @@ dest: "{{ matrix_mautrix_signal_docker_src_files_path }}" force: "yes" register: matrix_mautrix_signal_git_pull_results - when: "matrix_mautrix_signal_container_self_build|bool" + when: "matrix_mautrix_signal_container_image_self_build|bool" - name: Ensure Mautrix Signal image is built docker_image: name: "{{ matrix_mautrix_signal_docker_image }}" source: build force_source: "{{ matrix_mautrix_signal_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" - force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mailer_git_pull_results.changed }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mautrix_signal_git_pull_results.changed }}" build: dockerfile: Dockerfile path: "{{ matrix_mautrix_signal_docker_src_files_path }}" pull: yes - when: "matrix_mautrix_signal_container_self_build|bool" + when: "matrix_mautrix_signal_container_image_self_build|bool" - name: Ensure Mautrix Signal Daemon image is pulled @@ -44,7 +44,7 @@ source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" force_source: "{{ matrix_mautrix_signal_daemon_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mautrix_signal_daemon_docker_image_force_pull }}" - when: matrix_mautrix_signal_enabled and not matrix_mautrix_signal_daemon_container_self_build|bool + when: matrix_mautrix_signal_enabled and not matrix_mautrix_signal_daemon_container_image_self_build|bool register: matrix_mautrix_signal_daemon_pull_results - name: Ensure Mautrix Signal Daemon repository is present on self-build @@ -53,19 +53,19 @@ dest: "{{ matrix_mautrix_signal_daemon_docker_src_files_path }}" force: "yes" register: matrix_mautrix_signal_daemon_git_pull_results - when: "matrix_mautrix_signal_daemon_container_self_build|bool" + when: "matrix_mautrix_signal_daemon_container_image_self_build|bool" - name: Ensure Mautrix Signal Daemon image is built docker_image: name: "{{ matrix_mautrix_signal_daemon_docker_image }}" source: build force_source: "{{ matrix_mautrix_signal_daemon_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" - force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mailer_git_pull_results.changed }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mautrix_signal_daemon_git_pull_results.changed }}" build: dockerfile: Dockerfile path: "{{ matrix_mautrix_signal_daemon_docker_src_files_path }}" pull: yes - when: "matrix_mautrix_signal_daemon_container_self_build|bool" + when: "matrix_mautrix_signal_daemon_container_image_self_build|bool" - name: Ensure Mautrix Signal paths exist file: diff --git a/roles/matrix-bridge-mautrix-signal/tasks/validate_config.yml b/roles/matrix-bridge-mautrix-signal/tasks/validate_config.yml index 100af3f8..108ac044 100644 --- a/roles/matrix-bridge-mautrix-signal/tasks/validate_config.yml +++ b/roles/matrix-bridge-mautrix-signal/tasks/validate_config.yml @@ -26,3 +26,5 @@ - {'old': 'matrix_mautrix_signal_db_port', 'new': 'matrix_mautrix_signal_database_port'} - {'old': 'matrix_mautrix_signal_db_url', 'new': 'matrix_mautrix_signal_database_connection_string'} - {'old': 'matrix_mautrix_signal_configuration_permissions', 'new': ''} + - {'old': 'matrix_mautrix_signal_container_self_build', 'new': 'matrix_mautrix_signal_container_image_self_build'} + - {'old': 'matrix_mautrix_signal_daemon_container_self_build', 'new': 'matrix_mautrix_signal_daemon_container_image_self_build'} diff --git a/roles/matrix-bridge-mautrix-signal/templates/config.yaml.j2 b/roles/matrix-bridge-mautrix-signal/templates/config.yaml.j2 index 19c3ba05..0498d6ea 100644 --- a/roles/matrix-bridge-mautrix-signal/templates/config.yaml.j2 +++ b/roles/matrix-bridge-mautrix-signal/templates/config.yaml.j2 @@ -15,6 +15,8 @@ homeserver: # If set, the bridge will make POST requests to this URL whenever a user's Signal connection state changes. # The bridge will use the appservice as_token to authorize requests. status_endpoint: null + # Endpoint for reporting per-message status. + message_send_checkpoint_endpoint: null # Application service host/registration related details # Changing these values requires regeneration of the registration. @@ -32,25 +34,19 @@ appservice: # Usually 1 is enough, but on high-traffic bridges you might need to increase this to avoid 413s max_body_size: 1 - # The full URI to the database. Only Postgres is currently supported. + # The full URI to the database. SQLite and Postgres are supported. + # Format examples: + # SQLite: sqlite:///filename.db + # Postgres: postgres://username:password@hostname/dbname database: {{ matrix_mautrix_signal_database_connection_string }} - # Additional arguments for asyncpg.create_pool() + # Additional arguments for asyncpg.create_pool() or sqlite3.connect() # https://magicstack.github.io/asyncpg/current/api/index.html#asyncpg.pool.create_pool + # https://docs.python.org/3/library/sqlite3.html#sqlite3.connect + # For sqlite, min_size is used as the connection thread pool size and max_size is ignored. database_opts: min_size: 5 max_size: 10 - # Provisioning API part of the web server for automated portal creation and fetching information. - # Used by things like mautrix-manager (https://github.com/tulir/mautrix-manager). - provisioning: - # Whether or not the provisioning API should be enabled. - enabled: true - # The prefix to use in the provisioning API endpoints. - prefix: /_matrix/provision/v1 - # The shared secret to authorize users of the API. - # Set to "generate" to generate and save a new token. - shared_secret: generate - # The unique ID of this appservice. id: signal # Username of the appservice bot. @@ -66,7 +62,12 @@ appservice: # Example: "+signal:example.com". Set to false to disable. community_id: false - # Authentication tokens for AS <-> HS communication. + # Whether or not to receive ephemeral events via appservice transactions. + # Requires MSC2409 support (i.e. Synapse 1.22+). + # You should disable bridge -> sync_with_custom_puppets when this is enabled. + ephemeral_events: false + + # Authentication tokens for AS <-> HS communication. Autogenerated; do not modify. as_token: "{{ matrix_mautrix_signal_appservice_token }}" hs_token: "{{ matrix_mautrix_signal_homeserver_token }}" @@ -75,6 +76,17 @@ metrics: enabled: false listen_port: 8000 +# Manhole config. +manhole: + # Whether or not opening the manhole is allowed. + enabled: false + # The path for the unix socket. + path: /var/tmp/mautrix-signal.manhole + # The list of UIDs who can be added to the whitelist. + # If empty, any UIDs can be specified in the open-manhole command. + whitelist: + - 0 + signal: # Path to signald unix socket socket_path: /signald/signald.sock @@ -91,6 +103,8 @@ signal: delete_unknown_accounts_on_start: false # Whether or not message attachments should be removed from disk after they're bridged. remove_file_after_handling: true + # Whether or not users can register a primary device + registration_enabled: true # Bridge config bridge: @@ -102,6 +116,7 @@ bridge: # available variable in displayname_preference. The variables in displayname_preference # can also be used here directly. displayname_template: "{displayname} (Signal)" + # Whether or not contact list displaynames should be used. # Possible values: disallow, allow, prefer # # Multi-user instances are recommended to disallow contact list names, as otherwise there can @@ -140,7 +155,7 @@ bridge: # If false, created portal rooms will never be federated. federate_rooms: true # End-to-bridge encryption support options. You must install the e2be optional dependency for - # this to work. See https://docs.mau.fi/bridges/general/end-to-bridge-encryption.html + # this to work. See https://github.com/tulir/mautrix-telegram/wiki/End‐to‐bridge-encryption encryption: # Allow encryption, work in group chat rooms with e2ee enabled allow: false @@ -173,12 +188,38 @@ bridge: # This field will automatically be changed back to false after it, # except if the config file is not writable. resend_bridge_info: false - # Interval at which to resync contacts. + # Interval at which to resync contacts (in seconds). periodic_sync: 0 + # Provisioning API part of the web server for automated portal creation and fetching information. + # Used by things like mautrix-manager (https://github.com/tulir/mautrix-manager). + provisioning: + # Whether or not the provisioning API should be enabled. + enabled: true + # The prefix to use in the provisioning API endpoints. + prefix: /_matrix/provision/v1 + # The shared secret to authorize users of the API. + # Set to "generate" to generate and save a new token. + shared_secret: generate + # The prefix for commands. Only required in non-management rooms. command_prefix: "!signal" + # Messages sent upon joining a management room. + # Markdown is supported. The defaults are listed below. + management_room_text: + # Sent when joining a room. + welcome: "Hello, I'm a Signal bridge bot." + # Sent when joining a management room and the user is already logged in. + welcome_connected: "Use `help` for help." + # Sent when joining a management room and the user is not logged in. + welcome_unconnected: "Use `help` for help or `register` to log in." + # Optional extra text sent when joining a management room. + additional_help: "" + + # Send each message separately (for readability in some clients) + management_room_multiple_messages: false + # Permissions for using the bridge. # Permitted values: # relay - Allowed to be relayed through the bridge, no access to commands. diff --git a/roles/matrix-bridge-mautrix-signal/templates/systemd/matrix-mautrix-signal-daemon.service.j2 b/roles/matrix-bridge-mautrix-signal/templates/systemd/matrix-mautrix-signal-daemon.service.j2 index 6f128da3..314bba6d 100644 --- a/roles/matrix-bridge-mautrix-signal/templates/systemd/matrix-mautrix-signal-daemon.service.j2 +++ b/roles/matrix-bridge-mautrix-signal/templates/systemd/matrix-mautrix-signal-daemon.service.j2 @@ -30,8 +30,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-mautrix-signal -v {{ matrix_mautrix_signal_daemon_path }}:/signald:z \ {{ matrix_mautrix_signal_daemon_docker_image }} -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mautrix-signal-daemon 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mautrix-signal-daemon 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mautrix-signal-daemon 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mautrix-signal-daemon 2>/dev/null' Restart=always RestartSec=30 diff --git a/roles/matrix-bridge-mautrix-signal/templates/systemd/matrix-mautrix-signal.service.j2 b/roles/matrix-bridge-mautrix-signal/templates/systemd/matrix-mautrix-signal.service.j2 index e3e02424..0d3eb9b8 100644 --- a/roles/matrix-bridge-mautrix-signal/templates/systemd/matrix-mautrix-signal.service.j2 +++ b/roles/matrix-bridge-mautrix-signal/templates/systemd/matrix-mautrix-signal.service.j2 @@ -26,6 +26,7 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-mautrix-signal --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --cap-drop=ALL \ --read-only \ + --tmpfs /tmp \ {% if matrix_mautrix_signal_container_http_host_bind_port %} -p {{ matrix_mautrix_signal_container_http_host_bind_port }}:29328 \ {% endif %} @@ -37,8 +38,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-mautrix-signal {{ matrix_mautrix_signal_docker_image }} \ python3 -m mautrix_signal -c /config/config.yaml --no-update -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mautrix-signal 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mautrix-signal 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mautrix-signal 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mautrix-signal 2>/dev/null' Restart=always RestartSec=30 diff --git a/roles/matrix-bridge-mautrix-telegram/defaults/main.yml b/roles/matrix-bridge-mautrix-telegram/defaults/main.yml index a105621a..bcdcfdd8 100644 --- a/roles/matrix-bridge-mautrix-telegram/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-telegram/defaults/main.yml @@ -3,17 +3,17 @@ matrix_mautrix_telegram_enabled: true -matrix_telegram_lottieconverter_container_self_build: false -matrix_telegram_lottieconverter_container_self_build_mask_arch: false +matrix_telegram_lottieconverter_container_image_self_build: false +matrix_telegram_lottieconverter_container_image_self_build_mask_arch: false matrix_telegram_lottieconverter_docker_repo: "https://mau.dev/tulir/lottieconverter.git" matrix_telegram_lottieconverter_docker_src_files_path: "{{ matrix_base_data_path }}/lotticonverter/docker-src" -matrix_telegram_lottieconverter_docker_image: "dock.mau.dev/tulir/lottieconverter:alpine-3.14" # needs to be ajusted according to FROM clause of Dockerfile of mautrix-telegram +matrix_telegram_lottieconverter_docker_image: "dock.mau.dev/tulir/lottieconverter:alpine-3.15" # needs to be ajusted according to FROM clause of Dockerfile of mautrix-telegram -matrix_mautrix_telegram_container_self_build: false +matrix_mautrix_telegram_container_image_self_build: false matrix_mautrix_telegram_docker_repo: "https://mau.dev/mautrix/telegram.git" matrix_mautrix_telegram_docker_src_files_path: "{{ matrix_base_data_path }}/mautrix-telegram/docker-src" -matrix_mautrix_telegram_version: v0.10.1 +matrix_mautrix_telegram_version: v0.11.1 # See: https://mau.dev/mautrix/telegram/container_registry matrix_mautrix_telegram_docker_image: "dock.mau.dev/mautrix/telegram:{{ matrix_mautrix_telegram_version }}" matrix_mautrix_telegram_docker_image_force_pull: "{{ matrix_mautrix_telegram_docker_image.endswith(':latest') }}" @@ -63,7 +63,7 @@ matrix_mautrix_telegram_homeserver_token: '' # # To use Postgres: # - change the engine (`matrix_mautrix_telegram_database_engine: 'postgres'`) -# - adjust your database credentials via the `matrix_mautrix_telegram_postgres_*` variables +# - adjust your database credentials via the `matrix_mautrix_telegram_database_*` variables matrix_mautrix_telegram_database_engine: 'sqlite' matrix_mautrix_telegram_sqlite_database_path_local: "{{ matrix_mautrix_telegram_data_path }}/mautrix-telegram.db" @@ -130,3 +130,8 @@ matrix_mautrix_telegram_registration_yaml: | de.sorunome.msc2409.push_ephemeral: true matrix_mautrix_telegram_registration: "{{ matrix_mautrix_telegram_registration_yaml|from_yaml }}" + +# Templates for defining MXID's and displaynames for users and rooms. +matrix_mautrix_telegram_username_template: 'telegram_{userid}' +matrix_mautrix_telegram_alias_template: 'telegram_{groupname}' +matrix_mautrix_telegram_displayname_template: '{displayname} (Telegram)' diff --git a/roles/matrix-bridge-mautrix-telegram/tasks/init.yml b/roles/matrix-bridge-mautrix-telegram/tasks/init.yml index 84ac86d0..662ea1c3 100644 --- a/roles/matrix-bridge-mautrix-telegram/tasks/init.yml +++ b/roles/matrix-bridge-mautrix-telegram/tasks/init.yml @@ -3,7 +3,7 @@ - name: Fail if trying to self-build on Ansible < 2.8 fail: msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mautrix_telegram_container_self_build and matrix_mautrix_telegram_enabled" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mautrix_telegram_container_image_self_build and matrix_mautrix_telegram_enabled" - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mautrix-telegram.service'] }}" @@ -28,7 +28,7 @@ msg: >- Trying to append Mautrix Telegram's reverse-proxying configuration to matrix-nginx-proxy, but it's pointless since the matrix-nginx-proxy role had already executed. - To fix this, please change the order of roles in your plabook, + To fix this, please change the order of roles in your playbook, so that the matrix-nginx-proxy role would run after the matrix-bridge-mautrix-telegram role. when: matrix_nginx_proxy_role_executed|default(False)|bool diff --git a/roles/matrix-bridge-mautrix-telegram/tasks/setup_install.yml b/roles/matrix-bridge-mautrix-telegram/tasks/setup_install.yml index 1e87f1ae..1e34e2cd 100644 --- a/roles/matrix-bridge-mautrix-telegram/tasks/setup_install.yml +++ b/roles/matrix-bridge-mautrix-telegram/tasks/setup_install.yml @@ -45,7 +45,7 @@ - { path: "{{ matrix_mautrix_telegram_base_path }}", when: true } - { path: "{{ matrix_mautrix_telegram_config_path }}", when: true } - { path: "{{ matrix_mautrix_telegram_data_path }}", when: true } - - { path: "{{ matrix_mautrix_telegram_docker_src_files_path }}", when: "{{ matrix_mautrix_telegram_container_self_build }}" } + - { path: "{{ matrix_mautrix_telegram_docker_src_files_path }}", when: "{{ matrix_mautrix_telegram_container_image_self_build }}" } when: item.when|bool - name: Ensure Mautrix Telegram image is pulled @@ -54,7 +54,7 @@ source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" force_source: "{{ matrix_mautrix_telegram_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mautrix_telegram_docker_image_force_pull }}" - when: "not matrix_mautrix_telegram_container_self_build|bool" + when: "not matrix_mautrix_telegram_container_image_self_build|bool" - name: Ensure lottieconverter is present when self-building git: @@ -62,7 +62,7 @@ dest: "{{ matrix_telegram_lottieconverter_docker_src_files_path }}" force: "yes" register: matrix_telegram_lottieconverter_git_pull_results - when: "matrix_telegram_lottieconverter_container_self_build|bool and matrix_mautrix_telegram_container_self_build|bool" + when: "matrix_telegram_lottieconverter_container_image_self_build|bool and matrix_mautrix_telegram_container_image_self_build|bool" - name: Ensure lottieconverter Docker image is built docker_image: @@ -74,7 +74,7 @@ dockerfile: Dockerfile path: "{{ matrix_telegram_lottieconverter_docker_src_files_path }}" pull: yes - when: "matrix_telegram_lottieconverter_container_self_build|bool and matrix_telegram_lottieconverter_git_pull_results.changed and matrix_mautrix_telegram_container_self_build|bool" + when: "matrix_telegram_lottieconverter_container_image_self_build|bool and matrix_telegram_lottieconverter_git_pull_results.changed and matrix_mautrix_telegram_container_image_self_build|bool" - name: Ensure matrix-mautrix-telegram repository is present when self-building git: @@ -82,7 +82,7 @@ dest: "{{ matrix_mautrix_telegram_docker_src_files_path }}" force: "yes" register: matrix_mautrix_telegram_git_pull_results - when: "matrix_mautrix_telegram_container_self_build|bool" + when: "matrix_mautrix_telegram_container_image_self_build|bool" - name: Ensure matrix-mautrix-telegram Docker image is built docker_image: @@ -93,10 +93,10 @@ build: dockerfile: Dockerfile path: "{{ matrix_mautrix_telegram_docker_src_files_path }}" - pull: "{{ not matrix_telegram_lottieconverter_container_self_build_mask_arch|bool }}" + pull: "{{ not matrix_telegram_lottieconverter_container_image_self_build_mask_arch|bool }}" args: TARGETARCH: "" - when: "matrix_mautrix_telegram_container_self_build|bool and matrix_mautrix_telegram_git_pull_results.changed" + when: "matrix_mautrix_telegram_container_image_self_build|bool and matrix_mautrix_telegram_git_pull_results.changed" - name: Check if an old database file already exists stat: diff --git a/roles/matrix-bridge-mautrix-telegram/tasks/validate_config.yml b/roles/matrix-bridge-mautrix-telegram/tasks/validate_config.yml index 5b1f3b00..2067b97b 100644 --- a/roles/matrix-bridge-mautrix-telegram/tasks/validate_config.yml +++ b/roles/matrix-bridge-mautrix-telegram/tasks/validate_config.yml @@ -20,3 +20,6 @@ when: "item.old in vars" with_items: - {'old': 'matrix_mautrix_telegram_container_exposed_port_number', 'new': ''} + - {'old': 'matrix_mautrix_telegram_container_self_build', 'new': 'matrix_mautrix_telegram_container_image_self_build'} + - {'old': 'matrix_telegram_lottieconverter_container_self_build', 'new': 'matrix_mautrix_telegram_container_image_self_build'} + - {'old': 'matrix_telegram_lottieconverter_container_self_build_mask_arch', 'new': 'matrix_telegram_lottieconverter_container_image_self_build_mask_arch'} diff --git a/roles/matrix-bridge-mautrix-telegram/templates/config.yaml.j2 b/roles/matrix-bridge-mautrix-telegram/templates/config.yaml.j2 index 39a18462..94694351 100644 --- a/roles/matrix-bridge-mautrix-telegram/templates/config.yaml.j2 +++ b/roles/matrix-bridge-mautrix-telegram/templates/config.yaml.j2 @@ -69,13 +69,16 @@ appservice: bridge: # Localpart template of MXIDs for Telegram users. # {userid} is replaced with the user ID of the Telegram user. - username_template: "telegram_{userid}" + # Default: telegram_{userid} + username_template: {{ matrix_mautrix_telegram_username_template|to_json }} # Localpart template of room aliases for Telegram portal rooms. # {groupname} is replaced with the name part of the public channel/group invite link ( https://t.me/{} ) - alias_template: "telegram_{groupname}" + # Default: telegram_{groupname} + alias_template: {{ matrix_mautrix_telegram_alias_template|to_json }} # Displayname template for Telegram users. # {displayname} is replaced with the display name of the Telegram user. - displayname_template: "{displayname} (Telegram)" + # Default: {displayname} (Telegram) + displayname_template: {{ matrix_mautrix_telegram_displayname_template|to_json }} # Set the preferred order of user identifiers which to use in the Matrix puppet display name. # In the (hopefully unlikely) scenario that none of the given keys are found, the numeric user @@ -222,17 +225,6 @@ bridge: # notices from users listed here will be bridged. exceptions: [] - # Some config options related to Telegram message deduplication. - # The default values are usually fine, but some debug messages/warnings might recommend you - # change these. - deduplication: - # Whether or not to check the database if the message about to be sent is a duplicate. - pre_db_check: false - # The number of latest events to keep when checking for duplicates. - # You might need to increase this on high-traffic bridge instances. - cache_queue_length: 20 - - # The formats to use when sending messages to Telegram via the relay bot. # # Telegram doesn't have built-in emotes, so the m.emote format is also used for non-relaybot users. diff --git a/roles/matrix-bridge-mautrix-telegram/templates/systemd/matrix-mautrix-telegram.service.j2 b/roles/matrix-bridge-mautrix-telegram/templates/systemd/matrix-mautrix-telegram.service.j2 index ae1ac675..3f5cbd00 100644 --- a/roles/matrix-bridge-mautrix-telegram/templates/systemd/matrix-mautrix-telegram.service.j2 +++ b/roles/matrix-bridge-mautrix-telegram/templates/systemd/matrix-mautrix-telegram.service.j2 @@ -15,15 +15,6 @@ Type=simple Environment="HOME={{ matrix_systemd_unit_home_path }}" ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mautrix-telegram 2>/dev/null' ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mautrix-telegram 2>/dev/null' -ExecStartPre={{ matrix_host_command_docker }} run --rm --name matrix-mautrix-telegram-db \ - --log-driver=none \ - --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ - --cap-drop=ALL \ - --network={{ matrix_docker_network }} \ - -v {{ matrix_mautrix_telegram_config_path }}:/config:z \ - -v {{ matrix_mautrix_telegram_data_path }}:/data:z \ - {{ matrix_mautrix_telegram_docker_image }} \ - alembic -x config=/config/config.yaml upgrade head # Intentional delay, so that the homeserver (we likely depend on) can manage to start. ExecStartPre={{ matrix_host_command_sleep }} 5 @@ -44,8 +35,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-mautrix-telegr {{ matrix_mautrix_telegram_docker_image }} \ python3 -m mautrix_telegram -c /config/config.yaml --no-update -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mautrix-telegram 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mautrix-telegram 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mautrix-telegram 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mautrix-telegram 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-mautrix-telegram diff --git a/roles/matrix-bridge-mautrix-twitter/defaults/main.yml b/roles/matrix-bridge-mautrix-twitter/defaults/main.yml new file mode 100644 index 00000000..6a72706b --- /dev/null +++ b/roles/matrix-bridge-mautrix-twitter/defaults/main.yml @@ -0,0 +1,103 @@ +# mautrix-twitter is a Matrix <-> Twitter bridge +# See: https://github.com/mautrix/twitter + +matrix_mautrix_twitter_enabled: true + +matrix_mautrix_twitter_container_image_self_build: false +matrix_mautrix_twitter_container_image_self_build_repo: "https://github.com/mautrix/twitter.git" + +matrix_mautrix_twitter_version: v0.1.3 +# See: https://mau.dev/tulir/mautrix-twitter/container_registry +matrix_mautrix_twitter_docker_image: "{{ matrix_mautrix_twitter_docker_image_name_prefix }}mautrix/twitter:{{ matrix_mautrix_twitter_version }}" +matrix_mautrix_twitter_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_twitter_container_image_self_build else 'dock.mau.dev/' }}" +matrix_mautrix_twitter_docker_image_force_pull: "{{ matrix_mautrix_twitter_docker_image.endswith(':latest') }}" + +matrix_mautrix_twitter_base_path: "{{ matrix_base_data_path }}/mautrix-twitter" +matrix_mautrix_twitter_config_path: "{{ matrix_mautrix_twitter_base_path }}/config" +matrix_mautrix_twitter_data_path: "{{ matrix_mautrix_twitter_base_path }}/data" +matrix_mautrix_twitter_docker_src_files_path: "{{ matrix_mautrix_twitter_base_path }}/docker-src" + +matrix_mautrix_twitter_homeserver_address: "{{ matrix_homeserver_container_url }}" +matrix_mautrix_twitter_homeserver_domain: '{{ matrix_domain }}' +matrix_mautrix_twitter_appservice_address: 'http://matrix-mautrix-twitter:29327' + +# A list of extra arguments to pass to the container +matrix_mautrix_twitter_container_extra_arguments: [] + +# List of systemd services that matrix-mautrix-twitter.service depends on. +matrix_mautrix_twitter_systemd_required_services_list: ['docker.service'] + +# List of systemd services that matrix-mautrix-twitter.service wants +matrix_mautrix_twitter_systemd_wanted_services_list: [] + +matrix_mautrix_twitter_appservice_token: '' +matrix_mautrix_twitter_homeserver_token: '' + + +# Database-related configuration fields. +# +# To use Postgres: +# - adjust your database credentials via the `matrix_mautrix_twitter_postgres_*` variables +matrix_mautrix_twitter_database_engine: 'postgres' + +matrix_mautrix_twitter_database_username: 'matrix_mautrix_twitter' +matrix_mautrix_twitter_database_password: 'some-password' +matrix_mautrix_twitter_database_hostname: 'matrix-postgres' +matrix_mautrix_twitter_database_port: 5432 +matrix_mautrix_twitter_database_name: 'matrix_mautrix_twitter' + +matrix_mautrix_twitter_database_connection_string: 'postgres://{{ matrix_mautrix_twitter_database_username }}:{{ matrix_mautrix_twitter_database_password }}@{{ matrix_mautrix_twitter_database_hostname }}:{{ matrix_mautrix_twitter_database_port }}/{{ matrix_mautrix_twitter_database_name }}' + +matrix_mautrix_twitter_appservice_database: "{{ + { + 'postgres': matrix_mautrix_twitter_database_connection_string, + }[matrix_mautrix_twitter_database_engine] +}}" + + +# Can be set to enable automatic double-puppeting via Shared Secret Auth (https://github.com/devture/matrix-synapse-shared-secret-auth). +matrix_mautrix_twitter_login_shared_secret: '' + +matrix_mautrix_twitter_bridge_login_shared_secret_map: "{{ {matrix_mautrix_twitter_homeserver_domain: matrix_mautrix_twitter_login_shared_secret} if matrix_mautrix_twitter_login_shared_secret else {} }}" + +matrix_mautrix_twitter_appservice_bot_username: twitterbot + +# Default configuration template which covers the generic use case. +# You can customize it by controlling the various variables inside it. +# +# For a more advanced customization, you can extend the default (see `matrix_mautrix_twitter_configuration_extension_yaml`) +# or completely replace this variable with your own template. +matrix_mautrix_twitter_configuration_yaml: "{{ lookup('template', 'templates/config.yaml.j2') }}" + +matrix_mautrix_twitter_configuration_extension_yaml: | + # Your custom YAML configuration goes here. + # This configuration extends the default starting configuration (`matrix_mautrix_twitter_configuration_yaml`). + # + # You can override individual variables from the default configuration, or introduce new ones. + # + # If you need something more special, you can take full control by + # completely redefining `matrix_mautrix_twitter_configuration_yaml`. + +matrix_mautrix_twitter_configuration_extension: "{{ matrix_mautrix_twitter_configuration_extension_yaml|from_yaml if matrix_mautrix_twitter_configuration_extension_yaml|from_yaml is mapping else {} }}" + +# Holds the final configuration (a combination of the default and its extension). +# You most likely don't need to touch this variable. Instead, see `matrix_mautrix_twitter_configuration_yaml`. +matrix_mautrix_twitter_configuration: "{{ matrix_mautrix_twitter_configuration_yaml|from_yaml|combine(matrix_mautrix_twitter_configuration_extension, recursive=True) }}" + +matrix_mautrix_twitter_registration_yaml: | + id: twitter + as_token: "{{ matrix_mautrix_twitter_appservice_token }}" + hs_token: "{{ matrix_mautrix_twitter_homeserver_token }}" + namespaces: + users: + - exclusive: true + regex: '^@twitter_.+:{{ matrix_mautrix_twitter_homeserver_domain|regex_escape }}$' + - exclusive: true + regex: '^@{{ matrix_mautrix_twitter_appservice_bot_username|regex_escape }}:{{ matrix_mautrix_twitter_homeserver_domain|regex_escape }}$' + url: {{ matrix_mautrix_twitter_appservice_address }} + # See https://github.com/tulir/mautrix-signal/issues/43 + sender_localpart: _bot_{{ matrix_mautrix_twitter_appservice_bot_username }} + rate_limited: false + de.sorunome.msc2409.push_ephemeral: true + +matrix_mautrix_twitter_registration: "{{ matrix_mautrix_twitter_registration_yaml|from_yaml }}" diff --git a/roles/matrix-bridge-mautrix-twitter/tasks/init.yml b/roles/matrix-bridge-mautrix-twitter/tasks/init.yml new file mode 100644 index 00000000..4f8df9e0 --- /dev/null +++ b/roles/matrix-bridge-mautrix-twitter/tasks/init.yml @@ -0,0 +1,23 @@ +- set_fact: + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mautrix-twitter.service'] }}" + when: matrix_mautrix_twitter_enabled|bool + +# If the matrix-synapse role is not used, these variables may not exist. +- set_fact: + matrix_synapse_container_extra_arguments: > + {{ matrix_synapse_container_extra_arguments|default([]) }} + + + ["--mount type=bind,src={{ matrix_mautrix_twitter_config_path }}/registration.yaml,dst=/matrix-mautrix-twitter-registration.yaml,ro"] + + matrix_synapse_app_service_config_files: > + {{ matrix_synapse_app_service_config_files|default([]) }} + + + {{ ["/matrix-mautrix-twitter-registration.yaml"] }} + when: matrix_mautrix_twitter_enabled|bool + +# ansible lower than 2.8, does not support docker_image build parameters +# for self buildig it is explicitly needed, so we rather fail here +- name: Fail if running on Ansible lower than 2.8 and trying self building + fail: + msg: "To self build Mautrix Twitter image, you should usa ansible 2.8 or higher. E.g. pip contains such packages." + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mautrix_twitter_container_image_self_build" diff --git a/roles/matrix-bridge-mautrix-twitter/tasks/main.yml b/roles/matrix-bridge-mautrix-twitter/tasks/main.yml new file mode 100644 index 00000000..60eea099 --- /dev/null +++ b/roles/matrix-bridge-mautrix-twitter/tasks/main.yml @@ -0,0 +1,21 @@ +- import_tasks: "{{ role_path }}/tasks/init.yml" + tags: + - always + +- import_tasks: "{{ role_path }}/tasks/validate_config.yml" + when: "run_setup|bool and matrix_mautrix_twitter_enabled|bool" + tags: + - setup-all + - setup-mautrix-twitter + +- import_tasks: "{{ role_path }}/tasks/setup_install.yml" + when: "run_setup|bool and matrix_mautrix_twitter_enabled|bool" + tags: + - setup-all + - setup-mautrix-twitter + +- import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" + when: "run_setup|bool and not matrix_mautrix_twitter_enabled|bool" + tags: + - setup-all + - setup-mautrix-twitter diff --git a/roles/matrix-bridge-mautrix-twitter/tasks/setup_install.yml b/roles/matrix-bridge-mautrix-twitter/tasks/setup_install.yml new file mode 100644 index 00000000..c27eeccd --- /dev/null +++ b/roles/matrix-bridge-mautrix-twitter/tasks/setup_install.yml @@ -0,0 +1,88 @@ +--- + +# If the matrix-synapse role is not used, `matrix_synapse_role_executed` won't exist. +# We don't want to fail in such cases. +- name: Fail if matrix-synapse role already executed + fail: + msg: >- + The matrix-bridge-mautrix-twitter role needs to execute before the matrix-synapse role. + when: "matrix_synapse_role_executed|default(False)" + +- set_fact: + matrix_mautrix_twitter_requires_restart: false + +- name: Ensure Mautrix Twitter image is pulled + docker_image: + name: "{{ matrix_mautrix_twitter_docker_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_mautrix_twitter_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mautrix_twitter_docker_image_force_pull }}" + when: matrix_mautrix_twitter_enabled|bool and not matrix_mautrix_twitter_container_image_self_build + +- name: Ensure Mautrix Twitter paths exist + file: + path: "{{ item.path }}" + state: directory + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: + - { path: "{{ matrix_mautrix_twitter_base_path }}", when: true } + - { path: "{{ matrix_mautrix_twitter_config_path }}", when: true } + - { path: "{{ matrix_mautrix_twitter_data_path }}", when: true } + - { path: "{{ matrix_mautrix_twitter_docker_src_files_path }}", when: "{{ matrix_mautrix_twitter_container_image_self_build }}" } + when: item.when|bool + +- name: Ensure Mautrix Twitter repository is present on self-build + git: + repo: "{{ matrix_mautrix_twitter_container_image_self_build_repo }}" + dest: "{{ matrix_mautrix_twitter_docker_src_files_path }}" +# version: "{{ matrix_coturn_docker_image.split(':')[1] }}" + force: "yes" + register: matrix_mautrix_twitter_git_pull_results + when: "matrix_mautrix_twitter_enabled|bool and matrix_mautrix_twitter_container_image_self_build" + +- name: Ensure Mautrix Twitter Docker image is built + docker_image: + name: "{{ matrix_mautrix_twitter_docker_image }}" + source: build + force_source: "{{ matrix_mautrix_twitter_git_pull_results.changed }}" + build: + dockerfile: Dockerfile + path: "{{ matrix_mautrix_twitter_docker_src_files_path }}" + pull: yes + when: "matrix_mautrix_twitter_enabled|bool and matrix_mautrix_twitter_container_image_self_build|bool" + +- name: Ensure mautrix-twitter config.yaml installed + copy: + content: "{{ matrix_mautrix_twitter_configuration|to_nice_yaml }}" + dest: "{{ matrix_mautrix_twitter_config_path }}/config.yaml" + mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + +- name: Ensure mautrix-twitter registration.yaml installed + copy: + content: "{{ matrix_mautrix_twitter_registration|to_nice_yaml }}" + dest: "{{ matrix_mautrix_twitter_config_path }}/registration.yaml" + mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + +- name: Ensure matrix-mautrix-twitter.service installed + template: + src: "{{ role_path }}/templates/systemd/matrix-mautrix-twitter.service.j2" + dest: "{{ matrix_systemd_path }}/matrix-mautrix-twitter.service" + mode: 0644 + register: matrix_mautrix_twitter_systemd_service_result + +- name: Ensure systemd reloaded after matrix-mautrix-twitter.service installation + service: + daemon_reload: yes + when: "matrix_mautrix_twitter_systemd_service_result.changed" + +- name: Ensure matrix-mautrix-twitter.service restarted, if necessary + service: + name: "matrix-mautrix-twitter.service" + state: restarted + when: "matrix_mautrix_twitter_requires_restart|bool" diff --git a/roles/matrix-bridge-mautrix-twitter/tasks/setup_uninstall.yml b/roles/matrix-bridge-mautrix-twitter/tasks/setup_uninstall.yml new file mode 100644 index 00000000..28819726 --- /dev/null +++ b/roles/matrix-bridge-mautrix-twitter/tasks/setup_uninstall.yml @@ -0,0 +1,24 @@ +--- + +- name: Check existence of matrix-mautrix-twitter service + stat: + path: "{{ matrix_systemd_path }}/matrix-mautrix-twitter.service" + register: matrix_mautrix_twitter_service_stat + +- name: Ensure matrix-mautrix-twitter is stopped + service: + name: matrix-mautrix-twitter + state: stopped + daemon_reload: yes + when: "matrix_mautrix_twitter_service_stat.stat.exists" + +- name: Ensure matrix-mautrix-twitter.service doesn't exist + file: + path: "{{ matrix_systemd_path }}/matrix-mautrix-twitter.service" + state: absent + when: "matrix_mautrix_twitter_service_stat.stat.exists" + +- name: Ensure systemd reloaded after matrix-mautrix-twitter.service removal + service: + daemon_reload: yes + when: "matrix_mautrix_twitter_service_stat.stat.exists" diff --git a/roles/matrix-bridge-mautrix-twitter/tasks/validate_config.yml b/roles/matrix-bridge-mautrix-twitter/tasks/validate_config.yml new file mode 100644 index 00000000..114fd2cf --- /dev/null +++ b/roles/matrix-bridge-mautrix-twitter/tasks/validate_config.yml @@ -0,0 +1,18 @@ +--- + +- name: Fail if required settings not defined + fail: + msg: >- + You need to define a required configuration setting (`{{ item }}`). + when: "vars[item] == ''" + with_items: + - "matrix_mautrix_twitter_appservice_token" + - "matrix_mautrix_twitter_homeserver_token" + +- name: Fail if database is not defined + fail: + msg: >- + You need to define a need to set `matrix_mautrix_twitter_database_engine: postgres` and redefine the other `matrix_mautrix_twitter_database_*` variables + when: "vars[item] == ''" + with_items: + - "matrix_mautrix_twitter_database_engine" diff --git a/roles/matrix-bridge-mautrix-twitter/templates/config.yaml.j2 b/roles/matrix-bridge-mautrix-twitter/templates/config.yaml.j2 new file mode 100644 index 00000000..9bfa3123 --- /dev/null +++ b/roles/matrix-bridge-mautrix-twitter/templates/config.yaml.j2 @@ -0,0 +1,209 @@ +#jinja2: lstrip_blocks: "True" +# Homeserver details +homeserver: + # The address that this appservice can use to connect to the homeserver. + address: {{ matrix_mautrix_twitter_homeserver_address }} + # The domain of the homeserver (for MXIDs, etc). + domain: {{ matrix_mautrix_twitter_homeserver_domain }} + # Whether or not to verify the SSL certificate of the homeserver. + # Only applies if address starts with https:// + verify_ssl: true + asmux: false + +# Application service host/registration related details +# Changing these values requires regeneration of the registration. +appservice: + # The address that the homeserver can use to connect to this appservice. + address: {{ matrix_mautrix_twitter_appservice_address }} + # When using https:// the TLS certificate and key files for the address. + tls_cert: false + tls_key: false + + # The hostname and port where this appservice should listen. + hostname: 0.0.0.0 + port: 29327 + # The maximum body size of appservice API requests (from the homeserver) in mebibytes + # Usually 1 is enough, but on high-traffic bridges you might need to increase this to avoid 413s + max_body_size: 1 + + # The full URI to the database. Only Postgres is currently supported. + database: {{ matrix_mautrix_twitter_appservice_database|to_json }} + # Additional arguments for asyncpg.create_pool() + # https://magicstack.github.io/asyncpg/current/api/index.html#asyncpg.pool.create_pool + database_opts: + min_size: 5 + max_size: 10 + + # Provisioning API part of the web server for automated portal creation and fetching information. + # Used by things like mautrix-manager (https://github.com/tulir/mautrix-manager). + provisioning: + # Whether or not the provisioning API should be enabled. + enabled: true + # The prefix to use in the provisioning API endpoints. + prefix: /_matrix/provision/v1 + # The shared secret to authorize users of the API. + # Set to "generate" to generate and save a new token. + shared_secret: generate + + # The unique ID of this appservice. + id: twitter + # Username of the appservice bot. + bot_username: {{ matrix_mautrix_twitter_appservice_bot_username|to_json }} + # Display name and avatar for bot. Set to "remove" to remove display name/avatar, leave empty + # to leave display name/avatar as-is. + bot_displayname: Twitter bridge bot + bot_avatar: mxc://maunium.net/HVHcnusJkQcpVcsVGZRELLCn + + # Community ID for bridged users (changes registration file) and rooms. + # Must be created manually. + # + # Example: "+twitter:example.com". Set to false to disable. + community_id: false + + # Whether or not to receive ephemeral events via appservice transactions. + # Requires MSC2409 support (i.e. Synapse 1.22+). + # You should disable bridge -> sync_with_custom_puppets when this is enabled. + ephemeral_events: false + + # Authentication tokens for AS <-> HS communication. Autogenerated; do not modify. + as_token: "{{ matrix_mautrix_twitter_appservice_token }}" + hs_token: "{{ matrix_mautrix_twitter_homeserver_token }}" + +# Prometheus telemetry config. Requires prometheus-client to be installed. +metrics: + enabled: false + listen_port: 8000 + +# Bridge config +bridge: + # Localpart template of MXIDs for Twitter users. + # {userid} is replaced with the user ID of the Twitter user. + username_template: "twitter_{userid}" + # Displayname template for Twitter users. + # {displayname} is replaced with the display name of the Twitter user. + # {username} is replaced with the username of the Twitter user. + displayname_template: "{displayname} (Twitter)" + + # Maximum length of displayname + displayname_max_length: 100 + + # Number of conversations to sync (and create portals for) on login. + # Set 0 to disable automatic syncing. + initial_conversation_sync: 10 + # Whether or not to use /sync to get read receipts and typing notifications + # when double puppeting is enabled + sync_with_custom_puppets: true + # Whether or not to update the m.direct account data event when double puppeting is enabled. + # Note that updating the m.direct event is not atomic (except with mautrix-asmux) + # and is therefore prone to race conditions. + sync_direct_chat_list: false + # Allow using double puppeting from any server with a valid client .well-known file. + double_puppet_allow_discovery: false + # Servers to allow double puppeting from, even if double_puppet_allow_discovery is false. + double_puppet_server_map: {} + # Shared secret for https://github.com/devture/matrix-synapse-shared-secret-auth + # + # If set, custom puppets will be enabled automatically for local users + # instead of users having to find an access token and run `login-matrix` + # manually. + # If using this for other servers than the bridge's server, + # you must also set the URL in the double_puppet_server_map. + login_shared_secret_map: {{ matrix_mautrix_twitter_bridge_login_shared_secret_map|to_json }} + # Whether or not created rooms should have federation enabled. + # If false, created portal rooms will never be federated. + federate_rooms: true + # Settings for backfilling messages from Twitter. + # + # Missed message backfilling is currently based on receiving them from the Twitter polling API, + # rather than manually asking for messages in each conversation. Due to this, there's no way to + # set a limit for missed message backfilling. + backfill: + # Whether or not the Twitter users of logged in Matrix users should be + # invited to private chats when backfilling history from Twitter. This is + # usually needed to prevent rate limits and to allow timestamp massaging. + invite_own_puppet: true + # Maximum number of messages to backfill initially. + # Set to 0 to disable backfilling when creating portal. + initial_limit: 0 + # If using double puppeting, should notifications be disabled + # while the initial backfill is in progress? + disable_notifications: true + # End-to-bridge encryption support options. You must install the e2be optional dependency for + # this to work. See https://github.com/tulir/mautrix-telegram/wiki/End‐to‐bridge-encryption + encryption: + # Allow encryption, work in group chat rooms with e2ee enabled + allow: false + # Default to encryption, force-enable encryption in all portals the bridge creates + # This will cause the bridge bot to be in private chats for the encryption to work properly. + default: false + # Options for automatic key sharing. + key_sharing: + # Enable key sharing? If enabled, key requests for rooms where users are in will be fulfilled. + # You must use a client that supports requesting keys from other users to use this feature. + allow: false + # Require the requesting device to have a valid cross-signing signature? + # This doesn't require that the bridge has verified the device, only that the user has verified it. + # Not yet implemented. + require_cross_signing: false + # Require devices to be verified by the bridge? + # Verification by the bridge is not yet implemented. + require_verification: true + # Whether or not to explicitly set the avatar and room name for private + # chat portal rooms. This will be implicitly enabled if encryption.default is true. + private_chat_portal_meta: false + # Whether or not the bridge should send a read receipt from the bridge bot when a message has + # been sent to Twitter. + delivery_receipts: false + # Whether or not delivery errors should be reported as messages in the Matrix room. + delivery_error_reports: false + # Whether or not non-fatal polling errors should send notices to the notice room. + temporary_disconnect_notices: true + # Number of seconds to sleep more than the previous error when a polling error occurs. + # Growth is capped at 15 minutes. + error_sleep: 5 + # Maximum number of polling errors before giving up. Set to -1 to retry forever. + max_poll_errors: 12 + # Set this to true to tell the bridge to re-send m.bridge events to all rooms on the next run. + # This field will automatically be changed back to false after it, + # except if the config file is not writable. + resend_bridge_info: false + + # The prefix for commands. Only required in non-management rooms. + command_prefix: "!tw" + + # Permissions for using the bridge. + # Permitted values: + # user - Use the bridge with puppeting. + # admin - Use and administrate the bridge. + # Permitted keys: + # * - All Matrix users + # domain - All users on that homeserver + # mxid - Specific user + permissions: + '{{ matrix_mautrix_twitter_homeserver_domain }}': user + + +# Python logging configuration. +# +# See section 16.7.2 of the Python documentation for more info: +# https://docs.python.org/3.6/library/logging.config.html#configuration-dictionary-schema +logging: + version: 1 + formatters: + colored: + (): mautrix_twitter.util.ColorFormatter + format: "[%(asctime)s] [%(levelname)s@%(name)s] %(message)s" + normal: + format: "[%(asctime)s] [%(levelname)s@%(name)s] %(message)s" + handlers: + console: + class: logging.StreamHandler + formatter: colored + loggers: + mau: + level: DEBUG + aiohttp: + level: INFO + root: + level: DEBUG + handlers: [console] diff --git a/roles/matrix-bridge-mautrix-twitter/templates/systemd/matrix-mautrix-twitter.service.j2 b/roles/matrix-bridge-mautrix-twitter/templates/systemd/matrix-mautrix-twitter.service.j2 new file mode 100644 index 00000000..55509b85 --- /dev/null +++ b/roles/matrix-bridge-mautrix-twitter/templates/systemd/matrix-mautrix-twitter.service.j2 @@ -0,0 +1,42 @@ +#jinja2: lstrip_blocks: "True" +[Unit] +Description=Matrix Mautrix Twitter bridge +{% for service in matrix_mautrix_twitter_systemd_required_services_list %} +Requires={{ service }} +After={{ service }} +{% endfor %} +{% for service in matrix_mautrix_twitter_systemd_wanted_services_list %} +Wants={{ service }} +{% endfor %} +DefaultDependencies=no + +[Service] +Type=simple +Environment="HOME={{ matrix_systemd_unit_home_path }}" +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mautrix-twitter 2>/dev/null' +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mautrix-twitter 2>/dev/null' + +# Intentional delay, so that the homeserver (we likely depend on) can manage to start. +ExecStartPre={{ matrix_host_command_sleep }} 5 + +ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-mautrix-twitter \ + --log-driver=none \ + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + --cap-drop=ALL \ + --network={{ matrix_docker_network }} \ + -v {{ matrix_mautrix_twitter_config_path }}:/config:z \ + -v {{ matrix_mautrix_twitter_data_path }}:/data:z \ + {% for arg in matrix_mautrix_twitter_container_extra_arguments %} + {{ arg }} \ + {% endfor %} + {{ matrix_mautrix_twitter_docker_image }} \ + python3 -m mautrix_twitter -c /config/config.yaml --no-update + +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mautrix-twitter 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mautrix-twitter 2>/dev/null' +Restart=always +RestartSec=30 +SyslogIdentifier=matrix-mautrix-twitter + +[Install] +WantedBy=multi-user.target diff --git a/roles/matrix-bridge-mautrix-whatsapp/defaults/main.yml b/roles/matrix-bridge-mautrix-whatsapp/defaults/main.yml index 3d630fcf..aaa1f04a 100644 --- a/roles/matrix-bridge-mautrix-whatsapp/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-whatsapp/defaults/main.yml @@ -7,7 +7,7 @@ matrix_mautrix_whatsapp_container_image_self_build: false matrix_mautrix_whatsapp_container_image_self_build_repo: "https://mau.dev/mautrix/whatsapp.git" matrix_mautrix_whatsapp_container_image_self_build_branch: "{{ 'master' if matrix_mautrix_whatsapp_version == 'latest' else matrix_mautrix_whatsapp_version }}" -matrix_mautrix_whatsapp_version: latest +matrix_mautrix_whatsapp_version: v0.2.3 # See: https://mau.dev/mautrix/whatsapp/container_registry matrix_mautrix_whatsapp_docker_image: "{{ matrix_mautrix_whatsapp_docker_image_name_prefix }}mautrix/whatsapp:{{ matrix_mautrix_whatsapp_version }}" matrix_mautrix_whatsapp_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_whatsapp_container_image_self_build else 'dock.mau.dev/' }}" @@ -42,7 +42,7 @@ matrix_mautrix_whatsapp_appservice_bot_username: whatsappbot # # To use Postgres: # - change the engine (`matrix_mautrix_whatsapp_database_engine: 'postgres'`) -# - adjust your database credentials via the `matrix_mautrix_whatsapp_postgres_*` variables +# - adjust your database credentials via the `matrix_mautrix_whatsapp_database_*` variables matrix_mautrix_whatsapp_database_engine: 'sqlite' matrix_mautrix_whatsapp_sqlite_database_path_local: "{{ matrix_mautrix_whatsapp_data_path }}/mautrix-whatsapp.db" diff --git a/roles/matrix-bridge-mautrix-whatsapp/templates/systemd/matrix-mautrix-whatsapp.service.j2 b/roles/matrix-bridge-mautrix-whatsapp/templates/systemd/matrix-mautrix-whatsapp.service.j2 index 4a492492..77daa825 100644 --- a/roles/matrix-bridge-mautrix-whatsapp/templates/systemd/matrix-mautrix-whatsapp.service.j2 +++ b/roles/matrix-bridge-mautrix-whatsapp/templates/systemd/matrix-mautrix-whatsapp.service.j2 @@ -33,8 +33,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-mautrix-whatsa {{ matrix_mautrix_whatsapp_docker_image }} \ /usr/bin/mautrix-whatsapp -c /config/config.yaml -r /config/registration.yaml -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mautrix-whatsapp 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mautrix-whatsapp 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mautrix-whatsapp 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mautrix-whatsapp 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-mautrix-whatsapp diff --git a/roles/matrix-bridge-mx-puppet-discord/defaults/main.yml b/roles/matrix-bridge-mx-puppet-discord/defaults/main.yml index e947b9fe..cdf5c738 100644 --- a/roles/matrix-bridge-mx-puppet-discord/defaults/main.yml +++ b/roles/matrix-bridge-mx-puppet-discord/defaults/main.yml @@ -27,6 +27,8 @@ matrix_mx_puppet_discord_homeserver_address: "{{ matrix_homeserver_container_url matrix_mx_puppet_discord_homeserver_domain: '{{ matrix_domain }}' matrix_mx_puppet_discord_appservice_address: 'http://matrix-mx-puppet-discord:{{ matrix_mx_puppet_discord_appservice_port }}' +matrix_mx_puppet_discord_bridge_mediaUrl: "https://{{ matrix_server_fqn_matrix }}" + # "@user:server.com" to allow specific user # "@.*:yourserver.com" to allow users on a specific homeserver # "@.*" to allow anyone diff --git a/roles/matrix-bridge-mx-puppet-discord/templates/config.yaml.j2 b/roles/matrix-bridge-mx-puppet-discord/templates/config.yaml.j2 index 7c23fc61..555db8e3 100644 --- a/roles/matrix-bridge-mx-puppet-discord/templates/config.yaml.j2 +++ b/roles/matrix-bridge-mx-puppet-discord/templates/config.yaml.j2 @@ -9,17 +9,25 @@ bridge: domain: {{ matrix_mx_puppet_discord_homeserver_domain }} # Reachable URL of the Matrix homeserver homeserverUrl: {{ matrix_mx_puppet_discord_homeserver_address }} + # Optionally specify a different media URL used for the media store + # + # This is where Discord will download user profile pictures and media + # from + mediaUrl: {{ matrix_mx_puppet_discord_bridge_mediaUrl }} {% if matrix_mx_puppet_discord_login_shared_secret != '' %} loginSharedSecretMap: {{ matrix_domain }}: {{ matrix_mx_puppet_discord_login_shared_secret }} {% endif %} # Display name of the bridge bot displayname: Discord Puppet Bridge + + ##### this block is from my old config i hacked to work; trying it commented out, maybe they fixed it # Optionally specify a different media URL used for the media store # # This is where Discord will download user profile pictures and media # from - mediaUrl: {{ matrix_mx_puppet_discord_mediaurl }} + # mediaUrl: {{ matrix_mx_puppet_discord_mediaurl }} + # ########### end block presence: # Bridge Discord online/offline status diff --git a/roles/matrix-bridge-mx-puppet-discord/templates/systemd/matrix-mx-puppet-discord.service.j2 b/roles/matrix-bridge-mx-puppet-discord/templates/systemd/matrix-mx-puppet-discord.service.j2 index 6ffb87cd..58b01e20 100644 --- a/roles/matrix-bridge-mx-puppet-discord/templates/systemd/matrix-mx-puppet-discord.service.j2 +++ b/roles/matrix-bridge-mx-puppet-discord/templates/systemd/matrix-mx-puppet-discord.service.j2 @@ -33,8 +33,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-mx-puppet-disc {% endfor %} {{ matrix_mx_puppet_discord_docker_image }} -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mx-puppet-discord 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mx-puppet-discord 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mx-puppet-discord 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mx-puppet-discord 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-mx-puppet-discord diff --git a/roles/matrix-bridge-mx-puppet-groupme/templates/systemd/matrix-mx-puppet-groupme.service.j2 b/roles/matrix-bridge-mx-puppet-groupme/templates/systemd/matrix-mx-puppet-groupme.service.j2 index dabafd18..7e008aeb 100644 --- a/roles/matrix-bridge-mx-puppet-groupme/templates/systemd/matrix-mx-puppet-groupme.service.j2 +++ b/roles/matrix-bridge-mx-puppet-groupme/templates/systemd/matrix-mx-puppet-groupme.service.j2 @@ -33,8 +33,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-mx-puppet-grou {% endfor %} {{ matrix_mx_puppet_groupme_docker_image }} -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mx-puppet-groupme 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mx-puppet-groupme 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mx-puppet-groupme 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mx-puppet-groupme 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-mx-puppet-groupme diff --git a/roles/matrix-bridge-mx-puppet-instagram/templates/systemd/matrix-mx-puppet-instagram.service.j2 b/roles/matrix-bridge-mx-puppet-instagram/templates/systemd/matrix-mx-puppet-instagram.service.j2 index 965bb41c..b2921a4f 100644 --- a/roles/matrix-bridge-mx-puppet-instagram/templates/systemd/matrix-mx-puppet-instagram.service.j2 +++ b/roles/matrix-bridge-mx-puppet-instagram/templates/systemd/matrix-mx-puppet-instagram.service.j2 @@ -33,8 +33,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-mx-puppet-inst {% endfor %} {{ matrix_mx_puppet_instagram_docker_image }} -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mx-puppet-instagram 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mx-puppet-instagram 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mx-puppet-instagram 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mx-puppet-instagram 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-mx-puppet-instagram diff --git a/roles/matrix-bridge-mx-puppet-skype/templates/systemd/matrix-mx-puppet-skype.service.j2 b/roles/matrix-bridge-mx-puppet-skype/templates/systemd/matrix-mx-puppet-skype.service.j2 index 9a7986e4..4c604bb7 100644 --- a/roles/matrix-bridge-mx-puppet-skype/templates/systemd/matrix-mx-puppet-skype.service.j2 +++ b/roles/matrix-bridge-mx-puppet-skype/templates/systemd/matrix-mx-puppet-skype.service.j2 @@ -33,8 +33,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-mx-puppet-skyp {% endfor %} {{ matrix_mx_puppet_skype_docker_image }} -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mx-puppet-skype 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mx-puppet-skype 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mx-puppet-skype 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mx-puppet-skype 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-mx-puppet-skype diff --git a/roles/matrix-bridge-mx-puppet-slack/tasks/init.yml b/roles/matrix-bridge-mx-puppet-slack/tasks/init.yml index f484c687..74ec0350 100644 --- a/roles/matrix-bridge-mx-puppet-slack/tasks/init.yml +++ b/roles/matrix-bridge-mx-puppet-slack/tasks/init.yml @@ -28,7 +28,7 @@ msg: >- Trying to append Slack Appservice's reverse-proxying configuration to matrix-nginx-proxy, but it's pointless since the matrix-nginx-proxy role had already executed. - To fix this, please change the order of roles in your plabook, + To fix this, please change the order of roles in your playbook, so that the matrix-nginx-proxy role would run after the matrix-mx-puppet-slack role. when: matrix_nginx_proxy_role_executed|default(False)|bool diff --git a/roles/matrix-bridge-mx-puppet-slack/templates/systemd/matrix-mx-puppet-slack.service.j2 b/roles/matrix-bridge-mx-puppet-slack/templates/systemd/matrix-mx-puppet-slack.service.j2 index 973771b3..f130c095 100644 --- a/roles/matrix-bridge-mx-puppet-slack/templates/systemd/matrix-mx-puppet-slack.service.j2 +++ b/roles/matrix-bridge-mx-puppet-slack/templates/systemd/matrix-mx-puppet-slack.service.j2 @@ -36,8 +36,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-mx-puppet-slac {% endfor %} {{ matrix_mx_puppet_slack_docker_image }} -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mx-puppet-slack 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mx-puppet-slack 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mx-puppet-slack 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mx-puppet-slack 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-mx-puppet-slack diff --git a/roles/matrix-bridge-mx-puppet-steam/templates/systemd/matrix-mx-puppet-steam.service.j2 b/roles/matrix-bridge-mx-puppet-steam/templates/systemd/matrix-mx-puppet-steam.service.j2 index 0772872b..c736b7ca 100644 --- a/roles/matrix-bridge-mx-puppet-steam/templates/systemd/matrix-mx-puppet-steam.service.j2 +++ b/roles/matrix-bridge-mx-puppet-steam/templates/systemd/matrix-mx-puppet-steam.service.j2 @@ -33,8 +33,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-mx-puppet-stea {% endfor %} {{ matrix_mx_puppet_steam_docker_image }} -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mx-puppet-steam 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mx-puppet-steam 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mx-puppet-steam 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mx-puppet-steam 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-mx-puppet-steam diff --git a/roles/matrix-bridge-mx-puppet-twitter/tasks/init.yml b/roles/matrix-bridge-mx-puppet-twitter/tasks/init.yml index 06cf83fa..2054d23c 100644 --- a/roles/matrix-bridge-mx-puppet-twitter/tasks/init.yml +++ b/roles/matrix-bridge-mx-puppet-twitter/tasks/init.yml @@ -28,7 +28,7 @@ msg: >- Trying to append Twitter Appservice's reverse-proxying configuration to matrix-nginx-proxy, but it's pointless since the matrix-nginx-proxy role had already executed. - To fix this, please change the order of roles in your plabook, + To fix this, please change the order of roles in your playbook, so that the matrix-nginx-proxy role would run after the matrix-mx-puppet-twitter role. when: matrix_nginx_proxy_role_executed|default(False)|bool diff --git a/roles/matrix-bridge-mx-puppet-twitter/templates/systemd/matrix-mx-puppet-twitter.service.j2 b/roles/matrix-bridge-mx-puppet-twitter/templates/systemd/matrix-mx-puppet-twitter.service.j2 index 7e1b1c32..efa3e4e3 100644 --- a/roles/matrix-bridge-mx-puppet-twitter/templates/systemd/matrix-mx-puppet-twitter.service.j2 +++ b/roles/matrix-bridge-mx-puppet-twitter/templates/systemd/matrix-mx-puppet-twitter.service.j2 @@ -36,8 +36,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-mx-puppet-twit {% endfor %} {{ matrix_mx_puppet_twitter_docker_image }} -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mx-puppet-twitter 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mx-puppet-twitter 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mx-puppet-twitter 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mx-puppet-twitter 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-mx-puppet-twitter diff --git a/roles/matrix-bridge-sms/templates/systemd/matrix-sms-bridge.service.j2 b/roles/matrix-bridge-sms/templates/systemd/matrix-sms-bridge.service.j2 index 46c3463f..404b5aab 100644 --- a/roles/matrix-bridge-sms/templates/systemd/matrix-sms-bridge.service.j2 +++ b/roles/matrix-bridge-sms/templates/systemd/matrix-sms-bridge.service.j2 @@ -35,8 +35,8 @@ ExecStart=/usr/bin/docker run --rm --name matrix-sms-bridge \ {% endfor %} {{ matrix_sms_bridge_docker_image }} -ExecStop=-/usr/bin/docker kill matrix-sms-bridge -ExecStop=-/usr/bin/docker rm matrix-sms-bridge +ExecStopPost=-/usr/bin/docker kill matrix-sms-bridge +ExecStopPost=-/usr/bin/docker rm matrix-sms-bridge Restart=always RestartSec=30 SyslogIdentifier=matrix-sms-bridge diff --git a/roles/matrix-client-cinny/defaults/main.yml b/roles/matrix-client-cinny/defaults/main.yml new file mode 100644 index 00000000..21ce09d4 --- /dev/null +++ b/roles/matrix-client-cinny/defaults/main.yml @@ -0,0 +1,54 @@ +matrix_client_cinny_enabled: true + +matrix_client_cinny_container_image_self_build: false +matrix_client_cinny_container_image_self_build_repo: "https://github.com/ajbura/cinny.git" + +matrix_client_cinny_version: v1.6.1 +matrix_client_cinny_docker_image: "{{ matrix_client_cinny_docker_image_name_prefix }}ajbura/cinny:{{ matrix_client_cinny_version }}" +matrix_client_cinny_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_cinny_container_image_self_build else matrix_container_global_registry_prefix }}" +matrix_client_cinny_docker_image_force_pull: "{{ matrix_client_cinny_docker_image.endswith(':latest') }}" + +matrix_client_cinny_data_path: "{{ matrix_base_data_path }}/client-cinny" +matrix_client_cinny_docker_src_files_path: "{{ matrix_client_cinny_data_path }}/docker-src" + +# Controls whether the container exposes its HTTP port (tcp/8080 in the container). +# +# Takes an ":" or "" value (e.g. "127.0.0.1:8768"), or empty string to not expose. +matrix_client_cinny_container_http_host_bind_port: '' + +# A list of extra arguments to pass to the container +matrix_client_cinny_container_extra_arguments: [] + +# List of systemd services that matrix-client-cinny.service depends on +matrix_client_cinny_systemd_required_services_list: ['docker.service'] + +# Controls whether the self-check feature should validate SSL certificates. +matrix_client_cinny_self_check_validate_certificates: true + +# config.json +matrix_client_cinny_default_hs_url: "" + +# Default cinny configuration template which covers the generic use case. +# You can customize it by controlling the various variables inside it. +# +# For a more advanced customization, you can extend the default (see `matrix_client_cinny_configuration_extension_json`) +# or completely replace this variable with your own template. +# +# The side-effect of this lookup is that Ansible would even parse the JSON for us, returning a dict. +# This is unlike what it does when looking up YAML template files (no automatic parsing there). +matrix_client_cinny_configuration_default: "{{ lookup('template', 'templates/config.json.j2') }}" + +# Your custom JSON configuration for cinny should go to `matrix_client_cinny_configuration_extension_json`. +# This configuration extends the default starting configuration (`matrix_client_cinny_configuration_default`). +# +# You can override individual variables from the default configuration, or introduce new ones. +# +# If you need something more special, you can take full control by +# completely redefining `matrix_client_cinny_configuration_default`. +matrix_client_cinny_configuration_extension_json: '{}' + +matrix_client_cinny_configuration_extension: "{{ matrix_client_cinny_configuration_extension_json|from_json if matrix_client_cinny_configuration_extension_json|from_json is mapping else {} }}" + +# Holds the final cinny configuration (a combination of the default and its extension). +# You most likely don't need to touch this variable. Instead, see `matrix_client_cinny_configuration_default`. +matrix_client_cinny_configuration: "{{ matrix_client_cinny_configuration_default|combine(matrix_client_cinny_configuration_extension, recursive=True) }}" diff --git a/roles/matrix-client-cinny/tasks/init.yml b/roles/matrix-client-cinny/tasks/init.yml new file mode 100644 index 00000000..e6889e4d --- /dev/null +++ b/roles/matrix-client-cinny/tasks/init.yml @@ -0,0 +1,10 @@ +# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 +# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 +- name: Fail if trying to self-build on Ansible < 2.8 + fail: + msg: "To self-build the Cinny image, you should use Ansible 2.8 or higher. See docs/ansible.md" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_client_cinny_container_image_self_build and matrix_client_cinny_enabled" + +- set_fact: + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-client-cinny.service'] }}" + when: matrix_client_cinny_enabled|bool diff --git a/roles/matrix-client-cinny/tasks/main.yml b/roles/matrix-client-cinny/tasks/main.yml new file mode 100644 index 00000000..8a39c021 --- /dev/null +++ b/roles/matrix-client-cinny/tasks/main.yml @@ -0,0 +1,28 @@ +- import_tasks: "{{ role_path }}/tasks/init.yml" + tags: + - always + +- import_tasks: "{{ role_path }}/tasks/validate_config.yml" + when: "run_setup|bool and matrix_client_cinny_enabled|bool" + tags: + - setup-all + - setup-client-cinny + +- import_tasks: "{{ role_path }}/tasks/setup_install.yml" + when: "run_setup|bool and matrix_client_cinny_enabled|bool" + tags: + - setup-all + - setup-client-cinny + +- import_tasks: "{{ role_path }}/tasks/self_check.yml" + delegate_to: 127.0.0.1 + become: false + when: "run_self_check|bool and matrix_client_cinny_enabled|bool" + tags: + - self-check + +- import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" + when: "run_setup|bool and not matrix_client_cinny_enabled|bool" + tags: + - setup-all + - setup-client-cinny diff --git a/roles/matrix-client-cinny/tasks/self_check.yml b/roles/matrix-client-cinny/tasks/self_check.yml new file mode 100644 index 00000000..df1241a8 --- /dev/null +++ b/roles/matrix-client-cinny/tasks/self_check.yml @@ -0,0 +1,22 @@ +--- + +- set_fact: + matrix_client_cinny_url_endpoint_public: "https://{{ matrix_server_fqn_cinny }}/config.json" + +- name: Check Cinny + uri: + url: "{{ matrix_client_cinny_url_endpoint_public }}" + follow_redirects: none + validate_certs: "{{ matrix_client_cinny_self_check_validate_certificates }}" + register: matrix_client_cinny_self_check_result + check_mode: no + ignore_errors: true + +- name: Fail if Cinny not working + fail: + msg: "Failed checking Cinny is up at `{{ matrix_server_fqn_cinny }}` (checked endpoint: `{{ matrix_client_cinny_url_endpoint_public }}`). Is Cinny running? Is port 443 open in your firewall? Full error: {{ matrix_client_cinny_self_check_result }}" + when: "matrix_client_cinny_self_check_result.failed or 'json' not in matrix_client_cinny_self_check_result" + +- name: Report working Cinny + debug: + msg: "Cinny at `{{ matrix_server_fqn_cinny }}` is working (checked endpoint: `{{ matrix_client_cinny_url_endpoint_public }}`)" diff --git a/roles/matrix-client-cinny/tasks/setup_install.yml b/roles/matrix-client-cinny/tasks/setup_install.yml new file mode 100644 index 00000000..5d92f1d3 --- /dev/null +++ b/roles/matrix-client-cinny/tasks/setup_install.yml @@ -0,0 +1,71 @@ +--- +- name: Ensure Cinny paths exists + file: + path: "{{ item.path }}" + state: directory + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: + - { path: "{{ matrix_client_cinny_data_path }}", when: true } + - { path: "{{ matrix_client_cinny_docker_src_files_path }}", when: "{{ matrix_client_cinny_container_image_self_build }}" } + when: "item.when|bool" + +- name: Ensure Cinny Docker image is pulled + docker_image: + name: "{{ matrix_client_cinny_docker_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_client_cinny_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_client_cinny_docker_image_force_pull }}" + when: "not matrix_client_cinny_container_image_self_build|bool" + +- name: Ensure Cinny repository is present on self-build + git: + repo: "{{ matrix_client_cinny_container_image_self_build_repo }}" + dest: "{{ matrix_client_cinny_docker_src_files_path }}" + version: "{{ matrix_client_cinny_docker_image.split(':')[1] }}" + force: "yes" + register: matrix_client_cinny_git_pull_results + when: "matrix_client_cinny_container_image_self_build|bool" + +- name: Ensure Cinny configuration installed + copy: + content: "{{ matrix_client_cinny_configuration|to_nice_json }}" + dest: "{{ matrix_client_cinny_data_path }}/config.json" + mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + +- name: Ensure Cinny additional config files installed + template: + src: "{{ item.src }}" + dest: "{{ matrix_client_cinny_data_path }}/{{ item.name }}" + mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: + - {src: "{{ role_path }}/templates/nginx.conf.j2", name: "nginx.conf"} + when: "item.src is not none" + +- name: Ensure Cinny Docker image is built + docker_image: + name: "{{ matrix_client_cinny_docker_image }}" + source: build + force_source: "{{ matrix_client_cinny_git_pull_results.changed }}" + build: + dockerfile: Dockerfile + path: "{{ matrix_client_cinny_docker_src_files_path }}" + pull: yes + when: "matrix_client_cinny_container_image_self_build|bool" + +- name: Ensure matrix-client-cinny.service installed + template: + src: "{{ role_path }}/templates/systemd/matrix-client-cinny.service.j2" + dest: "{{ matrix_systemd_path }}/matrix-client-cinny.service" + mode: 0644 + register: matrix_client_cinny_systemd_service_result + +- name: Ensure systemd reloaded after matrix-client-cinny.service installation + service: + daemon_reload: yes + when: "matrix_client_cinny_systemd_service_result.changed|bool" diff --git a/roles/matrix-client-cinny/tasks/setup_uninstall.yml b/roles/matrix-client-cinny/tasks/setup_uninstall.yml new file mode 100644 index 00000000..2a3bffb5 --- /dev/null +++ b/roles/matrix-client-cinny/tasks/setup_uninstall.yml @@ -0,0 +1,35 @@ +--- +- name: Check existence of matrix-client-cinny.service + stat: + path: "{{ matrix_systemd_path }}/matrix-client-cinny.service" + register: matrix_client_cinny_service_stat + +- name: Ensure matrix-client-cinny is stopped + service: + name: matrix-client-cinny + state: stopped + enabled: no + daemon_reload: yes + register: stopping_result + when: "matrix_client_cinny_service_stat.stat.exists|bool" + +- name: Ensure matrix-client-cinny.service doesn't exist + file: + path: "{{ matrix_systemd_path }}/matrix-client-cinny.service" + state: absent + when: "matrix_client_cinny_service_stat.stat.exists|bool" + +- name: Ensure systemd reloaded after matrix-client-cinny.service removal + service: + daemon_reload: yes + when: "matrix_client_cinny_service_stat.stat.exists|bool" + +- name: Ensure Cinny paths doesn't exist + file: + path: "{{ matrix_client_cinny_data_path }}" + state: absent + +- name: Ensure Cinny Docker image doesn't exist + docker_image: + name: "{{ matrix_client_cinny_docker_image }}" + state: absent diff --git a/roles/matrix-client-cinny/tasks/validate_config.yml b/roles/matrix-client-cinny/tasks/validate_config.yml new file mode 100644 index 00000000..d8e804c5 --- /dev/null +++ b/roles/matrix-client-cinny/tasks/validate_config.yml @@ -0,0 +1,8 @@ +--- +- name: Fail if required Cinny settings not defined + fail: + msg: > + You need to define a required configuration setting (`{{ item }}`) to use Cinny. + when: "vars[item] == '' or vars[item] is none" + with_items: + - "matrix_client_cinny_default_hs_url" diff --git a/roles/matrix-client-cinny/templates/config.json.j2 b/roles/matrix-client-cinny/templates/config.json.j2 new file mode 100644 index 00000000..9731a372 --- /dev/null +++ b/roles/matrix-client-cinny/templates/config.json.j2 @@ -0,0 +1,6 @@ +{ + "defaultHomeserver": 0, + "homeserverList": [ + {{ matrix_client_cinny_default_hs_url|string|to_json }} + ] +} diff --git a/roles/matrix-client-cinny/templates/nginx.conf.j2 b/roles/matrix-client-cinny/templates/nginx.conf.j2 new file mode 100644 index 00000000..fba16bbd --- /dev/null +++ b/roles/matrix-client-cinny/templates/nginx.conf.j2 @@ -0,0 +1,66 @@ +#jinja2: lstrip_blocks: "True" +# This is a custom nginx configuration file that we use in the container (instead of the default one), +# because it allows us to run nginx with a non-root user. +# +# For this to work, the default vhost file (`/etc/nginx/conf.d/default.conf`) also needs to be removed. +# (mounting `/dev/null` over `/etc/nginx/conf.d/default.conf` works well) +# +# The following changes have been done compared to a default nginx configuration file: +# - default server port is changed (80 -> 8080), so that a non-root user can bind it +# - various temp paths are changed to `/tmp`, so that a non-root user can write to them +# - the `user` directive was removed, as we don't want nginx to switch users + +worker_processes 1; + +error_log /var/log/nginx/error.log warn; +pid /tmp/nginx.pid; + + +events { + worker_connections 1024; +} + + +http { + proxy_temp_path /tmp/proxy_temp; + client_body_temp_path /tmp/client_temp; + fastcgi_temp_path /tmp/fastcgi_temp; + uwsgi_temp_path /tmp/uwsgi_temp; + scgi_temp_path /tmp/scgi_temp; + + include /etc/nginx/mime.types; + default_type application/octet-stream; + + log_format main '$remote_addr - $remote_user [$time_local] "$request" ' + '$status $body_bytes_sent "$http_referer" ' + '"$http_user_agent" "$http_x_forwarded_for"'; + + access_log /var/log/nginx/access.log main; + + sendfile on; + #tcp_nopush on; + + keepalive_timeout 65; + + #gzip on; + + server { + listen 8080; + server_name localhost; + + root /usr/share/nginx/html; + + location / { + index index.html index.htm; + } + + location ~* ^/(config(.+)?\.json$|(.+)\.html$|i18n) { + expires -1; + } + + error_page 500 502 503 504 /50x.html; + location = /50x.html { + root /usr/share/nginx/html; + } + } +} diff --git a/roles/matrix-client-cinny/templates/systemd/matrix-client-cinny.service.j2 b/roles/matrix-client-cinny/templates/systemd/matrix-client-cinny.service.j2 new file mode 100644 index 00000000..aa5a0432 --- /dev/null +++ b/roles/matrix-client-cinny/templates/systemd/matrix-client-cinny.service.j2 @@ -0,0 +1,40 @@ +#jinja2: lstrip_blocks: "True" +[Unit] +Description=Matrix Cinny Client +{% for service in matrix_client_cinny_systemd_required_services_list %} +Requires={{ service }} +After={{ service }} +{% endfor %} +DefaultDependencies=no + +[Service] +Type=simple +Environment="HOME={{ matrix_systemd_unit_home_path }}" +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-client-cinny 2>/dev/null' +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-client-cinny 2>/dev/null' + +ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-client-cinny \ + --log-driver=none \ + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + --cap-drop=ALL \ + --read-only \ + --network={{ matrix_docker_network }} \ + {% if matrix_client_cinny_container_http_host_bind_port %} + -p {{ matrix_client_cinny_container_http_host_bind_port }}:8080 \ + {% endif %} + --tmpfs=/tmp:rw,noexec,nosuid,size=10m \ + --mount type=bind,src={{ matrix_client_cinny_data_path }}/nginx.conf,dst=/etc/nginx/nginx.conf,ro \ + --mount type=bind,src={{ matrix_client_cinny_data_path }}/config.json,dst=/app/config.json,ro \ + {% for arg in matrix_client_cinny_container_extra_arguments %} + {{ arg }} \ + {% endfor %} + {{ matrix_client_cinny_docker_image }} + +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-client-cinny 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-client-cinny 2>/dev/null' +Restart=always +RestartSec=30 +SyslogIdentifier=matrix-client-cinny + +[Install] +WantedBy=multi-user.target diff --git a/roles/matrix-client-element/defaults/main.yml b/roles/matrix-client-element/defaults/main.yml index b05f0d85..15f401dd 100644 --- a/roles/matrix-client-element/defaults/main.yml +++ b/roles/matrix-client-element/defaults/main.yml @@ -7,7 +7,7 @@ matrix_client_element_container_image_self_build_repo: "https://github.com/vecto # - https://github.com/vector-im/element-web/issues/19544 matrix_client_element_container_image_self_build_low_memory_system_patch_enabled: "{{ ansible_memtotal_mb < 4096 }}" -matrix_client_element_version: v1.9.5 +matrix_client_element_version: v1.9.9 matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:{{ matrix_client_element_version }}" matrix_client_element_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_client_element_docker_image_force_pull: "{{ matrix_client_element_docker_image.endswith(':latest') }}" diff --git a/roles/matrix-client-element/templates/systemd/matrix-client-element.service.j2 b/roles/matrix-client-element/templates/systemd/matrix-client-element.service.j2 index fe2a3a86..d4ad2b9e 100644 --- a/roles/matrix-client-element/templates/systemd/matrix-client-element.service.j2 +++ b/roles/matrix-client-element/templates/systemd/matrix-client-element.service.j2 @@ -35,8 +35,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-client-element {% endfor %} {{ matrix_client_element_docker_image }} -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-client-element 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-client-element 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-client-element 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-client-element 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-client-element diff --git a/roles/matrix-client-hydrogen/defaults/main.yml b/roles/matrix-client-hydrogen/defaults/main.yml index 3cfb2337..61db1ba2 100644 --- a/roles/matrix-client-hydrogen/defaults/main.yml +++ b/roles/matrix-client-hydrogen/defaults/main.yml @@ -5,9 +5,9 @@ matrix_client_hydrogen_enabled: true matrix_client_hydrogen_container_image_self_build: true matrix_client_hydrogen_container_image_self_build_repo: "https://github.com/vector-im/hydrogen-web.git" -matrix_client_hydrogen_version: v0.2.19 +matrix_client_hydrogen_version: v0.2.23 matrix_client_hydrogen_docker_image: "{{ matrix_client_hydrogen_docker_image_name_prefix }}vectorim/hydrogen-web:{{ matrix_client_hydrogen_version }}" -matrix_client_hydrogen_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_hydrogen_container_image_self_build }}" +matrix_client_hydrogen_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_hydrogen_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_client_hydrogen_docker_image_force_pull: "{{ matrix_client_hydrogen_docker_image.endswith(':latest') }}" matrix_client_hydrogen_data_path: "{{ matrix_base_data_path }}/client-hydrogen" diff --git a/roles/matrix-client-hydrogen/tasks/setup_install.yml b/roles/matrix-client-hydrogen/tasks/setup_install.yml index b512a1a8..2f949927 100644 --- a/roles/matrix-client-hydrogen/tasks/setup_install.yml +++ b/roles/matrix-client-hydrogen/tasks/setup_install.yml @@ -32,7 +32,7 @@ - name: Ensure Hydrogen configuration installed copy: content: "{{ matrix_client_hydrogen_configuration|to_nice_json }}" - dest: "{{ matrix_client_hydrogen_docker_src_files_path }}/assets/config.json" + dest: "{{ matrix_client_hydrogen_docker_src_files_path }}/src/platform/web/assets/config.json" mode: 0644 owner: "{{ matrix_user_username }}" group: "{{ matrix_user_groupname }}" diff --git a/roles/matrix-client-hydrogen/templates/systemd/matrix-client-hydrogen.service.j2 b/roles/matrix-client-hydrogen/templates/systemd/matrix-client-hydrogen.service.j2 index c85aeb97..7a72e876 100644 --- a/roles/matrix-client-hydrogen/templates/systemd/matrix-client-hydrogen.service.j2 +++ b/roles/matrix-client-hydrogen/templates/systemd/matrix-client-hydrogen.service.j2 @@ -29,8 +29,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-client-hydroge {% endfor %} {{ matrix_client_hydrogen_docker_image }} -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-client-hydrogen 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-client-hydrogen 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-client-hydrogen 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-client-hydrogen 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-client-hydrogen diff --git a/roles/matrix-common-after/tasks/awx_post.yml b/roles/matrix-common-after/tasks/awx_post.yml index 4fbd5e55..9c472ca3 100644 --- a/roles/matrix-common-after/tasks/awx_post.yml +++ b/roles/matrix-common-after/tasks/awx_post.yml @@ -1,11 +1,11 @@ --- -- name: Create user account @janitor +- name: Create user account @admin-janitor command: | - /usr/local/bin/matrix-synapse-register-user janitor {{ awx_janitor_user_password | quote }} 1 + /usr/local/bin/matrix-synapse-register-user admin-janitor {{ awx_janitor_user_password | quote }} 1 register: cmd when: not awx_janitor_user_created|bool - no_log: True + no_log: false - name: Update AWX janitor user created variable delegate_to: 127.0.0.1 @@ -18,12 +18,12 @@ 'awx_janitor_user_created': 'true' when: not awx_janitor_user_created|bool -- name: Create user account @dimension +- name: Create user account @admin-dimension command: | - /usr/local/bin/matrix-synapse-register-user dimension {{ awx_dimension_user_password | quote }} 0 + /usr/local/bin/matrix-synapse-register-user admin-dimension {{ awx_dimension_user_password | quote }} 0 register: cmd when: not awx_dimension_user_created|bool - no_log: True + no_log: false - name: Update AWX dimension user created variable delegate_to: 127.0.0.1 @@ -36,12 +36,12 @@ 'awx_dimension_user_created': 'true' when: not awx_dimension_user_created|bool -- name: Create user account @mjolnir +- name: Create user account @admin-mjolnir command: | - /usr/local/bin/matrix-synapse-register-user mjolnir {{ awx_mjolnir_user_password | quote }} 0 + /usr/local/bin/matrix-synapse-register-user admin-mjolnir {{ awx_mjolnir_user_password | quote }} 0 register: cmd when: not awx_mjolnir_user_created|bool - no_log: True + no_log: false - name: Update AWX dimension user created variable delegate_to: 127.0.0.1 diff --git a/roles/matrix-corporal/defaults/main.yml b/roles/matrix-corporal/defaults/main.yml index dfc71479..aede4d50 100644 --- a/roles/matrix-corporal/defaults/main.yml +++ b/roles/matrix-corporal/defaults/main.yml @@ -22,7 +22,7 @@ matrix_corporal_container_extra_arguments: [] # List of systemd services that matrix-corporal.service depends on matrix_corporal_systemd_required_services_list: ['docker.service'] -matrix_corporal_version: 2.2.1 +matrix_corporal_version: 2.2.2 matrix_corporal_docker_image: "{{ matrix_corporal_docker_image_name_prefix }}devture/matrix-corporal:{{ matrix_corporal_docker_image_tag }}" matrix_corporal_docker_image_name_prefix: "{{ 'localhost/' if matrix_corporal_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_corporal_docker_image_tag: "{{ matrix_corporal_version }}" # for backward-compatibility diff --git a/roles/matrix-corporal/templates/systemd/matrix-corporal.service.j2 b/roles/matrix-corporal/templates/systemd/matrix-corporal.service.j2 index 262e2e77..9c42f2b1 100644 --- a/roles/matrix-corporal/templates/systemd/matrix-corporal.service.j2 +++ b/roles/matrix-corporal/templates/systemd/matrix-corporal.service.j2 @@ -34,8 +34,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-corporal \ {{ matrix_corporal_docker_image }} \ /matrix-corporal -config=/etc/matrix-corporal/config.json -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-corporal 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-corporal 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-corporal 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-corporal 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-corporal diff --git a/roles/matrix-coturn/defaults/main.yml b/roles/matrix-coturn/defaults/main.yml index b845e9ee..4d7ccf6b 100644 --- a/roles/matrix-coturn/defaults/main.yml +++ b/roles/matrix-coturn/defaults/main.yml @@ -5,7 +5,7 @@ matrix_coturn_container_image_self_build_repo: "https://github.com/coturn/coturn matrix_coturn_container_image_self_build_repo_version: "docker/{{ matrix_coturn_version }}" matrix_coturn_container_image_self_build_repo_dockerfile_path: "docker/coturn/alpine/Dockerfile" -matrix_coturn_version: 4.5.2-r4 +matrix_coturn_version: 4.5.2-r8 matrix_coturn_docker_image: "{{ matrix_coturn_docker_image_name_prefix }}coturn/coturn:{{ matrix_coturn_version }}-alpine" matrix_coturn_docker_image_name_prefix: "{{ 'localhost/' if matrix_coturn_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_coturn_docker_image_force_pull: "{{ matrix_coturn_docker_image.endswith(':latest') }}" diff --git a/roles/matrix-coturn/templates/systemd/matrix-coturn.service.j2 b/roles/matrix-coturn/templates/systemd/matrix-coturn.service.j2 index a39030af..778f8185 100644 --- a/roles/matrix-coturn/templates/systemd/matrix-coturn.service.j2 +++ b/roles/matrix-coturn/templates/systemd/matrix-coturn.service.j2 @@ -43,8 +43,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-coturn \ {{ matrix_coturn_docker_image }} \ -c /turnserver.conf -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-coturn 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-coturn 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-coturn 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-coturn 2>/dev/null' # This only reloads certificates (not other configuration). # See: https://github.com/coturn/coturn/pull/236 diff --git a/roles/matrix-dendrite/defaults/main.yml b/roles/matrix-dendrite/defaults/main.yml new file mode 100644 index 00000000..23789540 --- /dev/null +++ b/roles/matrix-dendrite/defaults/main.yml @@ -0,0 +1,174 @@ +# Dendrite is a second-generation Matrix homeserver currently in Beta +# See: https://github.com/matrix-org/dendrite + +matrix_dendrite_enabled: true + +matrix_dendrite_docker_image: "{{ matrix_dendrite_docker_image_name_prefix }}matrixdotorg/dendrite-monolith:{{ matrix_dendrite_docker_image_tag }}" +matrix_dendrite_docker_image_name_prefix: "docker.io/" +matrix_dendrite_docker_image_tag: "v0.5.1" +matrix_dendrite_docker_image_force_pull: "{{ matrix_dendrite_docker_image.endswith(':latest') }}" + +matrix_dendrite_base_path: "{{ matrix_base_data_path }}/dendrite" +matrix_dendrite_config_dir_path: "{{ matrix_dendrite_base_path }}/config" +matrix_dendrite_storage_path: "{{ matrix_dendrite_base_path }}/storage" +matrix_dendrite_media_store_path: "{{ matrix_dendrite_storage_path }}/media-store" +matrix_dendrite_ext_path: "{{ matrix_dendrite_base_path }}/ext" + +# By default, we make Dendrite only serve HTTP (not HTTPS). +# HTTPS is usually served at the reverse-proxy side (usually via `matrix-nginx-proxy`). +# +# To enable HTTPS serving by Dendrite (directly): +# - `matrix_dendrite_https_bind_port` must be set +# - `-tls-cert` and `-tls-key` must be passed to Dendrite via `matrix_dendrite_process_extra_arguments` +# - the TLS certificate files must be mounted into the container using `matrix_dendrite_container_additional_volumes` +matrix_dendrite_http_bind_port: 8008 +matrix_dendrite_https_bind_port: ~ + +# This is passed as an `-http-bind-address` flag to the Dendrite server in the container +matrix_dendrite_http_bind_address: "{{ (':' + matrix_dendrite_http_bind_port|string) if matrix_dendrite_http_bind_port else '' }}" + +# This is passed as an `-https-bind-address` flag to the Dendrite server in the container +matrix_dendrite_https_bind_address: "{{ (':' + matrix_dendrite_https_bind_port|string) if matrix_dendrite_https_bind_port else '' }}" + +# Controls whether the matrix-dendrite container exposes the HTTP port (tcp/{{ matrix_dendrite_http_bind_port }} in the container). +# +# Takes an ":" or "" value (e.g. "127.0.0.1:8008"), or empty string to not expose. +matrix_dendrite_container_http_host_bind_address: "" + +# Controls whether the matrix-dendrite container exposes the HTTPS port (tcp/{{ matrix_dendrite_https_bind_port }} in the container). +# +# Takes an ":" or "" value (e.g. "127.0.0.1:8448"), or empty string to not expose. +matrix_dendrite_container_https_host_bind_address: "" + +# A list of extra arguments to pass to the container (`docker run` command) +matrix_dendrite_container_extra_arguments: [] + +# A list of extra arguments to pass to the container process (`dendrite-monolith` command) +# Example: +# matrix_dendrite_process_extra_arguments: +# - "-tls-cert /some/path.crt" +# - "-tls-key /some/path.pem" +matrix_dendrite_process_extra_arguments: [] + +# List of systemd services that matrix-dendrite.service depends on +matrix_dendrite_systemd_required_services_list: ["docker.service"] + +# List of systemd services that matrix-dendrite.service wants +matrix_dendrite_systemd_wanted_services_list: [] + +# Specifies which template files to use when configuring Dendrite. +# If you'd like to have your own different configuration, feel free to copy and paste +# the original files into your inventory (e.g. in `inventory/host_vars//`) +# and then change the specific host's `vars.yaml` file like this: +# matrix_dendrite_template_dendrite_config: "{{ playbook_dir }}/inventory/host_vars//dendrite.yaml.j2" +matrix_dendrite_template_dendrite_config: "{{ role_path }}/templates/dendrite/dendrite.yaml.j2" + +matrix_dendrite_registration_shared_secret: '' +matrix_dendrite_allow_guest_access: false + +matrix_dendrite_max_file_size_bytes: 10485760 + +# Controls which HTTP header (e.g. 'X-Forwarded-For', 'X-Real-IP') to inspect to find the real remote IP address of the client. +# This is likely required if Dendrite is running behind a reverse proxy server. +matrix_dendrite_sync_api_real_ip_header: '' + +# The tmpfs at /tmp needs to be large enough to handle multiple concurrent file uploads. +matrix_dendrite_tmp_directory_size_mb: 500 + +# Rate limits +matrix_dendrite_rate_limiting_enabled: true +matrix_dendrite_rate_limiting_threshold: 5 +matrix_dendrite_rate_limiting_cooloff_ms: 500 + +# Controls whether people with access to the homeserver can register by themselves. +matrix_dendrite_registration_disabled: false + +# reCAPTCHA API for validating registration attempts +matrix_dendrite_enable_registration_captcha: false +matrix_dendrite_recaptcha_public_key: "" +matrix_dendrite_recaptcha_private_key: "" + +# A list of additional "volumes" to mount in the container. +# This list gets populated dynamically based on Dendrite extensions that have been enabled. +# Contains definition objects like this: `{"src": "/outside", "dst": "/inside", "options": "rw|ro|slave|.."} +# +# Note: internally, this uses the `-v` flag for mounting the specified volumes. +# It's better (safer) to use the `--mount` flag for mounting volumes. +# To use `--mount`, specify it in `matrix_dendrite_container_extra_arguments`. +# Example: `matrix_dendrite_container_extra_arguments: ['--mount type=bind,src=/outside,dst=/inside,ro'] +matrix_dendrite_container_additional_volumes: [] + +# A list of appservice config files (in-container filesystem paths). +# This list gets populated dynamically based on Dendrite extensions that have been enabled. +# You may wish to use this together with `matrix_dendrite_container_additional_volumes` or `matrix_dendrite_container_extra_arguments`. +matrix_dendrite_app_service_config_files: [] + +# Enable exposure of metrics +matrix_dendrite_metrics_enabled: false +matrix_dendrite_metrics_username: "metrics" +matrix_dendrite_metrics_password: "metrics" + +# Postgres database information +matrix_dendrite_database_str: "postgresql://{{ matrix_dendrite_database_user }}:{{ matrix_dendrite_database_password }}@{{ matrix_dendrite_database_hostname }}" +matrix_dendrite_database_hostname: "matrix-postgres" +matrix_dendrite_database_user: "dendrite" +matrix_dendrite_database_password: "itsasecret" +matrix_dendrite_naffka_database: "dendrite_naffka" +matrix_dendrite_appservice_database: "dendrite_appservice" +matrix_dendrite_federationsender_database: "dendrite_federationsender" +matrix_dendrite_keyserver_database: "dendrite_keyserver" +matrix_dendrite_mediaapi_database: "dendrite_mediaapi" +matrix_dendrite_room_database: "dendrite_room" +matrix_dendrite_singingkeyserver_database: "dendrite_sigingkeyserver" +matrix_dendrite_syncapi_database: "dendrite_syncapi" +matrix_dendrite_account_database: "dendrite_account" +matrix_dendrite_device_database: "dendrite_device" +matrix_dendrite_mscs_database: "dendrite_mscs" + +matrix_dendrite_turn_uris: [] +matrix_dendrite_turn_shared_secret: "" +matrix_dendrite_turn_allow_guests: False + +# Controls whether the self-check feature should validate TLS certificates. +matrix_dendrite_disable_tls_validation: false + +matrix_dendrite_trusted_id_servers: + - "matrix.org" + - "vector.im" + +# Controls whether Dendrite will federate at all. +# Disable this to completely isolate your server from the rest of the Matrix network. +matrix_dendrite_federation_enabled: true + +# Controls whether the self-check feature should validate SSL certificates. +matrix_dendrite_self_check_validate_certificates: true + +# Default Dendrite configuration template which covers the generic use case. +# You can customize it by controlling the various variables inside it. +# +# For a more advanced customization, you can extend the default (see `matrix_dendrite_configuration_extension_yaml`) +# or completely replace this variable with your own template. +matrix_dendrite_configuration_yaml: "{{ lookup('template', 'templates/dendrite/dendrite.yaml.j2') }}" + +matrix_dendrite_configuration_extension_yaml: | + # Your custom YAML configuration for Dendrite goes here. + # This configuration extends the default starting configuration (`matrix_dendrite_configuration_yaml`). + # + # You can override individual variables from the default configuration, or introduce new ones. + # + # If you need something more special, you can take full control by + # completely redefining `matrix_dendrite_configuration_yaml`. + # + # Example configuration extension follows: + # + # server_notices: + # system_mxid_localpart: notices + # system_mxid_display_name: "Server Notices" + # system_mxid_avatar_url: "mxc://server.com/oumMVlgDnLYFaPVkExemNVVZ" + # room_name: "Server Notices" + +matrix_dendrite_configuration_extension: "{{ matrix_dendrite_configuration_extension_yaml|from_yaml if matrix_dendrite_configuration_extension_yaml|from_yaml is mapping else {} }}" + +# Holds the final Dendrite configuration (a combination of the default and its extension). +# You most likely don't need to touch this variable. Instead, see `matrix_dendrite_configuration_yaml`. +matrix_dendrite_configuration: "{{ matrix_dendrite_configuration_yaml|from_yaml|combine(matrix_dendrite_configuration_extension, recursive=True) }}" diff --git a/roles/matrix-dendrite/tasks/dendrite/setup.yml b/roles/matrix-dendrite/tasks/dendrite/setup.yml new file mode 100644 index 00000000..8b669193 --- /dev/null +++ b/roles/matrix-dendrite/tasks/dendrite/setup.yml @@ -0,0 +1,6 @@ +--- +- import_tasks: "{{ role_path }}/tasks/dendrite/setup_install.yml" + when: matrix_dendrite_enabled|bool + +- import_tasks: "{{ role_path }}/tasks/dendrite/setup_uninstall.yml" + when: "not matrix_dendrite_enabled|bool" diff --git a/roles/matrix-dendrite/tasks/dendrite/setup_install.yml b/roles/matrix-dendrite/tasks/dendrite/setup_install.yml new file mode 100644 index 00000000..3e3b2199 --- /dev/null +++ b/roles/matrix-dendrite/tasks/dendrite/setup_install.yml @@ -0,0 +1,77 @@ +--- +# This will throw a Permission Denied error if already mounted using fuse +- name: Check Dendrite media store path + stat: + path: "{{ matrix_dendrite_media_store_path }}" + register: local_path_media_store_stat + ignore_errors: yes + +# This is separate and conditional, to ensure we don't execute it +# if the path already exists or we failed to check, because it's mounted using fuse. +- name: Ensure Dendrite media store path exists + file: + path: "{{ matrix_dendrite_media_store_path }}" + state: directory + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + when: "not local_path_media_store_stat.failed and not local_path_media_store_stat.stat.exists" + +- name: Ensure Dendrite Docker image is pulled + docker_image: + name: "{{ matrix_dendrite_docker_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_dendrite_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_dendrite_docker_image_force_pull }}" + +- name: Check if a Dendrite signing key exists + stat: + path: "{{ matrix_dendrite_config_dir_path }}/{{ matrix_server_fqn_matrix }}.signing.pem" + register: matrix_dendrite_signing_key_stat + +# We do this so that the signing key would get generated. +# We don't use the `docker_container` module, because using it with `cap_drop` requires +# a very recent version, which is not available for a lot of people yet. +- name: Generate Dendrite signing key + command: | + docker run + --rm + --name=matrix-dendrite-config + --entrypoint=generate-keys + --mount type=bind,src={{ matrix_dendrite_config_dir_path }},dst=/data + {{ matrix_dendrite_docker_image }} --private-key=/data/{{ matrix_server_fqn_matrix }}.signing.pem + generate + when: "not matrix_dendrite_signing_key_stat.stat.exists" + +- name: Ensure Dendrite server key exists + file: + path: "{{ matrix_dendrite_config_dir_path }}/{{ matrix_server_fqn_matrix }}.signing.pem" + mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + +- name: Ensure Dendrite configuration installed + copy: + content: "{{ matrix_dendrite_configuration|to_nice_yaml }}" + dest: "{{ matrix_dendrite_config_dir_path }}/dendrite.yaml" + mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + +- name: Ensure matrix-dendrite.service installed + template: + src: "{{ role_path }}/templates/dendrite/systemd/matrix-dendrite.service.j2" + dest: "{{ matrix_systemd_path }}/matrix-dendrite.service" + mode: 0644 + register: matrix_dendrite_systemd_service_result + +- name: Ensure systemd reloaded after matrix-dendrite.service installation + service: + daemon_reload: yes + when: "matrix_dendrite_systemd_service_result.changed|bool" + +- name: Ensure matrix-dendrite-create-account script created + template: + src: "{{ role_path }}/templates/dendrite/usr-local-bin/matrix-dendrite-create-account.j2" + dest: "{{ matrix_local_bin_path }}/matrix-dendrite-create-account" + mode: 0750 diff --git a/roles/matrix-dendrite/tasks/dendrite/setup_uninstall.yml b/roles/matrix-dendrite/tasks/dendrite/setup_uninstall.yml new file mode 100644 index 00000000..7e953365 --- /dev/null +++ b/roles/matrix-dendrite/tasks/dendrite/setup_uninstall.yml @@ -0,0 +1,28 @@ +- name: Check existence of matrix-dendrite service + stat: + path: "{{ matrix_systemd_path }}/matrix-dendrite.service" + register: matrix_dendrite_service_stat + +- name: Ensure matrix-dendrite is stopped + service: + name: matrix-dendrite + state: stopped + daemon_reload: yes + register: stopping_result + when: "matrix_dendrite_service_stat.stat.exists" + +- name: Ensure matrix-dendrite.service doesn't exist + file: + path: "{{ matrix_systemd_path }}/matrix-dendrite.service" + state: absent + when: "matrix_dendrite_service_stat.stat.exists" + +- name: Ensure systemd reloaded after matrix-dendrite.service removal + service: + daemon_reload: yes + when: "matrix_dendrite_service_stat.stat.exists" + +- name: Ensure Dendrite Docker image doesn't exist + docker_image: + name: "{{ matrix_dendrite_docker_image }}" + state: absent diff --git a/roles/matrix-dendrite/tasks/init.yml b/roles/matrix-dendrite/tasks/init.yml new file mode 100644 index 00000000..2e2e551a --- /dev/null +++ b/roles/matrix-dendrite/tasks/init.yml @@ -0,0 +1,3 @@ +- set_fact: + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-dendrite.service'] }}" + when: matrix_dendrite_enabled|bool diff --git a/roles/matrix-dendrite/tasks/main.yml b/roles/matrix-dendrite/tasks/main.yml new file mode 100644 index 00000000..815135d7 --- /dev/null +++ b/roles/matrix-dendrite/tasks/main.yml @@ -0,0 +1,40 @@ +- import_tasks: "{{ role_path }}/tasks/init.yml" + tags: + - always + +- import_tasks: "{{ role_path }}/tasks/validate_config.yml" + when: run_setup|bool + tags: + - setup-all + - setup-dendrite + +- import_tasks: "{{ role_path }}/tasks/setup_dendrite.yml" + when: run_setup|bool + tags: + - setup-all + - setup-dendrite + +- import_tasks: "{{ role_path }}/tasks/register_user.yml" + when: run_dendrite_register_user|bool and matrix_dendrite_enabled|bool + tags: + - register-user + +- import_tasks: "{{ role_path }}/tasks/self_check_client_api.yml" + delegate_to: 127.0.0.1 + become: false + when: run_self_check|bool and matrix_dendrite_enabled|bool + tags: + - self-check + +- import_tasks: "{{ role_path }}/tasks/self_check_federation_api.yml" + delegate_to: 127.0.0.1 + become: false + when: run_self_check|bool and matrix_dendrite_enabled|bool + tags: + - self-check + +- name: Mark matrix-dendrite role as executed + set_fact: + matrix_dendrite_role_executed: true + tags: + - always diff --git a/roles/matrix-dendrite/tasks/register_user.yml b/roles/matrix-dendrite/tasks/register_user.yml new file mode 100644 index 00000000..099d57e9 --- /dev/null +++ b/roles/matrix-dendrite/tasks/register_user.yml @@ -0,0 +1,25 @@ +--- +- name: Fail if playbook called incorrectly + fail: + msg: "The `username` variable needs to be provided to this playbook, via --extra-vars" + when: "username is not defined or username == ''" + +- name: Fail if playbook called incorrectly + fail: + msg: "The `password` variable needs to be provided to this playbook, via --extra-vars" + when: "password is not defined or password == ''" + +- name: Ensure matrix-dendrite is started + service: + name: matrix-dendrite + state: started + daemon_reload: yes + register: start_result + +- name: Wait a while, so that Dendrite can manage to start + pause: + seconds: 7 + when: "start_result.changed" + +- name: Register user + command: "{{ matrix_local_bin_path }}/matrix-dendrite-create-account {{ username|quote }} {{ password|quote }}" diff --git a/roles/matrix-dendrite/tasks/self_check_client_api.yml b/roles/matrix-dendrite/tasks/self_check_client_api.yml new file mode 100644 index 00000000..7c2f6b5e --- /dev/null +++ b/roles/matrix-dendrite/tasks/self_check_client_api.yml @@ -0,0 +1,18 @@ +--- +- name: Check Matrix Client API + uri: + url: "{{ matrix_dendrite_client_api_url_endpoint_public }}" + follow_redirects: none + validate_certs: "{{ matrix_dendrite_self_check_validate_certificates }}" + register: result_matrix_dendrite_client_api + ignore_errors: true + check_mode: no + +- name: Fail if Matrix Client API not working + fail: + msg: "Failed checking Matrix Client API is up at `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ matrix_dendrite_client_api_url_endpoint_public }}`). Is Dendrite running? Is port 443 open in your firewall? Full error: {{ result_matrix_dendrite_client_api }}" + when: "(result_matrix_dendrite_client_api.failed or 'json' not in result_matrix_dendrite_client_api)" + +- name: Report working Matrix Client API + debug: + msg: "The Matrix Client API at `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ matrix_dendrite_client_api_url_endpoint_public }}`) is working" diff --git a/roles/matrix-dendrite/tasks/self_check_federation_api.yml b/roles/matrix-dendrite/tasks/self_check_federation_api.yml new file mode 100644 index 00000000..a7c60a67 --- /dev/null +++ b/roles/matrix-dendrite/tasks/self_check_federation_api.yml @@ -0,0 +1,24 @@ +--- +- name: Check Matrix Federation API + uri: + url: "{{ matrix_dendrite_federation_api_url_endpoint_public }}" + follow_redirects: none + validate_certs: "{{ matrix_dendrite_self_check_validate_certificates }}" + register: result_matrix_dendrite_federation_api + ignore_errors: true + check_mode: no + +- name: Fail if Matrix Federation API not working + fail: + msg: "Failed checking Matrix Federation API is up at `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ matrix_dendrite_federation_api_url_endpoint_public }}`). Is Dendrite running? Is port {{ matrix_federation_public_port }} open in your firewall? Full error: {{ result_matrix_dendrite_federation_api }}" + when: "matrix_dendrite_federation_enabled|bool and (result_matrix_dendrite_federation_api.failed or 'json' not in result_matrix_dendrite_federation_api)" + +- name: Fail if Matrix Federation API unexpectedly enabled + fail: + msg: "Matrix Federation API is up at `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ matrix_dendrite_federation_api_url_endpoint_public }}`) despite being disabled." + when: "not matrix_dendrite_federation_enabled|bool and not result_matrix_dendrite_federation_api.failed" + +- name: Report working Matrix Federation API + debug: + msg: "The Matrix Federation API at `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ matrix_dendrite_federation_api_url_endpoint_public }}`) is working" + when: "matrix_dendrite_federation_enabled|bool" diff --git a/roles/matrix-dendrite/tasks/setup_dendrite.yml b/roles/matrix-dendrite/tasks/setup_dendrite.yml new file mode 100644 index 00000000..04c3a7fe --- /dev/null +++ b/roles/matrix-dendrite/tasks/setup_dendrite.yml @@ -0,0 +1,14 @@ +--- +- name: Ensure Dendrite paths exist + file: + path: "{{ item.path }}" + state: directory + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: + - { path: "{{ matrix_dendrite_config_dir_path }}", when: true } + - { path: "{{ matrix_dendrite_ext_path }}", when: true } + when: "matrix_dendrite_enabled|bool and item.when" + +- import_tasks: "{{ role_path }}/tasks/dendrite/setup.yml" diff --git a/roles/matrix-dendrite/tasks/validate_config.yml b/roles/matrix-dendrite/tasks/validate_config.yml new file mode 100644 index 00000000..2d2cf4c5 --- /dev/null +++ b/roles/matrix-dendrite/tasks/validate_config.yml @@ -0,0 +1,16 @@ +--- +- name: Fail if required Dendrite settings not defined + fail: + msg: >- + You need to define a required configuration setting (`{{ item }}`) for using Dendrite. + when: "vars[item] == ''" + with_items: + - "matrix_dendrite_registration_shared_secret" + +- name: (Deprecation) Catch and report renamed settings + fail: + msg: >- + Your configuration contains a variable, which now has a different name. + Please change your configuration to rename the variable (`{{ item.old }}` -> `{{ item.new }}`). + when: "item.old in vars" + with_items: [] diff --git a/roles/matrix-dendrite/templates/dendrite/dendrite.yaml.j2 b/roles/matrix-dendrite/templates/dendrite/dendrite.yaml.j2 new file mode 100644 index 00000000..102dd2f5 --- /dev/null +++ b/roles/matrix-dendrite/templates/dendrite/dendrite.yaml.j2 @@ -0,0 +1,390 @@ +# This is the Dendrite configuration file. +# +# The configuration is split up into sections - each Dendrite component has a +# configuration section, in addition to the "global" section which applies to +# all components. +# +# At a minimum, to get started, you will need to update the settings in the +# "global" section for your deployment, and you will need to check that the +# database "connection_string" line in each component section is correct. +# +# Each component with a "database" section can accept the following formats +# for "connection_string": +# SQLite: file:filename.db +# file:///path/to/filename.db +# PostgreSQL: postgresql://user:pass@hostname/database?params=... +# +# SQLite is embedded into Dendrite and therefore no further prerequisites are +# needed for the database when using SQLite mode. However, performance with +# PostgreSQL is significantly better and recommended for multi-user deployments. +# SQLite is typically around 20-30% slower than PostgreSQL when tested with a +# small number of users and likely will perform worse still with a higher volume +# of users. +# +# The "max_open_conns" and "max_idle_conns" settings configure the maximum +# number of open/idle database connections. The value 0 will use the database +# engine default, and a negative value will use unlimited connections. The +# "conn_max_lifetime" option controls the maximum length of time a database +# connection can be idle in seconds - a negative value is unlimited. + +# The version of the configuration file. +version: 1 + +# Global Matrix configuration. This configuration applies to all components. +global: + # The domain name of this homeserver. + server_name: {{ matrix_domain|to_json }} + + # The path to the signing private key file, used to sign requests and events. + # Note that this is NOT the same private key as used for TLS! To generate a + # signing key, use "./bin/generate-keys --private-key matrix_key.pem". + private_key: "/data/{{ matrix_server_fqn_matrix }}.signing.pem" + + # The paths and expiry timestamps (as a UNIX timestamp in millisecond precision) + # to old signing private keys that were formerly in use on this domain. These + # keys will not be used for federation request or event signing, but will be + # provided to any other homeserver that asks when trying to verify old events. + # old_private_keys: + # - private_key: old_matrix_key.pem + # expired_at: 1601024554498 + + # How long a remote server can cache our server signing key before requesting it + # again. Increasing this number will reduce the number of requests made by other + # servers for our key but increases the period that a compromised key will be + # considered valid by other homeservers. + key_validity_period: 168h0m0s + + # The server name to delegate server-server communications to, with optional port + # e.g. localhost:443 + well_known_server_name: "" + + # Lists of domains that the server will trust as identity servers to verify third + # party identifiers such as phone numbers and email addresses. + trusted_third_party_id_servers: {{ matrix_dendrite_trusted_id_servers|to_json }} + + # Disables federation. Dendrite will not be able to make any outbound HTTP requests + # to other servers and the federation API will not be exposed. + disable_federation: {{ (not matrix_dendrite_federation_enabled)|to_json }} + + # Configuration for Kafka/Naffka. + kafka: + # List of Kafka broker addresses to connect to. This is not needed if using + # Naffka in monolith mode. + addresses: [] + + # The prefix to use for Kafka topic names for this homeserver. Change this only if + # you are running more than one Dendrite homeserver on the same Kafka deployment. + topic_prefix: Dendrite + + # Whether to use Naffka instead of Kafka. This is only available in monolith + # mode, but means that you can run a single-process server without requiring + # Kafka. + use_naffka: true + + # The max size a Kafka message is allowed to use. + # You only need to change this value, if you encounter issues with too large messages. + # Must be less than/equal to "max.message.bytes" configured in Kafka. + # Defaults to 8388608 bytes. + # max_message_bytes: 8388608 + + # Naffka database options. Not required when using Kafka. + naffka_database: + connection_string: {{ matrix_dendrite_database_str }}/{{ matrix_dendrite_naffka_database }}?sslmode=disable + max_open_conns: 10 + max_idle_conns: 2 + conn_max_lifetime: -1 + + # Configuration for Prometheus metric collection. + metrics: + # Whether or not Prometheus metrics are enabled. + enabled: {{ matrix_dendrite_metrics_enabled|to_json }} + + # HTTP basic authentication to protect access to monitoring. + basic_auth: + username: {{ matrix_dendrite_metrics_username|to_json }} + password: {{ matrix_dendrite_metrics_password|to_json }} + + # DNS cache options. The DNS cache may reduce the load on DNS servers + # if there is no local caching resolver available for use. + dns_cache: + # Whether or not the DNS cache is enabled. + enabled: false + + # Maximum number of entries to hold in the DNS cache, and + # for how long those items should be considered valid in seconds. + cache_size: 256 + cache_lifetime: "5m" # 5minutes; see https://pkg.go.dev/time@master#ParseDuration for more + +# Configuration for the Appservice API. +app_service_api: + internal_api: + listen: http://0.0.0.0:7777 + connect: http://appservice_api:7777 + database: + connection_string: {{ matrix_dendrite_database_str }}/{{ matrix_dendrite_appservice_database }}?sslmode=disable + max_open_conns: 10 + max_idle_conns: 2 + conn_max_lifetime: -1 + + # Disable the validation of TLS certificates of appservices. This is + # not recommended in production since it may allow appservice traffic + # to be sent to an unverified endpoint. + disable_tls_validation: false + + # Appservice configuration files to load into this homeserver. + config_files: {{ matrix_dendrite_app_service_config_files|to_json }} + +# Configuration for the Client API. +client_api: + internal_api: + listen: http://0.0.0.0:7771 + connect: http://client_api:7771 + external_api: + listen: http://0.0.0.0:8071 + + # Prevents new users from being able to register on this homeserver, except when + # using the registration shared secret below. + registration_disabled: {{ matrix_dendrite_registration_disabled|to_json }} + + # If set, allows registration by anyone who knows the shared secret, regardless of + # whether registration is otherwise disabled. + registration_shared_secret: {{ matrix_dendrite_registration_shared_secret|string|to_json }} + + # Whether to require reCAPTCHA for registration. + enable_registration_captcha: {{ matrix_dendrite_enable_registration_captcha|to_json }} + + # Settings for ReCAPTCHA. + recaptcha_public_key: {{ matrix_dendrite_recaptcha_public_key|to_json }} + recaptcha_private_key: {{ matrix_dendrite_recaptcha_private_key|to_json }} + recaptcha_bypass_secret: "" + recaptcha_siteverify_api: "" + + # TURN server information that this homeserver should send to clients. + turn: + turn_user_lifetime: "" + turn_uris: {{ matrix_dendrite_turn_uris|to_json }} + turn_shared_secret: {{ matrix_dendrite_turn_shared_secret|to_json }} + turn_username: "" + turn_password: "" + + # Settings for rate-limited endpoints. Rate limiting will kick in after the + # threshold number of "slots" have been taken by requests from a specific + # host. Each "slot" will be released after the cooloff time in milliseconds. + rate_limiting: + enabled: {{ matrix_dendrite_rate_limiting_enabled|to_json }} + threshold: {{ matrix_dendrite_rate_limiting_threshold|to_json }} + cooloff_ms: {{ matrix_dendrite_rate_limiting_cooloff_ms|to_json }} + +# Configuration for the EDU server. +edu_server: + internal_api: + listen: http://0.0.0.0:7778 + connect: http://edu_server:7778 + +# Configuration for the Federation API. +federation_api: + internal_api: + listen: http://0.0.0.0:7772 + connect: http://federation_api:7772 + external_api: + listen: http://0.0.0.0:8072 + + # List of paths to X.509 certificates to be used by the external federation listeners. + # These certificates will be used to calculate the TLS fingerprints and other servers + # will expect the certificate to match these fingerprints. Certificates must be in PEM + # format. + federation_certificates: [] + +# Configuration for the Federation Sender. +federation_sender: + internal_api: + listen: http://0.0.0.0:7775 + connect: http://federation_sender:7775 + database: + connection_string: {{ matrix_dendrite_database_str }}/{{ matrix_dendrite_federationsender_database }}?sslmode=disable + max_open_conns: 10 + max_idle_conns: 2 + conn_max_lifetime: -1 + + # How many times we will try to resend a failed transaction to a specific server. The + # backoff is 2**x seconds, so 1 = 2 seconds, 2 = 4 seconds, 3 = 8 seconds etc. + send_max_retries: 16 + + # Disable the validation of TLS certificates of remote federated homeservers. Do not + # enable this option in production as it presents a security risk! + disable_tls_validation: {{ matrix_dendrite_disable_tls_validation|to_json }} + + # Use the following proxy server for outbound federation traffic. + proxy_outbound: + enabled: false + protocol: http + host: localhost + port: 8080 + +# Configuration for the Key Server (for end-to-end encryption). +key_server: + internal_api: + listen: http://0.0.0.0:7779 + connect: http://key_server:7779 + database: + connection_string: {{ matrix_dendrite_database_str }}/{{ matrix_dendrite_keyserver_database }}?sslmode=disable + max_open_conns: 10 + max_idle_conns: 2 + conn_max_lifetime: -1 + +# Configuration for the Media API. +media_api: + internal_api: + listen: http://0.0.0.0:7774 + connect: http://media_api:7774 + external_api: + listen: http://0.0.0.0:8074 + database: + connection_string: {{ matrix_dendrite_database_str }}/{{ matrix_dendrite_mediaapi_database }}?sslmode=disable + max_open_conns: 10 + max_idle_conns: 2 + conn_max_lifetime: -1 + + # Storage path for uploaded media. May be relative or absolute. + base_path: "/matrix-media-store-parent/{{ matrix_dendrite_media_store_directory_name }}" + + # The maximum allowed file size (in bytes) for media uploads to this homeserver + # (0 = unlimited). If using a reverse proxy, ensure it allows requests at + # least this large (e.g. client_max_body_size in nginx.) + max_file_size_bytes: {{ matrix_dendrite_max_file_size_bytes|to_json }} + + # Whether to dynamically generate thumbnails if needed. + dynamic_thumbnails: false + + # The maximum number of simultaneous thumbnail generators to run. + max_thumbnail_generators: 10 + + # A list of thumbnail sizes to be generated for media content. + thumbnail_sizes: + - width: 32 + height: 32 + method: crop + - width: 96 + height: 96 + method: crop + - width: 640 + height: 480 + method: scale + +# Configuration for experimental MSC's +mscs: + # A list of enabled MSC's + # Currently valid values are: + # - msc2836 (Threading, see https://github.com/matrix-org/matrix-doc/pull/2836) + # - msc2946 (Spaces Summary, see https://github.com/matrix-org/matrix-doc/pull/2946) + mscs: [] + database: + connection_string: {{ matrix_dendrite_database_str }}/{{ matrix_dendrite_mscs_database }}?sslmode=disable + max_open_conns: 5 + max_idle_conns: 2 + conn_max_lifetime: -1 + +# Configuration for the Room Server. +room_server: + internal_api: + listen: http://0.0.0.0:7770 + connect: http://room_server:7770 + database: + connection_string: {{ matrix_dendrite_database_str }}/{{ matrix_dendrite_room_database }}?sslmode=disable + max_open_conns: 10 + max_idle_conns: 2 + conn_max_lifetime: -1 + +# Configuration for the Signing Key Server (for server signing keys). +signing_key_server: + internal_api: + listen: http://0.0.0.0:7780 + connect: http://signing_key_server:7780 + database: + connection_string: {{ matrix_dendrite_database_str }}/{{ matrix_dendrite_singingkeyserver_database }}?sslmode=disable + max_open_conns: 10 + max_idle_conns: 2 + conn_max_lifetime: -1 + + # Perspective keyservers to use as a backup when direct key fetches fail. This may + # be required to satisfy key requests for servers that are no longer online when + # joining some rooms. + key_perspectives: + - server_name: matrix.org + keys: + - key_id: ed25519:auto + public_key: Noi6WqcDj0QmPxCNQqgezwTlBKrfqehY1u2FyWP9uYw + - key_id: ed25519:a_RXGa + public_key: l8Hft5qXKn1vfHrg3p4+W8gELQVo8N13JkluMfmn2sQ + + # This option will control whether Dendrite will prefer to look up keys directly + # or whether it should try perspective servers first, using direct fetches as a + # last resort. + prefer_direct_fetch: false + +# Configuration for the Sync API. +sync_api: + internal_api: + listen: http://0.0.0.0:7773 + connect: http://sync_api:7773 + external_api: + listen: http://0.0.0.0:8073 + database: + connection_string: {{ matrix_dendrite_database_str }}/{{ matrix_dendrite_syncapi_database }}?sslmode=disable + max_open_conns: 10 + max_idle_conns: 2 + conn_max_lifetime: -1 + + # This option controls which HTTP header to inspect to find the real remote IP + # address of the client. This is likely required if Dendrite is running behind + # a reverse proxy server. + # real_ip_header: X-Real-IP + real_ip_header: {{ matrix_dendrite_sync_api_real_ip_header|to_json }} + +# Configuration for the User API. +user_api: + # The cost when hashing passwords on registration/login. Default: 10. Min: 4, Max: 31 + # See https://pkg.go.dev/golang.org/x/crypto/bcrypt for more information. + # Setting this lower makes registration/login consume less CPU resources at the cost of security + # should the database be compromised. Setting this higher makes registration/login consume more + # CPU resources but makes it harder to brute force password hashes. + # This value can be low if performing tests or on embedded Dendrite instances (e.g WASM builds) + # bcrypt_cost: 10 + internal_api: + listen: http://0.0.0.0:7781 + connect: http://user_api:7781 + account_database: + connection_string: {{ matrix_dendrite_database_str }}/{{ matrix_dendrite_account_database }}?sslmode=disable + max_open_conns: 10 + max_idle_conns: 2 + conn_max_lifetime: -1 + device_database: + connection_string: {{ matrix_dendrite_database_str }}/{{ matrix_dendrite_device_database }}?sslmode=disable + max_open_conns: 10 + max_idle_conns: 2 + conn_max_lifetime: -1 + # The length of time that a token issued for a relying party from + # /_matrix/client/r0/user/{userId}/openid/request_token endpoint + # is considered to be valid in milliseconds. + # The default lifetime is 3600000ms (60 minutes). + # openid_token_lifetime_ms: 3600000 + +# Configuration for Opentracing. +# See https://github.com/matrix-org/dendrite/tree/master/docs/tracing for information on +# how this works and how to set it up. +tracing: + enabled: false + jaeger: + serviceName: "" + disabled: false + rpc_metrics: false + tags: [] + sampler: null + reporter: null + headers: null + baggage_restrictions: null + throttler: null + +# Logging configuration, in addition to the standard logging that is sent to +# stdout by Dendrite. +logging: [] diff --git a/roles/matrix-dendrite/templates/dendrite/systemd/matrix-dendrite.service.j2 b/roles/matrix-dendrite/templates/dendrite/systemd/matrix-dendrite.service.j2 new file mode 100644 index 00000000..7592fca8 --- /dev/null +++ b/roles/matrix-dendrite/templates/dendrite/systemd/matrix-dendrite.service.j2 @@ -0,0 +1,64 @@ +#jinja2: lstrip_blocks: "True" +[Unit] +Description=Dendrite server +{% for service in matrix_dendrite_systemd_required_services_list %} +Requires={{ service }} +After={{ service }} +{% endfor %} +{% for service in matrix_dendrite_systemd_wanted_services_list %} +Wants={{ service }} +{% endfor %} +DefaultDependencies=no + +[Service] +Type=simple +Environment="HOME={{ matrix_systemd_unit_home_path }}" +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-dendrite 2>/dev/null' +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-dendrite 2>/dev/null' + +{% if 'matrix-postgres.service' in matrix_dendrite_systemd_required_services_list %} +# Dendrite is too quick to start in relation to its matrix-postgres dependency. +# Delay Dendrite startup to avoid failing with: "failed to connect to accounts db" ("pq: the database system is starting up"). +ExecStartPre={{ matrix_host_command_sleep }} 5 +{% endif %} + +ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-dendrite \ + --log-driver=none \ + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + --cap-drop=ALL \ + --read-only \ + --tmpfs=/tmp:rw,noexec,nosuid,size={{ matrix_dendrite_tmp_directory_size_mb }}m \ + --network={{ matrix_docker_network }} \ + {% if matrix_dendrite_container_http_host_bind_address and matrix_dendrite_http_bind_port %} + -p {{ matrix_dendrite_container_http_host_bind_address }}:{{ matrix_dendrite_http_bind_port }} \ + {% endif %} + {% if matrix_dendrite_container_https_host_bind_address and matrix_dendrite_https_bind_port %} + -p {{ matrix_dendrite_container_https_host_bind_address }}:{{ matrix_dendrite_https_bind_port }} \ + {% endif %} + --mount type=bind,src={{ matrix_dendrite_config_dir_path }},dst=/data,ro \ + --mount type=bind,src={{ matrix_dendrite_storage_path }},dst=/matrix-media-store-parent,bind-propagation=slave \ + {% for volume in matrix_dendrite_container_additional_volumes %} + -v {{ volume.src }}:{{ volume.dst }}:{{ volume.options }} \ + {% endfor %} + {% for arg in matrix_dendrite_container_extra_arguments %} + {{ arg }} \ + {% endfor %} + {{ matrix_dendrite_docker_image }} \ + -config /data/dendrite.yaml \ + {% if matrix_dendrite_http_bind_address %} + -http-bind-address {{ matrix_dendrite_http_bind_address }} + {% endif %} + {% if matrix_dendrite_https_bind_address %} + -https-bind-address {{ matrix_dendrite_https_bind_address }} + {% endif %} + {{ matrix_dendrite_process_extra_arguments|join(' ') }} + +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-dendrite 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-dendrite 2>/dev/null' +ExecReload={{ matrix_host_command_docker }} exec matrix-dendrite /bin/sh -c 'kill -HUP 1' +Restart=always +RestartSec=30 +SyslogIdentifier=matrix-dendrite + +[Install] +WantedBy=multi-user.target diff --git a/roles/matrix-dendrite/templates/dendrite/usr-local-bin/matrix-dendrite-create-account.j2 b/roles/matrix-dendrite/templates/dendrite/usr-local-bin/matrix-dendrite-create-account.j2 new file mode 100644 index 00000000..5332b964 --- /dev/null +++ b/roles/matrix-dendrite/templates/dendrite/usr-local-bin/matrix-dendrite-create-account.j2 @@ -0,0 +1,12 @@ +#jinja2: lstrip_blocks: "True" +#!/bin/bash + +if [ $# -ne 2 ]; then + echo "Usage: "$0" " + exit 1 +fi + +user=$1 +password=$2 + +docker exec matrix-dendrite create-account -config /data/dendrite.yaml -username "$user" -password "$password" diff --git a/roles/matrix-dendrite/vars/main.yml b/roles/matrix-dendrite/vars/main.yml new file mode 100644 index 00000000..60d5f4eb --- /dev/null +++ b/roles/matrix-dendrite/vars/main.yml @@ -0,0 +1,11 @@ +--- +matrix_dendrite_client_api_url_endpoint_public: "https://{{ matrix_server_fqn_matrix }}/_matrix/client/versions" +matrix_dendrite_federation_api_url_endpoint_public: "https://{{ matrix_server_fqn_matrix }}:{{ matrix_federation_public_port }}/_matrix/federation/v1/version" + +# Tells whether this role had executed or not. Toggled to `true` during runtime. +matrix_dendrite_role_executed: false + +matrix_dendrite_media_store_parent_path: "{{ matrix_dendrite_media_store_path|dirname }}" +matrix_dendrite_media_store_directory_name: "{{ matrix_dendrite_media_store_path|basename }}" + +matrix_dendrite_signing_key_file_name: "{{ matrix_dendrite_signing_key|basename }}" diff --git a/roles/matrix-dimension/defaults/main.yml b/roles/matrix-dimension/defaults/main.yml index fc1f17a6..1ca5f5b8 100644 --- a/roles/matrix-dimension/defaults/main.yml +++ b/roles/matrix-dimension/defaults/main.yml @@ -10,10 +10,16 @@ matrix_dimension_admins: [] # Whether to allow Dimension widgets serve websites with invalid or self signed SSL certificates matrix_dimension_widgets_allow_self_signed_ssl_certificates: false +matrix_dimension_container_image_self_build: false +matrix_dimension_container_image_self_build_repo: "https://github.com/turt2live/matrix-dimension.git" +matrix_dimension_container_image_self_build_branch: master + matrix_dimension_base_path: "{{ matrix_base_data_path }}/dimension" +matrix_dimension_docker_src_files_path: "{{ matrix_base_data_path }}/docker-src/dimension" matrix_dimension_version: latest -matrix_dimension_docker_image: "{{ matrix_container_global_registry_prefix }}turt2live/matrix-dimension:{{ matrix_dimension_version }}" +matrix_dimension_docker_image: "{{ matrix_dimension_docker_image_name_prefix }}turt2live/matrix-dimension:{{ matrix_dimension_version }}" +matrix_dimension_docker_image_name_prefix: "{{ 'localhost/' if matrix_dimension_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_dimension_docker_image_force_pull: "{{ matrix_dimension_docker_image.endswith(':latest') }}" # List of systemd services that matrix-dimension.service depends on. @@ -48,7 +54,7 @@ matrix_dimension_homeserver_federationUrl: "" # # To use Postgres: # - change the engine (`matrix_dimension_database_engine: 'postgres'`) -# - adjust your database credentials via the `matrix_dimension_postgres_*` variables +# - adjust your database credentials via the `matrix_dimension_database_*` variables matrix_dimension_database_engine: 'sqlite' matrix_dimension_sqlite_database_path_local: "{{ matrix_dimension_base_path }}/dimension.db" diff --git a/roles/matrix-dimension/tasks/setup_install.yml b/roles/matrix-dimension/tasks/setup_install.yml index 804be88d..c75fc0b9 100644 --- a/roles/matrix-dimension/tasks/setup_install.yml +++ b/roles/matrix-dimension/tasks/setup_install.yml @@ -90,6 +90,29 @@ source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" force_source: "{{ matrix_dimension_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_dimension_docker_image_force_pull }}" + when: "not matrix_dimension_container_image_self_build|bool" + register: matrix_dimension_pull_results + +- name: Ensure dimension repository is present on self-build + git: + repo: "{{ matrix_dimension_container_image_self_build_repo }}" + dest: "{{ matrix_dimension_docker_src_files_path }}" + version: "{{ matrix_dimension_container_image_self_build_branch }}" + force: "yes" + when: "matrix_dimension_container_image_self_build|bool" + register: matrix_dimension_git_pull_results + +- name: Ensure Dimension Docker image is built + docker_image: + name: "{{ matrix_dimension_docker_image }}" + source: build + force_source: "{{ matrix_dimension_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_dimension_git_pull_results.changed }}" + build: + dockerfile: Dockerfile + path: "{{ matrix_dimension_docker_src_files_path }}" + pull: yes + when: "matrix_dimension_container_image_self_build|bool" - name: Ensure matrix-dimension.service installed template: diff --git a/roles/matrix-dimension/templates/systemd/matrix-dimension.service.j2 b/roles/matrix-dimension/templates/systemd/matrix-dimension.service.j2 index e27a5558..0451231b 100644 --- a/roles/matrix-dimension/templates/systemd/matrix-dimension.service.j2 +++ b/roles/matrix-dimension/templates/systemd/matrix-dimension.service.j2 @@ -38,8 +38,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-dimension \ {% endfor %} {{ matrix_dimension_docker_image }} -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-dimension 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-dimension 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-dimension 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-dimension 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-dimension diff --git a/roles/matrix-dynamic-dns/defaults/main.yml b/roles/matrix-dynamic-dns/defaults/main.yml index 3411d0f8..2be1a5ba 100644 --- a/roles/matrix-dynamic-dns/defaults/main.yml +++ b/roles/matrix-dynamic-dns/defaults/main.yml @@ -4,7 +4,7 @@ matrix_dynamic_dns_enabled: true # The dynamic dns daemon interval matrix_dynamic_dns_daemon_interval: '300' -matrix_dynamic_dns_version: v3.9.1-ls45 +matrix_dynamic_dns_version: v3.9.1-ls76 # The docker container to use when in mode matrix_dynamic_dns_docker_image: "{{ matrix_dynamic_dns_docker_image_name_prefix }}linuxserver/ddclient:{{ matrix_dynamic_dns_version }}" diff --git a/roles/matrix-dynamic-dns/templates/systemd/matrix-dynamic-dns.service.j2 b/roles/matrix-dynamic-dns/templates/systemd/matrix-dynamic-dns.service.j2 index dfdd2f72..31e106f0 100644 --- a/roles/matrix-dynamic-dns/templates/systemd/matrix-dynamic-dns.service.j2 +++ b/roles/matrix-dynamic-dns/templates/systemd/matrix-dynamic-dns.service.j2 @@ -26,8 +26,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-dynamic-dns \ {% endfor %} {{ matrix_dynamic_dns_docker_image }} -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-dynamic-dns 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-dynamic-dns 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-dynamic-dns 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-dynamic-dns 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-dynamic-dns diff --git a/roles/matrix-email2matrix/templates/systemd/matrix-email2matrix.service.j2 b/roles/matrix-email2matrix/templates/systemd/matrix-email2matrix.service.j2 index c9226768..b620a13f 100644 --- a/roles/matrix-email2matrix/templates/systemd/matrix-email2matrix.service.j2 +++ b/roles/matrix-email2matrix/templates/systemd/matrix-email2matrix.service.j2 @@ -24,8 +24,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-email2matrix \ {% endfor %} {{ matrix_email2matrix_docker_image }} -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-email2matrix 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-email2matrix 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-email2matrix 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-email2matrix 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-email2matrix diff --git a/roles/matrix-etherpad/defaults/main.yml b/roles/matrix-etherpad/defaults/main.yml index 45f8f8b2..bcabc3dd 100644 --- a/roles/matrix-etherpad/defaults/main.yml +++ b/roles/matrix-etherpad/defaults/main.yml @@ -2,7 +2,7 @@ matrix_etherpad_enabled: false matrix_etherpad_base_path: "{{ matrix_base_data_path }}/etherpad" -matrix_etherpad_version: 1.8.12 +matrix_etherpad_version: 1.8.16 matrix_etherpad_docker_image: "{{ matrix_container_global_registry_prefix }}etherpad/etherpad:{{ matrix_etherpad_version }}" matrix_etherpad_docker_image_force_pull: "{{ matrix_etherpad_docker_image.endswith(':latest') }}" @@ -41,6 +41,11 @@ matrix_etherpad_database_hostname: 'matrix-postgres' matrix_etherpad_database_port: 5432 matrix_etherpad_database_name: 'matrix_etherpad' +# If a admin username and password is set, the /admin web page will be +# available. +matrix_etherpad_admin_username: '' +matrix_etherpad_admin_password: '' + matrix_etherpad_database_connection_string: 'postgres://{{ matrix_etherpad_database_username }}:{{ matrix_etherpad_database_password }}@{{ matrix_etherpad_database_hostname }}:{{ matrix_etherpad_database_port }}/{{ matrix_etherpad_database_name }}' # Variables configuring the etherpad diff --git a/roles/matrix-etherpad/tasks/init.yml b/roles/matrix-etherpad/tasks/init.yml index 5b8f5ef6..c94e0817 100644 --- a/roles/matrix-etherpad/tasks/init.yml +++ b/roles/matrix-etherpad/tasks/init.yml @@ -8,7 +8,7 @@ msg: >- Trying to append Etherpad's reverse-proxying configuration to matrix-nginx-proxy, but it's pointless since the matrix-nginx-proxy role had already executed. - To fix this, please change the order of roles in your plabook, + To fix this, please change the order of roles in your playbook, so that the matrix-nginx-proxy role would run after the matrix-etherpad role. when: matrix_nginx_proxy_role_executed|default(False)|bool diff --git a/roles/matrix-etherpad/templates/settings.json.j2 b/roles/matrix-etherpad/templates/settings.json.j2 index 377bad98..0a240f3e 100644 --- a/roles/matrix-etherpad/templates/settings.json.j2 +++ b/roles/matrix-etherpad/templates/settings.json.j2 @@ -46,6 +46,8 @@ "maxHttpBufferSize": 10000 }, "loadTest": false, + "dumpOnUncleanExit": false, + "indentationOnNewLine": false, "importExportRateLimiting": { "windowMs": 90000, "max": 10 @@ -69,6 +71,14 @@ "chatAndUsers": false, "lang": "en-gb" }, +{% if matrix_etherpad_admin_username != "" and matrix_etherpad_admin_password != "" %} + "users": { + {{ matrix_etherpad_admin_username|to_json }}: { + "password": {{ matrix_etherpad_admin_password|to_json }}, + "is_admin": true + } + }, +{% endif %} "padShortcutEnabled" : { "altF9": true, "altC": true, @@ -101,5 +111,6 @@ } ] }, - "customLocaleStrings": {} + "customLocaleStrings": {}, + "enableAdminUITests": false } diff --git a/roles/matrix-etherpad/templates/systemd/matrix-etherpad.service.j2 b/roles/matrix-etherpad/templates/systemd/matrix-etherpad.service.j2 index b579036b..e55c57c7 100644 --- a/roles/matrix-etherpad/templates/systemd/matrix-etherpad.service.j2 +++ b/roles/matrix-etherpad/templates/systemd/matrix-etherpad.service.j2 @@ -32,10 +32,10 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-etherpad \ node --experimental-worker src/node/server.js \ --settings /data/settings.json --credentials /data/credentials.json \ --sessionkey /data/sessionkey.json --apikey /data/apijey.json - -ExecStop=-{{ matrix_host_command_docker }} kill matrix-etherpad -ExecStop=-{{ matrix_host_command_docker }} rm matrix-etherpad + +ExecStopPost=-{{ matrix_host_command_docker }} kill matrix-etherpad +ExecStopPost=-{{ matrix_host_command_docker }} rm matrix-etherpad Restart=always RestartSec=30 SyslogIdentifier=matrix-etherpad diff --git a/roles/matrix-grafana/defaults/main.yml b/roles/matrix-grafana/defaults/main.yml index 8e4bd7bb..f802d2e5 100644 --- a/roles/matrix-grafana/defaults/main.yml +++ b/roles/matrix-grafana/defaults/main.yml @@ -3,7 +3,7 @@ matrix_grafana_enabled: false -matrix_grafana_version: 8.2.2 +matrix_grafana_version: 8.3.3 matrix_grafana_docker_image: "{{ matrix_container_global_registry_prefix }}grafana/grafana:{{ matrix_grafana_version }}" matrix_grafana_docker_image_force_pull: "{{ matrix_grafana_docker_image.endswith(':latest') }}" diff --git a/roles/matrix-grafana/templates/systemd/matrix-grafana.service.j2 b/roles/matrix-grafana/templates/systemd/matrix-grafana.service.j2 index a4f81e35..64d40a5c 100644 --- a/roles/matrix-grafana/templates/systemd/matrix-grafana.service.j2 +++ b/roles/matrix-grafana/templates/systemd/matrix-grafana.service.j2 @@ -33,8 +33,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-grafana \ {% endfor %} {{ matrix_grafana_docker_image }} -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-grafana 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-grafana 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-grafana 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-grafana 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-grafana diff --git a/roles/matrix-jitsi/defaults/main.yml b/roles/matrix-jitsi/defaults/main.yml index bef993e0..a36a09fc 100644 --- a/roles/matrix-jitsi/defaults/main.yml +++ b/roles/matrix-jitsi/defaults/main.yml @@ -8,11 +8,25 @@ matrix_jitsi_enable_recording: false matrix_jitsi_enable_transcriptions: false matrix_jitsi_enable_p2p: true matrix_jitsi_enable_av_moderation: true +matrix_jitsi_enable_breakout_rooms: true -# Authentication type, must be one of internal, jwt or ldap. Currently only -# internal and ldap are supported by this playbook. +# Authentication type, must be one of internal, jwt or ldap. +# Currently only internal and ldap mechanisms are supported by this playbook. matrix_jitsi_auth_type: internal +# A list of Jitsi (Prosody) accounts to create using the internal authentication mechanism. +# +# Accounts added here and subsquently removed will not be automatically removed +# from the Prosody server until user account cleaning is integrated into the playbook. +# +# Example: +# matrix_jitsi_prosody_auth_internal_accounts: +# - username: "jitsi-moderator" +# password: "secret-password" +# - username: "another-user" +# password: "another-password" +matrix_jitsi_prosody_auth_internal_accounts: [] + # Configuration options for LDAP authentication. For details see upstream: # https://github.com/jitsi/docker-jitsi-meet#authentication-using-ldap. # Defaults are taken from: @@ -54,7 +68,7 @@ matrix_jitsi_jibri_recorder_password: '' matrix_jitsi_enable_lobby: false -matrix_jitsi_version: stable-6173 +matrix_jitsi_version: stable-6726-2 matrix_jitsi_container_image_tag: "{{ matrix_jitsi_version }}" # for backward-compatibility matrix_jitsi_web_docker_image: "{{ matrix_container_global_registry_prefix }}jitsi/web:{{ matrix_jitsi_container_image_tag }}" @@ -63,6 +77,7 @@ matrix_jitsi_web_docker_image_force_pull: "{{ matrix_jitsi_web_docker_image.ends matrix_jitsi_web_base_path: "{{ matrix_base_data_path }}/jitsi/web" matrix_jitsi_web_config_path: "{{ matrix_jitsi_web_base_path }}/config" matrix_jitsi_web_transcripts_path: "{{ matrix_jitsi_web_base_path }}/transcripts" +matrix_jitsi_web_crontabs_path: "{{ matrix_jitsi_web_base_path }}/crontabs" matrix_jitsi_web_public_url: "https://{{ matrix_server_fqn_jitsi }}" @@ -93,37 +108,18 @@ matrix_jitsi_web_container_extra_arguments: [] matrix_jitsi_web_systemd_required_services_list: ['docker.service'] -# Some variables controlling the interface of Jitsi Web. -# These get applied to `templates/web/interface_config.js.j2`. -# -# Besides this, you can also use `matrix_jitsi_web_custom_interface_config_extension` -# to define any other configuration option. -matrix_jitsi_web_interface_config_lang_detection: false -matrix_jitsi_web_interface_config_show_jitsi_watermark: true -matrix_jitsi_web_interface_config_jitsi_watermark_link: "https://jitsi.org" -matrix_jitsi_web_interface_config_show_brand_watermark: false -matrix_jitsi_web_interface_config_brand_watermark_link: "" -matrix_jitsi_web_interface_config_generate_room_names_on_welcome_page: true -matrix_jitsi_web_interface_config_display_welcome_page_content: true -matrix_jitsi_web_interface_config_app_name: "Jitsi Meet" -matrix_jitsi_web_interface_config_native_app_name: "Jitsi Meet" -matrix_jitsi_web_interface_config_provider_name: "Jitsi" -matrix_jitsi_web_interface_config_show_powered_by: false -matrix_jitsi_web_interface_config_disable_transcription_subtitles: false -matrix_jitsi_web_interface_config_show_deep_linking_image: false - -# Custom configuration to be injected into `interface_config.js`, passed to Jitsi Web. -# This configuration gets appended to the final interface configuration that Jitsi Web uses. +# Custom configuration to be appended to `interface_config.js`, passed to Jitsi Web. # # Note: not to be confused with `matrix_jitsi_web_custom_config_extension`. # # For interface configuration, the flow is like this: -# - the contents of `templates/web/interface_config.js.j2` is generated (based on various `matrix_jitsi_web_interface_config_*` variables you see in this file) +# - a default `interface_config.js` is generated from within the docker image # - the contents of `matrix_jitsi_web_custom_interface_config_extension` is appended and can define new settings or override defaults. # # Example: # matrix_jitsi_web_custom_interface_config_extension: | -# interfaceConfig.CONNECTION_INDICATOR_AUTO_HIDE_ENABLED = false; +# interfaceConfig.LANG_DETECTION = false; +# interfaceConfig.SHOW_JITSI_WATERMARK = false; # interfaceConfig.DISABLE_VIDEO_BACKGROUND = true; matrix_jitsi_web_custom_interface_config_extension: '' @@ -205,7 +201,6 @@ matrix_jitsi_jicofo_component_secret: '' matrix_jitsi_jicofo_auth_user: focus matrix_jitsi_jicofo_auth_password: '' - matrix_jitsi_jvb_docker_image: "{{ matrix_container_global_registry_prefix }}jitsi/jvb:{{ matrix_jitsi_container_image_tag }}" matrix_jitsi_jvb_docker_image_force_pull: "{{ matrix_jitsi_jvb_docker_image.endswith(':latest') }}" diff --git a/roles/matrix-jitsi/tasks/setup_jitsi_base.yml b/roles/matrix-jitsi/tasks/setup_jitsi_base.yml index 408027ee..86e37212 100644 --- a/roles/matrix-jitsi/tasks/setup_jitsi_base.yml +++ b/roles/matrix-jitsi/tasks/setup_jitsi_base.yml @@ -1,5 +1,7 @@ --- +- import_tasks: "{{ role_path }}/../matrix-base/tasks/util/ensure_openssl_installed.yml" + # # Tasks related to setting up jitsi # diff --git a/roles/matrix-jitsi/tasks/setup_jitsi_prosody.yml b/roles/matrix-jitsi/tasks/setup_jitsi_prosody.yml index 39a571ae..c1c7c7fc 100644 --- a/roles/matrix-jitsi/tasks/setup_jitsi_prosody.yml +++ b/roles/matrix-jitsi/tasks/setup_jitsi_prosody.yml @@ -4,7 +4,7 @@ # Tasks related to setting up jitsi-prosody # -- name: Ensure Matrix jitsi-prosody path exists +- name: Ensure Matrix jitsi-prosody environment exists file: path: "{{ item.path }}" state: directory @@ -25,14 +25,14 @@ force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_jitsi_prosody_docker_image_force_pull }}" when: matrix_jitsi_enabled|bool -- name: Ensure jitsi-prosody environment variables file created +- name: Ensure jitsi-prosody environment variables file is created template: src: "{{ role_path }}/templates/prosody/env.j2" dest: "{{ matrix_jitsi_prosody_base_path }}/env" mode: 0640 when: matrix_jitsi_enabled|bool -- name: Ensure matrix-jitsi-prosody.service installed +- name: Ensure matrix-jitsi-prosody.service file is installed template: src: "{{ role_path }}/templates/prosody/matrix-jitsi-prosody.service.j2" dest: "{{ matrix_systemd_path }}/matrix-jitsi-prosody.service" @@ -40,16 +40,24 @@ register: matrix_jitsi_prosody_systemd_service_result when: matrix_jitsi_enabled|bool -- name: Ensure systemd reloaded after matrix-jitsi-prosody.service installation +- name: Ensure systemd service is reloaded after matrix-jitsi-prosody.service installation service: daemon_reload: yes when: "matrix_jitsi_enabled and matrix_jitsi_prosody_systemd_service_result.changed" +- name: Ensure authentication is properly configured + include_tasks: + file: "{{ role_path }}/tasks/util/setup_jitsi_auth.yml" + when: + - matrix_jitsi_enabled|bool + - matrix_jitsi_enable_auth|bool + + # # Tasks related to getting rid of jitsi-prosody (if it was previously enabled) # -- name: Check existence of matrix-jitsi-prosody service +- name: Ensure matrix-jitsi-prosody.service file exists stat: path: "{{ matrix_systemd_path }}/matrix-jitsi-prosody.service" register: matrix_jitsi_prosody_service_stat @@ -64,13 +72,13 @@ register: stopping_result when: "not matrix_jitsi_enabled|bool and matrix_jitsi_prosody_service_stat.stat.exists" -- name: Ensure matrix-jitsi-prosody.service doesn't exist +- name: Ensure matrix-jitsi-prosody.service file doesn't exist file: path: "{{ matrix_systemd_path }}/matrix-jitsi-prosody.service" state: absent when: "not matrix_jitsi_enabled|bool and matrix_jitsi_prosody_service_stat.stat.exists" -- name: Ensure systemd reloaded after matrix-jitsi-prosody.service removal +- name: Ensure systemd is reloaded after matrix-jitsi-prosody.service removal service: daemon_reload: yes when: "not matrix_jitsi_enabled|bool and matrix_jitsi_prosody_service_stat.stat.exists" diff --git a/roles/matrix-jitsi/tasks/setup_jitsi_web.yml b/roles/matrix-jitsi/tasks/setup_jitsi_web.yml index 4fdcc67b..bcb1b49e 100644 --- a/roles/matrix-jitsi/tasks/setup_jitsi_web.yml +++ b/roles/matrix-jitsi/tasks/setup_jitsi_web.yml @@ -15,6 +15,7 @@ - { path: "{{ matrix_jitsi_web_base_path }}", when: true } - { path: "{{ matrix_jitsi_web_config_path }}", when: true } - { path: "{{ matrix_jitsi_web_transcripts_path }}", when: true } + - { path: "{{ matrix_jitsi_web_crontabs_path }}", when: true } when: matrix_jitsi_enabled|bool and item.when - name: Ensure jitsi-web Docker image is pulled @@ -39,7 +40,7 @@ mode: 0644 with_items: - custom-config.js - - interface_config.js + - custom-interface_config.js when: matrix_jitsi_enabled|bool - name: Ensure matrix-jitsi-web.service installed diff --git a/roles/matrix-jitsi/tasks/util/setup_jitsi_auth.yml b/roles/matrix-jitsi/tasks/util/setup_jitsi_auth.yml new file mode 100644 index 00000000..66fb7e5d --- /dev/null +++ b/roles/matrix-jitsi/tasks/util/setup_jitsi_auth.yml @@ -0,0 +1,43 @@ +--- +# +# Start Necessary Services +# + +- name: Ensure matrix-jitsi-prosody container is running + systemd: + state: started + name: matrix-jitsi-prosody + register: matrix_jitsi_prosody_start_result + + +# +# Tasks related to configuring Jitsi internal authentication +# + +- name: Ensure Jitsi internal authentication users are configured + shell: "docker exec matrix-jitsi-prosody prosodyctl --config /config/prosody.cfg.lua register {{ item.username | quote }} meet.jitsi {{ item.password | quote }}" + with_items: "{{ matrix_jitsi_prosody_auth_internal_accounts }}" + when: + - matrix_jitsi_auth_type == "internal" + - matrix_jitsi_prosody_auth_internal_accounts|length > 0 + + +# +# Tasks related to configuring other Jitsi authentication mechanisms +# + + + +# +# Tasks related to cleaning after Jitsi authentication configuration +# + + +# +# Stop Necessary Services +# +- name: Ensure matrix-jitsi-prosody container is stopped if necessary + systemd: + state: stopped + name: matrix-jitsi-prosody + when: matrix_jitsi_prosody_start_result.changed|bool \ No newline at end of file diff --git a/roles/matrix-jitsi/tasks/validate_config.yml b/roles/matrix-jitsi/tasks/validate_config.yml index d2887b12..4defe986 100644 --- a/roles/matrix-jitsi/tasks/validate_config.yml +++ b/roles/matrix-jitsi/tasks/validate_config.yml @@ -3,14 +3,14 @@ - name: Fail if required Jitsi settings not defined fail: msg: >- - You need to define a required configuration setting (`{{ item }}`) for using Jitsi. + You need to define a required configuration setting (`{{ item }}`) to properly configure Jitsi. If you're setting up Jitsi for the first time, you may have missed a step. Refer to our setup instructions (docs/configuring-playbook-jitsi.md). - If you had setup Jitsi successfully before and it's just now that you're observing this failure, - it means that your installation may be using some default passwords that the playbook used to define until now. - This is not secure and we urge you to rebuild your Jitsi setup. + If you had previously setup Jitsi successfully and are only now facing this error, + it means that your installation is most likely using default passwords previously defined by the playbook. + These defaults are insecure. Jitsi should be rebuilt with secure values. Refer to the "Rebuilding your Jitsi installation" section in our setup instructions (docs/configuring-playbook-jitsi.md). when: "vars[item] == ''" with_items: @@ -19,6 +19,20 @@ - "matrix_jitsi_jicofo_auth_password" - "matrix_jitsi_jvb_auth_password" + +- name: Fail if a Jitsi internal authentication account is not defined + fail: + msg: >- + At least one Jitsi user needs to be defined in `matrix_jitsi_prosody_auth_internal_accounts` when using internal authentication. + + If you're setting up Jitsi for the first time, you may have missed a step. + Refer to our setup instructions (docs/configuring-playbook-jitsi.md). + when: + - matrix_jitsi_enable_auth|bool + - matrix_jitsi_auth_type == 'internal' + - matrix_jitsi_prosody_auth_internal_accounts|length == 0 + + - name: (Deprecation) Catch and report renamed settings fail: msg: >- @@ -40,3 +54,16 @@ - {'old': 'matrix_jitsi_web_interface_config_show_watermark_for_guests', 'new': ''} - {'old': 'matrix_jitsi_web_interface_config_invitation_powered_by', 'new': ''} - {'old': 'matrix_jisti_web_interface_config_show_deep_linking_image', 'new': 'matrix_jitsi_web_interface_config_show_deep_linking_image'} + - {'old': 'matrix_jitsi_web_interface_config_lang_detection', 'new': '/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-jitsi-jicofo 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-jitsi-jicofo 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-jitsi-jicofo 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-jitsi-jicofo diff --git a/roles/matrix-jitsi/templates/jvb/env.j2 b/roles/matrix-jitsi/templates/jvb/env.j2 index 6edae6d4..41d343b3 100644 --- a/roles/matrix-jitsi/templates/jvb/env.j2 +++ b/roles/matrix-jitsi/templates/jvb/env.j2 @@ -1,9 +1,6 @@ +DOCKER_HOST_ADDRESS ENABLE_COLIBRI_WEBSOCKET ENABLE_OCTO -DOCKER_HOST_ADDRESS -XMPP_AUTH_DOMAIN={{ matrix_jitsi_xmpp_auth_domain }} -XMPP_INTERNAL_MUC_DOMAIN={{ matrix_jitsi_xmpp_internal_muc_domain }} -XMPP_SERVER={{ matrix_jitsi_xmpp_server }} JVB_AUTH_USER={{ matrix_jitsi_jvb_auth_user }} JVB_AUTH_PASSWORD={{ matrix_jitsi_jvb_auth_password }} JVB_BREWERY_MUC={{ matrix_jitsi_jvb_brewery_muc }} @@ -14,14 +11,21 @@ JVB_TCP_MAPPED_PORT={{ matrix_jitsi_jvb_rtp_tcp_port }} {% if matrix_jitsi_jvb_stun_servers|length > 0 %} JVB_STUN_SERVERS={{ matrix_jitsi_jvb_stun_servers|join(',') }} {% endif %} -JVB_ENABLE_APIS -JVB_WS_DOMAIN -JVB_WS_SERVER_ID -PUBLIC_URL={{ matrix_jitsi_web_public_url }} JVB_OCTO_BIND_ADDRESS JVB_OCTO_PUBLIC_ADDRESS JVB_OCTO_BIND_PORT JVB_OCTO_REGION +JVB_WS_DOMAIN +JVB_WS_SERVER_ID +PUBLIC_URL={{ matrix_jitsi_web_public_url }} +SENTRY_DSN="${JVB_SENTRY_DSN:-0}" +SENTRY_ENVIRONMENT +SENTRY_RELEASE +COLIBRI_REST_ENABLED +SHUTDOWN_REST_ENABLED TZ={{ matrix_jitsi_timezone }} +XMPP_AUTH_DOMAIN={{ matrix_jitsi_xmpp_auth_domain }} +XMPP_INTERNAL_MUC_DOMAIN={{ matrix_jitsi_xmpp_internal_muc_domain }} +XMPP_SERVER={{ matrix_jitsi_xmpp_server }} {{ matrix_jitsi_jvb_environment_variables_extension }} diff --git a/roles/matrix-jitsi/templates/jvb/logging.properties.j2 b/roles/matrix-jitsi/templates/jvb/logging.properties.j2 index 48c1e9fa..ff1d30a6 100644 --- a/roles/matrix-jitsi/templates/jvb/logging.properties.j2 +++ b/roles/matrix-jitsi/templates/jvb/logging.properties.j2 @@ -1,4 +1,10 @@ +{% raw %} +{{ if .Env.SENTRY_DSN | default "0" | toBool }} +handlers=java.util.logging.ConsoleHandler,io.sentry.jul.SentryHandler +{{ else }} handlers= java.util.logging.ConsoleHandler +{{ end }} +{% endraw %} java.util.logging.ConsoleHandler.level = ALL java.util.logging.ConsoleHandler.formatter = net.java.sip.communicator.util.ScLogFormatter @@ -8,6 +14,7 @@ net.java.sip.communicator.util.ScLogFormatter.programname=JVB .level=INFO org.jitsi.videobridge.xmpp.ComponentImpl.level=FINE +io.sentry.jul.SentryHandler.level=WARNING # All of the INFO level logs from MediaStreamImpl are unnecessary in the context of jitsi-videobridge. org.jitsi.impl.neomedia.MediaStreamImpl.level=WARNING diff --git a/roles/matrix-jitsi/templates/jvb/matrix-jitsi-jvb.service.j2 b/roles/matrix-jitsi/templates/jvb/matrix-jitsi-jvb.service.j2 index 2785795d..5be32210 100644 --- a/roles/matrix-jitsi/templates/jvb/matrix-jitsi-jvb.service.j2 +++ b/roles/matrix-jitsi/templates/jvb/matrix-jitsi-jvb.service.j2 @@ -33,8 +33,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-jitsi-jvb \ {% endfor %} {{ matrix_jitsi_jvb_docker_image }} -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-jitsi-jvb 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-jitsi-jvb 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-jitsi-jvb 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-jitsi-jvb 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-jitsi-jvb diff --git a/roles/matrix-jitsi/templates/prosody/env.j2 b/roles/matrix-jitsi/templates/prosody/env.j2 index 70feda6e..941f2c25 100644 --- a/roles/matrix-jitsi/templates/prosody/env.j2 +++ b/roles/matrix-jitsi/templates/prosody/env.j2 @@ -1,44 +1,24 @@ AUTH_TYPE={{ matrix_jitsi_auth_type }} +DISABLE_POLLS ENABLE_AUTH={{ 1 if matrix_jitsi_enable_auth else 0 }} +ENABLE_AV_MODERATION={{1 if matrix_jitsi_enable_av_moderation else 0}} +ENABLE_BREAKOUT_ROOMS={{1 if matrix_jitsi_enable_breakout_rooms else 0}} ENABLE_GUESTS={{ 1 if matrix_jitsi_enable_guests else 0 }} ENABLE_LOBBY={{ 1 if matrix_jitsi_enable_lobby else 0 }} -ENABLE_AV_MODERATION={{1 if matrix_jitsi_enable_av_moderation else 0}} ENABLE_XMPP_WEBSOCKET -GLOBAL_MODULES GLOBAL_CONFIG -LDAP_URL={{ matrix_jitsi_ldap_url }} -LDAP_BASE={{ matrix_jitsi_ldap_base }} -LDAP_BINDDN={{ matrix_jitsi_ldap_binddn }} -LDAP_BINDPW={{ matrix_jitsi_ldap_bindpw }} -LDAP_FILTER={{ matrix_jitsi_ldap_filter }} -LDAP_AUTH_METHOD={{ matrix_jitsi_ldap_auth_method }} -LDAP_VERSION={{ matrix_jitsi_ldap_version }} -LDAP_USE_TLS={{ 1 if matrix_jitsi_ldap_use_tls else 0 }} -LDAP_TLS_CIPHERS={{ matrix_jitsi_ldap_tls_ciphers }} -LDAP_TLS_CHECK_PEER={{ 1 if matrix_jitsi_ldap_tls_check_peer else 0 }} -LDAP_TLS_CACERT_FILE={{ matrix_jitsi_ldap_tls_cacert_file }} -LDAP_TLS_CACERT_DIR={{ matrix_jitsi_ldap_tls_cacert_dir }} -LDAP_START_TLS={{ 1 if matrix_jitsi_ldap_start_tls else 0 }} -XMPP_DOMAIN={{ matrix_jitsi_xmpp_domain }} -XMPP_AUTH_DOMAIN={{ matrix_jitsi_xmpp_auth_domain }} -XMPP_GUEST_DOMAIN={{ matrix_jitsi_xmpp_guest_domain }} -XMPP_MUC_DOMAIN={{ matrix_jitsi_xmpp_muc_domain }} -XMPP_INTERNAL_MUC_DOMAIN={{ matrix_jitsi_xmpp_internal_muc_domain }} -XMPP_MODULES={{ matrix_jitsi_xmpp_modules }} -XMPP_MUC_MODULES= -XMPP_INTERNAL_MUC_MODULES= -XMPP_RECORDER_DOMAIN={{ matrix_jitsi_recorder_domain }} -XMPP_CROSS_DOMAIN=true +GLOBAL_MODULES +JIBRI_RECORDER_USER={{ matrix_jitsi_jibri_recorder_user }} +JIBRI_RECORDER_PASSWORD={{ matrix_jitsi_jibri_recorder_password }} +JIBRI_XMPP_USER={{ matrix_jitsi_jibri_xmpp_user }} +JIBRI_XMPP_PASSWORD={{ matrix_jitsi_jibri_xmpp_password }} JICOFO_AUTH_USER={{ matrix_jitsi_jicofo_auth_user }} JICOFO_AUTH_PASSWORD={{ matrix_jitsi_jicofo_auth_password }} -JVB_AUTH_USER={{ matrix_jitsi_jvb_auth_user }} -JVB_AUTH_PASSWORD={{ matrix_jitsi_jvb_auth_password }} +JICOFO_COMPONENT_SECRET JIGASI_XMPP_USER= JIGASI_XMPP_PASSWORD= -JIBRI_XMPP_USER={{ matrix_jitsi_jibri_xmpp_user }} -JIBRI_XMPP_PASSWORD={{ matrix_jitsi_jibri_xmpp_password }} -JIBRI_RECORDER_USER={{ matrix_jitsi_jibri_recorder_user }} -JIBRI_RECORDER_PASSWORD={{ matrix_jitsi_jibri_recorder_password }} +JVB_AUTH_USER={{ matrix_jitsi_jvb_auth_user }} +JVB_AUTH_PASSWORD={{ matrix_jitsi_jvb_auth_password }} JWT_APP_ID JWT_APP_SECRET JWT_ACCEPTED_ISSUERS @@ -48,6 +28,19 @@ JWT_ALLOW_EMPTY JWT_AUTH_TYPE JWT_TOKEN_AUTH_MODULE LOG_LEVEL +LDAP_AUTH_METHOD={{ matrix_jitsi_ldap_auth_method }} +LDAP_BASE={{ matrix_jitsi_ldap_base }} +LDAP_BINDDN={{ matrix_jitsi_ldap_binddn }} +LDAP_BINDPW={{ matrix_jitsi_ldap_bindpw }} +LDAP_FILTER={{ matrix_jitsi_ldap_filter }} +LDAP_VERSION={{ matrix_jitsi_ldap_version }} +LDAP_TLS_CIPHERS={{ matrix_jitsi_ldap_tls_ciphers }} +LDAP_TLS_CHECK_PEER={{ 1 if matrix_jitsi_ldap_tls_check_peer else 0 }} +LDAP_TLS_CACERT_FILE={{ matrix_jitsi_ldap_tls_cacert_file }} +LDAP_TLS_CACERT_DIR={{ matrix_jitsi_ldap_tls_cacert_dir }} +LDAP_START_TLS={{ 1 if matrix_jitsi_ldap_start_tls else 0 }} +LDAP_URL={{ matrix_jitsi_ldap_url }} +LDAP_USE_TLS={{ 1 if matrix_jitsi_ldap_use_tls else 0 }} PUBLIC_URL={{ matrix_jitsi_web_public_url }} TURN_CREDENTIALS={{ matrix_jitsi_turn_credentials }} TURN_HOST={{ matrix_jitsi_turn_host }} @@ -55,3 +48,13 @@ TURNS_HOST={{ matrix_jitsi_turns_host }} TURN_PORT={{ matrix_jitsi_turn_port }} TURNS_PORT={{ matrix_jitsi_turns_port }} TZ={{ matrix_jitsi_timezone }} +XMPP_DOMAIN={{ matrix_jitsi_xmpp_domain }} +XMPP_AUTH_DOMAIN={{ matrix_jitsi_xmpp_auth_domain }} +XMPP_GUEST_DOMAIN={{ matrix_jitsi_xmpp_guest_domain }} +XMPP_MUC_DOMAIN={{ matrix_jitsi_xmpp_muc_domain }} +XMPP_INTERNAL_MUC_DOMAIN={{ matrix_jitsi_xmpp_internal_muc_domain }} +XMPP_MODULES={{ matrix_jitsi_xmpp_modules }} +XMPP_MUC_MODULES= +XMPP_INTERNAL_MUC_MODULES= +XMPP_RECORDER_DOMAIN={{ matrix_jitsi_recorder_domain }} +XMPP_CROSS_DOMAIN=true diff --git a/roles/matrix-jitsi/templates/prosody/matrix-jitsi-prosody.service.j2 b/roles/matrix-jitsi/templates/prosody/matrix-jitsi-prosody.service.j2 index 5a4a81e5..452ff954 100644 --- a/roles/matrix-jitsi/templates/prosody/matrix-jitsi-prosody.service.j2 +++ b/roles/matrix-jitsi/templates/prosody/matrix-jitsi-prosody.service.j2 @@ -28,8 +28,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-jitsi-prosody {% endfor %} {{ matrix_jitsi_prosody_docker_image }} -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-jitsi-prosody 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-jitsi-prosody 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-jitsi-prosody 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-jitsi-prosody 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-jitsi-prosody diff --git a/roles/matrix-jitsi/templates/web/custom-interface_config.js.j2 b/roles/matrix-jitsi/templates/web/custom-interface_config.js.j2 new file mode 100644 index 00000000..0ad470fc --- /dev/null +++ b/roles/matrix-jitsi/templates/web/custom-interface_config.js.j2 @@ -0,0 +1,3 @@ + +{{ matrix_jitsi_web_custom_interface_config_extension }} + diff --git a/roles/matrix-jitsi/templates/web/env.j2 b/roles/matrix-jitsi/templates/web/env.j2 index 2ff6befc..ac15c087 100644 --- a/roles/matrix-jitsi/templates/web/env.j2 +++ b/roles/matrix-jitsi/templates/web/env.j2 @@ -1,16 +1,3 @@ -ENABLE_COLIBRI_WEBSOCKET -ENABLE_FLOC=0 -ENABLE_LETSENCRYPT=0 -ENABLE_HTTP_REDIRECT=0 -ENABLE_HSTS=0 -ENABLE_XMPP_WEBSOCKET -DISABLE_HTTPS=0 -DISABLE_DEEP_LINKING -LETSENCRYPT_DOMAIN={{ matrix_server_fqn_jitsi }} -LETSENCRYPT_EMAIL={{ matrix_ssl_lets_encrypt_support_email }} -LETSENCRYPT_USE_STAGING=0 -PUBLIC_URL={{ matrix_jitsi_web_public_url }} -TZ={{ matrix_jitsi_timezone }} AMPLITUDE_ID ANALYTICS_SCRIPT_URLS ANALYTICS_WHITELISTED_EVENTS @@ -26,23 +13,37 @@ DEPLOYMENTINFO_ENVIRONMENT_TYPE DEPLOYMENTINFO_REGION DEPLOYMENTINFO_SHARD DEPLOYMENTINFO_USERREGION +DESKTOP_SHARING_FRAMERATE_MIN +DESKTOP_SHARING_FRAMERATE_MAX DIALIN_NUMBERS_URL DIALOUT_AUTH_URL DIALOUT_CODES_URL +DISABLE_AUDIO_LEVELS +DISABLE_DEEP_LINKING +DISABLE_HTTPS=0 +DISABLE_POLLS +DISABLE_REACTIONS DROPBOX_APPKEY DROPBOX_REDIRECT_URI DYNAMIC_BRANDING_URL ENABLE_AUDIO_PROCESSING ENABLE_AUTH={{ 1 if matrix_jitsi_enable_auth else 0 }} +ENABLE_BREAKOUT_ROOMS={{1 if matrix_jitsi_enable_breakout_rooms else 0}} ENABLE_CALENDAR +ENABLE_COLIBRI_WEBSOCKET ENABLE_FILE_RECORDING_SERVICE ENABLE_FILE_RECORDING_SERVICE_SHARING +ENABLE_FLOC=0 ENABLE_GUESTS={{ 1 if matrix_jitsi_enable_guests else 0 }} +ENABLE_HSTS=0 +ENABLE_HTTP_REDIRECT=0 ENABLE_IPV6 +ENABLE_LETSENCRYPT=0 ENABLE_LIPSYNC ENABLE_NO_AUDIO_DETECTION -ENABLE_P2P={{ 1 if matrix_jitsi_enable_p2p else 0 }} +ENABLE_NOISY_MIC_DETECTION ENABLE_PREJOIN_PAGE +ENABLE_P2P={{ 1 if matrix_jitsi_enable_p2p else 0 }} ENABLE_WELCOME_PAGE ENABLE_CLOSE_PAGE ENABLE_RECORDING={{ 1 if matrix_jitsi_enable_recording else 0 }} @@ -55,12 +56,16 @@ ENABLE_SUBDOMAINS ENABLE_TALK_WHILE_MUTED ENABLE_TCC ENABLE_TRANSCRIPTIONS={{ 1 if matrix_jitsi_enable_transcriptions else 0 }} +ENABLE_XMPP_WEBSOCKET ETHERPAD_PUBLIC_URL ETHERPAD_URL_BASE={{ (matrix_jitsi_etherpad_base + '/') if matrix_jitsi_etherpad_enabled else ''}} GOOGLE_ANALYTICS_ID GOOGLE_API_APP_CLIENT_ID INVITE_SERVICE_URL JICOFO_AUTH_USER={{ matrix_jitsi_jicofo_auth_user }} +LETSENCRYPT_DOMAIN={{ matrix_server_fqn_jitsi }} +LETSENCRYPT_EMAIL={{ matrix_ssl_lets_encrypt_support_email }} +LETSENCRYPT_USE_STAGING=0 MATOMO_ENDPOINT MATOMO_SITE_ID MICROSOFT_API_APP_CLIENT_ID @@ -68,29 +73,38 @@ NGINX_RESOLVER NGINX_WORKER_PROCESSES NGINX_WORKER_CONNECTIONS PEOPLE_SEARCH_URL +PUBLIC_URL={{ matrix_jitsi_web_public_url }} RESOLUTION={{ matrix_jitsi_web_config_resolution_height_ideal_and_max }} RESOLUTION_MIN={{ matrix_jitsi_web_config_resolution_height_min }} RESOLUTION_WIDTH={{ matrix_jitsi_web_config_resolution_width_ideal_and_max }} RESOLUTION_WIDTH_MIN={{ matrix_jitsi_web_config_resolution_width_min }} -START_AUDIO_ONLY START_AUDIO_MUTED={{ matrix_jitsi_web_config_start_audio_muted_after_nth_participant }} -START_WITH_AUDIO_MUTED -START_SILENT -DISABLE_AUDIO_LEVELS -ENABLE_NOISY_MIC_DETECTION +START_AUDIO_ONLY START_BITRATE -DESKTOP_SHARING_FRAMERATE_MIN -DESKTOP_SHARING_FRAMERATE_MAX +START_SILENT +START_WITH_AUDIO_MUTED START_VIDEO_MUTED={{ matrix_jitsi_web_config_start_video_muted_after_nth_participant }} START_WITH_VIDEO_MUTED TESTING_CAP_SCREENSHARE_BITRATE TESTING_OCTO_PROBABILITY +TOKEN_AUTH_URL +TZ={{ matrix_jitsi_timezone }} +VIDEOQUALITY_BITRATE_H264_LOW +VIDEOQUALITY_BITRATE_H264_STANDARD +VIDEOQUALITY_BITRATE_H264_HIGH +VIDEOQUALITY_BITRATE_VP8_LOW +VIDEOQUALITY_BITRATE_VP8_STANDARD +VIDEOQUALITY_BITRATE_VP8_HIGH +VIDEOQUALITY_BITRATE_VP9_LOW +VIDEOQUALITY_BITRATE_VP9_STANDARD +VIDEOQUALITY_BITRATE_VP9_HIGH +VIDEOQUALITY_ENFORCE_PREFERRED_CODEC +VIDEOQUALITY_PREFERRED_CODEC XMPP_AUTH_DOMAIN={{ matrix_jitsi_xmpp_auth_domain }} XMPP_BOSH_URL_BASE={{ matrix_jitsi_xmpp_bosh_url_base }} XMPP_DOMAIN={{ matrix_jitsi_xmpp_domain }} XMPP_GUEST_DOMAIN={{ matrix_jitsi_xmpp_guest_domain }} XMPP_MUC_DOMAIN={{ matrix_jitsi_xmpp_muc_domain }} XMPP_RECORDER_DOMAIN={{ matrix_jitsi_recorder_domain }} -TOKEN_AUTH_URL {{ matrix_jitsi_web_environment_variables_extension }} diff --git a/roles/matrix-jitsi/templates/web/interface_config.js.j2 b/roles/matrix-jitsi/templates/web/interface_config.js.j2 deleted file mode 100644 index 08ac02fe..00000000 --- a/roles/matrix-jitsi/templates/web/interface_config.js.j2 +++ /dev/null @@ -1,295 +0,0 @@ -/* eslint-disable no-unused-vars, no-var, max-len */ -/* eslint sort-keys: ["error", "asc", {"caseSensitive": false}] */ - -var interfaceConfig = { - APP_NAME: {{ matrix_jitsi_web_interface_config_app_name|to_json }}, - AUDIO_LEVEL_PRIMARY_COLOR: 'rgba(255,255,255,0.4)', - AUDIO_LEVEL_SECONDARY_COLOR: 'rgba(255,255,255,0.2)', - - /** - * A UX mode where the last screen share participant is automatically - * pinned. Valid values are the string "remote-only" so remote participants - * get pinned but not local, otherwise any truthy value for all participants, - * and any falsy value to disable the feature. - * - * Note: this mode is experimental and subject to breakage. - */ - AUTO_PIN_LATEST_SCREEN_SHARE: 'remote-only', - BRAND_WATERMARK_LINK: {{ matrix_jitsi_web_interface_config_brand_watermark_link|to_json }}, - - CLOSE_PAGE_GUEST_HINT: false, // A html text to be shown to guests on the close page, false disables it - /** - * Whether the connection indicator icon should hide itself based on - * connection strength. If true, the connection indicator will remain - * displayed while the participant has a weak connection and will hide - * itself after the CONNECTION_INDICATOR_HIDE_TIMEOUT when the connection is - * strong. - * - * @type {boolean} - */ - CONNECTION_INDICATOR_AUTO_HIDE_ENABLED: true, - - /** - * How long the connection indicator should remain displayed before hiding. - * Used in conjunction with CONNECTION_INDICATOR_AUTOHIDE_ENABLED. - * - * @type {number} - */ - CONNECTION_INDICATOR_AUTO_HIDE_TIMEOUT: 5000, - - /** - * If true, hides the connection indicators completely. - * - * @type {boolean} - */ - CONNECTION_INDICATOR_DISABLED: false, - - DEFAULT_BACKGROUND: '#474747', - DEFAULT_LOCAL_DISPLAY_NAME: 'me', - DEFAULT_LOGO_URL: 'images/watermark.svg', - DEFAULT_REMOTE_DISPLAY_NAME: 'Fellow Jitster', - DEFAULT_WELCOME_PAGE_LOGO_URL: 'images/watermark.svg', - - DISABLE_DOMINANT_SPEAKER_INDICATOR: false, - - DISABLE_FOCUS_INDICATOR: false, - - /** - * If true, notifications regarding joining/leaving are no longer displayed. - */ - DISABLE_JOIN_LEAVE_NOTIFICATIONS: false, - - /** - * If true, presence status: busy, calling, connected etc. is not displayed. - */ - DISABLE_PRESENCE_STATUS: false, - - /** - * Whether the ringing sound in the call/ring overlay is disabled. If - * {@code undefined}, defaults to {@code false}. - * - * @type {boolean} - */ - DISABLE_RINGING: false, - - /** - * Whether the speech to text transcription subtitles panel is disabled. - * If {@code undefined}, defaults to {@code false}. - * - * @type {boolean} - */ - DISABLE_TRANSCRIPTION_SUBTITLES: {{ matrix_jitsi_web_interface_config_disable_transcription_subtitles|to_json }}, - - /** - * Whether or not the blurred video background for large video should be - * displayed on browsers that can support it. - */ - DISABLE_VIDEO_BACKGROUND: false, - - DISPLAY_WELCOME_FOOTER: true, - DISPLAY_WELCOME_PAGE_ADDITIONAL_CARD: false, - DISPLAY_WELCOME_PAGE_CONTENT: {{ matrix_jitsi_web_interface_config_display_welcome_page_content|to_json }}, - DISPLAY_WELCOME_PAGE_TOOLBAR_ADDITIONAL_CONTENT: false, - - ENABLE_DIAL_OUT: true, - - ENABLE_FEEDBACK_ANIMATION: false, // Enables feedback star animation. - - FILM_STRIP_MAX_HEIGHT: 120, - - GENERATE_ROOMNAMES_ON_WELCOME_PAGE: {{ matrix_jitsi_web_interface_config_generate_room_names_on_welcome_page|to_json }}, - - /** - * Hide the logo on the deep linking pages. - */ - HIDE_DEEP_LINKING_LOGO: false, - - /** - * Hide the invite prompt in the header when alone in the meeting. - */ - HIDE_INVITE_MORE_HEADER: false, - - INITIAL_TOOLBAR_TIMEOUT: 20000, - JITSI_WATERMARK_LINK: {{ matrix_jitsi_web_interface_config_jitsi_watermark_link|to_json }}, - - LANG_DETECTION: {{ matrix_jitsi_web_interface_config_lang_detection|to_json }}, // Allow i18n to detect the system language - LIVE_STREAMING_HELP_LINK: 'https://jitsi.org/live', // Documentation reference for the live streaming feature. - LOCAL_THUMBNAIL_RATIO: 16 / 9, // 16:9 - - /** - * Maximum coefficient of the ratio of the large video to the visible area - * after the large video is scaled to fit the window. - * - * @type {number} - */ - MAXIMUM_ZOOMING_COEFFICIENT: 1.3, - - /** - * Whether the mobile app Jitsi Meet is to be promoted to participants - * attempting to join a conference in a mobile Web browser. If - * {@code undefined}, defaults to {@code true}. - * - * @type {boolean} - */ - MOBILE_APP_PROMO: true, - - /** - * Specify custom URL for downloading android mobile app. - */ - MOBILE_DOWNLOAD_LINK_ANDROID: 'https://play.google.com/store/apps/details?id=org.jitsi.meet', - - /** - * Specify custom URL for downloading f droid app. - */ - MOBILE_DOWNLOAD_LINK_F_DROID: 'https://f-droid.org/en/packages/org.jitsi.meet/', - - /** - * Specify URL for downloading ios mobile app. - */ - MOBILE_DOWNLOAD_LINK_IOS: 'https://itunes.apple.com/us/app/jitsi-meet/id1165103905', - - NATIVE_APP_NAME: {{ matrix_jitsi_web_interface_config_native_app_name|to_json }}, - - // Names of browsers which should show a warning stating the current browser - // has a suboptimal experience. Browsers which are not listed as optimal or - // unsupported are considered suboptimal. Valid values are: - // chrome, chromium, edge, electron, firefox, nwjs, opera, safari - OPTIMAL_BROWSERS: [ 'chrome', 'chromium', 'firefox', 'nwjs', 'electron', 'safari' ], - - POLICY_LOGO: null, - PROVIDER_NAME: {{ matrix_jitsi_web_interface_config_provider_name|to_json }}, - - /** - * If true, will display recent list - * - * @type {boolean} - */ - RECENT_LIST_ENABLED: true, - REMOTE_THUMBNAIL_RATIO: 1, // 1:1 - - SETTINGS_SECTIONS: [ 'devices', 'language', 'moderator', 'profile', 'calendar' ], - SHOW_BRAND_WATERMARK: {{ matrix_jitsi_web_interface_config_show_brand_watermark|to_json }}, - - /** - * Decides whether the chrome extension banner should be rendered on the landing page and during the meeting. - * If this is set to false, the banner will not be rendered at all. If set to true, the check for extension(s) - * being already installed is done before rendering. - */ - SHOW_CHROME_EXTENSION_BANNER: false, - - SHOW_DEEP_LINKING_IMAGE: {{ matrix_jitsi_web_interface_config_show_deep_linking_image|to_json }}, - SHOW_JITSI_WATERMARK: {{ matrix_jitsi_web_interface_config_show_jitsi_watermark|to_json }}, - SHOW_POWERED_BY: {{ matrix_jitsi_web_interface_config_show_powered_by|to_json }}, - SHOW_PROMOTIONAL_CLOSE_PAGE: false, - - /* - * If indicated some of the error dialogs may point to the support URL for - * help. - */ - SUPPORT_URL: 'https://community.jitsi.org/', - - TOOLBAR_ALWAYS_VISIBLE: false, - - /** - * The name of the toolbar buttons to display in the toolbar, including the - * "More actions" menu. If present, the button will display. Exceptions are - * "livestreaming" and "recording" which also require being a moderator and - * some values in config.js to be enabled. Also, the "profile" button will - * not display for users with a JWT. - * Notes: - * - it's impossible to choose which buttons go in the "More actions" menu - * - it's impossible to control the placement of buttons - * - 'desktop' controls the "Share your screen" button - */ - TOOLBAR_BUTTONS: [ - {% if matrix_jitsi_enable_transcriptions %} - 'closedcaptions', - {% endif %} - {% if matrix_jitsi_enable_recording %} - 'recording', - {% endif %} - 'microphone', 'camera', 'desktop', 'embedmeeting', 'fullscreen', - 'fodeviceselection', 'hangup', 'profile', 'chat', - 'livestreaming', 'etherpad', 'sharedvideo', 'settings', 'raisehand', - 'videoquality', 'filmstrip', 'invite', 'feedback', 'stats', 'shortcuts', - 'tileview', 'videobackgroundblur', 'download', 'help', 'mute-everyone', 'security' - ], - - TOOLBAR_TIMEOUT: 4000, - - // Browsers, in addition to those which do not fully support WebRTC, that - // are not supported and should show the unsupported browser page. - UNSUPPORTED_BROWSERS: [], - - /** - * Whether to show thumbnails in filmstrip as a column instead of as a row. - */ - VERTICAL_FILMSTRIP: true, - - // Determines how the video would fit the screen. 'both' would fit the whole - // screen, 'height' would fit the original video height to the height of the - // screen, 'width' would fit the original video width to the width of the - // screen respecting ratio. - VIDEO_LAYOUT_FIT: 'both', - - /** - * If true, hides the video quality label indicating the resolution status - * of the current large video. - * - * @type {boolean} - */ - VIDEO_QUALITY_LABEL_DISABLED: false, - - /** - * How many columns the tile view can expand to. The respected range is - * between 1 and 5. - */ - // TILE_VIEW_MAX_COLUMNS: 5, - - /** - * Specify Firebase dynamic link properties for the mobile apps. - */ - // MOBILE_DYNAMIC_LINK: { - // APN: 'org.jitsi.meet', - // APP_CODE: 'w2atb', - // CUSTOM_DOMAIN: undefined, - // IBI: 'com.atlassian.JitsiMeet.ios', - // ISI: '1165103905' - // }, - - /** - * Specify mobile app scheme for opening the app from the mobile browser. - */ - // APP_SCHEME: 'org.jitsi.meet', - - /** - * Specify the Android app package name. - */ - // ANDROID_APP_PACKAGE: 'org.jitsi.meet', - - /** - * Override the behavior of some notifications to remain displayed until - * explicitly dismissed through a user action. The value is how long, in - * milliseconds, those notifications should remain displayed. - */ - // ENFORCE_NOTIFICATION_AUTO_DISMISS_TIMEOUT: 15000, - - // List of undocumented settings - /** - INDICATOR_FONT_SIZES - PHONE_NUMBER_REGEX - */ - - // Allow all above example options to include a trailing comma and - // prevent fear when commenting out the last value. - // eslint-disable-next-line sort-keys - makeJsonParserHappy: 'even if last key had a trailing comma' - - // No configuration value should follow this line. -}; - - -{{ matrix_jitsi_web_custom_interface_config_extension }} - - -/* eslint-enable no-unused-vars, no-var, max-len */ diff --git a/roles/matrix-jitsi/templates/web/matrix-jitsi-web.service.j2 b/roles/matrix-jitsi/templates/web/matrix-jitsi-web.service.j2 index 5d386361..ff577670 100644 --- a/roles/matrix-jitsi/templates/web/matrix-jitsi-web.service.j2 +++ b/roles/matrix-jitsi/templates/web/matrix-jitsi-web.service.j2 @@ -23,13 +23,14 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-jitsi-web \ {% endif %} --mount type=bind,src={{ matrix_jitsi_web_config_path }},dst=/config \ --mount type=bind,src={{ matrix_jitsi_web_transcripts_path }},dst=/usr/share/jitsi-meet/transcripts \ + --mount type=bind,src={{ matrix_jitsi_web_crontabs_path }},dst=/var/spool/cron/crontabs \ {% for arg in matrix_jitsi_web_container_extra_arguments %} {{ arg }} \ {% endfor %} {{ matrix_jitsi_web_docker_image }} -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-jitsi-web 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-jitsi-web 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-jitsi-web 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-jitsi-web 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-jitsi-web diff --git a/roles/matrix-ma1sd/defaults/main.yml b/roles/matrix-ma1sd/defaults/main.yml index 6929f5cd..f0e96eff 100644 --- a/roles/matrix-ma1sd/defaults/main.yml +++ b/roles/matrix-ma1sd/defaults/main.yml @@ -48,7 +48,7 @@ matrix_ma1sd_matrixorg_forwarding_enabled: false # # To use Postgres: # - change the engine (`matrix_ma1sd_database_engine: 'postgres'`) -# - adjust your database credentials via the `matrix_ma1sd_postgres_*` variables +# - adjust your database credentials via the `matrix_ma1sd_database_*` variables matrix_ma1sd_database_engine: 'sqlite' matrix_ma1sd_sqlite_database_path_local: "{{ matrix_ma1sd_data_path }}/ma1sd.db" diff --git a/roles/matrix-ma1sd/templates/systemd/matrix-ma1sd.service.j2 b/roles/matrix-ma1sd/templates/systemd/matrix-ma1sd.service.j2 index 8e5cc6dd..c3d5850f 100644 --- a/roles/matrix-ma1sd/templates/systemd/matrix-ma1sd.service.j2 +++ b/roles/matrix-ma1sd/templates/systemd/matrix-ma1sd.service.j2 @@ -38,8 +38,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-ma1sd \ {% endfor %} {{ matrix_ma1sd_docker_image }} -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-ma1sd 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-ma1sd 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-ma1sd 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-ma1sd 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-ma1sd diff --git a/roles/matrix-mailer/defaults/main.yml b/roles/matrix-mailer/defaults/main.yml index e60ea50f..f006568f 100644 --- a/roles/matrix-mailer/defaults/main.yml +++ b/roles/matrix-mailer/defaults/main.yml @@ -7,7 +7,7 @@ matrix_mailer_container_image_self_build_repository_url: "https://github.com/dev matrix_mailer_container_image_self_build_src_files_path: "{{ matrix_mailer_base_path }}/docker-src" matrix_mailer_container_image_self_build_version: "{{ matrix_mailer_docker_image.split(':')[1] }}" -matrix_mailer_version: 4.94.2-r0-5 +matrix_mailer_version: 4.95-r0 matrix_mailer_docker_image: "{{ matrix_mailer_docker_image_name_prefix }}devture/exim-relay:{{ matrix_mailer_version }}" matrix_mailer_docker_image_name_prefix: "{{ 'localhost/' if matrix_mailer_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_mailer_docker_image_force_pull: "{{ matrix_mailer_docker_image.endswith(':latest') }}" diff --git a/roles/matrix-mailer/templates/systemd/matrix-mailer.service.j2 b/roles/matrix-mailer/templates/systemd/matrix-mailer.service.j2 index bf5a2e42..ee316469 100644 --- a/roles/matrix-mailer/templates/systemd/matrix-mailer.service.j2 +++ b/roles/matrix-mailer/templates/systemd/matrix-mailer.service.j2 @@ -27,8 +27,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-mailer \ {% endfor %} {{ matrix_mailer_docker_image }} -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mailer 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mailer 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mailer 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mailer 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-mailer diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index 5a4a873c..6932c8c0 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -1,5 +1,5 @@ matrix_nginx_proxy_enabled: true -matrix_nginx_proxy_version: 1.21.4-alpine +matrix_nginx_proxy_version: 1.21.5-alpine # We use an official nginx image, which we fix-up to run unprivileged. # An alternative would be an `nginxinc/nginx-unprivileged` image, but @@ -19,6 +19,15 @@ matrix_nginx_proxy_systemd_required_services_list: ['docker.service'] # List of systemd services that matrix-nginx-proxy.service wants matrix_nginx_proxy_systemd_wanted_services_list: [] +# A list of additional container networks that matrix-nginx-proxy would be connected to. +# The playbook does not create these networks, so make sure they already exist. +# +# Use this to expose matrix-nginx-proxy to another reverse proxy, which runs in a different container network, +# without exposing all other Matrix services to that other reverse-proxy. +# +# For background, see: https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1498 +matrix_nginx_proxy_container_additional_networks: [] + # A list of additional "volumes" to mount in the container. # This list gets populated dynamically at runtime. You can provide a different default value, # if you wish to mount your own files into the container. @@ -111,14 +120,31 @@ matrix_nginx_proxy_access_log_enabled: true matrix_nginx_proxy_proxy_riot_compat_redirect_enabled: false matrix_nginx_proxy_proxy_riot_compat_redirect_hostname: "riot.{{ matrix_domain }}" -# Controls whether proxying the Synapse domain should be done. +# Controls whether proxying for Synapse should be done. matrix_nginx_proxy_proxy_synapse_enabled: false matrix_nginx_proxy_proxy_synapse_hostname: "matrix-nginx-proxy" matrix_nginx_proxy_proxy_synapse_federation_api_enabled: "{{ matrix_nginx_proxy_proxy_matrix_federation_api_enabled }}" - +# The addresses where the Matrix Client API is, when using Synapse. +matrix_nginx_proxy_proxy_synapse_client_api_addr_with_container: "" +matrix_nginx_proxy_proxy_synapse_client_api_addr_sans_container: "" # The addresses where the Federation API is, when using Synapse. matrix_nginx_proxy_proxy_synapse_federation_api_addr_with_container: "" matrix_nginx_proxy_proxy_synapse_federation_api_addr_sans_container: "" +# A list of strings containing additional configuration blocks to add to the Synapse's server configuration (matrix-synapse.conf). +matrix_nginx_proxy_proxy_synapse_additional_server_configuration_blocks: [] + +# Controls whether proxying for Dendrite should be done. +matrix_nginx_proxy_proxy_dendrite_enabled: false +matrix_nginx_proxy_proxy_dendrite_hostname: "matrix-nginx-proxy" +matrix_nginx_proxy_proxy_dendrite_federation_api_enabled: "{{ matrix_nginx_proxy_proxy_matrix_federation_api_enabled }}" +# Controls whether the Client API server (usually at matrix.DOMAIN:443) should explicitly reject `/_matrix/federation` endpoints. +# Normally, Dendrite Monolith serves both APIs (Client & Federation) at the same port, so we can serve federation at `matrix.DOMAIN:443` too. +matrix_nginx_proxy_proxy_dendrite_block_federation_api_on_client_port: true +# The addresses where the Matrix Client API is, when using Dendrite. +matrix_nginx_proxy_proxy_dendrite_client_api_addr_with_container: "" +matrix_nginx_proxy_proxy_dendrite_client_api_addr_sans_container: "" +# A list of strings containing additional configuration blocks to add to the Dendrite's server configuration (matrix-dendrite.conf). +matrix_nginx_proxy_proxy_dendrite_additional_server_configuration_blocks: [] # Controls whether proxying the Element domain should be done. matrix_nginx_proxy_proxy_element_enabled: false @@ -128,6 +154,10 @@ matrix_nginx_proxy_proxy_element_hostname: "{{ matrix_server_fqn_element }}" matrix_nginx_proxy_proxy_hydrogen_enabled: false matrix_nginx_proxy_proxy_hydrogen_hostname: "{{ matrix_server_fqn_hydrogen }}" +# Controls whether proxying the Cinny domain should be done. +matrix_nginx_proxy_proxy_cinny_enabled: false +matrix_nginx_proxy_proxy_cinny_hostname: "{{ matrix_server_fqn_cinny }}" + # Controls whether proxying the matrix domain should be done. matrix_nginx_proxy_proxy_matrix_enabled: false matrix_nginx_proxy_proxy_matrix_hostname: "{{ matrix_server_fqn_matrix }}" @@ -196,10 +226,6 @@ matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_key: "" matrix_nginx_proxy_proxy_matrix_client_api_addr_with_container: "matrix-nginx-proxy:12080" matrix_nginx_proxy_proxy_matrix_client_api_addr_sans_container: "127.0.0.1:12080" -# The addresses where the Matrix Client API is, when using Synapse. -matrix_nginx_proxy_proxy_synapse_client_api_addr_with_container: "" -matrix_nginx_proxy_proxy_synapse_client_api_addr_sans_container: "" - # This needs to be equal or higher than the maximum upload size accepted by Synapse. matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb: 50 @@ -264,18 +290,18 @@ matrix_nginx_proxy_proxy_http_additional_server_configuration_blocks: [] # A list of strings containing additional configuration blocks to add to the base matrix server configuration (matrix-domain.conf). matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks: [] -# A list of strings containing additional configuration blocks to add to the synapse's server configuration (matrix-synapse.conf). -matrix_nginx_proxy_proxy_synapse_additional_server_configuration_blocks: [] - # A list of strings containing additional configuration blocks to add to Riot's server configuration (matrix-riot-web.conf). matrix_nginx_proxy_proxy_riot_additional_server_configuration_blocks: [] # A list of strings containing additional configuration blocks to add to Element's server configuration (matrix-client-element.conf). matrix_nginx_proxy_proxy_element_additional_server_configuration_blocks: [] -# A list of strings containing additional configuration blocks to add to Element's server configuration (matrix-client-element.conf). +# A list of strings containing additional configuration blocks to add to Hydrogen's server configuration (matrix-client-hydrogen.conf). matrix_nginx_proxy_proxy_hydrogen_additional_server_configuration_blocks: [] +# A list of strings containing additional configuration blocks to add to Cinny's server configuration (matrix-client-cinny.conf). +matrix_nginx_proxy_proxy_cinny_additional_server_configuration_blocks: [] + # A list of strings containing additional configuration blocks to add to Dimension's server configuration (matrix-dimension.conf). matrix_nginx_proxy_proxy_dimension_additional_server_configuration_blocks: [] @@ -382,6 +408,11 @@ matrix_nginx_proxy_ssl_prefer_server_ciphers: "{{ matrix_nginx_proxy_ssl_presets # To see the full list for suportes ciphers run `openssl ciphers` on your server matrix_nginx_proxy_ssl_ciphers: "{{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['ciphers'] }}" +# Specifies what to use for the X-Forwarded-For variable. +# If you're fronting the nginx reverse-proxy with additional reverse-proxy servers, +# you may wish to set this to '$proxy_add_x_forwarded_for' instead. +matrix_nginx_proxy_x_forwarded_for: '$remote_addr' + # Controls whether the self-check feature should validate SSL certificates. matrix_nginx_proxy_self_check_validate_certificates: true @@ -437,8 +468,15 @@ matrix_ssl_domains_to_obtain_certificates_for: "{{ matrix_ssl_additional_domains matrix_ssl_additional_domains_to_obtain_certificates_for: [] # Controls whether to obtain production or staging certificates from Let's Encrypt. +# If you'd like to use another ACME Certificate Authority server (not Let's Encrypt), use `matrix_ssl_lets_encrypt_server` matrix_ssl_lets_encrypt_staging: false -matrix_ssl_lets_encrypt_certbot_docker_image: "{{ matrix_container_global_registry_prefix }}certbot/certbot:{{ matrix_ssl_architecture }}-v1.21.0" + +# Controls from which Certificate Authority server to retrieve the SSL certificates (passed as a `--server` flag to Certbot). +# By default, we use the Let's Encrypt production environment (use `matrix_ssl_lets_encrypt_staging` for using the staging environment). +# Learn more here: https://eff-certbot.readthedocs.io/en/stable/using.html#changing-the-acme-server +matrix_ssl_lets_encrypt_server: '' + +matrix_ssl_lets_encrypt_certbot_docker_image: "{{ matrix_container_global_registry_prefix }}certbot/certbot:{{ matrix_ssl_architecture }}-v1.22.0" matrix_ssl_lets_encrypt_certbot_docker_image_force_pull: "{{ matrix_ssl_lets_encrypt_certbot_docker_image.endswith(':latest') }}" matrix_ssl_lets_encrypt_certbot_standalone_http_port: 2402 matrix_ssl_lets_encrypt_support_email: ~ @@ -517,5 +555,5 @@ matrix_nginx_proxy_synapse_frontend_proxy_locations: [] # The amount of worker processes and connections # Consider increasing these when you are expecting high amounts of traffic # http://nginx.org/en/docs/ngx_core_module.html#worker_connections -matrix_nginx_proxy_worker_processes: 1 +matrix_nginx_proxy_worker_processes: auto matrix_nginx_proxy_worker_connections: 1024 diff --git a/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml b/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml index d325d2f0..e5021468 100644 --- a/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml +++ b/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml @@ -67,6 +67,19 @@ state: absent when: "not matrix_nginx_proxy_proxy_synapse_enabled|bool" +- name: Ensure Matrix nginx-proxy configuration for matrix-dendrite exists + template: + src: "{{ role_path }}/templates/nginx/conf.d/matrix-dendrite.conf.j2" + dest: "{{ matrix_nginx_proxy_confd_path }}/matrix-dendrite.conf" + mode: 0644 + when: matrix_nginx_proxy_proxy_dendrite_enabled|bool + +- name: Ensure Matrix nginx-proxy configuration for matrix-dendrite deleted + file: + path: "{{ matrix_nginx_proxy_confd_path }}/matrix-dendrite.conf" + state: absent + when: "not matrix_nginx_proxy_proxy_dendrite_enabled|bool" + - name: Ensure Matrix nginx-proxy configuration for Element domain exists template: src: "{{ role_path }}/templates/nginx/conf.d/matrix-client-element.conf.j2" @@ -88,6 +101,13 @@ mode: 0644 when: matrix_nginx_proxy_proxy_hydrogen_enabled|bool +- name: Ensure Matrix nginx-proxy configuration for Cinny domain exists + template: + src: "{{ role_path }}/templates/nginx/conf.d/matrix-client-cinny.conf.j2" + dest: "{{ matrix_nginx_proxy_confd_path }}/matrix-client-cinny.conf" + mode: 0644 + when: matrix_nginx_proxy_proxy_cinny_enabled|bool + - name: Ensure Matrix nginx-proxy configuration for dimension domain exists template: src: "{{ role_path }}/templates/nginx/conf.d/matrix-dimension.conf.j2" @@ -227,6 +247,12 @@ state: absent when: "not matrix_nginx_proxy_proxy_hydrogen_enabled|bool" +- name: Ensure Matrix nginx-proxy configuration for Cinny domain deleted + file: + path: "{{ matrix_nginx_proxy_confd_path }}/matrix-client-cinny.conf" + state: absent + when: "not matrix_nginx_proxy_proxy_cinny_enabled|bool" + - name: Ensure Matrix nginx-proxy configuration for dimension domain deleted file: path: "{{ matrix_nginx_proxy_confd_path }}/matrix-dimension.conf" diff --git a/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml b/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml index 4639f122..e820b0ed 100644 --- a/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml +++ b/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml @@ -21,7 +21,7 @@ - name: Wait some time, so that the required service for obtaining can start wait_for: - timeout: "{{ matrix_ssl_service_to_start_before_obtaining_start_wait_time_seconds }}" + timeout: "{{ matrix_ssl_pre_obtaining_required_service_start_wait_time_seconds }}" when: "matrix_ssl_pre_obtaining_required_service_start_result.changed|bool" when: "domain_name_needs_cert|bool and matrix_ssl_pre_obtaining_required_service_name != ''" @@ -42,6 +42,7 @@ --non-interactive --work-dir=/tmp --http-01-port 8080 + {% if matrix_ssl_lets_encrypt_server %}--server={{ matrix_ssl_lets_encrypt_server|quote }}{% endif %} {% if matrix_ssl_lets_encrypt_staging %}--staging{% endif %} --standalone --preferred-challenges http @@ -70,6 +71,7 @@ --non-interactive --work-dir=/tmp --http-01-port 8080 + {% if matrix_ssl_lets_encrypt_server %}--server={{ matrix_ssl_lets_encrypt_server|quote }}{% endif %} {% if matrix_ssl_lets_encrypt_staging %}--staging{% endif %} --standalone --preferred-challenges http diff --git a/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_self_signed.yml b/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_self_signed.yml index 8fa316da..47ec40aa 100644 --- a/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_self_signed.yml +++ b/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_self_signed.yml @@ -1,28 +1,7 @@ --- -- name: Ensure OpenSSL installed (RedHat) - yum: - name: - - openssl - state: present - update_cache: no - when: "matrix_ssl_retrieval_method == 'self-signed' and ansible_os_family == 'RedHat'" - -- name: Ensure APT usage dependencies are installed (Debian) - apt: - name: - - openssl - state: present - update_cache: no - when: "matrix_ssl_retrieval_method == 'self-signed' and ansible_os_family == 'Debian'" - -- name: Ensure OpenSSL installed (Archlinux) - pacman: - name: - - openssl - state: latest - update_cache: no - when: "matrix_ssl_retrieval_method == 'self-signed' and ansible_distribution == 'Archlinux'" +- import_tasks: "{{ role_path }}/../matrix-base/tasks/util/ensure_openssl_installed.yml" + when: "matrix_ssl_retrieval_method == 'self-signed'" - name: Generate self-signed certificates include_tasks: "{{ role_path }}/tasks/ssl/setup_ssl_self_signed_obtain_for_domain.yml" diff --git a/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_self_signed_obtain_for_domain.yml b/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_self_signed_obtain_for_domain.yml index aea17cc0..ff7fa2d8 100644 --- a/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_self_signed_obtain_for_domain.yml +++ b/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_self_signed_obtain_for_domain.yml @@ -37,6 +37,13 @@ -keyout {{ matrix_ssl_certificate_cert_key_path }} \ -out {{ matrix_ssl_certificate_cert_path }} \ -days 3650 - become: true - become_user: "{{ matrix_user_username }}" when: "not matrix_ssl_certificate_cert_path_stat_result.stat.exists" + +- name: Adjust SSL certificate file ownership + file: + path: "{{ item }}" + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: + - "{{ matrix_ssl_certificate_cert_key_path }}" + - "{{ matrix_ssl_certificate_cert_path }}" diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-bot-go-neb.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-bot-go-neb.conf.j2 index 79269f43..e5589f55 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-bot-go-neb.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-bot-go-neb.conf.j2 @@ -27,7 +27,7 @@ {% endif %} proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Forwarded-For {{ matrix_nginx_proxy_x_forwarded_for }}; } {% endmacro %} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-cinny.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-cinny.conf.j2 new file mode 100644 index 00000000..df66349f --- /dev/null +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-cinny.conf.j2 @@ -0,0 +1,104 @@ +#jinja2: lstrip_blocks: "True" + +{% macro render_vhost_directives() %} + gzip on; + gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif; + + {% if matrix_nginx_proxy_hsts_preload_enabled %} + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; + {% else %} + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + {% endif %} + add_header X-XSS-Protection "{{ matrix_nginx_proxy_xss_protection }}"; + add_header X-Content-Type-Options nosniff; + add_header X-Frame-Options SAMEORIGIN; + add_header Content-Security-Policy "frame-ancestors 'none'"; + {% if matrix_nginx_proxy_floc_optout_enabled %} + add_header Permissions-Policy interest-cohort=() always; + {% endif %} + + {% for configuration_block in matrix_nginx_proxy_proxy_cinny_additional_server_configuration_blocks %} + {{- configuration_block }} + {% endfor %} + + location / { + {% if matrix_nginx_proxy_enabled %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver 127.0.0.11 valid=5s; + set $backend "matrix-client-cinny:8080"; + proxy_pass http://$backend; + {% else %} + {# Generic configuration for use outside of our container setup #} + proxy_pass http://127.0.0.1:8080; + {% endif %} + + proxy_set_header Host $host; + proxy_set_header X-Forwarded-For {{ matrix_nginx_proxy_x_forwarded_for }}; + } +{% endmacro %} + +server { + listen {{ 8080 if matrix_nginx_proxy_enabled else 80 }}; + listen [::]:{{ 8080 if matrix_nginx_proxy_enabled else 80 }}; + + + server_name {{ matrix_nginx_proxy_proxy_cinny_hostname }}; + + server_tokens off; + root /dev/null; + + {% if matrix_nginx_proxy_https_enabled %} + location /.well-known/acme-challenge { + {% if matrix_nginx_proxy_enabled %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver 127.0.0.11 valid=5s; + set $backend "matrix-certbot:8080"; + proxy_pass http://$backend; + {% else %} + {# Generic configuration for use outside of our container setup #} + proxy_pass http://127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}; + {% endif %} + } + + location / { + return 301 https://$http_host$request_uri; + } + {% else %} + {{ render_vhost_directives() }} + {% endif %} +} + +{% if matrix_nginx_proxy_https_enabled %} +server { + listen {{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2; + listen [::]:{{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2; + + server_name {{ matrix_nginx_proxy_proxy_cinny_hostname }}; + + server_tokens off; + root /dev/null; + + ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_cinny_hostname }}/fullchain.pem; + ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_cinny_hostname }}/privkey.pem; + + ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; + {% if matrix_nginx_proxy_ssl_ciphers != "" %} + ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }}; + {% endif %} + ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; + + {% if matrix_nginx_proxy_ocsp_stapling_enabled %} + ssl_stapling on; + ssl_stapling_verify on; + ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_cinny_hostname }}/chain.pem; + {% endif %} + + {% if matrix_nginx_proxy_ssl_session_tickets_off %} + ssl_session_tickets off; + {% endif %} + ssl_session_cache {{ matrix_nginx_proxy_ssl_session_cache }}; + ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }}; + + {{ render_vhost_directives() }} +} +{% endif %} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 index 095d5fcf..dea91b21 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 @@ -35,7 +35,7 @@ {% endif %} proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Forwarded-For {{ matrix_nginx_proxy_x_forwarded_for }}; } {% endmacro %} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-hydrogen.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-hydrogen.conf.j2 index c0794205..e9428c55 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-hydrogen.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-hydrogen.conf.j2 @@ -33,7 +33,7 @@ {% endif %} proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Forwarded-For {{ matrix_nginx_proxy_x_forwarded_for }}; } {% endmacro %} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dendrite.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dendrite.conf.j2 new file mode 100644 index 00000000..939156a3 --- /dev/null +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dendrite.conf.j2 @@ -0,0 +1,77 @@ +#jinja2: lstrip_blocks: "True" + +server { + listen 12080; + server_name {{ matrix_nginx_proxy_proxy_dendrite_hostname }}; + + server_tokens off; + root /dev/null; + + gzip on; + gzip_types text/plain application/json; + + {% for configuration_block in matrix_nginx_proxy_proxy_dendrite_additional_server_configuration_blocks %} + {{- configuration_block }} + {% endfor %} + + {% if matrix_nginx_proxy_proxy_dendrite_block_federation_api_on_client_port %} + location /_matrix/federation { + {% if matrix_nginx_proxy_proxy_dendrite_federation_api_enabled %} + return 404 'The Federation API is served at https://{{ matrix_server_fqn_matrix }}:{{ matrix_federation_public_port }}'; + {% else %} + return 404 'This Matrix server is running with federation disabled'; + {% endif %} + } + {% endif %} + + {# Everything else just goes to the API server ##} + location / { + {% if matrix_nginx_proxy_enabled %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver 127.0.0.11 valid=5s; + set $backend "{{ matrix_nginx_proxy_proxy_dendrite_client_api_addr_with_container }}"; + proxy_pass http://$backend; + {% else %} + {# Generic configuration for use outside of our container setup #} + proxy_pass http://{{ matrix_nginx_proxy_proxy_dendrite_client_api_addr_sans_container }}; + {% endif %} + + proxy_set_header Host $host; + + client_body_buffer_size 25M; + client_max_body_size {{ matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb }}M; + proxy_max_temp_file_size 0; + } +} + +{% if matrix_nginx_proxy_proxy_dendrite_federation_api_enabled %} +server { + listen 12088; + + server_name {{ matrix_nginx_proxy_proxy_dendrite_hostname }}; + server_tokens off; + + root /dev/null; + + gzip on; + gzip_types text/plain application/json; + + location / { + {% if matrix_nginx_proxy_enabled %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver 127.0.0.11 valid=5s; + set $backend "{{ matrix_nginx_proxy_proxy_dendrite_federation_api_addr_with_container }}"; + proxy_pass http://$backend; + {% else %} + {# Generic configuration for use outside of our container setup #} + proxy_pass http://{{ matrix_nginx_proxy_proxy_dendrite_federation_api_addr_sans_container }}; + {% endif %} + + proxy_set_header Host $host; + + client_body_buffer_size 25M; + client_max_body_size {{ matrix_nginx_proxy_proxy_matrix_federation_api_client_max_body_size_mb }}M; + proxy_max_temp_file_size 0; + } +} +{% endif %} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 index 292cc4c2..07347be6 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 @@ -30,7 +30,7 @@ {% endif %} proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Forwarded-For {{ matrix_nginx_proxy_x_forwarded_for }}; } {% endmacro %} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 index 02201b9c..4abcd40a 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 @@ -58,7 +58,7 @@ {% endif %} proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Forwarded-For {{ matrix_nginx_proxy_x_forwarded_for }}; proxy_set_header X-Forwarded-Proto {{ matrix_nginx_proxy_x_forwarded_proto_value }}; } {% endif %} @@ -76,7 +76,7 @@ {% endif %} proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Forwarded-For {{ matrix_nginx_proxy_x_forwarded_for }}; proxy_set_header X-Forwarded-Proto {{ matrix_nginx_proxy_x_forwarded_proto_value }}; } {% endif %} @@ -94,7 +94,7 @@ {% endif %} proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Forwarded-For {{ matrix_nginx_proxy_x_forwarded_for }}; } {% endif %} @@ -111,7 +111,7 @@ {% endif %} proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Forwarded-For {{ matrix_nginx_proxy_x_forwarded_for }}; proxy_set_header X-Forwarded-Proto {{ matrix_nginx_proxy_x_forwarded_proto_value }}; } {% endif %} @@ -136,7 +136,7 @@ {% endif %} proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Forwarded-For {{ matrix_nginx_proxy_x_forwarded_for }}; proxy_set_header X-Forwarded-Proto {{ matrix_nginx_proxy_x_forwarded_proto_value }}; client_body_buffer_size 25M; @@ -284,7 +284,7 @@ server { {% endif %} proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Forwarded-For {{ matrix_nginx_proxy_x_forwarded_for }}; proxy_set_header X-Forwarded-Proto {{ matrix_nginx_proxy_x_forwarded_proto_value }}; client_body_buffer_size 25M; diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-grafana.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-grafana.conf.j2 index 209c1cd0..def67f66 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-grafana.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-grafana.conf.j2 @@ -37,7 +37,7 @@ {% endif %} proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Forwarded-For {{ matrix_nginx_proxy_x_forwarded_for }}; } {% endmacro %} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 index 7fccce94..54b8ea43 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 @@ -30,7 +30,7 @@ {% endif %} proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Forwarded-For {{ matrix_nginx_proxy_x_forwarded_for }}; } # colibri (JVB) websockets @@ -45,7 +45,7 @@ {% endif %} proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Forwarded-For {{ matrix_nginx_proxy_x_forwarded_for }}; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; @@ -70,7 +70,7 @@ proxy_read_timeout 900s; proxy_set_header Connection "upgrade"; proxy_set_header Upgrade $http_upgrade; - proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Forwarded-For {{ matrix_nginx_proxy_x_forwarded_for }}; proxy_set_header X-Forwarded-Proto {{ matrix_nginx_proxy_x_forwarded_proto_value }}; tcp_nodelay on; } diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-sygnal.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-sygnal.conf.j2 index ba442b37..0f33c0a7 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-sygnal.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-sygnal.conf.j2 @@ -28,7 +28,7 @@ {% endif %} proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Forwarded-For {{ matrix_nginx_proxy_x_forwarded_for }}; proxy_set_header X-Forwarded-Proto {{ matrix_nginx_proxy_x_forwarded_proto_value }}; } {% endmacro %} diff --git a/roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 b/roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 index c4000fa9..03bc32af 100755 --- a/roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 +++ b/roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 @@ -47,8 +47,12 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-nginx-proxy \ {% endfor %} {{ matrix_nginx_proxy_docker_image }} -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-nginx-proxy 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-nginx-proxy 2>/dev/null' +{% for network in matrix_nginx_proxy_container_additional_networks %} +ExecStartPost={{ matrix_host_command_sh }} -c 'attempt=0; while [ $attempt -le 29 ]; do attempt=$(( $attempt + 1 )); if [ "`docker inspect -f {{ '{{.State.Running}}' }} matrix-nginx-proxy 2> /dev/null`" = "true" ]; then break; fi; sleep 1; done; {{ matrix_host_command_docker }} network connect {{ network }} matrix-nginx-proxy' +{% endfor %} + +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-nginx-proxy 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-nginx-proxy 2>/dev/null' ExecReload={{ matrix_host_command_docker }} exec matrix-nginx-proxy /usr/sbin/nginx -s reload Restart=always RestartSec=30 diff --git a/roles/matrix-postgres-backup/defaults/main.yml b/roles/matrix-postgres-backup/defaults/main.yml index e1f252fe..efce3656 100644 --- a/roles/matrix-postgres-backup/defaults/main.yml +++ b/roles/matrix-postgres-backup/defaults/main.yml @@ -33,7 +33,7 @@ matrix_postgres_backup_docker_image_v11: "{{ matrix_container_global_registry_pr matrix_postgres_backup_docker_image_v12: "{{ matrix_container_global_registry_prefix }}prodrigestivill/postgres-backup-local:12{{ matrix_postgres_backup_docker_image_suffix }}" matrix_postgres_backup_docker_image_v13: "{{ matrix_container_global_registry_prefix }}prodrigestivill/postgres-backup-local:13{{ matrix_postgres_backup_docker_image_suffix }}" matrix_postgres_backup_docker_image_v14: "{{ matrix_container_global_registry_prefix }}prodrigestivill/postgres-backup-local:14{{ matrix_postgres_backup_docker_image_suffix }}" -matrix_postgres_backup_docker_image_latest: "{{ matrix_postgres_backup_docker_image_v13 }}" +matrix_postgres_backup_docker_image_latest: "{{ matrix_postgres_backup_docker_image_v14 }}" # This variable is assigned at runtime. Overriding its value has no effect. matrix_postgres_backup_docker_image_to_use: '{{ matrix_postgres_backup_docker_image_latest }}' diff --git a/roles/matrix-postgres-backup/templates/systemd/matrix-postgres-backup.service.j2 b/roles/matrix-postgres-backup/templates/systemd/matrix-postgres-backup.service.j2 index 97c9ae7f..52e12edb 100644 --- a/roles/matrix-postgres-backup/templates/systemd/matrix-postgres-backup.service.j2 +++ b/roles/matrix-postgres-backup/templates/systemd/matrix-postgres-backup.service.j2 @@ -21,8 +21,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-postgres-backu --mount type=bind,src={{ matrix_postgres_backup_path }},dst=/backups \ {{ matrix_postgres_backup_docker_image_to_use }} -ExecStop=-{{ matrix_host_command_docker }} stop matrix-postgres-backup -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-postgres-backup 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_docker }} stop matrix-postgres-backup +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-postgres-backup 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-postgres-backup diff --git a/roles/matrix-postgres/templates/systemd/matrix-postgres.service.j2 b/roles/matrix-postgres/templates/systemd/matrix-postgres.service.j2 index d62a689a..5ef3646d 100644 --- a/roles/matrix-postgres/templates/systemd/matrix-postgres.service.j2 +++ b/roles/matrix-postgres/templates/systemd/matrix-postgres.service.j2 @@ -36,8 +36,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-postgres \ {{ matrix_postgres_docker_image_to_use }} \ postgres {{ matrix_postgres_process_extra_arguments|join(' ') }} -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-postgres 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-postgres 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-postgres 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-postgres 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-postgres diff --git a/roles/matrix-prometheus-node-exporter/defaults/main.yml b/roles/matrix-prometheus-node-exporter/defaults/main.yml index 481864d3..2ec0d23c 100644 --- a/roles/matrix-prometheus-node-exporter/defaults/main.yml +++ b/roles/matrix-prometheus-node-exporter/defaults/main.yml @@ -3,7 +3,7 @@ matrix_prometheus_node_exporter_enabled: false -matrix_prometheus_node_exporter_version: v1.2.2 +matrix_prometheus_node_exporter_version: v1.3.1 matrix_prometheus_node_exporter_docker_image: "{{ matrix_container_global_registry_prefix }}prom/node-exporter:{{ matrix_prometheus_node_exporter_version }}" matrix_prometheus_node_exporter_docker_image_force_pull: "{{ matrix_prometheus_node_exporter_docker_image.endswith(':latest') }}" diff --git a/roles/matrix-prometheus-node-exporter/templates/systemd/matrix-prometheus-node-exporter.service.j2 b/roles/matrix-prometheus-node-exporter/templates/systemd/matrix-prometheus-node-exporter.service.j2 index 210a0d97..0139b916 100644 --- a/roles/matrix-prometheus-node-exporter/templates/systemd/matrix-prometheus-node-exporter.service.j2 +++ b/roles/matrix-prometheus-node-exporter/templates/systemd/matrix-prometheus-node-exporter.service.j2 @@ -34,8 +34,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-prometheus-nod {{ matrix_prometheus_node_exporter_docker_image }} \ --path.rootfs=/host -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-prometheus-node-exporter 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-prometheus-node-exporter 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-prometheus-node-exporter 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-prometheus-node-exporter 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-prometheus-node-exporter diff --git a/roles/matrix-prometheus-postgres-exporter/defaults/main.yml b/roles/matrix-prometheus-postgres-exporter/defaults/main.yml index 0857d3e7..338f58d3 100644 --- a/roles/matrix-prometheus-postgres-exporter/defaults/main.yml +++ b/roles/matrix-prometheus-postgres-exporter/defaults/main.yml @@ -3,7 +3,7 @@ matrix_prometheus_postgres_exporter_enabled: false -matrix_prometheus_postgres_exporter_version: v0.10.0 +matrix_prometheus_postgres_exporter_version: v0.10.1 matrix_prometheus_postgres_exporter_port: 9187 matrix_prometheus_postgres_exporter_docker_image: "quay.io/prometheuscommunity/postgres-exporter:{{ matrix_prometheus_postgres_exporter_version }}" diff --git a/roles/matrix-prometheus-postgres-exporter/templates/systemd/matrix-prometheus-postgres-exporter.service.j2 b/roles/matrix-prometheus-postgres-exporter/templates/systemd/matrix-prometheus-postgres-exporter.service.j2 index b25cb5de..4c9a4eda 100644 --- a/roles/matrix-prometheus-postgres-exporter/templates/systemd/matrix-prometheus-postgres-exporter.service.j2 +++ b/roles/matrix-prometheus-postgres-exporter/templates/systemd/matrix-prometheus-postgres-exporter.service.j2 @@ -30,10 +30,10 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-prometheus-pos -p {{ matrix_prometheus_postgres_exporter_container_http_host_bind_port }}:{{matrix_prometheus_postgres_exporter_port}} \ {% endif %} --pid=host \ - {{ matrix_prometheus_postgres_exporter_docker_image }} + {{ matrix_prometheus_postgres_exporter_docker_image }} -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-prometheus-postgres-exporter 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-prometheus-postgres-exporter 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-prometheus-postgres-exporter 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-prometheus-postgres-exporter 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-prometheus-postgres-exporter diff --git a/roles/matrix-prometheus/defaults/main.yml b/roles/matrix-prometheus/defaults/main.yml index 1cbeed8b..d76ce744 100644 --- a/roles/matrix-prometheus/defaults/main.yml +++ b/roles/matrix-prometheus/defaults/main.yml @@ -3,7 +3,7 @@ matrix_prometheus_enabled: false -matrix_prometheus_version: v2.30.3 +matrix_prometheus_version: v2.31.1 matrix_prometheus_docker_image: "{{ matrix_container_global_registry_prefix }}prom/prometheus:{{ matrix_prometheus_version }}" matrix_prometheus_docker_image_force_pull: "{{ matrix_prometheus_docker_image.endswith(':latest') }}" diff --git a/roles/matrix-prometheus/templates/systemd/matrix-prometheus.service.j2 b/roles/matrix-prometheus/templates/systemd/matrix-prometheus.service.j2 index ad75d664..2070ece3 100644 --- a/roles/matrix-prometheus/templates/systemd/matrix-prometheus.service.j2 +++ b/roles/matrix-prometheus/templates/systemd/matrix-prometheus.service.j2 @@ -33,8 +33,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-prometheus \ {% endfor %} {{ matrix_prometheus_docker_image }} -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-prometheus 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-prometheus 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-prometheus 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-prometheus 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-prometheus diff --git a/roles/matrix-redis/defaults/main.yml b/roles/matrix-redis/defaults/main.yml index 409c7926..355679d0 100644 --- a/roles/matrix-redis/defaults/main.yml +++ b/roles/matrix-redis/defaults/main.yml @@ -5,7 +5,7 @@ matrix_redis_connection_password: "" matrix_redis_base_path: "{{ matrix_base_data_path }}/redis" matrix_redis_data_path: "{{ matrix_redis_base_path }}/data" -matrix_redis_version: 6.2.4-alpine +matrix_redis_version: 6.2.6-alpine matrix_redis_docker_image_v6: "{{ matrix_container_global_registry_prefix }}redis:{{ matrix_redis_version }}" matrix_redis_docker_image_latest: "{{ matrix_redis_docker_image_v6 }}" matrix_redis_docker_image_to_use: '{{ matrix_redis_docker_image_latest }}' diff --git a/roles/matrix-redis/templates/systemd/matrix-redis.service.j2 b/roles/matrix-redis/templates/systemd/matrix-redis.service.j2 index 5f6699f8..9f9d2902 100644 --- a/roles/matrix-redis/templates/systemd/matrix-redis.service.j2 +++ b/roles/matrix-redis/templates/systemd/matrix-redis.service.j2 @@ -27,8 +27,8 @@ ExecStart=/usr/bin/docker run --rm --name matrix-redis \ {{ matrix_redis_docker_image_to_use }} \ redis-server /usr/local/etc/redis/redis.conf -ExecStop=-/usr/bin/docker stop matrix-redis -ExecStop=-/usr/bin/docker rm matrix-redis +ExecStopPost=-/usr/bin/docker stop matrix-redis +ExecStopPost=-/usr/bin/docker rm matrix-redis Restart=always RestartSec=30 SyslogIdentifier=matrix-redis diff --git a/roles/matrix-registration/defaults/main.yml b/roles/matrix-registration/defaults/main.yml index e03891b2..4705fb5e 100644 --- a/roles/matrix-registration/defaults/main.yml +++ b/roles/matrix-registration/defaults/main.yml @@ -38,7 +38,7 @@ matrix_registration_container_http_host_bind_port: '' # # To use Postgres: # - change the engine (`matrix_registration_database_engine: 'postgres'`) -# - adjust your database credentials via the `matrix_registration_postgres_*` variables +# - adjust your database credentials via the `matrix_registration_database_*` variables matrix_registration_database_engine: 'sqlite' matrix_registration_sqlite_database_path_local: "{{ matrix_registration_data_path }}/db.sqlite3" diff --git a/roles/matrix-registration/tasks/init.yml b/roles/matrix-registration/tasks/init.yml index 5ab93910..47220103 100644 --- a/roles/matrix-registration/tasks/init.yml +++ b/roles/matrix-registration/tasks/init.yml @@ -15,7 +15,7 @@ msg: >- Trying to append matrix-registration's reverse-proxying configuration to matrix-nginx-proxy, but it's pointless since the matrix-nginx-proxy role had already executed. - To fix this, please change the order of roles in your plabook, + To fix this, please change the order of roles in your playbook, so that the matrix-nginx-proxy role would run after the matrix-registration role. when: matrix_nginx_proxy_role_executed|default(False)|bool diff --git a/roles/matrix-registration/templates/systemd/matrix-registration.service.j2 b/roles/matrix-registration/templates/systemd/matrix-registration.service.j2 index e73e3e5f..8de331bf 100644 --- a/roles/matrix-registration/templates/systemd/matrix-registration.service.j2 +++ b/roles/matrix-registration/templates/systemd/matrix-registration.service.j2 @@ -32,8 +32,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-registration \ {{ matrix_registration_docker_image }} \ serve -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-registration 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-registration 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-registration 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-registration 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-registration diff --git a/roles/matrix-sygnal/defaults/main.yml b/roles/matrix-sygnal/defaults/main.yml index 70d530f8..595f8022 100644 --- a/roles/matrix-sygnal/defaults/main.yml +++ b/roles/matrix-sygnal/defaults/main.yml @@ -7,7 +7,7 @@ matrix_sygnal_base_path: "{{ matrix_base_data_path }}/sygnal" matrix_sygnal_config_path: "{{ matrix_sygnal_base_path }}/config" matrix_sygnal_data_path: "{{ matrix_sygnal_base_path }}/data" -matrix_sygnal_version: v0.10.1 +matrix_sygnal_version: v0.11.0 matrix_sygnal_docker_image: "{{ matrix_container_global_registry_prefix }}matrixdotorg/sygnal:{{ matrix_sygnal_version }}" matrix_sygnal_docker_image_force_pull: "{{ matrix_sygnal_docker_image.endswith(':latest') }}" diff --git a/roles/matrix-sygnal/templates/systemd/matrix-sygnal.service.j2 b/roles/matrix-sygnal/templates/systemd/matrix-sygnal.service.j2 index 019ab40c..84c6f6ea 100644 --- a/roles/matrix-sygnal/templates/systemd/matrix-sygnal.service.j2 +++ b/roles/matrix-sygnal/templates/systemd/matrix-sygnal.service.j2 @@ -32,8 +32,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-sygnal \ {% endfor %} {{ matrix_sygnal_docker_image }} -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-sygnal 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-sygnal 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-sygnal 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-sygnal 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-sygnal diff --git a/roles/matrix-synapse-admin/defaults/main.yml b/roles/matrix-synapse-admin/defaults/main.yml index 069b6279..db1024fa 100644 --- a/roles/matrix-synapse-admin/defaults/main.yml +++ b/roles/matrix-synapse-admin/defaults/main.yml @@ -3,14 +3,14 @@ matrix_synapse_admin_enabled: true -matrix_synapse_admin_container_self_build: false -matrix_synapse_admin_container_self_build_repo: "https://github.com/Awesome-Technologies/synapse-admin.git" +matrix_synapse_admin_container_image_self_build: false +matrix_synapse_admin_container_image_self_build_repo: "https://github.com/Awesome-Technologies/synapse-admin.git" matrix_synapse_admin_docker_src_files_path: "{{ matrix_base_data_path }}/synapse-admin/docker-src" -matrix_synapse_admin_version: 0.8.1 +matrix_synapse_admin_version: 0.8.4 matrix_synapse_admin_docker_image: "{{ matrix_synapse_admin_docker_image_name_prefix }}awesometechnologies/synapse-admin:{{ matrix_synapse_admin_version }}" -matrix_synapse_admin_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_admin_container_self_build else matrix_container_global_registry_prefix }}" +matrix_synapse_admin_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_admin_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_synapse_admin_docker_image_force_pull: "{{ matrix_synapse_admin_docker_image.endswith(':latest') }}" # A list of extra arguments to pass to the container diff --git a/roles/matrix-synapse-admin/tasks/init.yml b/roles/matrix-synapse-admin/tasks/init.yml index e1912871..3ce5a693 100644 --- a/roles/matrix-synapse-admin/tasks/init.yml +++ b/roles/matrix-synapse-admin/tasks/init.yml @@ -3,7 +3,7 @@ - name: Fail if trying to self-build on Ansible < 2.8 fail: msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_synapse_admin_container_self_build and matrix_synapse_admin_enabled" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_synapse_admin_container_image_self_build and matrix_synapse_admin_enabled" - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-synapse-admin.service'] }}" @@ -15,7 +15,7 @@ msg: >- Trying to append Synapse Admin's reverse-proxying configuration to matrix-nginx-proxy, but it's pointless since the matrix-nginx-proxy role had already executed. - To fix this, please change the order of roles in your plabook, + To fix this, please change the order of roles in your playbook, so that the matrix-nginx-proxy role would run after the matrix-synapse-admin role. when: matrix_nginx_proxy_role_executed|default(False)|bool diff --git a/roles/matrix-synapse-admin/tasks/setup.yml b/roles/matrix-synapse-admin/tasks/setup.yml index d54583af..9eac7f90 100644 --- a/roles/matrix-synapse-admin/tasks/setup.yml +++ b/roles/matrix-synapse-admin/tasks/setup.yml @@ -10,16 +10,16 @@ source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" force_source: "{{ matrix_synapse_admin_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_synapse_admin_docker_image_force_pull }}" - when: "matrix_synapse_admin_enabled|bool and not matrix_synapse_admin_container_self_build|bool" + when: "matrix_synapse_admin_enabled|bool and not matrix_synapse_admin_container_image_self_build|bool" - name: Ensure matrix-synapse-admin repository is present when self-building git: - repo: "{{ matrix_synapse_admin_container_self_build_repo }}" + repo: "{{ matrix_synapse_admin_container_image_self_build_repo }}" dest: "{{ matrix_synapse_admin_docker_src_files_path }}" version: "{{ matrix_synapse_admin_docker_image.split(':')[1] }}" force: "yes" register: matrix_synapse_admin_git_pull_results - when: "matrix_synapse_admin_enabled|bool and matrix_synapse_admin_container_self_build|bool" + when: "matrix_synapse_admin_enabled|bool and matrix_synapse_admin_container_image_self_build|bool" - name: Ensure matrix-synapse-admin Docker image is built docker_image: @@ -31,7 +31,7 @@ dockerfile: Dockerfile path: "{{ matrix_synapse_admin_docker_src_files_path }}" pull: yes - when: "matrix_synapse_admin_enabled|bool and matrix_synapse_admin_container_self_build|bool" + when: "matrix_synapse_admin_enabled|bool and matrix_synapse_admin_container_image_self_build|bool" - name: Ensure matrix-synapse-admin.service installed template: diff --git a/roles/matrix-synapse-admin/tasks/validate_config.yml b/roles/matrix-synapse-admin/tasks/validate_config.yml index e08680e0..20a5c170 100644 --- a/roles/matrix-synapse-admin/tasks/validate_config.yml +++ b/roles/matrix-synapse-admin/tasks/validate_config.yml @@ -8,3 +8,5 @@ when: "item.old in vars" with_items: - {'old': 'matrix_synapse_admin_docker_repo', 'new': 'matrix_synapse_admin_container_self_build_repo'} + - {'old': 'matrix_synapse_admin_container_self_build', 'new': 'matrix_synapse_admin_container_image_self_build'} + - {'old': 'matrix_synapse_admin_container_self_build_repo', 'new': 'matrix_synapse_admin_container_image_self_build_repo'} diff --git a/roles/matrix-synapse-admin/templates/systemd/matrix-synapse-admin.service.j2 b/roles/matrix-synapse-admin/templates/systemd/matrix-synapse-admin.service.j2 index 4823d89c..28fe08aa 100644 --- a/roles/matrix-synapse-admin/templates/systemd/matrix-synapse-admin.service.j2 +++ b/roles/matrix-synapse-admin/templates/systemd/matrix-synapse-admin.service.j2 @@ -32,8 +32,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-synapse-admin {% endfor %} {{ matrix_synapse_admin_docker_image }} -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-synapse-admin 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-synapse-admin 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-synapse-admin 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-synapse-admin 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-synapse-admin diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index dc8a9eb0..084d821f 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -15,8 +15,8 @@ matrix_synapse_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_cont # amd64 gets released first. # arm32 relies on self-building, so the same version can be built immediately. # arm64 users need to wait for a prebuilt image to become available. -matrix_synapse_version: v1.47.0 -matrix_synapse_version_arm64: v1.47.0 +matrix_synapse_version: v1.50.2 +matrix_synapse_version_arm64: v1.50.2 matrix_synapse_docker_image_tag: "{{ matrix_synapse_version if matrix_architecture in ['arm32', 'amd64'] else matrix_synapse_version_arm64 }}" matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}" @@ -321,6 +321,9 @@ matrix_synapse_push_include_content: true # URLs shared by users. matrix_synapse_url_preview_enabled: true +# A list of values for the Accept-Language HTTP header used when downloading webpages during URL preview generation +matrix_url_preview_accept_language: ['en-US', 'en'] + # Enable exposure of metrics to Prometheus # See https://github.com/matrix-org/synapse/blob/master/docs/metrics-howto.md matrix_synapse_metrics_enabled: false @@ -514,7 +517,7 @@ matrix_synapse_ext_password_provider_ldap_default_domain: "" # See: https://github.com/t2bot/synapse-simple-antispam matrix_synapse_ext_spam_checker_synapse_simple_antispam_enabled: false matrix_synapse_ext_spam_checker_synapse_simple_antispam_git_repository_url: "https://github.com/t2bot/synapse-simple-antispam" -matrix_synapse_ext_spam_checker_synapse_simple_antispam_git_version: "923ca5c85b08f157181721abbae50dd89c31e4b5" +matrix_synapse_ext_spam_checker_synapse_simple_antispam_git_version: "5ab711971e3a4541a7a40310ff85e17f8262cc05" matrix_synapse_ext_spam_checker_synapse_simple_antispam_config_blocked_homeservers: [] # Enable this to activate the Mjolnir Antispam spam-checker module. @@ -577,6 +580,10 @@ matrix_synapse_default_room_version: "6" # If not, you can also control its value manually. matrix_synapse_spam_checker: [] +matrix_synapse_modules: [] + +matrix_synapse_encryption_enabled_by_default_for_room_type: off + matrix_synapse_trusted_key_servers: - server_name: "matrix.org" diff --git a/roles/matrix-synapse/tasks/ext/synapse-simple-antispam/setup_install.yml b/roles/matrix-synapse/tasks/ext/synapse-simple-antispam/setup_install.yml index 2599e7f1..706cc588 100644 --- a/roles/matrix-synapse/tasks/ext/synapse-simple-antispam/setup_install.yml +++ b/roles/matrix-synapse/tasks/ext/synapse-simple-antispam/setup_install.yml @@ -38,8 +38,8 @@ become_user: "{{ matrix_user_username }}" - set_fact: - matrix_synapse_spam_checker: > - {{ matrix_synapse_spam_checker }} + matrix_synapse_modules: > + {{ matrix_synapse_modules }} + [{ "module": "synapse_simple_antispam.AntiSpamInvites", diff --git a/roles/matrix-synapse/tasks/goofys/setup_install.yml b/roles/matrix-synapse/tasks/goofys/setup_install.yml index b5e95614..147efabf 100644 --- a/roles/matrix-synapse/tasks/goofys/setup_install.yml +++ b/roles/matrix-synapse/tasks/goofys/setup_install.yml @@ -1,3 +1,5 @@ +- import_tasks: "{{ role_path }}/../matrix-base/tasks/util/ensure_fuse_installed.yml" + - name: Ensure Goofys Docker image is pulled docker_image: name: "{{ matrix_s3_goofys_docker_image }}" diff --git a/roles/matrix-synapse/tasks/main.yml b/roles/matrix-synapse/tasks/main.yml index 8bf1c563..17eef9cc 100644 --- a/roles/matrix-synapse/tasks/main.yml +++ b/roles/matrix-synapse/tasks/main.yml @@ -20,7 +20,7 @@ - import-synapse-media-store - import_tasks: "{{ role_path }}/tasks/register_user.yml" - when: run_synapse_register_user|bool + when: run_synapse_register_user|bool and matrix_synapse_enabled|bool tags: - register-user @@ -39,7 +39,7 @@ - self-check - import_tasks: "{{ role_path }}/tasks/update_user_password.yml" - when: run_synapse_update_user_password|bool + when: run_synapse_update_user_password|bool and matrix_synapse_enabled|bool tags: - update-user-password diff --git a/roles/matrix-synapse/tasks/synapse/workers/setup_uninstall.yml b/roles/matrix-synapse/tasks/synapse/workers/setup_uninstall.yml index 4a90bfa6..d0440d22 100644 --- a/roles/matrix-synapse/tasks/synapse/workers/setup_uninstall.yml +++ b/roles/matrix-synapse/tasks/synapse/workers/setup_uninstall.yml @@ -8,6 +8,7 @@ name: "{{ item.key }}" state: stopped with_dict: "{{ ansible_facts.services|default({})|dict2items|selectattr('key', 'match', 'matrix-synapse-worker-.+\\.service')|list|items2dict }}" + when: "item.value['status'] != 'not-found'" # see https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1461 - name: Find worker configs to be cleaned find: diff --git a/roles/matrix-synapse/templates/goofys/systemd/matrix-goofys.service.j2 b/roles/matrix-synapse/templates/goofys/systemd/matrix-goofys.service.j2 index df4a4f23..f74cbad9 100644 --- a/roles/matrix-synapse/templates/goofys/systemd/matrix-goofys.service.j2 +++ b/roles/matrix-synapse/templates/goofys/systemd/matrix-goofys.service.j2 @@ -27,10 +27,10 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name %n \ -c 'goofys -f{% if not matrix_s3_media_store_custom_endpoint_enabled %} --storage-class=STANDARD_IA{% endif %}{% if matrix_s3_media_store_custom_endpoint_enabled %} --endpoint={{ matrix_s3_media_store_custom_endpoint }}{% endif %} --region {{ matrix_s3_media_store_region }} --stat-cache-ttl 60m0s --type-cache-ttl 60m0s --dir-mode 0700 --file-mode 0700 {{ matrix_s3_media_store_bucket_name }} /s3' TimeoutStartSec=5min -ExecStop=-{{ matrix_host_command_docker }} stop %n -ExecStop=-{{ matrix_host_command_docker }} kill %n -ExecStop=-{{ matrix_host_command_docker }} rm %n -ExecStop=-{{ matrix_host_command_fusermount }} -u {{ matrix_s3_media_store_path }} +ExecStopPost=-{{ matrix_host_command_docker }} stop %n +ExecStopPost=-{{ matrix_host_command_docker }} kill %n +ExecStopPost=-{{ matrix_host_command_docker }} rm %n +ExecStopPost=-{{ matrix_host_command_fusermount }} -u {{ matrix_s3_media_store_path }} Restart=always RestartSec=5 SyslogIdentifier=matrix-goofys diff --git a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 index 7ec8437b..e92083fa 100644 --- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 @@ -12,15 +12,16 @@ # Server admins can expand Synapse's functionality with external modules. # -# See https://matrix-org.github.io/synapse/develop/modules.html for more +# See https://matrix-org.github.io/synapse/latest/modules/index.html for more # documentation on how to configure or create custom modules for Synapse. # -modules: +#modules: # - module: my_super_module.MySuperClass # config: # do_thing: true # - module: my_other_super_module.SomeClass # config: {} +modules: {{ matrix_synapse_modules|to_json }} ## Server ## @@ -667,8 +668,8 @@ tls_private_key_path: {{ matrix_synapse_tls_private_key_path|to_json }} # #federation_certificate_verification_whitelist: # - lon.example.com -# - *.domain.com -# - *.onion +# - "*.domain.com" +# - "*.onion" # List of custom certificate authorities for federation traffic. # @@ -1149,8 +1150,7 @@ max_spider_size: 10M # - fr;q=0.8 # - *;q=0.7 # -url_preview_accept_language: -# - en +url_preview_accept_language: {{ matrix_url_preview_accept_language|to_json }} ## Captcha ## @@ -1227,6 +1227,46 @@ enable_registration: {{ matrix_synapse_enable_registration|to_json }} # #session_lifetime: 24h +# Time that an access token remains valid for, if the session is +# using refresh tokens. +# For more information about refresh tokens, please see the manual. +# Note that this only applies to clients which advertise support for +# refresh tokens. +# +# Note also that this is calculated at login time and refresh time: +# changes are not applied to existing sessions until they are refreshed. +# +# By default, this is 5 minutes. +# +#refreshable_access_token_lifetime: 5m + +# Time that a refresh token remains valid for (provided that it is not +# exchanged for another one first). +# This option can be used to automatically log-out inactive sessions. +# Please see the manual for more information. +# +# Note also that this is calculated at login time and refresh time: +# changes are not applied to existing sessions until they are refreshed. +# +# By default, this is infinite. +# +#refresh_token_lifetime: 24h + +# Time that an access token remains valid for, if the session is NOT +# using refresh tokens. +# Please note that not all clients support refresh tokens, so setting +# this to a short value may be inconvenient for some users who will +# then be logged out frequently. +# +# Note also that this is calculated at login time: changes are not applied +# retrospectively to existing sessions for users that have already logged in. +# +# By default, this is infinite. +# +#nonrefreshable_access_token_lifetime: 24h + +# The user must provide all of the below types of 3PID when registering. + # The user must provide all of the below types of 3PID when registering. # #registrations_require_3pid: @@ -1480,6 +1520,7 @@ room_prejoin_state: # - m.room.encryption # - m.room.name # - m.room.create + # - m.room.topic # # Uncomment the following to disable these defaults (so that only the event # types listed in 'additional_event_types' are shared). Defaults to 'false'. @@ -2229,6 +2270,12 @@ sso: # #algorithm: "provided-by-your-issuer" + # Name of the claim containing a unique identifier for the user. + # + # Optional, defaults to `sub`. + # + #subject_claim: "sub" + # The issuer to validate the "iss" claim against. # # Optional, if provided the "iss" claim will be required and @@ -2338,8 +2385,10 @@ email: # Username/password for authentication to the SMTP server. By default, no # authentication is attempted. + {% if matrix_synapse_email_smtp_user %} smtp_user: {{ matrix_synapse_email_smtp_user|string|to_json }} smtp_pass: {{ matrix_synapse_email_smtp_pass|string|to_json }} + {% endif %} # Uncomment the following to require TLS transport security for SMTP. # By default, Synapse will connect over plain text, and will then switch to @@ -2604,7 +2653,7 @@ spam_checker: {{ matrix_synapse_spam_checker|to_json }} # Note that this option will only affect rooms created after it is set. It # will also not affect rooms created by other servers. # -#encryption_enabled_by_default_for_room_type: invite +encryption_enabled_by_default_for_room_type: {{ matrix_synapse_encryption_enabled_by_default_for_room_type|to_json }} # Uncomment to allow non-server-admin users to create groups on this server @@ -2637,8 +2686,8 @@ user_directory: # indexes were (re)built was before Synapse 1.44, you'll have to # rebuild the indexes in order to search through all known users. # These indexes are built the first time Synapse starts; admins can - # manually trigger a rebuild following the instructions at - # https://matrix-org.github.io/synapse/latest/user_directory.html + # manually trigger a rebuild via API following the instructions at + # https://matrix-org.github.io/synapse/latest/usage/administration/admin_api/background_updates.html#run # # Uncomment to return search results containing all known users, even if that # user does not share a room with the requester. diff --git a/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse-worker.service.j2 b/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse-worker.service.j2 index 43dc42d1..66a323f9 100644 --- a/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse-worker.service.j2 +++ b/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse-worker.service.j2 @@ -46,8 +46,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name {{ matrix_synapse_wor run -m synapse.app.{{ matrix_synapse_worker_details.type }} -c /data/homeserver.yaml -c /data/{{ matrix_synapse_worker_config_file_name }} -ExecStop=-{{ matrix_host_command_docker }} kill {{ matrix_synapse_worker_container_name }} -ExecStop=-{{ matrix_host_command_docker }} rm {{ matrix_synapse_worker_container_name }} +ExecStopPost=-{{ matrix_host_command_docker }} kill {{ matrix_synapse_worker_container_name }} +ExecStopPost=-{{ matrix_host_command_docker }} rm {{ matrix_synapse_worker_container_name }} ExecReload={{ matrix_host_command_docker }} exec {{ matrix_synapse_worker_container_name }} /bin/sh -c 'kill -HUP 1' Restart=always diff --git a/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 b/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 index 188db5ef..bfc8dd61 100644 --- a/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 +++ b/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 @@ -63,8 +63,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-synapse \ {{ matrix_synapse_docker_image }} \ run -m synapse.app.homeserver -c /data/homeserver.yaml -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-synapse 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-synapse 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-synapse 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-synapse 2>/dev/null' ExecReload={{ matrix_host_command_docker }} exec matrix-synapse /bin/sh -c 'kill -HUP 1' Restart=always RestartSec=30 diff --git a/roles/matrix-synapse/vars/workers.yml b/roles/matrix-synapse/vars/workers.yml index def223f8..1a279ad6 100644 --- a/roles/matrix-synapse/vars/workers.yml +++ b/roles/matrix-synapse/vars/workers.yml @@ -33,7 +33,7 @@ matrix_synapse_workers_generic_worker_endpoints: - ^/_matrix/federation/v1/get_groups_publicised$ - ^/_matrix/key/v2/query - ^/_matrix/federation/unstable/org.matrix.msc2946/spaces/ - - ^/_matrix/federation/unstable/org.matrix.msc2946/hierarchy/ + - ^/_matrix/federation/(v1|unstable/org.matrix.msc2946)/hierarchy/ # Inbound federation transaction request - ^/_matrix/federation/v1/send/ @@ -46,7 +46,7 @@ matrix_synapse_workers_generic_worker_endpoints: - ^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/members$ - ^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/state$ - ^/_matrix/client/unstable/org.matrix.msc2946/rooms/.*/spaces$ - - ^/_matrix/client/unstable/org.matrix.msc2946/rooms/.*/hierarchy$ + - ^/_matrix/client/(v1|unstable/org.matrix.msc2946)/rooms/.*/hierarchy$ - ^/_matrix/client/unstable/im.nheko.summary/rooms/.*/summary$ - ^/_matrix/client/(api/v1|r0|v3|unstable)/account/3pid$ - ^/_matrix/client/(api/v1|r0|v3|unstable)/devices$ diff --git a/setup.yml b/setup.yml index 42613d96..aa1ea68b 100755 --- a/setup.yml +++ b/setup.yml @@ -20,6 +20,7 @@ - matrix-bridge-appservice-irc - matrix-bridge-beeper-linkedin - matrix-bridge-mautrix-facebook + - matrix-bridge-mautrix-twitter - matrix-bridge-mautrix-hangouts - matrix-bridge-mautrix-googlechat - matrix-bridge-mautrix-instagram @@ -36,9 +37,11 @@ - matrix-bridge-sms - matrix-bridge-heisenbridge - matrix-bot-matrix-reminder-bot + - matrix-bot-honoroit - matrix-bot-go-neb - matrix-bot-mjolnir - matrix-synapse + - matrix-dendrite - matrix-synapse-admin - matrix-prometheus-node-exporter - matrix-prometheus @@ -46,6 +49,7 @@ - matrix-registration - matrix-client-element - matrix-client-hydrogen + - matrix-client-cinny - matrix-jitsi - matrix-ma1sd - matrix-dimension