From 2d2e6986a1f35a6ca5b3d5cdbc474d18b0efb3a6 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 4 Nov 2021 00:28:58 +0200 Subject: [PATCH 001/202] Add missing space --- docs/configuring-playbook-prometheus-grafana.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/configuring-playbook-prometheus-grafana.md b/docs/configuring-playbook-prometheus-grafana.md index 2bb88a3c..892bffb2 100644 --- a/docs/configuring-playbook-prometheus-grafana.md +++ b/docs/configuring-playbook-prometheus-grafana.md @@ -55,7 +55,7 @@ Name | Description `matrix_synapse_metrics_enabled`|Set this to `true` to make Synapse expose metrics (locally, on the container network) `matrix_nginx_proxy_proxy_synapse_metrics`|Set this to `true` to make matrix-nginx-proxy expose the Synapse metrics at `https://matrix.DOMAIN/_synapse/metrics` `matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_enabled`|Set this to `true` to password-protect (using HTTP Basic Auth) `https://matrix.DOMAIN/_synapse/metrics` (the username is always `prometheus`, the password is defined in `matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_key`) -`matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_key`|Set this to a password to use for HTTP Basic Auth for protecting `https://matrix.DOMAIN/_synapse/metrics` (the username is always `prometheus` - it's not configurable).Do not write the password in plain text. See `man 1 htpasswd` or use `htpasswd -c mypass.htpasswd prometheus` to generate the expected hash for nginx. +`matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_key`|Set this to a password to use for HTTP Basic Auth for protecting `https://matrix.DOMAIN/_synapse/metrics` (the username is always `prometheus` - it's not configurable). Do not write the password in plain text. See `man 1 htpasswd` or use `htpasswd -c mypass.htpasswd prometheus` to generate the expected hash for nginx. `matrix_server_fqn_grafana`|Use this variable to override the domain at which the Grafana web user-interface is at (defaults to `stats.DOMAIN`) ### Collecting worker metrics to an external Prometheus server From 6b07ee3b582e06b92e9e237a68cff4b4bfa68acd Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 23 Nov 2021 14:50:07 +0200 Subject: [PATCH 002/202] Upgrade Synapse (1.47.0 -> 1.47.1) - security fixes Learn more here: https://github.com/matrix-org/synapse/releases/tag/v1.47.1 --- roles/matrix-synapse/defaults/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index dc8a9eb0..56d448df 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -15,8 +15,8 @@ matrix_synapse_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_cont # amd64 gets released first. # arm32 relies on self-building, so the same version can be built immediately. # arm64 users need to wait for a prebuilt image to become available. -matrix_synapse_version: v1.47.0 -matrix_synapse_version_arm64: v1.47.0 +matrix_synapse_version: v1.47.1 +matrix_synapse_version_arm64: v1.47.1 matrix_synapse_docker_image_tag: "{{ matrix_synapse_version if matrix_architecture in ['arm32', 'amd64'] else matrix_synapse_version_arm64 }}" matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}" From e8a57ad432ed40d01078a12db471ce515d29d38b Mon Sep 17 00:00:00 2001 From: Toni Spets Date: Tue, 23 Nov 2021 15:03:09 +0200 Subject: [PATCH 003/202] Upgrade Heisenbridge (1.7.0 -> 1.7.1) --- roles/matrix-bridge-heisenbridge/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-bridge-heisenbridge/defaults/main.yml b/roles/matrix-bridge-heisenbridge/defaults/main.yml index 9a769432..cd5a0858 100644 --- a/roles/matrix-bridge-heisenbridge/defaults/main.yml +++ b/roles/matrix-bridge-heisenbridge/defaults/main.yml @@ -3,7 +3,7 @@ matrix_heisenbridge_enabled: true -matrix_heisenbridge_version: 1.7.0 +matrix_heisenbridge_version: 1.7.1 matrix_heisenbridge_docker_image: "{{ matrix_container_global_registry_prefix }}hif1/heisenbridge:{{ matrix_heisenbridge_version }}" matrix_heisenbridge_docker_image_force_pull: "{{ matrix_heisenbridge_docker_image.endswith(':latest') }}" From 37191d98c5095a5dca440d590796342954ac5b26 Mon Sep 17 00:00:00 2001 From: PC-Admin Date: Wed, 24 Nov 2021 10:43:25 +0800 Subject: [PATCH 004/202] GoMatrixHosting v0.6.6 --- roles/matrix-awx/tasks/purge_database_build_list.yml | 11 ----------- roles/matrix-awx/tasks/purge_database_main.yml | 4 ++-- roles/matrix-awx/tasks/purge_media_main.yml | 8 +++++--- roles/matrix-awx/tasks/set_variables_dimension.yml | 4 ++-- roles/matrix-common-after/tasks/awx_post.yml | 12 ++++++------ 5 files changed, 15 insertions(+), 24 deletions(-) delete mode 100644 roles/matrix-awx/tasks/purge_database_build_list.yml diff --git a/roles/matrix-awx/tasks/purge_database_build_list.yml b/roles/matrix-awx/tasks/purge_database_build_list.yml deleted file mode 100644 index 339510f0..00000000 --- a/roles/matrix-awx/tasks/purge_database_build_list.yml +++ /dev/null @@ -1,11 +0,0 @@ ---- - -- name: Collect entire room list into stdout - shell: | - curl -X GET --header "Authorization: Bearer {{ janitors_token.stdout[1:-1] }}" '{{ synapse_container_ip.stdout }}:{{ matrix_synapse_container_client_api_port }}/_synapse/admin/v1/rooms?from={{ item }}' - register: awx_rooms_output - -- name: Print stdout to file - delegate_to: 127.0.0.1 - shell: | - echo '{{ awx_rooms_output.stdout }}' >> /tmp/{{ subscription_id }}_room_list_complete.json diff --git a/roles/matrix-awx/tasks/purge_database_main.yml b/roles/matrix-awx/tasks/purge_database_main.yml index 2cdf0330..1e16c4ad 100644 --- a/roles/matrix-awx/tasks/purge_database_main.yml +++ b/roles/matrix-awx/tasks/purge_database_main.yml @@ -29,9 +29,9 @@ when: (awx_purge_mode.find("No local users [recommended]") != -1) or (awx_purge_mode.find("Number of users [slower]") != -1) or (awx_purge_mode.find("Number of events [slower]") != -1) register: awx_synapse_container_ip -- name: Collect access token for janitor user +- name: Collect access token for @_janitor user shell: | - curl -X POST -d '{"type":"m.login.password", "user":"janitor", "password":"{{ awx_janitor_user_password }}"}' "{{ awx_synapse_container_ip.stdout }}:{{ matrix_synapse_container_client_api_port }}/_matrix/client/r0/login" | jq '.access_token' + curl -X POST -d '{"type":"m.login.password", "user":"_janitor", "password":"{{ awx_janitor_user_password }}"}' "{{ awx_synapse_container_ip.stdout }}:{{ matrix_synapse_container_client_api_port }}/_matrix/client/r0/login" | jq '.access_token' when: (awx_purge_mode.find("No local users [recommended]") != -1) or (awx_purge_mode.find("Number of users [slower]") != -1) or (awx_purge_mode.find("Number of events [slower]") != -1) register: awx_janitors_token no_log: True diff --git a/roles/matrix-awx/tasks/purge_media_main.yml b/roles/matrix-awx/tasks/purge_media_main.yml index 0c322b85..59e0d89c 100644 --- a/roles/matrix-awx/tasks/purge_media_main.yml +++ b/roles/matrix-awx/tasks/purge_media_main.yml @@ -21,21 +21,22 @@ shell: "/usr/bin/docker inspect --format '{''{range.NetworkSettings.Networks}''}{''{.IPAddress}''}{''{end}''}' matrix-synapse" register: awx_synapse_container_ip -- name: Collect access token for janitor user +- name: Collect access token for @_janitor user shell: | - curl -XPOST -d '{"type":"m.login.password", "user":"janitor", "password":"{{ awx_janitor_user_password }}"}' "{{ awx_synapse_container_ip.stdout }}:{{ matrix_synapse_container_client_api_port }}/_matrix/client/r0/login" | jq '.access_token' + curl -XPOST -d '{"type":"m.login.password", "user":"_janitor", "password":"{{ awx_janitor_user_password }}"}' "{{ awx_synapse_container_ip.stdout }}:{{ matrix_synapse_container_client_api_port }}/_matrix/client/r0/login" | jq '.access_token' register: awx_janitors_token no_log: True - name: Generate list of dates to purge to delegate_to: 127.0.0.1 - shell: "dateseq {{ matrix_purge_from_date }} {{ matrix_purge_to_date }}" + shell: "dateseq {{ awx_purge_from_date }} {{ awx_purge_to_date }}" register: awx_purge_dates - name: Calculate initial size of local media repository shell: du -sh /matrix/synapse/storage/media-store/local* register: awx_local_media_size_before when: awx_purge_media_type == "Local Media" + async: 600 ignore_errors: yes no_log: True @@ -43,6 +44,7 @@ shell: du -sh /matrix/synapse/storage/media-store/remote* register: awx_remote_media_size_before when: awx_purge_media_type == "Remote Media" + async: 600 ignore_errors: yes no_log: True diff --git a/roles/matrix-awx/tasks/set_variables_dimension.yml b/roles/matrix-awx/tasks/set_variables_dimension.yml index d5e51c6b..0db01c57 100644 --- a/roles/matrix-awx/tasks/set_variables_dimension.yml +++ b/roles/matrix-awx/tasks/set_variables_dimension.yml @@ -12,9 +12,9 @@ - curl state: present -- name: Collect access token of Dimension user +- name: Collect access token of @_dimension user shell: | - curl -X POST --header 'Content-Type: application/json' -d '{ "identifier": { "type": "m.id.user","user": "dimension" }, "password": "{{ awx_dimension_user_password }}", "type": "m.login.password"}' 'https://matrix.{{ matrix_domain }}/_matrix/client/r0/login' | jq -c '. | {access_token}' | sed 's/.*\":\"//' | sed 's/\"}//' + curl -X POST --header 'Content-Type: application/json' -d '{ "identifier": { "type": "m.id.user","user": "_dimension" }, "password": "{{ awx_dimension_user_password }}", "type": "m.login.password"}' 'https://matrix.{{ matrix_domain }}/_matrix/client/r0/login' | jq -c '. | {access_token}' | sed 's/.*\":\"//' | sed 's/\"}//' register: awx_dimension_user_access_token - name: Record Synapse variables locally on AWX diff --git a/roles/matrix-common-after/tasks/awx_post.yml b/roles/matrix-common-after/tasks/awx_post.yml index 4fbd5e55..278855fb 100644 --- a/roles/matrix-common-after/tasks/awx_post.yml +++ b/roles/matrix-common-after/tasks/awx_post.yml @@ -1,8 +1,8 @@ --- -- name: Create user account @janitor +- name: Create user account @_janitor command: | - /usr/local/bin/matrix-synapse-register-user janitor {{ awx_janitor_user_password | quote }} 1 + /usr/local/bin/matrix-synapse-register-user _janitor {{ awx_janitor_user_password | quote }} 1 register: cmd when: not awx_janitor_user_created|bool no_log: True @@ -18,9 +18,9 @@ 'awx_janitor_user_created': 'true' when: not awx_janitor_user_created|bool -- name: Create user account @dimension +- name: Create user account @_dimension command: | - /usr/local/bin/matrix-synapse-register-user dimension {{ awx_dimension_user_password | quote }} 0 + /usr/local/bin/matrix-synapse-register-user _dimension {{ awx_dimension_user_password | quote }} 0 register: cmd when: not awx_dimension_user_created|bool no_log: True @@ -36,9 +36,9 @@ 'awx_dimension_user_created': 'true' when: not awx_dimension_user_created|bool -- name: Create user account @mjolnir +- name: Create user account @_mjolnir command: | - /usr/local/bin/matrix-synapse-register-user mjolnir {{ awx_mjolnir_user_password | quote }} 0 + /usr/local/bin/matrix-synapse-register-user _mjolnir {{ awx_mjolnir_user_password | quote }} 0 register: cmd when: not awx_mjolnir_user_created|bool no_log: True From 3a9fe48deb025b5d49256675bf563f81c39f910b Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 24 Nov 2021 11:32:06 +0200 Subject: [PATCH 005/202] Make matrix-nginx-proxy's X-Forwarded-For header customizable Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1393 --- docs/configuring-playbook-own-webserver.md | 3 +++ roles/matrix-nginx-proxy/defaults/main.yml | 5 +++++ .../templates/nginx/conf.d/matrix-bot-go-neb.conf.j2 | 2 +- .../nginx/conf.d/matrix-client-element.conf.j2 | 2 +- .../nginx/conf.d/matrix-client-hydrogen.conf.j2 | 2 +- .../templates/nginx/conf.d/matrix-dimension.conf.j2 | 2 +- .../templates/nginx/conf.d/matrix-domain.conf.j2 | 12 ++++++------ .../templates/nginx/conf.d/matrix-grafana.conf.j2 | 2 +- .../templates/nginx/conf.d/matrix-jitsi.conf.j2 | 6 +++--- .../templates/nginx/conf.d/matrix-sygnal.conf.j2 | 2 +- 10 files changed, 23 insertions(+), 15 deletions(-) diff --git a/docs/configuring-playbook-own-webserver.md b/docs/configuring-playbook-own-webserver.md index 6a33ffbe..0f525df8 100644 --- a/docs/configuring-playbook-own-webserver.md +++ b/docs/configuring-playbook-own-webserver.md @@ -111,6 +111,9 @@ matrix_coturn_enabled: false # Trust the reverse proxy to send the correct `X-Forwarded-Proto` header as it is handling the SSL connection. matrix_nginx_proxy_trust_forwarded_proto: true + +# Trust and use the other reverse proxy's `X-Forwarded-For` header. +matrix_nginx_proxy_x_forwarded_for: '$proxy_add_x_forwarded_for' ``` With this, nginx would still be in use, but it would not bother with anything SSL related or with taking up public ports. diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index 5a4a873c..a2a2a6b9 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -382,6 +382,11 @@ matrix_nginx_proxy_ssl_prefer_server_ciphers: "{{ matrix_nginx_proxy_ssl_presets # To see the full list for suportes ciphers run `openssl ciphers` on your server matrix_nginx_proxy_ssl_ciphers: "{{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['ciphers'] }}" +# Specifies what to use for the X-Forwarded-For variable. +# If you're fronting the nginx reverse-proxy with additional reverse-proxy servers, +# you may wish to set this to '$proxy_add_x_forwarded_for' instead. +matrix_nginx_proxy_x_forwarded_for: '$remote_addr' + # Controls whether the self-check feature should validate SSL certificates. matrix_nginx_proxy_self_check_validate_certificates: true diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-bot-go-neb.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-bot-go-neb.conf.j2 index 79269f43..e5589f55 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-bot-go-neb.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-bot-go-neb.conf.j2 @@ -27,7 +27,7 @@ {% endif %} proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Forwarded-For {{ matrix_nginx_proxy_x_forwarded_for }}; } {% endmacro %} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 index 095d5fcf..dea91b21 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 @@ -35,7 +35,7 @@ {% endif %} proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Forwarded-For {{ matrix_nginx_proxy_x_forwarded_for }}; } {% endmacro %} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-hydrogen.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-hydrogen.conf.j2 index c0794205..e9428c55 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-hydrogen.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-hydrogen.conf.j2 @@ -33,7 +33,7 @@ {% endif %} proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Forwarded-For {{ matrix_nginx_proxy_x_forwarded_for }}; } {% endmacro %} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 index 292cc4c2..07347be6 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 @@ -30,7 +30,7 @@ {% endif %} proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Forwarded-For {{ matrix_nginx_proxy_x_forwarded_for }}; } {% endmacro %} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 index 02201b9c..4abcd40a 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 @@ -58,7 +58,7 @@ {% endif %} proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Forwarded-For {{ matrix_nginx_proxy_x_forwarded_for }}; proxy_set_header X-Forwarded-Proto {{ matrix_nginx_proxy_x_forwarded_proto_value }}; } {% endif %} @@ -76,7 +76,7 @@ {% endif %} proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Forwarded-For {{ matrix_nginx_proxy_x_forwarded_for }}; proxy_set_header X-Forwarded-Proto {{ matrix_nginx_proxy_x_forwarded_proto_value }}; } {% endif %} @@ -94,7 +94,7 @@ {% endif %} proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Forwarded-For {{ matrix_nginx_proxy_x_forwarded_for }}; } {% endif %} @@ -111,7 +111,7 @@ {% endif %} proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Forwarded-For {{ matrix_nginx_proxy_x_forwarded_for }}; proxy_set_header X-Forwarded-Proto {{ matrix_nginx_proxy_x_forwarded_proto_value }}; } {% endif %} @@ -136,7 +136,7 @@ {% endif %} proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Forwarded-For {{ matrix_nginx_proxy_x_forwarded_for }}; proxy_set_header X-Forwarded-Proto {{ matrix_nginx_proxy_x_forwarded_proto_value }}; client_body_buffer_size 25M; @@ -284,7 +284,7 @@ server { {% endif %} proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Forwarded-For {{ matrix_nginx_proxy_x_forwarded_for }}; proxy_set_header X-Forwarded-Proto {{ matrix_nginx_proxy_x_forwarded_proto_value }}; client_body_buffer_size 25M; diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-grafana.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-grafana.conf.j2 index 209c1cd0..def67f66 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-grafana.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-grafana.conf.j2 @@ -37,7 +37,7 @@ {% endif %} proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Forwarded-For {{ matrix_nginx_proxy_x_forwarded_for }}; } {% endmacro %} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 index 7fccce94..54b8ea43 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 @@ -30,7 +30,7 @@ {% endif %} proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Forwarded-For {{ matrix_nginx_proxy_x_forwarded_for }}; } # colibri (JVB) websockets @@ -45,7 +45,7 @@ {% endif %} proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Forwarded-For {{ matrix_nginx_proxy_x_forwarded_for }}; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; @@ -70,7 +70,7 @@ proxy_read_timeout 900s; proxy_set_header Connection "upgrade"; proxy_set_header Upgrade $http_upgrade; - proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Forwarded-For {{ matrix_nginx_proxy_x_forwarded_for }}; proxy_set_header X-Forwarded-Proto {{ matrix_nginx_proxy_x_forwarded_proto_value }}; tcp_nodelay on; } diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-sygnal.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-sygnal.conf.j2 index ba442b37..0f33c0a7 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-sygnal.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-sygnal.conf.j2 @@ -28,7 +28,7 @@ {% endif %} proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Forwarded-For {{ matrix_nginx_proxy_x_forwarded_for }}; proxy_set_header X-Forwarded-Proto {{ matrix_nginx_proxy_x_forwarded_proto_value }}; } {% endmacro %} From ae45254d83387b349c4ce4daa142c41c6252bcf3 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 24 Nov 2021 11:34:30 +0200 Subject: [PATCH 006/202] Add missing headers in Traefik v2 example Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1393 --- docs/configuring-playbook-own-webserver.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/docs/configuring-playbook-own-webserver.md b/docs/configuring-playbook-own-webserver.md index 0f525df8..fb970ef0 100644 --- a/docs/configuring-playbook-own-webserver.md +++ b/docs/configuring-playbook-own-webserver.md @@ -139,6 +139,12 @@ matrix_nginx_proxy_https_enabled: false matrix_nginx_proxy_container_http_host_bind_port: '' matrix_nginx_proxy_container_federation_host_bind_port: '' +# Trust the reverse proxy to send the correct `X-Forwarded-Proto` header as it is handling the SSL connection. +matrix_nginx_proxy_trust_forwarded_proto: true + +# Trust and use the other reverse proxy's `X-Forwarded-For` header. +matrix_nginx_proxy_x_forwarded_for: '$proxy_add_x_forwarded_for' + # Disable Coturn because it needs SSL certs # (Clients can, though exposing IP address, use Matrix.org TURN) matrix_coturn_enabled: false From 87a2240dc268ff8fbd755dba41bdfb95a029694b Mon Sep 17 00:00:00 2001 From: Stefan Warnat Date: Wed, 24 Nov 2021 13:02:29 +0100 Subject: [PATCH 007/202] Create requirements.yml Add collections for simple awx compatiblity --- collections/requirements.yml | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 collections/requirements.yml diff --git a/collections/requirements.yml b/collections/requirements.yml new file mode 100644 index 00000000..2872cc53 --- /dev/null +++ b/collections/requirements.yml @@ -0,0 +1,3 @@ +--- +collections: + - name: community.general.docker_network From 4d5d855ff1ca11f7729846b1b107dd906e848122 Mon Sep 17 00:00:00 2001 From: Stefan Warnat Date: Wed, 24 Nov 2021 13:03:28 +0100 Subject: [PATCH 008/202] Update requirements.yml Correct collections name --- collections/requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/collections/requirements.yml b/collections/requirements.yml index 2872cc53..afc836d7 100644 --- a/collections/requirements.yml +++ b/collections/requirements.yml @@ -1,3 +1,3 @@ --- collections: - - name: community.general.docker_network + - name: community.general From 65bb34c1ad09ea7b674c15d053df7b8ab953eccc Mon Sep 17 00:00:00 2001 From: Stefan Warnat Date: Wed, 24 Nov 2021 13:15:34 +0100 Subject: [PATCH 009/202] Update requirements.yml Use correct collection for docker commands --- collections/requirements.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/collections/requirements.yml b/collections/requirements.yml index afc836d7..9d365441 100644 --- a/collections/requirements.yml +++ b/collections/requirements.yml @@ -1,3 +1,4 @@ --- collections: - name: community.general + - name: community.docker From cfc79ebe2902fe6e0e69b10315e1e62520657279 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 25 Nov 2021 09:21:05 +0200 Subject: [PATCH 010/202] Upgrade exim-relay (4.94.2-r0-5 -> 4.95-r0) --- roles/matrix-mailer/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-mailer/defaults/main.yml b/roles/matrix-mailer/defaults/main.yml index e60ea50f..f006568f 100644 --- a/roles/matrix-mailer/defaults/main.yml +++ b/roles/matrix-mailer/defaults/main.yml @@ -7,7 +7,7 @@ matrix_mailer_container_image_self_build_repository_url: "https://github.com/dev matrix_mailer_container_image_self_build_src_files_path: "{{ matrix_mailer_base_path }}/docker-src" matrix_mailer_container_image_self_build_version: "{{ matrix_mailer_docker_image.split(':')[1] }}" -matrix_mailer_version: 4.94.2-r0-5 +matrix_mailer_version: 4.95-r0 matrix_mailer_docker_image: "{{ matrix_mailer_docker_image_name_prefix }}devture/exim-relay:{{ matrix_mailer_version }}" matrix_mailer_docker_image_name_prefix: "{{ 'localhost/' if matrix_mailer_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_mailer_docker_image_force_pull: "{{ matrix_mailer_docker_image.endswith(':latest') }}" From 61391647e9681968f65096223507c6645ad03acb Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 26 Nov 2021 15:25:18 +0200 Subject: [PATCH 011/202] Make /.well-known/matrix/client and /.well-known/matrix/server customizable We recently had someone need to inject additional configuration into `/.well-known/matrix/client` as described here: https://github.com/turt2live/matrix-dimension/blob/22b245bbd11f7067b09c5f17efc48fc9c629b743/docs/bigbluebutton.md#have-dimension-create-meetings-with-elements-video-call-button There may be other use cases as well. --- roles/matrix-base/defaults/main.yml | 66 ++++++++++++++++++++ roles/matrix-base/tasks/setup_well_known.yml | 8 +-- 2 files changed, 70 insertions(+), 4 deletions(-) diff --git a/roles/matrix-base/defaults/main.yml b/roles/matrix-base/defaults/main.yml index 6639c223..4767bcf4 100644 --- a/roles/matrix-base/defaults/main.yml +++ b/roles/matrix-base/defaults/main.yml @@ -118,6 +118,72 @@ matrix_client_element_e2ee_secure_backup_required: false # See: https://github.com/vector-im/element-web/blob/develop/docs/e2ee.md matrix_client_element_e2ee_secure_backup_setup_methods: [] +# Default `/.well-known/matrix/client` configuration - it covers the generic use case. +# You can customize it by controlling the various variables inside the template file that it references. +# +# For a more advanced customization, you can extend the default (see `matrix_well_known_matrix_client_configuration_extension_json`) +# or completely replace this variable with your own template. +# +# The side-effect of this lookup is that Ansible would even parse the JSON for us, returning a dict. +# This is unlike what it does when looking up YAML template files (no automatic parsing there). +matrix_well_known_matrix_client_configuration_default: "{{ lookup('template', 'templates/static-files/well-known/matrix-client.j2') }}" + +# Your custom JSON configuration for `/.well-known/matrix/client` should go to `matrix_well_known_matrix_client_configuration_extension_json`. +# This configuration extends the default starting configuration (`matrix_well_known_matrix_client_configuration_default`). +# +# You can override individual variables from the default configuration, or introduce new ones. +# +# If you need something more special, you can take full control by +# completely redefining `matrix_well_known_matrix_client_configuration`. +# +# Example configuration extension follows: +# +# matrix_well_known_matrix_client_configuration_extension_json: | +# { +# "io.element.call_behaviour": { +# "widget_build_url": "https://dimension.example.com/api/v1/dimension/bigbluebutton/widget_state" +# } +# } +matrix_well_known_matrix_client_configuration_extension_json: '{}' + +matrix_well_known_matrix_client_configuration_extension: "{{ matrix_well_known_matrix_client_configuration_extension_json|from_json if matrix_well_known_matrix_client_configuration_extension_json|from_json is mapping else {} }}" + +# Holds the final `/.well-known/matrix/client` configuration (a combination of the default and its extension). +# You most likely don't need to touch this variable. Instead, see `matrix_well_known_matrix_client_configuration_default` and `matrix_well_known_matrix_client_configuration_extension_json`. +matrix_well_known_matrix_client_configuration: "{{ matrix_well_known_matrix_client_configuration_default|combine(matrix_well_known_matrix_client_configuration_extension, recursive=True) }}" + +# Default `/.well-known/matrix/server` configuration - it covers the generic use case. +# You can customize it by controlling the various variables inside the template file that it references. +# +# For a more advanced customization, you can extend the default (see `matrix_well_known_matrix_server_configuration_extension_json`) +# or completely replace this variable with your own template. +# +# The side-effect of this lookup is that Ansible would even parse the JSON for us, returning a dict. +# This is unlike what it does when looking up YAML template files (no automatic parsing there). +matrix_well_known_matrix_server_configuration_default: "{{ lookup('template', 'templates/static-files/well-known/matrix-server.j2') }}" + +# Your custom JSON configuration for `/.well-known/matrix/server` should go to `matrix_well_known_matrix_server_configuration_extension_json`. +# This configuration extends the default starting configuration (`matrix_well_known_matrix_server_configuration_default`). +# +# You can override individual variables from the default configuration, or introduce new ones. +# +# If you need something more special, you can take full control by +# completely redefining `matrix_well_known_matrix_server_configuration`. +# +# Example configuration extension follows: +# +# matrix_well_known_matrix_server_configuration_extension_json: | +# { +# "something": "another" +# } +matrix_well_known_matrix_server_configuration_extension_json: '{}' + +matrix_well_known_matrix_server_configuration_extension: "{{ matrix_well_known_matrix_server_configuration_extension_json|from_json if matrix_well_known_matrix_server_configuration_extension_json|from_json is mapping else {} }}" + +# Holds the final `/.well-known/matrix/server` configuration (a combination of the default and its extension). +# You most likely don't need to touch this variable. Instead, see `matrix_well_known_matrix_server_configuration_default` and `matrix_well_known_matrix_server_configuration_extension_json`. +matrix_well_known_matrix_server_configuration: "{{ matrix_well_known_matrix_server_configuration_default|combine(matrix_well_known_matrix_server_configuration_extension, recursive=True) }}" + # The Docker network that all services would be put into matrix_docker_network: "matrix" diff --git a/roles/matrix-base/tasks/setup_well_known.yml b/roles/matrix-base/tasks/setup_well_known.yml index 3b81ce1e..11ee48b9 100644 --- a/roles/matrix-base/tasks/setup_well_known.yml +++ b/roles/matrix-base/tasks/setup_well_known.yml @@ -13,16 +13,16 @@ - "{{ matrix_static_files_base_path }}/.well-known/matrix" - name: Ensure Matrix /.well-known/matrix/client file configured - template: - src: "{{ role_path }}/templates/static-files/well-known/matrix-client.j2" + copy: + content: "{{ matrix_well_known_matrix_client_configuration|to_nice_json }}" dest: "{{ matrix_static_files_base_path }}/.well-known/matrix/client" mode: 0644 owner: "{{ matrix_user_username }}" group: "{{ matrix_user_groupname }}" - name: Ensure Matrix /.well-known/matrix/server file configured - template: - src: "{{ role_path }}/templates/static-files/well-known/matrix-server.j2" + copy: + content: "{{ matrix_well_known_matrix_server_configuration|to_nice_json }}" dest: "{{ matrix_static_files_base_path }}/.well-known/matrix/server" mode: 0644 owner: "{{ matrix_user_username }}" From ab602385180944c403ff9aafd88944b3bf9f5cc5 Mon Sep 17 00:00:00 2001 From: Christos Karamolegkos Date: Fri, 26 Nov 2021 19:51:05 +0200 Subject: [PATCH 012/202] Support encrypted matrix_synapse_macaroon_secret_key This change forces ansible to decrypt the variable with ansible-vault if encrypted, to avoid the error '{"msg": "Unexpected templating type error occurred on ({{ matrix_synapse_macaroon_secret_key | password_hash('sha512') }}): secret must be unicode or bytes, not ansible.parsing.yaml.objects.AnsibleVaultEncryptedUnicode"}' Every other variable in the playbook was found to have no problems with encryption. The change has no negative impact on non-encrypted matrix_synapse_macaroon_secret_key. --- group_vars/matrix_servers | 146 +++++++++++++++++++------------------- 1 file changed, 73 insertions(+), 73 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 377c27cd..7b2a7494 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -79,14 +79,14 @@ matrix_appservice_discord_systemd_required_services_list: | (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_appservice_discord_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'discord.as.token') | to_uuid }}" +matrix_appservice_discord_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'discord.as.token') | to_uuid }}" -matrix_appservice_discord_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'discord.hs.token') | to_uuid }}" +matrix_appservice_discord_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'discord.hs.token') | to_uuid }}" # We only make this use Postgres if our own Postgres server is enabled. # It's only then (for now) that we can automatically create the necessary database and user for this service. matrix_appservice_discord_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_appservice_discord_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'as.discord.db') | to_uuid }}" +matrix_appservice_discord_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'as.discord.db') | to_uuid }}" ###################################################################### # @@ -111,12 +111,12 @@ matrix_appservice_webhooks_container_image_self_build: "{{ matrix_architecture ! # matrix-appservice-webhooks' client-server port to the local host. matrix_appservice_webhooks_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else ('127.0.0.1:' ~ matrix_appservice_webhooks_matrix_port) }}" -matrix_appservice_webhooks_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'webhook.as.token') | to_uuid }}" +matrix_appservice_webhooks_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'webhook.as.token') | to_uuid }}" matrix_appservice_webhooks_homeserver_url: "http://matrix-synapse:{{ matrix_synapse_container_client_api_port }}" -matrix_appservice_webhooks_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'webhook.hs.token') | to_uuid }}" +matrix_appservice_webhooks_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'webhook.hs.token') | to_uuid }}" -matrix_appservice_webhooks_id_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'webhook.id.token') | to_uuid }}" +matrix_appservice_webhooks_id_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'webhook.id.token') | to_uuid }}" matrix_appservice_webhooks_systemd_required_services_list: | {{ @@ -150,12 +150,12 @@ matrix_appservice_slack_container_self_build: "{{ matrix_architecture != 'amd64' # matrix-appservice-slack's client-server port to the local host. matrix_appservice_slack_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else ('127.0.0.1:' ~ matrix_appservice_slack_slack_port) }}" -matrix_appservice_slack_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'slack.as.token') | to_uuid }}" +matrix_appservice_slack_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'slack.as.token') | to_uuid }}" matrix_appservice_slack_homeserver_url: "http://matrix-synapse:{{ matrix_synapse_container_client_api_port }}" -matrix_appservice_slack_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'slack.hs.token') | to_uuid }}" +matrix_appservice_slack_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'slack.hs.token') | to_uuid }}" -matrix_appservice_slack_id_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'slack.id.token') | to_uuid }}" +matrix_appservice_slack_id_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'slack.id.token') | to_uuid }}" matrix_appservice_slack_systemd_required_services_list: | {{ @@ -168,7 +168,7 @@ matrix_appservice_slack_systemd_required_services_list: | # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_appservice_slack_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'nedb' }}" -matrix_appservice_slack_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'as.slack.db') | to_uuid }}" +matrix_appservice_slack_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'as.slack.db') | to_uuid }}" ###################################################################### # @@ -205,12 +205,12 @@ matrix_appservice_irc_systemd_required_services_list: | (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_appservice_irc_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'irc.as.token') | to_uuid }}" +matrix_appservice_irc_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'irc.as.token') | to_uuid }}" -matrix_appservice_irc_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'irc.hs.token') | to_uuid }}" +matrix_appservice_irc_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'irc.hs.token') | to_uuid }}" matrix_appservice_irc_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'nedb' }}" -matrix_appservice_irc_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'as.irc.db') | to_uuid }}" +matrix_appservice_irc_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'as.irc.db') | to_uuid }}" ###################################################################### @@ -240,15 +240,15 @@ matrix_beeper_linkedin_systemd_required_services_list: | (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_beeper_linkedin_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'linked.as.token') | to_uuid }}" +matrix_beeper_linkedin_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'linked.as.token') | to_uuid }}" -matrix_beeper_linkedin_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'linked.hs.token') | to_uuid }}" +matrix_beeper_linkedin_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'linked.hs.token') | to_uuid }}" matrix_beeper_linkedin_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" matrix_beeper_linkedin_bridge_presence: "{{ matrix_synapse_presence_enabled if matrix_synapse_enabled else true }}" -matrix_beeper_linkedin_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'maulinkedin.db') | to_uuid }}" +matrix_beeper_linkedin_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'maulinkedin.db') | to_uuid }}" ###################################################################### # @@ -278,9 +278,9 @@ matrix_mautrix_facebook_systemd_required_services_list: | (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_mautrix_facebook_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'fb.as.token') | to_uuid }}" +matrix_mautrix_facebook_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'fb.as.token') | to_uuid }}" -matrix_mautrix_facebook_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'fb.hs.token') | to_uuid }}" +matrix_mautrix_facebook_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'fb.hs.token') | to_uuid }}" matrix_mautrix_facebook_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" @@ -289,7 +289,7 @@ matrix_mautrix_facebook_bridge_presence: "{{ matrix_synapse_presence_enabled if # We'd like to force-set people with external Postgres to SQLite, so the bridge role can complain # and point them to a migration path. matrix_mautrix_facebook_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_mautrix_facebook_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mau.fb.db') | to_uuid }}" +matrix_mautrix_facebook_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mau.fb.db') | to_uuid }}" ###################################################################### # @@ -320,9 +320,9 @@ matrix_mautrix_hangouts_systemd_required_services_list: | (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_mautrix_hangouts_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'ho.as.token') | to_uuid }}" +matrix_mautrix_hangouts_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'ho.as.token') | to_uuid }}" -matrix_mautrix_hangouts_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'ho.hs.token') | to_uuid }}" +matrix_mautrix_hangouts_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'ho.hs.token') | to_uuid }}" matrix_mautrix_hangouts_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:9007' }}" @@ -330,7 +330,7 @@ matrix_mautrix_hangouts_login_shared_secret: "{{ matrix_synapse_ext_password_pro # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_mautrix_hangouts_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_mautrix_hangouts_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mau.hangouts.db') | to_uuid }}" +matrix_mautrix_hangouts_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mau.hangouts.db') | to_uuid }}" ###################################################################### # @@ -361,9 +361,9 @@ matrix_mautrix_googlechat_systemd_required_services_list: | (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_mautrix_googlechat_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'gc.as.token') | to_uuid }}" +matrix_mautrix_googlechat_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'gc.as.token') | to_uuid }}" -matrix_mautrix_googlechat_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'gc.hs.token') | to_uuid }}" +matrix_mautrix_googlechat_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'gc.hs.token') | to_uuid }}" matrix_mautrix_googlechat_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:9007' }}" @@ -371,7 +371,7 @@ matrix_mautrix_googlechat_login_shared_secret: "{{ matrix_synapse_ext_password_p # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_mautrix_googlechat_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_mautrix_googlechat_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mau.gc.db') | to_uuid }}" +matrix_mautrix_googlechat_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mau.gc.db') | to_uuid }}" ###################################################################### # @@ -402,9 +402,9 @@ matrix_mautrix_instagram_systemd_required_services_list: | (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_mautrix_instagram_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'ig.as.token') | to_uuid }}" +matrix_mautrix_instagram_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'ig.as.token') | to_uuid }}" -matrix_mautrix_instagram_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'ig.hs.token') | to_uuid }}" +matrix_mautrix_instagram_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'ig.hs.token') | to_uuid }}" matrix_mautrix_instagram_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" @@ -413,7 +413,7 @@ matrix_mautrix_instagram_bridge_presence: "{{ matrix_synapse_presence_enabled if # We'd like to force-set people with external Postgres to SQLite, so the bridge role can complain # and point them to a migration path. matrix_mautrix_instagram_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_mautrix_instagram_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mau.ig.db') | to_uuid }}" +matrix_mautrix_instagram_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mau.ig.db') | to_uuid }}" ###################################################################### # @@ -448,14 +448,14 @@ matrix_mautrix_signal_homeserver_domain: '{{ matrix_domain }}' matrix_mautrix_signal_homeserver_address: "{{ matrix_homeserver_container_url }}" -matrix_mautrix_signal_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'si.hs.token') | to_uuid }}" +matrix_mautrix_signal_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'si.hs.token') | to_uuid }}" -matrix_mautrix_signal_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'si.as.token') | to_uuid }}" +matrix_mautrix_signal_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'si.as.token') | to_uuid }}" matrix_mautrix_signal_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" matrix_mautrix_signal_database_engine: 'postgres' -matrix_mautrix_signal_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mau.signal.db') | to_uuid }}" +matrix_mautrix_signal_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mau.signal.db') | to_uuid }}" matrix_mautrix_signal_container_self_build: "{{ matrix_architecture not in ['amd64', 'arm64'] }}" matrix_mautrix_signal_daemon_container_self_build: "{{ matrix_architecture != 'amd64' }}" @@ -491,11 +491,11 @@ matrix_mautrix_telegram_systemd_required_services_list: | (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_mautrix_telegram_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'telegr.as.token') | to_uuid }}" +matrix_mautrix_telegram_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'telegr.as.token') | to_uuid }}" -matrix_mautrix_telegram_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'telegr.hs.token') | to_uuid }}" +matrix_mautrix_telegram_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'telegr.hs.token') | to_uuid }}" -matrix_mautrix_telegram_public_endpoint: "/{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'telegram') | to_uuid }}" +matrix_mautrix_telegram_public_endpoint: "/{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'telegram') | to_uuid }}" matrix_mautrix_telegram_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:9006' }}" @@ -503,7 +503,7 @@ matrix_mautrix_telegram_login_shared_secret: "{{ matrix_synapse_ext_password_pro # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_mautrix_telegram_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_mautrix_telegram_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mau.telegram.db') | to_uuid }}" +matrix_mautrix_telegram_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mau.telegram.db') | to_uuid }}" ###################################################################### # @@ -533,15 +533,15 @@ matrix_mautrix_whatsapp_systemd_required_services_list: | (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_mautrix_whatsapp_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'whats.as.token') | to_uuid }}" +matrix_mautrix_whatsapp_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'whats.as.token') | to_uuid }}" -matrix_mautrix_whatsapp_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'whats.hs.token') | to_uuid }}" +matrix_mautrix_whatsapp_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'whats.hs.token') | to_uuid }}" matrix_mautrix_whatsapp_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_mautrix_whatsapp_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_mautrix_whatsapp_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mauwhatsapp.db') | to_uuid }}" +matrix_mautrix_whatsapp_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mauwhatsapp.db') | to_uuid }}" ###################################################################### # @@ -567,10 +567,10 @@ matrix_sms_bridge_systemd_required_services_list: | (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_sms_bridge_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'sms.as.token') | to_uuid }}" +matrix_sms_bridge_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'sms.as.token') | to_uuid }}" matrix_sms_bridge_homeserver_port: "{{ matrix_synapse_container_client_api_port }}" -matrix_sms_bridge_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'sms.hs.token') | to_uuid }}" +matrix_sms_bridge_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'sms.hs.token') | to_uuid }}" ###################################################################### # @@ -587,9 +587,9 @@ matrix_sms_bridge_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | pas # We don't enable bridges by default. matrix_heisenbridge_enabled: false -matrix_heisenbridge_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'heisen.as.tok') | to_uuid }}" +matrix_heisenbridge_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'heisen.as.tok') | to_uuid }}" -matrix_heisenbridge_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'heisen.hs.tok') | to_uuid }}" +matrix_heisenbridge_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'heisen.hs.tok') | to_uuid }}" matrix_heisenbridge_systemd_wanted_services_list: | {{ @@ -626,15 +626,15 @@ matrix_mx_puppet_skype_systemd_required_services_list: | (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_mx_puppet_skype_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'skype.as.tok') | to_uuid }}" +matrix_mx_puppet_skype_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'skype.as.tok') | to_uuid }}" -matrix_mx_puppet_skype_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'skype.hs.tok') | to_uuid }}" +matrix_mx_puppet_skype_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'skype.hs.tok') | to_uuid }}" matrix_mx_puppet_skype_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_mx_puppet_skype_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_mx_puppet_skype_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxpup.skype.db') | to_uuid }}" +matrix_mx_puppet_skype_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mxpup.skype.db') | to_uuid }}" ###################################################################### # @@ -665,15 +665,15 @@ matrix_mx_puppet_slack_systemd_required_services_list: | (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_mx_puppet_slack_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxslk.as.tok') | to_uuid }}" +matrix_mx_puppet_slack_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mxslk.as.tok') | to_uuid }}" -matrix_mx_puppet_slack_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxslk.hs.tok') | to_uuid }}" +matrix_mx_puppet_slack_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mxslk.hs.tok') | to_uuid }}" matrix_mx_puppet_slack_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_mx_puppet_slack_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_mx_puppet_slack_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxpup.slack.db') | to_uuid }}" +matrix_mx_puppet_slack_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mxpup.slack.db') | to_uuid }}" ###################################################################### # @@ -703,9 +703,9 @@ matrix_mx_puppet_twitter_systemd_required_services_list: | (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_mx_puppet_twitter_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxtwt.as.tok') | to_uuid }}" +matrix_mx_puppet_twitter_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mxtwt.as.tok') | to_uuid }}" -matrix_mx_puppet_twitter_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxtwt.hs.tok') | to_uuid }}" +matrix_mx_puppet_twitter_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mxtwt.hs.tok') | to_uuid }}" matrix_mx_puppet_twitter_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" @@ -713,7 +713,7 @@ matrix_mx_puppet_twitter_container_http_host_bind_port: "{{ '' if matrix_nginx_p # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_mx_puppet_twitter_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_mx_puppet_twitter_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxpup.twitter.db') | to_uuid }}" +matrix_mx_puppet_twitter_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mxpup.twitter.db') | to_uuid }}" ###################################################################### # @@ -744,15 +744,15 @@ matrix_mx_puppet_instagram_systemd_required_services_list: | (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_mx_puppet_instagram_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxig.as.tok') | to_uuid }}" +matrix_mx_puppet_instagram_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mxig.as.tok') | to_uuid }}" -matrix_mx_puppet_instagram_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxig.hs.tok') | to_uuid }}" +matrix_mx_puppet_instagram_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mxig.hs.tok') | to_uuid }}" matrix_mx_puppet_instagram_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_mx_puppet_instagram_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_mx_puppet_instagram_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxpup.ig.db') | to_uuid }}" +matrix_mx_puppet_instagram_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mxpup.ig.db') | to_uuid }}" ###################################################################### # @@ -782,15 +782,15 @@ matrix_mx_puppet_discord_systemd_required_services_list: | (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_mx_puppet_discord_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxdsc.as.tok') | to_uuid }}" +matrix_mx_puppet_discord_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mxdsc.as.tok') | to_uuid }}" -matrix_mx_puppet_discord_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxdsc.hs.tok') | to_uuid }}" +matrix_mx_puppet_discord_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mxdsc.hs.tok') | to_uuid }}" matrix_mx_puppet_discord_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_mx_puppet_discord_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_mx_puppet_discord_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxpup.dsc.db') | to_uuid }}" +matrix_mx_puppet_discord_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mxpup.dsc.db') | to_uuid }}" ###################################################################### # @@ -820,15 +820,15 @@ matrix_mx_puppet_steam_systemd_required_services_list: | (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_mx_puppet_steam_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxste.as.tok') | to_uuid }}" +matrix_mx_puppet_steam_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mxste.as.tok') | to_uuid }}" -matrix_mx_puppet_steam_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxste.hs.tok') | to_uuid }}" +matrix_mx_puppet_steam_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mxste.hs.tok') | to_uuid }}" matrix_mx_puppet_steam_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_mx_puppet_steam_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_mx_puppet_steam_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxpup.steam.db') | to_uuid }}" +matrix_mx_puppet_steam_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mxpup.steam.db') | to_uuid }}" ###################################################################### # @@ -858,15 +858,15 @@ matrix_mx_puppet_groupme_systemd_required_services_list: | (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_mx_puppet_groupme_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxgro.as.tok') | to_uuid }}" +matrix_mx_puppet_groupme_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mxgro.as.tok') | to_uuid }}" -matrix_mx_puppet_groupme_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxgro.hs.tok') | to_uuid }}" +matrix_mx_puppet_groupme_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mxgro.hs.tok') | to_uuid }}" matrix_mx_puppet_groupme_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_mx_puppet_groupme_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_mx_puppet_groupme_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxpup.groupme.db') | to_uuid }}" +matrix_mx_puppet_groupme_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mxpup.groupme.db') | to_uuid }}" ###################################################################### # @@ -896,7 +896,7 @@ matrix_bot_matrix_reminder_bot_systemd_required_services_list: | # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_bot_matrix_reminder_bot_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_bot_matrix_reminder_bot_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'reminder.bot.db') | to_uuid }}" +matrix_bot_matrix_reminder_bot_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'reminder.bot.db') | to_uuid }}" matrix_bot_matrix_reminder_bot_container_self_build: "{{ matrix_architecture != 'amd64' }}" ###################################################################### @@ -1068,7 +1068,7 @@ matrix_dimension_systemd_required_services_list: | # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_dimension_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_dimension_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'dimension.db') | to_uuid }}" +matrix_dimension_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'dimension.db') | to_uuid }}" ###################################################################### # @@ -1093,7 +1093,7 @@ matrix_etherpad_systemd_required_services_list: | (['matrix-postgres.service'] if matrix_postgres_enabled else []) }} -matrix_etherpad_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'etherpad.db') | to_uuid }}" +matrix_etherpad_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'etherpad.db') | to_uuid }}" ###################################################################### # @@ -1152,9 +1152,9 @@ matrix_jitsi_jvb_container_colibri_ws_host_bind_port: "{{ '' if matrix_nginx_pro matrix_jitsi_prosody_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:5280' }}" -matrix_jitsi_jibri_xmpp_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'jibri') | to_uuid }}" -matrix_jitsi_jicofo_auth_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'jicofo') | to_uuid }}" -matrix_jitsi_jvb_auth_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'jvb') | to_uuid }}" +matrix_jitsi_jibri_xmpp_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'jibri') | to_uuid }}" +matrix_jitsi_jicofo_auth_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'jicofo') | to_uuid }}" +matrix_jitsi_jvb_auth_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'jvb') | to_uuid }}" matrix_jitsi_web_stun_servers: | {{ @@ -1257,7 +1257,7 @@ matrix_ma1sd_systemd_wanted_services_list: | # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_ma1sd_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_ma1sd_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'ma1sd.db') | to_uuid }}" +matrix_ma1sd_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'ma1sd.db') | to_uuid }}" ###################################################################### # @@ -1746,7 +1746,7 @@ matrix_synapse_container_manhole_api_host_bind_port: "{{ '127.0.0.1:9000' if mat # For exposing the Synapse worker (and metrics) ports to the local host. matrix_synapse_workers_container_host_bind_address: "{{ '127.0.0.1' if (matrix_synapse_workers_enabled and not matrix_nginx_proxy_enabled) else '' }}" -matrix_synapse_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'synapse.db') | to_uuid }}" +matrix_synapse_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'synapse.db') | to_uuid }}" # We do not enable TLS in Synapse by default. # TLS is handled by the matrix-nginx-proxy, which proxies the requests to Synapse. @@ -1897,7 +1897,7 @@ matrix_prometheus_scraper_postgres_targets: "{{ ['matrix-prometheus-postgres-exp ###################################################################### matrix_prometheus_postgres_exporter_enabled: false -matrix_prometheus_postgres_exporter_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'prometheus.pg.db') | to_uuid }}" +matrix_prometheus_postgres_exporter_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'prometheus.pg.db') | to_uuid }}" matrix_prometheus_postgres_exporter_systemd_required_services_list: | {{ @@ -1973,7 +1973,7 @@ matrix_registration_systemd_required_services_list: | # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_registration_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_registration_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mx.registr.db') | to_uuid }}" +matrix_registration_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mx.registr.db') | to_uuid }}" ###################################################################### # From 8e1463a6a156535f532f7afd161911a42caa6864 Mon Sep 17 00:00:00 2001 From: SkepticalWaves Date: Sun, 28 Nov 2021 21:59:33 -0500 Subject: [PATCH 013/202] Update matrix-bridge-mautrix-telegram version --- roles/matrix-bridge-mautrix-telegram/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-bridge-mautrix-telegram/defaults/main.yml b/roles/matrix-bridge-mautrix-telegram/defaults/main.yml index a105621a..f7c98950 100644 --- a/roles/matrix-bridge-mautrix-telegram/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-telegram/defaults/main.yml @@ -13,7 +13,7 @@ matrix_mautrix_telegram_container_self_build: false matrix_mautrix_telegram_docker_repo: "https://mau.dev/mautrix/telegram.git" matrix_mautrix_telegram_docker_src_files_path: "{{ matrix_base_data_path }}/mautrix-telegram/docker-src" -matrix_mautrix_telegram_version: v0.10.1 +matrix_mautrix_telegram_version: v0.10.2 # See: https://mau.dev/mautrix/telegram/container_registry matrix_mautrix_telegram_docker_image: "dock.mau.dev/mautrix/telegram:{{ matrix_mautrix_telegram_version }}" matrix_mautrix_telegram_docker_image_force_pull: "{{ matrix_mautrix_telegram_docker_image.endswith(':latest') }}" From 1472958e25c729f3fb9f6c018c2df947bcae97aa Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 30 Nov 2021 16:35:23 +0200 Subject: [PATCH 014/202] Upgrade Synapse (1.47.1 -> 1.48.0) --- roles/matrix-synapse/defaults/main.yml | 4 ++-- .../templates/synapse/homeserver.yaml.j2 | 14 ++++++++++---- roles/matrix-synapse/vars/workers.yml | 10 +++++----- 3 files changed, 17 insertions(+), 11 deletions(-) diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index 56d448df..e888ac92 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -15,8 +15,8 @@ matrix_synapse_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_cont # amd64 gets released first. # arm32 relies on self-building, so the same version can be built immediately. # arm64 users need to wait for a prebuilt image to become available. -matrix_synapse_version: v1.47.1 -matrix_synapse_version_arm64: v1.47.1 +matrix_synapse_version: v1.48.0 +matrix_synapse_version_arm64: v1.48.0 matrix_synapse_docker_image_tag: "{{ matrix_synapse_version if matrix_architecture in ['arm32', 'amd64'] else matrix_synapse_version_arm64 }}" matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}" diff --git a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 index 042ea083..f27fcb06 100644 --- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 @@ -667,8 +667,8 @@ tls_private_key_path: {{ matrix_synapse_tls_private_key_path|to_json }} # #federation_certificate_verification_whitelist: # - lon.example.com -# - *.domain.com -# - *.onion +# - "*.domain.com" +# - "*.onion" # List of custom certificate authorities for federation traffic. # @@ -2229,6 +2229,12 @@ sso: # #algorithm: "provided-by-your-issuer" + # Name of the claim containing a unique identifier for the user. + # + # Optional, defaults to `sub`. + # + #subject_claim: "sub" + # The issuer to validate the "iss" claim against. # # Optional, if provided the "iss" claim will be required and @@ -2637,8 +2643,8 @@ user_directory: # indexes were (re)built was before Synapse 1.44, you'll have to # rebuild the indexes in order to search through all known users. # These indexes are built the first time Synapse starts; admins can - # manually trigger a rebuild following the instructions at - # https://matrix-org.github.io/synapse/latest/user_directory.html + # manually trigger a rebuild via API following the instructions at + # https://matrix-org.github.io/synapse/latest/usage/administration/admin_api/background_updates.html#run # # Uncomment to return search results containing all known users, even if that # user does not share a room with the requester. diff --git a/roles/matrix-synapse/vars/workers.yml b/roles/matrix-synapse/vars/workers.yml index def223f8..2d6f393a 100644 --- a/roles/matrix-synapse/vars/workers.yml +++ b/roles/matrix-synapse/vars/workers.yml @@ -5,10 +5,10 @@ matrix_synapse_workers_generic_worker_endpoints: # expressions: # Sync requests - - ^/_matrix/client/(v2_alpha|r0|v3)/sync$ - - ^/_matrix/client/(api/v1|v2_alpha|r0|v3)/events$ - - ^/_matrix/client/(api/v1|r0|v3)/initialSync$ - - ^/_matrix/client/(api/v1|r0|v3)/rooms/[^/]+/initialSync$ + - ^/_matrix/client/(v2_alpha|r0)/sync$ + - ^/_matrix/client/(api/v1|v2_alpha|r0)/events$ + - ^/_matrix/client/(api/v1|r0)/initialSync$ + - ^/_matrix/client/(api/v1|r0)/rooms/[^/]+/initialSync$ # Federation requests - ^/_matrix/federation/v1/event/ @@ -63,7 +63,7 @@ matrix_synapse_workers_generic_worker_endpoints: # Registration/login requests - ^/_matrix/client/(api/v1|r0|v3|unstable)/login$ - - ^/_matrix/client/(r0|v3|unstable)/register$ + - ^/_matrix/client/(r0|unstable)/register$ - ^/_matrix/client/unstable/org.matrix.msc3231/register/org.matrix.msc3231.login.registration_token/validity$ # Event sending requests From c2c68f814b02832b54ddfeda45a7dd6a84aa2c72 Mon Sep 17 00:00:00 2001 From: felixx9 <51174875+felixx9@users.noreply.github.com> Date: Tue, 30 Nov 2021 22:07:04 +0100 Subject: [PATCH 015/202] Update importing-postgres.md typos an suggestion to expand search/replace statement to not replace on wrong places. --- docs/importing-postgres.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/importing-postgres.md b/docs/importing-postgres.md index 925ed14d..b72e7694 100644 --- a/docs/importing-postgres.md +++ b/docs/importing-postgres.md @@ -48,7 +48,7 @@ where `synapse_user` is the database username from the previous Synapse installa This can be verified by examining the dump for ALTER TABLE statements which set OWNER TO that username: ```Shell -$ grep "ALTER TABLE" homeserver.sql" +$ grep "ALTER TABLE" homeserver.sql ALTER TABLE public.access_tokens OWNER TO synapse_user; ALTER TABLE public.account_data OWNER TO synapse_user; ALTER TABLE public.account_data_max_stream_id OWNER TO synapse_user; @@ -60,10 +60,10 @@ ALTER TABLE public.application_services_state OWNER TO synapse_user; It can be worked around by changing the username to `synapse`, for example by using `sed`: ```Shell -$ sed -i "s/synapse_user/synapse/g" homeserver.sql +$ sed -i "s/OWNER TO synapse_user;/OWNER TO synapse;/g" homeserver.sql ``` -This uses sed to perform an 'in-place' (`-i`) replacement globally (`/g`), searching for `synapse user` and replacing with `synapse` (`s/synapse_user/synapse`). If your database username was different, change `synapse_user` to that username instead. +This uses sed to perform an 'in-place' (`-i`) replacement globally (`/g`), searching for `synapse_user` and replacing with `synapse` (`s/synapse_user/synapse`). If your database username was different, change `synapse_user` to that username instead. Expand search/replace statement as shown in example above, in case of old user name like `matrix` - replacing `matrix` only would... well - you can imagine. Note that if the previous import failed with an error it may have made changes which are incompatible with re-running the import task right away; if you do so it may fail with an error such as: From d584b44f1057fc2ce2d95fa0fa2c816e78ffb6a4 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 1 Dec 2021 08:13:06 +0200 Subject: [PATCH 016/202] Upgrade matrix-corporal (2.2.1 -> 2.2.2) --- roles/matrix-corporal/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-corporal/defaults/main.yml b/roles/matrix-corporal/defaults/main.yml index dfc71479..aede4d50 100644 --- a/roles/matrix-corporal/defaults/main.yml +++ b/roles/matrix-corporal/defaults/main.yml @@ -22,7 +22,7 @@ matrix_corporal_container_extra_arguments: [] # List of systemd services that matrix-corporal.service depends on matrix_corporal_systemd_required_services_list: ['docker.service'] -matrix_corporal_version: 2.2.1 +matrix_corporal_version: 2.2.2 matrix_corporal_docker_image: "{{ matrix_corporal_docker_image_name_prefix }}devture/matrix-corporal:{{ matrix_corporal_docker_image_tag }}" matrix_corporal_docker_image_name_prefix: "{{ 'localhost/' if matrix_corporal_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_corporal_docker_image_tag: "{{ matrix_corporal_version }}" # for backward-compatibility From 27e1451cbcc550abd66253fc88f84b9682aad4e8 Mon Sep 17 00:00:00 2001 From: WobbelTheBear Date: Thu, 2 Dec 2021 13:31:57 +0100 Subject: [PATCH 017/202] Update main.yml --- roles/matrix-grafana/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-grafana/defaults/main.yml b/roles/matrix-grafana/defaults/main.yml index 8e4bd7bb..8998e368 100644 --- a/roles/matrix-grafana/defaults/main.yml +++ b/roles/matrix-grafana/defaults/main.yml @@ -3,7 +3,7 @@ matrix_grafana_enabled: false -matrix_grafana_version: 8.2.2 +matrix_grafana_version: 8.3.0 matrix_grafana_docker_image: "{{ matrix_container_global_registry_prefix }}grafana/grafana:{{ matrix_grafana_version }}" matrix_grafana_docker_image_force_pull: "{{ matrix_grafana_docker_image.endswith(':latest') }}" From 3f0e8122eccfe4bde89f9323e0e04efc6e61d7cd Mon Sep 17 00:00:00 2001 From: WobbelTheBear Date: Thu, 2 Dec 2021 13:41:12 +0100 Subject: [PATCH 018/202] Update prometheus --- roles/matrix-prometheus/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-prometheus/defaults/main.yml b/roles/matrix-prometheus/defaults/main.yml index 1cbeed8b..d76ce744 100644 --- a/roles/matrix-prometheus/defaults/main.yml +++ b/roles/matrix-prometheus/defaults/main.yml @@ -3,7 +3,7 @@ matrix_prometheus_enabled: false -matrix_prometheus_version: v2.30.3 +matrix_prometheus_version: v2.31.1 matrix_prometheus_docker_image: "{{ matrix_container_global_registry_prefix }}prom/prometheus:{{ matrix_prometheus_version }}" matrix_prometheus_docker_image_force_pull: "{{ matrix_prometheus_docker_image.endswith(':latest') }}" From 229b93d7c8f6a8de1e2a6ea56de53016cafc3eb4 Mon Sep 17 00:00:00 2001 From: WobbelTheBear Date: Thu, 2 Dec 2021 13:54:57 +0100 Subject: [PATCH 019/202] Update redis (6.2.4 -> 6.2.6) --- roles/matrix-redis/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-redis/defaults/main.yml b/roles/matrix-redis/defaults/main.yml index 409c7926..355679d0 100644 --- a/roles/matrix-redis/defaults/main.yml +++ b/roles/matrix-redis/defaults/main.yml @@ -5,7 +5,7 @@ matrix_redis_connection_password: "" matrix_redis_base_path: "{{ matrix_base_data_path }}/redis" matrix_redis_data_path: "{{ matrix_redis_base_path }}/data" -matrix_redis_version: 6.2.4-alpine +matrix_redis_version: 6.2.6-alpine matrix_redis_docker_image_v6: "{{ matrix_container_global_registry_prefix }}redis:{{ matrix_redis_version }}" matrix_redis_docker_image_latest: "{{ matrix_redis_docker_image_v6 }}" matrix_redis_docker_image_to_use: '{{ matrix_redis_docker_image_latest }}' From 20bc3eb24b06be3ed6380c653f3dafb333360895 Mon Sep 17 00:00:00 2001 From: Jan <31133207+Jaffex@users.noreply.github.com> Date: Sat, 4 Dec 2021 22:04:25 +0100 Subject: [PATCH 020/202] Update signal bridge configuration template --- .../templates/config.yaml.j2 | 73 +++++++++++++++---- 1 file changed, 57 insertions(+), 16 deletions(-) diff --git a/roles/matrix-bridge-mautrix-signal/templates/config.yaml.j2 b/roles/matrix-bridge-mautrix-signal/templates/config.yaml.j2 index 19c3ba05..0498d6ea 100644 --- a/roles/matrix-bridge-mautrix-signal/templates/config.yaml.j2 +++ b/roles/matrix-bridge-mautrix-signal/templates/config.yaml.j2 @@ -15,6 +15,8 @@ homeserver: # If set, the bridge will make POST requests to this URL whenever a user's Signal connection state changes. # The bridge will use the appservice as_token to authorize requests. status_endpoint: null + # Endpoint for reporting per-message status. + message_send_checkpoint_endpoint: null # Application service host/registration related details # Changing these values requires regeneration of the registration. @@ -32,25 +34,19 @@ appservice: # Usually 1 is enough, but on high-traffic bridges you might need to increase this to avoid 413s max_body_size: 1 - # The full URI to the database. Only Postgres is currently supported. + # The full URI to the database. SQLite and Postgres are supported. + # Format examples: + # SQLite: sqlite:///filename.db + # Postgres: postgres://username:password@hostname/dbname database: {{ matrix_mautrix_signal_database_connection_string }} - # Additional arguments for asyncpg.create_pool() + # Additional arguments for asyncpg.create_pool() or sqlite3.connect() # https://magicstack.github.io/asyncpg/current/api/index.html#asyncpg.pool.create_pool + # https://docs.python.org/3/library/sqlite3.html#sqlite3.connect + # For sqlite, min_size is used as the connection thread pool size and max_size is ignored. database_opts: min_size: 5 max_size: 10 - # Provisioning API part of the web server for automated portal creation and fetching information. - # Used by things like mautrix-manager (https://github.com/tulir/mautrix-manager). - provisioning: - # Whether or not the provisioning API should be enabled. - enabled: true - # The prefix to use in the provisioning API endpoints. - prefix: /_matrix/provision/v1 - # The shared secret to authorize users of the API. - # Set to "generate" to generate and save a new token. - shared_secret: generate - # The unique ID of this appservice. id: signal # Username of the appservice bot. @@ -66,7 +62,12 @@ appservice: # Example: "+signal:example.com". Set to false to disable. community_id: false - # Authentication tokens for AS <-> HS communication. + # Whether or not to receive ephemeral events via appservice transactions. + # Requires MSC2409 support (i.e. Synapse 1.22+). + # You should disable bridge -> sync_with_custom_puppets when this is enabled. + ephemeral_events: false + + # Authentication tokens for AS <-> HS communication. Autogenerated; do not modify. as_token: "{{ matrix_mautrix_signal_appservice_token }}" hs_token: "{{ matrix_mautrix_signal_homeserver_token }}" @@ -75,6 +76,17 @@ metrics: enabled: false listen_port: 8000 +# Manhole config. +manhole: + # Whether or not opening the manhole is allowed. + enabled: false + # The path for the unix socket. + path: /var/tmp/mautrix-signal.manhole + # The list of UIDs who can be added to the whitelist. + # If empty, any UIDs can be specified in the open-manhole command. + whitelist: + - 0 + signal: # Path to signald unix socket socket_path: /signald/signald.sock @@ -91,6 +103,8 @@ signal: delete_unknown_accounts_on_start: false # Whether or not message attachments should be removed from disk after they're bridged. remove_file_after_handling: true + # Whether or not users can register a primary device + registration_enabled: true # Bridge config bridge: @@ -102,6 +116,7 @@ bridge: # available variable in displayname_preference. The variables in displayname_preference # can also be used here directly. displayname_template: "{displayname} (Signal)" + # Whether or not contact list displaynames should be used. # Possible values: disallow, allow, prefer # # Multi-user instances are recommended to disallow contact list names, as otherwise there can @@ -140,7 +155,7 @@ bridge: # If false, created portal rooms will never be federated. federate_rooms: true # End-to-bridge encryption support options. You must install the e2be optional dependency for - # this to work. See https://docs.mau.fi/bridges/general/end-to-bridge-encryption.html + # this to work. See https://github.com/tulir/mautrix-telegram/wiki/End‐to‐bridge-encryption encryption: # Allow encryption, work in group chat rooms with e2ee enabled allow: false @@ -173,12 +188,38 @@ bridge: # This field will automatically be changed back to false after it, # except if the config file is not writable. resend_bridge_info: false - # Interval at which to resync contacts. + # Interval at which to resync contacts (in seconds). periodic_sync: 0 + # Provisioning API part of the web server for automated portal creation and fetching information. + # Used by things like mautrix-manager (https://github.com/tulir/mautrix-manager). + provisioning: + # Whether or not the provisioning API should be enabled. + enabled: true + # The prefix to use in the provisioning API endpoints. + prefix: /_matrix/provision/v1 + # The shared secret to authorize users of the API. + # Set to "generate" to generate and save a new token. + shared_secret: generate + # The prefix for commands. Only required in non-management rooms. command_prefix: "!signal" + # Messages sent upon joining a management room. + # Markdown is supported. The defaults are listed below. + management_room_text: + # Sent when joining a room. + welcome: "Hello, I'm a Signal bridge bot." + # Sent when joining a management room and the user is already logged in. + welcome_connected: "Use `help` for help." + # Sent when joining a management room and the user is not logged in. + welcome_unconnected: "Use `help` for help or `register` to log in." + # Optional extra text sent when joining a management room. + additional_help: "" + + # Send each message separately (for readability in some clients) + management_room_multiple_messages: false + # Permissions for using the bridge. # Permitted values: # relay - Allowed to be relayed through the bridge, no access to commands. From d51a9118d348c54a6567e47d8632148b6a407579 Mon Sep 17 00:00:00 2001 From: felixx9 <51174875+felixx9@users.noreply.github.com> Date: Sun, 5 Dec 2021 09:41:00 +0100 Subject: [PATCH 021/202] Update importing-postgres.md with individual DB and repeat-import information (#1437) * Update importing-postgres.md Additional deatails, mostly on repeating import. Structure troubleshouting section. * Update importing-postgres.md removing -K * Fix path typo Co-authored-by: Slavi Pantaleev --- docs/importing-postgres.md | 24 ++++++++++++++++++++++-- 1 file changed, 22 insertions(+), 2 deletions(-) diff --git a/docs/importing-postgres.md b/docs/importing-postgres.md index b72e7694..c5a8d828 100644 --- a/docs/importing-postgres.md +++ b/docs/importing-postgres.md @@ -12,7 +12,8 @@ If your database name differs, be sure to change `matrix_synapse_database_databa The playbook supports importing Postgres dump files in **text** (e.g. `pg_dump > dump.sql`) or **gzipped** formats (e.g. `pg_dump | gzip -c > dump.sql.gz`). -Importing multiple databases (as dumped by `pg_dumpall`) is also supported. +Importing multiple databases (as dumped by `pg_dumpall`) is also supported. +But the migration might be a good moment, to "reset" a not properly working bridge. Be aware, that it might affect all users (new link to bridge, new roomes, ...) Before doing the actual import, **you need to upload your Postgres dump file to the server** (any path is okay). @@ -32,6 +33,7 @@ ansible-playbook -i inventory/hosts setup.yml \ ## Troubleshooting +### Table Ownership A table ownership issue can occur if you are importing from a Synapse installation which was both: - migrated from SQLite to Postgres, and @@ -71,6 +73,8 @@ Note that if the previous import failed with an error it may have made changes w ERROR: relation \"access_tokens\" already exists ``` +### Repeat import + In this case you can use the command suggested in the import task to clear the database before retrying the import: ```Shell @@ -79,4 +83,20 @@ In this case you can use the command suggested in the import task to clear the d # systemctl start matrix-postgres ``` -Once the database is clear and the ownership of the tables has been fixed in the SQL file, the import task should succeed. +Now on your local machine run `ansible-playbook -i inventory/hosts setup.yml --tags=setup-postgres` to prepare the database roles etc. + +If not, you probably get this error. `synapse` is the correct table owner, but the role is missing in database. +``` +"ERROR: role synapse does not exist" +``` + +Once the database is clear and the ownership of the tables has been fixed in the SQL file, the import task should succeed. +Check, if `--dbname` is set to `synapse` (not `matrix`) and replace paths (or even better, copy this line from your terminal) + +``` +/usr/bin/env docker run --rm --name matrix-postgres-import --log-driver=none --user=998:1001 --cap-drop=ALL --network=matrix --env-file=/matrix/postgres/env-postgres-psql --mount type=bind,src=/migration/synapse_dump.sql,dst=/synapse_dump.sql,ro --entrypoint=/bin/sh docker.io/postgres:14.1-alpine -c "cat /synapse_dump.sql | grep -vE '^(CREATE|ALTER) ROLE (matrix)(;| WITH)' | grep -vE '^CREATE DATABASE (matrix)\s' | psql -v ON_ERROR_STOP=1 -h matrix-postgres --dbname=synapse" +``` + +### Hints + +To open psql terminal run `/usr/local/bin/matrix-postgres-cli` From 9babaa5a2bfd9dd982ac3338d350e83186c666bb Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 6 Dec 2021 13:40:01 +0200 Subject: [PATCH 022/202] Fix mx-puppet-discord media URLs using container-network URLs (http://matrix-nginx-proxy:12080) --- .../matrix-bridge-mx-puppet-discord/defaults/main.yml | 2 ++ .../templates/config.yaml.j2 | 10 +++++----- 2 files changed, 7 insertions(+), 5 deletions(-) diff --git a/roles/matrix-bridge-mx-puppet-discord/defaults/main.yml b/roles/matrix-bridge-mx-puppet-discord/defaults/main.yml index 1113bb1c..cd9c1477 100644 --- a/roles/matrix-bridge-mx-puppet-discord/defaults/main.yml +++ b/roles/matrix-bridge-mx-puppet-discord/defaults/main.yml @@ -27,6 +27,8 @@ matrix_mx_puppet_discord_homeserver_address: "{{ matrix_homeserver_container_url matrix_mx_puppet_discord_homeserver_domain: '{{ matrix_domain }}' matrix_mx_puppet_discord_appservice_address: 'http://matrix-mx-puppet-discord:{{ matrix_mx_puppet_discord_appservice_port }}' +matrix_mx_puppet_discord_bridge_mediaUrl: "https:/{{ matrix_server_fqn_matrix }}" + # "@user:server.com" to allow specific user # "@.*:yourserver.com" to allow users on a specific homeserver # "@.*" to allow anyone diff --git a/roles/matrix-bridge-mx-puppet-discord/templates/config.yaml.j2 b/roles/matrix-bridge-mx-puppet-discord/templates/config.yaml.j2 index 93c0a491..edb0c280 100644 --- a/roles/matrix-bridge-mx-puppet-discord/templates/config.yaml.j2 +++ b/roles/matrix-bridge-mx-puppet-discord/templates/config.yaml.j2 @@ -9,17 +9,17 @@ bridge: domain: {{ matrix_mx_puppet_discord_homeserver_domain }} # Reachable URL of the Matrix homeserver homeserverUrl: {{ matrix_mx_puppet_discord_homeserver_address }} + # Optionally specify a different media URL used for the media store + # + # This is where Discord will download user profile pictures and media + # from + mediaUrl: {{ matrix_mx_puppet_discord_bridge_mediaUrl }} {% if matrix_mx_puppet_discord_login_shared_secret != '' %} loginSharedSecretMap: {{ matrix_domain }}: {{ matrix_mx_puppet_discord_login_shared_secret }} {% endif %} # Display name of the bridge bot displayname: Discord Puppet Bridge - # Optionally specify a different media URL used for the media store - # - # This is where Discord will download user profile pictures and media - # from - #mediaUrl: https://external-url.org presence: # Bridge Discord online/offline status From 391e095cb95a1426b89efeaa2f79b5a90e3bc383 Mon Sep 17 00:00:00 2001 From: WobbelTheBear Date: Mon, 6 Dec 2021 19:56:13 +0100 Subject: [PATCH 023/202] Update main.yml --- roles/matrix-client-element/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-client-element/defaults/main.yml b/roles/matrix-client-element/defaults/main.yml index b05f0d85..d1a6a73a 100644 --- a/roles/matrix-client-element/defaults/main.yml +++ b/roles/matrix-client-element/defaults/main.yml @@ -7,7 +7,7 @@ matrix_client_element_container_image_self_build_repo: "https://github.com/vecto # - https://github.com/vector-im/element-web/issues/19544 matrix_client_element_container_image_self_build_low_memory_system_patch_enabled: "{{ ansible_memtotal_mb < 4096 }}" -matrix_client_element_version: v1.9.5 +matrix_client_element_version: v1.9.6 matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:{{ matrix_client_element_version }}" matrix_client_element_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_client_element_docker_image_force_pull: "{{ matrix_client_element_docker_image.endswith(':latest') }}" From ff720bedce2c6c2ae83784aacd41253787141900 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 7 Dec 2021 19:43:14 +0200 Subject: [PATCH 024/202] Upgrade matrix-postgres-backup default to v14 Related to c08880d175fdbb73778 --- roles/matrix-postgres-backup/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-postgres-backup/defaults/main.yml b/roles/matrix-postgres-backup/defaults/main.yml index e1f252fe..efce3656 100644 --- a/roles/matrix-postgres-backup/defaults/main.yml +++ b/roles/matrix-postgres-backup/defaults/main.yml @@ -33,7 +33,7 @@ matrix_postgres_backup_docker_image_v11: "{{ matrix_container_global_registry_pr matrix_postgres_backup_docker_image_v12: "{{ matrix_container_global_registry_prefix }}prodrigestivill/postgres-backup-local:12{{ matrix_postgres_backup_docker_image_suffix }}" matrix_postgres_backup_docker_image_v13: "{{ matrix_container_global_registry_prefix }}prodrigestivill/postgres-backup-local:13{{ matrix_postgres_backup_docker_image_suffix }}" matrix_postgres_backup_docker_image_v14: "{{ matrix_container_global_registry_prefix }}prodrigestivill/postgres-backup-local:14{{ matrix_postgres_backup_docker_image_suffix }}" -matrix_postgres_backup_docker_image_latest: "{{ matrix_postgres_backup_docker_image_v13 }}" +matrix_postgres_backup_docker_image_latest: "{{ matrix_postgres_backup_docker_image_v14 }}" # This variable is assigned at runtime. Overriding its value has no effect. matrix_postgres_backup_docker_image_to_use: '{{ matrix_postgres_backup_docker_image_latest }}' From 18daf8f3da249f38086278c11182ed7dacb062cf Mon Sep 17 00:00:00 2001 From: Catalan Lover <48515417+FSG-Cat@users.noreply.github.com> Date: Tue, 7 Dec 2021 21:52:49 +0100 Subject: [PATCH 025/202] Update Grafana from 8.3.0 to 8.3.1 due to Security Flaw https://grafana.com/blog/2021/12/07/grafana-8.3.1-8.2.7-8.1.8-and-8.0.7-released-with-high-severity-security-fix/ --- roles/matrix-grafana/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-grafana/defaults/main.yml b/roles/matrix-grafana/defaults/main.yml index 8998e368..37202d6d 100644 --- a/roles/matrix-grafana/defaults/main.yml +++ b/roles/matrix-grafana/defaults/main.yml @@ -3,7 +3,7 @@ matrix_grafana_enabled: false -matrix_grafana_version: 8.3.0 +matrix_grafana_version: 8.3.1 matrix_grafana_docker_image: "{{ matrix_container_global_registry_prefix }}grafana/grafana:{{ matrix_grafana_version }}" matrix_grafana_docker_image_force_pull: "{{ matrix_grafana_docker_image.endswith(':latest') }}" From 0071828503a63fdeb57d7a80d411b081811130fd Mon Sep 17 00:00:00 2001 From: Aaron Raimist Date: Wed, 8 Dec 2021 08:37:55 +0000 Subject: [PATCH 026/202] Run `workers-doc-to-yaml.sh` MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 1472958e25c729f3fb9f6c018c2df947bcae97aa reverted some of the v3 changes. I'm not sure why. Running the `workers-doc-to-yaml.sh` script now puts them back 🤷‍♂️. --- roles/matrix-synapse/vars/workers.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/roles/matrix-synapse/vars/workers.yml b/roles/matrix-synapse/vars/workers.yml index 2d6f393a..def223f8 100644 --- a/roles/matrix-synapse/vars/workers.yml +++ b/roles/matrix-synapse/vars/workers.yml @@ -5,10 +5,10 @@ matrix_synapse_workers_generic_worker_endpoints: # expressions: # Sync requests - - ^/_matrix/client/(v2_alpha|r0)/sync$ - - ^/_matrix/client/(api/v1|v2_alpha|r0)/events$ - - ^/_matrix/client/(api/v1|r0)/initialSync$ - - ^/_matrix/client/(api/v1|r0)/rooms/[^/]+/initialSync$ + - ^/_matrix/client/(v2_alpha|r0|v3)/sync$ + - ^/_matrix/client/(api/v1|v2_alpha|r0|v3)/events$ + - ^/_matrix/client/(api/v1|r0|v3)/initialSync$ + - ^/_matrix/client/(api/v1|r0|v3)/rooms/[^/]+/initialSync$ # Federation requests - ^/_matrix/federation/v1/event/ @@ -63,7 +63,7 @@ matrix_synapse_workers_generic_worker_endpoints: # Registration/login requests - ^/_matrix/client/(api/v1|r0|v3|unstable)/login$ - - ^/_matrix/client/(r0|unstable)/register$ + - ^/_matrix/client/(r0|v3|unstable)/register$ - ^/_matrix/client/unstable/org.matrix.msc3231/register/org.matrix.msc3231.login.registration_token/validity$ # Event sending requests From 421b055cb5f09d104d4d31036dde5f48f22a4987 Mon Sep 17 00:00:00 2001 From: Aaron R Date: Wed, 8 Dec 2021 04:09:09 -0600 Subject: [PATCH 027/202] Fix comment about `matrix_mautrix_whatsapp_database_*` variables Was renamed in 087dbe4ddc80ba6308e7ee98391ea475354e8860 It is unclear to me if there is anything you actually need to adjust with these variables. It looks like that is done automatically in `matrix_servers`. --- roles/matrix-bridge-mautrix-whatsapp/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-bridge-mautrix-whatsapp/defaults/main.yml b/roles/matrix-bridge-mautrix-whatsapp/defaults/main.yml index 3d630fcf..81c451cf 100644 --- a/roles/matrix-bridge-mautrix-whatsapp/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-whatsapp/defaults/main.yml @@ -42,7 +42,7 @@ matrix_mautrix_whatsapp_appservice_bot_username: whatsappbot # # To use Postgres: # - change the engine (`matrix_mautrix_whatsapp_database_engine: 'postgres'`) -# - adjust your database credentials via the `matrix_mautrix_whatsapp_postgres_*` variables +# - adjust your database credentials via the `matrix_mautrix_whatsapp_database_*` variables matrix_mautrix_whatsapp_database_engine: 'sqlite' matrix_mautrix_whatsapp_sqlite_database_path_local: "{{ matrix_mautrix_whatsapp_data_path }}/mautrix-whatsapp.db" From fac497faa58e3f9b40075ec910c810eb76436f08 Mon Sep 17 00:00:00 2001 From: Aaron Raimist Date: Wed, 8 Dec 2021 10:13:12 +0000 Subject: [PATCH 028/202] Fix comments in other roles --- roles/matrix-bridge-appservice-discord/defaults/main.yml | 2 +- roles/matrix-bridge-mautrix-facebook/defaults/main.yml | 2 +- roles/matrix-bridge-mautrix-googlechat/defaults/main.yml | 2 +- roles/matrix-bridge-mautrix-hangouts/defaults/main.yml | 2 +- roles/matrix-bridge-mautrix-instagram/defaults/main.yml | 2 +- roles/matrix-bridge-mautrix-telegram/defaults/main.yml | 2 +- roles/matrix-dimension/defaults/main.yml | 2 +- roles/matrix-ma1sd/defaults/main.yml | 2 +- roles/matrix-registration/defaults/main.yml | 2 +- 9 files changed, 9 insertions(+), 9 deletions(-) diff --git a/roles/matrix-bridge-appservice-discord/defaults/main.yml b/roles/matrix-bridge-appservice-discord/defaults/main.yml index 9b9284dc..92a51a31 100644 --- a/roles/matrix-bridge-appservice-discord/defaults/main.yml +++ b/roles/matrix-bridge-appservice-discord/defaults/main.yml @@ -48,7 +48,7 @@ matrix_appservice_discord_bridge_enableSelfServiceBridging: false # # To use Postgres: # - change the engine (`matrix_appservice_discord_database_engine: 'postgres'`) -# - adjust your database credentials via the `matrix_appservice_discord_postgres_*` variables +# - adjust your database credentials via the `matrix_appservice_discord_database_*` variables matrix_appservice_discord_database_engine: 'sqlite' matrix_appservice_discord_sqlite_database_path_local: "{{ matrix_appservice_discord_data_path }}/discord.db" diff --git a/roles/matrix-bridge-mautrix-facebook/defaults/main.yml b/roles/matrix-bridge-mautrix-facebook/defaults/main.yml index 2b453bab..5d83e9cc 100644 --- a/roles/matrix-bridge-mautrix-facebook/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-facebook/defaults/main.yml @@ -42,7 +42,7 @@ matrix_mautrix_facebook_homeserver_token: '' # - plan your migration to Postgres, as this bridge does not support SQLite anymore (and neither will the playbook in the future). # # To use Postgres: -# - adjust your database credentials via the `matrix_mautrix_facebook_postgres_*` variables +# - adjust your database credentials via the `matrix_mautrix_facebook_database_*` variables matrix_mautrix_facebook_database_engine: 'postgres' matrix_mautrix_facebook_sqlite_database_path_local: "{{ matrix_mautrix_facebook_data_path }}/mautrix-facebook.db" diff --git a/roles/matrix-bridge-mautrix-googlechat/defaults/main.yml b/roles/matrix-bridge-mautrix-googlechat/defaults/main.yml index 22f863ff..02bef16a 100644 --- a/roles/matrix-bridge-mautrix-googlechat/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-googlechat/defaults/main.yml @@ -47,7 +47,7 @@ matrix_mautrix_googlechat_homeserver_token: '' # # To use Postgres: # - change the engine (`matrix_mautrix_googlechat_database_engine: 'postgres'`) -# - adjust your database credentials via the `matrix_mautrix_googlechat_postgres_*` variables +# - adjust your database credentials via the `matrix_mautrix_googlechat_database_*` variables matrix_mautrix_googlechat_database_engine: 'sqlite' matrix_mautrix_googlechat_sqlite_database_path_local: "{{ matrix_mautrix_googlechat_data_path }}/mautrix-googlechat.db" diff --git a/roles/matrix-bridge-mautrix-hangouts/defaults/main.yml b/roles/matrix-bridge-mautrix-hangouts/defaults/main.yml index fa46d33c..013e1d14 100644 --- a/roles/matrix-bridge-mautrix-hangouts/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-hangouts/defaults/main.yml @@ -47,7 +47,7 @@ matrix_mautrix_hangouts_homeserver_token: '' # # To use Postgres: # - change the engine (`matrix_mautrix_hangouts_database_engine: 'postgres'`) -# - adjust your database credentials via the `matrix_mautrix_hangouts_postgres_*` variables +# - adjust your database credentials via the `matrix_mautrix_hangouts_database_*` variables matrix_mautrix_hangouts_database_engine: 'sqlite' matrix_mautrix_hangouts_sqlite_database_path_local: "{{ matrix_mautrix_hangouts_data_path }}/mautrix-hangouts.db" diff --git a/roles/matrix-bridge-mautrix-instagram/defaults/main.yml b/roles/matrix-bridge-mautrix-instagram/defaults/main.yml index a648018e..e1a1bdda 100644 --- a/roles/matrix-bridge-mautrix-instagram/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-instagram/defaults/main.yml @@ -37,7 +37,7 @@ matrix_mautrix_instagram_homeserver_token: '' # Database-related configuration fields. # # To use Postgres: -# - adjust your database credentials via the `matrix_mautrix_instagram_postgres_*` variables +# - adjust your database credentials via the `matrix_mautrix_instagram_database_*` variables matrix_mautrix_instagram_database_engine: 'postgres' matrix_mautrix_instagram_database_username: 'matrix_mautrix_instagram' diff --git a/roles/matrix-bridge-mautrix-telegram/defaults/main.yml b/roles/matrix-bridge-mautrix-telegram/defaults/main.yml index f7c98950..45a7d6e8 100644 --- a/roles/matrix-bridge-mautrix-telegram/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-telegram/defaults/main.yml @@ -63,7 +63,7 @@ matrix_mautrix_telegram_homeserver_token: '' # # To use Postgres: # - change the engine (`matrix_mautrix_telegram_database_engine: 'postgres'`) -# - adjust your database credentials via the `matrix_mautrix_telegram_postgres_*` variables +# - adjust your database credentials via the `matrix_mautrix_telegram_database_*` variables matrix_mautrix_telegram_database_engine: 'sqlite' matrix_mautrix_telegram_sqlite_database_path_local: "{{ matrix_mautrix_telegram_data_path }}/mautrix-telegram.db" diff --git a/roles/matrix-dimension/defaults/main.yml b/roles/matrix-dimension/defaults/main.yml index fc1f17a6..10f8b13a 100644 --- a/roles/matrix-dimension/defaults/main.yml +++ b/roles/matrix-dimension/defaults/main.yml @@ -48,7 +48,7 @@ matrix_dimension_homeserver_federationUrl: "" # # To use Postgres: # - change the engine (`matrix_dimension_database_engine: 'postgres'`) -# - adjust your database credentials via the `matrix_dimension_postgres_*` variables +# - adjust your database credentials via the `matrix_dimension_database_*` variables matrix_dimension_database_engine: 'sqlite' matrix_dimension_sqlite_database_path_local: "{{ matrix_dimension_base_path }}/dimension.db" diff --git a/roles/matrix-ma1sd/defaults/main.yml b/roles/matrix-ma1sd/defaults/main.yml index 6929f5cd..f0e96eff 100644 --- a/roles/matrix-ma1sd/defaults/main.yml +++ b/roles/matrix-ma1sd/defaults/main.yml @@ -48,7 +48,7 @@ matrix_ma1sd_matrixorg_forwarding_enabled: false # # To use Postgres: # - change the engine (`matrix_ma1sd_database_engine: 'postgres'`) -# - adjust your database credentials via the `matrix_ma1sd_postgres_*` variables +# - adjust your database credentials via the `matrix_ma1sd_database_*` variables matrix_ma1sd_database_engine: 'sqlite' matrix_ma1sd_sqlite_database_path_local: "{{ matrix_ma1sd_data_path }}/ma1sd.db" diff --git a/roles/matrix-registration/defaults/main.yml b/roles/matrix-registration/defaults/main.yml index e03891b2..4705fb5e 100644 --- a/roles/matrix-registration/defaults/main.yml +++ b/roles/matrix-registration/defaults/main.yml @@ -38,7 +38,7 @@ matrix_registration_container_http_host_bind_port: '' # # To use Postgres: # - change the engine (`matrix_registration_database_engine: 'postgres'`) -# - adjust your database credentials via the `matrix_registration_postgres_*` variables +# - adjust your database credentials via the `matrix_registration_database_*` variables matrix_registration_database_engine: 'sqlite' matrix_registration_sqlite_database_path_local: "{{ matrix_registration_data_path }}/db.sqlite3" From 286871b9b59a652c89b8d4b911ce208c14d275b1 Mon Sep 17 00:00:00 2001 From: John M Date: Sun, 28 Nov 2021 04:31:06 +0000 Subject: [PATCH 029/202] Add self-build for Dimension Add a self-build option for the Dimension Dockerfile. - This helps further support arm64 hosts (i.e. A1.Flex w/Oracle) --- docs/self-building.md | 1 + group_vars/matrix_servers | 2 ++ roles/matrix-dimension/defaults/main.yml | 8 ++++++- .../matrix-dimension/tasks/setup_install.yml | 23 +++++++++++++++++++ 4 files changed, 33 insertions(+), 1 deletion(-) diff --git a/docs/self-building.md b/docs/self-building.md index 82726bb7..9ff28e4c 100644 --- a/docs/self-building.md +++ b/docs/self-building.md @@ -18,6 +18,7 @@ List of roles where self-building the Docker image is currently possible: - `matrix-registration` - `matrix-coturn` - `matrix-corporal` +- `matrix-dimension` - `matrix-ma1sd` - `matrix-mailer` - `matrix-bridge-appservice-irc` diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 7b2a7494..64ec0bd1 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -1045,6 +1045,8 @@ matrix_coturn_container_additional_volumes: | matrix_dimension_enabled: false +matrix_dimension_container_image_self_build: "{{ matrix_architecture != 'amd64' }}" + # Normally, matrix-nginx-proxy is enabled and nginx can reach Dimension over the container network. # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose # the Dimension HTTP port to the local host. diff --git a/roles/matrix-dimension/defaults/main.yml b/roles/matrix-dimension/defaults/main.yml index fc1f17a6..6e1ad512 100644 --- a/roles/matrix-dimension/defaults/main.yml +++ b/roles/matrix-dimension/defaults/main.yml @@ -10,10 +10,16 @@ matrix_dimension_admins: [] # Whether to allow Dimension widgets serve websites with invalid or self signed SSL certificates matrix_dimension_widgets_allow_self_signed_ssl_certificates: false +matrix_dimension_container_image_self_build: false +matrix_dimension_container_image_self_build_repo: "https://github.com/turt2live/matrix-dimension.git" +matrix_dimension_container_image_self_build_branch: master + matrix_dimension_base_path: "{{ matrix_base_data_path }}/dimension" +matrix_dimension_docker_src_files_path: "{{ matrix_base_data_path }}/docker-src/dimension" matrix_dimension_version: latest -matrix_dimension_docker_image: "{{ matrix_container_global_registry_prefix }}turt2live/matrix-dimension:{{ matrix_dimension_version }}" +matrix_dimension_docker_image: "{{ matrix_dimension_docker_image_name_prefix }}turt2live/matrix-dimension:{{ matrix_dimension_version }}" +matrix_dimension_docker_image_name_prefix: "{{ 'localhost/' if matrix_dimension_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_dimension_docker_image_force_pull: "{{ matrix_dimension_docker_image.endswith(':latest') }}" # List of systemd services that matrix-dimension.service depends on. diff --git a/roles/matrix-dimension/tasks/setup_install.yml b/roles/matrix-dimension/tasks/setup_install.yml index 804be88d..c75fc0b9 100644 --- a/roles/matrix-dimension/tasks/setup_install.yml +++ b/roles/matrix-dimension/tasks/setup_install.yml @@ -90,6 +90,29 @@ source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" force_source: "{{ matrix_dimension_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_dimension_docker_image_force_pull }}" + when: "not matrix_dimension_container_image_self_build|bool" + register: matrix_dimension_pull_results + +- name: Ensure dimension repository is present on self-build + git: + repo: "{{ matrix_dimension_container_image_self_build_repo }}" + dest: "{{ matrix_dimension_docker_src_files_path }}" + version: "{{ matrix_dimension_container_image_self_build_branch }}" + force: "yes" + when: "matrix_dimension_container_image_self_build|bool" + register: matrix_dimension_git_pull_results + +- name: Ensure Dimension Docker image is built + docker_image: + name: "{{ matrix_dimension_docker_image }}" + source: build + force_source: "{{ matrix_dimension_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_dimension_git_pull_results.changed }}" + build: + dockerfile: Dockerfile + path: "{{ matrix_dimension_docker_src_files_path }}" + pull: yes + when: "matrix_dimension_container_image_self_build|bool" - name: Ensure matrix-dimension.service installed template: From f2cd37685c8dfbc1579dfa18222865356695171d Mon Sep 17 00:00:00 2001 From: ppacheco28 Date: Wed, 8 Dec 2021 19:52:05 -0300 Subject: [PATCH 030/202] Add support for Jitsi internal authentication user creation --- roles/matrix-jitsi/defaults/main.yml | 35 ++++++++++++++++--- .../tasks/setup_jitsi_prosody.yml | 21 +++++++---- .../tasks/util/setup_jitsi_auth.yml | 30 ++++++++++++++++ 3 files changed, 76 insertions(+), 10 deletions(-) create mode 100644 roles/matrix-jitsi/tasks/util/setup_jitsi_auth.yml diff --git a/roles/matrix-jitsi/defaults/main.yml b/roles/matrix-jitsi/defaults/main.yml index bef993e0..bdc55335 100644 --- a/roles/matrix-jitsi/defaults/main.yml +++ b/roles/matrix-jitsi/defaults/main.yml @@ -12,6 +12,9 @@ matrix_jitsi_enable_av_moderation: true # Authentication type, must be one of internal, jwt or ldap. Currently only # internal and ldap are supported by this playbook. matrix_jitsi_auth_type: internal +matrix_jitsi_prosody_auth_internal_accounts: + - username: "jitsti-moderator" + password: "" # Configuration options for LDAP authentication. For details see upstream: # https://github.com/jitsi/docker-jitsi-meet#authentication-using-ldap. @@ -41,16 +44,17 @@ matrix_jitsi_xmpp_guest_domain: guest.meet.jitsi matrix_jitsi_xmpp_muc_domain: muc.meet.jitsi matrix_jitsi_xmpp_internal_muc_domain: internal-muc.meet.jitsi matrix_jitsi_xmpp_modules: '' +matrix_jitsi_xmpp_muc_modules: '' +matrix_jitsi_xmpp_muc_modules_internal: '' matrix_jitsi_recorder_domain: recorder.meet.jitsi - +matrix_jitsi_jibri_recorder_user: recorder +matrix_jitsi_jibri_recorder_password: '' matrix_jitsi_jibri_brewery_muc: jibribrewery matrix_jitsi_jibri_pending_timeout: 90 matrix_jitsi_jibri_xmpp_user: jibri matrix_jitsi_jibri_xmpp_password: '' -matrix_jitsi_jibri_recorder_user: recorder -matrix_jitsi_jibri_recorder_password: '' matrix_jitsi_enable_lobby: false @@ -205,7 +209,6 @@ matrix_jitsi_jicofo_component_secret: '' matrix_jitsi_jicofo_auth_user: focus matrix_jitsi_jicofo_auth_password: '' - matrix_jitsi_jvb_docker_image: "{{ matrix_container_global_registry_prefix }}jitsi/jvb:{{ matrix_jitsi_container_image_tag }}" matrix_jitsi_jvb_docker_image_force_pull: "{{ matrix_jitsi_jvb_docker_image.endswith(':latest') }}" @@ -229,6 +232,30 @@ matrix_jitsi_jvb_brewery_muc: jvbbrewery matrix_jitsi_jvb_rtp_udp_port: 10000 matrix_jitsi_jvb_rtp_tcp_port: 4443 +# JWT Auth +matrix_jitsi_auth_jwt_id: jitsi +matrix_jitsi_auth_jwt_secret: '' +matrix_jitsi_auth_jwt_accepted_issuers: '' +matrix_jitsi_authjwt_allow_empty: false + +# Jigasi SIP Gateway Configuration - Not Fully Implemented +matrix_jitsi_jigasi_auth_user: '' +matrix_jitsi_jigasi_auth_password: '' +#JIGASI_SIP_URI: '' # SIP URI for incoming / outgoing calls test@sip2sip.info +#JIGASI_SIP_PASSWORD: '' # Password for the specified SIP account passw0rd +#JIGASI_SIP_SERVER SIP: '' # server (use the SIP account domain if in doubt) sip2sip.info +#JIGASI_SIP_PORT SIP: '5060' # server port 5060 +#JIGASI_SIP_TRANSPORT: 'UDP' # SIP transport UDP +#DIALIN_NUMBERS_URL: 'https://jitsi.chs.chat/dial-in.json' # URL to the JSON with all Dial-In numbers. Example: https://meet.example.com/dialin.json +#CONFCODE_URL: '' # URL to the API for checking/generating Dial-In codes. Example: https://jitsi-api.jitsi.net/conferenceMapper +#GC_PROJECT_ID: # project_id from Google Cloud Credentials +#GC_PRIVATE_KEY_ID: # private_key_id from Google Cloud Credentials +#GC_PRIVATE_KEY: # private_key from Google Cloud Credentials +#GC_CLIENT_EMAIL: # client_email from Google Cloud Credentials +#GC_CLIENT_ID: # client_id from Google Cloud Credentials +#GC_CLIENT_CERT_URL: # client_x509_cert_url from Google Cloud Credentials + + # Custom configuration to be injected into `custom-sip-communicator.properties`, passed to Jitsi JVB. # This configuration gets appended to the final configuration that Jitsi JVB uses. # diff --git a/roles/matrix-jitsi/tasks/setup_jitsi_prosody.yml b/roles/matrix-jitsi/tasks/setup_jitsi_prosody.yml index 39a571ae..25dee8ec 100644 --- a/roles/matrix-jitsi/tasks/setup_jitsi_prosody.yml +++ b/roles/matrix-jitsi/tasks/setup_jitsi_prosody.yml @@ -25,14 +25,14 @@ force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_jitsi_prosody_docker_image_force_pull }}" when: matrix_jitsi_enabled|bool -- name: Ensure jitsi-prosody environment variables file created +- name: Ensure jitsi-prosody environment variables file is created template: src: "{{ role_path }}/templates/prosody/env.j2" dest: "{{ matrix_jitsi_prosody_base_path }}/env" mode: 0640 when: matrix_jitsi_enabled|bool -- name: Ensure matrix-jitsi-prosody.service installed +- name: Ensure matrix-jitsi-prosody.service is installed template: src: "{{ role_path }}/templates/prosody/matrix-jitsi-prosody.service.j2" dest: "{{ matrix_systemd_path }}/matrix-jitsi-prosody.service" @@ -40,16 +40,25 @@ register: matrix_jitsi_prosody_systemd_service_result when: matrix_jitsi_enabled|bool -- name: Ensure systemd reloaded after matrix-jitsi-prosody.service installation +- name: Ensure systemd service is reloaded after matrix-jitsi-prosody.service installation service: daemon_reload: yes when: "matrix_jitsi_enabled and matrix_jitsi_prosody_systemd_service_result.changed" + +- name: Ensure authentication is properly configured + include_tasks: + file: "{{ role_path }}/tasks/util/setup_jitsi_auth.yml" + when: + - matrix_jitsi_enabled|bool + - matrix_jitsi_enable_auth|bool + + # # Tasks related to getting rid of jitsi-prosody (if it was previously enabled) # -- name: Check existence of matrix-jitsi-prosody service +- name: Ensure matrix-jitsi-prosody service file exists stat: path: "{{ matrix_systemd_path }}/matrix-jitsi-prosody.service" register: matrix_jitsi_prosody_service_stat @@ -64,13 +73,13 @@ register: stopping_result when: "not matrix_jitsi_enabled|bool and matrix_jitsi_prosody_service_stat.stat.exists" -- name: Ensure matrix-jitsi-prosody.service doesn't exist +- name: Ensure matrix-jitsi-prosody service file doesn't exist file: path: "{{ matrix_systemd_path }}/matrix-jitsi-prosody.service" state: absent when: "not matrix_jitsi_enabled|bool and matrix_jitsi_prosody_service_stat.stat.exists" -- name: Ensure systemd reloaded after matrix-jitsi-prosody.service removal +- name: Ensure systemd is reloaded after matrix-jitsi-prosody.service removal service: daemon_reload: yes when: "not matrix_jitsi_enabled|bool and matrix_jitsi_prosody_service_stat.stat.exists" diff --git a/roles/matrix-jitsi/tasks/util/setup_jitsi_auth.yml b/roles/matrix-jitsi/tasks/util/setup_jitsi_auth.yml new file mode 100644 index 00000000..804e6526 --- /dev/null +++ b/roles/matrix-jitsi/tasks/util/setup_jitsi_auth.yml @@ -0,0 +1,30 @@ +--- + +# +# Tasks related to setting up Jitsi authentication mechanisms +# + +- name: Ensure matrix-jitsi-prosody container is running + systemd: + state: started + name: matrix-jitsi-prosody + +- name: Ensire Jitsi internal authentication users are created + shell: "docker exec matrix-jitsi-prosody prosodyctl --config /config/prosody.cfg.lua register {{ item.username | quote }} meet.jitsi {{ item.password | quote }}" + with_items: "{{ matrix_jitsi_prosody_auth_internal_accounts }}" + when: + - matrix_jitsi_auth_type == "internal" + + +# +# Configure other authentication mechanisms below +# + + +# +# End +# +- name: Ensure matrix-jitsi-prosody container is stopped + systemd: + state: stopped + name: matrix-jitsi-prosody \ No newline at end of file From dd1feffcc245a72217dec11dfc21db779ed5b176 Mon Sep 17 00:00:00 2001 From: ppacheco28 Date: Wed, 8 Dec 2021 20:14:18 -0300 Subject: [PATCH 031/202] Add support for Jitsi internal authentication user creation --- roles/matrix-jitsi/defaults/main.yml | 24 ------------------- .../tasks/setup_jitsi_prosody.yml | 8 +++---- 2 files changed, 4 insertions(+), 28 deletions(-) diff --git a/roles/matrix-jitsi/defaults/main.yml b/roles/matrix-jitsi/defaults/main.yml index bdc55335..61742126 100644 --- a/roles/matrix-jitsi/defaults/main.yml +++ b/roles/matrix-jitsi/defaults/main.yml @@ -232,30 +232,6 @@ matrix_jitsi_jvb_brewery_muc: jvbbrewery matrix_jitsi_jvb_rtp_udp_port: 10000 matrix_jitsi_jvb_rtp_tcp_port: 4443 -# JWT Auth -matrix_jitsi_auth_jwt_id: jitsi -matrix_jitsi_auth_jwt_secret: '' -matrix_jitsi_auth_jwt_accepted_issuers: '' -matrix_jitsi_authjwt_allow_empty: false - -# Jigasi SIP Gateway Configuration - Not Fully Implemented -matrix_jitsi_jigasi_auth_user: '' -matrix_jitsi_jigasi_auth_password: '' -#JIGASI_SIP_URI: '' # SIP URI for incoming / outgoing calls test@sip2sip.info -#JIGASI_SIP_PASSWORD: '' # Password for the specified SIP account passw0rd -#JIGASI_SIP_SERVER SIP: '' # server (use the SIP account domain if in doubt) sip2sip.info -#JIGASI_SIP_PORT SIP: '5060' # server port 5060 -#JIGASI_SIP_TRANSPORT: 'UDP' # SIP transport UDP -#DIALIN_NUMBERS_URL: 'https://jitsi.chs.chat/dial-in.json' # URL to the JSON with all Dial-In numbers. Example: https://meet.example.com/dialin.json -#CONFCODE_URL: '' # URL to the API for checking/generating Dial-In codes. Example: https://jitsi-api.jitsi.net/conferenceMapper -#GC_PROJECT_ID: # project_id from Google Cloud Credentials -#GC_PRIVATE_KEY_ID: # private_key_id from Google Cloud Credentials -#GC_PRIVATE_KEY: # private_key from Google Cloud Credentials -#GC_CLIENT_EMAIL: # client_email from Google Cloud Credentials -#GC_CLIENT_ID: # client_id from Google Cloud Credentials -#GC_CLIENT_CERT_URL: # client_x509_cert_url from Google Cloud Credentials - - # Custom configuration to be injected into `custom-sip-communicator.properties`, passed to Jitsi JVB. # This configuration gets appended to the final configuration that Jitsi JVB uses. # diff --git a/roles/matrix-jitsi/tasks/setup_jitsi_prosody.yml b/roles/matrix-jitsi/tasks/setup_jitsi_prosody.yml index 25dee8ec..d9b6fcba 100644 --- a/roles/matrix-jitsi/tasks/setup_jitsi_prosody.yml +++ b/roles/matrix-jitsi/tasks/setup_jitsi_prosody.yml @@ -4,7 +4,7 @@ # Tasks related to setting up jitsi-prosody # -- name: Ensure Matrix jitsi-prosody path exists +- name: Ensure Matrix jitsi-prosody environment exists file: path: "{{ item.path }}" state: directory @@ -32,7 +32,7 @@ mode: 0640 when: matrix_jitsi_enabled|bool -- name: Ensure matrix-jitsi-prosody.service is installed +- name: Ensure matrix-jitsi-prosody.service file is installed template: src: "{{ role_path }}/templates/prosody/matrix-jitsi-prosody.service.j2" dest: "{{ matrix_systemd_path }}/matrix-jitsi-prosody.service" @@ -58,7 +58,7 @@ # Tasks related to getting rid of jitsi-prosody (if it was previously enabled) # -- name: Ensure matrix-jitsi-prosody service file exists +- name: Ensure matrix-jitsi-prosody.service file exists stat: path: "{{ matrix_systemd_path }}/matrix-jitsi-prosody.service" register: matrix_jitsi_prosody_service_stat @@ -73,7 +73,7 @@ register: stopping_result when: "not matrix_jitsi_enabled|bool and matrix_jitsi_prosody_service_stat.stat.exists" -- name: Ensure matrix-jitsi-prosody service file doesn't exist +- name: Ensure matrix-jitsi-prosody.service file doesn't exist file: path: "{{ matrix_systemd_path }}/matrix-jitsi-prosody.service" state: absent From 7a7dc0033387d8586739141af713587f4a6c64ee Mon Sep 17 00:00:00 2001 From: ppacheco28 Date: Wed, 8 Dec 2021 20:19:55 -0300 Subject: [PATCH 032/202] Update documentation to reflect added support for Jitsi internal authentication user creation --- docs/configuring-playbook-jitsi.md | 23 +++++++++-------------- 1 file changed, 9 insertions(+), 14 deletions(-) diff --git a/docs/configuring-playbook-jitsi.md b/docs/configuring-playbook-jitsi.md index f4e4c9f3..940252b4 100644 --- a/docs/configuring-playbook-jitsi.md +++ b/docs/configuring-playbook-jitsi.md @@ -41,13 +41,21 @@ If you're fine with such an open Jitsi instance, please skip to [Apply changes]( If you would like to control who is allowed to open meetings on your new Jitsi instance, then please follow this step to enable Jitsi's authentication and guests mode. With authentication enabled, all meeting rooms have to be opened by a registered user, after which guests are free to join. If a registered host is not yet present, guests are put on hold in individual waiting rooms. -Add these two lines to your `inventory/host_vars/matrix.DOMAIN/vars.yml` configuration: +Add these lines to your `inventory/host_vars/matrix.DOMAIN/vars.yml` configuration: ```yaml matrix_jitsi_enable_auth: true matrix_jitsi_enable_guests: true +matrix_jitsi_prosody_auth_internal_accounts: + - username: "jitsi-moderator" + password: "some-password" + - username: "other-user" + password: "some-other-password" ``` +**If you get an error** like this: "Error: Account creation/modification not supported.", it's likely that you had previously installed Jitsi without auth/guest support. In such a case, you should look into [Rebuilding your Jitsi installation](#rebuilding-your-jitsi-installation). + + ### (Optional) LDAP authentication The default authentication mode of Jitsi is `internal`, however LDAP is also supported. An example LDAP configuration could be: @@ -122,19 +130,6 @@ You may want to **limit the maximum video resolution**, to save up resources on Then re-run the playbook: `ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start` -## Required if configuring Jitsi with internal authentication: register new users - -Until this gets integrated into the playbook, we need to register new users / meeting hosts for Jitsi manually. -Please SSH into your matrix host machine and execute the following command targeting the `matrix-jitsi-prosody` container: - -```bash -docker exec matrix-jitsi-prosody prosodyctl --config /config/prosody.cfg.lua register meet.jitsi -``` - -Run this command for each user you would like to create, replacing `` and `` accordingly. After you've finished, please exit the host. - -**If you get an error** like this: "Error: Account creation/modification not supported.", it's likely that you had previously installed Jitsi without auth/guest support. In such a case, you should look into [Rebuilding your Jitsi installation](#rebuilding-your-jitsi-installation). - ## Usage From d086668f524d7859e52c581c252560c135323929 Mon Sep 17 00:00:00 2001 From: ppacheco28 Date: Thu, 9 Dec 2021 02:42:36 -0300 Subject: [PATCH 033/202] Ensure internal authentication users are properly configured --- roles/matrix-jitsi/tasks/validate_config.yml | 30 +++++++++++++++++--- 1 file changed, 26 insertions(+), 4 deletions(-) diff --git a/roles/matrix-jitsi/tasks/validate_config.yml b/roles/matrix-jitsi/tasks/validate_config.yml index d2887b12..8f874176 100644 --- a/roles/matrix-jitsi/tasks/validate_config.yml +++ b/roles/matrix-jitsi/tasks/validate_config.yml @@ -3,14 +3,14 @@ - name: Fail if required Jitsi settings not defined fail: msg: >- - You need to define a required configuration setting (`{{ item }}`) for using Jitsi. + You need to define a required configuration setting (`{{ item }}`) to properly configure Jitsi. If you're setting up Jitsi for the first time, you may have missed a step. Refer to our setup instructions (docs/configuring-playbook-jitsi.md). - If you had setup Jitsi successfully before and it's just now that you're observing this failure, - it means that your installation may be using some default passwords that the playbook used to define until now. - This is not secure and we urge you to rebuild your Jitsi setup. + If you had previously setup Jitsi successfully and are only now facing this error, + it means that your installation is most likely using default passwords previously defined by the playbook. + These defaults are insecure. Jitsi should be rebuilt with secure values. Refer to the "Rebuilding your Jitsi installation" section in our setup instructions (docs/configuring-playbook-jitsi.md). when: "vars[item] == ''" with_items: @@ -19,6 +19,28 @@ - "matrix_jitsi_jicofo_auth_password" - "matrix_jitsi_jvb_auth_password" + +- name: Fail if Jitsi internal authentication settings not defined + fail: + msg: >- + You must define the (`{{ item.username }}`) and (`{{ item.password }}`) configuration settings to properly configure an account using Jitsi's internal authentication. + + Please ensure you have defined at least one user and password when using internal authentication. + + If you're setting up Jitsi for the first time, you may have missed a step. + Refer to our setup instructions (docs/configuring-playbook-jitsi.md). + + If you had previously setup Jitsi successfully and are only now facing this error, + it means that your installation is most likely using default passwords previously defined by the playbook. + These defaults are insecure. Jitsi should be rebuilt with secure values. + Refer to the "Rebuilding your Jitsi installation" section in our setup instructions (docs/configuring-playbook-jitsi.md). + when: + - matrix_jitsi_auth_type == "internal" + - item.username == '' + - item.password == '' + with_items: "{{ matrix_jitsi_prosody_auth_internal_accounts }}" + + - name: (Deprecation) Catch and report renamed settings fail: msg: >- From 6e38ce42d880d23c574d084c666060e17f0924a6 Mon Sep 17 00:00:00 2001 From: ppacheco28 Date: Thu, 9 Dec 2021 07:40:25 -0300 Subject: [PATCH 034/202] Added check before stopping service, fixed unnecessary checking of user attributes, and created sections to clarify the file's purpose --- .../tasks/util/setup_jitsi_auth.yml | 27 ++++++++++++++----- 1 file changed, 20 insertions(+), 7 deletions(-) diff --git a/roles/matrix-jitsi/tasks/util/setup_jitsi_auth.yml b/roles/matrix-jitsi/tasks/util/setup_jitsi_auth.yml index 804e6526..66fb7e5d 100644 --- a/roles/matrix-jitsi/tasks/util/setup_jitsi_auth.yml +++ b/roles/matrix-jitsi/tasks/util/setup_jitsi_auth.yml @@ -1,30 +1,43 @@ --- - # -# Tasks related to setting up Jitsi authentication mechanisms +# Start Necessary Services # - name: Ensure matrix-jitsi-prosody container is running systemd: state: started name: matrix-jitsi-prosody + register: matrix_jitsi_prosody_start_result + + +# +# Tasks related to configuring Jitsi internal authentication +# -- name: Ensire Jitsi internal authentication users are created +- name: Ensure Jitsi internal authentication users are configured shell: "docker exec matrix-jitsi-prosody prosodyctl --config /config/prosody.cfg.lua register {{ item.username | quote }} meet.jitsi {{ item.password | quote }}" with_items: "{{ matrix_jitsi_prosody_auth_internal_accounts }}" when: - matrix_jitsi_auth_type == "internal" + - matrix_jitsi_prosody_auth_internal_accounts|length > 0 # -# Configure other authentication mechanisms below +# Tasks related to configuring other Jitsi authentication mechanisms # + # -# End +# Tasks related to cleaning after Jitsi authentication configuration # -- name: Ensure matrix-jitsi-prosody container is stopped + + +# +# Stop Necessary Services +# +- name: Ensure matrix-jitsi-prosody container is stopped if necessary systemd: state: stopped - name: matrix-jitsi-prosody \ No newline at end of file + name: matrix-jitsi-prosody + when: matrix_jitsi_prosody_start_result.changed|bool \ No newline at end of file From a26abb2f1b2c5e5c8ddd0eb2792ab02a921665c4 Mon Sep 17 00:00:00 2001 From: ppacheco28 Date: Thu, 9 Dec 2021 07:44:50 -0300 Subject: [PATCH 035/202] Removed an empty line (formatting) --- roles/matrix-jitsi/tasks/setup_jitsi_prosody.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/roles/matrix-jitsi/tasks/setup_jitsi_prosody.yml b/roles/matrix-jitsi/tasks/setup_jitsi_prosody.yml index d9b6fcba..c1c7c7fc 100644 --- a/roles/matrix-jitsi/tasks/setup_jitsi_prosody.yml +++ b/roles/matrix-jitsi/tasks/setup_jitsi_prosody.yml @@ -45,7 +45,6 @@ daemon_reload: yes when: "matrix_jitsi_enabled and matrix_jitsi_prosody_systemd_service_result.changed" - - name: Ensure authentication is properly configured include_tasks: file: "{{ role_path }}/tasks/util/setup_jitsi_auth.yml" From 4c25c1df06f9eb68309e138fe1286d1d74437289 Mon Sep 17 00:00:00 2001 From: ppacheco28 Date: Thu, 9 Dec 2021 07:50:31 -0300 Subject: [PATCH 036/202] Changed matrix_jitsi_prosody_auth_internal_accounts default to an empty array, removed unused configuration declaration, and moved jibri configuration back to its proper place --- roles/matrix-jitsi/defaults/main.yml | 27 ++++++++++++++++++--------- 1 file changed, 18 insertions(+), 9 deletions(-) diff --git a/roles/matrix-jitsi/defaults/main.yml b/roles/matrix-jitsi/defaults/main.yml index 61742126..e233e016 100644 --- a/roles/matrix-jitsi/defaults/main.yml +++ b/roles/matrix-jitsi/defaults/main.yml @@ -9,12 +9,22 @@ matrix_jitsi_enable_transcriptions: false matrix_jitsi_enable_p2p: true matrix_jitsi_enable_av_moderation: true -# Authentication type, must be one of internal, jwt or ldap. Currently only -# internal and ldap are supported by this playbook. +# Authentication type, must be one of internal, jwt or ldap. +# Currently only internal and ldap mechanisms are supported by this playbook. matrix_jitsi_auth_type: internal -matrix_jitsi_prosody_auth_internal_accounts: - - username: "jitsti-moderator" - password: "" + +# A list of Jitsi (Prosody) accounts to create using the internal authentication mechanism. +# +# Accounts added here and subsquently removed will not be automatically removed +# from the Prosody server until user account cleaning is integrated into the playbook. +# +# Example: +# matrix_jitsi_prosody_auth_internal_accounts: +# - username: "jitsi-moderator" +# password: "secret-password" +# - username: "another-user" +# password: "another-password" +matrix_jitsi_prosody_auth_internal_accounts: [] # Configuration options for LDAP authentication. For details see upstream: # https://github.com/jitsi/docker-jitsi-meet#authentication-using-ldap. @@ -44,17 +54,16 @@ matrix_jitsi_xmpp_guest_domain: guest.meet.jitsi matrix_jitsi_xmpp_muc_domain: muc.meet.jitsi matrix_jitsi_xmpp_internal_muc_domain: internal-muc.meet.jitsi matrix_jitsi_xmpp_modules: '' -matrix_jitsi_xmpp_muc_modules: '' -matrix_jitsi_xmpp_muc_modules_internal: '' matrix_jitsi_recorder_domain: recorder.meet.jitsi -matrix_jitsi_jibri_recorder_user: recorder -matrix_jitsi_jibri_recorder_password: '' + matrix_jitsi_jibri_brewery_muc: jibribrewery matrix_jitsi_jibri_pending_timeout: 90 matrix_jitsi_jibri_xmpp_user: jibri matrix_jitsi_jibri_xmpp_password: '' +matrix_jitsi_jibri_recorder_user: recorder +matrix_jitsi_jibri_recorder_password: '' matrix_jitsi_enable_lobby: false From 0c101f20c447ac5b4fe494cb7379f516f2f17ff1 Mon Sep 17 00:00:00 2001 From: ppacheco28 Date: Thu, 9 Dec 2021 07:54:40 -0300 Subject: [PATCH 037/202] Fixed unnecessary checking of user attributes, added check for matrix_jitsi_enable_auth boolean --- roles/matrix-jitsi/tasks/validate_config.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/roles/matrix-jitsi/tasks/validate_config.yml b/roles/matrix-jitsi/tasks/validate_config.yml index 8f874176..37b10cb4 100644 --- a/roles/matrix-jitsi/tasks/validate_config.yml +++ b/roles/matrix-jitsi/tasks/validate_config.yml @@ -34,10 +34,10 @@ it means that your installation is most likely using default passwords previously defined by the playbook. These defaults are insecure. Jitsi should be rebuilt with secure values. Refer to the "Rebuilding your Jitsi installation" section in our setup instructions (docs/configuring-playbook-jitsi.md). - when: - - matrix_jitsi_auth_type == "internal" - - item.username == '' - - item.password == '' + when: + - matrix_jitsi_enable_auth|bool + - matrix_jitsi_auth_type == 'internal' + - matrix_jitsi_prosody_auth_internal_accounts|length == '0' with_items: "{{ matrix_jitsi_prosody_auth_internal_accounts }}" From f2293f61eebe49f47d7bb42363ed4f6b0fa9eb5a Mon Sep 17 00:00:00 2001 From: ppacheco28 Date: Thu, 9 Dec 2021 07:58:50 -0300 Subject: [PATCH 038/202] Updated documentation to better reflect the workings of Jitsi internal authentication with this playbook --- docs/configuring-playbook-jitsi.md | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/docs/configuring-playbook-jitsi.md b/docs/configuring-playbook-jitsi.md index 940252b4..f7e8a949 100644 --- a/docs/configuring-playbook-jitsi.md +++ b/docs/configuring-playbook-jitsi.md @@ -48,11 +48,13 @@ matrix_jitsi_enable_auth: true matrix_jitsi_enable_guests: true matrix_jitsi_prosody_auth_internal_accounts: - username: "jitsi-moderator" - password: "some-password" - - username: "other-user" - password: "some-other-password" + password: "secret-password" + - username: "another-user" + password: "another-password" ``` +**Caution:** Accounts added here and subsquently removed will not be automatically removed from the Prosody server until user account cleaning is integrated into the playbook. + **If you get an error** like this: "Error: Account creation/modification not supported.", it's likely that you had previously installed Jitsi without auth/guest support. In such a case, you should look into [Rebuilding your Jitsi installation](#rebuilding-your-jitsi-installation). From a9e222d5238af3a76e8d77e2ef7801a05662dbdc Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 9 Dec 2021 19:45:39 +0200 Subject: [PATCH 039/202] Remove useless variable (matrix_appservice_webhooks_control_room_id) Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1447 Seems like there's such a variable in the `matrix-bridge-appservice-slack` role, which is probably where it got copied over from. --- roles/matrix-bridge-appservice-webhooks/defaults/main.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/roles/matrix-bridge-appservice-webhooks/defaults/main.yml b/roles/matrix-bridge-appservice-webhooks/defaults/main.yml index 25419900..bc9ae8b4 100644 --- a/roles/matrix-bridge-appservice-webhooks/defaults/main.yml +++ b/roles/matrix-bridge-appservice-webhooks/defaults/main.yml @@ -22,8 +22,6 @@ matrix_appservice_webhooks_docker_src_files_path: "{{ matrix_appservice_webhooks matrix_appservice_webhooks_public_endpoint: /appservice-webhooks matrix_appservice_webhooks_inbound_uri_prefix: "{{ matrix_homeserver_url }}{{ matrix_appservice_webhooks_public_endpoint }}" -# Once you make a control room in Matrix, you can get its ID by typing any message and checking its source -matrix_appservice_webhooks_control_room_id: '' matrix_appservice_webhooks_bot_name: 'webhookbot' matrix_appservice_webhooks_user_prefix: '_webhook' From c116f268f2f1aa03e2b14036201229b529b94d26 Mon Sep 17 00:00:00 2001 From: ppacheco28 Date: Thu, 9 Dec 2021 19:30:32 -0300 Subject: [PATCH 040/202] Fixed type mismatch --- roles/matrix-jitsi/tasks/validate_config.yml | 12 +++--------- 1 file changed, 3 insertions(+), 9 deletions(-) diff --git a/roles/matrix-jitsi/tasks/validate_config.yml b/roles/matrix-jitsi/tasks/validate_config.yml index 37b10cb4..5452768a 100644 --- a/roles/matrix-jitsi/tasks/validate_config.yml +++ b/roles/matrix-jitsi/tasks/validate_config.yml @@ -20,25 +20,19 @@ - "matrix_jitsi_jvb_auth_password" -- name: Fail if Jitsi internal authentication settings not defined +- name: Fail if a Jitsi internal authentication account is not defined fail: msg: >- - You must define the (`{{ item.username }}`) and (`{{ item.password }}`) configuration settings to properly configure an account using Jitsi's internal authentication. + Each Jitsi user in `matrix_jitsi_prosody_auth_internal_accounts` needs to have a non-empty `username`/`password`. Please ensure you have defined at least one user and password when using internal authentication. If you're setting up Jitsi for the first time, you may have missed a step. Refer to our setup instructions (docs/configuring-playbook-jitsi.md). - - If you had previously setup Jitsi successfully and are only now facing this error, - it means that your installation is most likely using default passwords previously defined by the playbook. - These defaults are insecure. Jitsi should be rebuilt with secure values. - Refer to the "Rebuilding your Jitsi installation" section in our setup instructions (docs/configuring-playbook-jitsi.md). when: - matrix_jitsi_enable_auth|bool - matrix_jitsi_auth_type == 'internal' - - matrix_jitsi_prosody_auth_internal_accounts|length == '0' - with_items: "{{ matrix_jitsi_prosody_auth_internal_accounts }}" + - matrix_jitsi_prosody_auth_internal_accounts == '' - name: (Deprecation) Catch and report renamed settings From fc55df9318efb28d17295293adf3a6edf7ab4b84 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 10 Dec 2021 08:29:57 +0200 Subject: [PATCH 041/202] Make some appservices reach the homeserver via nginx This is useful when Synapse is using a worker setup. In that case, we don't want appservices to connect to `matrix-synapse:8008`, because not all APIs are exposed there. Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1449 --- group_vars/matrix_servers | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 64ec0bd1..f9763c56 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -113,7 +113,7 @@ matrix_appservice_webhooks_container_http_host_bind_port: "{{ '' if matrix_nginx matrix_appservice_webhooks_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'webhook.as.token') | to_uuid }}" -matrix_appservice_webhooks_homeserver_url: "http://matrix-synapse:{{ matrix_synapse_container_client_api_port }}" +matrix_appservice_webhooks_homeserver_url: "{{ matrix_homeserver_container_url }}" matrix_appservice_webhooks_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'webhook.hs.token') | to_uuid }}" matrix_appservice_webhooks_id_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'webhook.id.token') | to_uuid }}" @@ -152,7 +152,7 @@ matrix_appservice_slack_container_http_host_bind_port: "{{ '' if matrix_nginx_pr matrix_appservice_slack_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'slack.as.token') | to_uuid }}" -matrix_appservice_slack_homeserver_url: "http://matrix-synapse:{{ matrix_synapse_container_client_api_port }}" +matrix_appservice_slack_homeserver_url: "{{ matrix_homeserver_container_url }}" matrix_appservice_slack_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'slack.hs.token') | to_uuid }}" matrix_appservice_slack_id_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'slack.id.token') | to_uuid }}" From 6568b68759901a1fdef4dd55d8f915837b435738 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 11 Dec 2021 10:14:33 +0200 Subject: [PATCH 042/202] Fix validation message The check was checking for an empty string in `matrix_jitsi_prosody_auth_internal_accounts`, which is unlikely to happen. We should check for an empty list instead. The check was not validating username/password values, so telling the user that they need a non-empty username/password is misleading. It was merely checking if there's at least one entry in the list. This patch adjusts the check and message accordingly. --- roles/matrix-jitsi/tasks/validate_config.yml | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/roles/matrix-jitsi/tasks/validate_config.yml b/roles/matrix-jitsi/tasks/validate_config.yml index 5452768a..a9d86764 100644 --- a/roles/matrix-jitsi/tasks/validate_config.yml +++ b/roles/matrix-jitsi/tasks/validate_config.yml @@ -23,16 +23,14 @@ - name: Fail if a Jitsi internal authentication account is not defined fail: msg: >- - Each Jitsi user in `matrix_jitsi_prosody_auth_internal_accounts` needs to have a non-empty `username`/`password`. - - Please ensure you have defined at least one user and password when using internal authentication. + At least one Jitsi user needs to be defined in `matrix_jitsi_prosody_auth_internal_accounts` when using internal authentication. If you're setting up Jitsi for the first time, you may have missed a step. Refer to our setup instructions (docs/configuring-playbook-jitsi.md). when: - matrix_jitsi_enable_auth|bool - matrix_jitsi_auth_type == 'internal' - - matrix_jitsi_prosody_auth_internal_accounts == '' + - matrix_jitsi_prosody_auth_internal_accounts|length == 0 - name: (Deprecation) Catch and report renamed settings From ece163b29ff49ef706cbfb4bbeebe3d3f7aee2ef Mon Sep 17 00:00:00 2001 From: AnonyPla <86740652+AnonyPla@users.noreply.github.com> Date: Sat, 11 Dec 2021 08:16:33 +0000 Subject: [PATCH 043/202] Upgrade Mjolnir from 1.1.20 to version 1.2.1 (#1422) * Upgrade Mjolnir from 1.1.20 to version 1.2.1 https://hub.docker.com/r/matrixdotorg/mjolnir/tags using the "latest" tag seems inefficient as it doesn't actually redirect to the latest release In any case, the latest release is now 1.2.1 docker pull matrixdotorg/mjolnir:v1.2.1 * Fixup Co-authored-by: Slavi Pantaleev --- roles/matrix-bot-mjolnir/defaults/main.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/roles/matrix-bot-mjolnir/defaults/main.yml b/roles/matrix-bot-mjolnir/defaults/main.yml index 6e7331c4..72c68502 100644 --- a/roles/matrix-bot-mjolnir/defaults/main.yml +++ b/roles/matrix-bot-mjolnir/defaults/main.yml @@ -3,14 +3,13 @@ matrix_bot_mjolnir_enabled: true -matrix_bot_mjolnir_version: "v1.1.20" +matrix_bot_mjolnir_version: "v1.2.1" matrix_bot_mjolnir_container_image_self_build: false matrix_bot_mjolnir_container_image_self_build_repo: "https://github.com/matrix-org/mjolnir.git" matrix_bot_mjolnir_docker_image: "{{ matrix_bot_mjolnir_docker_image_name_prefix }}matrixdotorg/mjolnir:{{ matrix_bot_mjolnir_version }}" matrix_bot_mjolnir_docker_image_name_prefix: "{{ 'localhost/' if matrix_bot_mjolnir_container_image_self_build else matrix_container_global_registry_prefix }}" - matrix_bot_mjolnir_docker_image_force_pull: "{{ matrix_bot_mjolnir_docker_image.endswith(':latest') }}" matrix_bot_mjolnir_base_path: "{{ matrix_base_data_path }}/mjolnir" From eca26e49e1561603eecab65a8ba9e60f2d46f39c Mon Sep 17 00:00:00 2001 From: ppacheco28 Date: Sat, 11 Dec 2021 11:09:06 -0300 Subject: [PATCH 044/202] Update Jitsi to version stable-6727 --- roles/matrix-jitsi/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-jitsi/defaults/main.yml b/roles/matrix-jitsi/defaults/main.yml index e233e016..b1002a7f 100644 --- a/roles/matrix-jitsi/defaults/main.yml +++ b/roles/matrix-jitsi/defaults/main.yml @@ -67,7 +67,7 @@ matrix_jitsi_jibri_recorder_password: '' matrix_jitsi_enable_lobby: false -matrix_jitsi_version: stable-6173 +matrix_jitsi_version: stable-6726 matrix_jitsi_container_image_tag: "{{ matrix_jitsi_version }}" # for backward-compatibility matrix_jitsi_web_docker_image: "{{ matrix_container_global_registry_prefix }}jitsi/web:{{ matrix_jitsi_container_image_tag }}" From bbab82ee647348fc6d4f864ceac93f18dc3a9461 Mon Sep 17 00:00:00 2001 From: SkepticalWaves Date: Sat, 11 Dec 2021 10:26:55 -0500 Subject: [PATCH 045/202] Fix email sending broken by #1406 --- roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 | 2 ++ 1 file changed, 2 insertions(+) diff --git a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 index f27fcb06..3e289b0c 100644 --- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 @@ -2344,8 +2344,10 @@ email: # Username/password for authentication to the SMTP server. By default, no # authentication is attempted. + {% if matrix_synapse_email_smtp_user %} smtp_user: {{ matrix_synapse_email_smtp_user|string|to_json }} smtp_pass: {{ matrix_synapse_email_smtp_pass|string|to_json }} + {% endif %} # Uncomment the following to require TLS transport security for SMTP. # By default, Synapse will connect over plain text, and will then switch to From dd903ffcc2c2beec08557b157f1cd4aa4ce0b16b Mon Sep 17 00:00:00 2001 From: laszabine Date: Sat, 11 Dec 2021 16:16:41 +0000 Subject: [PATCH 046/202] Updated signald docker image path --- roles/matrix-bridge-mautrix-signal/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-bridge-mautrix-signal/defaults/main.yml b/roles/matrix-bridge-mautrix-signal/defaults/main.yml index 93993fa1..6e0a9918 100644 --- a/roles/matrix-bridge-mautrix-signal/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-signal/defaults/main.yml @@ -17,7 +17,7 @@ matrix_mautrix_signal_daemon_container_self_build: false matrix_mautrix_signal_daemon_docker_repo: "https://mau.dev/maunium/signald.git" matrix_mautrix_signal_daemon_docker_src_files_path: "{{ matrix_base_data_path }}/mautrix-signald/docker-src" -matrix_mautrix_signal_daemon_docker_image: "dock.mau.dev/maunium/signald:{{ matrix_mautrix_signal_daemon_version }}" +matrix_mautrix_signal_daemon_docker_image: "docker.io/signald/signald:{{ matrix_mautrix_signal_daemon_version }}" matrix_mautrix_signal_daemon_docker_image_force_pull: "{{ matrix_mautrix_signal_daemon_docker_image.endswith(':latest') }}" matrix_mautrix_signal_base_path: "{{ matrix_base_data_path }}/mautrix-signal" From 1f0d56fb75b053ca91d803416b01e498c2461901 Mon Sep 17 00:00:00 2001 From: rakshazi Date: Mon, 13 Dec 2021 15:55:40 +0000 Subject: [PATCH 047/202] (Security fix) Update Element 1.9.6 -> 1.9.7 Ref: https://matrix.org/blog/2021/12/13/disclosure-buffer-overflow-in-libolm-and-matrix-js-sdk --- roles/matrix-client-element/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-client-element/defaults/main.yml b/roles/matrix-client-element/defaults/main.yml index d1a6a73a..28412a26 100644 --- a/roles/matrix-client-element/defaults/main.yml +++ b/roles/matrix-client-element/defaults/main.yml @@ -7,7 +7,7 @@ matrix_client_element_container_image_self_build_repo: "https://github.com/vecto # - https://github.com/vector-im/element-web/issues/19544 matrix_client_element_container_image_self_build_low_memory_system_patch_enabled: "{{ ansible_memtotal_mb < 4096 }}" -matrix_client_element_version: v1.9.6 +matrix_client_element_version: v1.9.7 matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:{{ matrix_client_element_version }}" matrix_client_element_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_client_element_docker_image_force_pull: "{{ matrix_client_element_docker_image.endswith(':latest') }}" From a8fc4fe6ce5e82d44060b7e50c131eca8b502aff Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 14 Dec 2021 12:33:59 +0200 Subject: [PATCH 048/202] Mention log4j vulnerability affecting mautrix-signal Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1459 and https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1452 --- CHANGELOG.md | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 43af8dd1..a6d15b96 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,12 @@ +# 2021-12-14 + +## (Security) Users of the Signal bridge may wish to upgrade it to work around log4j vulnerability + +Recently, a security vulnerability affecting the Java logging package `log4j` [has been discovered](https://www.huntress.com/blog/rapid-response-critical-rce-vulnerability-is-affecting-java). Software that uses this Java package is potentially vulnerable. + +One such piece of software that is part of the playbook is the [mautrix-signal bridge](./docs/configuring-playbook-bridge-mautrix-signal.md), which [has been patched already](https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1452). If you're running this bridge, you may wish to [upgrade](./docs/maintenance-upgrading-services.md). + + # 2021-11-11 ## Dropped support for Postgres v9.6 From 6b9b824964fddb9b7ad9a70089d49705a0be1377 Mon Sep 17 00:00:00 2001 From: Matthew Cengia Date: Sun, 11 Apr 2021 16:11:45 +1000 Subject: [PATCH 049/202] Copy matrix-bridge-mautrix-facebook as base for matrix-bridge-mautrix-twitter --- .../defaults/main.yml | 115 +++++++++ .../tasks/init.yml | 23 ++ .../tasks/main.yml | 21 ++ .../tasks/setup_install.yml | 128 ++++++++++ .../tasks/setup_uninstall.yml | 24 ++ .../tasks/validate_config.yml | 31 +++ .../templates/config.yaml.j2 | 227 ++++++++++++++++++ .../matrix-mautrix-facebook.service.j2 | 42 ++++ 8 files changed, 611 insertions(+) create mode 100644 roles/matrix-bridge-mautrix-twitter/defaults/main.yml create mode 100644 roles/matrix-bridge-mautrix-twitter/tasks/init.yml create mode 100644 roles/matrix-bridge-mautrix-twitter/tasks/main.yml create mode 100644 roles/matrix-bridge-mautrix-twitter/tasks/setup_install.yml create mode 100644 roles/matrix-bridge-mautrix-twitter/tasks/setup_uninstall.yml create mode 100644 roles/matrix-bridge-mautrix-twitter/tasks/validate_config.yml create mode 100644 roles/matrix-bridge-mautrix-twitter/templates/config.yaml.j2 create mode 100644 roles/matrix-bridge-mautrix-twitter/templates/systemd/matrix-mautrix-facebook.service.j2 diff --git a/roles/matrix-bridge-mautrix-twitter/defaults/main.yml b/roles/matrix-bridge-mautrix-twitter/defaults/main.yml new file mode 100644 index 00000000..71a225f7 --- /dev/null +++ b/roles/matrix-bridge-mautrix-twitter/defaults/main.yml @@ -0,0 +1,115 @@ +# mautrix-facebook is a Matrix <-> Facebook bridge +# See: https://github.com/tulir/mautrix-facebook + +matrix_mautrix_facebook_enabled: true + +matrix_mautrix_facebook_container_image_self_build: false +matrix_mautrix_facebook_container_image_self_build_repo: "https://github.com/tulir/mautrix-facebook.git" + +matrix_mautrix_facebook_version: latest +# See: https://mau.dev/tulir/mautrix-facebook/container_registry +matrix_mautrix_facebook_docker_image: "{{ matrix_mautrix_facebook_docker_image_name_prefix }}tulir/mautrix-facebook:{{ matrix_mautrix_facebook_version }}" +matrix_mautrix_facebook_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_facebook_container_image_self_build else 'dock.mau.dev/' }}" +matrix_mautrix_facebook_docker_image_force_pull: "{{ matrix_mautrix_facebook_docker_image.endswith(':latest') }}" + +matrix_mautrix_facebook_base_path: "{{ matrix_base_data_path }}/mautrix-facebook" +matrix_mautrix_facebook_config_path: "{{ matrix_mautrix_facebook_base_path }}/config" +matrix_mautrix_facebook_data_path: "{{ matrix_mautrix_facebook_base_path }}/data" +matrix_mautrix_facebook_docker_src_files_path: "{{ matrix_mautrix_facebook_base_path }}/docker-src" + +matrix_mautrix_facebook_homeserver_address: "{{ matrix_homeserver_container_url }}" +matrix_mautrix_facebook_homeserver_domain: '{{ matrix_domain }}' +matrix_mautrix_facebook_appservice_address: 'http://matrix-mautrix-facebook:29319' + +# A list of extra arguments to pass to the container +matrix_mautrix_facebook_container_extra_arguments: [] + +# List of systemd services that matrix-mautrix-facebook.service depends on. +matrix_mautrix_facebook_systemd_required_services_list: ['docker.service'] + +# List of systemd services that matrix-mautrix-facebook.service wants +matrix_mautrix_facebook_systemd_wanted_services_list: [] + +matrix_mautrix_facebook_appservice_token: '' +matrix_mautrix_facebook_homeserver_token: '' + + +# Database-related configuration fields. +# +# To use SQLite: +# - change the engine (`matrix_mautrix_facebook_database_engine: 'sqlite'`) +# - change to the last bridge version that supported SQLite: +# `matrix_mautrix_facebook_docker_image: "{{ matrix_mautrix_facebook_docker_image_name_prefix }}tulir/mautrix-facebook:da1b4ec596e334325a1589e70829dea46e73064b"` +# - plan your migration to Postgres, as this bridge does not support SQLite anymore (and neither will the playbook in the future). +# +# To use Postgres: +# - adjust your database credentials via the `matrix_mautrix_facebook_postgres_*` variables +matrix_mautrix_facebook_database_engine: 'postgres' + +matrix_mautrix_facebook_sqlite_database_path_local: "{{ matrix_mautrix_facebook_data_path }}/mautrix-facebook.db" +matrix_mautrix_facebook_sqlite_database_path_in_container: "/data/mautrix-facebook.db" + +matrix_mautrix_facebook_database_username: 'matrix_mautrix_facebook' +matrix_mautrix_facebook_database_password: 'some-password' +matrix_mautrix_facebook_database_hostname: 'matrix-postgres' +matrix_mautrix_facebook_database_port: 5432 +matrix_mautrix_facebook_database_name: 'matrix_mautrix_facebook' + +matrix_mautrix_facebook_database_connection_string: 'postgres://{{ matrix_mautrix_facebook_database_username }}:{{ matrix_mautrix_facebook_database_password }}@{{ matrix_mautrix_facebook_database_hostname }}:{{ matrix_mautrix_facebook_database_port }}/{{ matrix_mautrix_facebook_database_name }}' + +matrix_mautrix_facebook_appservice_database: "{{ + { + 'sqlite': ('sqlite:///' + matrix_mautrix_facebook_sqlite_database_path_in_container), + 'postgres': matrix_mautrix_facebook_database_connection_string, + }[matrix_mautrix_facebook_database_engine] +}}" + + +# Can be set to enable automatic double-puppeting via Shared Secret Auth (https://github.com/devture/matrix-synapse-shared-secret-auth). +matrix_mautrix_facebook_login_shared_secret: '' + +matrix_mautrix_facebook_bridge_login_shared_secret_map: "{{ {matrix_mautrix_facebook_homeserver_domain: matrix_mautrix_facebook_login_shared_secret} if matrix_mautrix_facebook_login_shared_secret else {} }}" + +matrix_mautrix_facebook_appservice_bot_username: facebookbot + +matrix_mautrix_facebook_bridge_presence: true + +# Default configuration template which covers the generic use case. +# You can customize it by controlling the various variables inside it. +# +# For a more advanced customization, you can extend the default (see `matrix_mautrix_facebook_configuration_extension_yaml`) +# or completely replace this variable with your own template. +matrix_mautrix_facebook_configuration_yaml: "{{ lookup('template', 'templates/config.yaml.j2') }}" + +matrix_mautrix_facebook_configuration_extension_yaml: | + # Your custom YAML configuration goes here. + # This configuration extends the default starting configuration (`matrix_mautrix_facebook_configuration_yaml`). + # + # You can override individual variables from the default configuration, or introduce new ones. + # + # If you need something more special, you can take full control by + # completely redefining `matrix_mautrix_facebook_configuration_yaml`. + +matrix_mautrix_facebook_configuration_extension: "{{ matrix_mautrix_facebook_configuration_extension_yaml|from_yaml if matrix_mautrix_facebook_configuration_extension_yaml|from_yaml is mapping else {} }}" + +# Holds the final configuration (a combination of the default and its extension). +# You most likely don't need to touch this variable. Instead, see `matrix_mautrix_facebook_configuration_yaml`. +matrix_mautrix_facebook_configuration: "{{ matrix_mautrix_facebook_configuration_yaml|from_yaml|combine(matrix_mautrix_facebook_configuration_extension, recursive=True) }}" + +matrix_mautrix_facebook_registration_yaml: | + id: facebook + as_token: "{{ matrix_mautrix_facebook_appservice_token }}" + hs_token: "{{ matrix_mautrix_facebook_homeserver_token }}" + namespaces: + users: + - exclusive: true + regex: '^@facebook_.+:{{ matrix_mautrix_facebook_homeserver_domain|regex_escape }}$' + - exclusive: true + regex: '^@{{ matrix_mautrix_facebook_appservice_bot_username|regex_escape }}:{{ matrix_mautrix_facebook_homeserver_domain|regex_escape }}$' + url: {{ matrix_mautrix_facebook_appservice_address }} + # See https://github.com/tulir/mautrix-signal/issues/43 + sender_localpart: _bot_{{ matrix_mautrix_facebook_appservice_bot_username }} + rate_limited: false + de.sorunome.msc2409.push_ephemeral: true + +matrix_mautrix_facebook_registration: "{{ matrix_mautrix_facebook_registration_yaml|from_yaml }}" diff --git a/roles/matrix-bridge-mautrix-twitter/tasks/init.yml b/roles/matrix-bridge-mautrix-twitter/tasks/init.yml new file mode 100644 index 00000000..9e127316 --- /dev/null +++ b/roles/matrix-bridge-mautrix-twitter/tasks/init.yml @@ -0,0 +1,23 @@ +- set_fact: + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mautrix-facebook.service'] }}" + when: matrix_mautrix_facebook_enabled|bool + +# If the matrix-synapse role is not used, these variables may not exist. +- set_fact: + matrix_synapse_container_extra_arguments: > + {{ matrix_synapse_container_extra_arguments|default([]) }} + + + ["--mount type=bind,src={{ matrix_mautrix_facebook_config_path }}/registration.yaml,dst=/matrix-mautrix-facebook-registration.yaml,ro"] + + matrix_synapse_app_service_config_files: > + {{ matrix_synapse_app_service_config_files|default([]) }} + + + {{ ["/matrix-mautrix-facebook-registration.yaml"] }} + when: matrix_mautrix_facebook_enabled|bool + +# ansible lower than 2.8, does not support docker_image build parameters +# for self buildig it is explicitly needed, so we rather fail here +- name: Fail if running on Ansible lower than 2.8 and trying self building + fail: + msg: "To self build Mautrix Facebook image, you should usa ansible 2.8 or higher. E.g. pip contains such packages." + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mautrix_facebook_container_image_self_build" diff --git a/roles/matrix-bridge-mautrix-twitter/tasks/main.yml b/roles/matrix-bridge-mautrix-twitter/tasks/main.yml new file mode 100644 index 00000000..54fb6f9d --- /dev/null +++ b/roles/matrix-bridge-mautrix-twitter/tasks/main.yml @@ -0,0 +1,21 @@ +- import_tasks: "{{ role_path }}/tasks/init.yml" + tags: + - always + +- import_tasks: "{{ role_path }}/tasks/validate_config.yml" + when: "run_setup|bool and matrix_mautrix_facebook_enabled|bool" + tags: + - setup-all + - setup-mautrix-facebook + +- import_tasks: "{{ role_path }}/tasks/setup_install.yml" + when: "run_setup|bool and matrix_mautrix_facebook_enabled|bool" + tags: + - setup-all + - setup-mautrix-facebook + +- import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" + when: "run_setup|bool and not matrix_mautrix_facebook_enabled|bool" + tags: + - setup-all + - setup-mautrix-facebook diff --git a/roles/matrix-bridge-mautrix-twitter/tasks/setup_install.yml b/roles/matrix-bridge-mautrix-twitter/tasks/setup_install.yml new file mode 100644 index 00000000..59998463 --- /dev/null +++ b/roles/matrix-bridge-mautrix-twitter/tasks/setup_install.yml @@ -0,0 +1,128 @@ +--- + +# If the matrix-synapse role is not used, `matrix_synapse_role_executed` won't exist. +# We don't want to fail in such cases. +- name: Fail if matrix-synapse role already executed + fail: + msg: >- + The matrix-bridge-mautrix-facebook role needs to execute before the matrix-synapse role. + when: "matrix_synapse_role_executed|default(False)" + +- set_fact: + matrix_mautrix_facebook_requires_restart: false + +- block: + - name: Check if an SQLite database already exists + stat: + path: "{{ matrix_mautrix_facebook_sqlite_database_path_local }}" + register: matrix_mautrix_facebook_sqlite_database_path_local_stat_result + + - block: + - set_fact: + matrix_postgres_db_migration_request: + src: "{{ matrix_mautrix_facebook_sqlite_database_path_local }}" + dst: "{{ matrix_mautrix_facebook_database_connection_string }}" + caller: "{{ role_path|basename }}" + engine_variable_name: 'matrix_mautrix_facebook_database_engine' + engine_old: 'sqlite' + systemd_services_to_stop: ['matrix-mautrix-facebook.service'] + + - import_tasks: "{{ role_path }}/../matrix-postgres/tasks/util/migrate_db_to_postgres.yml" + + - set_fact: + matrix_mautrix_facebook_requires_restart: true + when: "matrix_mautrix_facebook_sqlite_database_path_local_stat_result.stat.exists|bool" + when: "matrix_mautrix_facebook_database_engine == 'postgres'" + +- name: Ensure Mautrix Facebook image is pulled + docker_image: + name: "{{ matrix_mautrix_facebook_docker_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_mautrix_facebook_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mautrix_facebook_docker_image_force_pull }}" + when: matrix_mautrix_facebook_enabled|bool and not matrix_mautrix_facebook_container_image_self_build + +- name: Ensure Mautrix Facebook paths exist + file: + path: "{{ item.path }}" + state: directory + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: + - { path: "{{ matrix_mautrix_facebook_base_path }}", when: true } + - { path: "{{ matrix_mautrix_facebook_config_path }}", when: true } + - { path: "{{ matrix_mautrix_facebook_data_path }}", when: true } + - { path: "{{ matrix_mautrix_facebook_docker_src_files_path }}", when: "{{ matrix_mautrix_facebook_container_image_self_build }}" } + when: item.when|bool + +- name: Ensure Mautrix Facebook repository is present on self-build + git: + repo: "{{ matrix_mautrix_facebook_container_image_self_build_repo }}" + dest: "{{ matrix_mautrix_facebook_docker_src_files_path }}" +# version: "{{ matrix_coturn_docker_image.split(':')[1] }}" + force: "yes" + register: matrix_mautrix_facebook_git_pull_results + when: "matrix_mautrix_facebook_enabled|bool and matrix_mautrix_facebook_container_image_self_build" + +- name: Ensure Mautrix Facebook Docker image is built + docker_image: + name: "{{ matrix_mautrix_facebook_docker_image }}" + source: build + force_source: "{{ matrix_mautrix_facebook_git_pull_results.changed }}" + build: + dockerfile: Dockerfile + path: "{{ matrix_mautrix_facebook_docker_src_files_path }}" + pull: yes + when: "matrix_mautrix_facebook_enabled|bool and matrix_mautrix_facebook_container_image_self_build|bool" + +- name: Check if an old database file already exists + stat: + path: "{{ matrix_mautrix_facebook_base_path }}/mautrix-facebook.db" + register: matrix_mautrix_facebook_stat_database + +- name: (Data relocation) Ensure matrix-mautrix-facebook.service is stopped + service: + name: matrix-mautrix-facebook + state: stopped + daemon_reload: yes + failed_when: false + when: "matrix_mautrix_facebook_stat_database.stat.exists" + +- name: (Data relocation) Move mautrix-facebook database file to ./data directory + command: "mv {{ matrix_mautrix_facebook_base_path }}/mautrix-facebook.db {{ matrix_mautrix_facebook_data_path }}/mautrix-facebook.db" + when: "matrix_mautrix_facebook_stat_database.stat.exists" + +- name: Ensure mautrix-facebook config.yaml installed + copy: + content: "{{ matrix_mautrix_facebook_configuration|to_nice_yaml }}" + dest: "{{ matrix_mautrix_facebook_config_path }}/config.yaml" + mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + +- name: Ensure mautrix-facebook registration.yaml installed + copy: + content: "{{ matrix_mautrix_facebook_registration|to_nice_yaml }}" + dest: "{{ matrix_mautrix_facebook_config_path }}/registration.yaml" + mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + +- name: Ensure matrix-mautrix-facebook.service installed + template: + src: "{{ role_path }}/templates/systemd/matrix-mautrix-facebook.service.j2" + dest: "{{ matrix_systemd_path }}/matrix-mautrix-facebook.service" + mode: 0644 + register: matrix_mautrix_facebook_systemd_service_result + +- name: Ensure systemd reloaded after matrix-mautrix-facebook.service installation + service: + daemon_reload: yes + when: "matrix_mautrix_facebook_systemd_service_result.changed" + +- name: Ensure matrix-mautrix-facebook.service restarted, if necessary + service: + name: "matrix-mautrix-facebook.service" + state: restarted + when: "matrix_mautrix_facebook_requires_restart|bool" diff --git a/roles/matrix-bridge-mautrix-twitter/tasks/setup_uninstall.yml b/roles/matrix-bridge-mautrix-twitter/tasks/setup_uninstall.yml new file mode 100644 index 00000000..efc8aa74 --- /dev/null +++ b/roles/matrix-bridge-mautrix-twitter/tasks/setup_uninstall.yml @@ -0,0 +1,24 @@ +--- + +- name: Check existence of matrix-mautrix-facebook service + stat: + path: "{{ matrix_systemd_path }}/matrix-mautrix-facebook.service" + register: matrix_mautrix_facebook_service_stat + +- name: Ensure matrix-mautrix-facebook is stopped + service: + name: matrix-mautrix-facebook + state: stopped + daemon_reload: yes + when: "matrix_mautrix_facebook_service_stat.stat.exists" + +- name: Ensure matrix-mautrix-facebook.service doesn't exist + file: + path: "{{ matrix_systemd_path }}/matrix-mautrix-facebook.service" + state: absent + when: "matrix_mautrix_facebook_service_stat.stat.exists" + +- name: Ensure systemd reloaded after matrix-mautrix-facebook.service removal + service: + daemon_reload: yes + when: "matrix_mautrix_facebook_service_stat.stat.exists" diff --git a/roles/matrix-bridge-mautrix-twitter/tasks/validate_config.yml b/roles/matrix-bridge-mautrix-twitter/tasks/validate_config.yml new file mode 100644 index 00000000..0879bad9 --- /dev/null +++ b/roles/matrix-bridge-mautrix-twitter/tasks/validate_config.yml @@ -0,0 +1,31 @@ +--- + +- name: Fail if required settings not defined + fail: + msg: >- + You need to define a required configuration setting (`{{ item }}`). + when: "vars[item] == ''" + with_items: + - "matrix_mautrix_facebook_appservice_token" + - "matrix_mautrix_facebook_homeserver_token" + +- block: + - name: Fail if on SQLite, unless on the last version supporting SQLite + fail: + msg: >- + You're trying to use the mautrix-facebook bridge with an SQLite database. + Going forward, this bridge only supports Postgres. + To learn more about this, see our changelog: https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/CHANGELOG.md#breaking-change-the-mautrix-facebook-bridge-now-requires-a-postgres-database + when: "not matrix_mautrix_facebook_docker_image.endswith(':da1b4ec596e334325a1589e70829dea46e73064b')" + + - name: Inject warning if still on SQLite + set_fact: + matrix_playbook_runtime_results: | + {{ + matrix_playbook_runtime_results|default([]) + + + [ + "NOTE: Your mautrix-facebook bridge setup is still on SQLite. Your bridge is not getting any updates and will likely stop working at some point. To learn more about this, see our changelog: https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/CHANGELOG.md#breaking-change-the-mautrix-facebook-bridge-now-requires-a-postgres-database" + ] + }} + when: "matrix_mautrix_facebook_database_engine == 'sqlite'" diff --git a/roles/matrix-bridge-mautrix-twitter/templates/config.yaml.j2 b/roles/matrix-bridge-mautrix-twitter/templates/config.yaml.j2 new file mode 100644 index 00000000..628db713 --- /dev/null +++ b/roles/matrix-bridge-mautrix-twitter/templates/config.yaml.j2 @@ -0,0 +1,227 @@ +#jinja2: lstrip_blocks: "True" +# Homeserver details +homeserver: + # The address that this appservice can use to connect to the homeserver. + address: {{ matrix_mautrix_facebook_homeserver_address }} + # The domain of the homeserver (for MXIDs, etc). + domain: {{ matrix_mautrix_facebook_homeserver_domain }} + # Whether or not to verify the SSL certificate of the homeserver. + # Only applies if address starts with https:// + verify_ssl: true + # Whether or not the homeserver supports asmux-specific endpoints, + # such as /_matrix/client/unstable/net.maunium.asmux/dms for atomically + # updating m.direct. + asmux: false + +# Application service host/registration related details +# Changing these values requires regeneration of the registration. +appservice: + # The address that the homeserver can use to connect to this appservice. + address: {{ matrix_mautrix_facebook_appservice_address }} + + # The hostname and port where this appservice should listen. + hostname: 0.0.0.0 + port: 29319 + # The maximum body size of appservice API requests (from the homeserver) in mebibytes + # Usually 1 is enough, but on high-traffic bridges you might need to increase this to avoid 413s + max_body_size: 1 + + # The full URI to the database. Only Postgres is currently supported. + database: {{ matrix_mautrix_facebook_appservice_database|to_json }} + + # Public part of web server for out-of-Matrix interaction with the bridge. + public: + # Whether or not the public-facing endpoints should be enabled. + enabled: false + # The prefix to use in the public-facing endpoints. + prefix: /public + # The base URL where the public-facing endpoints are available. The prefix is not added + # implicitly. + external: https://example.com/public + # Shared secret for integration managers such as mautrix-manager. + # If set to "generate", a random string will be generated on the next startup. + # If null, integration manager access to the API will not be possible. + shared_secret: generate + + # The unique ID of this appservice. + id: facebook + # Username of the appservice bot. + bot_username: {{ matrix_mautrix_facebook_appservice_bot_username|to_json }} + # Display name and avatar for bot. Set to "remove" to remove display name/avatar, leave empty + # to leave display name/avatar as-is. + bot_displayname: Facebook bridge bot + bot_avatar: mxc://maunium.net/ygtkteZsXnGJLJHRchUwYWak + + # Authentication tokens for AS <-> HS communication. + as_token: "{{ matrix_mautrix_facebook_appservice_token }}" + hs_token: "{{ matrix_mautrix_facebook_homeserver_token }}" + +# Prometheus telemetry config. Requires prometheus-client to be installed. +metrics: + enabled: false + listen_port: 8000 + +# Bridge config +bridge: + # Localpart template of MXIDs for Facebook users. + # {userid} is replaced with the user ID of the Facebook user. + username_template: "facebook_{userid}" + # Localpart template for per-user room grouping community IDs. + # The bridge will create these communities and add all of the specific user's portals to the community. + # {localpart} is the MXID localpart and {server} is the MXID server part of the user. + # + # `facebook_{localpart}={server}` is a good value. + community_template: null + # Displayname template for Facebook users. + # {displayname} is replaced with the display name of the Facebook user + # as defined below in displayname_preference. + # Keys available for displayname_preference are also available here. + displayname_template: '{displayname} (FB)' + # Available keys: + # "name" (full name) + # "first_name" + # "last_name" + # "nickname" + # "own_nickname" (user-specific!) + displayname_preference: + - name + - first_name + + # The prefix for commands. Only required in non-management rooms. + command_prefix: "!fb" + + # Number of chats to sync (and create portals for) on startup/login. + # Set 0 to disable automatic syncing. + initial_chat_sync: 10 + # Whether or not the Facebook users of logged in Matrix users should be + # invited to private chats when the user sends a message from another client. + invite_own_puppet_to_pm: false + # Whether or not to use /sync to get presence, read receipts and typing notifications + # when double puppeting is enabled + sync_with_custom_puppets: true + # Whether or not to update the m.direct account data event when double puppeting is enabled. + # Note that updating the m.direct event is not atomic (except with mautrix-asmux) + # and is therefore prone to race conditions. + sync_direct_chat_list: false + # Servers to always allow double puppeting from + double_puppet_server_map: {} + # example.com: https://example.com + # Allow using double puppeting from any server with a valid client .well-known file. + double_puppet_allow_discovery: false + # Shared secrets for https://github.com/devture/matrix-synapse-shared-secret-auth + # + # If set, custom puppets will be enabled automatically for local users + # instead of users having to find an access token and run `login-matrix` + # manually. + # If using this for other servers than the bridge's server, + # you must also set the URL in the double_puppet_server_map. + login_shared_secret_map: {{ matrix_mautrix_facebook_bridge_login_shared_secret_map|to_json }} + presence: {{ matrix_mautrix_facebook_bridge_presence|to_json }} + # Whether or not to update avatars when syncing all contacts at startup. + update_avatar_initial_sync: true + # End-to-bridge encryption support options. These require matrix-nio to be installed with pip + # and login_shared_secret to be configured in order to get a device for the bridge bot. + # + # Additionally, https://github.com/matrix-org/synapse/pull/5758 is required if using a normal + # application service. + encryption: + # Allow encryption, work in group chat rooms with e2ee enabled + allow: false + # Default to encryption, force-enable encryption in all portals the bridge creates + # This will cause the bridge bot to be in private chats for the encryption to work properly. + default: false + # Options for automatic key sharing. + key_sharing: + # Enable key sharing? If enabled, key requests for rooms where users are in will be fulfilled. + # You must use a client that supports requesting keys from other users to use this feature. + allow: false + # Require the requesting device to have a valid cross-signing signature? + # This doesn't require that the bridge has verified the device, only that the user has verified it. + # Not yet implemented. + require_cross_signing: false + # Require devices to be verified by the bridge? + # Verification by the bridge is not yet implemented. + require_verification: true + # Whether or not the bridge should send a read receipt from the bridge bot when a message has + # been sent to Facebook. + delivery_receipts: false + # Whether to allow inviting arbitrary mxids to portal rooms + allow_invites: false + # Settings for backfilling messages from Facebook. + backfill: + # Whether or not the Facebook users of logged in Matrix users should be + # invited to private chats when backfilling history from Facebook. This is + # usually needed to prevent rate limits and to allow timestamp massaging. + invite_own_puppet: true + # Maximum number of messages to backfill initially. + # Set to 0 to disable backfilling when creating portal. + initial_limit: 0 + # Maximum number of messages to backfill if messages were missed while + # the bridge was disconnected. + # Set to 0 to disable backfilling missed messages. + missed_limit: 1000 + # If using double puppeting, should notifications be disabled + # while the initial backfill is in progress? + disable_notifications: false + periodic_reconnect: + # Interval in seconds in which to automatically reconnect all users. + # This can be used to automatically mitigate the bug where Facebook stops sending messages. + # Set to -1 to disable periodic reconnections entirely. + interval: -1 + # What to do in periodic reconnects. Either "refresh" or "reconnect" + mode: refresh + # Should even disconnected users be reconnected? + always: false + # The number of seconds that a disconnection can last without triggering an automatic re-sync + # and missed message backfilling when reconnecting. + # Set to 0 to always re-sync, or -1 to never re-sync automatically. + resync_max_disconnected_time: 5 + # Whether or not temporary disconnections should send notices to the notice room. + # If this is false, disconnections will never send messages and connections will only send + # messages if it was disconnected for more than resync_max_disconnected_time seconds. + temporary_disconnect_notices: true + # Whether or not the bridge should try to "refresh" the connection if a normal reconnection + # attempt fails. + refresh_on_reconnection_fail: false + # Set this to true to tell the bridge to re-send m.bridge events to all rooms on the next run. + # This field will automatically be changed back to false after it, + # except if the config file is not writable. + resend_bridge_info: false + + # Permissions for using the bridge. + # Permitted values: + # user - Use the bridge with puppeting. + # admin - Use and administrate the bridge. + # Permitted keys: + # * - All Matrix users + # domain - All users on that homeserver + # mxid - Specific user + permissions: + '{{ matrix_mautrix_facebook_homeserver_domain }}': user + +# Python logging configuration. +# +# See section 16.7.2 of the Python documentation for more info: +# https://docs.python.org/3.6/library/logging.config.html#configuration-dictionary-schema +logging: + version: 1 + formatters: + colored: + (): mautrix_facebook.util.ColorFormatter + format: "[%(asctime)s] [%(levelname)s@%(name)s] %(message)s" + normal: + format: "[%(asctime)s] [%(levelname)s@%(name)s] %(message)s" + handlers: + console: + class: logging.StreamHandler + formatter: colored + loggers: + mau: + level: DEBUG + paho: + level: INFO + aiohttp: + level: INFO + root: + level: DEBUG + handlers: [console] diff --git a/roles/matrix-bridge-mautrix-twitter/templates/systemd/matrix-mautrix-facebook.service.j2 b/roles/matrix-bridge-mautrix-twitter/templates/systemd/matrix-mautrix-facebook.service.j2 new file mode 100644 index 00000000..f3af4b9f --- /dev/null +++ b/roles/matrix-bridge-mautrix-twitter/templates/systemd/matrix-mautrix-facebook.service.j2 @@ -0,0 +1,42 @@ +#jinja2: lstrip_blocks: "True" +[Unit] +Description=Matrix Mautrix Facebook bridge +{% for service in matrix_mautrix_facebook_systemd_required_services_list %} +Requires={{ service }} +After={{ service }} +{% endfor %} +{% for service in matrix_mautrix_facebook_systemd_wanted_services_list %} +Wants={{ service }} +{% endfor %} +DefaultDependencies=no + +[Service] +Type=simple +Environment="HOME={{ matrix_systemd_unit_home_path }}" +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mautrix-facebook 2>/dev/null' +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mautrix-facebook 2>/dev/null' + +# Intentional delay, so that the homeserver (we likely depend on) can manage to start. +ExecStartPre={{ matrix_host_command_sleep }} 5 + +ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-mautrix-facebook \ + --log-driver=none \ + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + --cap-drop=ALL \ + --network={{ matrix_docker_network }} \ + -v {{ matrix_mautrix_facebook_config_path }}:/config:z \ + -v {{ matrix_mautrix_facebook_data_path }}:/data:z \ + {% for arg in matrix_mautrix_facebook_container_extra_arguments %} + {{ arg }} \ + {% endfor %} + {{ matrix_mautrix_facebook_docker_image }} \ + python3 -m mautrix_facebook -c /config/config.yaml --no-update + +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mautrix-facebook 2>/dev/null' +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mautrix-facebook 2>/dev/null' +Restart=always +RestartSec=30 +SyslogIdentifier=matrix-mautrix-facebook + +[Install] +WantedBy=multi-user.target From e9e4d8f250061055c0f71682f5a649687d5315c7 Mon Sep 17 00:00:00 2001 From: Matthew Cengia Date: Sun, 11 Apr 2021 16:12:26 +1000 Subject: [PATCH 050/202] Rename mautrix-twitter systemd file --- ...trix-facebook.service.j2 => matrix-mautrix-twitter.service.j2} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename roles/matrix-bridge-mautrix-twitter/templates/systemd/{matrix-mautrix-facebook.service.j2 => matrix-mautrix-twitter.service.j2} (100%) diff --git a/roles/matrix-bridge-mautrix-twitter/templates/systemd/matrix-mautrix-facebook.service.j2 b/roles/matrix-bridge-mautrix-twitter/templates/systemd/matrix-mautrix-twitter.service.j2 similarity index 100% rename from roles/matrix-bridge-mautrix-twitter/templates/systemd/matrix-mautrix-facebook.service.j2 rename to roles/matrix-bridge-mautrix-twitter/templates/systemd/matrix-mautrix-twitter.service.j2 From 7afe8103da1c247a7d281689ff8a3f9595a51d97 Mon Sep 17 00:00:00 2001 From: Matthew Cengia Date: Sun, 11 Apr 2021 16:18:31 +1000 Subject: [PATCH 051/202] Find/replace Facebook with Twitter find roles/matrix-bridge-mautrix-twitter -type f -exec sed -i \ -e 's/facebook/twitter/g' \ -e 's/Facebook/Twitter/g' \ -e 's/FB/Twitter/g' \ -e 's/fb/twitter/g' {} + --- .../defaults/main.yml | 122 +++++++++--------- .../tasks/init.yml | 14 +- .../tasks/main.yml | 12 +- .../tasks/setup_install.yml | 108 ++++++++-------- .../tasks/setup_uninstall.yml | 22 ++-- .../tasks/validate_config.yml | 14 +- .../templates/config.yaml.j2 | 54 ++++---- .../systemd/matrix-mautrix-twitter.service.j2 | 28 ++-- 8 files changed, 187 insertions(+), 187 deletions(-) diff --git a/roles/matrix-bridge-mautrix-twitter/defaults/main.yml b/roles/matrix-bridge-mautrix-twitter/defaults/main.yml index 71a225f7..02eff778 100644 --- a/roles/matrix-bridge-mautrix-twitter/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-twitter/defaults/main.yml @@ -1,115 +1,115 @@ -# mautrix-facebook is a Matrix <-> Facebook bridge -# See: https://github.com/tulir/mautrix-facebook +# mautrix-twitter is a Matrix <-> Twitter bridge +# See: https://github.com/tulir/mautrix-twitter -matrix_mautrix_facebook_enabled: true +matrix_mautrix_twitter_enabled: true -matrix_mautrix_facebook_container_image_self_build: false -matrix_mautrix_facebook_container_image_self_build_repo: "https://github.com/tulir/mautrix-facebook.git" +matrix_mautrix_twitter_container_image_self_build: false +matrix_mautrix_twitter_container_image_self_build_repo: "https://github.com/tulir/mautrix-twitter.git" -matrix_mautrix_facebook_version: latest -# See: https://mau.dev/tulir/mautrix-facebook/container_registry -matrix_mautrix_facebook_docker_image: "{{ matrix_mautrix_facebook_docker_image_name_prefix }}tulir/mautrix-facebook:{{ matrix_mautrix_facebook_version }}" -matrix_mautrix_facebook_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_facebook_container_image_self_build else 'dock.mau.dev/' }}" -matrix_mautrix_facebook_docker_image_force_pull: "{{ matrix_mautrix_facebook_docker_image.endswith(':latest') }}" +matrix_mautrix_twitter_version: latest +# See: https://mau.dev/tulir/mautrix-twitter/container_registry +matrix_mautrix_twitter_docker_image: "{{ matrix_mautrix_twitter_docker_image_name_prefix }}tulir/mautrix-twitter:{{ matrix_mautrix_twitter_version }}" +matrix_mautrix_twitter_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_twitter_container_image_self_build else 'dock.mau.dev/' }}" +matrix_mautrix_twitter_docker_image_force_pull: "{{ matrix_mautrix_twitter_docker_image.endswith(':latest') }}" -matrix_mautrix_facebook_base_path: "{{ matrix_base_data_path }}/mautrix-facebook" -matrix_mautrix_facebook_config_path: "{{ matrix_mautrix_facebook_base_path }}/config" -matrix_mautrix_facebook_data_path: "{{ matrix_mautrix_facebook_base_path }}/data" -matrix_mautrix_facebook_docker_src_files_path: "{{ matrix_mautrix_facebook_base_path }}/docker-src" +matrix_mautrix_twitter_base_path: "{{ matrix_base_data_path }}/mautrix-twitter" +matrix_mautrix_twitter_config_path: "{{ matrix_mautrix_twitter_base_path }}/config" +matrix_mautrix_twitter_data_path: "{{ matrix_mautrix_twitter_base_path }}/data" +matrix_mautrix_twitter_docker_src_files_path: "{{ matrix_mautrix_twitter_base_path }}/docker-src" -matrix_mautrix_facebook_homeserver_address: "{{ matrix_homeserver_container_url }}" -matrix_mautrix_facebook_homeserver_domain: '{{ matrix_domain }}' -matrix_mautrix_facebook_appservice_address: 'http://matrix-mautrix-facebook:29319' +matrix_mautrix_twitter_homeserver_address: "{{ matrix_homeserver_container_url }}" +matrix_mautrix_twitter_homeserver_domain: '{{ matrix_domain }}' +matrix_mautrix_twitter_appservice_address: 'http://matrix-mautrix-twitter:29319' # A list of extra arguments to pass to the container -matrix_mautrix_facebook_container_extra_arguments: [] +matrix_mautrix_twitter_container_extra_arguments: [] -# List of systemd services that matrix-mautrix-facebook.service depends on. -matrix_mautrix_facebook_systemd_required_services_list: ['docker.service'] +# List of systemd services that matrix-mautrix-twitter.service depends on. +matrix_mautrix_twitter_systemd_required_services_list: ['docker.service'] -# List of systemd services that matrix-mautrix-facebook.service wants -matrix_mautrix_facebook_systemd_wanted_services_list: [] +# List of systemd services that matrix-mautrix-twitter.service wants +matrix_mautrix_twitter_systemd_wanted_services_list: [] -matrix_mautrix_facebook_appservice_token: '' -matrix_mautrix_facebook_homeserver_token: '' +matrix_mautrix_twitter_appservice_token: '' +matrix_mautrix_twitter_homeserver_token: '' # Database-related configuration fields. # # To use SQLite: -# - change the engine (`matrix_mautrix_facebook_database_engine: 'sqlite'`) +# - change the engine (`matrix_mautrix_twitter_database_engine: 'sqlite'`) # - change to the last bridge version that supported SQLite: -# `matrix_mautrix_facebook_docker_image: "{{ matrix_mautrix_facebook_docker_image_name_prefix }}tulir/mautrix-facebook:da1b4ec596e334325a1589e70829dea46e73064b"` +# `matrix_mautrix_twitter_docker_image: "{{ matrix_mautrix_twitter_docker_image_name_prefix }}tulir/mautrix-twitter:da1b4ec596e334325a1589e70829dea46e73064b"` # - plan your migration to Postgres, as this bridge does not support SQLite anymore (and neither will the playbook in the future). # # To use Postgres: -# - adjust your database credentials via the `matrix_mautrix_facebook_postgres_*` variables -matrix_mautrix_facebook_database_engine: 'postgres' +# - adjust your database credentials via the `matrix_mautrix_twitter_postgres_*` variables +matrix_mautrix_twitter_database_engine: 'postgres' -matrix_mautrix_facebook_sqlite_database_path_local: "{{ matrix_mautrix_facebook_data_path }}/mautrix-facebook.db" -matrix_mautrix_facebook_sqlite_database_path_in_container: "/data/mautrix-facebook.db" +matrix_mautrix_twitter_sqlite_database_path_local: "{{ matrix_mautrix_twitter_data_path }}/mautrix-twitter.db" +matrix_mautrix_twitter_sqlite_database_path_in_container: "/data/mautrix-twitter.db" -matrix_mautrix_facebook_database_username: 'matrix_mautrix_facebook' -matrix_mautrix_facebook_database_password: 'some-password' -matrix_mautrix_facebook_database_hostname: 'matrix-postgres' -matrix_mautrix_facebook_database_port: 5432 -matrix_mautrix_facebook_database_name: 'matrix_mautrix_facebook' +matrix_mautrix_twitter_database_username: 'matrix_mautrix_twitter' +matrix_mautrix_twitter_database_password: 'some-password' +matrix_mautrix_twitter_database_hostname: 'matrix-postgres' +matrix_mautrix_twitter_database_port: 5432 +matrix_mautrix_twitter_database_name: 'matrix_mautrix_twitter' -matrix_mautrix_facebook_database_connection_string: 'postgres://{{ matrix_mautrix_facebook_database_username }}:{{ matrix_mautrix_facebook_database_password }}@{{ matrix_mautrix_facebook_database_hostname }}:{{ matrix_mautrix_facebook_database_port }}/{{ matrix_mautrix_facebook_database_name }}' +matrix_mautrix_twitter_database_connection_string: 'postgres://{{ matrix_mautrix_twitter_database_username }}:{{ matrix_mautrix_twitter_database_password }}@{{ matrix_mautrix_twitter_database_hostname }}:{{ matrix_mautrix_twitter_database_port }}/{{ matrix_mautrix_twitter_database_name }}' -matrix_mautrix_facebook_appservice_database: "{{ +matrix_mautrix_twitter_appservice_database: "{{ { - 'sqlite': ('sqlite:///' + matrix_mautrix_facebook_sqlite_database_path_in_container), - 'postgres': matrix_mautrix_facebook_database_connection_string, - }[matrix_mautrix_facebook_database_engine] + 'sqlite': ('sqlite:///' + matrix_mautrix_twitter_sqlite_database_path_in_container), + 'postgres': matrix_mautrix_twitter_database_connection_string, + }[matrix_mautrix_twitter_database_engine] }}" # Can be set to enable automatic double-puppeting via Shared Secret Auth (https://github.com/devture/matrix-synapse-shared-secret-auth). -matrix_mautrix_facebook_login_shared_secret: '' +matrix_mautrix_twitter_login_shared_secret: '' -matrix_mautrix_facebook_bridge_login_shared_secret_map: "{{ {matrix_mautrix_facebook_homeserver_domain: matrix_mautrix_facebook_login_shared_secret} if matrix_mautrix_facebook_login_shared_secret else {} }}" +matrix_mautrix_twitter_bridge_login_shared_secret_map: "{{ {matrix_mautrix_twitter_homeserver_domain: matrix_mautrix_twitter_login_shared_secret} if matrix_mautrix_twitter_login_shared_secret else {} }}" -matrix_mautrix_facebook_appservice_bot_username: facebookbot +matrix_mautrix_twitter_appservice_bot_username: twitterbot -matrix_mautrix_facebook_bridge_presence: true +matrix_mautrix_twitter_bridge_presence: true # Default configuration template which covers the generic use case. # You can customize it by controlling the various variables inside it. # -# For a more advanced customization, you can extend the default (see `matrix_mautrix_facebook_configuration_extension_yaml`) +# For a more advanced customization, you can extend the default (see `matrix_mautrix_twitter_configuration_extension_yaml`) # or completely replace this variable with your own template. -matrix_mautrix_facebook_configuration_yaml: "{{ lookup('template', 'templates/config.yaml.j2') }}" +matrix_mautrix_twitter_configuration_yaml: "{{ lookup('template', 'templates/config.yaml.j2') }}" -matrix_mautrix_facebook_configuration_extension_yaml: | +matrix_mautrix_twitter_configuration_extension_yaml: | # Your custom YAML configuration goes here. - # This configuration extends the default starting configuration (`matrix_mautrix_facebook_configuration_yaml`). + # This configuration extends the default starting configuration (`matrix_mautrix_twitter_configuration_yaml`). # # You can override individual variables from the default configuration, or introduce new ones. # # If you need something more special, you can take full control by - # completely redefining `matrix_mautrix_facebook_configuration_yaml`. + # completely redefining `matrix_mautrix_twitter_configuration_yaml`. -matrix_mautrix_facebook_configuration_extension: "{{ matrix_mautrix_facebook_configuration_extension_yaml|from_yaml if matrix_mautrix_facebook_configuration_extension_yaml|from_yaml is mapping else {} }}" +matrix_mautrix_twitter_configuration_extension: "{{ matrix_mautrix_twitter_configuration_extension_yaml|from_yaml if matrix_mautrix_twitter_configuration_extension_yaml|from_yaml is mapping else {} }}" # Holds the final configuration (a combination of the default and its extension). -# You most likely don't need to touch this variable. Instead, see `matrix_mautrix_facebook_configuration_yaml`. -matrix_mautrix_facebook_configuration: "{{ matrix_mautrix_facebook_configuration_yaml|from_yaml|combine(matrix_mautrix_facebook_configuration_extension, recursive=True) }}" +# You most likely don't need to touch this variable. Instead, see `matrix_mautrix_twitter_configuration_yaml`. +matrix_mautrix_twitter_configuration: "{{ matrix_mautrix_twitter_configuration_yaml|from_yaml|combine(matrix_mautrix_twitter_configuration_extension, recursive=True) }}" -matrix_mautrix_facebook_registration_yaml: | - id: facebook - as_token: "{{ matrix_mautrix_facebook_appservice_token }}" - hs_token: "{{ matrix_mautrix_facebook_homeserver_token }}" +matrix_mautrix_twitter_registration_yaml: | + id: twitter + as_token: "{{ matrix_mautrix_twitter_appservice_token }}" + hs_token: "{{ matrix_mautrix_twitter_homeserver_token }}" namespaces: users: - exclusive: true - regex: '^@facebook_.+:{{ matrix_mautrix_facebook_homeserver_domain|regex_escape }}$' + regex: '^@twitter_.+:{{ matrix_mautrix_twitter_homeserver_domain|regex_escape }}$' - exclusive: true - regex: '^@{{ matrix_mautrix_facebook_appservice_bot_username|regex_escape }}:{{ matrix_mautrix_facebook_homeserver_domain|regex_escape }}$' - url: {{ matrix_mautrix_facebook_appservice_address }} + regex: '^@{{ matrix_mautrix_twitter_appservice_bot_username|regex_escape }}:{{ matrix_mautrix_twitter_homeserver_domain|regex_escape }}$' + url: {{ matrix_mautrix_twitter_appservice_address }} # See https://github.com/tulir/mautrix-signal/issues/43 - sender_localpart: _bot_{{ matrix_mautrix_facebook_appservice_bot_username }} + sender_localpart: _bot_{{ matrix_mautrix_twitter_appservice_bot_username }} rate_limited: false de.sorunome.msc2409.push_ephemeral: true -matrix_mautrix_facebook_registration: "{{ matrix_mautrix_facebook_registration_yaml|from_yaml }}" +matrix_mautrix_twitter_registration: "{{ matrix_mautrix_twitter_registration_yaml|from_yaml }}" diff --git a/roles/matrix-bridge-mautrix-twitter/tasks/init.yml b/roles/matrix-bridge-mautrix-twitter/tasks/init.yml index 9e127316..4f8df9e0 100644 --- a/roles/matrix-bridge-mautrix-twitter/tasks/init.yml +++ b/roles/matrix-bridge-mautrix-twitter/tasks/init.yml @@ -1,23 +1,23 @@ - set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mautrix-facebook.service'] }}" - when: matrix_mautrix_facebook_enabled|bool + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mautrix-twitter.service'] }}" + when: matrix_mautrix_twitter_enabled|bool # If the matrix-synapse role is not used, these variables may not exist. - set_fact: matrix_synapse_container_extra_arguments: > {{ matrix_synapse_container_extra_arguments|default([]) }} + - ["--mount type=bind,src={{ matrix_mautrix_facebook_config_path }}/registration.yaml,dst=/matrix-mautrix-facebook-registration.yaml,ro"] + ["--mount type=bind,src={{ matrix_mautrix_twitter_config_path }}/registration.yaml,dst=/matrix-mautrix-twitter-registration.yaml,ro"] matrix_synapse_app_service_config_files: > {{ matrix_synapse_app_service_config_files|default([]) }} + - {{ ["/matrix-mautrix-facebook-registration.yaml"] }} - when: matrix_mautrix_facebook_enabled|bool + {{ ["/matrix-mautrix-twitter-registration.yaml"] }} + when: matrix_mautrix_twitter_enabled|bool # ansible lower than 2.8, does not support docker_image build parameters # for self buildig it is explicitly needed, so we rather fail here - name: Fail if running on Ansible lower than 2.8 and trying self building fail: - msg: "To self build Mautrix Facebook image, you should usa ansible 2.8 or higher. E.g. pip contains such packages." - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mautrix_facebook_container_image_self_build" + msg: "To self build Mautrix Twitter image, you should usa ansible 2.8 or higher. E.g. pip contains such packages." + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mautrix_twitter_container_image_self_build" diff --git a/roles/matrix-bridge-mautrix-twitter/tasks/main.yml b/roles/matrix-bridge-mautrix-twitter/tasks/main.yml index 54fb6f9d..60eea099 100644 --- a/roles/matrix-bridge-mautrix-twitter/tasks/main.yml +++ b/roles/matrix-bridge-mautrix-twitter/tasks/main.yml @@ -3,19 +3,19 @@ - always - import_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: "run_setup|bool and matrix_mautrix_facebook_enabled|bool" + when: "run_setup|bool and matrix_mautrix_twitter_enabled|bool" tags: - setup-all - - setup-mautrix-facebook + - setup-mautrix-twitter - import_tasks: "{{ role_path }}/tasks/setup_install.yml" - when: "run_setup|bool and matrix_mautrix_facebook_enabled|bool" + when: "run_setup|bool and matrix_mautrix_twitter_enabled|bool" tags: - setup-all - - setup-mautrix-facebook + - setup-mautrix-twitter - import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - when: "run_setup|bool and not matrix_mautrix_facebook_enabled|bool" + when: "run_setup|bool and not matrix_mautrix_twitter_enabled|bool" tags: - setup-all - - setup-mautrix-facebook + - setup-mautrix-twitter diff --git a/roles/matrix-bridge-mautrix-twitter/tasks/setup_install.yml b/roles/matrix-bridge-mautrix-twitter/tasks/setup_install.yml index 59998463..41643972 100644 --- a/roles/matrix-bridge-mautrix-twitter/tasks/setup_install.yml +++ b/roles/matrix-bridge-mautrix-twitter/tasks/setup_install.yml @@ -5,44 +5,44 @@ - name: Fail if matrix-synapse role already executed fail: msg: >- - The matrix-bridge-mautrix-facebook role needs to execute before the matrix-synapse role. + The matrix-bridge-mautrix-twitter role needs to execute before the matrix-synapse role. when: "matrix_synapse_role_executed|default(False)" - set_fact: - matrix_mautrix_facebook_requires_restart: false + matrix_mautrix_twitter_requires_restart: false - block: - name: Check if an SQLite database already exists stat: - path: "{{ matrix_mautrix_facebook_sqlite_database_path_local }}" - register: matrix_mautrix_facebook_sqlite_database_path_local_stat_result + path: "{{ matrix_mautrix_twitter_sqlite_database_path_local }}" + register: matrix_mautrix_twitter_sqlite_database_path_local_stat_result - block: - set_fact: matrix_postgres_db_migration_request: - src: "{{ matrix_mautrix_facebook_sqlite_database_path_local }}" - dst: "{{ matrix_mautrix_facebook_database_connection_string }}" + src: "{{ matrix_mautrix_twitter_sqlite_database_path_local }}" + dst: "{{ matrix_mautrix_twitter_database_connection_string }}" caller: "{{ role_path|basename }}" - engine_variable_name: 'matrix_mautrix_facebook_database_engine' + engine_variable_name: 'matrix_mautrix_twitter_database_engine' engine_old: 'sqlite' - systemd_services_to_stop: ['matrix-mautrix-facebook.service'] + systemd_services_to_stop: ['matrix-mautrix-twitter.service'] - import_tasks: "{{ role_path }}/../matrix-postgres/tasks/util/migrate_db_to_postgres.yml" - set_fact: - matrix_mautrix_facebook_requires_restart: true - when: "matrix_mautrix_facebook_sqlite_database_path_local_stat_result.stat.exists|bool" - when: "matrix_mautrix_facebook_database_engine == 'postgres'" + matrix_mautrix_twitter_requires_restart: true + when: "matrix_mautrix_twitter_sqlite_database_path_local_stat_result.stat.exists|bool" + when: "matrix_mautrix_twitter_database_engine == 'postgres'" -- name: Ensure Mautrix Facebook image is pulled +- name: Ensure Mautrix Twitter image is pulled docker_image: - name: "{{ matrix_mautrix_facebook_docker_image }}" + name: "{{ matrix_mautrix_twitter_docker_image }}" source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" - force_source: "{{ matrix_mautrix_facebook_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" - force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mautrix_facebook_docker_image_force_pull }}" - when: matrix_mautrix_facebook_enabled|bool and not matrix_mautrix_facebook_container_image_self_build + force_source: "{{ matrix_mautrix_twitter_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mautrix_twitter_docker_image_force_pull }}" + when: matrix_mautrix_twitter_enabled|bool and not matrix_mautrix_twitter_container_image_self_build -- name: Ensure Mautrix Facebook paths exist +- name: Ensure Mautrix Twitter paths exist file: path: "{{ item.path }}" state: directory @@ -50,79 +50,79 @@ owner: "{{ matrix_user_username }}" group: "{{ matrix_user_groupname }}" with_items: - - { path: "{{ matrix_mautrix_facebook_base_path }}", when: true } - - { path: "{{ matrix_mautrix_facebook_config_path }}", when: true } - - { path: "{{ matrix_mautrix_facebook_data_path }}", when: true } - - { path: "{{ matrix_mautrix_facebook_docker_src_files_path }}", when: "{{ matrix_mautrix_facebook_container_image_self_build }}" } + - { path: "{{ matrix_mautrix_twitter_base_path }}", when: true } + - { path: "{{ matrix_mautrix_twitter_config_path }}", when: true } + - { path: "{{ matrix_mautrix_twitter_data_path }}", when: true } + - { path: "{{ matrix_mautrix_twitter_docker_src_files_path }}", when: "{{ matrix_mautrix_twitter_container_image_self_build }}" } when: item.when|bool -- name: Ensure Mautrix Facebook repository is present on self-build +- name: Ensure Mautrix Twitter repository is present on self-build git: - repo: "{{ matrix_mautrix_facebook_container_image_self_build_repo }}" - dest: "{{ matrix_mautrix_facebook_docker_src_files_path }}" + repo: "{{ matrix_mautrix_twitter_container_image_self_build_repo }}" + dest: "{{ matrix_mautrix_twitter_docker_src_files_path }}" # version: "{{ matrix_coturn_docker_image.split(':')[1] }}" force: "yes" - register: matrix_mautrix_facebook_git_pull_results - when: "matrix_mautrix_facebook_enabled|bool and matrix_mautrix_facebook_container_image_self_build" + register: matrix_mautrix_twitter_git_pull_results + when: "matrix_mautrix_twitter_enabled|bool and matrix_mautrix_twitter_container_image_self_build" -- name: Ensure Mautrix Facebook Docker image is built +- name: Ensure Mautrix Twitter Docker image is built docker_image: - name: "{{ matrix_mautrix_facebook_docker_image }}" + name: "{{ matrix_mautrix_twitter_docker_image }}" source: build - force_source: "{{ matrix_mautrix_facebook_git_pull_results.changed }}" + force_source: "{{ matrix_mautrix_twitter_git_pull_results.changed }}" build: dockerfile: Dockerfile - path: "{{ matrix_mautrix_facebook_docker_src_files_path }}" + path: "{{ matrix_mautrix_twitter_docker_src_files_path }}" pull: yes - when: "matrix_mautrix_facebook_enabled|bool and matrix_mautrix_facebook_container_image_self_build|bool" + when: "matrix_mautrix_twitter_enabled|bool and matrix_mautrix_twitter_container_image_self_build|bool" - name: Check if an old database file already exists stat: - path: "{{ matrix_mautrix_facebook_base_path }}/mautrix-facebook.db" - register: matrix_mautrix_facebook_stat_database + path: "{{ matrix_mautrix_twitter_base_path }}/mautrix-twitter.db" + register: matrix_mautrix_twitter_stat_database -- name: (Data relocation) Ensure matrix-mautrix-facebook.service is stopped +- name: (Data relocation) Ensure matrix-mautrix-twitter.service is stopped service: - name: matrix-mautrix-facebook + name: matrix-mautrix-twitter state: stopped daemon_reload: yes failed_when: false - when: "matrix_mautrix_facebook_stat_database.stat.exists" + when: "matrix_mautrix_twitter_stat_database.stat.exists" -- name: (Data relocation) Move mautrix-facebook database file to ./data directory - command: "mv {{ matrix_mautrix_facebook_base_path }}/mautrix-facebook.db {{ matrix_mautrix_facebook_data_path }}/mautrix-facebook.db" - when: "matrix_mautrix_facebook_stat_database.stat.exists" +- name: (Data relocation) Move mautrix-twitter database file to ./data directory + command: "mv {{ matrix_mautrix_twitter_base_path }}/mautrix-twitter.db {{ matrix_mautrix_twitter_data_path }}/mautrix-twitter.db" + when: "matrix_mautrix_twitter_stat_database.stat.exists" -- name: Ensure mautrix-facebook config.yaml installed +- name: Ensure mautrix-twitter config.yaml installed copy: - content: "{{ matrix_mautrix_facebook_configuration|to_nice_yaml }}" - dest: "{{ matrix_mautrix_facebook_config_path }}/config.yaml" + content: "{{ matrix_mautrix_twitter_configuration|to_nice_yaml }}" + dest: "{{ matrix_mautrix_twitter_config_path }}/config.yaml" mode: 0644 owner: "{{ matrix_user_username }}" group: "{{ matrix_user_groupname }}" -- name: Ensure mautrix-facebook registration.yaml installed +- name: Ensure mautrix-twitter registration.yaml installed copy: - content: "{{ matrix_mautrix_facebook_registration|to_nice_yaml }}" - dest: "{{ matrix_mautrix_facebook_config_path }}/registration.yaml" + content: "{{ matrix_mautrix_twitter_registration|to_nice_yaml }}" + dest: "{{ matrix_mautrix_twitter_config_path }}/registration.yaml" mode: 0644 owner: "{{ matrix_user_username }}" group: "{{ matrix_user_groupname }}" -- name: Ensure matrix-mautrix-facebook.service installed +- name: Ensure matrix-mautrix-twitter.service installed template: - src: "{{ role_path }}/templates/systemd/matrix-mautrix-facebook.service.j2" - dest: "{{ matrix_systemd_path }}/matrix-mautrix-facebook.service" + src: "{{ role_path }}/templates/systemd/matrix-mautrix-twitter.service.j2" + dest: "{{ matrix_systemd_path }}/matrix-mautrix-twitter.service" mode: 0644 - register: matrix_mautrix_facebook_systemd_service_result + register: matrix_mautrix_twitter_systemd_service_result -- name: Ensure systemd reloaded after matrix-mautrix-facebook.service installation +- name: Ensure systemd reloaded after matrix-mautrix-twitter.service installation service: daemon_reload: yes - when: "matrix_mautrix_facebook_systemd_service_result.changed" + when: "matrix_mautrix_twitter_systemd_service_result.changed" -- name: Ensure matrix-mautrix-facebook.service restarted, if necessary +- name: Ensure matrix-mautrix-twitter.service restarted, if necessary service: - name: "matrix-mautrix-facebook.service" + name: "matrix-mautrix-twitter.service" state: restarted - when: "matrix_mautrix_facebook_requires_restart|bool" + when: "matrix_mautrix_twitter_requires_restart|bool" diff --git a/roles/matrix-bridge-mautrix-twitter/tasks/setup_uninstall.yml b/roles/matrix-bridge-mautrix-twitter/tasks/setup_uninstall.yml index efc8aa74..28819726 100644 --- a/roles/matrix-bridge-mautrix-twitter/tasks/setup_uninstall.yml +++ b/roles/matrix-bridge-mautrix-twitter/tasks/setup_uninstall.yml @@ -1,24 +1,24 @@ --- -- name: Check existence of matrix-mautrix-facebook service +- name: Check existence of matrix-mautrix-twitter service stat: - path: "{{ matrix_systemd_path }}/matrix-mautrix-facebook.service" - register: matrix_mautrix_facebook_service_stat + path: "{{ matrix_systemd_path }}/matrix-mautrix-twitter.service" + register: matrix_mautrix_twitter_service_stat -- name: Ensure matrix-mautrix-facebook is stopped +- name: Ensure matrix-mautrix-twitter is stopped service: - name: matrix-mautrix-facebook + name: matrix-mautrix-twitter state: stopped daemon_reload: yes - when: "matrix_mautrix_facebook_service_stat.stat.exists" + when: "matrix_mautrix_twitter_service_stat.stat.exists" -- name: Ensure matrix-mautrix-facebook.service doesn't exist +- name: Ensure matrix-mautrix-twitter.service doesn't exist file: - path: "{{ matrix_systemd_path }}/matrix-mautrix-facebook.service" + path: "{{ matrix_systemd_path }}/matrix-mautrix-twitter.service" state: absent - when: "matrix_mautrix_facebook_service_stat.stat.exists" + when: "matrix_mautrix_twitter_service_stat.stat.exists" -- name: Ensure systemd reloaded after matrix-mautrix-facebook.service removal +- name: Ensure systemd reloaded after matrix-mautrix-twitter.service removal service: daemon_reload: yes - when: "matrix_mautrix_facebook_service_stat.stat.exists" + when: "matrix_mautrix_twitter_service_stat.stat.exists" diff --git a/roles/matrix-bridge-mautrix-twitter/tasks/validate_config.yml b/roles/matrix-bridge-mautrix-twitter/tasks/validate_config.yml index 0879bad9..a9e63fd0 100644 --- a/roles/matrix-bridge-mautrix-twitter/tasks/validate_config.yml +++ b/roles/matrix-bridge-mautrix-twitter/tasks/validate_config.yml @@ -6,17 +6,17 @@ You need to define a required configuration setting (`{{ item }}`). when: "vars[item] == ''" with_items: - - "matrix_mautrix_facebook_appservice_token" - - "matrix_mautrix_facebook_homeserver_token" + - "matrix_mautrix_twitter_appservice_token" + - "matrix_mautrix_twitter_homeserver_token" - block: - name: Fail if on SQLite, unless on the last version supporting SQLite fail: msg: >- - You're trying to use the mautrix-facebook bridge with an SQLite database. + You're trying to use the mautrix-twitter bridge with an SQLite database. Going forward, this bridge only supports Postgres. - To learn more about this, see our changelog: https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/CHANGELOG.md#breaking-change-the-mautrix-facebook-bridge-now-requires-a-postgres-database - when: "not matrix_mautrix_facebook_docker_image.endswith(':da1b4ec596e334325a1589e70829dea46e73064b')" + To learn more about this, see our changelog: https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/CHANGELOG.md#breaking-change-the-mautrix-twitter-bridge-now-requires-a-postgres-database + when: "not matrix_mautrix_twitter_docker_image.endswith(':da1b4ec596e334325a1589e70829dea46e73064b')" - name: Inject warning if still on SQLite set_fact: @@ -25,7 +25,7 @@ matrix_playbook_runtime_results|default([]) + [ - "NOTE: Your mautrix-facebook bridge setup is still on SQLite. Your bridge is not getting any updates and will likely stop working at some point. To learn more about this, see our changelog: https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/CHANGELOG.md#breaking-change-the-mautrix-facebook-bridge-now-requires-a-postgres-database" + "NOTE: Your mautrix-twitter bridge setup is still on SQLite. Your bridge is not getting any updates and will likely stop working at some point. To learn more about this, see our changelog: https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/CHANGELOG.md#breaking-change-the-mautrix-twitter-bridge-now-requires-a-postgres-database" ] }} - when: "matrix_mautrix_facebook_database_engine == 'sqlite'" + when: "matrix_mautrix_twitter_database_engine == 'sqlite'" diff --git a/roles/matrix-bridge-mautrix-twitter/templates/config.yaml.j2 b/roles/matrix-bridge-mautrix-twitter/templates/config.yaml.j2 index 628db713..93bf537b 100644 --- a/roles/matrix-bridge-mautrix-twitter/templates/config.yaml.j2 +++ b/roles/matrix-bridge-mautrix-twitter/templates/config.yaml.j2 @@ -2,9 +2,9 @@ # Homeserver details homeserver: # The address that this appservice can use to connect to the homeserver. - address: {{ matrix_mautrix_facebook_homeserver_address }} + address: {{ matrix_mautrix_twitter_homeserver_address }} # The domain of the homeserver (for MXIDs, etc). - domain: {{ matrix_mautrix_facebook_homeserver_domain }} + domain: {{ matrix_mautrix_twitter_homeserver_domain }} # Whether or not to verify the SSL certificate of the homeserver. # Only applies if address starts with https:// verify_ssl: true @@ -17,7 +17,7 @@ homeserver: # Changing these values requires regeneration of the registration. appservice: # The address that the homeserver can use to connect to this appservice. - address: {{ matrix_mautrix_facebook_appservice_address }} + address: {{ matrix_mautrix_twitter_appservice_address }} # The hostname and port where this appservice should listen. hostname: 0.0.0.0 @@ -27,7 +27,7 @@ appservice: max_body_size: 1 # The full URI to the database. Only Postgres is currently supported. - database: {{ matrix_mautrix_facebook_appservice_database|to_json }} + database: {{ matrix_mautrix_twitter_appservice_database|to_json }} # Public part of web server for out-of-Matrix interaction with the bridge. public: @@ -44,17 +44,17 @@ appservice: shared_secret: generate # The unique ID of this appservice. - id: facebook + id: twitter # Username of the appservice bot. - bot_username: {{ matrix_mautrix_facebook_appservice_bot_username|to_json }} + bot_username: {{ matrix_mautrix_twitter_appservice_bot_username|to_json }} # Display name and avatar for bot. Set to "remove" to remove display name/avatar, leave empty # to leave display name/avatar as-is. - bot_displayname: Facebook bridge bot + bot_displayname: Twitter bridge bot bot_avatar: mxc://maunium.net/ygtkteZsXnGJLJHRchUwYWak # Authentication tokens for AS <-> HS communication. - as_token: "{{ matrix_mautrix_facebook_appservice_token }}" - hs_token: "{{ matrix_mautrix_facebook_homeserver_token }}" + as_token: "{{ matrix_mautrix_twitter_appservice_token }}" + hs_token: "{{ matrix_mautrix_twitter_homeserver_token }}" # Prometheus telemetry config. Requires prometheus-client to be installed. metrics: @@ -63,20 +63,20 @@ metrics: # Bridge config bridge: - # Localpart template of MXIDs for Facebook users. - # {userid} is replaced with the user ID of the Facebook user. - username_template: "facebook_{userid}" + # Localpart template of MXIDs for Twitter users. + # {userid} is replaced with the user ID of the Twitter user. + username_template: "twitter_{userid}" # Localpart template for per-user room grouping community IDs. # The bridge will create these communities and add all of the specific user's portals to the community. # {localpart} is the MXID localpart and {server} is the MXID server part of the user. # - # `facebook_{localpart}={server}` is a good value. + # `twitter_{localpart}={server}` is a good value. community_template: null - # Displayname template for Facebook users. - # {displayname} is replaced with the display name of the Facebook user + # Displayname template for Twitter users. + # {displayname} is replaced with the display name of the Twitter user # as defined below in displayname_preference. # Keys available for displayname_preference are also available here. - displayname_template: '{displayname} (FB)' + displayname_template: '{displayname} (Twitter)' # Available keys: # "name" (full name) # "first_name" @@ -88,12 +88,12 @@ bridge: - first_name # The prefix for commands. Only required in non-management rooms. - command_prefix: "!fb" + command_prefix: "!twitter" # Number of chats to sync (and create portals for) on startup/login. # Set 0 to disable automatic syncing. initial_chat_sync: 10 - # Whether or not the Facebook users of logged in Matrix users should be + # Whether or not the Twitter users of logged in Matrix users should be # invited to private chats when the user sends a message from another client. invite_own_puppet_to_pm: false # Whether or not to use /sync to get presence, read receipts and typing notifications @@ -115,8 +115,8 @@ bridge: # manually. # If using this for other servers than the bridge's server, # you must also set the URL in the double_puppet_server_map. - login_shared_secret_map: {{ matrix_mautrix_facebook_bridge_login_shared_secret_map|to_json }} - presence: {{ matrix_mautrix_facebook_bridge_presence|to_json }} + login_shared_secret_map: {{ matrix_mautrix_twitter_bridge_login_shared_secret_map|to_json }} + presence: {{ matrix_mautrix_twitter_bridge_presence|to_json }} # Whether or not to update avatars when syncing all contacts at startup. update_avatar_initial_sync: true # End-to-bridge encryption support options. These require matrix-nio to be installed with pip @@ -143,14 +143,14 @@ bridge: # Verification by the bridge is not yet implemented. require_verification: true # Whether or not the bridge should send a read receipt from the bridge bot when a message has - # been sent to Facebook. + # been sent to Twitter. delivery_receipts: false # Whether to allow inviting arbitrary mxids to portal rooms allow_invites: false - # Settings for backfilling messages from Facebook. + # Settings for backfilling messages from Twitter. backfill: - # Whether or not the Facebook users of logged in Matrix users should be - # invited to private chats when backfilling history from Facebook. This is + # Whether or not the Twitter users of logged in Matrix users should be + # invited to private chats when backfilling history from Twitter. This is # usually needed to prevent rate limits and to allow timestamp massaging. invite_own_puppet: true # Maximum number of messages to backfill initially. @@ -165,7 +165,7 @@ bridge: disable_notifications: false periodic_reconnect: # Interval in seconds in which to automatically reconnect all users. - # This can be used to automatically mitigate the bug where Facebook stops sending messages. + # This can be used to automatically mitigate the bug where Twitter stops sending messages. # Set to -1 to disable periodic reconnections entirely. interval: -1 # What to do in periodic reconnects. Either "refresh" or "reconnect" @@ -197,7 +197,7 @@ bridge: # domain - All users on that homeserver # mxid - Specific user permissions: - '{{ matrix_mautrix_facebook_homeserver_domain }}': user + '{{ matrix_mautrix_twitter_homeserver_domain }}': user # Python logging configuration. # @@ -207,7 +207,7 @@ logging: version: 1 formatters: colored: - (): mautrix_facebook.util.ColorFormatter + (): mautrix_twitter.util.ColorFormatter format: "[%(asctime)s] [%(levelname)s@%(name)s] %(message)s" normal: format: "[%(asctime)s] [%(levelname)s@%(name)s] %(message)s" diff --git a/roles/matrix-bridge-mautrix-twitter/templates/systemd/matrix-mautrix-twitter.service.j2 b/roles/matrix-bridge-mautrix-twitter/templates/systemd/matrix-mautrix-twitter.service.j2 index f3af4b9f..73bdbc86 100644 --- a/roles/matrix-bridge-mautrix-twitter/templates/systemd/matrix-mautrix-twitter.service.j2 +++ b/roles/matrix-bridge-mautrix-twitter/templates/systemd/matrix-mautrix-twitter.service.j2 @@ -1,11 +1,11 @@ #jinja2: lstrip_blocks: "True" [Unit] -Description=Matrix Mautrix Facebook bridge -{% for service in matrix_mautrix_facebook_systemd_required_services_list %} +Description=Matrix Mautrix Twitter bridge +{% for service in matrix_mautrix_twitter_systemd_required_services_list %} Requires={{ service }} After={{ service }} {% endfor %} -{% for service in matrix_mautrix_facebook_systemd_wanted_services_list %} +{% for service in matrix_mautrix_twitter_systemd_wanted_services_list %} Wants={{ service }} {% endfor %} DefaultDependencies=no @@ -13,30 +13,30 @@ DefaultDependencies=no [Service] Type=simple Environment="HOME={{ matrix_systemd_unit_home_path }}" -ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mautrix-facebook 2>/dev/null' -ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mautrix-facebook 2>/dev/null' +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mautrix-twitter 2>/dev/null' +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mautrix-twitter 2>/dev/null' # Intentional delay, so that the homeserver (we likely depend on) can manage to start. ExecStartPre={{ matrix_host_command_sleep }} 5 -ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-mautrix-facebook \ +ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-mautrix-twitter \ --log-driver=none \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --cap-drop=ALL \ --network={{ matrix_docker_network }} \ - -v {{ matrix_mautrix_facebook_config_path }}:/config:z \ - -v {{ matrix_mautrix_facebook_data_path }}:/data:z \ - {% for arg in matrix_mautrix_facebook_container_extra_arguments %} + -v {{ matrix_mautrix_twitter_config_path }}:/config:z \ + -v {{ matrix_mautrix_twitter_data_path }}:/data:z \ + {% for arg in matrix_mautrix_twitter_container_extra_arguments %} {{ arg }} \ {% endfor %} - {{ matrix_mautrix_facebook_docker_image }} \ - python3 -m mautrix_facebook -c /config/config.yaml --no-update + {{ matrix_mautrix_twitter_docker_image }} \ + python3 -m mautrix_twitter -c /config/config.yaml --no-update -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mautrix-facebook 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mautrix-facebook 2>/dev/null' +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mautrix-twitter 2>/dev/null' +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mautrix-twitter 2>/dev/null' Restart=always RestartSec=30 -SyslogIdentifier=matrix-mautrix-facebook +SyslogIdentifier=matrix-mautrix-twitter [Install] WantedBy=multi-user.target From 8282ab48c789690389a4a56855c14a92aefeafc9 Mon Sep 17 00:00:00 2001 From: Matthew Cengia Date: Sun, 11 Apr 2021 16:21:06 +1000 Subject: [PATCH 052/202] Replace bridge config with one from upstream Source: https://github.com/tulir/mautrix-twitter/blob/12f420ab95c2b1b1862109dc14f6af64b2bf7914/mautrix_twitter/example-config.yaml --- .../templates/config.yaml.j2 | 204 +++++++++--------- 1 file changed, 97 insertions(+), 107 deletions(-) diff --git a/roles/matrix-bridge-mautrix-twitter/templates/config.yaml.j2 b/roles/matrix-bridge-mautrix-twitter/templates/config.yaml.j2 index 93bf537b..e4f6ba1f 100644 --- a/roles/matrix-bridge-mautrix-twitter/templates/config.yaml.j2 +++ b/roles/matrix-bridge-mautrix-twitter/templates/config.yaml.j2 @@ -1,60 +1,72 @@ -#jinja2: lstrip_blocks: "True" # Homeserver details homeserver: # The address that this appservice can use to connect to the homeserver. - address: {{ matrix_mautrix_twitter_homeserver_address }} + address: https://example.com # The domain of the homeserver (for MXIDs, etc). - domain: {{ matrix_mautrix_twitter_homeserver_domain }} + domain: example.com # Whether or not to verify the SSL certificate of the homeserver. # Only applies if address starts with https:// verify_ssl: true - # Whether or not the homeserver supports asmux-specific endpoints, - # such as /_matrix/client/unstable/net.maunium.asmux/dms for atomically - # updating m.direct. asmux: false # Application service host/registration related details # Changing these values requires regeneration of the registration. appservice: # The address that the homeserver can use to connect to this appservice. - address: {{ matrix_mautrix_twitter_appservice_address }} + address: http://localhost:29327 + # When using https:// the TLS certificate and key files for the address. + tls_cert: false + tls_key: false # The hostname and port where this appservice should listen. hostname: 0.0.0.0 - port: 29319 + port: 29327 # The maximum body size of appservice API requests (from the homeserver) in mebibytes # Usually 1 is enough, but on high-traffic bridges you might need to increase this to avoid 413s max_body_size: 1 # The full URI to the database. Only Postgres is currently supported. - database: {{ matrix_mautrix_twitter_appservice_database|to_json }} - - # Public part of web server for out-of-Matrix interaction with the bridge. - public: - # Whether or not the public-facing endpoints should be enabled. - enabled: false - # The prefix to use in the public-facing endpoints. - prefix: /public - # The base URL where the public-facing endpoints are available. The prefix is not added - # implicitly. - external: https://example.com/public - # Shared secret for integration managers such as mautrix-manager. - # If set to "generate", a random string will be generated on the next startup. - # If null, integration manager access to the API will not be possible. + database: postgres://username:password@hostname/db + # Additional arguments for asyncpg.create_pool() + # https://magicstack.github.io/asyncpg/current/api/index.html#asyncpg.pool.create_pool + database_opts: + min_size: 5 + max_size: 10 + + # Provisioning API part of the web server for automated portal creation and fetching information. + # Used by things like mautrix-manager (https://github.com/tulir/mautrix-manager). + provisioning: + # Whether or not the provisioning API should be enabled. + enabled: true + # The prefix to use in the provisioning API endpoints. + prefix: /_matrix/provision/v1 + # The shared secret to authorize users of the API. + # Set to "generate" to generate and save a new token. shared_secret: generate # The unique ID of this appservice. id: twitter # Username of the appservice bot. - bot_username: {{ matrix_mautrix_twitter_appservice_bot_username|to_json }} + bot_username: twitterbot # Display name and avatar for bot. Set to "remove" to remove display name/avatar, leave empty # to leave display name/avatar as-is. bot_displayname: Twitter bridge bot - bot_avatar: mxc://maunium.net/ygtkteZsXnGJLJHRchUwYWak + bot_avatar: mxc://maunium.net/HVHcnusJkQcpVcsVGZRELLCn + + # Community ID for bridged users (changes registration file) and rooms. + # Must be created manually. + # + # Example: "+twitter:example.com". Set to false to disable. + community_id: false - # Authentication tokens for AS <-> HS communication. - as_token: "{{ matrix_mautrix_twitter_appservice_token }}" - hs_token: "{{ matrix_mautrix_twitter_homeserver_token }}" + # Whether or not to receive ephemeral events via appservice transactions. + # Requires MSC2409 support (i.e. Synapse 1.22+). + # You should disable bridge -> sync_with_custom_puppets when this is enabled. + ephemeral_events: false + + # Authentication tokens for AS <-> HS communication. Autogenerated; do not modify. + as_token: "This value is generated when generating the registration" + hs_token: "This value is generated when generating the registration" # Prometheus telemetry config. Requires prometheus-client to be installed. metrics: @@ -66,64 +78,59 @@ bridge: # Localpart template of MXIDs for Twitter users. # {userid} is replaced with the user ID of the Twitter user. username_template: "twitter_{userid}" - # Localpart template for per-user room grouping community IDs. - # The bridge will create these communities and add all of the specific user's portals to the community. - # {localpart} is the MXID localpart and {server} is the MXID server part of the user. - # - # `twitter_{localpart}={server}` is a good value. - community_template: null # Displayname template for Twitter users. - # {displayname} is replaced with the display name of the Twitter user - # as defined below in displayname_preference. - # Keys available for displayname_preference are also available here. - displayname_template: '{displayname} (Twitter)' - # Available keys: - # "name" (full name) - # "first_name" - # "last_name" - # "nickname" - # "own_nickname" (user-specific!) - displayname_preference: - - name - - first_name + # {displayname} is replaced with the display name of the Twitter user. + # {username} is replaced with the username of the Twitter user. + displayname_template: "{displayname} (Twitter)" - # The prefix for commands. Only required in non-management rooms. - command_prefix: "!twitter" + # Maximum length of displayname + displayname_max_length: 100 - # Number of chats to sync (and create portals for) on startup/login. + # Number of conversations to sync (and create portals for) on login. # Set 0 to disable automatic syncing. - initial_chat_sync: 10 - # Whether or not the Twitter users of logged in Matrix users should be - # invited to private chats when the user sends a message from another client. - invite_own_puppet_to_pm: false - # Whether or not to use /sync to get presence, read receipts and typing notifications + initial_conversation_sync: 10 + # Whether or not to use /sync to get read receipts and typing notifications # when double puppeting is enabled sync_with_custom_puppets: true # Whether or not to update the m.direct account data event when double puppeting is enabled. # Note that updating the m.direct event is not atomic (except with mautrix-asmux) # and is therefore prone to race conditions. sync_direct_chat_list: false - # Servers to always allow double puppeting from - double_puppet_server_map: {} - # example.com: https://example.com # Allow using double puppeting from any server with a valid client .well-known file. double_puppet_allow_discovery: false - # Shared secrets for https://github.com/devture/matrix-synapse-shared-secret-auth + # Servers to allow double puppeting from, even if double_puppet_allow_discovery is false. + double_puppet_server_map: + example.com: https://example.com + # Shared secret for https://github.com/devture/matrix-synapse-shared-secret-auth # # If set, custom puppets will be enabled automatically for local users # instead of users having to find an access token and run `login-matrix` # manually. # If using this for other servers than the bridge's server, # you must also set the URL in the double_puppet_server_map. - login_shared_secret_map: {{ matrix_mautrix_twitter_bridge_login_shared_secret_map|to_json }} - presence: {{ matrix_mautrix_twitter_bridge_presence|to_json }} - # Whether or not to update avatars when syncing all contacts at startup. - update_avatar_initial_sync: true - # End-to-bridge encryption support options. These require matrix-nio to be installed with pip - # and login_shared_secret to be configured in order to get a device for the bridge bot. + login_shared_secret_map: + example.com: foo + # Whether or not created rooms should have federation enabled. + # If false, created portal rooms will never be federated. + federate_rooms: true + # Settings for backfilling messages from Twitter. # - # Additionally, https://github.com/matrix-org/synapse/pull/5758 is required if using a normal - # application service. + # Missed message backfilling is currently based on receiving them from the Twitter polling API, + # rather than manually asking for messages in each conversation. Due to this, there's no way to + # set a limit for missed message backfilling. + backfill: + # Whether or not the Twitter users of logged in Matrix users should be + # invited to private chats when backfilling history from Twitter. This is + # usually needed to prevent rate limits and to allow timestamp massaging. + invite_own_puppet: true + # Maximum number of messages to backfill initially. + # Set to 0 to disable backfilling when creating portal. + initial_limit: 0 + # If using double puppeting, should notifications be disabled + # while the initial backfill is in progress? + disable_notifications: false + # End-to-bridge encryption support options. You must install the e2be optional dependency for + # this to work. See https://github.com/tulir/mautrix-telegram/wiki/End‐to‐bridge-encryption encryption: # Allow encryption, work in group chat rooms with e2ee enabled allow: false @@ -142,52 +149,29 @@ bridge: # Require devices to be verified by the bridge? # Verification by the bridge is not yet implemented. require_verification: true + # Whether or not to explicitly set the avatar and room name for private + # chat portal rooms. This will be implicitly enabled if encryption.default is true. + private_chat_portal_meta: false # Whether or not the bridge should send a read receipt from the bridge bot when a message has # been sent to Twitter. delivery_receipts: false - # Whether to allow inviting arbitrary mxids to portal rooms - allow_invites: false - # Settings for backfilling messages from Twitter. - backfill: - # Whether or not the Twitter users of logged in Matrix users should be - # invited to private chats when backfilling history from Twitter. This is - # usually needed to prevent rate limits and to allow timestamp massaging. - invite_own_puppet: true - # Maximum number of messages to backfill initially. - # Set to 0 to disable backfilling when creating portal. - initial_limit: 0 - # Maximum number of messages to backfill if messages were missed while - # the bridge was disconnected. - # Set to 0 to disable backfilling missed messages. - missed_limit: 1000 - # If using double puppeting, should notifications be disabled - # while the initial backfill is in progress? - disable_notifications: false - periodic_reconnect: - # Interval in seconds in which to automatically reconnect all users. - # This can be used to automatically mitigate the bug where Twitter stops sending messages. - # Set to -1 to disable periodic reconnections entirely. - interval: -1 - # What to do in periodic reconnects. Either "refresh" or "reconnect" - mode: refresh - # Should even disconnected users be reconnected? - always: false - # The number of seconds that a disconnection can last without triggering an automatic re-sync - # and missed message backfilling when reconnecting. - # Set to 0 to always re-sync, or -1 to never re-sync automatically. - resync_max_disconnected_time: 5 - # Whether or not temporary disconnections should send notices to the notice room. - # If this is false, disconnections will never send messages and connections will only send - # messages if it was disconnected for more than resync_max_disconnected_time seconds. + # Whether or not delivery errors should be reported as messages in the Matrix room. + delivery_error_reports: false + # Whether or not non-fatal polling errors should send notices to the notice room. temporary_disconnect_notices: true - # Whether or not the bridge should try to "refresh" the connection if a normal reconnection - # attempt fails. - refresh_on_reconnection_fail: false + # Number of seconds to sleep more than the previous error when a polling error occurs. + # Growth is capped at 15 minutes. + error_sleep: 5 + # Maximum number of polling errors before giving up. Set to -1 to retry forever. + max_poll_errors: 12 # Set this to true to tell the bridge to re-send m.bridge events to all rooms on the next run. # This field will automatically be changed back to false after it, # except if the config file is not writable. resend_bridge_info: false + # The prefix for commands. Only required in non-management rooms. + command_prefix: "!tw" + # Permissions for using the bridge. # Permitted values: # user - Use the bridge with puppeting. @@ -197,7 +181,9 @@ bridge: # domain - All users on that homeserver # mxid - Specific user permissions: - '{{ matrix_mautrix_twitter_homeserver_domain }}': user + "example.com": "user" + "@admin:example.com": "admin" + # Python logging configuration. # @@ -212,16 +198,20 @@ logging: normal: format: "[%(asctime)s] [%(levelname)s@%(name)s] %(message)s" handlers: + file: + class: logging.handlers.RotatingFileHandler + formatter: normal + filename: ./mautrix-twitter.log + maxBytes: 10485760 + backupCount: 10 console: class: logging.StreamHandler formatter: colored loggers: mau: level: DEBUG - paho: - level: INFO aiohttp: level: INFO root: level: DEBUG - handlers: [console] + handlers: [file, console] From 68e6311a9f0f47138c379d5cbea5dbbc2781c0ce Mon Sep 17 00:00:00 2001 From: Matthew Cengia Date: Sun, 11 Apr 2021 16:29:12 +1000 Subject: [PATCH 053/202] Update mautrix-twitter config to be Jinja2 template Updates based off the variable names used in mautrix-facebook role. Also update port number in defauts/main.yml, and disable presence checking, because Twitter doesn't support that. --- .../defaults/main.yml | 4 +-- .../templates/config.yaml.j2 | 32 +++++++------------ 2 files changed, 13 insertions(+), 23 deletions(-) diff --git a/roles/matrix-bridge-mautrix-twitter/defaults/main.yml b/roles/matrix-bridge-mautrix-twitter/defaults/main.yml index 02eff778..ad162cae 100644 --- a/roles/matrix-bridge-mautrix-twitter/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-twitter/defaults/main.yml @@ -19,7 +19,7 @@ matrix_mautrix_twitter_docker_src_files_path: "{{ matrix_mautrix_twitter_base_pa matrix_mautrix_twitter_homeserver_address: "{{ matrix_homeserver_container_url }}" matrix_mautrix_twitter_homeserver_domain: '{{ matrix_domain }}' -matrix_mautrix_twitter_appservice_address: 'http://matrix-mautrix-twitter:29319' +matrix_mautrix_twitter_appservice_address: 'http://matrix-mautrix-twitter:29327' # A list of extra arguments to pass to the container matrix_mautrix_twitter_container_extra_arguments: [] @@ -72,8 +72,6 @@ matrix_mautrix_twitter_bridge_login_shared_secret_map: "{{ {matrix_mautrix_twitt matrix_mautrix_twitter_appservice_bot_username: twitterbot -matrix_mautrix_twitter_bridge_presence: true - # Default configuration template which covers the generic use case. # You can customize it by controlling the various variables inside it. # diff --git a/roles/matrix-bridge-mautrix-twitter/templates/config.yaml.j2 b/roles/matrix-bridge-mautrix-twitter/templates/config.yaml.j2 index e4f6ba1f..2c10585d 100644 --- a/roles/matrix-bridge-mautrix-twitter/templates/config.yaml.j2 +++ b/roles/matrix-bridge-mautrix-twitter/templates/config.yaml.j2 @@ -1,9 +1,10 @@ +#jinja2: lstrip_blocks: "True" # Homeserver details homeserver: # The address that this appservice can use to connect to the homeserver. - address: https://example.com + address: {{ matrix_mautrix_twitter_homeserver_address }} # The domain of the homeserver (for MXIDs, etc). - domain: example.com + domain: {{ matrix_mautrix_twitter_homeserver_domain }} # Whether or not to verify the SSL certificate of the homeserver. # Only applies if address starts with https:// verify_ssl: true @@ -13,7 +14,7 @@ homeserver: # Changing these values requires regeneration of the registration. appservice: # The address that the homeserver can use to connect to this appservice. - address: http://localhost:29327 + address: {{ matrix_mautrix_twitter_appservice_address }} # When using https:// the TLS certificate and key files for the address. tls_cert: false tls_key: false @@ -26,7 +27,7 @@ appservice: max_body_size: 1 # The full URI to the database. Only Postgres is currently supported. - database: postgres://username:password@hostname/db + database: {{ matrix_mautrix_twitter_appservice_database|to_json }} # Additional arguments for asyncpg.create_pool() # https://magicstack.github.io/asyncpg/current/api/index.html#asyncpg.pool.create_pool database_opts: @@ -47,7 +48,7 @@ appservice: # The unique ID of this appservice. id: twitter # Username of the appservice bot. - bot_username: twitterbot + bot_username: {{ matrix_mautrix_twitter_appservice_bot_username|to_json }} # Display name and avatar for bot. Set to "remove" to remove display name/avatar, leave empty # to leave display name/avatar as-is. bot_displayname: Twitter bridge bot @@ -65,8 +66,8 @@ appservice: ephemeral_events: false # Authentication tokens for AS <-> HS communication. Autogenerated; do not modify. - as_token: "This value is generated when generating the registration" - hs_token: "This value is generated when generating the registration" + as_token: "{{ matrix_mautrix_twitter_appservice_token }}" + hs_token: "{{ matrix_mautrix_twitter_homeserver_token }}" # Prometheus telemetry config. Requires prometheus-client to be installed. metrics: @@ -99,8 +100,7 @@ bridge: # Allow using double puppeting from any server with a valid client .well-known file. double_puppet_allow_discovery: false # Servers to allow double puppeting from, even if double_puppet_allow_discovery is false. - double_puppet_server_map: - example.com: https://example.com + double_puppet_server_map: {} # Shared secret for https://github.com/devture/matrix-synapse-shared-secret-auth # # If set, custom puppets will be enabled automatically for local users @@ -108,8 +108,7 @@ bridge: # manually. # If using this for other servers than the bridge's server, # you must also set the URL in the double_puppet_server_map. - login_shared_secret_map: - example.com: foo + login_shared_secret_map: {{ matrix_mautrix_twitter_bridge_login_shared_secret_map|to_json }} # Whether or not created rooms should have federation enabled. # If false, created portal rooms will never be federated. federate_rooms: true @@ -181,8 +180,7 @@ bridge: # domain - All users on that homeserver # mxid - Specific user permissions: - "example.com": "user" - "@admin:example.com": "admin" + '{{ matrix_mautrix_twitter_homeserver_domain }}': user # Python logging configuration. @@ -198,12 +196,6 @@ logging: normal: format: "[%(asctime)s] [%(levelname)s@%(name)s] %(message)s" handlers: - file: - class: logging.handlers.RotatingFileHandler - formatter: normal - filename: ./mautrix-twitter.log - maxBytes: 10485760 - backupCount: 10 console: class: logging.StreamHandler formatter: colored @@ -214,4 +206,4 @@ logging: level: INFO root: level: DEBUG - handlers: [file, console] + handlers: [console] From cb608c06aaaa876b19761a40bcef846669f10139 Mon Sep 17 00:00:00 2001 From: Matthew Cengia Date: Sun, 11 Apr 2021 14:18:17 +1000 Subject: [PATCH 054/202] Remove references to sqlite Remove references to sqlite since we should just use postgres from the outset. --- .../defaults/main.yml | 10 ----- .../tasks/setup_install.yml | 40 ------------------- .../tasks/validate_config.yml | 21 ---------- 3 files changed, 71 deletions(-) diff --git a/roles/matrix-bridge-mautrix-twitter/defaults/main.yml b/roles/matrix-bridge-mautrix-twitter/defaults/main.yml index ad162cae..ed81f2d4 100644 --- a/roles/matrix-bridge-mautrix-twitter/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-twitter/defaults/main.yml @@ -36,19 +36,10 @@ matrix_mautrix_twitter_homeserver_token: '' # Database-related configuration fields. # -# To use SQLite: -# - change the engine (`matrix_mautrix_twitter_database_engine: 'sqlite'`) -# - change to the last bridge version that supported SQLite: -# `matrix_mautrix_twitter_docker_image: "{{ matrix_mautrix_twitter_docker_image_name_prefix }}tulir/mautrix-twitter:da1b4ec596e334325a1589e70829dea46e73064b"` -# - plan your migration to Postgres, as this bridge does not support SQLite anymore (and neither will the playbook in the future). -# # To use Postgres: # - adjust your database credentials via the `matrix_mautrix_twitter_postgres_*` variables matrix_mautrix_twitter_database_engine: 'postgres' -matrix_mautrix_twitter_sqlite_database_path_local: "{{ matrix_mautrix_twitter_data_path }}/mautrix-twitter.db" -matrix_mautrix_twitter_sqlite_database_path_in_container: "/data/mautrix-twitter.db" - matrix_mautrix_twitter_database_username: 'matrix_mautrix_twitter' matrix_mautrix_twitter_database_password: 'some-password' matrix_mautrix_twitter_database_hostname: 'matrix-postgres' @@ -59,7 +50,6 @@ matrix_mautrix_twitter_database_connection_string: 'postgres://{{ matrix_mautrix matrix_mautrix_twitter_appservice_database: "{{ { - 'sqlite': ('sqlite:///' + matrix_mautrix_twitter_sqlite_database_path_in_container), 'postgres': matrix_mautrix_twitter_database_connection_string, }[matrix_mautrix_twitter_database_engine] }}" diff --git a/roles/matrix-bridge-mautrix-twitter/tasks/setup_install.yml b/roles/matrix-bridge-mautrix-twitter/tasks/setup_install.yml index 41643972..c27eeccd 100644 --- a/roles/matrix-bridge-mautrix-twitter/tasks/setup_install.yml +++ b/roles/matrix-bridge-mautrix-twitter/tasks/setup_install.yml @@ -11,29 +11,6 @@ - set_fact: matrix_mautrix_twitter_requires_restart: false -- block: - - name: Check if an SQLite database already exists - stat: - path: "{{ matrix_mautrix_twitter_sqlite_database_path_local }}" - register: matrix_mautrix_twitter_sqlite_database_path_local_stat_result - - - block: - - set_fact: - matrix_postgres_db_migration_request: - src: "{{ matrix_mautrix_twitter_sqlite_database_path_local }}" - dst: "{{ matrix_mautrix_twitter_database_connection_string }}" - caller: "{{ role_path|basename }}" - engine_variable_name: 'matrix_mautrix_twitter_database_engine' - engine_old: 'sqlite' - systemd_services_to_stop: ['matrix-mautrix-twitter.service'] - - - import_tasks: "{{ role_path }}/../matrix-postgres/tasks/util/migrate_db_to_postgres.yml" - - - set_fact: - matrix_mautrix_twitter_requires_restart: true - when: "matrix_mautrix_twitter_sqlite_database_path_local_stat_result.stat.exists|bool" - when: "matrix_mautrix_twitter_database_engine == 'postgres'" - - name: Ensure Mautrix Twitter image is pulled docker_image: name: "{{ matrix_mautrix_twitter_docker_image }}" @@ -76,23 +53,6 @@ pull: yes when: "matrix_mautrix_twitter_enabled|bool and matrix_mautrix_twitter_container_image_self_build|bool" -- name: Check if an old database file already exists - stat: - path: "{{ matrix_mautrix_twitter_base_path }}/mautrix-twitter.db" - register: matrix_mautrix_twitter_stat_database - -- name: (Data relocation) Ensure matrix-mautrix-twitter.service is stopped - service: - name: matrix-mautrix-twitter - state: stopped - daemon_reload: yes - failed_when: false - when: "matrix_mautrix_twitter_stat_database.stat.exists" - -- name: (Data relocation) Move mautrix-twitter database file to ./data directory - command: "mv {{ matrix_mautrix_twitter_base_path }}/mautrix-twitter.db {{ matrix_mautrix_twitter_data_path }}/mautrix-twitter.db" - when: "matrix_mautrix_twitter_stat_database.stat.exists" - - name: Ensure mautrix-twitter config.yaml installed copy: content: "{{ matrix_mautrix_twitter_configuration|to_nice_yaml }}" diff --git a/roles/matrix-bridge-mautrix-twitter/tasks/validate_config.yml b/roles/matrix-bridge-mautrix-twitter/tasks/validate_config.yml index a9e63fd0..4c95f7bf 100644 --- a/roles/matrix-bridge-mautrix-twitter/tasks/validate_config.yml +++ b/roles/matrix-bridge-mautrix-twitter/tasks/validate_config.yml @@ -8,24 +8,3 @@ with_items: - "matrix_mautrix_twitter_appservice_token" - "matrix_mautrix_twitter_homeserver_token" - -- block: - - name: Fail if on SQLite, unless on the last version supporting SQLite - fail: - msg: >- - You're trying to use the mautrix-twitter bridge with an SQLite database. - Going forward, this bridge only supports Postgres. - To learn more about this, see our changelog: https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/CHANGELOG.md#breaking-change-the-mautrix-twitter-bridge-now-requires-a-postgres-database - when: "not matrix_mautrix_twitter_docker_image.endswith(':da1b4ec596e334325a1589e70829dea46e73064b')" - - - name: Inject warning if still on SQLite - set_fact: - matrix_playbook_runtime_results: | - {{ - matrix_playbook_runtime_results|default([]) - + - [ - "NOTE: Your mautrix-twitter bridge setup is still on SQLite. Your bridge is not getting any updates and will likely stop working at some point. To learn more about this, see our changelog: https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/CHANGELOG.md#breaking-change-the-mautrix-twitter-bridge-now-requires-a-postgres-database" - ] - }} - when: "matrix_mautrix_twitter_database_engine == 'sqlite'" From 0f49ce06389f4c79fcb67d9933498a41c7bf820f Mon Sep 17 00:00:00 2001 From: Matthew Cengia Date: Sun, 11 Apr 2021 16:41:58 +1000 Subject: [PATCH 055/202] Set up vars for mautrix-twitter playbook * Copy/update mautrix_facebook group_vars to mautrix_twitter * Replace facebook -> twitter, fb -> twt, remove presence var * Enable playbook in setup.yml --- group_vars/matrix_servers | 45 +++++++++++++++++++++++++++++++++++++++ setup.yml | 1 + 2 files changed, 46 insertions(+) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index f9763c56..c4caef04 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -511,6 +511,45 @@ matrix_mautrix_telegram_database_password: "{{ '%s' | format(matrix_synapse_maca # ###################################################################### +###################################################################### +# +# matrix-bridge-mautrix-twitter +# +###################################################################### + +# We don't enable bridges by default. +matrix_mautrix_twitter_enabled: false + +matrix_mautrix_twitter_container_image_self_build: "{{ matrix_architecture not in ['amd64', 'arm64'] }}" + +matrix_mautrix_twitter_systemd_required_services_list: | + {{ + ['docker.service'] + + + (['matrix-synapse.service'] if matrix_synapse_enabled else []) + + + (['matrix-postgres.service'] if matrix_postgres_enabled else []) + + + (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) + }} + +matrix_mautrix_twitter_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'twt.as.token') | to_uuid }}" + +matrix_mautrix_twitter_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'twt.hs.token') | to_uuid }}" + +matrix_mautrix_twitter_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" + +# We'd like to force-set people with external Postgres to SQLite, so the bridge role can complain +# and point them to a migration path. +matrix_mautrix_twitter_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" +matrix_mautrix_twitter_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mau.twt.db') | to_uuid }}" + +###################################################################### +# +# /matrix-bridge-mautrix-twitter +# +###################################################################### + ###################################################################### # # matrix-bridge-mautrix-whatsapp @@ -1511,6 +1550,12 @@ matrix_postgres_additional_databases: | 'password': matrix_mautrix_telegram_database_password, }] if (matrix_mautrix_telegram_enabled and matrix_mautrix_telegram_database_engine == 'postgres' and matrix_mautrix_telegram_database_hostname == 'matrix-postgres') else []) + + ([{ + 'name': matrix_mautrix_twitter_database_name, + 'username': matrix_mautrix_twitter_database_username, + 'password': matrix_mautrix_twitter_database_password, + }] if (matrix_mautrix_twitter_enabled and matrix_mautrix_twitter_database_engine == 'postgres' and matrix_mautrix_twitter_database_hostname == 'matrix-postgres') else []) + + ([{ 'name': matrix_mautrix_whatsapp_database_name, 'username': matrix_mautrix_whatsapp_database_username, diff --git a/setup.yml b/setup.yml index 42613d96..edd21205 100755 --- a/setup.yml +++ b/setup.yml @@ -20,6 +20,7 @@ - matrix-bridge-appservice-irc - matrix-bridge-beeper-linkedin - matrix-bridge-mautrix-facebook + - matrix-bridge-mautrix-twitter - matrix-bridge-mautrix-hangouts - matrix-bridge-mautrix-googlechat - matrix-bridge-mautrix-instagram From 35033bbc0c2a9d232f3faa9e8763ba8fbf861afd Mon Sep 17 00:00:00 2001 From: Matthew Cengia Date: Sun, 11 Apr 2021 16:45:27 +1000 Subject: [PATCH 056/202] Update documentation to include mautrix-twitter Playbook config copied from mautrix-facebook and altered accordingly. --- README.md | 2 ++ ...iguring-playbook-bridge-mautrix-twitter.md | 35 +++++++++++++++++++ docs/configuring-playbook.md | 2 ++ docs/container-images.md | 2 ++ 4 files changed, 41 insertions(+) create mode 100644 docs/configuring-playbook-bridge-mautrix-twitter.md diff --git a/README.md b/README.md index 6e1b5c14..59bd915e 100644 --- a/README.md +++ b/README.md @@ -51,6 +51,8 @@ Using this playbook, you can get the following services configured on your serve - (optional) the [mautrix-facebook](https://github.com/mautrix/facebook) bridge for bridging your Matrix server to [Facebook](https://facebook.com/) +- (optional) the [mautrix-twitter](https://github.com/mautrix/twitter) bridge for bridging your Matrix server to [Twitter](https://twitter.com/) + - (optional) the [mautrix-hangouts](https://github.com/mautrix/hangouts) bridge for bridging your Matrix server to [Google Hangouts](https://en.wikipedia.org/wiki/Google_Hangouts) - (optional) the [mautrix-googlechat](https://github.com/mautrix/googlechat) bridge for bridging your Matrix server to [Google Chat](https://en.wikipedia.org/wiki/Google_Chat) diff --git a/docs/configuring-playbook-bridge-mautrix-twitter.md b/docs/configuring-playbook-bridge-mautrix-twitter.md new file mode 100644 index 00000000..cfc14506 --- /dev/null +++ b/docs/configuring-playbook-bridge-mautrix-twitter.md @@ -0,0 +1,35 @@ +# Setting up Mautrix Twitter (optional) + +The playbook can install and configure [mautrix-twitter](https://github.com/tulir/mautrix-twitter) for you. + +See the project's [documentation](https://github.com/tulir/mautrix-twitter/wiki#usage) to learn what it does and why it might be useful to you. + +```yaml +matrix_mautrix_twitter_enabled: true +``` + + +## Set up Double Puppeting + +If you'd like to use [Double Puppeting](https://github.com/tulir/mautrix-twitter/wiki/Authentication#double-puppeting) (hint: you most likely do), you have 2 ways of going about it. + +### Method 1: automatically, by enabling Shared Secret Auth + +The bridge will automatically perform Double Puppeting if you enable [Shared Secret Auth](configuring-playbook-shared-secret-auth.md) for this playbook. + +This is the recommended way of setting up Double Puppeting, as it's easier to accomplish, works for all your users automatically, and has less of a chance of breaking in the future. + +### Method 2: manually, by asking each user to provide a working access token + +This method is currently not available for the Mautrix-Twitter bridge, but is on the [roadmap](https://github.com/tulir/mautrix-twitter/blob/master/ROADMAP.md) under Misc/Manual login with `login-matrix` + +## Usage + +1. You then need to start a chat with `@twitterbot:YOUR_DOMAIN` (where `YOUR_DOMAIN` is your base domain, not the `matrix.` domain). +2. Send login-cookie to start the login. The bot should respond with instructions on how to proceed. + +You can learn more here about authentication from the bridge's [official documentation on Authentication](https://docs.mau.fi/bridges/python/twitter/authentication.html). + +If you run into trouble, check the [Troubleshooting](#troubleshooting) section below. + +After successfully enabling bridging, you may wish to [set up Double Puppeting](#set-up-double-puppeting), if you haven't already done so. diff --git a/docs/configuring-playbook.md b/docs/configuring-playbook.md index 243440dd..0f35325d 100644 --- a/docs/configuring-playbook.md +++ b/docs/configuring-playbook.md @@ -102,6 +102,8 @@ When you're done with all the configuration you'd like to do, continue with [Ins - [Setting up Mautrix Instagram bridging](configuring-playbook-bridge-mautrix-instagram.md) (optional) +- [Setting up Mautrix Twitter bridging](configuring-playbook-bridge-mautrix-twitter.md) (optional) + - [Setting up Mautrix Signal bridging](configuring-playbook-bridge-mautrix-signal.md) (optional) - [Setting up Appservice IRC bridging](configuring-playbook-bridge-appservice-irc.md) (optional) diff --git a/docs/container-images.md b/docs/container-images.md index 6fbb9205..18436c91 100644 --- a/docs/container-images.md +++ b/docs/container-images.md @@ -46,6 +46,8 @@ These services are not part of our default installation, but can be enabled by [ - [mautrix/facebook](https://mau.dev/mautrix/facebook/container_registry) - the [mautrix-facebook](https://github.com/mautrix/facebook) bridge to [Facebook](https://facebook.com/) (optional) +- [tulir/mautrix-twitter](https://mau.dev/mautrix/twitter/container_registry) - the [mautrix-twitter](https://github.com/tulir/mautrix-twitter) bridge to [Twitter](https://twitter.com/) (optional) + - [mautrix/hangouts](https://mau.dev/mautrix/hangouts/container_registry) - the [mautrix-hangouts](https://github.com/mautrix/hangouts) bridge to [Google Hangouts](https://en.wikipedia.org/wiki/Google_Hangouts) (optional) - [mautrix/googlechat](https://mau.dev/mautrix/googlechat/container_registry) - the [mautrix-googlechat](https://github.com/mautrix/googlechat) bridge to [Google Chat](https://en.wikipedia.org/wiki/Google_Chat) (optional) From 2b83aeb87ed26ed1182e257ad80dfaef409dc065 Mon Sep 17 00:00:00 2001 From: Matthew Cengia Date: Tue, 9 Nov 2021 14:47:02 +1100 Subject: [PATCH 057/202] Update Mautrix-Twitter image path --- roles/matrix-bridge-mautrix-twitter/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-bridge-mautrix-twitter/defaults/main.yml b/roles/matrix-bridge-mautrix-twitter/defaults/main.yml index ed81f2d4..2d6b4b20 100644 --- a/roles/matrix-bridge-mautrix-twitter/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-twitter/defaults/main.yml @@ -8,7 +8,7 @@ matrix_mautrix_twitter_container_image_self_build_repo: "https://github.com/tuli matrix_mautrix_twitter_version: latest # See: https://mau.dev/tulir/mautrix-twitter/container_registry -matrix_mautrix_twitter_docker_image: "{{ matrix_mautrix_twitter_docker_image_name_prefix }}tulir/mautrix-twitter:{{ matrix_mautrix_twitter_version }}" +matrix_mautrix_twitter_docker_image: "{{ matrix_mautrix_twitter_docker_image_name_prefix }}mautrix/twitter:{{ matrix_mautrix_twitter_version }}" matrix_mautrix_twitter_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_twitter_container_image_self_build else 'dock.mau.dev/' }}" matrix_mautrix_twitter_docker_image_force_pull: "{{ matrix_mautrix_twitter_docker_image.endswith(':latest') }}" From 5be131054102398e20b7a825dd26d6de0021ef3e Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 14 Dec 2021 16:54:35 +0200 Subject: [PATCH 058/202] Upgrade Synapse (1.48.0 -> 1.49.0) --- roles/matrix-synapse/defaults/main.yml | 4 +- .../templates/synapse/homeserver.yaml.j2 | 40 +++++++++++++++++++ roles/matrix-synapse/vars/workers.yml | 4 +- 3 files changed, 44 insertions(+), 4 deletions(-) diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index e888ac92..d1d049d5 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -15,8 +15,8 @@ matrix_synapse_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_cont # amd64 gets released first. # arm32 relies on self-building, so the same version can be built immediately. # arm64 users need to wait for a prebuilt image to become available. -matrix_synapse_version: v1.48.0 -matrix_synapse_version_arm64: v1.48.0 +matrix_synapse_version: v1.49.0 +matrix_synapse_version_arm64: v1.49.0 matrix_synapse_docker_image_tag: "{{ matrix_synapse_version if matrix_architecture in ['arm32', 'amd64'] else matrix_synapse_version_arm64 }}" matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}" diff --git a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 index 3e289b0c..1361eb9e 100644 --- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 @@ -1227,6 +1227,46 @@ enable_registration: {{ matrix_synapse_enable_registration|to_json }} # #session_lifetime: 24h +# Time that an access token remains valid for, if the session is +# using refresh tokens. +# For more information about refresh tokens, please see the manual. +# Note that this only applies to clients which advertise support for +# refresh tokens. +# +# Note also that this is calculated at login time and refresh time: +# changes are not applied to existing sessions until they are refreshed. +# +# By default, this is 5 minutes. +# +#refreshable_access_token_lifetime: 5m + +# Time that a refresh token remains valid for (provided that it is not +# exchanged for another one first). +# This option can be used to automatically log-out inactive sessions. +# Please see the manual for more information. +# +# Note also that this is calculated at login time and refresh time: +# changes are not applied to existing sessions until they are refreshed. +# +# By default, this is infinite. +# +#refresh_token_lifetime: 24h + +# Time that an access token remains valid for, if the session is NOT +# using refresh tokens. +# Please note that not all clients support refresh tokens, so setting +# this to a short value may be inconvenient for some users who will +# then be logged out frequently. +# +# Note also that this is calculated at login time: changes are not applied +# retrospectively to existing sessions for users that have already logged in. +# +# By default, this is infinite. +# +#nonrefreshable_access_token_lifetime: 24h + +# The user must provide all of the below types of 3PID when registering. + # The user must provide all of the below types of 3PID when registering. # #registrations_require_3pid: diff --git a/roles/matrix-synapse/vars/workers.yml b/roles/matrix-synapse/vars/workers.yml index def223f8..1a279ad6 100644 --- a/roles/matrix-synapse/vars/workers.yml +++ b/roles/matrix-synapse/vars/workers.yml @@ -33,7 +33,7 @@ matrix_synapse_workers_generic_worker_endpoints: - ^/_matrix/federation/v1/get_groups_publicised$ - ^/_matrix/key/v2/query - ^/_matrix/federation/unstable/org.matrix.msc2946/spaces/ - - ^/_matrix/federation/unstable/org.matrix.msc2946/hierarchy/ + - ^/_matrix/federation/(v1|unstable/org.matrix.msc2946)/hierarchy/ # Inbound federation transaction request - ^/_matrix/federation/v1/send/ @@ -46,7 +46,7 @@ matrix_synapse_workers_generic_worker_endpoints: - ^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/members$ - ^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/state$ - ^/_matrix/client/unstable/org.matrix.msc2946/rooms/.*/spaces$ - - ^/_matrix/client/unstable/org.matrix.msc2946/rooms/.*/hierarchy$ + - ^/_matrix/client/(v1|unstable/org.matrix.msc2946)/rooms/.*/hierarchy$ - ^/_matrix/client/unstable/im.nheko.summary/rooms/.*/summary$ - ^/_matrix/client/(api/v1|r0|v3|unstable)/account/3pid$ - ^/_matrix/client/(api/v1|r0|v3|unstable)/devices$ From aef9a1ea1f5e08119b8434b8630212d3d36ae1d2 Mon Sep 17 00:00:00 2001 From: PC-Admin Date: Mon, 6 Dec 2021 11:54:31 +0800 Subject: [PATCH 059/202] GoMatrixHosting v0.6.7 --- roles/matrix-awx/tasks/purge_database_main.yml | 4 ++-- roles/matrix-awx/tasks/purge_media_main.yml | 4 ++-- roles/matrix-awx/tasks/self_check.yml | 2 ++ .../tasks/set_variables_dimension.yml | 4 ++-- roles/matrix-common-after/tasks/awx_post.yml | 18 +++++++++--------- 5 files changed, 17 insertions(+), 15 deletions(-) diff --git a/roles/matrix-awx/tasks/purge_database_main.yml b/roles/matrix-awx/tasks/purge_database_main.yml index 1e16c4ad..f29061fb 100644 --- a/roles/matrix-awx/tasks/purge_database_main.yml +++ b/roles/matrix-awx/tasks/purge_database_main.yml @@ -29,9 +29,9 @@ when: (awx_purge_mode.find("No local users [recommended]") != -1) or (awx_purge_mode.find("Number of users [slower]") != -1) or (awx_purge_mode.find("Number of events [slower]") != -1) register: awx_synapse_container_ip -- name: Collect access token for @_janitor user +- name: Collect access token for @admin-janitor user shell: | - curl -X POST -d '{"type":"m.login.password", "user":"_janitor", "password":"{{ awx_janitor_user_password }}"}' "{{ awx_synapse_container_ip.stdout }}:{{ matrix_synapse_container_client_api_port }}/_matrix/client/r0/login" | jq '.access_token' + curl -X POST -d '{"type":"m.login.password", "user":"admin-janitor", "password":"{{ awx_janitor_user_password }}"}' "{{ awx_synapse_container_ip.stdout }}:{{ matrix_synapse_container_client_api_port }}/_matrix/client/r0/login" | jq '.access_token' when: (awx_purge_mode.find("No local users [recommended]") != -1) or (awx_purge_mode.find("Number of users [slower]") != -1) or (awx_purge_mode.find("Number of events [slower]") != -1) register: awx_janitors_token no_log: True diff --git a/roles/matrix-awx/tasks/purge_media_main.yml b/roles/matrix-awx/tasks/purge_media_main.yml index 59e0d89c..c836d16c 100644 --- a/roles/matrix-awx/tasks/purge_media_main.yml +++ b/roles/matrix-awx/tasks/purge_media_main.yml @@ -21,9 +21,9 @@ shell: "/usr/bin/docker inspect --format '{''{range.NetworkSettings.Networks}''}{''{.IPAddress}''}{''{end}''}' matrix-synapse" register: awx_synapse_container_ip -- name: Collect access token for @_janitor user +- name: Collect access token for @admin-janitor user shell: | - curl -XPOST -d '{"type":"m.login.password", "user":"_janitor", "password":"{{ awx_janitor_user_password }}"}' "{{ awx_synapse_container_ip.stdout }}:{{ matrix_synapse_container_client_api_port }}/_matrix/client/r0/login" | jq '.access_token' + curl -XPOST -d '{"type":"m.login.password", "user":"admin-janitor", "password":"{{ awx_janitor_user_password }}"}' "{{ awx_synapse_container_ip.stdout }}:{{ matrix_synapse_container_client_api_port }}/_matrix/client/r0/login" | jq '.access_token' register: awx_janitors_token no_log: True diff --git a/roles/matrix-awx/tasks/self_check.yml b/roles/matrix-awx/tasks/self_check.yml index 510b9f9e..a7b0cb3a 100644 --- a/roles/matrix-awx/tasks/self_check.yml +++ b/roles/matrix-awx/tasks/self_check.yml @@ -50,12 +50,14 @@ - name: Calculate size of local media repository shell: du -sh /matrix/synapse/storage/media-store/local* register: awx_local_media_size_stat + async: 600 ignore_errors: yes no_log: True - name: Calculate size of remote media repository shell: du -sh /matrix/synapse/storage/media-store/remote* register: awx_remote_media_size_stat + async: 600 ignore_errors: yes no_log: True diff --git a/roles/matrix-awx/tasks/set_variables_dimension.yml b/roles/matrix-awx/tasks/set_variables_dimension.yml index 0db01c57..eee4e6f2 100644 --- a/roles/matrix-awx/tasks/set_variables_dimension.yml +++ b/roles/matrix-awx/tasks/set_variables_dimension.yml @@ -12,9 +12,9 @@ - curl state: present -- name: Collect access token of @_dimension user +- name: Collect access token of @admin-dimension user shell: | - curl -X POST --header 'Content-Type: application/json' -d '{ "identifier": { "type": "m.id.user","user": "_dimension" }, "password": "{{ awx_dimension_user_password }}", "type": "m.login.password"}' 'https://matrix.{{ matrix_domain }}/_matrix/client/r0/login' | jq -c '. | {access_token}' | sed 's/.*\":\"//' | sed 's/\"}//' + curl -X POST --header 'Content-Type: application/json' -d '{ "identifier": { "type": "m.id.user","user": "admin-dimension" }, "password": "{{ awx_dimension_user_password }}", "type": "m.login.password"}' 'https://matrix.{{ matrix_domain }}/_matrix/client/r0/login' | jq -c '. | {access_token}' | sed 's/.*\":\"//' | sed 's/\"}//' register: awx_dimension_user_access_token - name: Record Synapse variables locally on AWX diff --git a/roles/matrix-common-after/tasks/awx_post.yml b/roles/matrix-common-after/tasks/awx_post.yml index 278855fb..9c472ca3 100644 --- a/roles/matrix-common-after/tasks/awx_post.yml +++ b/roles/matrix-common-after/tasks/awx_post.yml @@ -1,11 +1,11 @@ --- -- name: Create user account @_janitor +- name: Create user account @admin-janitor command: | - /usr/local/bin/matrix-synapse-register-user _janitor {{ awx_janitor_user_password | quote }} 1 + /usr/local/bin/matrix-synapse-register-user admin-janitor {{ awx_janitor_user_password | quote }} 1 register: cmd when: not awx_janitor_user_created|bool - no_log: True + no_log: false - name: Update AWX janitor user created variable delegate_to: 127.0.0.1 @@ -18,12 +18,12 @@ 'awx_janitor_user_created': 'true' when: not awx_janitor_user_created|bool -- name: Create user account @_dimension +- name: Create user account @admin-dimension command: | - /usr/local/bin/matrix-synapse-register-user _dimension {{ awx_dimension_user_password | quote }} 0 + /usr/local/bin/matrix-synapse-register-user admin-dimension {{ awx_dimension_user_password | quote }} 0 register: cmd when: not awx_dimension_user_created|bool - no_log: True + no_log: false - name: Update AWX dimension user created variable delegate_to: 127.0.0.1 @@ -36,12 +36,12 @@ 'awx_dimension_user_created': 'true' when: not awx_dimension_user_created|bool -- name: Create user account @_mjolnir +- name: Create user account @admin-mjolnir command: | - /usr/local/bin/matrix-synapse-register-user _mjolnir {{ awx_mjolnir_user_password | quote }} 0 + /usr/local/bin/matrix-synapse-register-user admin-mjolnir {{ awx_mjolnir_user_password | quote }} 0 register: cmd when: not awx_mjolnir_user_created|bool - no_log: True + no_log: false - name: Update AWX dimension user created variable delegate_to: 127.0.0.1 From 12832d8a686ec4283d62e62241f03d3c6b3553f7 Mon Sep 17 00:00:00 2001 From: sakkiii <11132948+sakkiii@users.noreply.github.com> Date: Wed, 15 Dec 2021 18:05:52 +0530 Subject: [PATCH 060/202] jitsi update --- roles/matrix-jitsi/defaults/main.yml | 4 +- roles/matrix-jitsi/templates/jicofo/env.j2 | 4 ++ roles/matrix-jitsi/templates/jvb/env.j2 | 20 +++--- roles/matrix-jitsi/templates/prosody/env.j2 | 65 ++++++++++--------- roles/matrix-jitsi/templates/web/env.j2 | 58 ++++++++++------- .../templates/web/matrix-jitsi-web.service.j2 | 1 + 6 files changed, 90 insertions(+), 62 deletions(-) diff --git a/roles/matrix-jitsi/defaults/main.yml b/roles/matrix-jitsi/defaults/main.yml index b1002a7f..3f61f4ff 100644 --- a/roles/matrix-jitsi/defaults/main.yml +++ b/roles/matrix-jitsi/defaults/main.yml @@ -8,6 +8,7 @@ matrix_jitsi_enable_recording: false matrix_jitsi_enable_transcriptions: false matrix_jitsi_enable_p2p: true matrix_jitsi_enable_av_moderation: true +matrix_jitsi_enable_breakout_rooms: true # Authentication type, must be one of internal, jwt or ldap. # Currently only internal and ldap mechanisms are supported by this playbook. @@ -67,7 +68,7 @@ matrix_jitsi_jibri_recorder_password: '' matrix_jitsi_enable_lobby: false -matrix_jitsi_version: stable-6726 +matrix_jitsi_version: stable-6726-1 matrix_jitsi_container_image_tag: "{{ matrix_jitsi_version }}" # for backward-compatibility matrix_jitsi_web_docker_image: "{{ matrix_container_global_registry_prefix }}jitsi/web:{{ matrix_jitsi_container_image_tag }}" @@ -76,6 +77,7 @@ matrix_jitsi_web_docker_image_force_pull: "{{ matrix_jitsi_web_docker_image.ends matrix_jitsi_web_base_path: "{{ matrix_base_data_path }}/jitsi/web" matrix_jitsi_web_config_path: "{{ matrix_jitsi_web_base_path }}/config" matrix_jitsi_web_transcripts_path: "{{ matrix_jitsi_web_base_path }}/transcripts" +matrix_jitsi_web_crontabs_path: "{{ matrix_jitsi_web_base_path }}/crontabs" matrix_jitsi_web_public_url: "https://{{ matrix_server_fqn_jitsi }}" diff --git a/roles/matrix-jitsi/templates/jicofo/env.j2 b/roles/matrix-jitsi/templates/jicofo/env.j2 index 687df714..1f2cb68c 100644 --- a/roles/matrix-jitsi/templates/jicofo/env.j2 +++ b/roles/matrix-jitsi/templates/jicofo/env.j2 @@ -9,6 +9,7 @@ ENABLE_CODEC_H264 ENABLE_OCTO ENABLE_RECORDING ENABLE_SCTP +ENABLE_AUTO_LOGIN JICOFO_AUTH_USER={{ matrix_jitsi_jicofo_auth_user }} JICOFO_AUTH_PASSWORD={{ matrix_jitsi_jicofo_auth_password }} JICOFO_ENABLE_BRIDGE_HEALTH_CHECKS @@ -26,6 +27,9 @@ JIGASI_SIP_URI JVB_BREWERY_MUC={{ matrix_jitsi_jvb_brewery_muc }} MAX_BRIDGE_PARTICIPANTS OCTO_BRIDGE_SELECTION_STRATEGY +SENTRY_DSN="${JICOFO_SENTRY_DSN:-0}" +SENTRY_ENVIRONMENT +SENTRY_RELEASE TZ={{ matrix_jitsi_timezone }} XMPP_DOMAIN={{ matrix_jitsi_xmpp_domain }} XMPP_AUTH_DOMAIN={{ matrix_jitsi_xmpp_auth_domain }} diff --git a/roles/matrix-jitsi/templates/jvb/env.j2 b/roles/matrix-jitsi/templates/jvb/env.j2 index 6edae6d4..43569268 100644 --- a/roles/matrix-jitsi/templates/jvb/env.j2 +++ b/roles/matrix-jitsi/templates/jvb/env.j2 @@ -1,9 +1,6 @@ +DOCKER_HOST_ADDRESS ENABLE_COLIBRI_WEBSOCKET ENABLE_OCTO -DOCKER_HOST_ADDRESS -XMPP_AUTH_DOMAIN={{ matrix_jitsi_xmpp_auth_domain }} -XMPP_INTERNAL_MUC_DOMAIN={{ matrix_jitsi_xmpp_internal_muc_domain }} -XMPP_SERVER={{ matrix_jitsi_xmpp_server }} JVB_AUTH_USER={{ matrix_jitsi_jvb_auth_user }} JVB_AUTH_PASSWORD={{ matrix_jitsi_jvb_auth_password }} JVB_BREWERY_MUC={{ matrix_jitsi_jvb_brewery_muc }} @@ -14,14 +11,21 @@ JVB_TCP_MAPPED_PORT={{ matrix_jitsi_jvb_rtp_tcp_port }} {% if matrix_jitsi_jvb_stun_servers|length > 0 %} JVB_STUN_SERVERS={{ matrix_jitsi_jvb_stun_servers|join(',') }} {% endif %} -JVB_ENABLE_APIS -JVB_WS_DOMAIN -JVB_WS_SERVER_ID -PUBLIC_URL={{ matrix_jitsi_web_public_url }} JVB_OCTO_BIND_ADDRESS JVB_OCTO_PUBLIC_ADDRESS JVB_OCTO_BIND_PORT JVB_OCTO_REGION +JVB_WS_DOMAIN +JVB_WS_SERVER_ID +PUBLIC_URL={{ matrix_jitsi_web_public_url }} +SENTRY_DSN="${JVB_SENTRY_DSN:-0}" +SENTRY_ENVIRONMENT +SENTRY_RELEASE +COLIBRI_REST_ENABLED +SHUTDOWN_REST_ENABLED TZ={{ matrix_jitsi_timezone }} +XMPP_AUTH_DOMAIN={{ matrix_jitsi_xmpp_auth_domain }} +XMPP_INTERNAL_MUC_DOMAIN= {{ matrix_jitsi_xmpp_internal_muc_domain }} +XMPP_SERVER={{ matrix_jitsi_xmpp_server }} {{ matrix_jitsi_jvb_environment_variables_extension }} diff --git a/roles/matrix-jitsi/templates/prosody/env.j2 b/roles/matrix-jitsi/templates/prosody/env.j2 index 70feda6e..941f2c25 100644 --- a/roles/matrix-jitsi/templates/prosody/env.j2 +++ b/roles/matrix-jitsi/templates/prosody/env.j2 @@ -1,44 +1,24 @@ AUTH_TYPE={{ matrix_jitsi_auth_type }} +DISABLE_POLLS ENABLE_AUTH={{ 1 if matrix_jitsi_enable_auth else 0 }} +ENABLE_AV_MODERATION={{1 if matrix_jitsi_enable_av_moderation else 0}} +ENABLE_BREAKOUT_ROOMS={{1 if matrix_jitsi_enable_breakout_rooms else 0}} ENABLE_GUESTS={{ 1 if matrix_jitsi_enable_guests else 0 }} ENABLE_LOBBY={{ 1 if matrix_jitsi_enable_lobby else 0 }} -ENABLE_AV_MODERATION={{1 if matrix_jitsi_enable_av_moderation else 0}} ENABLE_XMPP_WEBSOCKET -GLOBAL_MODULES GLOBAL_CONFIG -LDAP_URL={{ matrix_jitsi_ldap_url }} -LDAP_BASE={{ matrix_jitsi_ldap_base }} -LDAP_BINDDN={{ matrix_jitsi_ldap_binddn }} -LDAP_BINDPW={{ matrix_jitsi_ldap_bindpw }} -LDAP_FILTER={{ matrix_jitsi_ldap_filter }} -LDAP_AUTH_METHOD={{ matrix_jitsi_ldap_auth_method }} -LDAP_VERSION={{ matrix_jitsi_ldap_version }} -LDAP_USE_TLS={{ 1 if matrix_jitsi_ldap_use_tls else 0 }} -LDAP_TLS_CIPHERS={{ matrix_jitsi_ldap_tls_ciphers }} -LDAP_TLS_CHECK_PEER={{ 1 if matrix_jitsi_ldap_tls_check_peer else 0 }} -LDAP_TLS_CACERT_FILE={{ matrix_jitsi_ldap_tls_cacert_file }} -LDAP_TLS_CACERT_DIR={{ matrix_jitsi_ldap_tls_cacert_dir }} -LDAP_START_TLS={{ 1 if matrix_jitsi_ldap_start_tls else 0 }} -XMPP_DOMAIN={{ matrix_jitsi_xmpp_domain }} -XMPP_AUTH_DOMAIN={{ matrix_jitsi_xmpp_auth_domain }} -XMPP_GUEST_DOMAIN={{ matrix_jitsi_xmpp_guest_domain }} -XMPP_MUC_DOMAIN={{ matrix_jitsi_xmpp_muc_domain }} -XMPP_INTERNAL_MUC_DOMAIN={{ matrix_jitsi_xmpp_internal_muc_domain }} -XMPP_MODULES={{ matrix_jitsi_xmpp_modules }} -XMPP_MUC_MODULES= -XMPP_INTERNAL_MUC_MODULES= -XMPP_RECORDER_DOMAIN={{ matrix_jitsi_recorder_domain }} -XMPP_CROSS_DOMAIN=true +GLOBAL_MODULES +JIBRI_RECORDER_USER={{ matrix_jitsi_jibri_recorder_user }} +JIBRI_RECORDER_PASSWORD={{ matrix_jitsi_jibri_recorder_password }} +JIBRI_XMPP_USER={{ matrix_jitsi_jibri_xmpp_user }} +JIBRI_XMPP_PASSWORD={{ matrix_jitsi_jibri_xmpp_password }} JICOFO_AUTH_USER={{ matrix_jitsi_jicofo_auth_user }} JICOFO_AUTH_PASSWORD={{ matrix_jitsi_jicofo_auth_password }} -JVB_AUTH_USER={{ matrix_jitsi_jvb_auth_user }} -JVB_AUTH_PASSWORD={{ matrix_jitsi_jvb_auth_password }} +JICOFO_COMPONENT_SECRET JIGASI_XMPP_USER= JIGASI_XMPP_PASSWORD= -JIBRI_XMPP_USER={{ matrix_jitsi_jibri_xmpp_user }} -JIBRI_XMPP_PASSWORD={{ matrix_jitsi_jibri_xmpp_password }} -JIBRI_RECORDER_USER={{ matrix_jitsi_jibri_recorder_user }} -JIBRI_RECORDER_PASSWORD={{ matrix_jitsi_jibri_recorder_password }} +JVB_AUTH_USER={{ matrix_jitsi_jvb_auth_user }} +JVB_AUTH_PASSWORD={{ matrix_jitsi_jvb_auth_password }} JWT_APP_ID JWT_APP_SECRET JWT_ACCEPTED_ISSUERS @@ -48,6 +28,19 @@ JWT_ALLOW_EMPTY JWT_AUTH_TYPE JWT_TOKEN_AUTH_MODULE LOG_LEVEL +LDAP_AUTH_METHOD={{ matrix_jitsi_ldap_auth_method }} +LDAP_BASE={{ matrix_jitsi_ldap_base }} +LDAP_BINDDN={{ matrix_jitsi_ldap_binddn }} +LDAP_BINDPW={{ matrix_jitsi_ldap_bindpw }} +LDAP_FILTER={{ matrix_jitsi_ldap_filter }} +LDAP_VERSION={{ matrix_jitsi_ldap_version }} +LDAP_TLS_CIPHERS={{ matrix_jitsi_ldap_tls_ciphers }} +LDAP_TLS_CHECK_PEER={{ 1 if matrix_jitsi_ldap_tls_check_peer else 0 }} +LDAP_TLS_CACERT_FILE={{ matrix_jitsi_ldap_tls_cacert_file }} +LDAP_TLS_CACERT_DIR={{ matrix_jitsi_ldap_tls_cacert_dir }} +LDAP_START_TLS={{ 1 if matrix_jitsi_ldap_start_tls else 0 }} +LDAP_URL={{ matrix_jitsi_ldap_url }} +LDAP_USE_TLS={{ 1 if matrix_jitsi_ldap_use_tls else 0 }} PUBLIC_URL={{ matrix_jitsi_web_public_url }} TURN_CREDENTIALS={{ matrix_jitsi_turn_credentials }} TURN_HOST={{ matrix_jitsi_turn_host }} @@ -55,3 +48,13 @@ TURNS_HOST={{ matrix_jitsi_turns_host }} TURN_PORT={{ matrix_jitsi_turn_port }} TURNS_PORT={{ matrix_jitsi_turns_port }} TZ={{ matrix_jitsi_timezone }} +XMPP_DOMAIN={{ matrix_jitsi_xmpp_domain }} +XMPP_AUTH_DOMAIN={{ matrix_jitsi_xmpp_auth_domain }} +XMPP_GUEST_DOMAIN={{ matrix_jitsi_xmpp_guest_domain }} +XMPP_MUC_DOMAIN={{ matrix_jitsi_xmpp_muc_domain }} +XMPP_INTERNAL_MUC_DOMAIN={{ matrix_jitsi_xmpp_internal_muc_domain }} +XMPP_MODULES={{ matrix_jitsi_xmpp_modules }} +XMPP_MUC_MODULES= +XMPP_INTERNAL_MUC_MODULES= +XMPP_RECORDER_DOMAIN={{ matrix_jitsi_recorder_domain }} +XMPP_CROSS_DOMAIN=true diff --git a/roles/matrix-jitsi/templates/web/env.j2 b/roles/matrix-jitsi/templates/web/env.j2 index 2ff6befc..ac15c087 100644 --- a/roles/matrix-jitsi/templates/web/env.j2 +++ b/roles/matrix-jitsi/templates/web/env.j2 @@ -1,16 +1,3 @@ -ENABLE_COLIBRI_WEBSOCKET -ENABLE_FLOC=0 -ENABLE_LETSENCRYPT=0 -ENABLE_HTTP_REDIRECT=0 -ENABLE_HSTS=0 -ENABLE_XMPP_WEBSOCKET -DISABLE_HTTPS=0 -DISABLE_DEEP_LINKING -LETSENCRYPT_DOMAIN={{ matrix_server_fqn_jitsi }} -LETSENCRYPT_EMAIL={{ matrix_ssl_lets_encrypt_support_email }} -LETSENCRYPT_USE_STAGING=0 -PUBLIC_URL={{ matrix_jitsi_web_public_url }} -TZ={{ matrix_jitsi_timezone }} AMPLITUDE_ID ANALYTICS_SCRIPT_URLS ANALYTICS_WHITELISTED_EVENTS @@ -26,23 +13,37 @@ DEPLOYMENTINFO_ENVIRONMENT_TYPE DEPLOYMENTINFO_REGION DEPLOYMENTINFO_SHARD DEPLOYMENTINFO_USERREGION +DESKTOP_SHARING_FRAMERATE_MIN +DESKTOP_SHARING_FRAMERATE_MAX DIALIN_NUMBERS_URL DIALOUT_AUTH_URL DIALOUT_CODES_URL +DISABLE_AUDIO_LEVELS +DISABLE_DEEP_LINKING +DISABLE_HTTPS=0 +DISABLE_POLLS +DISABLE_REACTIONS DROPBOX_APPKEY DROPBOX_REDIRECT_URI DYNAMIC_BRANDING_URL ENABLE_AUDIO_PROCESSING ENABLE_AUTH={{ 1 if matrix_jitsi_enable_auth else 0 }} +ENABLE_BREAKOUT_ROOMS={{1 if matrix_jitsi_enable_breakout_rooms else 0}} ENABLE_CALENDAR +ENABLE_COLIBRI_WEBSOCKET ENABLE_FILE_RECORDING_SERVICE ENABLE_FILE_RECORDING_SERVICE_SHARING +ENABLE_FLOC=0 ENABLE_GUESTS={{ 1 if matrix_jitsi_enable_guests else 0 }} +ENABLE_HSTS=0 +ENABLE_HTTP_REDIRECT=0 ENABLE_IPV6 +ENABLE_LETSENCRYPT=0 ENABLE_LIPSYNC ENABLE_NO_AUDIO_DETECTION -ENABLE_P2P={{ 1 if matrix_jitsi_enable_p2p else 0 }} +ENABLE_NOISY_MIC_DETECTION ENABLE_PREJOIN_PAGE +ENABLE_P2P={{ 1 if matrix_jitsi_enable_p2p else 0 }} ENABLE_WELCOME_PAGE ENABLE_CLOSE_PAGE ENABLE_RECORDING={{ 1 if matrix_jitsi_enable_recording else 0 }} @@ -55,12 +56,16 @@ ENABLE_SUBDOMAINS ENABLE_TALK_WHILE_MUTED ENABLE_TCC ENABLE_TRANSCRIPTIONS={{ 1 if matrix_jitsi_enable_transcriptions else 0 }} +ENABLE_XMPP_WEBSOCKET ETHERPAD_PUBLIC_URL ETHERPAD_URL_BASE={{ (matrix_jitsi_etherpad_base + '/') if matrix_jitsi_etherpad_enabled else ''}} GOOGLE_ANALYTICS_ID GOOGLE_API_APP_CLIENT_ID INVITE_SERVICE_URL JICOFO_AUTH_USER={{ matrix_jitsi_jicofo_auth_user }} +LETSENCRYPT_DOMAIN={{ matrix_server_fqn_jitsi }} +LETSENCRYPT_EMAIL={{ matrix_ssl_lets_encrypt_support_email }} +LETSENCRYPT_USE_STAGING=0 MATOMO_ENDPOINT MATOMO_SITE_ID MICROSOFT_API_APP_CLIENT_ID @@ -68,29 +73,38 @@ NGINX_RESOLVER NGINX_WORKER_PROCESSES NGINX_WORKER_CONNECTIONS PEOPLE_SEARCH_URL +PUBLIC_URL={{ matrix_jitsi_web_public_url }} RESOLUTION={{ matrix_jitsi_web_config_resolution_height_ideal_and_max }} RESOLUTION_MIN={{ matrix_jitsi_web_config_resolution_height_min }} RESOLUTION_WIDTH={{ matrix_jitsi_web_config_resolution_width_ideal_and_max }} RESOLUTION_WIDTH_MIN={{ matrix_jitsi_web_config_resolution_width_min }} -START_AUDIO_ONLY START_AUDIO_MUTED={{ matrix_jitsi_web_config_start_audio_muted_after_nth_participant }} -START_WITH_AUDIO_MUTED -START_SILENT -DISABLE_AUDIO_LEVELS -ENABLE_NOISY_MIC_DETECTION +START_AUDIO_ONLY START_BITRATE -DESKTOP_SHARING_FRAMERATE_MIN -DESKTOP_SHARING_FRAMERATE_MAX +START_SILENT +START_WITH_AUDIO_MUTED START_VIDEO_MUTED={{ matrix_jitsi_web_config_start_video_muted_after_nth_participant }} START_WITH_VIDEO_MUTED TESTING_CAP_SCREENSHARE_BITRATE TESTING_OCTO_PROBABILITY +TOKEN_AUTH_URL +TZ={{ matrix_jitsi_timezone }} +VIDEOQUALITY_BITRATE_H264_LOW +VIDEOQUALITY_BITRATE_H264_STANDARD +VIDEOQUALITY_BITRATE_H264_HIGH +VIDEOQUALITY_BITRATE_VP8_LOW +VIDEOQUALITY_BITRATE_VP8_STANDARD +VIDEOQUALITY_BITRATE_VP8_HIGH +VIDEOQUALITY_BITRATE_VP9_LOW +VIDEOQUALITY_BITRATE_VP9_STANDARD +VIDEOQUALITY_BITRATE_VP9_HIGH +VIDEOQUALITY_ENFORCE_PREFERRED_CODEC +VIDEOQUALITY_PREFERRED_CODEC XMPP_AUTH_DOMAIN={{ matrix_jitsi_xmpp_auth_domain }} XMPP_BOSH_URL_BASE={{ matrix_jitsi_xmpp_bosh_url_base }} XMPP_DOMAIN={{ matrix_jitsi_xmpp_domain }} XMPP_GUEST_DOMAIN={{ matrix_jitsi_xmpp_guest_domain }} XMPP_MUC_DOMAIN={{ matrix_jitsi_xmpp_muc_domain }} XMPP_RECORDER_DOMAIN={{ matrix_jitsi_recorder_domain }} -TOKEN_AUTH_URL {{ matrix_jitsi_web_environment_variables_extension }} diff --git a/roles/matrix-jitsi/templates/web/matrix-jitsi-web.service.j2 b/roles/matrix-jitsi/templates/web/matrix-jitsi-web.service.j2 index 5d386361..35bfca67 100644 --- a/roles/matrix-jitsi/templates/web/matrix-jitsi-web.service.j2 +++ b/roles/matrix-jitsi/templates/web/matrix-jitsi-web.service.j2 @@ -23,6 +23,7 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-jitsi-web \ {% endif %} --mount type=bind,src={{ matrix_jitsi_web_config_path }},dst=/config \ --mount type=bind,src={{ matrix_jitsi_web_transcripts_path }},dst=/usr/share/jitsi-meet/transcripts \ + --mount type=bind,src={{ matrix_jitsi_web_crontabs_path }},dst=/var/spool/cron/crontabs \ {% for arg in matrix_jitsi_web_container_extra_arguments %} {{ arg }} \ {% endfor %} From 55860bf38fae7604468b60e1c87dfd4669e3047f Mon Sep 17 00:00:00 2001 From: sakkiii <11132948+sakkiii@users.noreply.github.com> Date: Wed, 15 Dec 2021 18:23:29 +0530 Subject: [PATCH 061/202] Jitsi update - sentry logging added --- roles/matrix-jitsi/templates/jicofo/logging.properties.j2 | 5 +++++ roles/matrix-jitsi/templates/jvb/logging.properties.j2 | 5 +++++ 2 files changed, 10 insertions(+) diff --git a/roles/matrix-jitsi/templates/jicofo/logging.properties.j2 b/roles/matrix-jitsi/templates/jicofo/logging.properties.j2 index 7eba95af..3d1014a1 100644 --- a/roles/matrix-jitsi/templates/jicofo/logging.properties.j2 +++ b/roles/matrix-jitsi/templates/jicofo/logging.properties.j2 @@ -1,4 +1,8 @@ +{{ if .Env.SENTRY_DSN | default "0" | toBool }} +handlers=java.util.logging.ConsoleHandler,io.sentry.jul.SentryHandler +{{ else }} handlers= java.util.logging.ConsoleHandler +{{ end }} java.util.logging.ConsoleHandler.level = ALL java.util.logging.ConsoleHandler.formatter = net.java.sip.communicator.util.ScLogFormatter @@ -10,6 +14,7 @@ net.sf.level=SEVERE net.java.sip.communicator.plugin.reconnectplugin.level=FINE org.ice4j.level=SEVERE org.jitsi.impl.neomedia.level=SEVERE +io.sentry.jul.SentryHandler.level=WARNING # Do not worry about missing strings net.java.sip.communicator.service.resources.AbstractResourcesService.level=SEVERE diff --git a/roles/matrix-jitsi/templates/jvb/logging.properties.j2 b/roles/matrix-jitsi/templates/jvb/logging.properties.j2 index 48c1e9fa..97ac21f0 100644 --- a/roles/matrix-jitsi/templates/jvb/logging.properties.j2 +++ b/roles/matrix-jitsi/templates/jvb/logging.properties.j2 @@ -1,4 +1,8 @@ +{{ if .Env.SENTRY_DSN | default "0" | toBool }} +handlers=java.util.logging.ConsoleHandler,io.sentry.jul.SentryHandler +{{ else }} handlers= java.util.logging.ConsoleHandler +{{ end }} java.util.logging.ConsoleHandler.level = ALL java.util.logging.ConsoleHandler.formatter = net.java.sip.communicator.util.ScLogFormatter @@ -8,6 +12,7 @@ net.java.sip.communicator.util.ScLogFormatter.programname=JVB .level=INFO org.jitsi.videobridge.xmpp.ComponentImpl.level=FINE +io.sentry.jul.SentryHandler.level=WARNING # All of the INFO level logs from MediaStreamImpl are unnecessary in the context of jitsi-videobridge. org.jitsi.impl.neomedia.MediaStreamImpl.level=WARNING From 8a0c7913be00c962be814bab46eac96047a87c42 Mon Sep 17 00:00:00 2001 From: sakkiii Date: Wed, 15 Dec 2021 18:33:09 +0530 Subject: [PATCH 062/202] Grafana Updata (8.3.1 -> 8.3.3) --- roles/matrix-grafana/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-grafana/defaults/main.yml b/roles/matrix-grafana/defaults/main.yml index 37202d6d..f802d2e5 100644 --- a/roles/matrix-grafana/defaults/main.yml +++ b/roles/matrix-grafana/defaults/main.yml @@ -3,7 +3,7 @@ matrix_grafana_enabled: false -matrix_grafana_version: 8.3.1 +matrix_grafana_version: 8.3.3 matrix_grafana_docker_image: "{{ matrix_container_global_registry_prefix }}grafana/grafana:{{ matrix_grafana_version }}" matrix_grafana_docker_image_force_pull: "{{ matrix_grafana_docker_image.endswith(':latest') }}" From 980c2b9a801ae93a90496135450fc27fe506c00a Mon Sep 17 00:00:00 2001 From: sakkiii Date: Wed, 15 Dec 2021 18:35:13 +0530 Subject: [PATCH 063/202] Update coturn (4.5.2-r4 -> 4.5.2-r8) --- roles/matrix-coturn/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-coturn/defaults/main.yml b/roles/matrix-coturn/defaults/main.yml index b845e9ee..4d7ccf6b 100644 --- a/roles/matrix-coturn/defaults/main.yml +++ b/roles/matrix-coturn/defaults/main.yml @@ -5,7 +5,7 @@ matrix_coturn_container_image_self_build_repo: "https://github.com/coturn/coturn matrix_coturn_container_image_self_build_repo_version: "docker/{{ matrix_coturn_version }}" matrix_coturn_container_image_self_build_repo_dockerfile_path: "docker/coturn/alpine/Dockerfile" -matrix_coturn_version: 4.5.2-r4 +matrix_coturn_version: 4.5.2-r8 matrix_coturn_docker_image: "{{ matrix_coturn_docker_image_name_prefix }}coturn/coturn:{{ matrix_coturn_version }}-alpine" matrix_coturn_docker_image_name_prefix: "{{ 'localhost/' if matrix_coturn_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_coturn_docker_image_force_pull: "{{ matrix_coturn_docker_image.endswith(':latest') }}" From 42cd4d2c8d18bcd1b29b91935e8471321d56e2a6 Mon Sep 17 00:00:00 2001 From: sakkiii <11132948+sakkiii@users.noreply.github.com> Date: Wed, 15 Dec 2021 20:14:47 +0530 Subject: [PATCH 064/202] crontab mount dir should exists --- roles/matrix-jitsi/tasks/setup_jitsi_web.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/matrix-jitsi/tasks/setup_jitsi_web.yml b/roles/matrix-jitsi/tasks/setup_jitsi_web.yml index 4fdcc67b..d734be08 100644 --- a/roles/matrix-jitsi/tasks/setup_jitsi_web.yml +++ b/roles/matrix-jitsi/tasks/setup_jitsi_web.yml @@ -15,6 +15,7 @@ - { path: "{{ matrix_jitsi_web_base_path }}", when: true } - { path: "{{ matrix_jitsi_web_config_path }}", when: true } - { path: "{{ matrix_jitsi_web_transcripts_path }}", when: true } + - { path: "{{ matrix_jitsi_web_crontabs_path }}", when: true } when: matrix_jitsi_enabled|bool and item.when - name: Ensure jitsi-web Docker image is pulled From 60592fd6a8c3d12878e058299850124c6e05689a Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 15 Dec 2021 21:22:29 +0200 Subject: [PATCH 065/202] Fix Jitsi logging.properties conditional being interpreted as Jinja code Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1464 --- roles/matrix-jitsi/templates/jicofo/logging.properties.j2 | 2 ++ roles/matrix-jitsi/templates/jvb/logging.properties.j2 | 2 ++ 2 files changed, 4 insertions(+) diff --git a/roles/matrix-jitsi/templates/jicofo/logging.properties.j2 b/roles/matrix-jitsi/templates/jicofo/logging.properties.j2 index 3d1014a1..f69d7848 100644 --- a/roles/matrix-jitsi/templates/jicofo/logging.properties.j2 +++ b/roles/matrix-jitsi/templates/jicofo/logging.properties.j2 @@ -1,8 +1,10 @@ +{% raw %} {{ if .Env.SENTRY_DSN | default "0" | toBool }} handlers=java.util.logging.ConsoleHandler,io.sentry.jul.SentryHandler {{ else }} handlers= java.util.logging.ConsoleHandler {{ end }} +{% endraw %} java.util.logging.ConsoleHandler.level = ALL java.util.logging.ConsoleHandler.formatter = net.java.sip.communicator.util.ScLogFormatter diff --git a/roles/matrix-jitsi/templates/jvb/logging.properties.j2 b/roles/matrix-jitsi/templates/jvb/logging.properties.j2 index 97ac21f0..ff1d30a6 100644 --- a/roles/matrix-jitsi/templates/jvb/logging.properties.j2 +++ b/roles/matrix-jitsi/templates/jvb/logging.properties.j2 @@ -1,8 +1,10 @@ +{% raw %} {{ if .Env.SENTRY_DSN | default "0" | toBool }} handlers=java.util.logging.ConsoleHandler,io.sentry.jul.SentryHandler {{ else }} handlers= java.util.logging.ConsoleHandler {{ end }} +{% endraw %} java.util.logging.ConsoleHandler.level = ALL java.util.logging.ConsoleHandler.formatter = net.java.sip.communicator.util.ScLogFormatter From 2579f6f49b7847a5ff1c54964e0343d050e4bdd4 Mon Sep 17 00:00:00 2001 From: PC-Admin Date: Thu, 16 Dec 2021 07:51:27 +0800 Subject: [PATCH 066/202] add new defaults for AWX section --- roles/matrix-awx/defaults/main.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/roles/matrix-awx/defaults/main.yml b/roles/matrix-awx/defaults/main.yml index fb9f56ae..1b61797e 100755 --- a/roles/matrix-awx/defaults/main.yml +++ b/roles/matrix-awx/defaults/main.yml @@ -1 +1,6 @@ matrix_awx_enabled: true + +# Defaults for 'Customise Website + Access Export' template +awx_sftp_auth_method: 'Disabled' +awx_sftp_password: '' +awx_sftp_public_key: '' From 2430c14869697148ebfc3b4442b77677b78cbe57 Mon Sep 17 00:00:00 2001 From: sakkiii Date: Thu, 16 Dec 2021 22:33:23 +0530 Subject: [PATCH 067/202] Create ansible-lint.yml avoiding common pitfalls that can easily lead to bugs or make code harder to maintain --- .github/workflows/ansible-lint.yml | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) create mode 100644 .github/workflows/ansible-lint.yml diff --git a/.github/workflows/ansible-lint.yml b/.github/workflows/ansible-lint.yml new file mode 100644 index 00000000..ec7fddef --- /dev/null +++ b/.github/workflows/ansible-lint.yml @@ -0,0 +1,19 @@ +name: Ansible Lint + +on: [push, pull_request] + +jobs: + build: + + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v2 + + - name: Lint Ansible Playbook + uses: ansible/ansible-lint-action@master + with: + # Paths to ansible files (i.e., playbooks, tasks, handlers etc..) + targets: "./" + + args: "-x metadata, formatting" From 45119ea9dfbba2df79c01ec0d2ba09f001c0e23d Mon Sep 17 00:00:00 2001 From: Alexander Bersenev Date: Fri, 17 Dec 2021 05:47:47 +0500 Subject: [PATCH 068/202] Remove a space from XMPP_INTERNAL_MUC_DOMAIN The domain is invalid with space, so it shouldn't be here --- roles/matrix-jitsi/templates/jvb/env.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-jitsi/templates/jvb/env.j2 b/roles/matrix-jitsi/templates/jvb/env.j2 index 43569268..41d343b3 100644 --- a/roles/matrix-jitsi/templates/jvb/env.j2 +++ b/roles/matrix-jitsi/templates/jvb/env.j2 @@ -25,7 +25,7 @@ COLIBRI_REST_ENABLED SHUTDOWN_REST_ENABLED TZ={{ matrix_jitsi_timezone }} XMPP_AUTH_DOMAIN={{ matrix_jitsi_xmpp_auth_domain }} -XMPP_INTERNAL_MUC_DOMAIN= {{ matrix_jitsi_xmpp_internal_muc_domain }} +XMPP_INTERNAL_MUC_DOMAIN={{ matrix_jitsi_xmpp_internal_muc_domain }} XMPP_SERVER={{ matrix_jitsi_xmpp_server }} {{ matrix_jitsi_jvb_environment_variables_extension }} From 4625b34acca15f1403709e9e203802d57e49f92c Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 17 Dec 2021 17:18:18 +0200 Subject: [PATCH 069/202] Fix failure trying to stop orphaned systemd services Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1461 --- roles/matrix-synapse/tasks/synapse/workers/setup_uninstall.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/matrix-synapse/tasks/synapse/workers/setup_uninstall.yml b/roles/matrix-synapse/tasks/synapse/workers/setup_uninstall.yml index 4a90bfa6..d0440d22 100644 --- a/roles/matrix-synapse/tasks/synapse/workers/setup_uninstall.yml +++ b/roles/matrix-synapse/tasks/synapse/workers/setup_uninstall.yml @@ -8,6 +8,7 @@ name: "{{ item.key }}" state: stopped with_dict: "{{ ansible_facts.services|default({})|dict2items|selectattr('key', 'match', 'matrix-synapse-worker-.+\\.service')|list|items2dict }}" + when: "item.value['status'] != 'not-found'" # see https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1461 - name: Find worker configs to be cleaned find: From fa704f104bf9c9f0df07fd3297e371d030c58dfb Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 17 Dec 2021 17:30:21 +0200 Subject: [PATCH 070/202] Add support for using custom ACME CA servers (other than Let's Encrypt') Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1468 --- roles/matrix-nginx-proxy/defaults/main.yml | 7 +++++++ .../tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml | 2 ++ 2 files changed, 9 insertions(+) diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index a2a2a6b9..a2584ec7 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -442,7 +442,14 @@ matrix_ssl_domains_to_obtain_certificates_for: "{{ matrix_ssl_additional_domains matrix_ssl_additional_domains_to_obtain_certificates_for: [] # Controls whether to obtain production or staging certificates from Let's Encrypt. +# If you'd like to use another ACME certificate server (not Let's Encrypt), see `matrix_ssl_lets_encrypt_server` matrix_ssl_lets_encrypt_staging: false + +# Controls the server used to retrieve the SSL certificates (passed as a `--server` flag to Certbot). +# By default, we use the Let's Encrypt production environment (see `matrix_ssl_lets_encrypt_staging` for using the staging environment). +# Learn more here: https://eff-certbot.readthedocs.io/en/stable/using.html#changing-the-acme-server +matrix_ssl_lets_encrypt_server: '' + matrix_ssl_lets_encrypt_certbot_docker_image: "{{ matrix_container_global_registry_prefix }}certbot/certbot:{{ matrix_ssl_architecture }}-v1.21.0" matrix_ssl_lets_encrypt_certbot_docker_image_force_pull: "{{ matrix_ssl_lets_encrypt_certbot_docker_image.endswith(':latest') }}" matrix_ssl_lets_encrypt_certbot_standalone_http_port: 2402 diff --git a/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml b/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml index 4639f122..d4aab6e4 100644 --- a/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml +++ b/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml @@ -42,6 +42,7 @@ --non-interactive --work-dir=/tmp --http-01-port 8080 + {% if matrix_ssl_lets_encrypt_server %}--server={{ matrix_ssl_lets_encrypt_server|quote }}{% endif %} {% if matrix_ssl_lets_encrypt_staging %}--staging{% endif %} --standalone --preferred-challenges http @@ -70,6 +71,7 @@ --non-interactive --work-dir=/tmp --http-01-port 8080 + {% if matrix_ssl_lets_encrypt_server %}--server={{ matrix_ssl_lets_encrypt_server|quote }}{% endif %} {% if matrix_ssl_lets_encrypt_staging %}--staging{% endif %} --standalone --preferred-challenges http From afd7f03bb5f541e1e63d48b1ce66e9183b257eca Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 17 Dec 2021 17:30:40 +0200 Subject: [PATCH 071/202] Minor comment changes --- roles/matrix-nginx-proxy/defaults/main.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index a2584ec7..7eeb39ff 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -442,11 +442,11 @@ matrix_ssl_domains_to_obtain_certificates_for: "{{ matrix_ssl_additional_domains matrix_ssl_additional_domains_to_obtain_certificates_for: [] # Controls whether to obtain production or staging certificates from Let's Encrypt. -# If you'd like to use another ACME certificate server (not Let's Encrypt), see `matrix_ssl_lets_encrypt_server` +# If you'd like to use another ACME Certificate Authority server (not Let's Encrypt), use `matrix_ssl_lets_encrypt_server` matrix_ssl_lets_encrypt_staging: false -# Controls the server used to retrieve the SSL certificates (passed as a `--server` flag to Certbot). -# By default, we use the Let's Encrypt production environment (see `matrix_ssl_lets_encrypt_staging` for using the staging environment). +# Controls from which Certificate Authority server to retrieve the SSL certificates (passed as a `--server` flag to Certbot). +# By default, we use the Let's Encrypt production environment (use `matrix_ssl_lets_encrypt_staging` for using the staging environment). # Learn more here: https://eff-certbot.readthedocs.io/en/stable/using.html#changing-the-acme-server matrix_ssl_lets_encrypt_server: '' From 0080e4e40944d251c1613c4636a710fdd9ffe2ef Mon Sep 17 00:00:00 2001 From: sakkiii Date: Fri, 17 Dec 2021 21:03:20 +0530 Subject: [PATCH 072/202] Update ansible-lint version to 5.3.1 --- .github/workflows/ansible-lint.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/.github/workflows/ansible-lint.yml b/.github/workflows/ansible-lint.yml index ec7fddef..32b1b977 100644 --- a/.github/workflows/ansible-lint.yml +++ b/.github/workflows/ansible-lint.yml @@ -11,9 +11,12 @@ jobs: - uses: actions/checkout@v2 - name: Lint Ansible Playbook - uses: ansible/ansible-lint-action@master + uses: ansible/ansible-lint-action@c37fb7b4bda2c8cb18f4942716bae9f11b0dc9bc with: # Paths to ansible files (i.e., playbooks, tasks, handlers etc..) targets: "./" + override-deps: | + ansible-lint==5.3.1 + args: "-x metadata, formatting" From e8237ea37e8e51ae19c07b2577647d948ede29eb Mon Sep 17 00:00:00 2001 From: SkepticalWaves Date: Fri, 17 Dec 2021 15:23:44 -0500 Subject: [PATCH 073/202] Update synapse-admin to newest tagged release --- roles/matrix-synapse-admin/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-synapse-admin/defaults/main.yml b/roles/matrix-synapse-admin/defaults/main.yml index 069b6279..6d20d20f 100644 --- a/roles/matrix-synapse-admin/defaults/main.yml +++ b/roles/matrix-synapse-admin/defaults/main.yml @@ -8,7 +8,7 @@ matrix_synapse_admin_container_self_build_repo: "https://github.com/Awesome-Tech matrix_synapse_admin_docker_src_files_path: "{{ matrix_base_data_path }}/synapse-admin/docker-src" -matrix_synapse_admin_version: 0.8.1 +matrix_synapse_admin_version: 0.8.4 matrix_synapse_admin_docker_image: "{{ matrix_synapse_admin_docker_image_name_prefix }}awesometechnologies/synapse-admin:{{ matrix_synapse_admin_version }}" matrix_synapse_admin_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_admin_container_self_build else matrix_container_global_registry_prefix }}" matrix_synapse_admin_docker_image_force_pull: "{{ matrix_synapse_admin_docker_image.endswith(':latest') }}" From 01b6bba9d7196701c42562e6525518613db55efc Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 18 Dec 2021 14:52:06 +0200 Subject: [PATCH 074/202] Make Synapse's url_preview_accept_language default to 'en-US, en' Related to https://github.com/matrix-org/synapse/issues/11604 Getting an upstream fix is preferable. In any case, it's probably nice to have this defined explicitly in our configuration. This way, people can more easily discover that they can override the URL preview language. --- roles/matrix-synapse/defaults/main.yml | 3 +++ roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 | 3 +-- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index d1d049d5..d2d04841 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -321,6 +321,9 @@ matrix_synapse_push_include_content: true # URLs shared by users. matrix_synapse_url_preview_enabled: true +# A list of values for the Accept-Language HTTP header used when downloading webpages during URL preview generation +matrix_url_preview_accept_language: ['en-US', 'en'] + # Enable exposure of metrics to Prometheus # See https://github.com/matrix-org/synapse/blob/master/docs/metrics-howto.md matrix_synapse_metrics_enabled: false diff --git a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 index 1361eb9e..e384853c 100644 --- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 @@ -1149,8 +1149,7 @@ max_spider_size: 10M # - fr;q=0.8 # - *;q=0.7 # -url_preview_accept_language: -# - en +url_preview_accept_language: {{ matrix_url_preview_accept_language|to_json }} ## Captcha ## From dad1a23aa85fe11f89d16de6aec7f83a1985d134 Mon Sep 17 00:00:00 2001 From: WobbelTheBear Date: Mon, 20 Dec 2021 17:44:08 +0100 Subject: [PATCH 075/202] Update Element version (v1.9.7 -> v1.9.8) --- roles/matrix-client-element/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-client-element/defaults/main.yml b/roles/matrix-client-element/defaults/main.yml index 28412a26..7853292a 100644 --- a/roles/matrix-client-element/defaults/main.yml +++ b/roles/matrix-client-element/defaults/main.yml @@ -7,7 +7,7 @@ matrix_client_element_container_image_self_build_repo: "https://github.com/vecto # - https://github.com/vector-im/element-web/issues/19544 matrix_client_element_container_image_self_build_low_memory_system_patch_enabled: "{{ ansible_memtotal_mb < 4096 }}" -matrix_client_element_version: v1.9.7 +matrix_client_element_version: v1.9.8 matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:{{ matrix_client_element_version }}" matrix_client_element_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_client_element_docker_image_force_pull: "{{ matrix_client_element_docker_image.endswith(':latest') }}" From 06f3b813d617c17d1d93e96dab4ed94ffc5f298d Mon Sep 17 00:00:00 2001 From: Wm Salt Hale Date: Mon, 20 Dec 2021 10:50:05 -0800 Subject: [PATCH 076/202] added .well-known path to Caddy2 example, closes #1442 --- examples/caddy2/Caddyfile | 35 ++++++++++++++++++++++++----------- 1 file changed, 24 insertions(+), 11 deletions(-) diff --git a/examples/caddy2/Caddyfile b/examples/caddy2/Caddyfile index c6d2841b..6370cb01 100644 --- a/examples/caddy2/Caddyfile +++ b/examples/caddy2/Caddyfile @@ -27,6 +27,10 @@ matrix.DOMAIN.tld { not path /matrix/static-files/* } + @wellknown { + path /.well-known/matrix/* + } + header { # Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" @@ -69,6 +73,15 @@ matrix.DOMAIN.tld { } } + handle @wellknown { + encode zstd gzip + root * /matrix/static-files + header Cache-Control max-age=14400 + header Content-Type application/json + header Access-Control-Allow-Origin * + file_server + } + handle { encode zstd gzip @@ -102,17 +115,17 @@ element.DOMAIN.tld { # tls your@email.com header { - # Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS - Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" - # Enable cross-site filter (XSS) and tell browser to block detected attacks - X-XSS-Protection "1; mode=block" - # Prevent some browsers from MIME-sniffing a response away from the declared Content-Type - X-Content-Type-Options "nosniff" - # Disallow the site to be rendered within a frame (clickjacking protection) - X-Frame-Options "DENY" - # X-Robots-Tag - X-Robots-Tag "noindex, noarchive, nofollow" - } + # Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS + Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" + # Enable cross-site filter (XSS) and tell browser to block detected attacks + X-XSS-Protection "1; mode=block" + # Prevent some browsers from MIME-sniffing a response away from the declared Content-Type + X-Content-Type-Options "nosniff" + # Disallow the site to be rendered within a frame (clickjacking protection) + X-Frame-Options "DENY" + # X-Robots-Tag + X-Robots-Tag "noindex, noarchive, nofollow" + } handle { encode zstd gzip From 2d49b950064655f62ab133ed958b945e5899bb6b Mon Sep 17 00:00:00 2001 From: array-in-a-matrix Date: Mon, 20 Dec 2021 16:55:15 -0500 Subject: [PATCH 077/202] missing uppercase in bot name --- roles/matrix-bridge-mautrix-instagram/templates/config.yaml.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-bridge-mautrix-instagram/templates/config.yaml.j2 b/roles/matrix-bridge-mautrix-instagram/templates/config.yaml.j2 index db57bd0d..ac14754c 100644 --- a/roles/matrix-bridge-mautrix-instagram/templates/config.yaml.j2 +++ b/roles/matrix-bridge-mautrix-instagram/templates/config.yaml.j2 @@ -43,7 +43,7 @@ appservice: bot_username: {{ matrix_mautrix_instagram_appservice_bot_username|to_json }} # Display name and avatar for bot. Set to "remove" to remove display name/avatar, leave empty # to leave display name/avatar as-is. - bot_displayname: instagram bridge bot + bot_displayname: Instagram bridge bot bot_avatar: mxc://maunium.net/JxjlbZUlCPULEeHZSwleUXQv # Community ID for bridged users (changes registration file) and rooms. From 87bc9bd146f4e04b8c87be6f4e0a40b685aa21dd Mon Sep 17 00:00:00 2001 From: Shreyas Ajjarapu Date: Mon, 20 Dec 2021 23:36:05 -0600 Subject: [PATCH 078/202] Update validate_config.yml --- .../tasks/validate_config.yml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/roles/matrix-bridge-mautrix-twitter/tasks/validate_config.yml b/roles/matrix-bridge-mautrix-twitter/tasks/validate_config.yml index 4c95f7bf..1c2a52d4 100644 --- a/roles/matrix-bridge-mautrix-twitter/tasks/validate_config.yml +++ b/roles/matrix-bridge-mautrix-twitter/tasks/validate_config.yml @@ -8,3 +8,11 @@ with_items: - "matrix_mautrix_twitter_appservice_token" - "matrix_mautrix_twitter_homeserver_token" + +- name: Fail if required settings not defined + fail: + msg: >- + You need to define a need to set `matrix_mautrix_twitter_database_engine: postgres` and redefine the other `matrix_mautrix_twitter_database_*` variables + when: "vars[item] == ''" + with_items: + - "matrix_mautrix_twitter_database_engine" From 25ced724ace25ec8392ebab220f6094bad842a7d Mon Sep 17 00:00:00 2001 From: Shreyas Ajjarapu Date: Mon, 20 Dec 2021 23:38:54 -0600 Subject: [PATCH 079/202] Update matrix_servers --- group_vars/matrix_servers | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index c4caef04..69917747 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -541,7 +541,7 @@ matrix_mautrix_twitter_login_shared_secret: "{{ matrix_synapse_ext_password_prov # We'd like to force-set people with external Postgres to SQLite, so the bridge role can complain # and point them to a migration path. -matrix_mautrix_twitter_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" +matrix_mautrix_twitter_database_engine: "{{ 'postgres' if matrix_postgres_enabled else '' }}" matrix_mautrix_twitter_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mau.twt.db') | to_uuid }}" ###################################################################### From 6a9775520baec57e0729e41197dc04e95bf8edb9 Mon Sep 17 00:00:00 2001 From: Shreyas Ajjarapu Date: Tue, 21 Dec 2021 00:13:08 -0600 Subject: [PATCH 080/202] Update validate_config.yml --- roles/matrix-bridge-mautrix-twitter/tasks/validate_config.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-bridge-mautrix-twitter/tasks/validate_config.yml b/roles/matrix-bridge-mautrix-twitter/tasks/validate_config.yml index 1c2a52d4..114fd2cf 100644 --- a/roles/matrix-bridge-mautrix-twitter/tasks/validate_config.yml +++ b/roles/matrix-bridge-mautrix-twitter/tasks/validate_config.yml @@ -9,7 +9,7 @@ - "matrix_mautrix_twitter_appservice_token" - "matrix_mautrix_twitter_homeserver_token" -- name: Fail if required settings not defined +- name: Fail if database is not defined fail: msg: >- You need to define a need to set `matrix_mautrix_twitter_database_engine: postgres` and redefine the other `matrix_mautrix_twitter_database_*` variables From cddbb1ffa0bf03ae5eae9f0e506cccded58689f3 Mon Sep 17 00:00:00 2001 From: Shreyas Ajjarapu Date: Tue, 21 Dec 2021 00:27:45 -0600 Subject: [PATCH 081/202] Update config.yaml.j2 --- roles/matrix-bridge-mautrix-twitter/templates/config.yaml.j2 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/matrix-bridge-mautrix-twitter/templates/config.yaml.j2 b/roles/matrix-bridge-mautrix-twitter/templates/config.yaml.j2 index 2c10585d..b03c77f4 100644 --- a/roles/matrix-bridge-mautrix-twitter/templates/config.yaml.j2 +++ b/roles/matrix-bridge-mautrix-twitter/templates/config.yaml.j2 @@ -124,10 +124,10 @@ bridge: invite_own_puppet: true # Maximum number of messages to backfill initially. # Set to 0 to disable backfilling when creating portal. - initial_limit: 0 + initial_limit: 100 # If using double puppeting, should notifications be disabled # while the initial backfill is in progress? - disable_notifications: false + disable_notifications: true # End-to-bridge encryption support options. You must install the e2be optional dependency for # this to work. See https://github.com/tulir/mautrix-telegram/wiki/End‐to‐bridge-encryption encryption: From 3509f648af5f03e0a8c0e1ed3e5682725f03576e Mon Sep 17 00:00:00 2001 From: Shreyas Ajjarapu Date: Tue, 21 Dec 2021 00:28:55 -0600 Subject: [PATCH 082/202] Update config.yaml.j2 --- roles/matrix-bridge-mautrix-instagram/templates/config.yaml.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-bridge-mautrix-instagram/templates/config.yaml.j2 b/roles/matrix-bridge-mautrix-instagram/templates/config.yaml.j2 index db57bd0d..760d6162 100644 --- a/roles/matrix-bridge-mautrix-instagram/templates/config.yaml.j2 +++ b/roles/matrix-bridge-mautrix-instagram/templates/config.yaml.j2 @@ -132,7 +132,7 @@ bridge: missed_limit: 1000 # If using double puppeting, should notifications be disabled # while the initial backfill is in progress? - disable_notifications: false + disable_notifications: true periodic_reconnect: # Interval in seconds in which to automatically reconnect all users. # This can be used to automatically mitigate the bug where Instagram stops sending messages. From 6c9f6c28deb86fea74fa9432ee028bda2575ff96 Mon Sep 17 00:00:00 2001 From: Catalan Lover <48515417+FSG-Cat@users.noreply.github.com> Date: Tue, 21 Dec 2021 14:15:13 +0100 Subject: [PATCH 083/202] Update Synapse from 1.49.0 to 1.49.1 This update fixes a sync issue that would cause some users to experience sync issues that could cause initial sync to completely fail. --- roles/matrix-synapse/defaults/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index d2d04841..2d030b7d 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -15,8 +15,8 @@ matrix_synapse_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_cont # amd64 gets released first. # arm32 relies on self-building, so the same version can be built immediately. # arm64 users need to wait for a prebuilt image to become available. -matrix_synapse_version: v1.49.0 -matrix_synapse_version_arm64: v1.49.0 +matrix_synapse_version: v1.49.1 +matrix_synapse_version_arm64: v1.49.1 matrix_synapse_docker_image_tag: "{{ matrix_synapse_version if matrix_architecture in ['arm32', 'amd64'] else matrix_synapse_version_arm64 }}" matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}" From eb0c332f807ebe383d39ca7182fc8e13ab80aeb2 Mon Sep 17 00:00:00 2001 From: Catalan Lover <48515417+FSG-Cat@users.noreply.github.com> Date: Tue, 21 Dec 2021 19:29:56 +0100 Subject: [PATCH 084/202] Update Synapse Version from 1.49.1 to 1.49.2 This upgrade is technically not needed due to 1.49.1 and 1.49.2 being identical with a lone fix to Debian packaging being the only change. Still some might want us to be on the absolutely latest version even tho these 2 are practically identical. ARM64 has yet to be built so this has to wait for that before merge. --- roles/matrix-synapse/defaults/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index 2d030b7d..4e69ecd7 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -15,8 +15,8 @@ matrix_synapse_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_cont # amd64 gets released first. # arm32 relies on self-building, so the same version can be built immediately. # arm64 users need to wait for a prebuilt image to become available. -matrix_synapse_version: v1.49.1 -matrix_synapse_version_arm64: v1.49.1 +matrix_synapse_version: v1.49.2 +matrix_synapse_version_arm64: v1.49.2 matrix_synapse_docker_image_tag: "{{ matrix_synapse_version if matrix_architecture in ['arm32', 'amd64'] else matrix_synapse_version_arm64 }}" matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}" From ed0fcd618cf4d17c94394e4a787b3481a27c9f1d Mon Sep 17 00:00:00 2001 From: Shreyas Ajjarapu Date: Tue, 21 Dec 2021 21:37:09 -0600 Subject: [PATCH 085/202] Update config.yaml.j2 --- roles/matrix-bridge-mautrix-twitter/templates/config.yaml.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-bridge-mautrix-twitter/templates/config.yaml.j2 b/roles/matrix-bridge-mautrix-twitter/templates/config.yaml.j2 index b03c77f4..9bfa3123 100644 --- a/roles/matrix-bridge-mautrix-twitter/templates/config.yaml.j2 +++ b/roles/matrix-bridge-mautrix-twitter/templates/config.yaml.j2 @@ -124,7 +124,7 @@ bridge: invite_own_puppet: true # Maximum number of messages to backfill initially. # Set to 0 to disable backfilling when creating portal. - initial_limit: 100 + initial_limit: 0 # If using double puppeting, should notifications be disabled # while the initial backfill is in progress? disable_notifications: true From f6f81a85de3c03c2db7534171e389deb09c1360a Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 22 Dec 2021 15:27:35 +0200 Subject: [PATCH 086/202] Enable notifications during backfill .. as per the default bridge config. Source: https://github.com/mautrix/twitter/blob/f848710c01a75f4357508552fa63499cba2839e4/mautrix_twitter/example-config.yamll#L147 --- roles/matrix-bridge-mautrix-instagram/templates/config.yaml.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-bridge-mautrix-instagram/templates/config.yaml.j2 b/roles/matrix-bridge-mautrix-instagram/templates/config.yaml.j2 index cea15748..ac14754c 100644 --- a/roles/matrix-bridge-mautrix-instagram/templates/config.yaml.j2 +++ b/roles/matrix-bridge-mautrix-instagram/templates/config.yaml.j2 @@ -132,7 +132,7 @@ bridge: missed_limit: 1000 # If using double puppeting, should notifications be disabled # while the initial backfill is in progress? - disable_notifications: true + disable_notifications: false periodic_reconnect: # Interval in seconds in which to automatically reconnect all users. # This can be used to automatically mitigate the bug where Instagram stops sending messages. From e834a69e60cfa383d26426ec0631a201a3c64656 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 22 Dec 2021 15:53:53 +0200 Subject: [PATCH 087/202] Announce mautrix-twitter support Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1478 --- CHANGELOG.md | 7 +++++++ docs/configuring-playbook-bridge-mautrix-twitter.md | 2 ++ docs/configuring-playbook-bridge-mx-puppet-twitter.md | 2 ++ 3 files changed, 11 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index a6d15b96..1d7331e9 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,10 @@ +# 2021-12-22 + +## Twitter bridging support via mautrix-twitter + +Thanks to [Matthew Cengia](https://github.com/mattcen) and [Shreyas Ajjarapu](https://github.com/shreyasajj), besides [mx-puppet-twitter](docs/configuring-playbook-bridge-mx-puppet-twitter.md), bridging to [Twitter](https://twitter.com/) can now also happen with [mautrix-twitter](docs/configuring-playbook-bridge-mautrix-twitter.md). + + # 2021-12-14 ## (Security) Users of the Signal bridge may wish to upgrade it to work around log4j vulnerability diff --git a/docs/configuring-playbook-bridge-mautrix-twitter.md b/docs/configuring-playbook-bridge-mautrix-twitter.md index cfc14506..93eb8901 100644 --- a/docs/configuring-playbook-bridge-mautrix-twitter.md +++ b/docs/configuring-playbook-bridge-mautrix-twitter.md @@ -1,5 +1,7 @@ # Setting up Mautrix Twitter (optional) +**Note**: bridging to [Twitter](https://twitter.com/) can also happen via the [mx-puppet-twitter](configuring-playbook-bridge-mx-puppet-twitter.md) bridge supported by the playbook. + The playbook can install and configure [mautrix-twitter](https://github.com/tulir/mautrix-twitter) for you. See the project's [documentation](https://github.com/tulir/mautrix-twitter/wiki#usage) to learn what it does and why it might be useful to you. diff --git a/docs/configuring-playbook-bridge-mx-puppet-twitter.md b/docs/configuring-playbook-bridge-mx-puppet-twitter.md index dd2c9c12..cd3dd39c 100644 --- a/docs/configuring-playbook-bridge-mx-puppet-twitter.md +++ b/docs/configuring-playbook-bridge-mx-puppet-twitter.md @@ -1,5 +1,7 @@ # Setting up MX Puppet Twitter (optional) +**Note**: bridging to [Twitter](https://twitter.com/) can also happen via the [mautrix-twitter](configuring-playbook-bridge-mautrix-twitter.md) bridge supported by the playbook. + The playbook can install and configure [mx-puppet-twitter](https://github.com/Sorunome/mx-puppet-twitter) for you. From 061d6ac86fbf1ec7141d4cbc1261895ed93bd6a8 Mon Sep 17 00:00:00 2001 From: Toni Spets Date: Wed, 22 Dec 2021 19:04:21 +0200 Subject: [PATCH 088/202] Upgrade Heisenbridge (1.7.1 -> 1.8.0) --- roles/matrix-bridge-heisenbridge/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-bridge-heisenbridge/defaults/main.yml b/roles/matrix-bridge-heisenbridge/defaults/main.yml index cd5a0858..d8b19d1e 100644 --- a/roles/matrix-bridge-heisenbridge/defaults/main.yml +++ b/roles/matrix-bridge-heisenbridge/defaults/main.yml @@ -3,7 +3,7 @@ matrix_heisenbridge_enabled: true -matrix_heisenbridge_version: 1.7.1 +matrix_heisenbridge_version: 1.8.0 matrix_heisenbridge_docker_image: "{{ matrix_container_global_registry_prefix }}hif1/heisenbridge:{{ matrix_heisenbridge_version }}" matrix_heisenbridge_docker_image_force_pull: "{{ matrix_heisenbridge_docker_image.endswith(':latest') }}" From e88530abac589452282872d925514c800b03dadf Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 23 Dec 2021 12:01:46 +0200 Subject: [PATCH 089/202] Upgrade devture/ansible (2.10.7-r0 -> 2.11.6-r1) --- docs/ansible.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/ansible.md b/docs/ansible.md index 50251540..50cf83ed 100644 --- a/docs/ansible.md +++ b/docs/ansible.md @@ -51,7 +51,7 @@ docker run -it --rm \ -v `pwd`:/work \ -v $HOME/.ssh/id_rsa:/root/.ssh/id_rsa:ro \ --entrypoint=/bin/sh \ -docker.io/devture/ansible:2.10.7-r0 +docker.io/devture/ansible:2.11.6-r1 ``` The above command tries to mount an SSH key (`$HOME/.ssh/id_rsa`) into the container (at `/root/.ssh/id_rsa`). From dcab14d9a86249ad0af2bea63b38023365cb2eaf Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 23 Dec 2021 13:03:31 +0200 Subject: [PATCH 090/202] Add self-building support to Beeper LinkedIn bridge Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1480 Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1242 --- docs/self-building.md | 1 + group_vars/matrix_servers | 2 + .../defaults/main.yml | 12 +++- .../tasks/setup_install.yml | 60 +++++++++++++++---- 4 files changed, 62 insertions(+), 13 deletions(-) diff --git a/docs/self-building.md b/docs/self-building.md index 9ff28e4c..9bf435c0 100644 --- a/docs/self-building.md +++ b/docs/self-building.md @@ -24,6 +24,7 @@ List of roles where self-building the Docker image is currently possible: - `matrix-bridge-appservice-irc` - `matrix-bridge-appservice-slack` - `matrix-bridge-appservice-webhooks` +- `matrix-bridge-beeper-linkedin` - `matrix-bridge-mautrix-facebook` - `matrix-bridge-mautrix-hangouts` - `matrix-bridge-mautrix-googlechat` diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 69917747..8edcd6ba 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -229,6 +229,8 @@ matrix_appservice_irc_database_password: "{{ '%s' | format(matrix_synapse_macaro # We don't enable bridges by default. matrix_beeper_linkedin_enabled: false +matrix_beeper_linkedin_container_image_self_build: "{{ matrix_architecture not in ['amd64'] }}" + matrix_beeper_linkedin_systemd_required_services_list: | {{ ['docker.service'] diff --git a/roles/matrix-bridge-beeper-linkedin/defaults/main.yml b/roles/matrix-bridge-beeper-linkedin/defaults/main.yml index 8df6c38f..87561ff5 100644 --- a/roles/matrix-bridge-beeper-linkedin/defaults/main.yml +++ b/roles/matrix-bridge-beeper-linkedin/defaults/main.yml @@ -4,13 +4,21 @@ matrix_beeper_linkedin_enabled: true matrix_beeper_linkedin_version: v0.5.1 + # See: https://gitlab.com/beeper/linkedin/container_registry -matrix_beeper_linkedin_docker_image: "registry.gitlab.com/beeper/linkedin:{{ matrix_beeper_linkedin_version }}-amd64" -matrix_beeper_linkedin_docker_image_force_pull: "{{ matrix_beeper_linkedin_docker_image.endswith(':latest-amd64') }}" +matrix_beeper_linkedin_docker_image: "{{ matrix_beeper_linkedin_docker_image_name_prefix }}beeper/linkedin:{{ matrix_beeper_linkedin_docker_image_tag }}" +matrix_beeper_linkedin_docker_image_force_pull: "{{ matrix_beeper_linkedin_docker_image_tag.startswith('latest') }}" +matrix_beeper_linkedin_docker_image_name_prefix: "{{ 'localhost/' if matrix_beeper_linkedin_container_image_self_build else 'registry.gitlab.com/' }}" +matrix_beeper_linkedin_docker_image_tag: "{{ 'latest' if matrix_beeper_linkedin_version == 'master' else matrix_beeper_linkedin_version }}-{{ matrix_architecture }}" + +matrix_beeper_linkedin_container_image_self_build: false +matrix_beeper_linkedin_container_image_self_build_repo: "https://gitlab.com/beeper/linkedin" +matrix_beeper_linkedin_container_image_self_build_branch: "{{ matrix_beeper_linkedin_version }}" matrix_beeper_linkedin_base_path: "{{ matrix_base_data_path }}/beeper-linkedin" matrix_beeper_linkedin_config_path: "{{ matrix_beeper_linkedin_base_path }}/config" matrix_beeper_linkedin_data_path: "{{ matrix_beeper_linkedin_base_path }}/data" +matrix_beeper_linkedin_docker_src_files_path: "{{ matrix_beeper_linkedin_base_path }}/docker-src" matrix_beeper_linkedin_homeserver_address: "{{ matrix_homeserver_container_url }}" matrix_beeper_linkedin_homeserver_domain: "{{ matrix_domain }}" diff --git a/roles/matrix-bridge-beeper-linkedin/tasks/setup_install.yml b/roles/matrix-bridge-beeper-linkedin/tasks/setup_install.yml index 97d05a45..c873d0c2 100644 --- a/roles/matrix-bridge-beeper-linkedin/tasks/setup_install.yml +++ b/roles/matrix-bridge-beeper-linkedin/tasks/setup_install.yml @@ -7,6 +7,20 @@ msg: >- The matrix-bridge-beeper-linkedin role needs to execute before the matrix-synapse role. when: "matrix_synapse_role_executed|default(False)" +- name: Ensure Beeper LinkedIn paths exists + file: + path: "{{ item.path }}" + state: directory + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: + - { path: "{{ matrix_beeper_linkedin_base_path }}", when: true } + - { path: "{{ matrix_beeper_linkedin_config_path }}", when: true } + - { path: "{{ matrix_beeper_linkedin_data_path }}", when: true } + - { path: "{{ matrix_beeper_linkedin_docker_src_files_path }}", when: "{{ matrix_beeper_linkedin_container_image_self_build }}" } + when: "item.when|bool" + - name: Ensure Beeper LinkedIn image is pulled docker_image: @@ -14,18 +28,42 @@ source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" force_source: "{{ matrix_beeper_linkedin_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_beeper_linkedin_docker_image_force_pull }}" + when: "not matrix_beeper_linkedin_container_image_self_build|bool" -- name: Ensure Beeper LinkedIn paths exists - file: - path: "{{ item }}" - state: directory - mode: 0750 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - with_items: - - "{{ matrix_beeper_linkedin_base_path }}" - - "{{ matrix_beeper_linkedin_config_path }}" - - "{{ matrix_beeper_linkedin_data_path }}" +- block: + - name: Ensure Beeper LinkedIn repository is present on self-build + git: + repo: "{{ matrix_beeper_linkedin_container_image_self_build_repo }}" + dest: "{{ matrix_beeper_linkedin_docker_src_files_path }}" + version: "{{ matrix_beeper_linkedin_container_image_self_build_branch }}" + force: "yes" + register: matrix_beeper_linkedin_git_pull_results + + # Building the container image (using the default Dockerfile) requires that a docker-requirements.txt file be generated. + # See: https://gitlab.com/beeper/linkedin/-/blob/94442db17ccb9769b377cdb8e4bf1cb3955781d7/.gitlab-ci.yml#L30-40 + - name: Ensure docker-requirements.txt is generated before building Beeper LinkedIn Docker Image + command: | + {{ matrix_host_command_docker }} run \ + --rm \ + --entrypoint=/bin/sh \ + --mount type=bind,src={{ matrix_beeper_linkedin_docker_src_files_path }},dst=/work \ + -w /work \ + docker.io/python:3.9.6-buster \ + -c "pip install poetry && poetry export --without-hashes -E e2be -E images -E metrics | sed 's/==.*//g' > docker-requirements.txt" + + - name: Ensure Beeper LinkedIn Docker image is built + docker_image: + name: "{{ matrix_beeper_linkedin_docker_image }}" + source: build + force_source: "{{ matrix_beeper_linkedin_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_beeper_linkedin_git_pull_results.changed }}" + build: + dockerfile: Dockerfile + path: "{{ matrix_beeper_linkedin_docker_src_files_path }}" + pull: yes + args: + TARGETARCH: "{{ matrix_architecture }}" + when: "matrix_beeper_linkedin_container_image_self_build|bool" - name: Ensure beeper-linkedin config.yaml installed copy: From 26ec3ca1b54accdb944c5cd5fc5a732c23ce41a7 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 25 Dec 2021 10:48:06 +0200 Subject: [PATCH 091/202] Link to examples/caddy2 Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1484 --- docs/configuring-playbook-own-webserver.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/configuring-playbook-own-webserver.md b/docs/configuring-playbook-own-webserver.md index fb970ef0..c7e56f14 100644 --- a/docs/configuring-playbook-own-webserver.md +++ b/docs/configuring-playbook-own-webserver.md @@ -64,7 +64,7 @@ Once you've followed the [Preparation](#preparation) guide above, you can take a ### Using your own external caddy webserver -After following the [Preparation](#preparation) guide above, you can take a look at the [examples/caddy](../examples/caddy) directory for a sample configuration. +After following the [Preparation](#preparation) guide above, you can take a look at the [examples/caddy](../examples/caddy) directory and [examples/caddy2](../examples/caddy2) directory for a sample configuration for Caddy v1 and v2, respectively. ### Using your own HAproxy reverse proxy After following the [Preparation](#preparation) guide above, you can take a look at the [examples/haproxy](../examples/haproxy) directory for a sample configuration. In this case HAproxy is used as a reverse proxy and a simple Nginx container is used to serve statically `.well-known` files. From 5df486f31eca1ffe811946ce377487bd2bd1bb85 Mon Sep 17 00:00:00 2001 From: Toni Spets Date: Sat, 25 Dec 2021 18:05:41 +0200 Subject: [PATCH 092/202] Upgrade Heisenbridge (1.8.0 -> 1.8.2) --- roles/matrix-bridge-heisenbridge/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-bridge-heisenbridge/defaults/main.yml b/roles/matrix-bridge-heisenbridge/defaults/main.yml index d8b19d1e..ef2ba48b 100644 --- a/roles/matrix-bridge-heisenbridge/defaults/main.yml +++ b/roles/matrix-bridge-heisenbridge/defaults/main.yml @@ -3,7 +3,7 @@ matrix_heisenbridge_enabled: true -matrix_heisenbridge_version: 1.8.0 +matrix_heisenbridge_version: 1.8.2 matrix_heisenbridge_docker_image: "{{ matrix_container_global_registry_prefix }}hif1/heisenbridge:{{ matrix_heisenbridge_version }}" matrix_heisenbridge_docker_image_force_pull: "{{ matrix_heisenbridge_docker_image.endswith(':latest') }}" From 0715104886cc694397e5fcef6fac7975eea563da Mon Sep 17 00:00:00 2001 From: Kim Brose Date: Mon, 27 Dec 2021 13:55:02 +0100 Subject: [PATCH 093/202] lint whitespace from ansible-lint.yml --- .github/workflows/ansible-lint.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ansible-lint.yml b/.github/workflows/ansible-lint.yml index 32b1b977..2f103ff7 100644 --- a/.github/workflows/ansible-lint.yml +++ b/.github/workflows/ansible-lint.yml @@ -4,7 +4,7 @@ on: [push, pull_request] jobs: build: - + runs-on: ubuntu-latest steps: @@ -18,5 +18,5 @@ jobs: override-deps: | ansible-lint==5.3.1 - + args: "-x metadata, formatting" From 297ed9ce3671789d132453c6dd5762976c70c9e7 Mon Sep 17 00:00:00 2001 From: Alejo Diaz Date: Mon, 27 Dec 2021 14:20:23 -0300 Subject: [PATCH 094/202] Add encryption_enabled_by_default_for_room_type This commit simply add encryption_enabled_by_default_for_room_type variable. Signed-off-by: Alejo Diaz --- roles/matrix-synapse/defaults/main.yml | 2 ++ roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index 4e69ecd7..ce5235d3 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -580,6 +580,8 @@ matrix_synapse_default_room_version: "6" # If not, you can also control its value manually. matrix_synapse_spam_checker: [] +matrix_synapse_encryption_enabled_by_default_for_room_type: off + matrix_synapse_trusted_key_servers: - server_name: "matrix.org" diff --git a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 index e384853c..2e82ea3b 100644 --- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 @@ -2651,7 +2651,7 @@ spam_checker: {{ matrix_synapse_spam_checker|to_json }} # Note that this option will only affect rooms created after it is set. It # will also not affect rooms created by other servers. # -#encryption_enabled_by_default_for_room_type: invite +encryption_enabled_by_default_for_room_type: {{ matrix_synapse_encryption_enabled_by_default_for_room_type }} # Uncomment to allow non-server-admin users to create groups on this server From 280c6c5424365c207ad10915cd1834260f423ea2 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 27 Dec 2021 21:45:13 +0200 Subject: [PATCH 095/202] Add |to_json --- roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 index 2e82ea3b..5d7502fd 100644 --- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 @@ -2651,7 +2651,7 @@ spam_checker: {{ matrix_synapse_spam_checker|to_json }} # Note that this option will only affect rooms created after it is set. It # will also not affect rooms created by other servers. # -encryption_enabled_by_default_for_room_type: {{ matrix_synapse_encryption_enabled_by_default_for_room_type }} +encryption_enabled_by_default_for_room_type: {{ matrix_synapse_encryption_enabled_by_default_for_room_type|to_json }} # Uncomment to allow non-server-admin users to create groups on this server From 56e9ff1740cfd7bfa9c9e3346e7df3941b9cf1da Mon Sep 17 00:00:00 2001 From: SierraKiloBravo <65400576+SierraKiloBravo@users.noreply.github.com> Date: Tue, 28 Dec 2021 11:40:22 +0100 Subject: [PATCH 096/202] Added defaults and edited config template for mautrix-telegram, allowing editing of MXID/displayname templates for bridged users --- roles/matrix-bridge-mautrix-telegram/defaults/main.yml | 5 +++++ .../templates/config.yaml.j2 | 9 ++++++--- 2 files changed, 11 insertions(+), 3 deletions(-) diff --git a/roles/matrix-bridge-mautrix-telegram/defaults/main.yml b/roles/matrix-bridge-mautrix-telegram/defaults/main.yml index 45a7d6e8..1995a7b7 100644 --- a/roles/matrix-bridge-mautrix-telegram/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-telegram/defaults/main.yml @@ -130,3 +130,8 @@ matrix_mautrix_telegram_registration_yaml: | de.sorunome.msc2409.push_ephemeral: true matrix_mautrix_telegram_registration: "{{ matrix_mautrix_telegram_registration_yaml|from_yaml }}" + +# Templates for defining MXID's and displaynames for users and rooms. +matrix_mautrix_telegram_username_template: 'telegram_{userid}' +matrix_mautrix_telegram_alias_template: 'telegram_{groupname}' +matrix_mautrix_telegram_displayname_template: '{displayname} (Telegram)' diff --git a/roles/matrix-bridge-mautrix-telegram/templates/config.yaml.j2 b/roles/matrix-bridge-mautrix-telegram/templates/config.yaml.j2 index 39a18462..9492d79e 100644 --- a/roles/matrix-bridge-mautrix-telegram/templates/config.yaml.j2 +++ b/roles/matrix-bridge-mautrix-telegram/templates/config.yaml.j2 @@ -69,13 +69,16 @@ appservice: bridge: # Localpart template of MXIDs for Telegram users. # {userid} is replaced with the user ID of the Telegram user. - username_template: "telegram_{userid}" + # Default: telegram_{userid} + username_template: {{ matrix_mautrix_telegram_username_template|to_json }} # Localpart template of room aliases for Telegram portal rooms. # {groupname} is replaced with the name part of the public channel/group invite link ( https://t.me/{} ) - alias_template: "telegram_{groupname}" + # Default: telegram_{groupname} + alias_template: {{ matrix_mautrix_telegram_alias_template|to_json }} # Displayname template for Telegram users. # {displayname} is replaced with the display name of the Telegram user. - displayname_template: "{displayname} (Telegram)" + # Default: {displayname} (Telegram) + displayname_template: {{ matrix_mautrix_telegram_displayname_template|to_json }} # Set the preferred order of user identifiers which to use in the Matrix puppet display name. # In the (hopefully unlikely) scenario that none of the given keys are found, the numeric user From 1066baed38516a570315e9af96f4376c5e6ff0b4 Mon Sep 17 00:00:00 2001 From: pushytoxin Date: Tue, 28 Dec 2021 13:43:22 +0100 Subject: [PATCH 097/202] Upgrade etherpad to 1.8.16 Extend the config template with the lines added in the past year --- roles/matrix-etherpad/defaults/main.yml | 2 +- roles/matrix-etherpad/templates/settings.json.j2 | 5 ++++- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/roles/matrix-etherpad/defaults/main.yml b/roles/matrix-etherpad/defaults/main.yml index 45f8f8b2..f04d8589 100644 --- a/roles/matrix-etherpad/defaults/main.yml +++ b/roles/matrix-etherpad/defaults/main.yml @@ -2,7 +2,7 @@ matrix_etherpad_enabled: false matrix_etherpad_base_path: "{{ matrix_base_data_path }}/etherpad" -matrix_etherpad_version: 1.8.12 +matrix_etherpad_version: 1.8.16 matrix_etherpad_docker_image: "{{ matrix_container_global_registry_prefix }}etherpad/etherpad:{{ matrix_etherpad_version }}" matrix_etherpad_docker_image_force_pull: "{{ matrix_etherpad_docker_image.endswith(':latest') }}" diff --git a/roles/matrix-etherpad/templates/settings.json.j2 b/roles/matrix-etherpad/templates/settings.json.j2 index 377bad98..573b445d 100644 --- a/roles/matrix-etherpad/templates/settings.json.j2 +++ b/roles/matrix-etherpad/templates/settings.json.j2 @@ -46,6 +46,8 @@ "maxHttpBufferSize": 10000 }, "loadTest": false, + "dumpOnUncleanExit": false, + "indentationOnNewLine": false, "importExportRateLimiting": { "windowMs": 90000, "max": 10 @@ -101,5 +103,6 @@ } ] }, - "customLocaleStrings": {} + "customLocaleStrings": {}, + "enableAdminUITests": false } From c2f3586ac6351ee6864b132d02b70d4427da9b7f Mon Sep 17 00:00:00 2001 From: HarHarLinks Date: Thu, 9 Dec 2021 18:31:40 +0100 Subject: [PATCH 098/202] switch appservice-webhooks fork turt2live/matrix-appservice-webhooks -> redoonetworks/matrix-appservice-webhooks --- roles/matrix-bridge-appservice-webhooks/defaults/main.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/matrix-bridge-appservice-webhooks/defaults/main.yml b/roles/matrix-bridge-appservice-webhooks/defaults/main.yml index bc9ae8b4..22f68040 100644 --- a/roles/matrix-bridge-appservice-webhooks/defaults/main.yml +++ b/roles/matrix-bridge-appservice-webhooks/defaults/main.yml @@ -1,15 +1,15 @@ # matrix-appservice-webhooks is a Matrix <-> webhook bridge -# See: https://github.com/turt2live/matrix-appservice-webhooks +# See: https://github.com/redoonetworks/matrix-appservice-webhooks matrix_appservice_webhooks_enabled: true matrix_appservice_webhooks_container_image_self_build: false -matrix_appservice_webhooks_container_image_self_build_repo: "https://github.com/turt2live/matrix-appservice-webhooks" +matrix_appservice_webhooks_container_image_self_build_repo: "https://github.com/redoonetworks/matrix-appservice-webhooks" matrix_appservice_webhooks_container_image_self_build_repo_version: "{{ 'master' if matrix_appservice_webhooks_version == 'latest' else matrix_appservice_webhooks_version }}" matrix_appservice_webhooks_container_image_self_build_repo_dockerfile_path: "Dockerfile" matrix_appservice_webhooks_version: latest -matrix_appservice_webhooks_docker_image: "{{ matrix_appservice_webhooks_docker_image_name_prefix }}turt2live/matrix-appservice-webhooks:{{ matrix_appservice_webhooks_version }}" +matrix_appservice_webhooks_docker_image: "{{ matrix_appservice_webhooks_docker_image_name_prefix }}redoonetworks/matrix-appservice-webhooks:{{ matrix_appservice_webhooks_version }}" matrix_appservice_webhooks_docker_image_name_prefix: "{{ 'localhost/' if matrix_appservice_webhooks_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_appservice_webhooks_docker_image_force_pull: "{{ matrix_appservice_webhooks_docker_image.endswith(':latest') }}" From cdf76bdbb73dc1e675166bb0d10f58639d191a54 Mon Sep 17 00:00:00 2001 From: Toni Spets Date: Wed, 29 Dec 2021 21:05:41 +0200 Subject: [PATCH 099/202] Upgrade Heisenbridge (1.8.2 -> 1.9.0) --- roles/matrix-bridge-heisenbridge/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-bridge-heisenbridge/defaults/main.yml b/roles/matrix-bridge-heisenbridge/defaults/main.yml index ef2ba48b..5d393a81 100644 --- a/roles/matrix-bridge-heisenbridge/defaults/main.yml +++ b/roles/matrix-bridge-heisenbridge/defaults/main.yml @@ -3,7 +3,7 @@ matrix_heisenbridge_enabled: true -matrix_heisenbridge_version: 1.8.2 +matrix_heisenbridge_version: 1.9.0 matrix_heisenbridge_docker_image: "{{ matrix_container_global_registry_prefix }}hif1/heisenbridge:{{ matrix_heisenbridge_version }}" matrix_heisenbridge_docker_image_force_pull: "{{ matrix_heisenbridge_docker_image.endswith(':latest') }}" From 948c4111069f2d7689eeb23d261b1062bcd38bd0 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 30 Dec 2021 10:47:06 +0200 Subject: [PATCH 100/202] Remove sudo requirement for generating SSL certificates Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1492 --- .../ssl/setup_ssl_self_signed_obtain_for_domain.yml | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_self_signed_obtain_for_domain.yml b/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_self_signed_obtain_for_domain.yml index aea17cc0..ff7fa2d8 100644 --- a/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_self_signed_obtain_for_domain.yml +++ b/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_self_signed_obtain_for_domain.yml @@ -37,6 +37,13 @@ -keyout {{ matrix_ssl_certificate_cert_key_path }} \ -out {{ matrix_ssl_certificate_cert_path }} \ -days 3650 - become: true - become_user: "{{ matrix_user_username }}" when: "not matrix_ssl_certificate_cert_path_stat_result.stat.exists" + +- name: Adjust SSL certificate file ownership + file: + path: "{{ item }}" + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: + - "{{ matrix_ssl_certificate_cert_key_path }}" + - "{{ matrix_ssl_certificate_cert_path }}" From 993121e517ad74548d20ef4d0de1db41930acb22 Mon Sep 17 00:00:00 2001 From: Jim Myhrberg Date: Sat, 1 Jan 2022 03:08:00 +0000 Subject: [PATCH 101/202] feat(etherpad): add optional admin web-UI access Enables optional access to Etherpad's web-UI. This is useful for managing Etherpad plugins. Among other things, plugins makes it easy to manage/delete pads if you install the adminpads2 plugin. --- docs/configuring-playbook-etherpad.md | 17 +++++++++++++++++ roles/matrix-etherpad/defaults/main.yml | 5 +++++ .../matrix-etherpad/templates/settings.json.j2 | 8 ++++++++ 3 files changed, 30 insertions(+) diff --git a/docs/configuring-playbook-etherpad.md b/docs/configuring-playbook-etherpad.md index e5533e71..4c38bb3c 100644 --- a/docs/configuring-playbook-etherpad.md +++ b/docs/configuring-playbook-etherpad.md @@ -25,6 +25,23 @@ The Dimension administrator users can configure the default URL template. The Di If you wish to disable the Etherpad chat button, you can do it by appending `?showChat=false` to the end of the pad URL, or the template. Example: `https://dimension./etherpad/p/$roomId_$padName?showChat=false` +### Etherpad Admin access (optional) + +Etherpad comes with a admin web-UI which is disabled by default. You can enable it by setting a username and password in your configuration file (`inventory/host_vars/matrix./vars.yml`): + +```yaml +matrix_etherpad_admin_username: admin +matrix_etherpad_admin_password: some-password +``` + +The admin web-UI should then be available on: `https://dimension./etherpad/admin` + +### Managing / Deleting old pads + +If you want to manage and remove old unused pads from Etherpad, you will first need to able Admin access as described above. + +Then from the plugin manager page (`https://dimension./etherpad/admin/plugins`), install the `adminpads2` plugin. Once installed, you should have a "Manage pads" section in the Admin web-UI. + ## Known issues If your Etherpad widget fails to load, this might be due to Dimension generating a Pad name so long, the Etherpad app rejects it. diff --git a/roles/matrix-etherpad/defaults/main.yml b/roles/matrix-etherpad/defaults/main.yml index f04d8589..bcabc3dd 100644 --- a/roles/matrix-etherpad/defaults/main.yml +++ b/roles/matrix-etherpad/defaults/main.yml @@ -41,6 +41,11 @@ matrix_etherpad_database_hostname: 'matrix-postgres' matrix_etherpad_database_port: 5432 matrix_etherpad_database_name: 'matrix_etherpad' +# If a admin username and password is set, the /admin web page will be +# available. +matrix_etherpad_admin_username: '' +matrix_etherpad_admin_password: '' + matrix_etherpad_database_connection_string: 'postgres://{{ matrix_etherpad_database_username }}:{{ matrix_etherpad_database_password }}@{{ matrix_etherpad_database_hostname }}:{{ matrix_etherpad_database_port }}/{{ matrix_etherpad_database_name }}' # Variables configuring the etherpad diff --git a/roles/matrix-etherpad/templates/settings.json.j2 b/roles/matrix-etherpad/templates/settings.json.j2 index 573b445d..01127a91 100644 --- a/roles/matrix-etherpad/templates/settings.json.j2 +++ b/roles/matrix-etherpad/templates/settings.json.j2 @@ -71,6 +71,14 @@ "chatAndUsers": false, "lang": "en-gb" }, +{% if matrix_etherpad_admin_username != "" and matrix_etherpad_admin_password != "" %} + "users": { + "{{ matrix_etherpad_admin_username }}": { + "password": "{{ matrix_etherpad_admin_password }}", + "is_admin": true + } + }, +{% endif %} "padShortcutEnabled" : { "altF9": true, "altC": true, From bc5efa0dbccf1202b936145b9f50947b9802e759 Mon Sep 17 00:00:00 2001 From: Chris van Dijk Date: Sun, 2 Jan 2022 10:54:51 +0100 Subject: [PATCH 102/202] Remove Jitsi web interface_config.js in favour of custom-interface_config.js As of docker-jitsi-meet stable-6433 [1], `/config/interface_config.js` is regenerated on every boot. The correct way to modify the interface config is now via `/config/custom-interface_config.js`, which is appended to a default copy of `interface_config.js` by `/etc/cont-init.d/10-config` on every boot of the docker image. Given that `interface_config.js` is considered deprecated by upstream (all options will eventually be moved to `config.js`), we also deprecate the `matrix_jitsi_web_interface_config_*` variables in favour of `matrix_jitsi_web_custom_interface_config_extension`. [1] https://github.com/jitsi/docker-jitsi-meet/blob/stable-6433/CHANGELOG.md#stable-6433 --- roles/matrix-jitsi/defaults/main.yml | 27 +- roles/matrix-jitsi/tasks/setup_jitsi_web.yml | 2 +- roles/matrix-jitsi/tasks/validate_config.yml | 13 + .../web/custom-interface_config.js.j2 | 3 + .../templates/web/interface_config.js.j2 | 295 ------------------ 5 files changed, 21 insertions(+), 319 deletions(-) create mode 100644 roles/matrix-jitsi/templates/web/custom-interface_config.js.j2 delete mode 100644 roles/matrix-jitsi/templates/web/interface_config.js.j2 diff --git a/roles/matrix-jitsi/defaults/main.yml b/roles/matrix-jitsi/defaults/main.yml index 3f61f4ff..33dad388 100644 --- a/roles/matrix-jitsi/defaults/main.yml +++ b/roles/matrix-jitsi/defaults/main.yml @@ -108,37 +108,18 @@ matrix_jitsi_web_container_extra_arguments: [] matrix_jitsi_web_systemd_required_services_list: ['docker.service'] -# Some variables controlling the interface of Jitsi Web. -# These get applied to `templates/web/interface_config.js.j2`. -# -# Besides this, you can also use `matrix_jitsi_web_custom_interface_config_extension` -# to define any other configuration option. -matrix_jitsi_web_interface_config_lang_detection: false -matrix_jitsi_web_interface_config_show_jitsi_watermark: true -matrix_jitsi_web_interface_config_jitsi_watermark_link: "https://jitsi.org" -matrix_jitsi_web_interface_config_show_brand_watermark: false -matrix_jitsi_web_interface_config_brand_watermark_link: "" -matrix_jitsi_web_interface_config_generate_room_names_on_welcome_page: true -matrix_jitsi_web_interface_config_display_welcome_page_content: true -matrix_jitsi_web_interface_config_app_name: "Jitsi Meet" -matrix_jitsi_web_interface_config_native_app_name: "Jitsi Meet" -matrix_jitsi_web_interface_config_provider_name: "Jitsi" -matrix_jitsi_web_interface_config_show_powered_by: false -matrix_jitsi_web_interface_config_disable_transcription_subtitles: false -matrix_jitsi_web_interface_config_show_deep_linking_image: false - -# Custom configuration to be injected into `interface_config.js`, passed to Jitsi Web. -# This configuration gets appended to the final interface configuration that Jitsi Web uses. +# Custom configuration to be appended to `interface_config.js`, passed to Jitsi Web. # # Note: not to be confused with `matrix_jitsi_web_custom_config_extension`. # # For interface configuration, the flow is like this: -# - the contents of `templates/web/interface_config.js.j2` is generated (based on various `matrix_jitsi_web_interface_config_*` variables you see in this file) +# - a default `interface_config.js` is generated from within the docker image # - the contents of `matrix_jitsi_web_custom_interface_config_extension` is appended and can define new settings or override defaults. # # Example: # matrix_jitsi_web_custom_interface_config_extension: | -# interfaceConfig.CONNECTION_INDICATOR_AUTO_HIDE_ENABLED = false; +# interfaceConfig.LANG_DETECTION = false; +# interfaceConfig.SHOW_JITSI_WATERMARK = false; # interfaceConfig.DISABLE_VIDEO_BACKGROUND = true; matrix_jitsi_web_custom_interface_config_extension: '' diff --git a/roles/matrix-jitsi/tasks/setup_jitsi_web.yml b/roles/matrix-jitsi/tasks/setup_jitsi_web.yml index d734be08..bcb1b49e 100644 --- a/roles/matrix-jitsi/tasks/setup_jitsi_web.yml +++ b/roles/matrix-jitsi/tasks/setup_jitsi_web.yml @@ -40,7 +40,7 @@ mode: 0644 with_items: - custom-config.js - - interface_config.js + - custom-interface_config.js when: matrix_jitsi_enabled|bool - name: Ensure matrix-jitsi-web.service installed diff --git a/roles/matrix-jitsi/tasks/validate_config.yml b/roles/matrix-jitsi/tasks/validate_config.yml index a9d86764..4defe986 100644 --- a/roles/matrix-jitsi/tasks/validate_config.yml +++ b/roles/matrix-jitsi/tasks/validate_config.yml @@ -54,3 +54,16 @@ - {'old': 'matrix_jitsi_web_interface_config_show_watermark_for_guests', 'new': ''} - {'old': 'matrix_jitsi_web_interface_config_invitation_powered_by', 'new': ''} - {'old': 'matrix_jisti_web_interface_config_show_deep_linking_image', 'new': 'matrix_jitsi_web_interface_config_show_deep_linking_image'} + - {'old': 'matrix_jitsi_web_interface_config_lang_detection', 'new': ' Date: Mon, 3 Jan 2022 00:59:52 +0000 Subject: [PATCH 103/202] Update links to Mautrix Twitter bridge Signed-off-by: Aaron Raimist --- docs/configuring-playbook-bridge-mautrix-twitter.md | 10 ++++------ docs/container-images.md | 2 +- roles/matrix-bridge-mautrix-twitter/defaults/main.yml | 4 ++-- 3 files changed, 7 insertions(+), 9 deletions(-) diff --git a/docs/configuring-playbook-bridge-mautrix-twitter.md b/docs/configuring-playbook-bridge-mautrix-twitter.md index 93eb8901..3d5b49cf 100644 --- a/docs/configuring-playbook-bridge-mautrix-twitter.md +++ b/docs/configuring-playbook-bridge-mautrix-twitter.md @@ -2,9 +2,9 @@ **Note**: bridging to [Twitter](https://twitter.com/) can also happen via the [mx-puppet-twitter](configuring-playbook-bridge-mx-puppet-twitter.md) bridge supported by the playbook. -The playbook can install and configure [mautrix-twitter](https://github.com/tulir/mautrix-twitter) for you. +The playbook can install and configure [mautrix-twitter](https://github.com/mautrix/twitter) for you. -See the project's [documentation](https://github.com/tulir/mautrix-twitter/wiki#usage) to learn what it does and why it might be useful to you. +See the project's [documentation](https://github.com/mautrix/twitter) to learn what it does and why it might be useful to you. ```yaml matrix_mautrix_twitter_enabled: true @@ -13,7 +13,7 @@ matrix_mautrix_twitter_enabled: true ## Set up Double Puppeting -If you'd like to use [Double Puppeting](https://github.com/tulir/mautrix-twitter/wiki/Authentication#double-puppeting) (hint: you most likely do), you have 2 ways of going about it. +If you'd like to use [Double Puppeting](https://docs.mau.fi/bridges/general/double-puppeting.html) (hint: you most likely do), you have 2 ways of going about it. ### Method 1: automatically, by enabling Shared Secret Auth @@ -23,7 +23,7 @@ This is the recommended way of setting up Double Puppeting, as it's easier to ac ### Method 2: manually, by asking each user to provide a working access token -This method is currently not available for the Mautrix-Twitter bridge, but is on the [roadmap](https://github.com/tulir/mautrix-twitter/blob/master/ROADMAP.md) under Misc/Manual login with `login-matrix` +This method is currently not available for the Mautrix-Twitter bridge, but is on the [roadmap](https://github.com/mautrix/twitter/blob/master/ROADMAP.md) under Misc/Manual login with `login-matrix` ## Usage @@ -32,6 +32,4 @@ This method is currently not available for the Mautrix-Twitter bridge, but is on You can learn more here about authentication from the bridge's [official documentation on Authentication](https://docs.mau.fi/bridges/python/twitter/authentication.html). -If you run into trouble, check the [Troubleshooting](#troubleshooting) section below. - After successfully enabling bridging, you may wish to [set up Double Puppeting](#set-up-double-puppeting), if you haven't already done so. diff --git a/docs/container-images.md b/docs/container-images.md index 18436c91..d52f3fdd 100644 --- a/docs/container-images.md +++ b/docs/container-images.md @@ -46,7 +46,7 @@ These services are not part of our default installation, but can be enabled by [ - [mautrix/facebook](https://mau.dev/mautrix/facebook/container_registry) - the [mautrix-facebook](https://github.com/mautrix/facebook) bridge to [Facebook](https://facebook.com/) (optional) -- [tulir/mautrix-twitter](https://mau.dev/mautrix/twitter/container_registry) - the [mautrix-twitter](https://github.com/tulir/mautrix-twitter) bridge to [Twitter](https://twitter.com/) (optional) +- [mautrix/twitter](https://mau.dev/mautrix/twitter/container_registry) - the [mautrix-twitter](https://github.com/mautrix/twitter) bridge to [Twitter](https://twitter.com/) (optional) - [mautrix/hangouts](https://mau.dev/mautrix/hangouts/container_registry) - the [mautrix-hangouts](https://github.com/mautrix/hangouts) bridge to [Google Hangouts](https://en.wikipedia.org/wiki/Google_Hangouts) (optional) diff --git a/roles/matrix-bridge-mautrix-twitter/defaults/main.yml b/roles/matrix-bridge-mautrix-twitter/defaults/main.yml index 2d6b4b20..826bc4b6 100644 --- a/roles/matrix-bridge-mautrix-twitter/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-twitter/defaults/main.yml @@ -1,10 +1,10 @@ # mautrix-twitter is a Matrix <-> Twitter bridge -# See: https://github.com/tulir/mautrix-twitter +# See: https://github.com/mautrix/twitter matrix_mautrix_twitter_enabled: true matrix_mautrix_twitter_container_image_self_build: false -matrix_mautrix_twitter_container_image_self_build_repo: "https://github.com/tulir/mautrix-twitter.git" +matrix_mautrix_twitter_container_image_self_build_repo: "https://github.com/mautrix/twitter.git" matrix_mautrix_twitter_version: latest # See: https://mau.dev/tulir/mautrix-twitter/container_registry From c0f7c39f7dee36f536389faa707856d260185462 Mon Sep 17 00:00:00 2001 From: HarHarLinks Date: Mon, 3 Jan 2022 18:29:13 +0100 Subject: [PATCH 104/202] s/plabook/playbook --- roles/matrix-bridge-appservice-slack/tasks/init.yml | 2 +- roles/matrix-bridge-appservice-webhooks/tasks/init.yml | 2 +- roles/matrix-bridge-mautrix-googlechat/tasks/init.yml | 2 +- roles/matrix-bridge-mautrix-hangouts/tasks/init.yml | 2 +- roles/matrix-bridge-mautrix-telegram/tasks/init.yml | 2 +- roles/matrix-bridge-mx-puppet-slack/tasks/init.yml | 2 +- roles/matrix-bridge-mx-puppet-twitter/tasks/init.yml | 2 +- roles/matrix-etherpad/tasks/init.yml | 2 +- roles/matrix-registration/tasks/init.yml | 2 +- roles/matrix-synapse-admin/tasks/init.yml | 2 +- 10 files changed, 10 insertions(+), 10 deletions(-) diff --git a/roles/matrix-bridge-appservice-slack/tasks/init.yml b/roles/matrix-bridge-appservice-slack/tasks/init.yml index 0584e624..f6aada6d 100644 --- a/roles/matrix-bridge-appservice-slack/tasks/init.yml +++ b/roles/matrix-bridge-appservice-slack/tasks/init.yml @@ -44,7 +44,7 @@ msg: >- Trying to append Slack Appservice's reverse-proxying configuration to matrix-nginx-proxy, but it's pointless since the matrix-nginx-proxy role had already executed. - To fix this, please change the order of roles in your plabook, + To fix this, please change the order of roles in your playbook, so that the matrix-nginx-proxy role would run after the matrix-bridge-appservice-slack role. when: matrix_nginx_proxy_role_executed|default(False)|bool diff --git a/roles/matrix-bridge-appservice-webhooks/tasks/init.yml b/roles/matrix-bridge-appservice-webhooks/tasks/init.yml index a42e14c9..7f49e8b6 100644 --- a/roles/matrix-bridge-appservice-webhooks/tasks/init.yml +++ b/roles/matrix-bridge-appservice-webhooks/tasks/init.yml @@ -37,7 +37,7 @@ msg: >- Trying to append webhooks Appservice's reverse-proxying configuration to matrix-nginx-proxy, but it's pointless since the matrix-nginx-proxy role had already executed. - To fix this, please change the order of roles in your plabook, + To fix this, please change the order of roles in your playbook, so that the matrix-nginx-proxy role would run after the matrix-bridge-appservice-webhooks role. when: matrix_nginx_proxy_role_executed|default(False)|bool diff --git a/roles/matrix-bridge-mautrix-googlechat/tasks/init.yml b/roles/matrix-bridge-mautrix-googlechat/tasks/init.yml index c12fcd3c..5c8d82bf 100644 --- a/roles/matrix-bridge-mautrix-googlechat/tasks/init.yml +++ b/roles/matrix-bridge-mautrix-googlechat/tasks/init.yml @@ -28,7 +28,7 @@ msg: >- Trying to append Mautrix googlechat's reverse-proxying configuration to matrix-nginx-proxy, but it's pointless since the matrix-nginx-proxy role had already executed. - To fix this, please change the order of roles in your plabook, + To fix this, please change the order of roles in your playbook, so that the matrix-nginx-proxy role would run after the matrix-bridge-mautrix-googlechat role. when: matrix_nginx_proxy_role_executed|default(False)|bool diff --git a/roles/matrix-bridge-mautrix-hangouts/tasks/init.yml b/roles/matrix-bridge-mautrix-hangouts/tasks/init.yml index 6cc194fe..59756ec9 100644 --- a/roles/matrix-bridge-mautrix-hangouts/tasks/init.yml +++ b/roles/matrix-bridge-mautrix-hangouts/tasks/init.yml @@ -28,7 +28,7 @@ msg: >- Trying to append Mautrix Hangouts's reverse-proxying configuration to matrix-nginx-proxy, but it's pointless since the matrix-nginx-proxy role had already executed. - To fix this, please change the order of roles in your plabook, + To fix this, please change the order of roles in your playbook, so that the matrix-nginx-proxy role would run after the matrix-bridge-mautrix-hangouts role. when: matrix_nginx_proxy_role_executed|default(False)|bool diff --git a/roles/matrix-bridge-mautrix-telegram/tasks/init.yml b/roles/matrix-bridge-mautrix-telegram/tasks/init.yml index 84ac86d0..bf903a57 100644 --- a/roles/matrix-bridge-mautrix-telegram/tasks/init.yml +++ b/roles/matrix-bridge-mautrix-telegram/tasks/init.yml @@ -28,7 +28,7 @@ msg: >- Trying to append Mautrix Telegram's reverse-proxying configuration to matrix-nginx-proxy, but it's pointless since the matrix-nginx-proxy role had already executed. - To fix this, please change the order of roles in your plabook, + To fix this, please change the order of roles in your playbook, so that the matrix-nginx-proxy role would run after the matrix-bridge-mautrix-telegram role. when: matrix_nginx_proxy_role_executed|default(False)|bool diff --git a/roles/matrix-bridge-mx-puppet-slack/tasks/init.yml b/roles/matrix-bridge-mx-puppet-slack/tasks/init.yml index f484c687..74ec0350 100644 --- a/roles/matrix-bridge-mx-puppet-slack/tasks/init.yml +++ b/roles/matrix-bridge-mx-puppet-slack/tasks/init.yml @@ -28,7 +28,7 @@ msg: >- Trying to append Slack Appservice's reverse-proxying configuration to matrix-nginx-proxy, but it's pointless since the matrix-nginx-proxy role had already executed. - To fix this, please change the order of roles in your plabook, + To fix this, please change the order of roles in your playbook, so that the matrix-nginx-proxy role would run after the matrix-mx-puppet-slack role. when: matrix_nginx_proxy_role_executed|default(False)|bool diff --git a/roles/matrix-bridge-mx-puppet-twitter/tasks/init.yml b/roles/matrix-bridge-mx-puppet-twitter/tasks/init.yml index 06cf83fa..2054d23c 100644 --- a/roles/matrix-bridge-mx-puppet-twitter/tasks/init.yml +++ b/roles/matrix-bridge-mx-puppet-twitter/tasks/init.yml @@ -28,7 +28,7 @@ msg: >- Trying to append Twitter Appservice's reverse-proxying configuration to matrix-nginx-proxy, but it's pointless since the matrix-nginx-proxy role had already executed. - To fix this, please change the order of roles in your plabook, + To fix this, please change the order of roles in your playbook, so that the matrix-nginx-proxy role would run after the matrix-mx-puppet-twitter role. when: matrix_nginx_proxy_role_executed|default(False)|bool diff --git a/roles/matrix-etherpad/tasks/init.yml b/roles/matrix-etherpad/tasks/init.yml index 5b8f5ef6..c94e0817 100644 --- a/roles/matrix-etherpad/tasks/init.yml +++ b/roles/matrix-etherpad/tasks/init.yml @@ -8,7 +8,7 @@ msg: >- Trying to append Etherpad's reverse-proxying configuration to matrix-nginx-proxy, but it's pointless since the matrix-nginx-proxy role had already executed. - To fix this, please change the order of roles in your plabook, + To fix this, please change the order of roles in your playbook, so that the matrix-nginx-proxy role would run after the matrix-etherpad role. when: matrix_nginx_proxy_role_executed|default(False)|bool diff --git a/roles/matrix-registration/tasks/init.yml b/roles/matrix-registration/tasks/init.yml index 5ab93910..47220103 100644 --- a/roles/matrix-registration/tasks/init.yml +++ b/roles/matrix-registration/tasks/init.yml @@ -15,7 +15,7 @@ msg: >- Trying to append matrix-registration's reverse-proxying configuration to matrix-nginx-proxy, but it's pointless since the matrix-nginx-proxy role had already executed. - To fix this, please change the order of roles in your plabook, + To fix this, please change the order of roles in your playbook, so that the matrix-nginx-proxy role would run after the matrix-registration role. when: matrix_nginx_proxy_role_executed|default(False)|bool diff --git a/roles/matrix-synapse-admin/tasks/init.yml b/roles/matrix-synapse-admin/tasks/init.yml index e1912871..fccc9dfa 100644 --- a/roles/matrix-synapse-admin/tasks/init.yml +++ b/roles/matrix-synapse-admin/tasks/init.yml @@ -15,7 +15,7 @@ msg: >- Trying to append Synapse Admin's reverse-proxying configuration to matrix-nginx-proxy, but it's pointless since the matrix-nginx-proxy role had already executed. - To fix this, please change the order of roles in your plabook, + To fix this, please change the order of roles in your playbook, so that the matrix-nginx-proxy role would run after the matrix-synapse-admin role. when: matrix_nginx_proxy_role_executed|default(False)|bool From f0d7a8e99d0210ab62aa3dd1f387fff70bacab74 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 4 Jan 2022 09:18:31 +0200 Subject: [PATCH 105/202] Use to_json --- roles/matrix-etherpad/templates/settings.json.j2 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/matrix-etherpad/templates/settings.json.j2 b/roles/matrix-etherpad/templates/settings.json.j2 index 01127a91..0a240f3e 100644 --- a/roles/matrix-etherpad/templates/settings.json.j2 +++ b/roles/matrix-etherpad/templates/settings.json.j2 @@ -73,8 +73,8 @@ }, {% if matrix_etherpad_admin_username != "" and matrix_etherpad_admin_password != "" %} "users": { - "{{ matrix_etherpad_admin_username }}": { - "password": "{{ matrix_etherpad_admin_password }}", + {{ matrix_etherpad_admin_username|to_json }}: { + "password": {{ matrix_etherpad_admin_password|to_json }}, "is_admin": true } }, From 8515ac55e63a77cda8fcbf841541c5fb7d7a2381 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 4 Jan 2022 17:04:01 +0200 Subject: [PATCH 106/202] Upgrade nginx (1.21.4 -> 1.21.5) --- roles/matrix-nginx-proxy/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index 7eeb39ff..27b0b42d 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -1,5 +1,5 @@ matrix_nginx_proxy_enabled: true -matrix_nginx_proxy_version: 1.21.4-alpine +matrix_nginx_proxy_version: 1.21.5-alpine # We use an official nginx image, which we fix-up to run unprivileged. # An alternative would be an `nginxinc/nginx-unprivileged` image, but From b1b4ba501fdfaa434dac8a981cec9ac0311ca4ef Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 4 Jan 2022 17:21:02 +0200 Subject: [PATCH 107/202] Replace ExecStop with ExecStopPost ExecStopPost should allow us to clean up (docker kill + docker rm) even if the ExecStart (docker run ..) command failed, and not just after a graceful service stop was initiated. Source: https://www.freedesktop.org/software/systemd/man/systemd.service.html#ExecStopPost= --- .../templates/systemd/matrix-bot-go-neb.service.j2 | 4 ++-- .../systemd/matrix-bot-matrix-reminder-bot.service.j2 | 4 ++-- .../templates/systemd/matrix-bot-mjolnir.service.j2 | 4 ++-- .../systemd/matrix-appservice-discord.service.j2 | 4 ++-- .../templates/systemd/matrix-appservice-irc.service.j2 | 4 ++-- .../templates/systemd/matrix-appservice-slack.service.j2 | 4 ++-- .../systemd/matrix-appservice-webhooks.service.j2 | 4 ++-- .../templates/systemd/matrix-beeper-linkedin.service.j2 | 4 ++-- .../templates/systemd/matrix-heisenbridge.service.j2 | 4 ++-- .../templates/systemd/matrix-mautrix-facebook.service.j2 | 4 ++-- .../systemd/matrix-mautrix-googlechat.service.j2 | 4 ++-- .../templates/systemd/matrix-mautrix-hangouts.service.j2 | 4 ++-- .../templates/systemd/matrix-mautrix-instagram.service.j2 | 4 ++-- .../systemd/matrix-mautrix-signal-daemon.service.j2 | 4 ++-- .../templates/systemd/matrix-mautrix-signal.service.j2 | 4 ++-- .../templates/systemd/matrix-mautrix-telegram.service.j2 | 4 ++-- .../templates/systemd/matrix-mautrix-twitter.service.j2 | 4 ++-- .../templates/systemd/matrix-mautrix-whatsapp.service.j2 | 4 ++-- .../templates/systemd/matrix-mx-puppet-discord.service.j2 | 4 ++-- .../templates/systemd/matrix-mx-puppet-groupme.service.j2 | 4 ++-- .../systemd/matrix-mx-puppet-instagram.service.j2 | 4 ++-- .../templates/systemd/matrix-mx-puppet-skype.service.j2 | 4 ++-- .../templates/systemd/matrix-mx-puppet-slack.service.j2 | 4 ++-- .../templates/systemd/matrix-mx-puppet-steam.service.j2 | 4 ++-- .../templates/systemd/matrix-mx-puppet-twitter.service.j2 | 4 ++-- .../templates/systemd/matrix-sms-bridge.service.j2 | 4 ++-- .../templates/systemd/matrix-client-element.service.j2 | 4 ++-- .../templates/systemd/matrix-client-hydrogen.service.j2 | 4 ++-- .../templates/systemd/matrix-corporal.service.j2 | 4 ++-- .../templates/systemd/matrix-coturn.service.j2 | 4 ++-- .../templates/systemd/matrix-dimension.service.j2 | 4 ++-- .../templates/systemd/matrix-dynamic-dns.service.j2 | 4 ++-- .../templates/systemd/matrix-email2matrix.service.j2 | 4 ++-- .../templates/systemd/matrix-etherpad.service.j2 | 6 +++--- .../templates/systemd/matrix-grafana.service.j2 | 4 ++-- .../templates/jicofo/matrix-jitsi-jicofo.service.j2 | 4 ++-- .../templates/jvb/matrix-jitsi-jvb.service.j2 | 4 ++-- .../templates/prosody/matrix-jitsi-prosody.service.j2 | 4 ++-- .../templates/web/matrix-jitsi-web.service.j2 | 4 ++-- .../templates/systemd/matrix-ma1sd.service.j2 | 4 ++-- .../templates/systemd/matrix-mailer.service.j2 | 4 ++-- .../templates/systemd/matrix-nginx-proxy.service.j2 | 4 ++-- .../templates/systemd/matrix-postgres-backup.service.j2 | 4 ++-- .../templates/systemd/matrix-postgres.service.j2 | 4 ++-- .../systemd/matrix-prometheus-node-exporter.service.j2 | 4 ++-- .../matrix-prometheus-postgres-exporter.service.j2 | 6 +++--- .../templates/systemd/matrix-prometheus.service.j2 | 4 ++-- .../templates/systemd/matrix-redis.service.j2 | 4 ++-- .../templates/systemd/matrix-registration.service.j2 | 4 ++-- .../templates/systemd/matrix-sygnal.service.j2 | 4 ++-- .../templates/systemd/matrix-synapse-admin.service.j2 | 4 ++-- .../templates/goofys/systemd/matrix-goofys.service.j2 | 8 ++++---- .../synapse/systemd/matrix-synapse-worker.service.j2 | 4 ++-- .../templates/synapse/systemd/matrix-synapse.service.j2 | 4 ++-- 54 files changed, 112 insertions(+), 112 deletions(-) diff --git a/roles/matrix-bot-go-neb/templates/systemd/matrix-bot-go-neb.service.j2 b/roles/matrix-bot-go-neb/templates/systemd/matrix-bot-go-neb.service.j2 index eabf1137..056447eb 100644 --- a/roles/matrix-bot-go-neb/templates/systemd/matrix-bot-go-neb.service.j2 +++ b/roles/matrix-bot-go-neb/templates/systemd/matrix-bot-go-neb.service.j2 @@ -39,8 +39,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-bot-go-neb \ {{ matrix_bot_go_neb_docker_image }} \ -c "go-neb /config/config.yaml" -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-bot-go-neb 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-bot-go-neb 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-bot-go-neb 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-bot-go-neb 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-bot-go-neb diff --git a/roles/matrix-bot-matrix-reminder-bot/templates/systemd/matrix-bot-matrix-reminder-bot.service.j2 b/roles/matrix-bot-matrix-reminder-bot/templates/systemd/matrix-bot-matrix-reminder-bot.service.j2 index b1fe3c32..14b5fa45 100644 --- a/roles/matrix-bot-matrix-reminder-bot/templates/systemd/matrix-bot-matrix-reminder-bot.service.j2 +++ b/roles/matrix-bot-matrix-reminder-bot/templates/systemd/matrix-bot-matrix-reminder-bot.service.j2 @@ -32,8 +32,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-bot-matrix-rem {{ matrix_bot_matrix_reminder_bot_docker_image }} \ -c "matrix-reminder-bot /config/config.yaml" -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-bot-matrix-reminder-bot 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-bot-matrix-reminder-bot 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-bot-matrix-reminder-bot 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-bot-matrix-reminder-bot 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-bot-matrix-reminder-bot diff --git a/roles/matrix-bot-mjolnir/templates/systemd/matrix-bot-mjolnir.service.j2 b/roles/matrix-bot-mjolnir/templates/systemd/matrix-bot-mjolnir.service.j2 index 0b018f25..b2298312 100644 --- a/roles/matrix-bot-mjolnir/templates/systemd/matrix-bot-mjolnir.service.j2 +++ b/roles/matrix-bot-mjolnir/templates/systemd/matrix-bot-mjolnir.service.j2 @@ -32,8 +32,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-bot-mjolnir \ {% endfor %} {{ matrix_bot_mjolnir_docker_image }} -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-bot-mjolnir 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-bot-mjolnir 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-bot-mjolnir 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-bot-mjolnir 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-bot-mjolnir diff --git a/roles/matrix-bridge-appservice-discord/templates/systemd/matrix-appservice-discord.service.j2 b/roles/matrix-bridge-appservice-discord/templates/systemd/matrix-appservice-discord.service.j2 index 84dee801..8f61bd9f 100644 --- a/roles/matrix-bridge-appservice-discord/templates/systemd/matrix-appservice-discord.service.j2 +++ b/roles/matrix-bridge-appservice-discord/templates/systemd/matrix-appservice-discord.service.j2 @@ -35,8 +35,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-appservice-dis {{ matrix_appservice_discord_docker_image }} \ node /build/src/discordas.js -p 9005 -c /cfg/config.yaml -f /cfg/registration.yaml -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-appservice-discord 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-appservice-discord 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-appservice-discord 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-appservice-discord 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-appservice-discord diff --git a/roles/matrix-bridge-appservice-irc/templates/systemd/matrix-appservice-irc.service.j2 b/roles/matrix-bridge-appservice-irc/templates/systemd/matrix-appservice-irc.service.j2 index 8650bd8d..2c26c782 100644 --- a/roles/matrix-bridge-appservice-irc/templates/systemd/matrix-appservice-irc.service.j2 +++ b/roles/matrix-bridge-appservice-irc/templates/systemd/matrix-appservice-irc.service.j2 @@ -36,8 +36,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-appservice-irc {{ matrix_appservice_irc_docker_image }} \ -c 'node app.js -c /config/config.yaml -f /config/registration.yaml -p 9999' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-appservice-irc 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-appservice-irc 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-appservice-irc 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-appservice-irc 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-appservice-irc diff --git a/roles/matrix-bridge-appservice-slack/templates/systemd/matrix-appservice-slack.service.j2 b/roles/matrix-bridge-appservice-slack/templates/systemd/matrix-appservice-slack.service.j2 index 21ba27ef..9bf73711 100644 --- a/roles/matrix-bridge-appservice-slack/templates/systemd/matrix-appservice-slack.service.j2 +++ b/roles/matrix-bridge-appservice-slack/templates/systemd/matrix-appservice-slack.service.j2 @@ -35,8 +35,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-appservice-sla {{ matrix_appservice_slack_docker_image }} \ node app.js -p {{matrix_appservice_slack_matrix_port}} -c /config/config.yaml -f /config/slack-registration.yaml -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-appservice-slack 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-appservice-slack 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-appservice-slack 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-appservice-slack 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-appservice-slack diff --git a/roles/matrix-bridge-appservice-webhooks/templates/systemd/matrix-appservice-webhooks.service.j2 b/roles/matrix-bridge-appservice-webhooks/templates/systemd/matrix-appservice-webhooks.service.j2 index f27111b3..a227387a 100644 --- a/roles/matrix-bridge-appservice-webhooks/templates/systemd/matrix-appservice-webhooks.service.j2 +++ b/roles/matrix-bridge-appservice-webhooks/templates/systemd/matrix-appservice-webhooks.service.j2 @@ -35,8 +35,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-appservice-web {{ matrix_appservice_webhooks_docker_image }} \ node index.js -p {{ matrix_appservice_webhooks_matrix_port }} -c /config/config.yaml -f /config/webhooks-registration.yaml -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-appservice-webhooks 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-appservice-webhooks 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-appservice-webhooks 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-appservice-webhooks 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-appservice-webhooks diff --git a/roles/matrix-bridge-beeper-linkedin/templates/systemd/matrix-beeper-linkedin.service.j2 b/roles/matrix-bridge-beeper-linkedin/templates/systemd/matrix-beeper-linkedin.service.j2 index 4498b4f0..84e4a9c2 100644 --- a/roles/matrix-bridge-beeper-linkedin/templates/systemd/matrix-beeper-linkedin.service.j2 +++ b/roles/matrix-bridge-beeper-linkedin/templates/systemd/matrix-beeper-linkedin.service.j2 @@ -32,8 +32,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-beeper-linkedi {{ matrix_beeper_linkedin_docker_image }} \ python3 -m linkedin_matrix -c /data/config.yaml -r /data/registration.yaml -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-beeper-linkedin 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-beeper-linkedin 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-beeper-linkedin 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-beeper-linkedin 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-beeper-linkedin diff --git a/roles/matrix-bridge-heisenbridge/templates/systemd/matrix-heisenbridge.service.j2 b/roles/matrix-bridge-heisenbridge/templates/systemd/matrix-heisenbridge.service.j2 index e27b88f1..6a0750bf 100644 --- a/roles/matrix-bridge-heisenbridge/templates/systemd/matrix-heisenbridge.service.j2 +++ b/roles/matrix-bridge-heisenbridge/templates/systemd/matrix-heisenbridge.service.j2 @@ -41,8 +41,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-heisenbridge \ --listen-port 9898 \ {{ matrix_heisenbridge_homeserver_url }} -ExecStop=-{{ matrix_host_command_docker }} kill matrix-heisenbridge -ExecStop=-{{ matrix_host_command_docker }} rm matrix-heisenbridge +ExecStopPost=-{{ matrix_host_command_docker }} kill matrix-heisenbridge +ExecStopPost=-{{ matrix_host_command_docker }} rm matrix-heisenbridge Restart=always RestartSec=30 SyslogIdentifier=matrix-heisenbridge diff --git a/roles/matrix-bridge-mautrix-facebook/templates/systemd/matrix-mautrix-facebook.service.j2 b/roles/matrix-bridge-mautrix-facebook/templates/systemd/matrix-mautrix-facebook.service.j2 index f3af4b9f..07ee8fb7 100644 --- a/roles/matrix-bridge-mautrix-facebook/templates/systemd/matrix-mautrix-facebook.service.j2 +++ b/roles/matrix-bridge-mautrix-facebook/templates/systemd/matrix-mautrix-facebook.service.j2 @@ -32,8 +32,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-mautrix-facebo {{ matrix_mautrix_facebook_docker_image }} \ python3 -m mautrix_facebook -c /config/config.yaml --no-update -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mautrix-facebook 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mautrix-facebook 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mautrix-facebook 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mautrix-facebook 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-mautrix-facebook diff --git a/roles/matrix-bridge-mautrix-googlechat/templates/systemd/matrix-mautrix-googlechat.service.j2 b/roles/matrix-bridge-mautrix-googlechat/templates/systemd/matrix-mautrix-googlechat.service.j2 index c56473be..5a6ab799 100644 --- a/roles/matrix-bridge-mautrix-googlechat/templates/systemd/matrix-mautrix-googlechat.service.j2 +++ b/roles/matrix-bridge-mautrix-googlechat/templates/systemd/matrix-mautrix-googlechat.service.j2 @@ -33,8 +33,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-mautrix-google {{ matrix_mautrix_googlechat_docker_image }} \ python3 -m mautrix_googlechat -c /config/config.yaml --no-update -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mautrix-googlechat 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mautrix-googlechat 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mautrix-googlechat 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mautrix-googlechat 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-mautrix-googlechat diff --git a/roles/matrix-bridge-mautrix-hangouts/templates/systemd/matrix-mautrix-hangouts.service.j2 b/roles/matrix-bridge-mautrix-hangouts/templates/systemd/matrix-mautrix-hangouts.service.j2 index 60f0e055..66f34d94 100644 --- a/roles/matrix-bridge-mautrix-hangouts/templates/systemd/matrix-mautrix-hangouts.service.j2 +++ b/roles/matrix-bridge-mautrix-hangouts/templates/systemd/matrix-mautrix-hangouts.service.j2 @@ -44,8 +44,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-mautrix-hangou {{ matrix_mautrix_hangouts_docker_image }} \ python3 -m mautrix_hangouts -c /config/config.yaml --no-update -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mautrix-hangouts 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mautrix-hangouts 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mautrix-hangouts 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mautrix-hangouts 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-mautrix-hangouts diff --git a/roles/matrix-bridge-mautrix-instagram/templates/systemd/matrix-mautrix-instagram.service.j2 b/roles/matrix-bridge-mautrix-instagram/templates/systemd/matrix-mautrix-instagram.service.j2 index 33a5bab3..0157accc 100644 --- a/roles/matrix-bridge-mautrix-instagram/templates/systemd/matrix-mautrix-instagram.service.j2 +++ b/roles/matrix-bridge-mautrix-instagram/templates/systemd/matrix-mautrix-instagram.service.j2 @@ -32,8 +32,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-mautrix-instag {{ matrix_mautrix_instagram_docker_image }} \ python3 -m mautrix_instagram -c /config/config.yaml --no-update -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mautrix-instagram 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mautrix-instagram 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mautrix-instagram 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mautrix-instagram 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-mautrix-instagram diff --git a/roles/matrix-bridge-mautrix-signal/templates/systemd/matrix-mautrix-signal-daemon.service.j2 b/roles/matrix-bridge-mautrix-signal/templates/systemd/matrix-mautrix-signal-daemon.service.j2 index 6f128da3..314bba6d 100644 --- a/roles/matrix-bridge-mautrix-signal/templates/systemd/matrix-mautrix-signal-daemon.service.j2 +++ b/roles/matrix-bridge-mautrix-signal/templates/systemd/matrix-mautrix-signal-daemon.service.j2 @@ -30,8 +30,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-mautrix-signal -v {{ matrix_mautrix_signal_daemon_path }}:/signald:z \ {{ matrix_mautrix_signal_daemon_docker_image }} -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mautrix-signal-daemon 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mautrix-signal-daemon 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mautrix-signal-daemon 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mautrix-signal-daemon 2>/dev/null' Restart=always RestartSec=30 diff --git a/roles/matrix-bridge-mautrix-signal/templates/systemd/matrix-mautrix-signal.service.j2 b/roles/matrix-bridge-mautrix-signal/templates/systemd/matrix-mautrix-signal.service.j2 index e3e02424..244e2a48 100644 --- a/roles/matrix-bridge-mautrix-signal/templates/systemd/matrix-mautrix-signal.service.j2 +++ b/roles/matrix-bridge-mautrix-signal/templates/systemd/matrix-mautrix-signal.service.j2 @@ -37,8 +37,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-mautrix-signal {{ matrix_mautrix_signal_docker_image }} \ python3 -m mautrix_signal -c /config/config.yaml --no-update -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mautrix-signal 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mautrix-signal 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mautrix-signal 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mautrix-signal 2>/dev/null' Restart=always RestartSec=30 diff --git a/roles/matrix-bridge-mautrix-telegram/templates/systemd/matrix-mautrix-telegram.service.j2 b/roles/matrix-bridge-mautrix-telegram/templates/systemd/matrix-mautrix-telegram.service.j2 index ae1ac675..69ab167a 100644 --- a/roles/matrix-bridge-mautrix-telegram/templates/systemd/matrix-mautrix-telegram.service.j2 +++ b/roles/matrix-bridge-mautrix-telegram/templates/systemd/matrix-mautrix-telegram.service.j2 @@ -44,8 +44,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-mautrix-telegr {{ matrix_mautrix_telegram_docker_image }} \ python3 -m mautrix_telegram -c /config/config.yaml --no-update -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mautrix-telegram 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mautrix-telegram 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mautrix-telegram 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mautrix-telegram 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-mautrix-telegram diff --git a/roles/matrix-bridge-mautrix-twitter/templates/systemd/matrix-mautrix-twitter.service.j2 b/roles/matrix-bridge-mautrix-twitter/templates/systemd/matrix-mautrix-twitter.service.j2 index 73bdbc86..55509b85 100644 --- a/roles/matrix-bridge-mautrix-twitter/templates/systemd/matrix-mautrix-twitter.service.j2 +++ b/roles/matrix-bridge-mautrix-twitter/templates/systemd/matrix-mautrix-twitter.service.j2 @@ -32,8 +32,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-mautrix-twitte {{ matrix_mautrix_twitter_docker_image }} \ python3 -m mautrix_twitter -c /config/config.yaml --no-update -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mautrix-twitter 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mautrix-twitter 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mautrix-twitter 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mautrix-twitter 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-mautrix-twitter diff --git a/roles/matrix-bridge-mautrix-whatsapp/templates/systemd/matrix-mautrix-whatsapp.service.j2 b/roles/matrix-bridge-mautrix-whatsapp/templates/systemd/matrix-mautrix-whatsapp.service.j2 index 4a492492..77daa825 100644 --- a/roles/matrix-bridge-mautrix-whatsapp/templates/systemd/matrix-mautrix-whatsapp.service.j2 +++ b/roles/matrix-bridge-mautrix-whatsapp/templates/systemd/matrix-mautrix-whatsapp.service.j2 @@ -33,8 +33,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-mautrix-whatsa {{ matrix_mautrix_whatsapp_docker_image }} \ /usr/bin/mautrix-whatsapp -c /config/config.yaml -r /config/registration.yaml -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mautrix-whatsapp 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mautrix-whatsapp 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mautrix-whatsapp 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mautrix-whatsapp 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-mautrix-whatsapp diff --git a/roles/matrix-bridge-mx-puppet-discord/templates/systemd/matrix-mx-puppet-discord.service.j2 b/roles/matrix-bridge-mx-puppet-discord/templates/systemd/matrix-mx-puppet-discord.service.j2 index 6ffb87cd..58b01e20 100644 --- a/roles/matrix-bridge-mx-puppet-discord/templates/systemd/matrix-mx-puppet-discord.service.j2 +++ b/roles/matrix-bridge-mx-puppet-discord/templates/systemd/matrix-mx-puppet-discord.service.j2 @@ -33,8 +33,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-mx-puppet-disc {% endfor %} {{ matrix_mx_puppet_discord_docker_image }} -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mx-puppet-discord 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mx-puppet-discord 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mx-puppet-discord 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mx-puppet-discord 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-mx-puppet-discord diff --git a/roles/matrix-bridge-mx-puppet-groupme/templates/systemd/matrix-mx-puppet-groupme.service.j2 b/roles/matrix-bridge-mx-puppet-groupme/templates/systemd/matrix-mx-puppet-groupme.service.j2 index dabafd18..7e008aeb 100644 --- a/roles/matrix-bridge-mx-puppet-groupme/templates/systemd/matrix-mx-puppet-groupme.service.j2 +++ b/roles/matrix-bridge-mx-puppet-groupme/templates/systemd/matrix-mx-puppet-groupme.service.j2 @@ -33,8 +33,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-mx-puppet-grou {% endfor %} {{ matrix_mx_puppet_groupme_docker_image }} -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mx-puppet-groupme 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mx-puppet-groupme 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mx-puppet-groupme 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mx-puppet-groupme 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-mx-puppet-groupme diff --git a/roles/matrix-bridge-mx-puppet-instagram/templates/systemd/matrix-mx-puppet-instagram.service.j2 b/roles/matrix-bridge-mx-puppet-instagram/templates/systemd/matrix-mx-puppet-instagram.service.j2 index 965bb41c..b2921a4f 100644 --- a/roles/matrix-bridge-mx-puppet-instagram/templates/systemd/matrix-mx-puppet-instagram.service.j2 +++ b/roles/matrix-bridge-mx-puppet-instagram/templates/systemd/matrix-mx-puppet-instagram.service.j2 @@ -33,8 +33,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-mx-puppet-inst {% endfor %} {{ matrix_mx_puppet_instagram_docker_image }} -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mx-puppet-instagram 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mx-puppet-instagram 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mx-puppet-instagram 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mx-puppet-instagram 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-mx-puppet-instagram diff --git a/roles/matrix-bridge-mx-puppet-skype/templates/systemd/matrix-mx-puppet-skype.service.j2 b/roles/matrix-bridge-mx-puppet-skype/templates/systemd/matrix-mx-puppet-skype.service.j2 index 9a7986e4..4c604bb7 100644 --- a/roles/matrix-bridge-mx-puppet-skype/templates/systemd/matrix-mx-puppet-skype.service.j2 +++ b/roles/matrix-bridge-mx-puppet-skype/templates/systemd/matrix-mx-puppet-skype.service.j2 @@ -33,8 +33,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-mx-puppet-skyp {% endfor %} {{ matrix_mx_puppet_skype_docker_image }} -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mx-puppet-skype 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mx-puppet-skype 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mx-puppet-skype 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mx-puppet-skype 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-mx-puppet-skype diff --git a/roles/matrix-bridge-mx-puppet-slack/templates/systemd/matrix-mx-puppet-slack.service.j2 b/roles/matrix-bridge-mx-puppet-slack/templates/systemd/matrix-mx-puppet-slack.service.j2 index 973771b3..f130c095 100644 --- a/roles/matrix-bridge-mx-puppet-slack/templates/systemd/matrix-mx-puppet-slack.service.j2 +++ b/roles/matrix-bridge-mx-puppet-slack/templates/systemd/matrix-mx-puppet-slack.service.j2 @@ -36,8 +36,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-mx-puppet-slac {% endfor %} {{ matrix_mx_puppet_slack_docker_image }} -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mx-puppet-slack 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mx-puppet-slack 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mx-puppet-slack 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mx-puppet-slack 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-mx-puppet-slack diff --git a/roles/matrix-bridge-mx-puppet-steam/templates/systemd/matrix-mx-puppet-steam.service.j2 b/roles/matrix-bridge-mx-puppet-steam/templates/systemd/matrix-mx-puppet-steam.service.j2 index 0772872b..c736b7ca 100644 --- a/roles/matrix-bridge-mx-puppet-steam/templates/systemd/matrix-mx-puppet-steam.service.j2 +++ b/roles/matrix-bridge-mx-puppet-steam/templates/systemd/matrix-mx-puppet-steam.service.j2 @@ -33,8 +33,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-mx-puppet-stea {% endfor %} {{ matrix_mx_puppet_steam_docker_image }} -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mx-puppet-steam 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mx-puppet-steam 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mx-puppet-steam 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mx-puppet-steam 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-mx-puppet-steam diff --git a/roles/matrix-bridge-mx-puppet-twitter/templates/systemd/matrix-mx-puppet-twitter.service.j2 b/roles/matrix-bridge-mx-puppet-twitter/templates/systemd/matrix-mx-puppet-twitter.service.j2 index 7e1b1c32..efa3e4e3 100644 --- a/roles/matrix-bridge-mx-puppet-twitter/templates/systemd/matrix-mx-puppet-twitter.service.j2 +++ b/roles/matrix-bridge-mx-puppet-twitter/templates/systemd/matrix-mx-puppet-twitter.service.j2 @@ -36,8 +36,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-mx-puppet-twit {% endfor %} {{ matrix_mx_puppet_twitter_docker_image }} -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mx-puppet-twitter 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mx-puppet-twitter 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mx-puppet-twitter 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mx-puppet-twitter 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-mx-puppet-twitter diff --git a/roles/matrix-bridge-sms/templates/systemd/matrix-sms-bridge.service.j2 b/roles/matrix-bridge-sms/templates/systemd/matrix-sms-bridge.service.j2 index 46c3463f..404b5aab 100644 --- a/roles/matrix-bridge-sms/templates/systemd/matrix-sms-bridge.service.j2 +++ b/roles/matrix-bridge-sms/templates/systemd/matrix-sms-bridge.service.j2 @@ -35,8 +35,8 @@ ExecStart=/usr/bin/docker run --rm --name matrix-sms-bridge \ {% endfor %} {{ matrix_sms_bridge_docker_image }} -ExecStop=-/usr/bin/docker kill matrix-sms-bridge -ExecStop=-/usr/bin/docker rm matrix-sms-bridge +ExecStopPost=-/usr/bin/docker kill matrix-sms-bridge +ExecStopPost=-/usr/bin/docker rm matrix-sms-bridge Restart=always RestartSec=30 SyslogIdentifier=matrix-sms-bridge diff --git a/roles/matrix-client-element/templates/systemd/matrix-client-element.service.j2 b/roles/matrix-client-element/templates/systemd/matrix-client-element.service.j2 index fe2a3a86..d4ad2b9e 100644 --- a/roles/matrix-client-element/templates/systemd/matrix-client-element.service.j2 +++ b/roles/matrix-client-element/templates/systemd/matrix-client-element.service.j2 @@ -35,8 +35,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-client-element {% endfor %} {{ matrix_client_element_docker_image }} -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-client-element 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-client-element 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-client-element 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-client-element 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-client-element diff --git a/roles/matrix-client-hydrogen/templates/systemd/matrix-client-hydrogen.service.j2 b/roles/matrix-client-hydrogen/templates/systemd/matrix-client-hydrogen.service.j2 index c85aeb97..7a72e876 100644 --- a/roles/matrix-client-hydrogen/templates/systemd/matrix-client-hydrogen.service.j2 +++ b/roles/matrix-client-hydrogen/templates/systemd/matrix-client-hydrogen.service.j2 @@ -29,8 +29,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-client-hydroge {% endfor %} {{ matrix_client_hydrogen_docker_image }} -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-client-hydrogen 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-client-hydrogen 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-client-hydrogen 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-client-hydrogen 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-client-hydrogen diff --git a/roles/matrix-corporal/templates/systemd/matrix-corporal.service.j2 b/roles/matrix-corporal/templates/systemd/matrix-corporal.service.j2 index 262e2e77..9c42f2b1 100644 --- a/roles/matrix-corporal/templates/systemd/matrix-corporal.service.j2 +++ b/roles/matrix-corporal/templates/systemd/matrix-corporal.service.j2 @@ -34,8 +34,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-corporal \ {{ matrix_corporal_docker_image }} \ /matrix-corporal -config=/etc/matrix-corporal/config.json -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-corporal 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-corporal 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-corporal 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-corporal 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-corporal diff --git a/roles/matrix-coturn/templates/systemd/matrix-coturn.service.j2 b/roles/matrix-coturn/templates/systemd/matrix-coturn.service.j2 index a39030af..778f8185 100644 --- a/roles/matrix-coturn/templates/systemd/matrix-coturn.service.j2 +++ b/roles/matrix-coturn/templates/systemd/matrix-coturn.service.j2 @@ -43,8 +43,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-coturn \ {{ matrix_coturn_docker_image }} \ -c /turnserver.conf -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-coturn 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-coturn 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-coturn 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-coturn 2>/dev/null' # This only reloads certificates (not other configuration). # See: https://github.com/coturn/coturn/pull/236 diff --git a/roles/matrix-dimension/templates/systemd/matrix-dimension.service.j2 b/roles/matrix-dimension/templates/systemd/matrix-dimension.service.j2 index e27a5558..0451231b 100644 --- a/roles/matrix-dimension/templates/systemd/matrix-dimension.service.j2 +++ b/roles/matrix-dimension/templates/systemd/matrix-dimension.service.j2 @@ -38,8 +38,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-dimension \ {% endfor %} {{ matrix_dimension_docker_image }} -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-dimension 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-dimension 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-dimension 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-dimension 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-dimension diff --git a/roles/matrix-dynamic-dns/templates/systemd/matrix-dynamic-dns.service.j2 b/roles/matrix-dynamic-dns/templates/systemd/matrix-dynamic-dns.service.j2 index dfdd2f72..31e106f0 100644 --- a/roles/matrix-dynamic-dns/templates/systemd/matrix-dynamic-dns.service.j2 +++ b/roles/matrix-dynamic-dns/templates/systemd/matrix-dynamic-dns.service.j2 @@ -26,8 +26,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-dynamic-dns \ {% endfor %} {{ matrix_dynamic_dns_docker_image }} -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-dynamic-dns 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-dynamic-dns 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-dynamic-dns 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-dynamic-dns 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-dynamic-dns diff --git a/roles/matrix-email2matrix/templates/systemd/matrix-email2matrix.service.j2 b/roles/matrix-email2matrix/templates/systemd/matrix-email2matrix.service.j2 index c9226768..b620a13f 100644 --- a/roles/matrix-email2matrix/templates/systemd/matrix-email2matrix.service.j2 +++ b/roles/matrix-email2matrix/templates/systemd/matrix-email2matrix.service.j2 @@ -24,8 +24,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-email2matrix \ {% endfor %} {{ matrix_email2matrix_docker_image }} -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-email2matrix 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-email2matrix 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-email2matrix 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-email2matrix 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-email2matrix diff --git a/roles/matrix-etherpad/templates/systemd/matrix-etherpad.service.j2 b/roles/matrix-etherpad/templates/systemd/matrix-etherpad.service.j2 index b579036b..e55c57c7 100644 --- a/roles/matrix-etherpad/templates/systemd/matrix-etherpad.service.j2 +++ b/roles/matrix-etherpad/templates/systemd/matrix-etherpad.service.j2 @@ -32,10 +32,10 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-etherpad \ node --experimental-worker src/node/server.js \ --settings /data/settings.json --credentials /data/credentials.json \ --sessionkey /data/sessionkey.json --apikey /data/apijey.json - -ExecStop=-{{ matrix_host_command_docker }} kill matrix-etherpad -ExecStop=-{{ matrix_host_command_docker }} rm matrix-etherpad + +ExecStopPost=-{{ matrix_host_command_docker }} kill matrix-etherpad +ExecStopPost=-{{ matrix_host_command_docker }} rm matrix-etherpad Restart=always RestartSec=30 SyslogIdentifier=matrix-etherpad diff --git a/roles/matrix-grafana/templates/systemd/matrix-grafana.service.j2 b/roles/matrix-grafana/templates/systemd/matrix-grafana.service.j2 index a4f81e35..64d40a5c 100644 --- a/roles/matrix-grafana/templates/systemd/matrix-grafana.service.j2 +++ b/roles/matrix-grafana/templates/systemd/matrix-grafana.service.j2 @@ -33,8 +33,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-grafana \ {% endfor %} {{ matrix_grafana_docker_image }} -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-grafana 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-grafana 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-grafana 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-grafana 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-grafana diff --git a/roles/matrix-jitsi/templates/jicofo/matrix-jitsi-jicofo.service.j2 b/roles/matrix-jitsi/templates/jicofo/matrix-jitsi-jicofo.service.j2 index 6ecafaa0..b4944c84 100644 --- a/roles/matrix-jitsi/templates/jicofo/matrix-jitsi-jicofo.service.j2 +++ b/roles/matrix-jitsi/templates/jicofo/matrix-jitsi-jicofo.service.j2 @@ -23,8 +23,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-jitsi-jicofo \ {% endfor %} {{ matrix_jitsi_jicofo_docker_image }} -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-jitsi-jicofo 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-jitsi-jicofo 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-jitsi-jicofo 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-jitsi-jicofo 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-jitsi-jicofo diff --git a/roles/matrix-jitsi/templates/jvb/matrix-jitsi-jvb.service.j2 b/roles/matrix-jitsi/templates/jvb/matrix-jitsi-jvb.service.j2 index 2785795d..5be32210 100644 --- a/roles/matrix-jitsi/templates/jvb/matrix-jitsi-jvb.service.j2 +++ b/roles/matrix-jitsi/templates/jvb/matrix-jitsi-jvb.service.j2 @@ -33,8 +33,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-jitsi-jvb \ {% endfor %} {{ matrix_jitsi_jvb_docker_image }} -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-jitsi-jvb 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-jitsi-jvb 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-jitsi-jvb 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-jitsi-jvb 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-jitsi-jvb diff --git a/roles/matrix-jitsi/templates/prosody/matrix-jitsi-prosody.service.j2 b/roles/matrix-jitsi/templates/prosody/matrix-jitsi-prosody.service.j2 index 5a4a81e5..452ff954 100644 --- a/roles/matrix-jitsi/templates/prosody/matrix-jitsi-prosody.service.j2 +++ b/roles/matrix-jitsi/templates/prosody/matrix-jitsi-prosody.service.j2 @@ -28,8 +28,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-jitsi-prosody {% endfor %} {{ matrix_jitsi_prosody_docker_image }} -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-jitsi-prosody 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-jitsi-prosody 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-jitsi-prosody 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-jitsi-prosody 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-jitsi-prosody diff --git a/roles/matrix-jitsi/templates/web/matrix-jitsi-web.service.j2 b/roles/matrix-jitsi/templates/web/matrix-jitsi-web.service.j2 index 35bfca67..ff577670 100644 --- a/roles/matrix-jitsi/templates/web/matrix-jitsi-web.service.j2 +++ b/roles/matrix-jitsi/templates/web/matrix-jitsi-web.service.j2 @@ -29,8 +29,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-jitsi-web \ {% endfor %} {{ matrix_jitsi_web_docker_image }} -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-jitsi-web 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-jitsi-web 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-jitsi-web 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-jitsi-web 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-jitsi-web diff --git a/roles/matrix-ma1sd/templates/systemd/matrix-ma1sd.service.j2 b/roles/matrix-ma1sd/templates/systemd/matrix-ma1sd.service.j2 index 8e5cc6dd..c3d5850f 100644 --- a/roles/matrix-ma1sd/templates/systemd/matrix-ma1sd.service.j2 +++ b/roles/matrix-ma1sd/templates/systemd/matrix-ma1sd.service.j2 @@ -38,8 +38,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-ma1sd \ {% endfor %} {{ matrix_ma1sd_docker_image }} -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-ma1sd 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-ma1sd 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-ma1sd 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-ma1sd 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-ma1sd diff --git a/roles/matrix-mailer/templates/systemd/matrix-mailer.service.j2 b/roles/matrix-mailer/templates/systemd/matrix-mailer.service.j2 index bf5a2e42..ee316469 100644 --- a/roles/matrix-mailer/templates/systemd/matrix-mailer.service.j2 +++ b/roles/matrix-mailer/templates/systemd/matrix-mailer.service.j2 @@ -27,8 +27,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-mailer \ {% endfor %} {{ matrix_mailer_docker_image }} -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mailer 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mailer 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mailer 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mailer 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-mailer diff --git a/roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 b/roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 index c4000fa9..744b3924 100755 --- a/roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 +++ b/roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 @@ -47,8 +47,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-nginx-proxy \ {% endfor %} {{ matrix_nginx_proxy_docker_image }} -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-nginx-proxy 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-nginx-proxy 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-nginx-proxy 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-nginx-proxy 2>/dev/null' ExecReload={{ matrix_host_command_docker }} exec matrix-nginx-proxy /usr/sbin/nginx -s reload Restart=always RestartSec=30 diff --git a/roles/matrix-postgres-backup/templates/systemd/matrix-postgres-backup.service.j2 b/roles/matrix-postgres-backup/templates/systemd/matrix-postgres-backup.service.j2 index 97c9ae7f..52e12edb 100644 --- a/roles/matrix-postgres-backup/templates/systemd/matrix-postgres-backup.service.j2 +++ b/roles/matrix-postgres-backup/templates/systemd/matrix-postgres-backup.service.j2 @@ -21,8 +21,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-postgres-backu --mount type=bind,src={{ matrix_postgres_backup_path }},dst=/backups \ {{ matrix_postgres_backup_docker_image_to_use }} -ExecStop=-{{ matrix_host_command_docker }} stop matrix-postgres-backup -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-postgres-backup 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_docker }} stop matrix-postgres-backup +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-postgres-backup 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-postgres-backup diff --git a/roles/matrix-postgres/templates/systemd/matrix-postgres.service.j2 b/roles/matrix-postgres/templates/systemd/matrix-postgres.service.j2 index d62a689a..5ef3646d 100644 --- a/roles/matrix-postgres/templates/systemd/matrix-postgres.service.j2 +++ b/roles/matrix-postgres/templates/systemd/matrix-postgres.service.j2 @@ -36,8 +36,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-postgres \ {{ matrix_postgres_docker_image_to_use }} \ postgres {{ matrix_postgres_process_extra_arguments|join(' ') }} -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-postgres 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-postgres 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-postgres 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-postgres 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-postgres diff --git a/roles/matrix-prometheus-node-exporter/templates/systemd/matrix-prometheus-node-exporter.service.j2 b/roles/matrix-prometheus-node-exporter/templates/systemd/matrix-prometheus-node-exporter.service.j2 index 210a0d97..0139b916 100644 --- a/roles/matrix-prometheus-node-exporter/templates/systemd/matrix-prometheus-node-exporter.service.j2 +++ b/roles/matrix-prometheus-node-exporter/templates/systemd/matrix-prometheus-node-exporter.service.j2 @@ -34,8 +34,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-prometheus-nod {{ matrix_prometheus_node_exporter_docker_image }} \ --path.rootfs=/host -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-prometheus-node-exporter 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-prometheus-node-exporter 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-prometheus-node-exporter 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-prometheus-node-exporter 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-prometheus-node-exporter diff --git a/roles/matrix-prometheus-postgres-exporter/templates/systemd/matrix-prometheus-postgres-exporter.service.j2 b/roles/matrix-prometheus-postgres-exporter/templates/systemd/matrix-prometheus-postgres-exporter.service.j2 index b25cb5de..4c9a4eda 100644 --- a/roles/matrix-prometheus-postgres-exporter/templates/systemd/matrix-prometheus-postgres-exporter.service.j2 +++ b/roles/matrix-prometheus-postgres-exporter/templates/systemd/matrix-prometheus-postgres-exporter.service.j2 @@ -30,10 +30,10 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-prometheus-pos -p {{ matrix_prometheus_postgres_exporter_container_http_host_bind_port }}:{{matrix_prometheus_postgres_exporter_port}} \ {% endif %} --pid=host \ - {{ matrix_prometheus_postgres_exporter_docker_image }} + {{ matrix_prometheus_postgres_exporter_docker_image }} -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-prometheus-postgres-exporter 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-prometheus-postgres-exporter 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-prometheus-postgres-exporter 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-prometheus-postgres-exporter 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-prometheus-postgres-exporter diff --git a/roles/matrix-prometheus/templates/systemd/matrix-prometheus.service.j2 b/roles/matrix-prometheus/templates/systemd/matrix-prometheus.service.j2 index ad75d664..2070ece3 100644 --- a/roles/matrix-prometheus/templates/systemd/matrix-prometheus.service.j2 +++ b/roles/matrix-prometheus/templates/systemd/matrix-prometheus.service.j2 @@ -33,8 +33,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-prometheus \ {% endfor %} {{ matrix_prometheus_docker_image }} -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-prometheus 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-prometheus 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-prometheus 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-prometheus 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-prometheus diff --git a/roles/matrix-redis/templates/systemd/matrix-redis.service.j2 b/roles/matrix-redis/templates/systemd/matrix-redis.service.j2 index 5f6699f8..9f9d2902 100644 --- a/roles/matrix-redis/templates/systemd/matrix-redis.service.j2 +++ b/roles/matrix-redis/templates/systemd/matrix-redis.service.j2 @@ -27,8 +27,8 @@ ExecStart=/usr/bin/docker run --rm --name matrix-redis \ {{ matrix_redis_docker_image_to_use }} \ redis-server /usr/local/etc/redis/redis.conf -ExecStop=-/usr/bin/docker stop matrix-redis -ExecStop=-/usr/bin/docker rm matrix-redis +ExecStopPost=-/usr/bin/docker stop matrix-redis +ExecStopPost=-/usr/bin/docker rm matrix-redis Restart=always RestartSec=30 SyslogIdentifier=matrix-redis diff --git a/roles/matrix-registration/templates/systemd/matrix-registration.service.j2 b/roles/matrix-registration/templates/systemd/matrix-registration.service.j2 index e73e3e5f..8de331bf 100644 --- a/roles/matrix-registration/templates/systemd/matrix-registration.service.j2 +++ b/roles/matrix-registration/templates/systemd/matrix-registration.service.j2 @@ -32,8 +32,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-registration \ {{ matrix_registration_docker_image }} \ serve -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-registration 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-registration 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-registration 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-registration 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-registration diff --git a/roles/matrix-sygnal/templates/systemd/matrix-sygnal.service.j2 b/roles/matrix-sygnal/templates/systemd/matrix-sygnal.service.j2 index 019ab40c..84c6f6ea 100644 --- a/roles/matrix-sygnal/templates/systemd/matrix-sygnal.service.j2 +++ b/roles/matrix-sygnal/templates/systemd/matrix-sygnal.service.j2 @@ -32,8 +32,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-sygnal \ {% endfor %} {{ matrix_sygnal_docker_image }} -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-sygnal 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-sygnal 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-sygnal 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-sygnal 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-sygnal diff --git a/roles/matrix-synapse-admin/templates/systemd/matrix-synapse-admin.service.j2 b/roles/matrix-synapse-admin/templates/systemd/matrix-synapse-admin.service.j2 index 4823d89c..28fe08aa 100644 --- a/roles/matrix-synapse-admin/templates/systemd/matrix-synapse-admin.service.j2 +++ b/roles/matrix-synapse-admin/templates/systemd/matrix-synapse-admin.service.j2 @@ -32,8 +32,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-synapse-admin {% endfor %} {{ matrix_synapse_admin_docker_image }} -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-synapse-admin 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-synapse-admin 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-synapse-admin 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-synapse-admin 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-synapse-admin diff --git a/roles/matrix-synapse/templates/goofys/systemd/matrix-goofys.service.j2 b/roles/matrix-synapse/templates/goofys/systemd/matrix-goofys.service.j2 index df4a4f23..f74cbad9 100644 --- a/roles/matrix-synapse/templates/goofys/systemd/matrix-goofys.service.j2 +++ b/roles/matrix-synapse/templates/goofys/systemd/matrix-goofys.service.j2 @@ -27,10 +27,10 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name %n \ -c 'goofys -f{% if not matrix_s3_media_store_custom_endpoint_enabled %} --storage-class=STANDARD_IA{% endif %}{% if matrix_s3_media_store_custom_endpoint_enabled %} --endpoint={{ matrix_s3_media_store_custom_endpoint }}{% endif %} --region {{ matrix_s3_media_store_region }} --stat-cache-ttl 60m0s --type-cache-ttl 60m0s --dir-mode 0700 --file-mode 0700 {{ matrix_s3_media_store_bucket_name }} /s3' TimeoutStartSec=5min -ExecStop=-{{ matrix_host_command_docker }} stop %n -ExecStop=-{{ matrix_host_command_docker }} kill %n -ExecStop=-{{ matrix_host_command_docker }} rm %n -ExecStop=-{{ matrix_host_command_fusermount }} -u {{ matrix_s3_media_store_path }} +ExecStopPost=-{{ matrix_host_command_docker }} stop %n +ExecStopPost=-{{ matrix_host_command_docker }} kill %n +ExecStopPost=-{{ matrix_host_command_docker }} rm %n +ExecStopPost=-{{ matrix_host_command_fusermount }} -u {{ matrix_s3_media_store_path }} Restart=always RestartSec=5 SyslogIdentifier=matrix-goofys diff --git a/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse-worker.service.j2 b/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse-worker.service.j2 index 43dc42d1..66a323f9 100644 --- a/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse-worker.service.j2 +++ b/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse-worker.service.j2 @@ -46,8 +46,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name {{ matrix_synapse_wor run -m synapse.app.{{ matrix_synapse_worker_details.type }} -c /data/homeserver.yaml -c /data/{{ matrix_synapse_worker_config_file_name }} -ExecStop=-{{ matrix_host_command_docker }} kill {{ matrix_synapse_worker_container_name }} -ExecStop=-{{ matrix_host_command_docker }} rm {{ matrix_synapse_worker_container_name }} +ExecStopPost=-{{ matrix_host_command_docker }} kill {{ matrix_synapse_worker_container_name }} +ExecStopPost=-{{ matrix_host_command_docker }} rm {{ matrix_synapse_worker_container_name }} ExecReload={{ matrix_host_command_docker }} exec {{ matrix_synapse_worker_container_name }} /bin/sh -c 'kill -HUP 1' Restart=always diff --git a/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 b/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 index 188db5ef..bfc8dd61 100644 --- a/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 +++ b/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 @@ -63,8 +63,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-synapse \ {{ matrix_synapse_docker_image }} \ run -m synapse.app.homeserver -c /data/homeserver.yaml -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-synapse 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-synapse 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-synapse 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-synapse 2>/dev/null' ExecReload={{ matrix_host_command_docker }} exec matrix-synapse /bin/sh -c 'kill -HUP 1' Restart=always RestartSec=30 From 5788a16a2e6f1e44b6bb9d6c8f75581f17884928 Mon Sep 17 00:00:00 2001 From: rakshazi Date: Wed, 5 Jan 2022 18:33:21 +0200 Subject: [PATCH 108/202] added matrix-client-cinny --- README.md | 2 + docs/configuring-dns.md | 2 + docs/configuring-playbook-client-cinny.md | 21 ++++ docs/configuring-playbook.md | 1 + docs/self-building.md | 1 + group_vars/matrix_servers | 28 +++++ roles/matrix-base/defaults/main.yml | 3 + roles/matrix-client-cinny/defaults/main.yml | 54 +++++++++ roles/matrix-client-cinny/tasks/init.yml | 10 ++ roles/matrix-client-cinny/tasks/main.yml | 28 +++++ .../matrix-client-cinny/tasks/self_check.yml | 22 ++++ .../tasks/setup_install.yml | 71 ++++++++++++ .../tasks/setup_uninstall.yml | 35 ++++++ .../tasks/validate_config.yml | 8 ++ .../templates/config.json.j2 | 6 + .../templates/nginx.conf.j2 | 66 +++++++++++ .../systemd/matrix-client-cinny.service.j2 | 40 +++++++ roles/matrix-nginx-proxy/defaults/main.yml | 9 +- .../tasks/setup_nginx_proxy.yml | 13 +++ .../nginx/conf.d/matrix-client-cinny.conf.j2 | 104 ++++++++++++++++++ setup.yml | 1 + 21 files changed, 524 insertions(+), 1 deletion(-) create mode 100644 docs/configuring-playbook-client-cinny.md create mode 100644 roles/matrix-client-cinny/defaults/main.yml create mode 100644 roles/matrix-client-cinny/tasks/init.yml create mode 100644 roles/matrix-client-cinny/tasks/main.yml create mode 100644 roles/matrix-client-cinny/tasks/self_check.yml create mode 100644 roles/matrix-client-cinny/tasks/setup_install.yml create mode 100644 roles/matrix-client-cinny/tasks/setup_uninstall.yml create mode 100644 roles/matrix-client-cinny/tasks/validate_config.yml create mode 100644 roles/matrix-client-cinny/templates/config.json.j2 create mode 100644 roles/matrix-client-cinny/templates/nginx.conf.j2 create mode 100644 roles/matrix-client-cinny/templates/systemd/matrix-client-cinny.service.j2 create mode 100644 roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-cinny.conf.j2 diff --git a/README.md b/README.md index 59bd915e..80608c69 100644 --- a/README.md +++ b/README.md @@ -113,6 +113,8 @@ Using this playbook, you can get the following services configured on your serve - (optional) the [Hydrogen](https://github.com/vector-im/hydrogen-web) web client - see [docs/configuring-playbook-client-hydrogen.md](docs/configuring-playbook-client-hydrogen.md) for setup documentation +- (optional) the [Cinny](https://github.com/ajbura/cinny) web client - see [docs/configuring-playbook-client-cinny.md](docs/configuring-playbook-client-cinny.md) for setup documentation + Basically, this playbook aims to get you up-and-running with all the necessities around Matrix, without you having to do anything else. **Note**: the list above is exhaustive. It includes optional or even some advanced components that you will most likely not need. diff --git a/docs/configuring-dns.md b/docs/configuring-dns.md index af2badca..4416c3bc 100644 --- a/docs/configuring-dns.md +++ b/docs/configuring-dns.md @@ -37,6 +37,7 @@ If you are using Cloudflare DNS, make sure to disable the proxy and set all reco | CNAME | `goneb` | - | - | - | `matrix.` | | CNAME | `sygnal` | - | - | - | `matrix.` | | CNAME | `hydrogen` | - | - | - | `matrix.` | +| CNAME | `cinny` | - | - | - | `matrix.` | ## Subdomains setup @@ -57,6 +58,7 @@ The `sygnal.` subdomain may be necessary, because this playbook cou The `hydrogen.` subdomain may be necessary, because this playbook could install the [Hydrogen](https://github.com/vector-im/hydrogen-web) web client. The installation of Hydrogen is disabled by default, it is not a core required component. To learn how to install it, see our [configuring Hydrogen guide](configuring-playbook-client-hydrogen.md). If you do not wish to set up Hydrogen, feel free to skip the `hydrogen.` DNS record. +The `cinny.` subdomain may be necessary, because this playbook could install the [Cinny](https://github.com/ajbura/cinny) web client. The installation of cinny is disabled by default, it is not a core required component. To learn how to install it, see our [configuring cinny guide](configuring-playbook-client-cinny.md). If you do not wish to set up cinny, feel free to skip the `cinny.` DNS record. ## `_matrix-identity._tcp` SRV record setup diff --git a/docs/configuring-playbook-client-cinny.md b/docs/configuring-playbook-client-cinny.md new file mode 100644 index 00000000..73a8bbee --- /dev/null +++ b/docs/configuring-playbook-client-cinny.md @@ -0,0 +1,21 @@ +# Configuring Cinny (optional) + +This playbook can install the [cinny](https://github.com/ajbura/cinny) Matrix web client for you. +cinny is a web client focusing primarily on simple, elegant and secure interface. +cinny can be installed alongside or instead of Element. + +If you'd like cinny to be installed, add the following to your configuration file (`inventory/host_vars/matrix./vars.yml`): + +```yaml +matrix_client_cinny_enabled: true +``` + +You will also need to add a DNS record so that cinny can be accessed. +By default cinny will use https://cinny.DOMAIN so you will need to create an CNAME record +for `cinny`. See [Configuring DNS](configuring-dns.md). + +If you would like to use a different domain, add the following to your configuration file (changing it to use your preferred domain): + +```yaml + matrix_server_fqn_cinny: "app.{{ matrix_domain }}" +``` diff --git a/docs/configuring-playbook.md b/docs/configuring-playbook.md index 0f35325d..6b5a9e5d 100644 --- a/docs/configuring-playbook.md +++ b/docs/configuring-playbook.md @@ -69,6 +69,7 @@ When you're done with all the configuration you'd like to do, continue with [Ins - [Adjusting email-sending settings](configuring-playbook-email.md) (optional) - [Setting up Hydrogen](configuring-playbook-client-hydrogen.md) - a new lightweight matrix client with legacy and mobile browser support (optional) +- [Setting up Cinny](configuring-playbook-client-cinny.md) - a web client focusing primarily on simple, elegant and secure interface (optional) ### Authentication and user-related diff --git a/docs/self-building.md b/docs/self-building.md index 9bf435c0..4d5c2db2 100644 --- a/docs/self-building.md +++ b/docs/self-building.md @@ -15,6 +15,7 @@ List of roles where self-building the Docker image is currently possible: - `matrix-synapse-admin` - `matrix-client-element` - `matrix-client-hydrogen` +- `matrix-client-cinny` - `matrix-registration` - `matrix-coturn` - `matrix-corporal` diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 8edcd6ba..fb1762c7 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -1332,6 +1332,7 @@ matrix_nginx_proxy_proxy_matrix_client_redirect_root_uri_to_domain: "{{ matrix_s matrix_nginx_proxy_proxy_matrix_enabled: true matrix_nginx_proxy_proxy_element_enabled: "{{ matrix_client_element_enabled }}" matrix_nginx_proxy_proxy_hydrogen_enabled: "{{ matrix_client_hydrogen_enabled }}" +matrix_nginx_proxy_proxy_cinny_enabled: "{{ matrix_client_cinny_enabled }}" matrix_nginx_proxy_proxy_dimension_enabled: "{{ matrix_dimension_enabled }}" matrix_nginx_proxy_proxy_bot_go_neb_enabled: "{{ matrix_bot_go_neb_enabled }}" matrix_nginx_proxy_proxy_jitsi_enabled: "{{ matrix_jitsi_enabled }}" @@ -1417,6 +1418,8 @@ matrix_ssl_domains_to_obtain_certificates_for: | + ([matrix_server_fqn_hydrogen] if matrix_client_hydrogen_enabled else []) + + ([matrix_server_fqn_cinny] if matrix_client_cinny_enabled else []) + + ([matrix_server_fqn_dimension] if matrix_dimension_enabled else []) + ([matrix_server_fqn_bot_go_neb] if matrix_bot_go_neb_enabled else []) @@ -1760,6 +1763,31 @@ matrix_client_hydrogen_self_check_validate_certificates: "{{ false if matrix_ssl +###################################################################### +# +# matrix-client-cinny +# +###################################################################### + +matrix_client_cinny_enabled: false + +# Normally, matrix-nginx-proxy is enabled and nginx can reach Cinny over the container network. +# If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose +# the HTTP port to the local host. +matrix_client_cinny_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:8080' }}" + +matrix_client_cinny_default_hs_url: "{{ matrix_homeserver_url }}" + +matrix_client_cinny_self_check_validate_certificates: "{{ false if matrix_ssl_retrieval_method == 'self-signed' else true }}" + +###################################################################### +# +# /matrix-client-cinny +# +###################################################################### + + + ###################################################################### # # matrix-synapse diff --git a/roles/matrix-base/defaults/main.yml b/roles/matrix-base/defaults/main.yml index 4767bcf4..9b137bae 100644 --- a/roles/matrix-base/defaults/main.yml +++ b/roles/matrix-base/defaults/main.yml @@ -21,6 +21,9 @@ matrix_server_fqn_element: "element.{{ matrix_domain }}" # This is where you access the Hydrogen web client from (if enabled via matrix_client_hydrogen_enabled; disabled by default). matrix_server_fqn_hydrogen: "hydrogen.{{ matrix_domain }}" +# This is where you access the Cinny web client from (if enabled via matrix_client_cinny_enabled; disabled by default). +matrix_server_fqn_cinny: "cinny.{{ matrix_domain }}" + # This is where you access the Dimension. matrix_server_fqn_dimension: "dimension.{{ matrix_domain }}" diff --git a/roles/matrix-client-cinny/defaults/main.yml b/roles/matrix-client-cinny/defaults/main.yml new file mode 100644 index 00000000..e693e2b2 --- /dev/null +++ b/roles/matrix-client-cinny/defaults/main.yml @@ -0,0 +1,54 @@ +matrix_client_cinny_enabled: true + +matrix_client_cinny_container_image_self_build: false +matrix_client_cinny_container_image_self_build_repo: "https://github.com/ajbura/cinny.git" + +matrix_client_cinny_version: v1.6.1 +matrix_client_cinny_docker_image: "{{ matrix_client_cinny_docker_image_name_prefix }}ajbura/cinny:{{ matrix_client_cinny_version }}" +matrix_client_cinny_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_cinny_container_image_self_build }}" +matrix_client_cinny_docker_image_force_pull: "{{ matrix_client_cinny_docker_image.endswith(':latest') }}" + +matrix_client_cinny_data_path: "{{ matrix_base_data_path }}/client-cinny" +matrix_client_cinny_docker_src_files_path: "{{ matrix_client_cinny_data_path }}/docker-src" + +# Controls whether the container exposes its HTTP port (tcp/8080 in the container). +# +# Takes an ":" or "" value (e.g. "127.0.0.1:8768"), or empty string to not expose. +matrix_client_cinny_container_http_host_bind_port: '' + +# A list of extra arguments to pass to the container +matrix_client_cinny_container_extra_arguments: [] + +# List of systemd services that matrix-client-cinny.service depends on +matrix_client_cinny_systemd_required_services_list: ['docker.service'] + +# Controls whether the self-check feature should validate SSL certificates. +matrix_client_cinny_self_check_validate_certificates: true + +# config.json +matrix_client_cinny_default_hs_url: "" + +# Default cinny configuration template which covers the generic use case. +# You can customize it by controlling the various variables inside it. +# +# For a more advanced customization, you can extend the default (see `matrix_client_cinny_configuration_extension_json`) +# or completely replace this variable with your own template. +# +# The side-effect of this lookup is that Ansible would even parse the JSON for us, returning a dict. +# This is unlike what it does when looking up YAML template files (no automatic parsing there). +matrix_client_cinny_configuration_default: "{{ lookup('template', 'templates/config.json.j2') }}" + +# Your custom JSON configuration for cinny should go to `matrix_client_cinny_configuration_extension_json`. +# This configuration extends the default starting configuration (`matrix_client_cinny_configuration_default`). +# +# You can override individual variables from the default configuration, or introduce new ones. +# +# If you need something more special, you can take full control by +# completely redefining `matrix_client_cinny_configuration_default`. +matrix_client_cinny_configuration_extension_json: '{}' + +matrix_client_cinny_configuration_extension: "{{ matrix_client_cinny_configuration_extension_json|from_json if matrix_client_cinny_configuration_extension_json|from_json is mapping else {} }}" + +# Holds the final cinny configuration (a combination of the default and its extension). +# You most likely don't need to touch this variable. Instead, see `matrix_client_cinny_configuration_default`. +matrix_client_cinny_configuration: "{{ matrix_client_cinny_configuration_default|combine(matrix_client_cinny_configuration_extension, recursive=True) }}" diff --git a/roles/matrix-client-cinny/tasks/init.yml b/roles/matrix-client-cinny/tasks/init.yml new file mode 100644 index 00000000..e6889e4d --- /dev/null +++ b/roles/matrix-client-cinny/tasks/init.yml @@ -0,0 +1,10 @@ +# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 +# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 +- name: Fail if trying to self-build on Ansible < 2.8 + fail: + msg: "To self-build the Cinny image, you should use Ansible 2.8 or higher. See docs/ansible.md" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_client_cinny_container_image_self_build and matrix_client_cinny_enabled" + +- set_fact: + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-client-cinny.service'] }}" + when: matrix_client_cinny_enabled|bool diff --git a/roles/matrix-client-cinny/tasks/main.yml b/roles/matrix-client-cinny/tasks/main.yml new file mode 100644 index 00000000..8a39c021 --- /dev/null +++ b/roles/matrix-client-cinny/tasks/main.yml @@ -0,0 +1,28 @@ +- import_tasks: "{{ role_path }}/tasks/init.yml" + tags: + - always + +- import_tasks: "{{ role_path }}/tasks/validate_config.yml" + when: "run_setup|bool and matrix_client_cinny_enabled|bool" + tags: + - setup-all + - setup-client-cinny + +- import_tasks: "{{ role_path }}/tasks/setup_install.yml" + when: "run_setup|bool and matrix_client_cinny_enabled|bool" + tags: + - setup-all + - setup-client-cinny + +- import_tasks: "{{ role_path }}/tasks/self_check.yml" + delegate_to: 127.0.0.1 + become: false + when: "run_self_check|bool and matrix_client_cinny_enabled|bool" + tags: + - self-check + +- import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" + when: "run_setup|bool and not matrix_client_cinny_enabled|bool" + tags: + - setup-all + - setup-client-cinny diff --git a/roles/matrix-client-cinny/tasks/self_check.yml b/roles/matrix-client-cinny/tasks/self_check.yml new file mode 100644 index 00000000..df1241a8 --- /dev/null +++ b/roles/matrix-client-cinny/tasks/self_check.yml @@ -0,0 +1,22 @@ +--- + +- set_fact: + matrix_client_cinny_url_endpoint_public: "https://{{ matrix_server_fqn_cinny }}/config.json" + +- name: Check Cinny + uri: + url: "{{ matrix_client_cinny_url_endpoint_public }}" + follow_redirects: none + validate_certs: "{{ matrix_client_cinny_self_check_validate_certificates }}" + register: matrix_client_cinny_self_check_result + check_mode: no + ignore_errors: true + +- name: Fail if Cinny not working + fail: + msg: "Failed checking Cinny is up at `{{ matrix_server_fqn_cinny }}` (checked endpoint: `{{ matrix_client_cinny_url_endpoint_public }}`). Is Cinny running? Is port 443 open in your firewall? Full error: {{ matrix_client_cinny_self_check_result }}" + when: "matrix_client_cinny_self_check_result.failed or 'json' not in matrix_client_cinny_self_check_result" + +- name: Report working Cinny + debug: + msg: "Cinny at `{{ matrix_server_fqn_cinny }}` is working (checked endpoint: `{{ matrix_client_cinny_url_endpoint_public }}`)" diff --git a/roles/matrix-client-cinny/tasks/setup_install.yml b/roles/matrix-client-cinny/tasks/setup_install.yml new file mode 100644 index 00000000..5d92f1d3 --- /dev/null +++ b/roles/matrix-client-cinny/tasks/setup_install.yml @@ -0,0 +1,71 @@ +--- +- name: Ensure Cinny paths exists + file: + path: "{{ item.path }}" + state: directory + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: + - { path: "{{ matrix_client_cinny_data_path }}", when: true } + - { path: "{{ matrix_client_cinny_docker_src_files_path }}", when: "{{ matrix_client_cinny_container_image_self_build }}" } + when: "item.when|bool" + +- name: Ensure Cinny Docker image is pulled + docker_image: + name: "{{ matrix_client_cinny_docker_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_client_cinny_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_client_cinny_docker_image_force_pull }}" + when: "not matrix_client_cinny_container_image_self_build|bool" + +- name: Ensure Cinny repository is present on self-build + git: + repo: "{{ matrix_client_cinny_container_image_self_build_repo }}" + dest: "{{ matrix_client_cinny_docker_src_files_path }}" + version: "{{ matrix_client_cinny_docker_image.split(':')[1] }}" + force: "yes" + register: matrix_client_cinny_git_pull_results + when: "matrix_client_cinny_container_image_self_build|bool" + +- name: Ensure Cinny configuration installed + copy: + content: "{{ matrix_client_cinny_configuration|to_nice_json }}" + dest: "{{ matrix_client_cinny_data_path }}/config.json" + mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + +- name: Ensure Cinny additional config files installed + template: + src: "{{ item.src }}" + dest: "{{ matrix_client_cinny_data_path }}/{{ item.name }}" + mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: + - {src: "{{ role_path }}/templates/nginx.conf.j2", name: "nginx.conf"} + when: "item.src is not none" + +- name: Ensure Cinny Docker image is built + docker_image: + name: "{{ matrix_client_cinny_docker_image }}" + source: build + force_source: "{{ matrix_client_cinny_git_pull_results.changed }}" + build: + dockerfile: Dockerfile + path: "{{ matrix_client_cinny_docker_src_files_path }}" + pull: yes + when: "matrix_client_cinny_container_image_self_build|bool" + +- name: Ensure matrix-client-cinny.service installed + template: + src: "{{ role_path }}/templates/systemd/matrix-client-cinny.service.j2" + dest: "{{ matrix_systemd_path }}/matrix-client-cinny.service" + mode: 0644 + register: matrix_client_cinny_systemd_service_result + +- name: Ensure systemd reloaded after matrix-client-cinny.service installation + service: + daemon_reload: yes + when: "matrix_client_cinny_systemd_service_result.changed|bool" diff --git a/roles/matrix-client-cinny/tasks/setup_uninstall.yml b/roles/matrix-client-cinny/tasks/setup_uninstall.yml new file mode 100644 index 00000000..2a3bffb5 --- /dev/null +++ b/roles/matrix-client-cinny/tasks/setup_uninstall.yml @@ -0,0 +1,35 @@ +--- +- name: Check existence of matrix-client-cinny.service + stat: + path: "{{ matrix_systemd_path }}/matrix-client-cinny.service" + register: matrix_client_cinny_service_stat + +- name: Ensure matrix-client-cinny is stopped + service: + name: matrix-client-cinny + state: stopped + enabled: no + daemon_reload: yes + register: stopping_result + when: "matrix_client_cinny_service_stat.stat.exists|bool" + +- name: Ensure matrix-client-cinny.service doesn't exist + file: + path: "{{ matrix_systemd_path }}/matrix-client-cinny.service" + state: absent + when: "matrix_client_cinny_service_stat.stat.exists|bool" + +- name: Ensure systemd reloaded after matrix-client-cinny.service removal + service: + daemon_reload: yes + when: "matrix_client_cinny_service_stat.stat.exists|bool" + +- name: Ensure Cinny paths doesn't exist + file: + path: "{{ matrix_client_cinny_data_path }}" + state: absent + +- name: Ensure Cinny Docker image doesn't exist + docker_image: + name: "{{ matrix_client_cinny_docker_image }}" + state: absent diff --git a/roles/matrix-client-cinny/tasks/validate_config.yml b/roles/matrix-client-cinny/tasks/validate_config.yml new file mode 100644 index 00000000..198782e9 --- /dev/null +++ b/roles/matrix-client-cinny/tasks/validate_config.yml @@ -0,0 +1,8 @@ +--- +- name: Fail if required Cinny settings not defined + fail: + msg: > + You need to define a required configuration setting (`{{ item }}`) to use Cinny. + when: "(vars[item] == '' or vars[item] is none) and matrix_client_cinny_container_image_self_build|bool" + with_items: + - "matrix_client_cinny_default_hs_url" diff --git a/roles/matrix-client-cinny/templates/config.json.j2 b/roles/matrix-client-cinny/templates/config.json.j2 new file mode 100644 index 00000000..9731a372 --- /dev/null +++ b/roles/matrix-client-cinny/templates/config.json.j2 @@ -0,0 +1,6 @@ +{ + "defaultHomeserver": 0, + "homeserverList": [ + {{ matrix_client_cinny_default_hs_url|string|to_json }} + ] +} diff --git a/roles/matrix-client-cinny/templates/nginx.conf.j2 b/roles/matrix-client-cinny/templates/nginx.conf.j2 new file mode 100644 index 00000000..fba16bbd --- /dev/null +++ b/roles/matrix-client-cinny/templates/nginx.conf.j2 @@ -0,0 +1,66 @@ +#jinja2: lstrip_blocks: "True" +# This is a custom nginx configuration file that we use in the container (instead of the default one), +# because it allows us to run nginx with a non-root user. +# +# For this to work, the default vhost file (`/etc/nginx/conf.d/default.conf`) also needs to be removed. +# (mounting `/dev/null` over `/etc/nginx/conf.d/default.conf` works well) +# +# The following changes have been done compared to a default nginx configuration file: +# - default server port is changed (80 -> 8080), so that a non-root user can bind it +# - various temp paths are changed to `/tmp`, so that a non-root user can write to them +# - the `user` directive was removed, as we don't want nginx to switch users + +worker_processes 1; + +error_log /var/log/nginx/error.log warn; +pid /tmp/nginx.pid; + + +events { + worker_connections 1024; +} + + +http { + proxy_temp_path /tmp/proxy_temp; + client_body_temp_path /tmp/client_temp; + fastcgi_temp_path /tmp/fastcgi_temp; + uwsgi_temp_path /tmp/uwsgi_temp; + scgi_temp_path /tmp/scgi_temp; + + include /etc/nginx/mime.types; + default_type application/octet-stream; + + log_format main '$remote_addr - $remote_user [$time_local] "$request" ' + '$status $body_bytes_sent "$http_referer" ' + '"$http_user_agent" "$http_x_forwarded_for"'; + + access_log /var/log/nginx/access.log main; + + sendfile on; + #tcp_nopush on; + + keepalive_timeout 65; + + #gzip on; + + server { + listen 8080; + server_name localhost; + + root /usr/share/nginx/html; + + location / { + index index.html index.htm; + } + + location ~* ^/(config(.+)?\.json$|(.+)\.html$|i18n) { + expires -1; + } + + error_page 500 502 503 504 /50x.html; + location = /50x.html { + root /usr/share/nginx/html; + } + } +} diff --git a/roles/matrix-client-cinny/templates/systemd/matrix-client-cinny.service.j2 b/roles/matrix-client-cinny/templates/systemd/matrix-client-cinny.service.j2 new file mode 100644 index 00000000..aa5a0432 --- /dev/null +++ b/roles/matrix-client-cinny/templates/systemd/matrix-client-cinny.service.j2 @@ -0,0 +1,40 @@ +#jinja2: lstrip_blocks: "True" +[Unit] +Description=Matrix Cinny Client +{% for service in matrix_client_cinny_systemd_required_services_list %} +Requires={{ service }} +After={{ service }} +{% endfor %} +DefaultDependencies=no + +[Service] +Type=simple +Environment="HOME={{ matrix_systemd_unit_home_path }}" +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-client-cinny 2>/dev/null' +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-client-cinny 2>/dev/null' + +ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-client-cinny \ + --log-driver=none \ + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + --cap-drop=ALL \ + --read-only \ + --network={{ matrix_docker_network }} \ + {% if matrix_client_cinny_container_http_host_bind_port %} + -p {{ matrix_client_cinny_container_http_host_bind_port }}:8080 \ + {% endif %} + --tmpfs=/tmp:rw,noexec,nosuid,size=10m \ + --mount type=bind,src={{ matrix_client_cinny_data_path }}/nginx.conf,dst=/etc/nginx/nginx.conf,ro \ + --mount type=bind,src={{ matrix_client_cinny_data_path }}/config.json,dst=/app/config.json,ro \ + {% for arg in matrix_client_cinny_container_extra_arguments %} + {{ arg }} \ + {% endfor %} + {{ matrix_client_cinny_docker_image }} + +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-client-cinny 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-client-cinny 2>/dev/null' +Restart=always +RestartSec=30 +SyslogIdentifier=matrix-client-cinny + +[Install] +WantedBy=multi-user.target diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index 27b0b42d..74f53e67 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -128,6 +128,10 @@ matrix_nginx_proxy_proxy_element_hostname: "{{ matrix_server_fqn_element }}" matrix_nginx_proxy_proxy_hydrogen_enabled: false matrix_nginx_proxy_proxy_hydrogen_hostname: "{{ matrix_server_fqn_hydrogen }}" +# Controls whether proxying the Cinny domain should be done. +matrix_nginx_proxy_proxy_cinny_enabled: false +matrix_nginx_proxy_proxy_cinny_hostname: "{{ matrix_server_fqn_cinny }}" + # Controls whether proxying the matrix domain should be done. matrix_nginx_proxy_proxy_matrix_enabled: false matrix_nginx_proxy_proxy_matrix_hostname: "{{ matrix_server_fqn_matrix }}" @@ -273,9 +277,12 @@ matrix_nginx_proxy_proxy_riot_additional_server_configuration_blocks: [] # A list of strings containing additional configuration blocks to add to Element's server configuration (matrix-client-element.conf). matrix_nginx_proxy_proxy_element_additional_server_configuration_blocks: [] -# A list of strings containing additional configuration blocks to add to Element's server configuration (matrix-client-element.conf). +# A list of strings containing additional configuration blocks to add to Hydrogen's server configuration (matrix-client-hydrogen.conf). matrix_nginx_proxy_proxy_hydrogen_additional_server_configuration_blocks: [] +# A list of strings containing additional configuration blocks to add to Cinny's server configuration (matrix-client-cinny.conf). +matrix_nginx_proxy_proxy_cinny_additional_server_configuration_blocks: [] + # A list of strings containing additional configuration blocks to add to Dimension's server configuration (matrix-dimension.conf). matrix_nginx_proxy_proxy_dimension_additional_server_configuration_blocks: [] diff --git a/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml b/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml index d325d2f0..5ddbb19d 100644 --- a/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml +++ b/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml @@ -88,6 +88,13 @@ mode: 0644 when: matrix_nginx_proxy_proxy_hydrogen_enabled|bool +- name: Ensure Matrix nginx-proxy configuration for Cinny domain exists + template: + src: "{{ role_path }}/templates/nginx/conf.d/matrix-client-cinny.conf.j2" + dest: "{{ matrix_nginx_proxy_confd_path }}/matrix-client-cinny.conf" + mode: 0644 + when: matrix_nginx_proxy_proxy_cinny_enabled|bool + - name: Ensure Matrix nginx-proxy configuration for dimension domain exists template: src: "{{ role_path }}/templates/nginx/conf.d/matrix-dimension.conf.j2" @@ -227,6 +234,12 @@ state: absent when: "not matrix_nginx_proxy_proxy_hydrogen_enabled|bool" +- name: Ensure Matrix nginx-proxy configuration for Cinny domain deleted + file: + path: "{{ matrix_nginx_proxy_confd_path }}/matrix-client-cinny.conf" + state: absent + when: "not matrix_nginx_proxy_proxy_cinny_enabled|bool" + - name: Ensure Matrix nginx-proxy configuration for dimension domain deleted file: path: "{{ matrix_nginx_proxy_confd_path }}/matrix-dimension.conf" diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-cinny.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-cinny.conf.j2 new file mode 100644 index 00000000..df66349f --- /dev/null +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-cinny.conf.j2 @@ -0,0 +1,104 @@ +#jinja2: lstrip_blocks: "True" + +{% macro render_vhost_directives() %} + gzip on; + gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif; + + {% if matrix_nginx_proxy_hsts_preload_enabled %} + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; + {% else %} + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + {% endif %} + add_header X-XSS-Protection "{{ matrix_nginx_proxy_xss_protection }}"; + add_header X-Content-Type-Options nosniff; + add_header X-Frame-Options SAMEORIGIN; + add_header Content-Security-Policy "frame-ancestors 'none'"; + {% if matrix_nginx_proxy_floc_optout_enabled %} + add_header Permissions-Policy interest-cohort=() always; + {% endif %} + + {% for configuration_block in matrix_nginx_proxy_proxy_cinny_additional_server_configuration_blocks %} + {{- configuration_block }} + {% endfor %} + + location / { + {% if matrix_nginx_proxy_enabled %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver 127.0.0.11 valid=5s; + set $backend "matrix-client-cinny:8080"; + proxy_pass http://$backend; + {% else %} + {# Generic configuration for use outside of our container setup #} + proxy_pass http://127.0.0.1:8080; + {% endif %} + + proxy_set_header Host $host; + proxy_set_header X-Forwarded-For {{ matrix_nginx_proxy_x_forwarded_for }}; + } +{% endmacro %} + +server { + listen {{ 8080 if matrix_nginx_proxy_enabled else 80 }}; + listen [::]:{{ 8080 if matrix_nginx_proxy_enabled else 80 }}; + + + server_name {{ matrix_nginx_proxy_proxy_cinny_hostname }}; + + server_tokens off; + root /dev/null; + + {% if matrix_nginx_proxy_https_enabled %} + location /.well-known/acme-challenge { + {% if matrix_nginx_proxy_enabled %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver 127.0.0.11 valid=5s; + set $backend "matrix-certbot:8080"; + proxy_pass http://$backend; + {% else %} + {# Generic configuration for use outside of our container setup #} + proxy_pass http://127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}; + {% endif %} + } + + location / { + return 301 https://$http_host$request_uri; + } + {% else %} + {{ render_vhost_directives() }} + {% endif %} +} + +{% if matrix_nginx_proxy_https_enabled %} +server { + listen {{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2; + listen [::]:{{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2; + + server_name {{ matrix_nginx_proxy_proxy_cinny_hostname }}; + + server_tokens off; + root /dev/null; + + ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_cinny_hostname }}/fullchain.pem; + ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_cinny_hostname }}/privkey.pem; + + ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; + {% if matrix_nginx_proxy_ssl_ciphers != "" %} + ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }}; + {% endif %} + ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; + + {% if matrix_nginx_proxy_ocsp_stapling_enabled %} + ssl_stapling on; + ssl_stapling_verify on; + ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_cinny_hostname }}/chain.pem; + {% endif %} + + {% if matrix_nginx_proxy_ssl_session_tickets_off %} + ssl_session_tickets off; + {% endif %} + ssl_session_cache {{ matrix_nginx_proxy_ssl_session_cache }}; + ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }}; + + {{ render_vhost_directives() }} +} +{% endif %} diff --git a/setup.yml b/setup.yml index edd21205..99d4ab18 100755 --- a/setup.yml +++ b/setup.yml @@ -47,6 +47,7 @@ - matrix-registration - matrix-client-element - matrix-client-hydrogen + - matrix-client-cinny - matrix-jitsi - matrix-ma1sd - matrix-dimension From 490f11ba0df89f384d905318083bab0e078ea789 Mon Sep 17 00:00:00 2001 From: rakshazi Date: Thu, 6 Jan 2022 09:11:28 +0200 Subject: [PATCH 109/202] matrix-client-cinny: self_build feedback" --- group_vars/matrix_servers | 2 ++ roles/matrix-client-cinny/tasks/validate_config.yml | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index fb1762c7..d5dfb391 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -1771,6 +1771,8 @@ matrix_client_hydrogen_self_check_validate_certificates: "{{ false if matrix_ssl matrix_client_cinny_enabled: false +matrix_client_cinny_container_image_self_build: "{{ matrix_architecture != 'amd64' }}" + # Normally, matrix-nginx-proxy is enabled and nginx can reach Cinny over the container network. # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose # the HTTP port to the local host. diff --git a/roles/matrix-client-cinny/tasks/validate_config.yml b/roles/matrix-client-cinny/tasks/validate_config.yml index 198782e9..d8e804c5 100644 --- a/roles/matrix-client-cinny/tasks/validate_config.yml +++ b/roles/matrix-client-cinny/tasks/validate_config.yml @@ -3,6 +3,6 @@ fail: msg: > You need to define a required configuration setting (`{{ item }}`) to use Cinny. - when: "(vars[item] == '' or vars[item] is none) and matrix_client_cinny_container_image_self_build|bool" + when: "vars[item] == '' or vars[item] is none" with_items: - "matrix_client_cinny_default_hs_url" From 1098e64d19f1791a07faa2de93b7abc34ca2a95b Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 6 Jan 2022 10:53:07 +0200 Subject: [PATCH 110/202] Announce Cinny support Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1509 --- CHANGELOG.md | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 1d7331e9..8443d36a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,14 @@ +# 2022-01-06 + +## Cinny support + +Thanks to [Aine](https://gitlab.com/etke.cc) of [etke.cc](https://etke.cc/), the playbook now supports [Cinny](https://cinny.in/) - a new simple, elegant and secure Matrix client. + +By default, we still install Element. Still, people who'd like to try Cinny out can now install it via the playbook. + +Additional details are available in [Setting up Cinny](docs/configuring-playbook-client-cinny.md). + + # 2021-12-22 ## Twitter bridging support via mautrix-twitter From 7dfb68b7f82fb09edbcdcad2a98875be2c3dda42 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 6 Jan 2022 11:04:35 +0200 Subject: [PATCH 111/202] Add else statements to inline ifs Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1509 --- roles/matrix-client-cinny/defaults/main.yml | 2 +- roles/matrix-client-hydrogen/defaults/main.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/matrix-client-cinny/defaults/main.yml b/roles/matrix-client-cinny/defaults/main.yml index e693e2b2..21ce09d4 100644 --- a/roles/matrix-client-cinny/defaults/main.yml +++ b/roles/matrix-client-cinny/defaults/main.yml @@ -5,7 +5,7 @@ matrix_client_cinny_container_image_self_build_repo: "https://github.com/ajbura/ matrix_client_cinny_version: v1.6.1 matrix_client_cinny_docker_image: "{{ matrix_client_cinny_docker_image_name_prefix }}ajbura/cinny:{{ matrix_client_cinny_version }}" -matrix_client_cinny_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_cinny_container_image_self_build }}" +matrix_client_cinny_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_cinny_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_client_cinny_docker_image_force_pull: "{{ matrix_client_cinny_docker_image.endswith(':latest') }}" matrix_client_cinny_data_path: "{{ matrix_base_data_path }}/client-cinny" diff --git a/roles/matrix-client-hydrogen/defaults/main.yml b/roles/matrix-client-hydrogen/defaults/main.yml index 3cfb2337..4ca2224b 100644 --- a/roles/matrix-client-hydrogen/defaults/main.yml +++ b/roles/matrix-client-hydrogen/defaults/main.yml @@ -7,7 +7,7 @@ matrix_client_hydrogen_container_image_self_build_repo: "https://github.com/vect matrix_client_hydrogen_version: v0.2.19 matrix_client_hydrogen_docker_image: "{{ matrix_client_hydrogen_docker_image_name_prefix }}vectorim/hydrogen-web:{{ matrix_client_hydrogen_version }}" -matrix_client_hydrogen_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_hydrogen_container_image_self_build }}" +matrix_client_hydrogen_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_hydrogen_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_client_hydrogen_docker_image_force_pull: "{{ matrix_client_hydrogen_docker_image.endswith(':latest') }}" matrix_client_hydrogen_data_path: "{{ matrix_base_data_path }}/client-hydrogen" From 407e8c4940ecec98f9826df0c135443431459a5f Mon Sep 17 00:00:00 2001 From: rakshazi Date: Thu, 6 Jan 2022 20:30:10 +0200 Subject: [PATCH 112/202] added honoroit --- README.md | 2 + docs/configuring-playbook-bot-honoroit.md | 55 +++++++++++ docs/configuring-playbook.md | 2 + docs/container-images.md | 2 + docs/self-building.md | 1 + group_vars/matrix_servers | 37 ++++++++ roles/matrix-bot-honoroit/defaults/main.yml | 95 +++++++++++++++++++ roles/matrix-bot-honoroit/tasks/init.yml | 3 + roles/matrix-bot-honoroit/tasks/main.yml | 21 ++++ .../tasks/setup_install.yml | 86 +++++++++++++++++ .../tasks/setup_uninstall.yml | 36 +++++++ .../tasks/validate_config.yml | 10 ++ .../systemd/matrix-bot-honoroit.service.j2 | 51 ++++++++++ setup.yml | 1 + 14 files changed, 402 insertions(+) create mode 100644 docs/configuring-playbook-bot-honoroit.md create mode 100644 roles/matrix-bot-honoroit/defaults/main.yml create mode 100644 roles/matrix-bot-honoroit/tasks/init.yml create mode 100644 roles/matrix-bot-honoroit/tasks/main.yml create mode 100644 roles/matrix-bot-honoroit/tasks/setup_install.yml create mode 100644 roles/matrix-bot-honoroit/tasks/setup_uninstall.yml create mode 100644 roles/matrix-bot-honoroit/tasks/validate_config.yml create mode 100644 roles/matrix-bot-honoroit/templates/systemd/matrix-bot-honoroit.service.j2 diff --git a/README.md b/README.md index 80608c69..63875c5e 100644 --- a/README.md +++ b/README.md @@ -99,6 +99,8 @@ Using this playbook, you can get the following services configured on your serve - (optional) [matrix-reminder-bot](https://github.com/anoadragon453/matrix-reminder-bot) for scheduling one-off & recurring reminders and alarms - see [docs/configuring-playbook-bot-matrix-reminder-bot.md](docs/configuring-playbook-bot-matrix-reminder-bot.md) for setup documentation +- (optional) [honoroit](https://gitlab.com/etke.cc/honoroit) helpdesk bot - see [docs/configuring-playbook-bot-honoroit.md](docs/configuring-playbook-bot-honoroit.md) for setup documentation + - (optional) [Go-NEB](https://github.com/matrix-org/go-neb) multi functional bot written in Go - see [docs/configuring-playbook-bot-go-neb.md](docs/configuring-playbook-bot-go-neb.md) for setup documentation - (optional) [Mjolnir](https://github.com/matrix-org/mjolnir), a moderation tool for Matrix - see [docs/configuring-playbook-bot-mjolnir.md](docs/configuring-playbook-bot-mjolnir.md) for setup documentation diff --git a/docs/configuring-playbook-bot-honoroit.md b/docs/configuring-playbook-bot-honoroit.md new file mode 100644 index 00000000..45fc033d --- /dev/null +++ b/docs/configuring-playbook-bot-honoroit.md @@ -0,0 +1,55 @@ +# Setting up Honoroit (optional) + +The playbook can install and configure [Honoroit](https://gitlab.com/etke.cc/honoroit) for you. + +It's a bot you can use to setup **your own helpdesk on matrix** + +See the project's [documentation](https://gitlab.com/etke.cc/honoroit#how-it-looks-like) to learn what it does with screenshots and why it might be useful to you. + + +## Registering the bot user + +By default, the playbook will set up the bot with a username like this: `@honoroit:DOMAIN`. + +(to use a different username, adjust the `matrix_bot_honoroit_login` variable). + +You **need to register the bot user manually** before setting up the bot. You can use the playbook to [register a new user](registering-users.md): + +``` +ansible-playbook -i inventory/hosts setup.yml --extra-vars='username=honoroit password=PASSWORD_FOR_THE_BOT admin=no' --tags=register-user +``` + +Choose a strong password for the bot. You can generate a good password with a command like this: `pwgen -s 64 1`. + + +## Adjusting the playbook configuration + +Add the following configuration to your `inventory/host_vars/matrix.DOMAIN/vars.yml` file: + +```yaml +matrix_bot_honoroit_enabled: true + +# Adjust this to whatever password you chose when registering the bot user +matrix_bot_honoroit_password: PASSWORD_FOR_THE_BOT + +# Adjust this to your room ID +matrix_bot_honoroit_roomid: "!yourRoomID:DOMAIN" +``` + + +## Installing + +After configuring the playbook, run the [installation](installing.md) command again: + +``` +ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start +``` + + +## Usage + +To use the bot, invite the `@honoroit:DOMAIN` to the room you specified in config, after that any matrix user can send a message to the `@honoroit:DOMAIN` to start a new thread in that room. + +Send `!ho help` to the room to see the bot's help menu for additional commands. + +You can also refer to the upstream [documentation](https://gitlab.com/etke.cc/honoroit#features). diff --git a/docs/configuring-playbook.md b/docs/configuring-playbook.md index 6b5a9e5d..31168d23 100644 --- a/docs/configuring-playbook.md +++ b/docs/configuring-playbook.md @@ -142,6 +142,8 @@ When you're done with all the configuration you'd like to do, continue with [Ins - [Setting up matrix-reminder-bot](configuring-playbook-bot-matrix-reminder-bot.md) - a bot to remind you about stuff (optional) +- [Setting up honoroit](configuring-playbook-bot-honoroit.md) - a helpdesk bot (optional) + - [Setting up Go-NEB](configuring-playbook-bot-go-neb.md) - an extensible multifunctional bot (optional) - [Setting up Mjolnir](configuring-playbook-bot-mjolnir.md) - a moderation tool/bot (optional) diff --git a/docs/container-images.md b/docs/container-images.md index d52f3fdd..9be48736 100644 --- a/docs/container-images.md +++ b/docs/container-images.md @@ -92,6 +92,8 @@ These services are not part of our default installation, but can be enabled by [ - [anoa/matrix-reminder-bot](https://hub.docker.com/r/anoa/matrix-reminder-bot) - the [matrix-reminder-bot](https://github.com/anoadragon453/matrix-reminder-bot) bot for one-off & recurring reminders and alarms (optional) +- [etke.cc/honoroit](https://gitlab.com/etke.cc/honoroit/container_registry) - the [honoroit](https://gitlab.com/etke.cc/honoroit) helpdesk bot (optional) + - [matrixdotorg/go-neb](https://hub.docker.com/r/matrixdotorg/go-neb) - the [Go-NEB](https://github.com/matrix-org/go-neb) bot (optional) - [matrixdotorg/mjolnir](https://hub.docker.com/r/matrixdotorg/mjolnir) - the [mjolnir](https://github.com/matrix-org/mjolnir) moderation bot (optional) diff --git a/docs/self-building.md b/docs/self-building.md index 4d5c2db2..ef851f22 100644 --- a/docs/self-building.md +++ b/docs/self-building.md @@ -34,6 +34,7 @@ List of roles where self-building the Docker image is currently possible: - `matrix-bridge-mautrix-whatsapp` - `matrix-bridge-mx-puppet-skype` - `matrix-bot-mjolnir` +- `matrix-bot-honoroit` - `matrix-bot-matrix-reminder-bot` - `matrix-email2matrix` diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index d5dfb391..393984c0 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -946,6 +946,37 @@ matrix_bot_matrix_reminder_bot_container_self_build: "{{ matrix_architecture != # ###################################################################### +###################################################################### +# +# matrix-bot-honoroit +# +###################################################################### + +# We don't enable bots by default. +matrix_bot_honoroit_enabled: false + +matrix_bot_honoroit_systemd_required_services_list: | + {{ + ['docker.service'] + + + (['matrix-postgres.service'] if matrix_postgres_enabled else []) + + + (['matrix-synapse.service'] if matrix_synapse_enabled else []) + + + (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) + }} + +# Postgres is the default, except if not using `matrix_postgres` (internal postgres) +matrix_bot_honoroit_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" +matrix_bot_honoroit_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'honoroit.bot.db') | to_uuid }}" +matrix_bot_honoroit_container_self_build: "{{ matrix_architecture != 'amd64' }}" + +###################################################################### +# +# /matrix-bot-honoroit +# +###################################################################### + ###################################################################### # @@ -1489,6 +1520,12 @@ matrix_postgres_additional_databases: | 'password': matrix_bot_matrix_reminder_bot_database_password, }] if (matrix_bot_matrix_reminder_bot_enabled and matrix_bot_matrix_reminder_bot_database_engine == 'postgres' and matrix_bot_matrix_reminder_bot_database_hostname == 'matrix-postgres') else []) + + ([{ + 'name': matrix_bot_honoroit_database_name, + 'username': matrix_bot_honoroit_database_username, + 'password': matrix_bot_honoroit_database_password, + }] if (matrix_bot_honoroit_enabled and matrix_bot_honoroit_database_engine == 'postgres' and matrix_bot_honoroit_database_hostname == 'matrix-postgres') else []) + + ([{ 'name': matrix_registration_database_name, 'username': matrix_registration_database_username, diff --git a/roles/matrix-bot-honoroit/defaults/main.yml b/roles/matrix-bot-honoroit/defaults/main.yml new file mode 100644 index 00000000..ac612f84 --- /dev/null +++ b/roles/matrix-bot-honoroit/defaults/main.yml @@ -0,0 +1,95 @@ +# honoroit is a helpdesk bot +# See: https://gitlab.com/etke.cc/honoroit + +matrix_bot_honoroit_enabled: true + +matrix_bot_honoroit_container_self_build: false +matrix_bot_honoroit_docker_repo: "https://gitlab.com/etke.cc/honoroit.git" +matrix_bot_honoroit_docker_src_files_path: "{{ matrix_base_data_path }}/honoroit/docker-src" + +matrix_bot_honoroit_version: v0.9.0 +matrix_bot_honoroit_docker_image: "registry.gitlab.com/etke.cc/honoroit:{{ matrix_bot_honoroit_version }}" +matrix_bot_honoroit_docker_image_force_pull: "{{ matrix_bot_honoroit_docker_image.endswith(':latest') }}" + +matrix_bot_honoroit_base_path: "{{ matrix_base_data_path }}/honoroit" +matrix_bot_honoroit_config_path: "{{ matrix_bot_honoroit_base_path }}/config" +matrix_bot_honoroit_data_path: "{{ matrix_bot_honoroit_base_path }}/data" +matrix_bot_honoroit_data_store_path: "{{ matrix_bot_honoroit_data_path }}/store" + +# A list of extra arguments to pass to the container +matrix_bot_honoroit_container_extra_arguments: [] + +# List of systemd services that matrix-bot-honoroit.service depends on +matrix_bot_honoroit_systemd_required_services_list: ['docker.service'] + +# List of systemd services that matrix-bot-honoroit.service wants +matrix_bot_honoroit_systemd_wanted_services_list: [] + + +# Database-related configuration fields. +# +# To use SQLite, stick to these defaults. +# +# To use Postgres: +# - change the engine (`matrix_bot_honoroit_database_engine: 'postgres'`) +# - adjust your database credentials via the `matrix_bot_honoroit_database_*` variables +matrix_bot_honoroit_database_engine: 'sqlite' + +matrix_bot_honoroit_sqlite_database_path_local: "{{ matrix_bot_honoroit_data_path }}/bot.db" +matrix_bot_honoroit_sqlite_database_path_in_container: "/data/bot.db" + +matrix_bot_honoroit_database_username: 'honoroit' +matrix_bot_honoroit_database_password: 'some-password' +matrix_bot_honoroit_database_hostname: 'matrix-postgres' +matrix_bot_honoroit_database_port: 5432 +matrix_bot_honoroit_database_name: 'honoroit' + +matrix_bot_honoroit_database_connection_string: 'postgres://{{ matrix_bot_honoroit_database_username }}:{{ matrix_bot_honoroit_database_password }}@{{ matrix_bot_honoroit_database_hostname }}:{{ matrix_bot_honoroit_database_port }}/{{ matrix_bot_honoroit_database_name }}?sslmode=disable' + +matrix_bot_honoroit_storage_database: "{{ + { + 'sqlite': matrix_bot_honoroit_sqlite_database_path_in_container, + 'postgres': matrix_bot_honoroit_database_connection_string, + }[matrix_bot_honoroit_database_engine] +}}" + +matrix_bot_honoroit_database_dialect: "{{ + { + 'sqlite': 'sqlite3', + 'postgres': 'postgres', + }[matrix_bot_honoroit_database_engine] +}}" + + +# The bot's username. This user needs to be created manually beforehand. +# Also see `matrix_bot_honoroit_password`. +matrix_bot_honoroit_login: "honoroit" + +# The password that the bot uses to authenticate. +matrix_bot_honoroit_password: '' + +matrix_bot_honoroit_homeserver: "{{ matrix_homeserver_container_url }}" + +# The room ID where bot will create threads +matrix_bot_honoroit_roomid: '' + +# Command prefix +matrix_bot_honoroit_prefix: '' + +# Sentry DSN +matrix_bot_honoroit_sentry: '' + +# Log level +matrix_bot_honoroit_loglevel: '' + +# Text: greetings +matrix_bot_honoroit_text_greetings: '' + +# Text: error +matrix_bot_honoroit_text_error: '' + +# Text: empty room +matrix_bot_honoroit_text_emptyroom: '' + +# Text: done +matrix_bot_honoroit_text_done: '' diff --git a/roles/matrix-bot-honoroit/tasks/init.yml b/roles/matrix-bot-honoroit/tasks/init.yml new file mode 100644 index 00000000..1b652e56 --- /dev/null +++ b/roles/matrix-bot-honoroit/tasks/init.yml @@ -0,0 +1,3 @@ +- set_fact: + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-bot-honoroit.service'] }}" + when: matrix_bot_honoroit_enabled|bool diff --git a/roles/matrix-bot-honoroit/tasks/main.yml b/roles/matrix-bot-honoroit/tasks/main.yml new file mode 100644 index 00000000..bc5c1490 --- /dev/null +++ b/roles/matrix-bot-honoroit/tasks/main.yml @@ -0,0 +1,21 @@ +- import_tasks: "{{ role_path }}/tasks/init.yml" + tags: + - always + +- import_tasks: "{{ role_path }}/tasks/validate_config.yml" + when: "run_setup|bool and matrix_bot_honoroit_enabled|bool" + tags: + - setup-all + - setup-bot-honoroit + +- import_tasks: "{{ role_path }}/tasks/setup_install.yml" + when: "run_setup|bool and matrix_bot_honoroit_enabled|bool" + tags: + - setup-all + - setup-bot-honoroit + +- import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" + when: "run_setup|bool and not matrix_bot_honoroit_enabled|bool" + tags: + - setup-all + - setup-bot-honoroit diff --git a/roles/matrix-bot-honoroit/tasks/setup_install.yml b/roles/matrix-bot-honoroit/tasks/setup_install.yml new file mode 100644 index 00000000..33723175 --- /dev/null +++ b/roles/matrix-bot-honoroit/tasks/setup_install.yml @@ -0,0 +1,86 @@ +--- +- set_fact: + matrix_bot_honoroit_requires_restart: false + +- block: + - name: Check if an SQLite database already exists + stat: + path: "{{ matrix_bot_honoroit_sqlite_database_path_local }}" + register: matrix_bot_honoroit_sqlite_database_path_local_stat_result + + - block: + - set_fact: + matrix_postgres_db_migration_request: + src: "{{ matrix_bot_honoroit_sqlite_database_path_local }}" + dst: "{{ matrix_bot_honoroit_database_connection_string }}" + caller: "{{ role_path|basename }}" + engine_variable_name: 'matrix_bot_honoroit_database_engine' + engine_old: 'sqlite' + systemd_services_to_stop: ['matrix-bot-honoroit.service'] + + - import_tasks: "{{ role_path }}/../matrix-postgres/tasks/util/migrate_db_to_postgres.yml" + + - set_fact: + matrix_bot_honoroit_requires_restart: true + when: "matrix_bot_honoroit_sqlite_database_path_local_stat_result.stat.exists|bool" + when: "matrix_bot_honoroit_database_engine == 'postgres'" + +- name: Ensure honoroit paths exist + file: + path: "{{ item.path }}" + state: directory + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: + - { path: "{{ matrix_bot_honoroit_config_path }}", when: true } + - { path: "{{ matrix_bot_honoroit_data_path }}", when: true } + - { path: "{{ matrix_bot_honoroit_data_store_path }}", when: true } + - { path: "{{ matrix_bot_honoroit_docker_src_files_path }}", when: true} + when: "item.when|bool" + +- name: Ensure honoroit image is pulled + docker_image: + name: "{{ matrix_bot_honoroit_docker_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_bot_honoroit_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_bot_honoroit_docker_image_force_pull }}" + when: "not matrix_bot_honoroit_container_self_build|bool" + +- name: Ensure honoroit repository is present on self-build + git: + repo: "{{ matrix_bot_honoroit_docker_repo }}" + dest: "{{ matrix_bot_honoroit_docker_src_files_path }}" + force: "yes" + register: matrix_bot_honoroit_git_pull_results + when: "matrix_bot_honoroit_container_self_build|bool" + +- name: Ensure honoroit image is built + docker_image: + name: "{{ matrix_bot_honoroit_docker_image }}" + source: build + force_source: "{{ matrix_bot_honoroit_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mailer_git_pull_results.changed }}" + build: + dockerfile: docker/Dockerfile + path: "{{ matrix_bot_honoroit_docker_src_files_path }}" + pull: yes + when: "matrix_bot_honoroit_container_self_build|bool" + +- name: Ensure matrix-bot-honoroit.service installed + template: + src: "{{ role_path }}/templates/systemd/matrix-bot-honoroit.service.j2" + dest: "{{ matrix_systemd_path }}/matrix-bot-honoroit.service" + mode: 0644 + register: matrix_bot_honoroit_systemd_service_result + +- name: Ensure systemd reloaded after matrix-bot-honoroit.service installation + service: + daemon_reload: yes + when: "matrix_bot_honoroit_systemd_service_result.changed|bool" + +- name: Ensure matrix-bot-honoroit.service restarted, if necessary + service: + name: "matrix-bot-honoroit.service" + state: restarted + when: "matrix_bot_honoroit_requires_restart|bool" diff --git a/roles/matrix-bot-honoroit/tasks/setup_uninstall.yml b/roles/matrix-bot-honoroit/tasks/setup_uninstall.yml new file mode 100644 index 00000000..afad2cc1 --- /dev/null +++ b/roles/matrix-bot-honoroit/tasks/setup_uninstall.yml @@ -0,0 +1,36 @@ +--- + +- name: Check existence of matrix-honoroit service + stat: + path: "{{ matrix_systemd_path }}/matrix-bot-honoroit.service" + register: matrix_bot_honoroit_service_stat + +- name: Ensure matrix-honoroit is stopped + service: + name: matrix-bot-honoroit + state: stopped + enabled: no + daemon_reload: yes + register: stopping_result + when: "matrix_bot_honoroit_service_stat.stat.exists|bool" + +- name: Ensure matrix-bot-honoroit.service doesn't exist + file: + path: "{{ matrix_systemd_path }}/matrix-bot-honoroit.service" + state: absent + when: "matrix_bot_honoroit_service_stat.stat.exists|bool" + +- name: Ensure systemd reloaded after matrix-bot-honoroit.service removal + service: + daemon_reload: yes + when: "matrix_bot_honoroit_service_stat.stat.exists|bool" + +- name: Ensure Matrix honoroit paths don't exist + file: + path: "{{ matrix_bot_honoroit_base_path }}" + state: absent + +- name: Ensure honoroit Docker image doesn't exist + docker_image: + name: "{{ matrix_bot_honoroit_docker_image }}" + state: absent diff --git a/roles/matrix-bot-honoroit/tasks/validate_config.yml b/roles/matrix-bot-honoroit/tasks/validate_config.yml new file mode 100644 index 00000000..562bf9fb --- /dev/null +++ b/roles/matrix-bot-honoroit/tasks/validate_config.yml @@ -0,0 +1,10 @@ +--- + +- name: Fail if required settings not defined + fail: + msg: >- + You need to define a required configuration setting (`{{ item }}`). + when: "vars[item] == ''" + with_items: + - "matrix_bot_honoroit_password" + - "matrix_bot_honoroit_roomid" diff --git a/roles/matrix-bot-honoroit/templates/systemd/matrix-bot-honoroit.service.j2 b/roles/matrix-bot-honoroit/templates/systemd/matrix-bot-honoroit.service.j2 new file mode 100644 index 00000000..38c2c7ff --- /dev/null +++ b/roles/matrix-bot-honoroit/templates/systemd/matrix-bot-honoroit.service.j2 @@ -0,0 +1,51 @@ +#jinja2: lstrip_blocks: "True" +[Unit] +Description=Matrix helpdesk bot +{% for service in matrix_bot_honoroit_systemd_required_services_list %} +Requires={{ service }} +After={{ service }} +{% endfor %} +{% for service in matrix_bot_honoroit_systemd_wanted_services_list %} +Wants={{ service }} +{% endfor %} +DefaultDependencies=no + +[Service] +Type=simple +Environment="HOME={{ matrix_systemd_unit_home_path }}" +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-bot-honoroit 2>/dev/null' +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-bot-honoroit 2>/dev/null' + +ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-bot-honoroit \ + --log-driver=none \ + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + --cap-drop=ALL \ + --read-only \ + --network={{ matrix_docker_network }} \ + -e 'HONOROIT_LOGIN={{ matrix_bot_honoroit_login }}' \ + -e 'HONOROIT_PASSWORD={{ matrix_bot_honoroit_password }}' \ + -e 'HONOROIT_HOMESERVER={{ matrix_bot_honoroit_homeserver }}' \ + -e 'HONOROIT_ROOMID={{ matrix_bot_honoroit_roomid }}' \ + -e 'HONOROIT_DB_DSN={{ matrix_bot_honoroit_database_connection_string }}' \ + -e 'HONOROIT_DB_DIALECT={{ matrix_bot_honoroit_database_dialect }}' \ + -e 'HONOROIT_PREFIX={{ matrix_bot_honoroit_prefix }}' \ + -e 'HONOROIT_SENTRY={{ matrix_bot_honoroit_sentry }}' \ + -e 'HONOROIT_LOGLEVEL={{ matrix_bot_honoroit_loglevel }}' \ + -e 'HONOROIT_TEXT_GREETINGS={{ matrix_bot_honoroit_text_greetings }}' \ + -e 'HONOROIT_TEXT_ERROR={{ matrix_bot_honoroit_text_error }}' \ + -e 'HONOROIT_TEXT_EMPTYROOM={{ matrix_bot_honoroit_text_emptyroom }}' \ + -e 'HONOROIT_TEXT_DONE={{ matrix_bot_honoroit_text_done }}' \ + --mount type=bind,src={{ matrix_bot_honoroit_data_path }},dst=/data \ + {% for arg in matrix_bot_honoroit_container_extra_arguments %} + {{ arg }} \ + {% endfor %} + {{ matrix_bot_honoroit_docker_image }} + +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-bot-honoroit 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-bot-honoroit 2>/dev/null' +Restart=always +RestartSec=30 +SyslogIdentifier=matrix-bot-honoroit + +[Install] +WantedBy=multi-user.target diff --git a/setup.yml b/setup.yml index 99d4ab18..54e6c408 100755 --- a/setup.yml +++ b/setup.yml @@ -37,6 +37,7 @@ - matrix-bridge-sms - matrix-bridge-heisenbridge - matrix-bot-matrix-reminder-bot + - matrix-bot-honoroit - matrix-bot-go-neb - matrix-bot-mjolnir - matrix-synapse From d7af37e9e9076ec85d883ffb6abfcb73df219155 Mon Sep 17 00:00:00 2001 From: rakshazi Date: Fri, 7 Jan 2022 09:41:52 +0200 Subject: [PATCH 113/202] matrix-bot-honoroit feedback --- roles/matrix-bot-honoroit/defaults/main.yml | 10 +++++++++- roles/matrix-bot-honoroit/tasks/setup_install.yml | 6 ++++++ roles/matrix-bot-honoroit/templates/env.j2 | 15 +++++++++++++++ .../systemd/matrix-bot-honoroit.service.j2 | 14 +------------- 4 files changed, 31 insertions(+), 14 deletions(-) create mode 100644 roles/matrix-bot-honoroit/templates/env.j2 diff --git a/roles/matrix-bot-honoroit/defaults/main.yml b/roles/matrix-bot-honoroit/defaults/main.yml index ac612f84..ea83dde6 100644 --- a/roles/matrix-bot-honoroit/defaults/main.yml +++ b/roles/matrix-bot-honoroit/defaults/main.yml @@ -8,7 +8,8 @@ matrix_bot_honoroit_docker_repo: "https://gitlab.com/etke.cc/honoroit.git" matrix_bot_honoroit_docker_src_files_path: "{{ matrix_base_data_path }}/honoroit/docker-src" matrix_bot_honoroit_version: v0.9.0 -matrix_bot_honoroit_docker_image: "registry.gitlab.com/etke.cc/honoroit:{{ matrix_bot_honoroit_version }}" +matrix_bot_honoroit_docker_image: "{{ matrix_bot_honoroit_docker_image_name_prefix }}honoroit:{{ matrix_bot_honoroit_version }}" +matrix_bot_honoroit_docker_image_name_prefix: "{{ 'localhost/' if matrix_bot_honoroit_container_image_self_build else 'registry.gitlab.com/etke.cc/' }}" matrix_bot_honoroit_docker_image_force_pull: "{{ matrix_bot_honoroit_docker_image.endswith(':latest') }}" matrix_bot_honoroit_base_path: "{{ matrix_base_data_path }}/honoroit" @@ -93,3 +94,10 @@ matrix_bot_honoroit_text_emptyroom: '' # Text: done matrix_bot_honoroit_text_done: '' + +# Additional environment variables to pass to the Honoroit container +# +# Example: +# matrix_bot_honoroit_environment_variables_extension: | +# HONOROIT_TEXT_DONE=Done +matrix_bot_honoroit_environment_variables_extension: '' diff --git a/roles/matrix-bot-honoroit/tasks/setup_install.yml b/roles/matrix-bot-honoroit/tasks/setup_install.yml index 33723175..615235cb 100644 --- a/roles/matrix-bot-honoroit/tasks/setup_install.yml +++ b/roles/matrix-bot-honoroit/tasks/setup_install.yml @@ -39,6 +39,12 @@ - { path: "{{ matrix_bot_honoroit_docker_src_files_path }}", when: true} when: "item.when|bool" +- name: Ensure honoroit environment variables file created + template: + src: "{{ role_path }}/templates/env.j2" + dest: "{{ matrix_bot_honoroit_config_path }}/env" + mode: 0640 + - name: Ensure honoroit image is pulled docker_image: name: "{{ matrix_bot_honoroit_docker_image }}" diff --git a/roles/matrix-bot-honoroit/templates/env.j2 b/roles/matrix-bot-honoroit/templates/env.j2 new file mode 100644 index 00000000..4b1dd43f --- /dev/null +++ b/roles/matrix-bot-honoroit/templates/env.j2 @@ -0,0 +1,15 @@ +HONOROIT_LOGIN={{ matrix_bot_honoroit_login }} +HONOROIT_PASSWORD={{ matrix_bot_honoroit_password }} +HONOROIT_HOMESERVER={{ matrix_bot_honoroit_homeserver }} +HONOROIT_ROOMID={{ matrix_bot_honoroit_roomid }} +HONOROIT_DB_DSN={{ matrix_bot_honoroit_database_connection_string }} +HONOROIT_DB_DIALECT={{ matrix_bot_honoroit_database_dialect }} +HONOROIT_PREFIX={{ matrix_bot_honoroit_prefix }} +HONOROIT_SENTRY={{ matrix_bot_honoroit_sentry }} +HONOROIT_LOGLEVEL={{ matrix_bot_honoroit_loglevel }} +HONOROIT_TEXT_GREETINGS={{ matrix_bot_honoroit_text_greetings }} +HONOROIT_TEXT_ERROR={{ matrix_bot_honoroit_text_error }} +HONOROIT_TEXT_EMPTYROOM={{ matrix_bot_honoroit_text_emptyroom }} +HONOROIT_TEXT_DONE={{ matrix_bot_honoroit_text_done }} + +{{ matrix_bot_honoroit_environment_variables_extension }} diff --git a/roles/matrix-bot-honoroit/templates/systemd/matrix-bot-honoroit.service.j2 b/roles/matrix-bot-honoroit/templates/systemd/matrix-bot-honoroit.service.j2 index 38c2c7ff..c4eb1a94 100644 --- a/roles/matrix-bot-honoroit/templates/systemd/matrix-bot-honoroit.service.j2 +++ b/roles/matrix-bot-honoroit/templates/systemd/matrix-bot-honoroit.service.j2 @@ -22,19 +22,7 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-bot-honoroit \ --cap-drop=ALL \ --read-only \ --network={{ matrix_docker_network }} \ - -e 'HONOROIT_LOGIN={{ matrix_bot_honoroit_login }}' \ - -e 'HONOROIT_PASSWORD={{ matrix_bot_honoroit_password }}' \ - -e 'HONOROIT_HOMESERVER={{ matrix_bot_honoroit_homeserver }}' \ - -e 'HONOROIT_ROOMID={{ matrix_bot_honoroit_roomid }}' \ - -e 'HONOROIT_DB_DSN={{ matrix_bot_honoroit_database_connection_string }}' \ - -e 'HONOROIT_DB_DIALECT={{ matrix_bot_honoroit_database_dialect }}' \ - -e 'HONOROIT_PREFIX={{ matrix_bot_honoroit_prefix }}' \ - -e 'HONOROIT_SENTRY={{ matrix_bot_honoroit_sentry }}' \ - -e 'HONOROIT_LOGLEVEL={{ matrix_bot_honoroit_loglevel }}' \ - -e 'HONOROIT_TEXT_GREETINGS={{ matrix_bot_honoroit_text_greetings }}' \ - -e 'HONOROIT_TEXT_ERROR={{ matrix_bot_honoroit_text_error }}' \ - -e 'HONOROIT_TEXT_EMPTYROOM={{ matrix_bot_honoroit_text_emptyroom }}' \ - -e 'HONOROIT_TEXT_DONE={{ matrix_bot_honoroit_text_done }}' \ + --env-file={{ matrix_bot_honoroit_config_path }}/env \ --mount type=bind,src={{ matrix_bot_honoroit_data_path }},dst=/data \ {% for arg in matrix_bot_honoroit_container_extra_arguments %} {{ arg }} \ From 6beb39a0627db90c15c51632a7da909b0ae9c37f Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 7 Jan 2022 09:53:16 +0200 Subject: [PATCH 114/202] Announce Honoroit support Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1511 --- CHANGELOG.md | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 8443d36a..7f6dcc35 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,12 @@ +# 2022-01-07 + +## Honoroit bot support + +Thanks to [Aine](https://gitlab.com/etke.cc) of [etke.cc](https://etke.cc/), the playbook can now help you set up [Honoroit](https://gitlab.com/etke.cc/honoroit) - a helpdesk bot. + +See our [Setting up Honoroit](docs/configuring-playbook-bot-honoroit.md) documentation to get started. + + # 2022-01-06 ## Cinny support From d66c812830771782817f8f411a9833e627ff88be Mon Sep 17 00:00:00 2001 From: rakshazi Date: Fri, 7 Jan 2022 09:06:25 +0000 Subject: [PATCH 115/202] matrix-bot-honoroit: fix self-build --- roles/matrix-bot-honoroit/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-bot-honoroit/defaults/main.yml b/roles/matrix-bot-honoroit/defaults/main.yml index ea83dde6..fc1713ba 100644 --- a/roles/matrix-bot-honoroit/defaults/main.yml +++ b/roles/matrix-bot-honoroit/defaults/main.yml @@ -9,7 +9,7 @@ matrix_bot_honoroit_docker_src_files_path: "{{ matrix_base_data_path }}/honoroit matrix_bot_honoroit_version: v0.9.0 matrix_bot_honoroit_docker_image: "{{ matrix_bot_honoroit_docker_image_name_prefix }}honoroit:{{ matrix_bot_honoroit_version }}" -matrix_bot_honoroit_docker_image_name_prefix: "{{ 'localhost/' if matrix_bot_honoroit_container_image_self_build else 'registry.gitlab.com/etke.cc/' }}" +matrix_bot_honoroit_docker_image_name_prefix: "{{ 'localhost/' if matrix_bot_honoroit_container_self_build else 'registry.gitlab.com/etke.cc/' }}" matrix_bot_honoroit_docker_image_force_pull: "{{ matrix_bot_honoroit_docker_image.endswith(':latest') }}" matrix_bot_honoroit_base_path: "{{ matrix_base_data_path }}/honoroit" From b0c801a4970584badeef6c6eeea7eb03beb10d08 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 7 Jan 2022 11:53:24 +0200 Subject: [PATCH 116/202] Rename variable for consistency (matrix_bot_honoroit_container_self_build -> matrix_bot_honoroit_container_image_self_build) Discussed in https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1514 --- group_vars/matrix_servers | 2 +- roles/matrix-bot-honoroit/defaults/main.yml | 4 ++-- roles/matrix-bot-honoroit/tasks/setup_install.yml | 6 +++--- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 393984c0..99d70c99 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -969,7 +969,7 @@ matrix_bot_honoroit_systemd_required_services_list: | # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_bot_honoroit_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" matrix_bot_honoroit_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'honoroit.bot.db') | to_uuid }}" -matrix_bot_honoroit_container_self_build: "{{ matrix_architecture != 'amd64' }}" +matrix_bot_honoroit_container_image_self_build: "{{ matrix_architecture != 'amd64' }}" ###################################################################### # diff --git a/roles/matrix-bot-honoroit/defaults/main.yml b/roles/matrix-bot-honoroit/defaults/main.yml index fc1713ba..4e3628f9 100644 --- a/roles/matrix-bot-honoroit/defaults/main.yml +++ b/roles/matrix-bot-honoroit/defaults/main.yml @@ -3,13 +3,13 @@ matrix_bot_honoroit_enabled: true -matrix_bot_honoroit_container_self_build: false +matrix_bot_honoroit_container_image_self_build: false matrix_bot_honoroit_docker_repo: "https://gitlab.com/etke.cc/honoroit.git" matrix_bot_honoroit_docker_src_files_path: "{{ matrix_base_data_path }}/honoroit/docker-src" matrix_bot_honoroit_version: v0.9.0 matrix_bot_honoroit_docker_image: "{{ matrix_bot_honoroit_docker_image_name_prefix }}honoroit:{{ matrix_bot_honoroit_version }}" -matrix_bot_honoroit_docker_image_name_prefix: "{{ 'localhost/' if matrix_bot_honoroit_container_self_build else 'registry.gitlab.com/etke.cc/' }}" +matrix_bot_honoroit_docker_image_name_prefix: "{{ 'localhost/' if matrix_bot_honoroit_container_image_self_build else 'registry.gitlab.com/etke.cc/' }}" matrix_bot_honoroit_docker_image_force_pull: "{{ matrix_bot_honoroit_docker_image.endswith(':latest') }}" matrix_bot_honoroit_base_path: "{{ matrix_base_data_path }}/honoroit" diff --git a/roles/matrix-bot-honoroit/tasks/setup_install.yml b/roles/matrix-bot-honoroit/tasks/setup_install.yml index 615235cb..76eeb006 100644 --- a/roles/matrix-bot-honoroit/tasks/setup_install.yml +++ b/roles/matrix-bot-honoroit/tasks/setup_install.yml @@ -51,7 +51,7 @@ source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" force_source: "{{ matrix_bot_honoroit_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_bot_honoroit_docker_image_force_pull }}" - when: "not matrix_bot_honoroit_container_self_build|bool" + when: "not matrix_bot_honoroit_container_image_self_build|bool" - name: Ensure honoroit repository is present on self-build git: @@ -59,7 +59,7 @@ dest: "{{ matrix_bot_honoroit_docker_src_files_path }}" force: "yes" register: matrix_bot_honoroit_git_pull_results - when: "matrix_bot_honoroit_container_self_build|bool" + when: "matrix_bot_honoroit_container_image_self_build|bool" - name: Ensure honoroit image is built docker_image: @@ -71,7 +71,7 @@ dockerfile: docker/Dockerfile path: "{{ matrix_bot_honoroit_docker_src_files_path }}" pull: yes - when: "matrix_bot_honoroit_container_self_build|bool" + when: "matrix_bot_honoroit_container_image_self_build|bool" - name: Ensure matrix-bot-honoroit.service installed template: From d9dd524db3f7a3b1710a763292e7fefbb47ca7de Mon Sep 17 00:00:00 2001 From: rakshazi Date: Fri, 7 Jan 2022 12:18:45 +0200 Subject: [PATCH 117/202] self-build consistency: rename vars everywhere --- group_vars/matrix_servers | 18 +++++++++--------- .../defaults/main.yml | 2 +- .../tasks/setup_install.yml | 6 +++--- .../defaults/main.yml | 2 +- .../tasks/init.yml | 2 +- .../tasks/setup_install.yml | 8 ++++---- .../defaults/main.yml | 2 +- .../tasks/init.yml | 2 +- .../tasks/setup_install.yml | 8 ++++---- .../defaults/main.yml | 4 ++-- .../tasks/setup_install.yml | 12 ++++++------ .../defaults/main.yml | 6 +++--- .../tasks/init.yml | 2 +- .../tasks/setup_install.yml | 14 +++++++------- roles/matrix-synapse-admin/defaults/main.yml | 6 +++--- roles/matrix-synapse-admin/tasks/init.yml | 2 +- roles/matrix-synapse-admin/tasks/setup.yml | 8 ++++---- .../tasks/validate_config.yml | 1 + 18 files changed, 53 insertions(+), 52 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 99d70c99..49f63ddf 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -143,7 +143,7 @@ matrix_appservice_webhooks_systemd_required_services_list: | # We don't enable bridges by default. matrix_appservice_slack_enabled: false -matrix_appservice_slack_container_self_build: "{{ matrix_architecture != 'amd64' }}" +matrix_appservice_slack_container_image_self_build: "{{ matrix_architecture != 'amd64' }}" # Normally, matrix-nginx-proxy is enabled and nginx can reach matrix-appservice-slack over the container network. # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose @@ -185,7 +185,7 @@ matrix_appservice_slack_database_password: "{{ '%s' | format(matrix_synapse_maca # We don't enable bridges by default. matrix_appservice_irc_enabled: false -matrix_appservice_irc_container_self_build: "{{ matrix_architecture != 'amd64' }}" +matrix_appservice_irc_container_image_self_build: "{{ matrix_architecture != 'amd64' }}" # Normally, matrix-nginx-proxy is enabled and nginx can reach matrix-appservice-irc over the container network. # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose @@ -459,8 +459,8 @@ matrix_mautrix_signal_login_shared_secret: "{{ matrix_synapse_ext_password_provi matrix_mautrix_signal_database_engine: 'postgres' matrix_mautrix_signal_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mau.signal.db') | to_uuid }}" -matrix_mautrix_signal_container_self_build: "{{ matrix_architecture not in ['amd64', 'arm64'] }}" -matrix_mautrix_signal_daemon_container_self_build: "{{ matrix_architecture != 'amd64' }}" +matrix_mautrix_signal_container_image_self_build: "{{ matrix_architecture not in ['amd64', 'arm64'] }}" +matrix_mautrix_signal_daemon_container_image_self_build: "{{ matrix_architecture != 'amd64' }}" ###################################################################### # @@ -478,9 +478,9 @@ matrix_mautrix_signal_daemon_container_self_build: "{{ matrix_architecture != 'a matrix_mautrix_telegram_enabled: false # Images are multi-arch (amd64 and arm64, but not arm32). -matrix_mautrix_telegram_container_self_build: "{{ matrix_architecture not in ['arm64', 'amd64'] }}" -matrix_telegram_lottieconverter_container_self_build: "{{ matrix_architecture not in ['arm64', 'amd64'] }}" -matrix_telegram_lottieconverter_container_self_build_mask_arch: "{{ matrix_architecture != 'amd64' }}" +matrix_mautrix_telegram_container_image_self_build: "{{ matrix_architecture not in ['arm64', 'amd64'] }}" +matrix_telegram_lottieconverter_container_image_self_build: "{{ matrix_architecture not in ['arm64', 'amd64'] }}" +matrix_telegram_lottieconverter_container_image_self_build_mask_arch: "{{ matrix_architecture != 'amd64' }}" matrix_mautrix_telegram_systemd_required_services_list: | {{ @@ -938,7 +938,7 @@ matrix_bot_matrix_reminder_bot_systemd_required_services_list: | # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_bot_matrix_reminder_bot_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" matrix_bot_matrix_reminder_bot_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'reminder.bot.db') | to_uuid }}" -matrix_bot_matrix_reminder_bot_container_self_build: "{{ matrix_architecture != 'amd64' }}" +matrix_bot_matrix_reminder_bot_container_image_self_build: "{{ matrix_architecture != 'amd64' }}" ###################################################################### # @@ -1948,7 +1948,7 @@ matrix_synapse_admin_enabled: false # Synapse Admin's HTTP port to the local host. matrix_synapse_admin_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:8766' }}" -matrix_synapse_admin_container_self_build: "{{ matrix_architecture != 'amd64' }}" +matrix_synapse_admin_container_image_self_build: "{{ matrix_architecture != 'amd64' }}" ###################################################################### # diff --git a/roles/matrix-bot-matrix-reminder-bot/defaults/main.yml b/roles/matrix-bot-matrix-reminder-bot/defaults/main.yml index 3e955673..419e3cca 100644 --- a/roles/matrix-bot-matrix-reminder-bot/defaults/main.yml +++ b/roles/matrix-bot-matrix-reminder-bot/defaults/main.yml @@ -3,7 +3,7 @@ matrix_bot_matrix_reminder_bot_enabled: true -matrix_bot_matrix_reminder_bot_container_self_build: false +matrix_bot_matrix_reminder_bot_container_image_self_build: false matrix_bot_matrix_reminder_bot_docker_repo: "https://github.com/anoadragon453/matrix-reminder-bot.git" matrix_bot_matrix_reminder_bot_docker_src_files_path: "{{ matrix_base_data_path }}/matrix-reminder-bot/docker-src" diff --git a/roles/matrix-bot-matrix-reminder-bot/tasks/setup_install.yml b/roles/matrix-bot-matrix-reminder-bot/tasks/setup_install.yml index dada8167..bd33326f 100644 --- a/roles/matrix-bot-matrix-reminder-bot/tasks/setup_install.yml +++ b/roles/matrix-bot-matrix-reminder-bot/tasks/setup_install.yml @@ -46,7 +46,7 @@ source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" force_source: "{{ matrix_bot_matrix_reminder_bot_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_bot_matrix_reminder_bot_docker_image_force_pull }}" - when: "not matrix_bot_matrix_reminder_bot_container_self_build|bool" + when: "not matrix_bot_matrix_reminder_bot_container_image_self_build|bool" - name: Ensure matrix-reminder-bot repository is present on self-build git: @@ -54,7 +54,7 @@ dest: "{{ matrix_bot_matrix_reminder_bot_docker_src_files_path }}" force: "yes" register: matrix_bot_matrix_reminder_bot_git_pull_results - when: "matrix_bot_matrix_reminder_bot_container_self_build|bool" + when: "matrix_bot_matrix_reminder_bot_container_image_self_build|bool" - name: Ensure matrix-reminder-bot image is built docker_image: @@ -66,7 +66,7 @@ dockerfile: docker/Dockerfile path: "{{ matrix_bot_matrix_reminder_bot_docker_src_files_path }}" pull: yes - when: "matrix_bot_matrix_reminder_bot_container_self_build|bool" + when: "matrix_bot_matrix_reminder_bot_container_image_self_build|bool" - name: Ensure matrix-reminder-bot config installed copy: diff --git a/roles/matrix-bridge-appservice-irc/defaults/main.yml b/roles/matrix-bridge-appservice-irc/defaults/main.yml index 57604b19..25b0a241 100644 --- a/roles/matrix-bridge-appservice-irc/defaults/main.yml +++ b/roles/matrix-bridge-appservice-irc/defaults/main.yml @@ -3,7 +3,7 @@ matrix_appservice_irc_enabled: true -matrix_appservice_irc_container_self_build: false +matrix_appservice_irc_container_image_self_build: false matrix_appservice_irc_docker_repo: "https://github.com/matrix-org/matrix-appservice-irc.git" matrix_appservice_irc_docker_src_files_path: "{{ matrix_base_data_path }}/appservice-irc/docker-src" diff --git a/roles/matrix-bridge-appservice-irc/tasks/init.yml b/roles/matrix-bridge-appservice-irc/tasks/init.yml index e1355796..b90d93a5 100644 --- a/roles/matrix-bridge-appservice-irc/tasks/init.yml +++ b/roles/matrix-bridge-appservice-irc/tasks/init.yml @@ -3,7 +3,7 @@ - name: Fail if trying to self-build on Ansible < 2.8 fail: msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_appservice_irc_container_self_build and matrix_appservice_irc_enabled" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_appservice_irc_container_image_self_build and matrix_appservice_irc_enabled" # If the matrix-synapse role is not used, `matrix_synapse_role_executed` won't exist. # We don't want to fail in such cases. diff --git a/roles/matrix-bridge-appservice-irc/tasks/setup_install.yml b/roles/matrix-bridge-appservice-irc/tasks/setup_install.yml index 75af882a..20714a41 100644 --- a/roles/matrix-bridge-appservice-irc/tasks/setup_install.yml +++ b/roles/matrix-bridge-appservice-irc/tasks/setup_install.yml @@ -11,7 +11,7 @@ - { path: "{{ matrix_appservice_irc_base_path }}", when: true } - { path: "{{ matrix_appservice_irc_config_path }}", when: true } - { path: "{{ matrix_appservice_irc_data_path }}", when: true } - - { path: "{{ matrix_appservice_irc_docker_src_files_path }}", when: "{{ matrix_appservice_irc_container_self_build }}" } + - { path: "{{ matrix_appservice_irc_docker_src_files_path }}", when: "{{ matrix_appservice_irc_container_image_self_build }}" } when: item.when|bool - name: Check if an old passkey file already exists @@ -61,7 +61,7 @@ source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" force_source: "{{ matrix_appservice_irc_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_appservice_irc_docker_image_force_pull }}" - when: "matrix_appservice_irc_enabled|bool and not matrix_appservice_irc_container_self_build|bool" + when: "matrix_appservice_irc_enabled|bool and not matrix_appservice_irc_container_image_self_build|bool" - name: Ensure matrix-appservice-irc repository is present when self-building git: @@ -69,7 +69,7 @@ dest: "{{ matrix_appservice_irc_docker_src_files_path }}" force: "yes" register: matrix_appservice_irc_git_pull_results - when: "matrix_appservice_irc_enabled|bool and matrix_appservice_irc_container_self_build|bool" + when: "matrix_appservice_irc_enabled|bool and matrix_appservice_irc_container_image_self_build|bool" - name: Ensure matrix-appservice-irc Docker image is built docker_image: @@ -81,7 +81,7 @@ dockerfile: Dockerfile path: "{{ matrix_appservice_irc_docker_src_files_path }}" pull: yes - when: "matrix_appservice_irc_enabled|bool and matrix_appservice_irc_container_self_build|bool and matrix_appservice_irc_git_pull_results.changed" + when: "matrix_appservice_irc_enabled|bool and matrix_appservice_irc_container_image_self_build|bool and matrix_appservice_irc_git_pull_results.changed" - name: Ensure Matrix Appservice IRC config installed copy: diff --git a/roles/matrix-bridge-appservice-slack/defaults/main.yml b/roles/matrix-bridge-appservice-slack/defaults/main.yml index 4f4d5e2f..0a578b41 100644 --- a/roles/matrix-bridge-appservice-slack/defaults/main.yml +++ b/roles/matrix-bridge-appservice-slack/defaults/main.yml @@ -3,7 +3,7 @@ matrix_appservice_slack_enabled: true -matrix_appservice_slack_container_self_build: false +matrix_appservice_slack_container_image_self_build: false matrix_appservice_slack_docker_repo: "https://github.com/matrix-org/matrix-appservice-slack.git" matrix_appservice_slack_docker_src_files_path: "{{ matrix_base_data_path }}/appservice-slack/docker-src" diff --git a/roles/matrix-bridge-appservice-slack/tasks/init.yml b/roles/matrix-bridge-appservice-slack/tasks/init.yml index f6aada6d..7f251ec5 100644 --- a/roles/matrix-bridge-appservice-slack/tasks/init.yml +++ b/roles/matrix-bridge-appservice-slack/tasks/init.yml @@ -3,7 +3,7 @@ - name: Fail if trying to self-build on Ansible < 2.8 fail: msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_appservice_slack_container_self_build and matrix_appservice_slack_enabled" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_appservice_slack_container_image_self_build and matrix_appservice_slack_enabled" # If the matrix-synapse role is not used, `matrix_synapse_role_executed` won't exist. # We don't want to fail in such cases. diff --git a/roles/matrix-bridge-appservice-slack/tasks/setup_install.yml b/roles/matrix-bridge-appservice-slack/tasks/setup_install.yml index b170fcb8..8c5a1eed 100644 --- a/roles/matrix-bridge-appservice-slack/tasks/setup_install.yml +++ b/roles/matrix-bridge-appservice-slack/tasks/setup_install.yml @@ -11,7 +11,7 @@ - { path: "{{ matrix_appservice_slack_base_path }}", when: true } - { path: "{{ matrix_appservice_slack_config_path }}", when: true } - { path: "{{ matrix_appservice_slack_data_path }}", when: true } - - { path: "{{ matrix_appservice_slack_docker_src_files_path }}", when: "{{ matrix_appservice_slack_container_self_build }}" } + - { path: "{{ matrix_appservice_slack_docker_src_files_path }}", when: "{{ matrix_appservice_slack_container_image_self_build }}" } when: item.when|bool - set_fact: @@ -37,7 +37,7 @@ source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" force_source: "{{ matrix_appservice_slack_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_appservice_slack_docker_image_force_pull }}" - when: "not matrix_appservice_slack_container_self_build|bool" + when: "not matrix_appservice_slack_container_image_self_build|bool" - name: Ensure matrix-appservice-slack repository is present when self-building git: @@ -45,7 +45,7 @@ dest: "{{ matrix_appservice_slack_docker_src_files_path }}" force: "yes" register: matrix_appservice_slack_git_pull_results - when: "matrix_appservice_slack_container_self_build|bool" + when: "matrix_appservice_slack_container_image_self_build|bool" - name: Ensure matrix-appservice-slack Docker image is built docker_image: @@ -57,7 +57,7 @@ dockerfile: Dockerfile path: "{{ matrix_appservice_slack_docker_src_files_path }}" pull: yes - when: "matrix_appservice_slack_container_self_build|bool and matrix_appservice_slack_git_pull_results.changed" + when: "matrix_appservice_slack_container_image_self_build|bool and matrix_appservice_slack_git_pull_results.changed" - name: Ensure Matrix Appservice Slack config installed copy: diff --git a/roles/matrix-bridge-mautrix-signal/defaults/main.yml b/roles/matrix-bridge-mautrix-signal/defaults/main.yml index 6e0a9918..9eebedd7 100644 --- a/roles/matrix-bridge-mautrix-signal/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-signal/defaults/main.yml @@ -3,7 +3,7 @@ matrix_mautrix_signal_enabled: true -matrix_mautrix_signal_container_self_build: false +matrix_mautrix_signal_container_image_self_build: false matrix_mautrix_signal_docker_repo: "https://mau.dev/mautrix/signal.git" matrix_mautrix_signal_docker_src_files_path: "{{ matrix_base_data_path }}/mautrix-signal/docker-src" @@ -13,7 +13,7 @@ matrix_mautrix_signal_daemon_version: latest matrix_mautrix_signal_docker_image: "dock.mau.dev/mautrix/signal:{{ matrix_mautrix_signal_version }}" matrix_mautrix_signal_docker_image_force_pull: "{{ matrix_mautrix_signal_docker_image.endswith(':latest') }}" -matrix_mautrix_signal_daemon_container_self_build: false +matrix_mautrix_signal_daemon_container_image_self_build: false matrix_mautrix_signal_daemon_docker_repo: "https://mau.dev/maunium/signald.git" matrix_mautrix_signal_daemon_docker_src_files_path: "{{ matrix_base_data_path }}/mautrix-signald/docker-src" diff --git a/roles/matrix-bridge-mautrix-signal/tasks/setup_install.yml b/roles/matrix-bridge-mautrix-signal/tasks/setup_install.yml index 88710868..bc6331ac 100644 --- a/roles/matrix-bridge-mautrix-signal/tasks/setup_install.yml +++ b/roles/matrix-bridge-mautrix-signal/tasks/setup_install.yml @@ -14,7 +14,7 @@ source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" force_source: "{{ matrix_mautrix_signal_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mautrix_signal_docker_image_force_pull }}" - when: "not matrix_mautrix_signal_container_self_build|bool" + when: "not matrix_mautrix_signal_container_image_self_build|bool" - name: Ensure Mautrix Signal repository is present on self-build @@ -23,7 +23,7 @@ dest: "{{ matrix_mautrix_signal_docker_src_files_path }}" force: "yes" register: matrix_mautrix_signal_git_pull_results - when: "matrix_mautrix_signal_container_self_build|bool" + when: "matrix_mautrix_signal_container_image_self_build|bool" - name: Ensure Mautrix Signal image is built docker_image: @@ -35,7 +35,7 @@ dockerfile: Dockerfile path: "{{ matrix_mautrix_signal_docker_src_files_path }}" pull: yes - when: "matrix_mautrix_signal_container_self_build|bool" + when: "matrix_mautrix_signal_container_image_self_build|bool" - name: Ensure Mautrix Signal Daemon image is pulled @@ -44,7 +44,7 @@ source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" force_source: "{{ matrix_mautrix_signal_daemon_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mautrix_signal_daemon_docker_image_force_pull }}" - when: matrix_mautrix_signal_enabled and not matrix_mautrix_signal_daemon_container_self_build|bool + when: matrix_mautrix_signal_enabled and not matrix_mautrix_signal_daemon_container_image_self_build|bool register: matrix_mautrix_signal_daemon_pull_results - name: Ensure Mautrix Signal Daemon repository is present on self-build @@ -53,7 +53,7 @@ dest: "{{ matrix_mautrix_signal_daemon_docker_src_files_path }}" force: "yes" register: matrix_mautrix_signal_daemon_git_pull_results - when: "matrix_mautrix_signal_daemon_container_self_build|bool" + when: "matrix_mautrix_signal_daemon_container_image_self_build|bool" - name: Ensure Mautrix Signal Daemon image is built docker_image: @@ -65,7 +65,7 @@ dockerfile: Dockerfile path: "{{ matrix_mautrix_signal_daemon_docker_src_files_path }}" pull: yes - when: "matrix_mautrix_signal_daemon_container_self_build|bool" + when: "matrix_mautrix_signal_daemon_container_image_self_build|bool" - name: Ensure Mautrix Signal paths exist file: diff --git a/roles/matrix-bridge-mautrix-telegram/defaults/main.yml b/roles/matrix-bridge-mautrix-telegram/defaults/main.yml index 1995a7b7..7e7ee0a6 100644 --- a/roles/matrix-bridge-mautrix-telegram/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-telegram/defaults/main.yml @@ -3,13 +3,13 @@ matrix_mautrix_telegram_enabled: true -matrix_telegram_lottieconverter_container_self_build: false -matrix_telegram_lottieconverter_container_self_build_mask_arch: false +matrix_telegram_lottieconverter_container_image_self_build: false +matrix_telegram_lottieconverter_container_image_self_build_mask_arch: false matrix_telegram_lottieconverter_docker_repo: "https://mau.dev/tulir/lottieconverter.git" matrix_telegram_lottieconverter_docker_src_files_path: "{{ matrix_base_data_path }}/lotticonverter/docker-src" matrix_telegram_lottieconverter_docker_image: "dock.mau.dev/tulir/lottieconverter:alpine-3.14" # needs to be ajusted according to FROM clause of Dockerfile of mautrix-telegram -matrix_mautrix_telegram_container_self_build: false +matrix_mautrix_telegram_container_image_self_build: false matrix_mautrix_telegram_docker_repo: "https://mau.dev/mautrix/telegram.git" matrix_mautrix_telegram_docker_src_files_path: "{{ matrix_base_data_path }}/mautrix-telegram/docker-src" diff --git a/roles/matrix-bridge-mautrix-telegram/tasks/init.yml b/roles/matrix-bridge-mautrix-telegram/tasks/init.yml index bf903a57..662ea1c3 100644 --- a/roles/matrix-bridge-mautrix-telegram/tasks/init.yml +++ b/roles/matrix-bridge-mautrix-telegram/tasks/init.yml @@ -3,7 +3,7 @@ - name: Fail if trying to self-build on Ansible < 2.8 fail: msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mautrix_telegram_container_self_build and matrix_mautrix_telegram_enabled" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mautrix_telegram_container_image_self_build and matrix_mautrix_telegram_enabled" - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mautrix-telegram.service'] }}" diff --git a/roles/matrix-bridge-mautrix-telegram/tasks/setup_install.yml b/roles/matrix-bridge-mautrix-telegram/tasks/setup_install.yml index 1e87f1ae..1e34e2cd 100644 --- a/roles/matrix-bridge-mautrix-telegram/tasks/setup_install.yml +++ b/roles/matrix-bridge-mautrix-telegram/tasks/setup_install.yml @@ -45,7 +45,7 @@ - { path: "{{ matrix_mautrix_telegram_base_path }}", when: true } - { path: "{{ matrix_mautrix_telegram_config_path }}", when: true } - { path: "{{ matrix_mautrix_telegram_data_path }}", when: true } - - { path: "{{ matrix_mautrix_telegram_docker_src_files_path }}", when: "{{ matrix_mautrix_telegram_container_self_build }}" } + - { path: "{{ matrix_mautrix_telegram_docker_src_files_path }}", when: "{{ matrix_mautrix_telegram_container_image_self_build }}" } when: item.when|bool - name: Ensure Mautrix Telegram image is pulled @@ -54,7 +54,7 @@ source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" force_source: "{{ matrix_mautrix_telegram_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mautrix_telegram_docker_image_force_pull }}" - when: "not matrix_mautrix_telegram_container_self_build|bool" + when: "not matrix_mautrix_telegram_container_image_self_build|bool" - name: Ensure lottieconverter is present when self-building git: @@ -62,7 +62,7 @@ dest: "{{ matrix_telegram_lottieconverter_docker_src_files_path }}" force: "yes" register: matrix_telegram_lottieconverter_git_pull_results - when: "matrix_telegram_lottieconverter_container_self_build|bool and matrix_mautrix_telegram_container_self_build|bool" + when: "matrix_telegram_lottieconverter_container_image_self_build|bool and matrix_mautrix_telegram_container_image_self_build|bool" - name: Ensure lottieconverter Docker image is built docker_image: @@ -74,7 +74,7 @@ dockerfile: Dockerfile path: "{{ matrix_telegram_lottieconverter_docker_src_files_path }}" pull: yes - when: "matrix_telegram_lottieconverter_container_self_build|bool and matrix_telegram_lottieconverter_git_pull_results.changed and matrix_mautrix_telegram_container_self_build|bool" + when: "matrix_telegram_lottieconverter_container_image_self_build|bool and matrix_telegram_lottieconverter_git_pull_results.changed and matrix_mautrix_telegram_container_image_self_build|bool" - name: Ensure matrix-mautrix-telegram repository is present when self-building git: @@ -82,7 +82,7 @@ dest: "{{ matrix_mautrix_telegram_docker_src_files_path }}" force: "yes" register: matrix_mautrix_telegram_git_pull_results - when: "matrix_mautrix_telegram_container_self_build|bool" + when: "matrix_mautrix_telegram_container_image_self_build|bool" - name: Ensure matrix-mautrix-telegram Docker image is built docker_image: @@ -93,10 +93,10 @@ build: dockerfile: Dockerfile path: "{{ matrix_mautrix_telegram_docker_src_files_path }}" - pull: "{{ not matrix_telegram_lottieconverter_container_self_build_mask_arch|bool }}" + pull: "{{ not matrix_telegram_lottieconverter_container_image_self_build_mask_arch|bool }}" args: TARGETARCH: "" - when: "matrix_mautrix_telegram_container_self_build|bool and matrix_mautrix_telegram_git_pull_results.changed" + when: "matrix_mautrix_telegram_container_image_self_build|bool and matrix_mautrix_telegram_git_pull_results.changed" - name: Check if an old database file already exists stat: diff --git a/roles/matrix-synapse-admin/defaults/main.yml b/roles/matrix-synapse-admin/defaults/main.yml index 6d20d20f..db1024fa 100644 --- a/roles/matrix-synapse-admin/defaults/main.yml +++ b/roles/matrix-synapse-admin/defaults/main.yml @@ -3,14 +3,14 @@ matrix_synapse_admin_enabled: true -matrix_synapse_admin_container_self_build: false -matrix_synapse_admin_container_self_build_repo: "https://github.com/Awesome-Technologies/synapse-admin.git" +matrix_synapse_admin_container_image_self_build: false +matrix_synapse_admin_container_image_self_build_repo: "https://github.com/Awesome-Technologies/synapse-admin.git" matrix_synapse_admin_docker_src_files_path: "{{ matrix_base_data_path }}/synapse-admin/docker-src" matrix_synapse_admin_version: 0.8.4 matrix_synapse_admin_docker_image: "{{ matrix_synapse_admin_docker_image_name_prefix }}awesometechnologies/synapse-admin:{{ matrix_synapse_admin_version }}" -matrix_synapse_admin_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_admin_container_self_build else matrix_container_global_registry_prefix }}" +matrix_synapse_admin_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_admin_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_synapse_admin_docker_image_force_pull: "{{ matrix_synapse_admin_docker_image.endswith(':latest') }}" # A list of extra arguments to pass to the container diff --git a/roles/matrix-synapse-admin/tasks/init.yml b/roles/matrix-synapse-admin/tasks/init.yml index fccc9dfa..3ce5a693 100644 --- a/roles/matrix-synapse-admin/tasks/init.yml +++ b/roles/matrix-synapse-admin/tasks/init.yml @@ -3,7 +3,7 @@ - name: Fail if trying to self-build on Ansible < 2.8 fail: msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_synapse_admin_container_self_build and matrix_synapse_admin_enabled" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_synapse_admin_container_image_self_build and matrix_synapse_admin_enabled" - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-synapse-admin.service'] }}" diff --git a/roles/matrix-synapse-admin/tasks/setup.yml b/roles/matrix-synapse-admin/tasks/setup.yml index d54583af..9eac7f90 100644 --- a/roles/matrix-synapse-admin/tasks/setup.yml +++ b/roles/matrix-synapse-admin/tasks/setup.yml @@ -10,16 +10,16 @@ source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" force_source: "{{ matrix_synapse_admin_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_synapse_admin_docker_image_force_pull }}" - when: "matrix_synapse_admin_enabled|bool and not matrix_synapse_admin_container_self_build|bool" + when: "matrix_synapse_admin_enabled|bool and not matrix_synapse_admin_container_image_self_build|bool" - name: Ensure matrix-synapse-admin repository is present when self-building git: - repo: "{{ matrix_synapse_admin_container_self_build_repo }}" + repo: "{{ matrix_synapse_admin_container_image_self_build_repo }}" dest: "{{ matrix_synapse_admin_docker_src_files_path }}" version: "{{ matrix_synapse_admin_docker_image.split(':')[1] }}" force: "yes" register: matrix_synapse_admin_git_pull_results - when: "matrix_synapse_admin_enabled|bool and matrix_synapse_admin_container_self_build|bool" + when: "matrix_synapse_admin_enabled|bool and matrix_synapse_admin_container_image_self_build|bool" - name: Ensure matrix-synapse-admin Docker image is built docker_image: @@ -31,7 +31,7 @@ dockerfile: Dockerfile path: "{{ matrix_synapse_admin_docker_src_files_path }}" pull: yes - when: "matrix_synapse_admin_enabled|bool and matrix_synapse_admin_container_self_build|bool" + when: "matrix_synapse_admin_enabled|bool and matrix_synapse_admin_container_image_self_build|bool" - name: Ensure matrix-synapse-admin.service installed template: diff --git a/roles/matrix-synapse-admin/tasks/validate_config.yml b/roles/matrix-synapse-admin/tasks/validate_config.yml index e08680e0..d0640d7f 100644 --- a/roles/matrix-synapse-admin/tasks/validate_config.yml +++ b/roles/matrix-synapse-admin/tasks/validate_config.yml @@ -8,3 +8,4 @@ when: "item.old in vars" with_items: - {'old': 'matrix_synapse_admin_docker_repo', 'new': 'matrix_synapse_admin_container_self_build_repo'} + - {'old': 'matrix_synapse_admin_container_self_build_repo', 'new': 'matrix_synapse_admin_container_image_self_build_repo'} From c191bf54cace667e5eda26a2fb1419dd5bc8eb88 Mon Sep 17 00:00:00 2001 From: rakshazi Date: Fri, 7 Jan 2022 13:17:39 +0200 Subject: [PATCH 118/202] self-build consistency: add deprecation warnings --- .../tasks/validate_config.yml | 9 +++++++++ .../tasks/validate_config.yml | 1 + .../tasks/validate_config.yml | 9 +++++++++ .../tasks/validate_config.yml | 2 ++ .../tasks/validate_config.yml | 2 ++ roles/matrix-synapse-admin/tasks/validate_config.yml | 1 + 6 files changed, 24 insertions(+) diff --git a/roles/matrix-bot-matrix-reminder-bot/tasks/validate_config.yml b/roles/matrix-bot-matrix-reminder-bot/tasks/validate_config.yml index 983e7166..8963a312 100644 --- a/roles/matrix-bot-matrix-reminder-bot/tasks/validate_config.yml +++ b/roles/matrix-bot-matrix-reminder-bot/tasks/validate_config.yml @@ -8,3 +8,12 @@ with_items: - "matrix_bot_matrix_reminder_bot_matrix_user_password" - "matrix_bot_matrix_reminder_bot_reminders_timezone" + +- name: (Deprecation) Catch and report renamed settings + fail: + msg: >- + Your configuration contains a variable, which now has a different name. + Please change your configuration to rename the variable (`{{ item.old }}` -> `{{ item.new }}`). + when: "item.old in vars" + with_items: + - {'old': 'matrix_bot_matrix_reminder_bot_container_self_build', 'new': 'matrix_bot_matrix_reminder_bot_container_image_self_build'} diff --git a/roles/matrix-bridge-appservice-irc/tasks/validate_config.yml b/roles/matrix-bridge-appservice-irc/tasks/validate_config.yml index bd08427c..303f2640 100644 --- a/roles/matrix-bridge-appservice-irc/tasks/validate_config.yml +++ b/roles/matrix-bridge-appservice-irc/tasks/validate_config.yml @@ -33,3 +33,4 @@ when: "item.old in vars" with_items: - {'old': 'matrix_appservice_irc_container_expose_client_server_api_port', 'new': ''} + - {'old': 'matrix_appservice_irc_container_self_build', 'new': 'matrix_appservice_irc_container_image_self_build'} diff --git a/roles/matrix-bridge-appservice-slack/tasks/validate_config.yml b/roles/matrix-bridge-appservice-slack/tasks/validate_config.yml index e02c6ab0..1866c312 100644 --- a/roles/matrix-bridge-appservice-slack/tasks/validate_config.yml +++ b/roles/matrix-bridge-appservice-slack/tasks/validate_config.yml @@ -11,3 +11,12 @@ - "matrix_appservice_slack_homeserver_url" - "matrix_appservice_slack_homeserver_token" - "matrix_appservice_slack_id_token" + +- name: (Deprecation) Catch and report renamed settings + fail: + msg: >- + Your configuration contains a variable, which now has a different name. + Please change your configuration to rename the variable (`{{ item.old }}` -> `{{ item.new }}`). + when: "item.old in vars" + with_items: + - {'old': 'matrix_appservice_slack_container_self_build', 'new': 'matrix_appservice_slack_container_image_self_build'} diff --git a/roles/matrix-bridge-mautrix-signal/tasks/validate_config.yml b/roles/matrix-bridge-mautrix-signal/tasks/validate_config.yml index 100af3f8..108ac044 100644 --- a/roles/matrix-bridge-mautrix-signal/tasks/validate_config.yml +++ b/roles/matrix-bridge-mautrix-signal/tasks/validate_config.yml @@ -26,3 +26,5 @@ - {'old': 'matrix_mautrix_signal_db_port', 'new': 'matrix_mautrix_signal_database_port'} - {'old': 'matrix_mautrix_signal_db_url', 'new': 'matrix_mautrix_signal_database_connection_string'} - {'old': 'matrix_mautrix_signal_configuration_permissions', 'new': ''} + - {'old': 'matrix_mautrix_signal_container_self_build', 'new': 'matrix_mautrix_signal_container_image_self_build'} + - {'old': 'matrix_mautrix_signal_daemon_container_self_build', 'new': 'matrix_mautrix_signal_daemon_container_image_self_build'} diff --git a/roles/matrix-bridge-mautrix-telegram/tasks/validate_config.yml b/roles/matrix-bridge-mautrix-telegram/tasks/validate_config.yml index 5b1f3b00..db10a4cc 100644 --- a/roles/matrix-bridge-mautrix-telegram/tasks/validate_config.yml +++ b/roles/matrix-bridge-mautrix-telegram/tasks/validate_config.yml @@ -20,3 +20,5 @@ when: "item.old in vars" with_items: - {'old': 'matrix_mautrix_telegram_container_exposed_port_number', 'new': ''} + - {'old': 'matrix_mautrix_telegram_container_self_build', 'new': 'matrix_mautrix_telegram_container_image_self_build'} + - {'old': 'matrix_telegram_lottieconverter_container_self_build', 'new': 'matrix_mautrix_telegram_container_image_self_build'} diff --git a/roles/matrix-synapse-admin/tasks/validate_config.yml b/roles/matrix-synapse-admin/tasks/validate_config.yml index d0640d7f..20a5c170 100644 --- a/roles/matrix-synapse-admin/tasks/validate_config.yml +++ b/roles/matrix-synapse-admin/tasks/validate_config.yml @@ -8,4 +8,5 @@ when: "item.old in vars" with_items: - {'old': 'matrix_synapse_admin_docker_repo', 'new': 'matrix_synapse_admin_container_self_build_repo'} + - {'old': 'matrix_synapse_admin_container_self_build', 'new': 'matrix_synapse_admin_container_image_self_build'} - {'old': 'matrix_synapse_admin_container_self_build_repo', 'new': 'matrix_synapse_admin_container_image_self_build_repo'} From 2836667df28c695755854b407955700cfc2aa568 Mon Sep 17 00:00:00 2001 From: rakshazi Date: Fri, 7 Jan 2022 13:21:41 +0200 Subject: [PATCH 119/202] self-build consistency: missing var --- roles/matrix-bridge-mautrix-telegram/tasks/validate_config.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/matrix-bridge-mautrix-telegram/tasks/validate_config.yml b/roles/matrix-bridge-mautrix-telegram/tasks/validate_config.yml index db10a4cc..2067b97b 100644 --- a/roles/matrix-bridge-mautrix-telegram/tasks/validate_config.yml +++ b/roles/matrix-bridge-mautrix-telegram/tasks/validate_config.yml @@ -22,3 +22,4 @@ - {'old': 'matrix_mautrix_telegram_container_exposed_port_number', 'new': ''} - {'old': 'matrix_mautrix_telegram_container_self_build', 'new': 'matrix_mautrix_telegram_container_image_self_build'} - {'old': 'matrix_telegram_lottieconverter_container_self_build', 'new': 'matrix_mautrix_telegram_container_image_self_build'} + - {'old': 'matrix_telegram_lottieconverter_container_self_build_mask_arch', 'new': 'matrix_telegram_lottieconverter_container_image_self_build_mask_arch'} From 07af05690c0f52d09481614c2ac742bd79a82280 Mon Sep 17 00:00:00 2001 From: "Jip J. Dekker" Date: Sun, 24 Jan 2021 17:41:11 +1100 Subject: [PATCH 120/202] Add initial role for Dendrite as alternative Matrix server --- group_vars/matrix_servers | 98 + roles/matrix-dendrite/defaults/main.yml | 158 + .../matrix-dendrite/tasks/dendrite/setup.yml | 6 + .../tasks/dendrite/setup_install.yml | 85 + .../tasks/dendrite/setup_uninstall.yml | 28 + roles/matrix-dendrite/tasks/goofys/setup.yml | 7 + .../tasks/goofys/setup_install.yml | 41 + .../tasks/goofys/setup_uninstall.yml | 33 + .../tasks/import_media_store.yml | 81 + roles/matrix-dendrite/tasks/init.yml | 12 + roles/matrix-dendrite/tasks/main.yml | 50 + roles/matrix-dendrite/tasks/register_user.yml | 25 + .../tasks/self_check_client_api.yml | 20 + .../tasks/self_check_federation_api.yml | 25 + .../matrix-dendrite/tasks/setup_dendrite.yml | 19 + .../tasks/update_user_password.yml | 41 + .../matrix-dendrite/tasks/validate_config.yml | 16 + .../templates/dendrite/dendrite.yaml.j2 | 342 +++ .../templates/dendrite/homeserver.yaml.j2 | 2682 +++++++++++++++++ .../systemd/matrix-dendrite.service.j2 | 58 + .../matrix-dendrite-create-account.j2 | 12 + .../templates/goofys/env-goofys.j2 | 3 + .../goofys/systemd/matrix-goofys.service.j2 | 39 + roles/matrix-dendrite/vars/main.yml | 11 + setup.yml | 1 + 25 files changed, 3893 insertions(+) create mode 100644 roles/matrix-dendrite/defaults/main.yml create mode 100644 roles/matrix-dendrite/tasks/dendrite/setup.yml create mode 100644 roles/matrix-dendrite/tasks/dendrite/setup_install.yml create mode 100644 roles/matrix-dendrite/tasks/dendrite/setup_uninstall.yml create mode 100644 roles/matrix-dendrite/tasks/goofys/setup.yml create mode 100644 roles/matrix-dendrite/tasks/goofys/setup_install.yml create mode 100644 roles/matrix-dendrite/tasks/goofys/setup_uninstall.yml create mode 100644 roles/matrix-dendrite/tasks/import_media_store.yml create mode 100644 roles/matrix-dendrite/tasks/init.yml create mode 100644 roles/matrix-dendrite/tasks/main.yml create mode 100644 roles/matrix-dendrite/tasks/register_user.yml create mode 100644 roles/matrix-dendrite/tasks/self_check_client_api.yml create mode 100644 roles/matrix-dendrite/tasks/self_check_federation_api.yml create mode 100644 roles/matrix-dendrite/tasks/setup_dendrite.yml create mode 100644 roles/matrix-dendrite/tasks/update_user_password.yml create mode 100644 roles/matrix-dendrite/tasks/validate_config.yml create mode 100644 roles/matrix-dendrite/templates/dendrite/dendrite.yaml.j2 create mode 100644 roles/matrix-dendrite/templates/dendrite/homeserver.yaml.j2 create mode 100644 roles/matrix-dendrite/templates/dendrite/systemd/matrix-dendrite.service.j2 create mode 100644 roles/matrix-dendrite/templates/dendrite/usr-local-bin/matrix-dendrite-create-account.j2 create mode 100644 roles/matrix-dendrite/templates/goofys/env-goofys.j2 create mode 100644 roles/matrix-dendrite/templates/goofys/systemd/matrix-goofys.service.j2 create mode 100644 roles/matrix-dendrite/vars/main.yml diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 49f63ddf..18351f32 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -1508,6 +1508,48 @@ matrix_postgres_additional_databases: | 'password': matrix_synapse_database_password, }] if (matrix_synapse_enabled and matrix_synapse_database_database != matrix_postgres_db_name and matrix_synapse_database_host == 'matrix-postgres') else []) + + ([{ + 'name': matrix_dendrite_naffka_database, + 'username': matrix_dendrite_database_user, + 'password': matrix_dendrite_database_password, + },{ + 'name': matrix_dendrite_appservice_database, + 'username': matrix_dendrite_database_user, + 'password': matrix_dendrite_database_password, + },{ + 'name': matrix_dendrite_federationsender_database, + 'username': matrix_dendrite_database_user, + 'password': matrix_dendrite_database_password, + },{ + 'name': matrix_dendrite_keyserver_database, + 'username': matrix_dendrite_database_user, + 'password': matrix_dendrite_database_password, + },{ + 'name': matrix_dendrite_mediaapi_database, + 'username': matrix_dendrite_database_user, + 'password': matrix_dendrite_database_password, + },{ + 'name': matrix_dendrite_room_database, + 'username': matrix_dendrite_database_user, + 'password': matrix_dendrite_database_password, + },{ + 'name': matrix_dendrite_singingkeyserver_database, + 'username': matrix_dendrite_database_user, + 'password': matrix_dendrite_database_password, + },{ + 'name': matrix_dendrite_syncapi_database, + 'username': matrix_dendrite_database_user, + 'password': matrix_dendrite_database_password, + },{ + 'name': matrix_dendrite_account_database, + 'username': matrix_dendrite_database_user, + 'password': matrix_dendrite_database_password, + },{ + 'name': matrix_dendrite_device_database, + 'username': matrix_dendrite_database_user, + 'password': matrix_dendrite_database_password, + }] if (matrix_dendrite_enabled and matrix_dendrite_database_hostname == 'matrix-postgres') else []) + + ([{ 'name': matrix_ma1sd_database_name, 'username': matrix_ma1sd_database_username, @@ -2125,3 +2167,59 @@ matrix_postgres_backup_databases: | # /matrix-postgres-backup # ###################################################################### + +###################################################################### +# +# matrix-dendrite +# +###################################################################### + +# Normally, matrix-nginx-proxy is enabled and nginx can reach Dendrite over the container network. +# If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, +# you can expose Dendrite's ports to the host. +# +# For exposing the Matrix Client API's port (plain HTTP) to the local host. +matrix_dendrite_container_client_api_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:8008' }}" +# +# For exposing the Matrix Federation API's TLS port (HTTPS) to the internet on all network interfaces. +matrix_dendrite_container_federation_api_tls_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else matrix_federation_public_port }}" + +matrix_dendrite_database_password: "{{ matrix_dendrite_macaroon_secret_key | password_hash('sha512', 'dendrite.db') | to_uuid }}" + +# Even if TURN doesn't support TLS (it does by default), +# it doesn't hurt to try a secure connection anyway. +matrix_dendrite_turn_uris: | + {{ + [ + 'turns:' + matrix_server_fqn_matrix + '?transport=udp', + 'turns:' + matrix_server_fqn_matrix + '?transport=tcp', + 'turn:' + matrix_server_fqn_matrix + '?transport=udp', + 'turn:' + matrix_server_fqn_matrix + '?transport=tcp', + ] + if matrix_coturn_enabled + else [] + }} + +matrix_dendrite_turn_shared_secret: "{{ matrix_coturn_turn_static_auth_secret if matrix_coturn_enabled else '' }}" + +matrix_dendrite_disable_tls_validation: "{{ true if matrix_ssl_retrieval_method == 'self-signed' else false }}" + +matrix_dendrite_systemd_required_services_list: | + {{ + (['docker.service']) + + + (['matrix-postgres.service'] if matrix_postgres_enabled else []) + + + (['matrix-goofys'] if matrix_s3_media_store_enabled else []) + }} + +matrix_dendrite_systemd_wanted_services_list: | + {{ + (['matrix-coturn.service'] if matrix_coturn_enabled else []) + }} + +###################################################################### +# +# /matrix-dendrite +# +###################################################################### diff --git a/roles/matrix-dendrite/defaults/main.yml b/roles/matrix-dendrite/defaults/main.yml new file mode 100644 index 00000000..78bc9bb8 --- /dev/null +++ b/roles/matrix-dendrite/defaults/main.yml @@ -0,0 +1,158 @@ +# Dendrite is a second-generation Matrix homeserver currently in Beta +# See: https://github.com/matrix-org/dendrite + +matrix_dendrite_enabled: false + +matrix_dendrite_docker_image: "{{ matrix_dendrite_docker_image_name_prefix }}matrixdotorg/dendrite-monolith:{{ matrix_dendrite_docker_image_tag }}" +matrix_dendrite_docker_image_name_prefix: "docker.io/" +matrix_dendrite_docker_image_tag: "v0.3.6" +matrix_dendrite_docker_image_force_pull: "{{ matrix_dendrite_docker_image.endswith(':latest') }}" + +matrix_dendrite_base_path: "{{ matrix_base_data_path }}/dendrite" +matrix_dendrite_config_dir_path: "{{ matrix_dendrite_base_path }}/config" +matrix_dendrite_storage_path: "{{ matrix_dendrite_base_path }}/storage" +matrix_dendrite_media_store_path: "{{ matrix_dendrite_storage_path }}/media-store" +matrix_dendrite_ext_path: "{{ matrix_dendrite_base_path }}/ext" + +# Controls whether the matrix-dendrite container exposes the Client/Server API port (tcp/8008 in the container). +# +# Takes an ":" or "" value (e.g. "127.0.0.1:8008"), or empty string to not expose. +matrix_dendrite_container_client_api_host_bind_port: "" + +# Controls whether the matrix-dendrite container exposes the tls (encrypted) Server/Server (Federation) API port (tcp/8448 in the container). +# +# Takes effect only if federation is enabled (matrix_dendrite_federation_enabled) +# and TLS support is enabled (matrix_dendrite_tls_federation_listener_enabled). +# +# Takes an ":" or "" value (e.g. "8448"), or empty string to not expose. +matrix_dendrite_container_federation_api_tls_host_bind_port: "" + +# A list of extra arguments to pass to the container +matrix_dendrite_container_extra_arguments: [] + +# List of systemd services that matrix-dendrite.service depends on +matrix_dendrite_systemd_required_services_list: ["docker.service"] + +# List of systemd services that matrix-dendrite.service wants +matrix_dendrite_systemd_wanted_services_list: [] + +# Specifies which template files to use when configuring Dendrite. +# If you'd like to have your own different configuration, feel free to copy and paste +# the original files into your inventory (e.g. in `inventory/host_vars//`) +# and then change the specific host's `vars.yaml` file like this: +# matrix_dendrite_template_dendrite_config: "{{ playbook_dir }}/inventory/host_vars//dendrite.yaml.j2" +matrix_dendrite_template_dendrite_config: "{{ role_path }}/templates/dendrite/dendrite.yaml.j2" + +matrix_dendrite_macaroon_secret_key: "" +matrix_dendrite_registration_shared_secret: "{{ matrix_dendrite_macaroon_secret_key }}" +matrix_dendrite_allow_guest_access: false +matrix_dendrite_form_secret: "{{ matrix_dendrite_macaroon_secret_key }}" + +matrix_dendrite_max_file_size_bytes: 10485760 + +# The tmpfs at /tmp needs to be large enough to handle multiple concurrent file uploads. +matrix_dendrite_tmp_directory_size_mb: 500 + +# Log levels +matrix_dendrite_log_level: "warning" +matrix_dendrite_log_path: "/var/log/dendrite" + +# Rate limits +matrix_dendrite_rate_limiting_enabled: true +matrix_dendrite_rate_limiting_threshold: 5 +matrix_dendrite_rate_limiting_cooloff_ms: 500 + +# Controls whether people with access to the homeserver can register by themselves. +matrix_dendrite_registration_disabled: false + +# reCAPTCHA API for validating registration attempts +matrix_dendrite_enable_registration_captcha: false +matrix_dendrite_recaptcha_public_key: "" +matrix_dendrite_recaptcha_private_key: "" + +# A list of additional "volumes" to mount in the container. +# This list gets populated dynamically based on Dendrite extensions that have been enabled. +# Contains definition objects like this: `{"src": "/outside", "dst": "/inside", "options": "rw|ro|slave|.."} +# +# Note: internally, this uses the `-v` flag for mounting the specified volumes. +# It's better (safer) to use the `--mount` flag for mounting volumes. +# To use `--mount`, specify it in `matrix_dendrite_container_extra_arguments`. +# Example: `matrix_dendrite_container_extra_arguments: ['--mount type=bind,src=/outside,dst=/inside,ro'] +matrix_dendrite_container_additional_volumes: [] + +# A list of appservice config files (in-container filesystem paths). +# This list gets populated dynamically based on Dendrite extensions that have been enabled. +# You may wish to use this together with `matrix_dendrite_container_additional_volumes` or `matrix_dendrite_container_extra_arguments`. +matrix_dendrite_app_service_config_files: [] + +# Enable exposure of metrics +matrix_dendrite_metrics_enabled: false +matrix_dendrite_metrics_username: "metrics" +matrix_dendrite_metrics_password: "metrics" + +# Postgres database information +matrix_dendrite_database_str: "postgresql://{{ matrix_dendrite_database_user }}:{{ matrix_dendrite_database_password }}@{{ matrix_dendrite_database_hostname }}" +matrix_dendrite_database_hostname: "matrix-postgres" +matrix_dendrite_database_user: "dendrite" +matrix_dendrite_database_password: "itsasecret" +matrix_dendrite_naffka_database: "dendrite_naffka" +matrix_dendrite_appservice_database: "dendrite_appservice" +matrix_dendrite_federationsender_database: "dendrite_federationsender" +matrix_dendrite_keyserver_database: "dendrite_keyserver" +matrix_dendrite_mediaapi_database: "dendrite_mediaapi" +matrix_dendrite_room_database: "dendrite_room" +matrix_dendrite_singingkeyserver_database: "dendrite_sigingkeyserver" +matrix_dendrite_syncapi_database: "dendrite_syncapi" +matrix_dendrite_account_database: "dendrite_account" +matrix_dendrite_device_database: "dendrite_device" + +matrix_dendrite_turn_uris: [] +matrix_dendrite_turn_shared_secret: "" +matrix_dendrite_turn_allow_guests: False + +matrix_s3_media_store_enabled: false +matrix_s3_media_store_custom_endpoint_enabled: false +matrix_s3_goofys_docker_image: "ewoutp/goofys:latest" +matrix_s3_goofys_docker_image_force_pull: "{{ matrix_s3_goofys_docker_image.endswith(':latest') }}" +matrix_s3_media_store_custom_endpoint: "your-custom-endpoint" +matrix_s3_media_store_bucket_name: "your-bucket-name" +matrix_s3_media_store_aws_access_key: "your-aws-access-key" +matrix_s3_media_store_aws_secret_key: "your-aws-secret-key" +matrix_s3_media_store_region: "eu-central-1" + +# Controls whether the self-check feature should validate TLS certificates. +matrix_dendrite_disable_tls_validation: false + +matrix_dendrite_trusted_id_servers: + - "matrix.org" + - "vector.im" + +# Default Dendrite configuration template which covers the generic use case. +# You can customize it by controlling the various variables inside it. +# +# For a more advanced customization, you can extend the default (see `matrix_dendrite_configuration_extension_yaml`) +# or completely replace this variable with your own template. +matrix_dendrite_configuration_yaml: "{{ lookup('template', 'templates/dendrite/dendrite.yaml.j2') }}" + +matrix_dendrite_configuration_extension_yaml: | + # Your custom YAML configuration for Dendrite goes here. + # This configuration extends the default starting configuration (`matrix_dendrite_configuration_yaml`). + # + # You can override individual variables from the default configuration, or introduce new ones. + # + # If you need something more special, you can take full control by + # completely redefining `matrix_dendrite_configuration_yaml`. + # + # Example configuration extension follows: + # + # server_notices: + # system_mxid_localpart: notices + # system_mxid_display_name: "Server Notices" + # system_mxid_avatar_url: "mxc://server.com/oumMVlgDnLYFaPVkExemNVVZ" + # room_name: "Server Notices" + +matrix_dendrite_configuration_extension: "{{ matrix_dendrite_configuration_extension_yaml|from_yaml if matrix_dendrite_configuration_extension_yaml|from_yaml is mapping else {} }}" + +# Holds the final Dendrite configuration (a combination of the default and its extension). +# You most likely don't need to touch this variable. Instead, see `matrix_dendrite_configuration_yaml`. +matrix_dendrite_configuration: "{{ matrix_dendrite_configuration_yaml|from_yaml|combine(matrix_dendrite_configuration_extension, recursive=True) }}" diff --git a/roles/matrix-dendrite/tasks/dendrite/setup.yml b/roles/matrix-dendrite/tasks/dendrite/setup.yml new file mode 100644 index 00000000..8b669193 --- /dev/null +++ b/roles/matrix-dendrite/tasks/dendrite/setup.yml @@ -0,0 +1,6 @@ +--- +- import_tasks: "{{ role_path }}/tasks/dendrite/setup_install.yml" + when: matrix_dendrite_enabled|bool + +- import_tasks: "{{ role_path }}/tasks/dendrite/setup_uninstall.yml" + when: "not matrix_dendrite_enabled|bool" diff --git a/roles/matrix-dendrite/tasks/dendrite/setup_install.yml b/roles/matrix-dendrite/tasks/dendrite/setup_install.yml new file mode 100644 index 00000000..182b6c1c --- /dev/null +++ b/roles/matrix-dendrite/tasks/dendrite/setup_install.yml @@ -0,0 +1,85 @@ +--- +# This will throw a Permission Denied error if already mounted using fuse +- name: Check Dendrite media store path + stat: + path: "{{ matrix_dendrite_media_store_path }}" + register: local_path_media_store_stat + ignore_errors: yes + +# This is separate and conditional, to ensure we don't execute it +# if the path already exists or we failed to check, because it's mounted using fuse. +- name: Ensure Dendrite media store path exists + file: + path: "{{ matrix_dendrite_media_store_path }}" + state: directory + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + when: "not local_path_media_store_stat.failed and not local_path_media_store_stat.stat.exists" + +- name: Ensure Dendrite log path exists + file: + path: "{{ matrix_dendrite_log_path }}" + state: directory + mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + +- name: Ensure Dendrite Docker image is pulled + docker_image: + name: "{{ matrix_dendrite_docker_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_dendrite_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_dendrite_docker_image_force_pull }}" + +- name: Check if a Dendrite signing key exists + stat: + path: "{{ matrix_dendrite_config_dir_path }}/{{ matrix_server_fqn_matrix }}.signing.pem" + register: matrix_dendrite_signing_key_stat + +# We do this so that the signing key would get generated. +# We don't use the `docker_container` module, because using it with `cap_drop` requires +# a very recent version, which is not available for a lot of people yet. +- name: Generate Dendrite signing key + command: | + docker run + --rm + --name=matrix-config + --entrypoint=generate-keys + --mount type=bind,src={{ matrix_dendrite_config_dir_path }},dst=/data + {{ matrix_dendrite_docker_image }} --private-key=/data/{{ matrix_server_fqn_matrix }}.signing.pem + generate + when: "not matrix_dendrite_signing_key_stat.stat.exists" + +- name: Ensure Dendrite server key exists + file: + path: "{{ matrix_dendrite_config_dir_path }}/{{ matrix_server_fqn_matrix }}.signing.pem" + mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + +- name: Ensure Dendrite configuration installed + copy: + content: "{{ matrix_dendrite_configuration|to_nice_yaml }}" + dest: "{{ matrix_dendrite_config_dir_path }}/dendrite.yaml" + mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + +- name: Ensure matrix-dendrite.service installed + template: + src: "{{ role_path }}/templates/dendrite/systemd/matrix-dendrite.service.j2" + dest: "{{ matrix_systemd_path }}/matrix-dendrite.service" + mode: 0644 + register: matrix_dendrite_systemd_service_result + +- name: Ensure systemd reloaded after matrix-dendrite.service installation + service: + daemon_reload: yes + when: "matrix_dendrite_systemd_service_result.changed" + +- name: Ensure matrix-dendrite-create-account script created + template: + src: "{{ role_path }}/templates/dendrite/usr-local-bin/matrix-dendrite-create-account.j2" + dest: "{{ matrix_local_bin_path }}/matrix-dendrite-create-account" + mode: 0750 diff --git a/roles/matrix-dendrite/tasks/dendrite/setup_uninstall.yml b/roles/matrix-dendrite/tasks/dendrite/setup_uninstall.yml new file mode 100644 index 00000000..7e953365 --- /dev/null +++ b/roles/matrix-dendrite/tasks/dendrite/setup_uninstall.yml @@ -0,0 +1,28 @@ +- name: Check existence of matrix-dendrite service + stat: + path: "{{ matrix_systemd_path }}/matrix-dendrite.service" + register: matrix_dendrite_service_stat + +- name: Ensure matrix-dendrite is stopped + service: + name: matrix-dendrite + state: stopped + daemon_reload: yes + register: stopping_result + when: "matrix_dendrite_service_stat.stat.exists" + +- name: Ensure matrix-dendrite.service doesn't exist + file: + path: "{{ matrix_systemd_path }}/matrix-dendrite.service" + state: absent + when: "matrix_dendrite_service_stat.stat.exists" + +- name: Ensure systemd reloaded after matrix-dendrite.service removal + service: + daemon_reload: yes + when: "matrix_dendrite_service_stat.stat.exists" + +- name: Ensure Dendrite Docker image doesn't exist + docker_image: + name: "{{ matrix_dendrite_docker_image }}" + state: absent diff --git a/roles/matrix-dendrite/tasks/goofys/setup.yml b/roles/matrix-dendrite/tasks/goofys/setup.yml new file mode 100644 index 00000000..6370408d --- /dev/null +++ b/roles/matrix-dendrite/tasks/goofys/setup.yml @@ -0,0 +1,7 @@ +--- + +- import_tasks: "{{ role_path }}/tasks/goofys/setup_install.yml" + when: matrix_s3_media_store_enabled|bool + +- import_tasks: "{{ role_path }}/tasks/goofys/setup_uninstall.yml" + when: "not matrix_s3_media_store_enabled|bool" diff --git a/roles/matrix-dendrite/tasks/goofys/setup_install.yml b/roles/matrix-dendrite/tasks/goofys/setup_install.yml new file mode 100644 index 00000000..4917440b --- /dev/null +++ b/roles/matrix-dendrite/tasks/goofys/setup_install.yml @@ -0,0 +1,41 @@ +- name: Ensure Goofys Docker image is pulled + docker_image: + name: "{{ matrix_s3_goofys_docker_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_s3_goofys_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_s3_goofys_docker_image_force_pull }}" + +# This will throw a Permission Denied error if already mounted +- name: Check Matrix Goofys external storage mountpoint path + stat: + path: "{{ matrix_dendrite_media_store_path }}" + register: local_path_matrix_dendrite_media_store_path_stat + ignore_errors: yes + +- name: Ensure Matrix Goofys external storage mountpoint exists + file: + path: "{{ matrix_dendrite_media_store_path if matrix_dendrite_enabled else matrix_dendrite_media_store_path }}" + state: directory + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + when: "not local_path_matrix_dendrite_media_store_path_stat.failed and not local_path_matrix_dendrite_media_store_path_stat.stat.exists" + +- name: Ensure goofys environment variables file created + template: + src: "{{ role_path }}/templates/goofys/env-goofys.j2" + dest: "{{ matrix_dendrite_config_dir_path }}/env-goofys" + owner: root + mode: 0600 + +- name: Ensure matrix-goofys.service installed + template: + src: "{{ role_path }}/templates/goofys/systemd/matrix-goofys.service.j2" + dest: "{{ matrix_systemd_path }}/matrix-goofys.service" + mode: 0644 + register: matrix_goofys_systemd_service_result + +- name: Ensure systemd reloaded after matrix-goofys.service installation + service: + daemon_reload: yes + when: "matrix_goofys_systemd_service_result.changed" diff --git a/roles/matrix-dendrite/tasks/goofys/setup_uninstall.yml b/roles/matrix-dendrite/tasks/goofys/setup_uninstall.yml new file mode 100644 index 00000000..b7f972ad --- /dev/null +++ b/roles/matrix-dendrite/tasks/goofys/setup_uninstall.yml @@ -0,0 +1,33 @@ +- name: Check existence of matrix-goofys service + stat: + path: "{{ matrix_systemd_path }}/matrix-goofys.service" + register: matrix_goofys_service_stat + +- name: Ensure matrix-goofys is stopped + service: + name: matrix-goofys + state: stopped + daemon_reload: yes + register: stopping_result + when: "matrix_goofys_service_stat.stat.exists" + +- name: Ensure matrix-goofys.service doesn't exist + file: + path: "{{ matrix_systemd_path }}/matrix-goofys.service" + state: absent + when: "matrix_goofys_service_stat.stat.exists" + +- name: Ensure systemd reloaded after matrix-goofys.service removal + service: + daemon_reload: yes + when: "matrix_goofys_service_stat.stat.exists" + +- name: Ensure goofys environment variables file doesn't exist + file: + path: "{{ matrix_dendrite_config_dir_path }}/env-goofys" + state: absent + +- name: Ensure Goofys Docker image doesn't exist + docker_image: + name: "{{ matrix_s3_goofys_docker_image }}" + state: absent diff --git a/roles/matrix-dendrite/tasks/import_media_store.yml b/roles/matrix-dendrite/tasks/import_media_store.yml new file mode 100644 index 00000000..9eaa6c0c --- /dev/null +++ b/roles/matrix-dendrite/tasks/import_media_store.yml @@ -0,0 +1,81 @@ +--- +# Pre-checks + +- name: Fail if playbook called incorrectly + fail: + msg: "The `server_path_media_store` variable needs to be provided to this playbook, via --extra-vars" + when: "server_path_media_store is not defined or server_path_media_store.startswith('<')" + +- name: Fail if media store is on Amazon S3 + fail: + msg: "Your media store is on Amazon S3. Due to technical limitations, restoring is not supported." + when: matrix_s3_media_store_enabled|bool + +- name: Check if the provided media store directory exists + stat: + path: "{{ server_path_media_store }}" + register: server_path_media_store_stat + +- name: Fail if provided media store directory doesn't exist on the server + fail: + msg: "{{ server_path_media_store }} cannot be found on the server" + when: "not server_path_media_store_stat.stat.exists or not server_path_media_store_stat.stat.isdir" + +- name: Check if media store contains local_content + stat: + path: "{{ server_path_media_store }}/local_content" + register: server_path_media_store_local_content_stat + +- name: Check if media store contains remote_content + stat: + path: "{{ server_path_media_store }}/remote_content" + register: server_path_media_store_remote_content_stat + +- name: Fail if media store directory doesn't look okay (lacking remote and local content) + fail: + msg: "{{ server_path_media_store }} contains neither local_content nor remote_content directories. It's most likely a mistake and is not a media store directory." + when: "not server_path_media_store_local_content_stat.stat.exists and not server_path_media_store_remote_content_stat.stat.exists" + +# Actual import work + +- name: Ensure matrix-dendrite is stopped + service: + name: matrix-dendrite + state: stopped + daemon_reload: yes + register: stopping_result + +# This can only work with local files, not if the media store is on Amazon S3, +# as it won't be accessible in such a case. +- name: Ensure provided media store directory is synchronized + synchronize: + src: "{{ server_path_media_store }}/" + dest: "{{ matrix_dendrite_media_store_path }}" + delete: yes + # It's wasteful to preserve owner/group now. We chown below anyway. + owner: no + group: no + times: yes + delegate_to: "{{ inventory_hostname }}" + +# This is for the generic case and fails in other cases (remote file systems), +# because in such cases the base path (matrix_dendrite_media_store_path) is a mount point. +- name: Ensure media store permissions are correct (generic case) + file: + path: "{{ matrix_dendrite_media_store_path }}" + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + recurse: yes + when: "not matrix_s3_media_store_enabled|bool" + +# We don't chown for Goofys, because due to the way it's mounted, +# all files become owned by whoever needs to own them. + +- name: Ensure Dendrite is started (if it previously was) + service: + name: "{{ item }}" + state: started + daemon_reload: yes + when: "stopping_result.changed" + with_items: + - matrix-dendrite diff --git a/roles/matrix-dendrite/tasks/init.yml b/roles/matrix-dendrite/tasks/init.yml new file mode 100644 index 00000000..8457c63d --- /dev/null +++ b/roles/matrix-dendrite/tasks/init.yml @@ -0,0 +1,12 @@ +- set_fact: + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-dendrite.service'] }}" + when: matrix_dendrite_enabled|bool + +- set_fact: + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-goofys.service'] }}" + when: matrix_s3_media_store_enabled|bool + +- name: Fail when using also using Synapse + fail: + msg: "To use Dendrite as your matrix server, you should disable Synapse." + when: "matrix_dendrite_enabled and matrix_synapse_enabled" diff --git a/roles/matrix-dendrite/tasks/main.yml b/roles/matrix-dendrite/tasks/main.yml new file mode 100644 index 00000000..a5237442 --- /dev/null +++ b/roles/matrix-dendrite/tasks/main.yml @@ -0,0 +1,50 @@ +- import_tasks: "{{ role_path }}/tasks/init.yml" + tags: + - always + +- import_tasks: "{{ role_path }}/tasks/validate_config.yml" + when: run_setup|bool + tags: + - setup-all + - setup-dendrite + +- import_tasks: "{{ role_path }}/tasks/setup_dendrite.yml" + when: run_setup|bool + tags: + - setup-all + - setup-dendrite + +- import_tasks: "{{ role_path }}/tasks/import_media_store.yml" + when: run_dendrite_import_media_store|bool + tags: + - import-dendrite-media-store + +- import_tasks: "{{ role_path }}/tasks/register_user.yml" + when: run_dendrite_register_user|bool + tags: + - register-user + +- import_tasks: "{{ role_path }}/tasks/self_check_client_api.yml" + delegate_to: 127.0.0.1 + become: false + when: run_self_check|bool + tags: + - self-check + +- import_tasks: "{{ role_path }}/tasks/self_check_federation_api.yml" + delegate_to: 127.0.0.1 + become: false + when: run_self_check|bool + tags: + - self-check + +- import_tasks: "{{ role_path }}/tasks/update_user_password.yml" + when: run_dendrite_update_user_password|bool + tags: + - update-user-password + +- name: Mark matrix-dendrite role as executed + set_fact: + matrix_dendrite_role_executed: true + tags: + - always diff --git a/roles/matrix-dendrite/tasks/register_user.yml b/roles/matrix-dendrite/tasks/register_user.yml new file mode 100644 index 00000000..099d57e9 --- /dev/null +++ b/roles/matrix-dendrite/tasks/register_user.yml @@ -0,0 +1,25 @@ +--- +- name: Fail if playbook called incorrectly + fail: + msg: "The `username` variable needs to be provided to this playbook, via --extra-vars" + when: "username is not defined or username == ''" + +- name: Fail if playbook called incorrectly + fail: + msg: "The `password` variable needs to be provided to this playbook, via --extra-vars" + when: "password is not defined or password == ''" + +- name: Ensure matrix-dendrite is started + service: + name: matrix-dendrite + state: started + daemon_reload: yes + register: start_result + +- name: Wait a while, so that Dendrite can manage to start + pause: + seconds: 7 + when: "start_result.changed" + +- name: Register user + command: "{{ matrix_local_bin_path }}/matrix-dendrite-create-account {{ username|quote }} {{ password|quote }}" diff --git a/roles/matrix-dendrite/tasks/self_check_client_api.yml b/roles/matrix-dendrite/tasks/self_check_client_api.yml new file mode 100644 index 00000000..d3fb1f0d --- /dev/null +++ b/roles/matrix-dendrite/tasks/self_check_client_api.yml @@ -0,0 +1,20 @@ +--- +- name: Check Matrix Client API + uri: + url: "{{ matrix_dendrite_client_api_url_endpoint_public }}" + follow_redirects: none + validate_certs: "{{ matrix_dendrite_self_check_validate_certificates }}" + register: result_matrix_dendrite_client_api + ignore_errors: true + check_mode: no + when: matrix_dendrite_enabled|bool + +- name: Fail if Matrix Client API not working + fail: + msg: "Failed checking Matrix Client API is up at `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ matrix_dendrite_client_api_url_endpoint_public }}`). Is Dendrite running? Is port 443 open in your firewall? Full error: {{ result_matrix_dendrite_client_api }}" + when: "matrix_dendrite_enabled|bool and (result_matrix_dendrite_client_api.failed or 'json' not in result_matrix_dendrite_client_api)" + +- name: Report working Matrix Client API + debug: + msg: "The Matrix Client API at `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ matrix_dendrite_client_api_url_endpoint_public }}`) is working" + when: matrix_dendrite_enabled|bool diff --git a/roles/matrix-dendrite/tasks/self_check_federation_api.yml b/roles/matrix-dendrite/tasks/self_check_federation_api.yml new file mode 100644 index 00000000..f11601d7 --- /dev/null +++ b/roles/matrix-dendrite/tasks/self_check_federation_api.yml @@ -0,0 +1,25 @@ +--- +- name: Check Matrix Federation API + uri: + url: "{{ matrix_dendrite_federation_api_url_endpoint_public }}" + follow_redirects: none + validate_certs: "{{ matrix_dendrite_self_check_validate_certificates }}" + register: result_matrix_dendrite_federation_api + ignore_errors: true + check_mode: no + when: matrix_dendrite_enabled|bool + +- name: Fail if Matrix Federation API not working + fail: + msg: "Failed checking Matrix Federation API is up at `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ matrix_dendrite_federation_api_url_endpoint_public }}`). Is Dendrite running? Is port {{ matrix_federation_public_port }} open in your firewall? Full error: {{ result_matrix_dendrite_federation_api }}" + when: "matrix_dendrite_enabled|bool and matrix_dendrite_federation_enabled|bool and (result_matrix_dendrite_federation_api.failed or 'json' not in result_matrix_dendrite_federation_api)" + +- name: Fail if Matrix Federation API unexpectedly enabled + fail: + msg: "Matrix Federation API is up at `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ matrix_dendrite_federation_api_url_endpoint_public }}`) despite being disabled." + when: "matrix_dendrite_enabled|bool and not matrix_dendrite_federation_enabled|bool and not result_matrix_dendrite_federation_api.failed" + +- name: Report working Matrix Federation API + debug: + msg: "The Matrix Federation API at `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ matrix_dendrite_federation_api_url_endpoint_public }}`) is working" + when: "matrix_dendrite_enabled|bool and matrix_dendrite_federation_enabled|bool" diff --git a/roles/matrix-dendrite/tasks/setup_dendrite.yml b/roles/matrix-dendrite/tasks/setup_dendrite.yml new file mode 100644 index 00000000..920ca184 --- /dev/null +++ b/roles/matrix-dendrite/tasks/setup_dendrite.yml @@ -0,0 +1,19 @@ +--- +- name: Ensure Dendrite paths exist + file: + path: "{{ item.path }}" + state: directory + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: + - { path: "{{ matrix_dendrite_config_dir_path }}", when: true } + - { path: "{{ matrix_dendrite_ext_path }}", when: true } + # We handle matrix_dendrite_media_store_path elsewhere (in ./dendrite/setup_install.yml), + # because if it's using Goofys and it's already mounted (from before), + # trying to chown/chmod it here will cause trouble. + when: "(matrix_dendrite_enabled|bool or matrix_s3_media_store_enabled|bool) and item.when" + +- import_tasks: "{{ role_path }}/tasks/dendrite/setup.yml" + +- import_tasks: "{{ role_path }}/tasks/goofys/setup.yml" diff --git a/roles/matrix-dendrite/tasks/update_user_password.yml b/roles/matrix-dendrite/tasks/update_user_password.yml new file mode 100644 index 00000000..5fbd23c2 --- /dev/null +++ b/roles/matrix-dendrite/tasks/update_user_password.yml @@ -0,0 +1,41 @@ +--- +- name: Fail if playbook called incorrectly + fail: + msg: "The `username` variable needs to be provided to this playbook, via --extra-vars" + when: "username is not defined or username == ''" + +- name: Fail if playbook called incorrectly + fail: + msg: "The `password` variable needs to be provided to this playbook, via --extra-vars" + when: "password is not defined or password == ''" + +- name: Fail if not using matrix-postgres container + fail: + msg: "This command is working only when matrix-postgres container is being used" + when: "not matrix_postgres_enabled|bool" + +- name: Ensure matrix-dendrite is started + service: + name: matrix-dendrite + state: started + daemon_reload: yes + register: start_result + +- name: Ensure matrix-postgres is started + service: + name: matrix-postgres + state: started + daemon_reload: yes + register: postgres_start_result + +- name: Wait a while, so that Matrix Dendrite can manage to start + pause: + seconds: 7 + when: "start_result.changed or postgres_start_result.changed" + +- name: Generate password hash + shell: "{{ matrix_host_command_docker }} exec matrix-dendrite /usr/local/bin/hash_password -c /data/homeserver.yaml -p {{ password|quote }}" + register: password_hash + +- name: Update user password hash + command: "{{ matrix_local_bin_path }}/matrix-postgres-update-user-password-hash {{ username|quote }} {{ password_hash.stdout|quote }}" diff --git a/roles/matrix-dendrite/tasks/validate_config.yml b/roles/matrix-dendrite/tasks/validate_config.yml new file mode 100644 index 00000000..8c7ee4d2 --- /dev/null +++ b/roles/matrix-dendrite/tasks/validate_config.yml @@ -0,0 +1,16 @@ +--- +- name: Fail if required Dendrite settings not defined + fail: + msg: >- + You need to define a required configuration setting (`{{ item }}`) for using Dendrite. + when: "vars[item] == ''" + with_items: + - "matrix_dendrite_macaroon_secret_key" + +- name: (Deprecation) Catch and report renamed settings + fail: + msg: >- + Your configuration contains a variable, which now has a different name. + Please change your configuration to rename the variable (`{{ item.old }}` -> `{{ item.new }}`). + when: "item.old in vars" + with_items: [] diff --git a/roles/matrix-dendrite/templates/dendrite/dendrite.yaml.j2 b/roles/matrix-dendrite/templates/dendrite/dendrite.yaml.j2 new file mode 100644 index 00000000..2ec6c088 --- /dev/null +++ b/roles/matrix-dendrite/templates/dendrite/dendrite.yaml.j2 @@ -0,0 +1,342 @@ +# This is the Dendrite configuration file. +# +# The configuration is split up into sections - each Dendrite component has a +# configuration section, in addition to the "global" section which applies to +# all components. +# +# At a minimum, to get started, you will need to update the settings in the +# "global" section for your deployment, and you will need to check that the +# database "connection_string" line in each component section is correct. +# +# Each component with a "database" section can accept the following formats +# for "connection_string": +# SQLite: file:filename.db +# file:///path/to/filename.db +# PostgreSQL: postgresql://user:pass@hostname/database?params=... +# +# SQLite is embedded into Dendrite and therefore no further prerequisites are +# needed for the database when using SQLite mode. However, performance with +# PostgreSQL is significantly better and recommended for multi-user deployments. +# SQLite is typically around 20-30% slower than PostgreSQL when tested with a +# small number of users and likely will perform worse still with a higher volume +# of users. +# +# The "max_open_conns" and "max_idle_conns" settings configure the maximum +# number of open/idle database connections. The value 0 will use the database +# engine default, and a negative value will use unlimited connections. The +# "conn_max_lifetime" option controls the maximum length of time a database +# connection can be idle in seconds - a negative value is unlimited. + +# The version of the configuration file. +version: 1 + +# Global Matrix configuration. This configuration applies to all components. +global: + # The domain name of this homeserver. + server_name: {{ matrix_domain }} + + # The path to the signing private key file, used to sign requests and events. + private_key: "/data/{{ matrix_server_fqn_matrix }}.signing.pem" + + # The paths and expiry timestamps (as a UNIX timestamp in millisecond precision) + # to old signing private keys that were formerly in use on this domain. These + # keys will not be used for federation request or event signing, but will be + # provided to any other homeserver that asks when trying to verify old events. + # old_private_keys: + # - private_key: old_matrix_key.pem + # expired_at: 1601024554498 + + # How long a remote server can cache our server signing key before requesting it + # again. Increasing this number will reduce the number of requests made by other + # servers for our key but increases the period that a compromised key will be + # considered valid by other homeservers. + key_validity_period: 168h0m0s + + # Lists of domains that the server will trust as identity servers to verify third + # party identifiers such as phone numbers and email addresses. + trusted_third_party_id_servers: {{ matrix_dendrite_trusted_id_servers|to_json }} + + # Configuration for Kafka/Naffka. + kafka: + # List of Kafka broker addresses to connect to. This is not needed if using + # Naffka in monolith mode. + addresses: + - kafka:9092 + + # The prefix to use for Kafka topic names for this homeserver. Change this only if + # you are running more than one Dendrite homeserver on the same Kafka deployment. + topic_prefix: Dendrite + + # Whether to use Naffka instead of Kafka. This is only available in monolith + # mode, but means that you can run a single-process server without requiring + # Kafka. + use_naffka: true + + # Naffka database options. Not required when using Kafka. + naffka_database: + connection_string: {{ matrix_dendrite_database_str }}/{{ matrix_dendrite_naffka_database }}?sslmode=disable + max_open_conns: 10 + max_idle_conns: 2 + conn_max_lifetime: -1 + + # Configuration for Prometheus metric collection. + metrics: + # Whether or not Prometheus metrics are enabled. + enabled: {{ matrix_dendrite_metrics_enabled }} + + # HTTP basic authentication to protect access to monitoring. + basic_auth: + username: {{ matrix_dendrite_metrics_username }} + password: {{ matrix_dendrite_metrics_password }} + + # DNS cache options. The DNS cache may reduce the load on DNS servers + # if there is no local caching resolver available for use. + dns_cache: + # Whether or not the DNS cache is enabled. + enabled: false + + # Maximum number of entries to hold in the DNS cache, and + # for how long those items should be considered valid in seconds. + cache_size: 256 + cache_lifetime: 300 + +# Configuration for the Appservice API. +app_service_api: + internal_api: + listen: http://0.0.0.0:7777 + connect: http://appservice_api:7777 + database: + connection_string: {{ matrix_dendrite_database_str }}/{{ matrix_dendrite_appservice_database }}?sslmode=disable + max_open_conns: 10 + max_idle_conns: 2 + conn_max_lifetime: -1 + + # Appservice configuration files to load into this homeserver. + config_files: {{ matrix_dendrite_app_service_config_files|to_json }} + +# Configuration for the Client API. +client_api: + internal_api: + listen: http://0.0.0.0:7771 + connect: http://client_api:7771 + external_api: + listen: http://0.0.0.0:8071 + + # Prevents new users from being able to register on this homeserver, except when + # using the registration shared secret below. + registration_disabled: {{ matrix_dendrite_registration_disabled|to_json }} + + # If set, allows registration by anyone who knows the shared secret, regardless of + # whether registration is otherwise disabled. + registration_shared_secret: {{ matrix_dendrite_registration_shared_secret|string|to_json }} + + # Whether to require reCAPTCHA for registration. + enable_registration_captcha: {{ matrix_dendrite_enable_registration_captcha|to_json }} + + # Settings for ReCAPTCHA. + recaptcha_public_key: {{ matrix_dendrite_recaptcha_public_key|to_json }} + recaptcha_private_key: {{ matrix_dendrite_recaptcha_private_key|to_json }} + recaptcha_bypass_secret: "" + recaptcha_siteverify_api: "" + + # TURN server information that this homeserver should send to clients. + turn: + turn_user_lifetime: "" + turn_uris: {{ matrix_dendrite_turn_uris|to_json }} + turn_shared_secret: {{ matrix_dendrite_turn_shared_secret|to_json }} + turn_username: "" + turn_password: "" + + # Settings for rate-limited endpoints. Rate limiting will kick in after the + # threshold number of "slots" have been taken by requests from a specific + # host. Each "slot" will be released after the cooloff time in milliseconds. + rate_limiting: + enabled: {{ matrix_dendrite_rate_limiting_enabled|to_json }} + threshold: {{ matrix_dendrite_rate_limiting_threshold|to_json }} + cooloff_ms: {{ matrix_dendrite_rate_limiting_cooloff_ms|to_json }} + +# Configuration for the EDU server. +edu_server: + internal_api: + listen: http://0.0.0.0:7778 + connect: http://edu_server:7778 + +# Configuration for the Federation API. +federation_api: + internal_api: + listen: http://0.0.0.0:7772 + connect: http://federation_api:7772 + external_api: + listen: http://0.0.0.0:8072 + + # List of paths to X.509 certificates to be used by the external federation listeners. + # These certificates will be used to calculate the TLS fingerprints and other servers + # will expect the certificate to match these fingerprints. Certificates must be in PEM + # format. + federation_certificates: [] + +# Configuration for the Federation Sender. +federation_sender: + internal_api: + listen: http://0.0.0.0:7775 + connect: http://federation_sender:7775 + database: + connection_string: {{ matrix_dendrite_database_str }}/{{ matrix_dendrite_federationsender_database }}?sslmode=disable + max_open_conns: 10 + max_idle_conns: 2 + conn_max_lifetime: -1 + + # How many times we will try to resend a failed transaction to a specific server. The + # backoff is 2**x seconds, so 1 = 2 seconds, 2 = 4 seconds, 3 = 8 seconds etc. + send_max_retries: 16 + + # Disable the validation of TLS certificates of remote federated homeservers. Do not + # enable this option in production as it presents a security risk! + disable_tls_validation: {{ matrix_dendrite_disable_tls_validation }} + + # Use the following proxy server for outbound federation traffic. + proxy_outbound: + enabled: false + protocol: http + host: localhost + port: 8080 + +# Configuration for the Key Server (for end-to-end encryption). +key_server: + internal_api: + listen: http://0.0.0.0:7779 + connect: http://key_server:7779 + database: + connection_string: {{ matrix_dendrite_database_str }}/{{ matrix_dendrite_keyserver_database }}?sslmode=disable + max_open_conns: 10 + max_idle_conns: 2 + conn_max_lifetime: -1 + +# Configuration for the Media API. +media_api: + internal_api: + listen: http://0.0.0.0:7774 + connect: http://media_api:7774 + external_api: + listen: http://0.0.0.0:8074 + database: + connection_string: {{ matrix_dendrite_database_str }}/{{ matrix_dendrite_mediaapi_database }}?sslmode=disable + max_open_conns: 10 + max_idle_conns: 2 + conn_max_lifetime: -1 + + # Storage path for uploaded media. May be relative or absolute. + base_path: "/matrix-media-store-parent/{{ matrix_dendrite_media_store_directory_name }}" + + # The maximum allowed file size (in bytes) for media uploads to this homeserver + # (0 = unlimited). + max_file_size_bytes: {{ matrix_dendrite_max_file_size_bytes }} + + # Whether to dynamically generate thumbnails if needed. + dynamic_thumbnails: false + + # The maximum number of simultaneous thumbnail generators to run. + max_thumbnail_generators: 10 + + # A list of thumbnail sizes to be generated for media content. + thumbnail_sizes: + - width: 32 + height: 32 + method: crop + - width: 96 + height: 96 + method: crop + - width: 640 + height: 480 + method: scale + +# Configuration for the Room Server. +room_server: + internal_api: + listen: http://0.0.0.0:7770 + connect: http://room_server:7770 + database: + connection_string: {{ matrix_dendrite_database_str }}/{{ matrix_dendrite_room_database }}?sslmode=disable + max_open_conns: 10 + max_idle_conns: 2 + conn_max_lifetime: -1 + +# Configuration for the Server Key API (for server signing keys). +signing_key_server: + internal_api: + listen: http://0.0.0.0:7780 + connect: http://signing_key_server:7780 + database: + connection_string: {{ matrix_dendrite_database_str }}/{{ matrix_dendrite_singingkeyserver_database }}?sslmode=disable + max_open_conns: 10 + max_idle_conns: 2 + conn_max_lifetime: -1 + + # Perspective keyservers to use as a backup when direct key fetches fail. This may + # be required to satisfy key requests for servers that are no longer online when + # joining some rooms. + key_perspectives: + - server_name: matrix.org + keys: + - key_id: ed25519:auto + public_key: Noi6WqcDj0QmPxCNQqgezwTlBKrfqehY1u2FyWP9uYw + - key_id: ed25519:a_RXGa + public_key: l8Hft5qXKn1vfHrg3p4+W8gELQVo8N13JkluMfmn2sQ + + # This option will control whether Dendrite will prefer to look up keys directly + # or whether it should try perspective servers first, using direct fetches as a + # last resort. + prefer_direct_fetch: false + +# Configuration for the Sync API. +sync_api: + internal_api: + listen: http://0.0.0.0:7773 + connect: http://sync_api:7773 + external_api: + listen: http://0.0.0.0:8073 + database: + connection_string: {{ matrix_dendrite_database_str }}/{{ matrix_dendrite_syncapi_database }}?sslmode=disable + max_open_conns: 10 + max_idle_conns: 2 + conn_max_lifetime: -1 + +# Configuration for the User API. +user_api: + internal_api: + listen: http://0.0.0.0:7781 + connect: http://user_api:7781 + account_database: + connection_string: {{ matrix_dendrite_database_str }}/{{ matrix_dendrite_account_database }}?sslmode=disable + max_open_conns: 10 + max_idle_conns: 2 + conn_max_lifetime: -1 + device_database: + connection_string: {{ matrix_dendrite_database_str }}/{{ matrix_dendrite_device_database }}?sslmode=disable + max_open_conns: 10 + max_idle_conns: 2 + conn_max_lifetime: -1 + +# Configuration for Opentracing. +# See https://github.com/matrix-org/dendrite/tree/master/docs/tracing for information on +# how this works and how to set it up. +tracing: + enabled: false + jaeger: + serviceName: "" + disabled: false + rpc_metrics: false + tags: [] + sampler: null + reporter: null + headers: null + baggage_restrictions: null + throttler: null + +# Logging configuration, in addition to the standard logging that is sent to +# stdout by Dendrite. +logging: +- type: file + level: {{ matrix_dendrite_log_level }} + params: + path: /var/log/dendrite diff --git a/roles/matrix-dendrite/templates/dendrite/homeserver.yaml.j2 b/roles/matrix-dendrite/templates/dendrite/homeserver.yaml.j2 new file mode 100644 index 00000000..fe28779c --- /dev/null +++ b/roles/matrix-dendrite/templates/dendrite/homeserver.yaml.j2 @@ -0,0 +1,2682 @@ +#jinja2: lstrip_blocks: "True" +# Configuration file for Synapse. +# +# This is a YAML file: see [1] for a quick introduction. Note in particular +# that *indentation is important*: all the elements of a list or dictionary +# should have the same indentation. +# +# [1] https://docs.ansible.com/ansible/latest/reference_appendices/YAMLSyntax.html + +## Server ## + +# The public-facing domain of the server +# +# The server_name name will appear at the end of usernames and room addresses +# created on this server. For example if the server_name was example.com, +# usernames on this server would be in the format @user:example.com +# +# In most cases you should avoid using a matrix specific subdomain such as +# matrix.example.com or synapse.example.com as the server_name for the same +# reasons you wouldn't use user@email.example.com as your email address. +# See https://github.com/matrix-org/synapse/blob/master/docs/delegate.md +# for information on how to host Synapse on a subdomain while preserving +# a clean server_name. +# +# The server_name cannot be changed later so it is important to +# configure this correctly before you start Synapse. It should be all +# lowercase and may contain an explicit port. +# Examples: matrix.org, localhost:8080 +# +server_name: "{{ matrix_domain }}" + +# When running as a daemon, the file to store the pid in +# +pid_file: /homeserver.pid + +# The absolute URL to the web client which /_matrix/client will redirect +# to if 'webclient' is configured under the 'listeners' configuration. +# +# This option can be also set to the filesystem path to the web client +# which will be served at /_matrix/client/ if 'webclient' is configured +# under the 'listeners' configuration, however this is a security risk: +# https://github.com/matrix-org/synapse#security-note +# +#web_client_location: https://riot.example.com/ + +# The public-facing base URL that clients use to access this HS +# (not including _matrix/...). This is the same URL a user would +# enter into the 'custom HS URL' field on their client. If you +# use synapse with a reverse proxy, this should be the URL to reach +# synapse via the proxy. +# +public_baseurl: https://{{ matrix_server_fqn_matrix }}/ + +# Set the soft limit on the number of file descriptors synapse can use +# Zero is used to indicate synapse should set the soft limit to the +# hard limit. +# +#soft_file_limit: 0 + +# Set to false to disable presence tracking on this homeserver. +# +use_presence: {{ matrix_synapse_use_presence|to_json }} + +# Whether to require authentication to retrieve profile data (avatars, +# display names) of other users through the client API. Defaults to +# 'false'. Note that profile data is also available via the federation +# API, so this setting is of limited value if federation is enabled on +# the server. +# +#require_auth_for_profile_requests: true + +# Uncomment to require a user to share a room with another user in order +# to retrieve their profile information. Only checked on Client-Server +# requests. Profile requests from other servers should be checked by the +# requesting server. Defaults to 'false'. +# +#limit_profile_requests_to_users_who_share_rooms: true + +# If set to 'true', removes the need for authentication to access the server's +# public rooms directory through the client API, meaning that anyone can +# query the room directory. Defaults to 'false'. +# +allow_public_rooms_without_auth: {{ matrix_synapse_allow_public_rooms_without_auth|to_json }} + +# If set to 'true', allows any other homeserver to fetch the server's public +# rooms directory via federation. Defaults to 'false'. +# +allow_public_rooms_over_federation: {{ matrix_synapse_allow_public_rooms_over_federation|to_json }} + +# The default room version for newly created rooms. +# +# Known room versions are listed here: +# https://matrix.org/docs/spec/#complete-list-of-room-versions +# +# For example, for room version 1, default_room_version should be set +# to "1". +# +default_room_version: {{ matrix_synapse_default_room_version|to_json }} + +# The GC threshold parameters to pass to `gc.set_threshold`, if defined +# +#gc_thresholds: [700, 10, 10] + +# Set the limit on the returned events in the timeline in the get +# and sync operations. The default value is 100. -1 means no upper limit. +# +# Uncomment the following to increase the limit to 5000. +# +#filter_timeline_limit: 5000 + +# Whether room invites to users on this server should be blocked +# (except those sent by local server admins). The default is False. +# +#block_non_admin_invites: True + +# Room searching +# +# If disabled, new messages will not be indexed for searching and users +# will receive errors when searching for messages. Defaults to enabled. +# +#enable_search: false + +# Prevent outgoing requests from being sent to the following blacklisted IP address +# CIDR ranges. If this option is not specified then it defaults to private IP +# address ranges (see the example below). +# +# The blacklist applies to the outbound requests for federation, identity servers, +# push servers, and for checking key validity for third-party invite events. +# +# (0.0.0.0 and :: are always blacklisted, whether or not they are explicitly +# listed here, since they correspond to unroutable addresses.) +# +# This option replaces federation_ip_range_blacklist in Synapse v1.25.0. +# +#ip_range_blacklist: +# - '127.0.0.0/8' +# - '10.0.0.0/8' +# - '172.16.0.0/12' +# - '192.168.0.0/16' +# - '100.64.0.0/10' +# - '192.0.0.0/24' +# - '169.254.0.0/16' +# - '198.18.0.0/15' +# - '192.0.2.0/24' +# - '198.51.100.0/24' +# - '203.0.113.0/24' +# - '224.0.0.0/4' +# - '::1/128' +# - 'fe80::/10' +# - 'fc00::/7' + +# List of IP address CIDR ranges that should be allowed for federation, +# identity servers, push servers, and for checking key validity for +# third-party invite events. This is useful for specifying exceptions to +# wide-ranging blacklisted target IP ranges - e.g. for communication with +# a push server only visible in your network. +# +# This whitelist overrides ip_range_blacklist and defaults to an empty +# list. +# +#ip_range_whitelist: +# - '192.168.1.1' + +# List of ports that Synapse should listen on, their purpose and their +# configuration. +# +# Options for each listener include: +# +# port: the TCP port to bind to +# +# bind_addresses: a list of local addresses to listen on. The default is +# 'all local interfaces'. +# +# type: the type of listener. Normally 'http', but other valid options are: +# 'manhole' (see docs/manhole.md), +# 'metrics' (see docs/metrics-howto.md), +# 'replication' (see docs/workers.md). +# +# tls: set to true to enable TLS for this listener. Will use the TLS +# key/cert specified in tls_private_key_path / tls_certificate_path. +# +# x_forwarded: Only valid for an 'http' listener. Set to true to use the +# X-Forwarded-For header as the client IP. Useful when Synapse is +# behind a reverse-proxy. +# +# resources: Only valid for an 'http' listener. A list of resources to host +# on this port. Options for each resource are: +# +# names: a list of names of HTTP resources. See below for a list of +# valid resource names. +# +# compress: set to true to enable HTTP compression for this resource. +# +# additional_resources: Only valid for an 'http' listener. A map of +# additional endpoints which should be loaded via dynamic modules. +# +# Valid resource names are: +# +# client: the client-server API (/_matrix/client), and the synapse admin +# API (/_synapse/admin). Also implies 'media' and 'static'. +# +# consent: user consent forms (/_matrix/consent). See +# docs/consent_tracking.md. +# +# federation: the server-server API (/_matrix/federation). Also implies +# 'media', 'keys', 'openid' +# +# keys: the key discovery API (/_matrix/keys). +# +# media: the media API (/_matrix/media). +# +# metrics: the metrics interface. See docs/metrics-howto.md. +# +# openid: OpenID authentication. +# +# replication: the HTTP replication API (/_synapse/replication). See +# docs/workers.md. +# +# static: static resources under synapse/static (/_matrix/static). (Mostly +# useful for 'fallback authentication'.) +# +# webclient: A web client. Requires web_client_location to be set. +# +listeners: +{% if matrix_synapse_metrics_enabled %} + - type: metrics + port: {{ matrix_synapse_metrics_port }} + bind_addresses: + - '0.0.0.0' +{% endif %} + +{% if matrix_synapse_federation_port_enabled and matrix_synapse_tls_federation_listener_enabled %} + # TLS-enabled listener: for when matrix traffic is sent directly to synapse. + - port: 8448 + tls: true + bind_addresses: ['::'] + type: http + x_forwarded: false + + resources: + - names: {{ matrix_synapse_federation_listener_resource_names|to_json }} + compress: false +{% endif %} + + # Unsecure HTTP listener (Client API): for when matrix traffic passes through a reverse proxy + # that unwraps TLS. + - port: 8008 + tls: false + bind_addresses: ['::'] + type: http + x_forwarded: true + + resources: + - names: {{ matrix_synapse_http_listener_resource_names|to_json }} + compress: false + +{% if matrix_synapse_federation_port_enabled %} + # Unsecure HTTP listener (Federation API): for when matrix traffic passes through a reverse proxy + # that unwraps TLS. + - port: 8048 + tls: false + bind_addresses: ['::'] + type: http + x_forwarded: true + + resources: + - names: {{ matrix_synapse_federation_listener_resource_names|to_json }} + compress: false +{% endif %} + +{% if matrix_synapse_manhole_enabled %} + # Turn on the twisted ssh manhole service on localhost on the given + # port. + - port: 9000 + bind_addresses: ['0.0.0.0'] + type: manhole +{% endif %} + + +# Forward extremities can build up in a room due to networking delays between +# homeservers. Once this happens in a large room, calculation of the state of +# that room can become quite expensive. To mitigate this, once the number of +# forward extremities reaches a given threshold, Synapse will send an +# org.matrix.dummy_event event, which will reduce the forward extremities +# in the room. +# +# This setting defines the threshold (i.e. number of forward extremities in the +# room) at which dummy events are sent. The default value is 10. +# +#dummy_events_threshold: 5 + + +## Homeserver blocking ## + +# How to reach the server admin, used in ResourceLimitError +# +#admin_contact: 'mailto:admin@server.com' + +# Global blocking +# +#hs_disabled: False +#hs_disabled_message: 'Human readable reason for why the HS is blocked' +#hs_disabled_limit_type: 'error code(str), to help clients decode reason' + +# Monthly Active User Blocking +# +# Used in cases where the admin or server owner wants to limit to the +# number of monthly active users. +# +# 'limit_usage_by_mau' disables/enables monthly active user blocking. When +# enabled and a limit is reached the server returns a 'ResourceLimitError' +# with error type Codes.RESOURCE_LIMIT_EXCEEDED +# +# 'max_mau_value' is the hard limit of monthly active users above which +# the server will start blocking user actions. +# +# 'mau_trial_days' is a means to add a grace period for active users. It +# means that users must be active for this number of days before they +# can be considered active and guards against the case where lots of users +# sign up in a short space of time never to return after their initial +# session. +# +#limit_usage_by_mau: False +#max_mau_value: 50 +#mau_trial_days: 2 + +# If enabled, the metrics for the number of monthly active users will +# be populated, however no one will be limited. If limit_usage_by_mau +# is true, this is implied to be true. +# +#mau_stats_only: False + +# Sometimes the server admin will want to ensure certain accounts are +# never blocked by mau checking. These accounts are specified here. +# +#mau_limit_reserved_threepids: +# - medium: 'email' +# address: 'reserved_user@example.com' + +# Used by phonehome stats to group together related servers. +#server_context: context + +# Resource-constrained homeserver settings +# +# When this is enabled, the room "complexity" will be checked before a user +# joins a new remote room. If it is above the complexity limit, the server will +# disallow joining, or will instantly leave. +# +# Room complexity is an arbitrary measure based on factors such as the number of +# users in the room. +# +limit_remote_rooms: + # Uncomment to enable room complexity checking. + # + #enabled: true + + # the limit above which rooms cannot be joined. The default is 1.0. + # + #complexity: 0.5 + + # override the error which is returned when the room is too complex. + # + #complexity_error: "This room is too complex." + + # allow server admins to join complex rooms. Default is false. + # + #admins_can_join: true + +# Whether to require a user to be in the room to add an alias to it. +# Defaults to 'true'. +# +#require_membership_for_aliases: false + +# Whether to allow per-room membership profiles through the send of membership +# events with profile information that differ from the target's global profile. +# Defaults to 'true'. +# +#allow_per_room_profiles: false + +# How long to keep redacted events in unredacted form in the database. After +# this period redacted events get replaced with their redacted form in the DB. +# +# Defaults to `7d`. Set to `null` to disable. +# +#redaction_retention_period: 28d + +redaction_retention_period: {{ matrix_synapse_redaction_retention_period }} + +# How long to track users' last seen time and IPs in the database. +# +# Defaults to `28d`. Set to `null` to disable clearing out of old rows. +# +#user_ips_max_age: 14d + +user_ips_max_age: {{ matrix_synapse_user_ips_max_age }} + +# Message retention policy at the server level. +# +# Room admins and mods can define a retention period for their rooms using the +# 'm.room.retention' state event, and server admins can cap this period by setting +# the 'allowed_lifetime_min' and 'allowed_lifetime_max' config options. +# +# If this feature is enabled, Synapse will regularly look for and purge events +# which are older than the room's maximum retention period. Synapse will also +# filter events received over federation so that events that should have been +# purged are ignored and not stored again. +# +retention: + # The message retention policies feature is disabled by default. Uncomment the + # following line to enable it. + # + #enabled: true + + # Default retention policy. If set, Synapse will apply it to rooms that lack the + # 'm.room.retention' state event. Currently, the value of 'min_lifetime' doesn't + # matter much because Synapse doesn't take it into account yet. + # + #default_policy: + # min_lifetime: 1d + # max_lifetime: 1y + + # Retention policy limits. If set, and the state of a room contains a + # 'm.room.retention' event in its state which contains a 'min_lifetime' or a + # 'max_lifetime' that's out of these bounds, Synapse will cap the room's policy + # to these limits when running purge jobs. + # + #allowed_lifetime_min: 1d + #allowed_lifetime_max: 1y + + # Server admins can define the settings of the background jobs purging the + # events which lifetime has expired under the 'purge_jobs' section. + # + # If no configuration is provided, a single job will be set up to delete expired + # events in every room daily. + # + # Each job's configuration defines which range of message lifetimes the job + # takes care of. For example, if 'shortest_max_lifetime' is '2d' and + # 'longest_max_lifetime' is '3d', the job will handle purging expired events in + # rooms whose state defines a 'max_lifetime' that's both higher than 2 days, and + # lower than or equal to 3 days. Both the minimum and the maximum value of a + # range are optional, e.g. a job with no 'shortest_max_lifetime' and a + # 'longest_max_lifetime' of '3d' will handle every room with a retention policy + # which 'max_lifetime' is lower than or equal to three days. + # + # The rationale for this per-job configuration is that some rooms might have a + # retention policy with a low 'max_lifetime', where history needs to be purged + # of outdated messages on a more frequent basis than for the rest of the rooms + # (e.g. every 12h), but not want that purge to be performed by a job that's + # iterating over every room it knows, which could be heavy on the server. + # + # If any purge job is configured, it is strongly recommended to have at least + # a single job with neither 'shortest_max_lifetime' nor 'longest_max_lifetime' + # set, or one job without 'shortest_max_lifetime' and one job without + # 'longest_max_lifetime' set. Otherwise some rooms might be ignored, even if + # 'allowed_lifetime_min' and 'allowed_lifetime_max' are set, because capping a + # room's policy to these values is done after the policies are retrieved from + # Synapse's database (which is done using the range specified in a purge job's + # configuration). + # + #purge_jobs: + # - longest_max_lifetime: 3d + # interval: 12h + # - shortest_max_lifetime: 3d + # interval: 1d + +# Inhibits the /requestToken endpoints from returning an error that might leak +# information about whether an e-mail address is in use or not on this +# homeserver. +# Note that for some endpoints the error situation is the e-mail already being +# used, and for others the error is entering the e-mail being unused. +# If this option is enabled, instead of returning an error, these endpoints will +# act as if no error happened and return a fake session ID ('sid') to clients. +# +#request_token_inhibit_3pid_errors: true + +# A list of domains that the domain portion of 'next_link' parameters +# must match. +# +# This parameter is optionally provided by clients while requesting +# validation of an email or phone number, and maps to a link that +# users will be automatically redirected to after validation +# succeeds. Clients can make use this parameter to aid the validation +# process. +# +# The whitelist is applied whether the homeserver or an +# identity server is handling validation. +# +# The default value is no whitelist functionality; all domains are +# allowed. Setting this value to an empty list will instead disallow +# all domains. +# +#next_link_domain_whitelist: ["matrix.org"] + + +## TLS ## + +# PEM-encoded X509 certificate for TLS. +# This certificate, as of Synapse 1.0, will need to be a valid and verifiable +# certificate, signed by a recognised Certificate Authority. +# +# See 'ACME support' below to enable auto-provisioning this certificate via +# Let's Encrypt. +# +# If supplying your own, be sure to use a `.pem` file that includes the +# full certificate chain including any intermediate certificates (for +# instance, if using certbot, use `fullchain.pem` as your certificate, +# not `cert.pem`). +# +tls_certificate_path: {{ matrix_synapse_tls_certificate_path|to_json }} + +# PEM-encoded private key for TLS +# +tls_private_key_path: {{ matrix_synapse_tls_private_key_path|to_json }} + +# Whether to verify TLS server certificates for outbound federation requests. +# +# Defaults to `true`. To disable certificate verification, uncomment the +# following line. +# +#federation_verify_certificates: false + +# The minimum TLS version that will be used for outbound federation requests. +# +# Defaults to `1`. Configurable to `1`, `1.1`, `1.2`, or `1.3`. Note +# that setting this value higher than `1.2` will prevent federation to most +# of the public Matrix network: only configure it to `1.3` if you have an +# entirely private federation setup and you can ensure TLS 1.3 support. +# +#federation_client_minimum_tls_version: 1.2 + +# Skip federation certificate verification on the following whitelist +# of domains. +# +# This setting should only be used in very specific cases, such as +# federation over Tor hidden services and similar. For private networks +# of homeservers, you likely want to use a private CA instead. +# +# Only effective if federation_verify_certicates is `true`. +# +#federation_certificate_verification_whitelist: +# - lon.example.com +# - *.domain.com +# - *.onion + +# List of custom certificate authorities for federation traffic. +# +# This setting should only normally be used within a private network of +# homeservers. +# +# Note that this list will replace those that are provided by your +# operating environment. Certificates must be in PEM format. +# +#federation_custom_ca_list: +# - myCA1.pem +# - myCA2.pem +# - myCA3.pem + +# ACME support: This will configure Synapse to request a valid TLS certificate +# for your configured `server_name` via Let's Encrypt. +# +# Note that ACME v1 is now deprecated, and Synapse currently doesn't support +# ACME v2. This means that this feature currently won't work with installs set +# up after November 2019. For more info, and alternative solutions, see +# https://github.com/matrix-org/synapse/blob/master/docs/ACME.md#deprecation-of-acme-v1 +# +# Note that provisioning a certificate in this way requires port 80 to be +# routed to Synapse so that it can complete the http-01 ACME challenge. +# By default, if you enable ACME support, Synapse will attempt to listen on +# port 80 for incoming http-01 challenges - however, this will likely fail +# with 'Permission denied' or a similar error. +# +# There are a couple of potential solutions to this: +# +# * If you already have an Apache, Nginx, or similar listening on port 80, +# you can configure Synapse to use an alternate port, and have your web +# server forward the requests. For example, assuming you set 'port: 8009' +# below, on Apache, you would write: +# +# ProxyPass /.well-known/acme-challenge http://localhost:8009/.well-known/acme-challenge +# +# * Alternatively, you can use something like `authbind` to give Synapse +# permission to listen on port 80. +# +acme: + # ACME support is disabled by default. Uncomment the following line + # (and tls_certificate_path and tls_private_key_path above) to enable it. + # + #enabled: true + + # Endpoint to use to request certificates. If you only want to test, + # use Let's Encrypt's staging url: + # https://acme-staging.api.letsencrypt.org/directory + # + #url: https://acme-v01.api.letsencrypt.org/directory + + # Port number to listen on for the HTTP-01 challenge. Change this if + # you are forwarding connections through Apache/Nginx/etc. + # + #port: 80 + + # Local addresses to listen on for incoming connections. + # Again, you may want to change this if you are forwarding connections + # through Apache/Nginx/etc. + # + #bind_addresses: ['::', '0.0.0.0'] + + # How many days remaining on a certificate before it is renewed. + # + #reprovision_threshold: 30 + + # The domain that the certificate should be for. Normally this + # should be the same as your Matrix domain (i.e., 'server_name'), but, + # by putting a file at 'https:///.well-known/matrix/server', + # you can delegate incoming traffic to another server. If you do that, + # you should give the target of the delegation here. + # + # For example: if your 'server_name' is 'example.com', but + # 'https://example.com/.well-known/matrix/server' delegates to + # 'matrix.example.com', you should put 'matrix.example.com' here. + # + # If not set, defaults to your 'server_name'. + # + #domain: matrix.example.com + + # file to use for the account key. This will be generated if it doesn't + # exist. + # + # If unspecified, we will use CONFDIR/client.key. + # + #account_key_file: /data/acme_account.key + +# List of allowed TLS fingerprints for this server to publish along +# with the signing keys for this server. Other matrix servers that +# make HTTPS requests to this server will check that the TLS +# certificates returned by this server match one of the fingerprints. +# +# Synapse automatically adds the fingerprint of its own certificate +# to the list. So if federation traffic is handled directly by synapse +# then no modification to the list is required. +# +# If synapse is run behind a load balancer that handles the TLS then it +# will be necessary to add the fingerprints of the certificates used by +# the loadbalancers to this list if they are different to the one +# synapse is using. +# +# Homeservers are permitted to cache the list of TLS fingerprints +# returned in the key responses up to the "valid_until_ts" returned in +# key. It may be necessary to publish the fingerprints of a new +# certificate and wait until the "valid_until_ts" of the previous key +# responses have passed before deploying it. +# +# You can calculate a fingerprint from a given TLS listener via: +# openssl s_client -connect $host:$port < /dev/null 2> /dev/null | +# openssl x509 -outform DER | openssl sha256 -binary | base64 | tr -d '=' +# or by checking matrix.org/federationtester/api/report?server_name=$host +# +#tls_fingerprints: [{"sha256": ""}] + + +## Federation ## + +# Restrict federation to the following whitelist of domains. +# N.B. we recommend also firewalling your federation listener to limit +# inbound federation traffic as early as possible, rather than relying +# purely on this application-layer restriction. If not specified, the +# default is to whitelist everything. +# +#federation_domain_whitelist: +# - lon.example.com +# - nyc.example.com +# - syd.example.com +{% if matrix_synapse_federation_domain_whitelist is not none %} +{# Cannot use `|to_nice_yaml` here, as an empty list does not get serialized properly by it. #} +federation_domain_whitelist: {{ matrix_synapse_federation_domain_whitelist|to_json }} +{% endif %} + +# Report prometheus metrics on the age of PDUs being sent to and received from +# the following domains. This can be used to give an idea of "delay" on inbound +# and outbound federation, though be aware that any delay can be due to problems +# at either end or with the intermediate network. +# +# By default, no domains are monitored in this way. +# +#federation_metrics_domains: +# - matrix.org +# - example.com + + +## Caching ## + +# Caching can be configured through the following options. +# +# A cache 'factor' is a multiplier that can be applied to each of +# Synapse's caches in order to increase or decrease the maximum +# number of entries that can be stored. + +# The number of events to cache in memory. Not affected by +# caches.global_factor. +# +event_cache_size: "{{ matrix_synapse_event_cache_size }}" + +caches: + # Controls the global cache factor, which is the default cache factor + # for all caches if a specific factor for that cache is not otherwise + # set. + # + # This can also be set by the "SYNAPSE_CACHE_FACTOR" environment + # variable. Setting by environment variable takes priority over + # setting through the config file. + # + # Defaults to 0.5, which will half the size of all caches. + # + global_factor: {{ matrix_synapse_caches_global_factor }} + + # A dictionary of cache name to cache factor for that individual + # cache. Overrides the global cache factor for a given cache. + # + # These can also be set through environment variables comprised + # of "SYNAPSE_CACHE_FACTOR_" + the name of the cache in capital + # letters and underscores. Setting by environment variable + # takes priority over setting through the config file. + # Ex. SYNAPSE_CACHE_FACTOR_GET_USERS_WHO_SHARE_ROOM_WITH_USER=2.0 + # + # Some caches have '*' and other characters that are not + # alphanumeric or underscores. These caches can be named with or + # without the special characters stripped. For example, to specify + # the cache factor for `*stateGroupCache*` via an environment + # variable would be `SYNAPSE_CACHE_FACTOR_STATEGROUPCACHE=2.0`. + # + per_cache_factors: + #get_users_who_share_room_with_user: 2.0 + + +## Database ## + +database: + # The database engine name + name: "psycopg2" + args: + user: {{ matrix_synapse_database_user|string|to_json }} + password: {{ matrix_synapse_database_password|string|to_json }} + database: "{{ matrix_synapse_database_database }}" + host: "{{ matrix_synapse_database_host }}" + cp_min: 5 + cp_max: 10 + + +## Logging ## + +# A yaml python logging config file as described by +# https://docs.python.org/3.7/library/logging.config.html#configuration-dictionary-schema +# +log_config: "/data/{{ matrix_server_fqn_matrix }}.log.config" + + +## Ratelimiting ## + +# Ratelimiting settings for client actions (registration, login, messaging). +# +# Each ratelimiting configuration is made of two parameters: +# - per_second: number of requests a client can send per second. +# - burst_count: number of requests a client can send before being throttled. +# +# Synapse currently uses the following configurations: +# - one for messages that ratelimits sending based on the account the client +# is using +# - one for registration that ratelimits registration requests based on the +# client's IP address. +# - one for login that ratelimits login requests based on the client's IP +# address. +# - one for login that ratelimits login requests based on the account the +# client is attempting to log into. +# - one for login that ratelimits login requests based on the account the +# client is attempting to log into, based on the amount of failed login +# attempts for this account. +# - one for ratelimiting redactions by room admins. If this is not explicitly +# set then it uses the same ratelimiting as per rc_message. This is useful +# to allow room admins to deal with abuse quickly. +# - two for ratelimiting number of rooms a user can join, "local" for when +# users are joining rooms the server is already in (this is cheap) vs +# "remote" for when users are trying to join rooms not on the server (which +# can be more expensive) +# +# The defaults are as shown below. +# +#rc_message: +# per_second: 0.2 +# burst_count: 10 +rc_message: {{ matrix_synapse_rc_message|to_json }} +# +#rc_registration: +# per_second: 0.17 +# burst_count: 3 +rc_registration: {{ matrix_synapse_rc_registration|to_json }} +# +#rc_login: +# address: +# per_second: 0.17 +# burst_count: 3 +# account: +# per_second: 0.17 +# burst_count: 3 +# failed_attempts: +# per_second: 0.17 +# burst_count: 3 +rc_login: {{ matrix_synapse_rc_login|to_json }} +# +#rc_admin_redaction: +# per_second: 1 +# burst_count: 50 +# +#rc_joins: +# local: +# per_second: 0.1 +# burst_count: 3 +# remote: +# per_second: 0.01 +# burst_count: 3 + + +# Ratelimiting settings for incoming federation +# +# The rc_federation configuration is made up of the following settings: +# - window_size: window size in milliseconds +# - sleep_limit: number of federation requests from a single server in +# a window before the server will delay processing the request. +# - sleep_delay: duration in milliseconds to delay processing events +# from remote servers by if they go over the sleep limit. +# - reject_limit: maximum number of concurrent federation requests +# allowed from a single server +# - concurrent: number of federation requests to concurrently process +# from a single server +# +# The defaults are as shown below. +# +#rc_federation: +# window_size: 1000 +# sleep_limit: 10 +# sleep_delay: 500 +# reject_limit: 50 +# concurrent: 3 +rc_federation: {{ matrix_synapse_rc_federation|to_json }} + +# Target outgoing federation transaction frequency for sending read-receipts, +# per-room. +# +# If we end up trying to send out more read-receipts, they will get buffered up +# into fewer transactions. +# +#federation_rr_transactions_per_room_per_second: 50 +federation_rr_transactions_per_room_per_second: {{ matrix_synapse_federation_rr_transactions_per_room_per_second }} + + + +## Media Store ## + +# Enable the media store service in the Synapse master. Uncomment the +# following if you are using a separate media store worker. +# +#enable_media_repo: false + +# Directory where uploaded images and attachments are stored. +# +media_store_path: "/matrix-media-store-parent/{{ matrix_synapse_media_store_directory_name }}" + +# Media storage providers allow media to be stored in different +# locations. +# +#media_storage_providers: +# - module: file_system +# # Whether to store newly uploaded local files +# store_local: false +# # Whether to store newly downloaded remote files +# store_remote: false +# # Whether to wait for successful storage for local uploads +# store_synchronous: false +# config: +# directory: /mnt/some/other/directory + +# The largest allowed upload size in bytes +# +max_upload_size: "{{ matrix_synapse_max_upload_size_mb }}M" + +# Maximum number of pixels that will be thumbnailed +# +#max_image_pixels: 32M + +# Whether to generate new thumbnails on the fly to precisely match +# the resolution requested by the client. If true then whenever +# a new resolution is requested by the client the server will +# generate a new thumbnail. If false the server will pick a thumbnail +# from a precalculated list. +# +#dynamic_thumbnails: false + +# List of thumbnails to precalculate when an image is uploaded. +# +#thumbnail_sizes: +# - width: 32 +# height: 32 +# method: crop +# - width: 96 +# height: 96 +# method: crop +# - width: 320 +# height: 240 +# method: scale +# - width: 640 +# height: 480 +# method: scale +# - width: 800 +# height: 600 +# method: scale + +# Is the preview URL API enabled? +# +# 'false' by default: uncomment the following to enable it (and specify a +# url_preview_ip_range_blacklist blacklist). +# +url_preview_enabled: {{ matrix_synapse_url_preview_enabled|to_json }} + +# List of IP address CIDR ranges that the URL preview spider is denied +# from accessing. There are no defaults: you must explicitly +# specify a list for URL previewing to work. You should specify any +# internal services in your network that you do not want synapse to try +# to connect to, otherwise anyone in any Matrix room could cause your +# synapse to issue arbitrary GET requests to your internal services, +# causing serious security issues. +# +# (0.0.0.0 and :: are always blacklisted, whether or not they are explicitly +# listed here, since they correspond to unroutable addresses.) +# +# This must be specified if url_preview_enabled is set. It is recommended that +# you uncomment the following list as a starting point. +# +url_preview_ip_range_blacklist: + - '127.0.0.0/8' + - '10.0.0.0/8' + - '172.16.0.0/12' + - '192.168.0.0/16' + - '100.64.0.0/10' + - '192.0.0.0/24' + - '169.254.0.0/16' + - '198.18.0.0/15' + - '192.0.2.0/24' + - '198.51.100.0/24' + - '203.0.113.0/24' + - '224.0.0.0/4' + - '::1/128' + - 'fe80::/10' + - 'fc00::/7' + +# List of IP address CIDR ranges that the URL preview spider is allowed +# to access even if they are specified in url_preview_ip_range_blacklist. +# This is useful for specifying exceptions to wide-ranging blacklisted +# target IP ranges - e.g. for enabling URL previews for a specific private +# website only visible in your network. +# +#url_preview_ip_range_whitelist: +# - '192.168.1.1' + +# Optional list of URL matches that the URL preview spider is +# denied from accessing. You should use url_preview_ip_range_blacklist +# in preference to this, otherwise someone could define a public DNS +# entry that points to a private IP address and circumvent the blacklist. +# This is more useful if you know there is an entire shape of URL that +# you know that will never want synapse to try to spider. +# +# Each list entry is a dictionary of url component attributes as returned +# by urlparse.urlsplit as applied to the absolute form of the URL. See +# https://docs.python.org/2/library/urlparse.html#urlparse.urlsplit +# The values of the dictionary are treated as an filename match pattern +# applied to that component of URLs, unless they start with a ^ in which +# case they are treated as a regular expression match. If all the +# specified component matches for a given list item succeed, the URL is +# blacklisted. +# +#url_preview_url_blacklist: +# # blacklist any URL with a username in its URI +# - username: '*' +# +# # blacklist all *.google.com URLs +# - netloc: 'google.com' +# - netloc: '*.google.com' +# +# # blacklist all plain HTTP URLs +# - scheme: 'http' +# +# # blacklist http(s)://www.acme.com/foo +# - netloc: 'www.acme.com' +# path: '/foo' +# +# # blacklist any URL with a literal IPv4 address +# - netloc: '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$' + +# The largest allowed URL preview spidering size in bytes +# +max_spider_size: 10M + +# A list of values for the Accept-Language HTTP header used when +# downloading webpages during URL preview generation. This allows +# Synapse to specify the preferred languages that URL previews should +# be in when communicating with remote servers. +# +# Each value is a IETF language tag; a 2-3 letter identifier for a +# language, optionally followed by subtags separated by '-', specifying +# a country or region variant. +# +# Multiple values can be provided, and a weight can be added to each by +# using quality value syntax (;q=). '*' translates to any language. +# +# Defaults to "en". +# +# Example: +# +# url_preview_accept_language: +# - en-UK +# - en-US;q=0.9 +# - fr;q=0.8 +# - *;q=0.7 +# +url_preview_accept_language: +# - en + + +## Captcha ## +# See docs/CAPTCHA_SETUP.md for full details of configuring this. + +# This homeserver's ReCAPTCHA public key. Must be specified if +# enable_registration_captcha is enabled. +# +recaptcha_public_key: {{ matrix_synapse_recaptcha_public_key|to_json }} + +# This homeserver's ReCAPTCHA private key. Must be specified if +# enable_registration_captcha is enabled. +# +recaptcha_private_key: {{ matrix_synapse_recaptcha_private_key|to_json }} + +# Uncomment to enable ReCaptcha checks when registering, preventing signup +# unless a captcha is answered. Requires a valid ReCaptcha +# public/private key. Defaults to 'false'. +# +enable_registration_captcha: {{ matrix_synapse_enable_registration_captcha|to_json }} + +# The API endpoint to use for verifying m.login.recaptcha responses. +# Defaults to "https://www.recaptcha.net/recaptcha/api/siteverify". +# +#recaptcha_siteverify_api: "https://my.recaptcha.site" + + +## TURN ## + +# The public URIs of the TURN server to give to clients +# +turn_uris: {{ matrix_synapse_turn_uris|to_json }} + +# The shared secret used to compute passwords for the TURN server +# +turn_shared_secret: {{ matrix_synapse_turn_shared_secret|string|to_json }} + +# The Username and password if the TURN server needs them and +# does not use a token +# +#turn_username: "TURNSERVER_USERNAME" +#turn_password: "TURNSERVER_PASSWORD" + +# How long generated TURN credentials last +# +#turn_user_lifetime: 1h + +# Whether guests should be allowed to use the TURN server. +# This defaults to True, otherwise VoIP will be unreliable for guests. +# However, it does introduce a slight security risk as it allows users to +# connect to arbitrary endpoints without having first signed up for a +# valid account (e.g. by passing a CAPTCHA). +# +turn_allow_guests: {{ matrix_synapse_turn_allow_guests|to_json }} + + +## Registration ## +# +# Registration can be rate-limited using the parameters in the "Ratelimiting" +# section of this file. + +# Enable registration for new users. +# +enable_registration: {{ matrix_synapse_enable_registration|to_json }} + +# Optional account validity configuration. This allows for accounts to be denied +# any request after a given period. +# +# Once this feature is enabled, Synapse will look for registered users without an +# expiration date at startup and will add one to every account it found using the +# current settings at that time. +# This means that, if a validity period is set, and Synapse is restarted (it will +# then derive an expiration date from the current validity period), and some time +# after that the validity period changes and Synapse is restarted, the users' +# expiration dates won't be updated unless their account is manually renewed. This +# date will be randomly selected within a range [now + period - d ; now + period], +# where d is equal to 10% of the validity period. +# +account_validity: + # The account validity feature is disabled by default. Uncomment the + # following line to enable it. + # + #enabled: true + + # The period after which an account is valid after its registration. When + # renewing the account, its validity period will be extended by this amount + # of time. This parameter is required when using the account validity + # feature. + # + #period: 6w + + # The amount of time before an account's expiry date at which Synapse will + # send an email to the account's email address with a renewal link. By + # default, no such emails are sent. + # + # If you enable this setting, you will also need to fill out the 'email' and + # 'public_baseurl' configuration sections. + # + #renew_at: 1w + + # The subject of the email sent out with the renewal link. '%(app)s' can be + # used as a placeholder for the 'app_name' parameter from the 'email' + # section. + # + # Note that the placeholder must be written '%(app)s', including the + # trailing 's'. + # + # If this is not set, a default value is used. + # + #renew_email_subject: "Renew your %(app)s account" + + # Directory in which Synapse will try to find templates for the HTML files to + # serve to the user when trying to renew an account. If not set, default + # templates from within the Synapse package will be used. + # + #template_dir: "res/templates" + + # File within 'template_dir' giving the HTML to be displayed to the user after + # they successfully renewed their account. If not set, default text is used. + # + #account_renewed_html_path: "account_renewed.html" + + # File within 'template_dir' giving the HTML to be displayed when the user + # tries to renew an account with an invalid renewal token. If not set, + # default text is used. + # + #invalid_token_html_path: "invalid_token.html" + +# Time that a user's session remains valid for, after they log in. +# +# Note that this is not currently compatible with guest logins. +# +# Note also that this is calculated at login time: changes are not applied +# retrospectively to users who have already logged in. +# +# By default, this is infinite. +# +#session_lifetime: 24h + +# The user must provide all of the below types of 3PID when registering. +# +#registrations_require_3pid: +# - email +# - msisdn +{% if matrix_synapse_registrations_require_3pid|length > 0 %} +registrations_require_3pid: {{ matrix_synapse_registrations_require_3pid|to_json }} +{% endif %} + +# Explicitly disable asking for MSISDNs from the registration +# flow (overrides registrations_require_3pid if MSISDNs are set as required) +# +#disable_msisdn_registration: true + +# Mandate that users are only allowed to associate certain formats of +# 3PIDs with accounts on this server. +# +#allowed_local_3pids: +# - medium: email +# pattern: '.*@matrix\.org' +# - medium: email +# pattern: '.*@vector\.im' +# - medium: msisdn +# pattern: '\+44' +{% if matrix_synapse_allowed_local_3pids|length > 0 %} +allowed_local_3pids: {{ matrix_synapse_allowed_local_3pids|to_json }} +{% endif %} + +# Enable 3PIDs lookup requests to identity servers from this server. +# +#enable_3pid_lookup: true + +# If set, allows registration of standard or admin accounts by anyone who +# has the shared secret, even if registration is otherwise disabled. +# +registration_shared_secret: {{ matrix_synapse_registration_shared_secret|string|to_json }} + +# Set the number of bcrypt rounds used to generate password hash. +# Larger numbers increase the work factor needed to generate the hash. +# The default number is 12 (which equates to 2^12 rounds). +# N.B. that increasing this will exponentially increase the time required +# to register or login - e.g. 24 => 2^24 rounds which will take >20 mins. +# +#bcrypt_rounds: 12 + +# Allows users to register as guests without a password/email/etc, and +# participate in rooms hosted on this server which have been made +# accessible to anonymous users. +# +allow_guest_access: {{ matrix_synapse_allow_guest_access|to_json }} + +# The identity server which we suggest that clients should use when users log +# in on this server. +# +# (By default, no suggestion is made, so it is left up to the client. +# This setting is ignored unless public_baseurl is also set.) +# +#default_identity_server: https://matrix.org + +# Handle threepid (email/phone etc) registration and password resets through a set of +# *trusted* identity servers. Note that this allows the configured identity server to +# reset passwords for accounts! +# +# Be aware that if `email` is not set, and SMTP options have not been +# configured in the email config block, registration and user password resets via +# email will be globally disabled. +# +# Additionally, if `msisdn` is not set, registration and password resets via msisdn +# will be disabled regardless, and users will not be able to associate an msisdn +# identifier to their account. This is due to Synapse currently not supporting +# any method of sending SMS messages on its own. +# +# To enable using an identity server for operations regarding a particular third-party +# identifier type, set the value to the URL of that identity server as shown in the +# examples below. +# +# Servers handling the these requests must answer the `/requestToken` endpoints defined +# by the Matrix Identity Service API specification: +# https://matrix.org/docs/spec/identity_service/latest +# +# If a delegate is specified, the config option public_baseurl must also be filled out. +# +account_threepid_delegates: + email: {{ matrix_synapse_account_threepid_delegates_email|to_json }} + msisdn: {{ matrix_synapse_account_threepid_delegates_msisdn|to_json }} + +# Whether users are allowed to change their displayname after it has +# been initially set. Useful when provisioning users based on the +# contents of a third-party directory. +# +# Does not apply to server administrators. Defaults to 'true' +# +#enable_set_displayname: false + +# Whether users are allowed to change their avatar after it has been +# initially set. Useful when provisioning users based on the contents +# of a third-party directory. +# +# Does not apply to server administrators. Defaults to 'true' +# +#enable_set_avatar_url: false + +# Whether users can change the 3PIDs associated with their accounts +# (email address and msisdn). +# +# Defaults to 'true' +# +#enable_3pid_changes: false + +# Users who register on this homeserver will automatically be joined +# to these rooms. +# +# By default, any room aliases included in this list will be created +# as a publicly joinable room when the first user registers for the +# homeserver. This behaviour can be customised with the settings below. +# +#auto_join_rooms: +# - "#example:example.com" +{% if matrix_synapse_auto_join_rooms|length > 0 %} +auto_join_rooms: +{{ matrix_synapse_auto_join_rooms|to_nice_yaml }} +{% endif %} + +# Where auto_join_rooms are specified, setting this flag ensures that the +# the rooms exist by creating them when the first user on the +# homeserver registers. +# +# By default the auto-created rooms are publicly joinable from any federated +# server. Use the autocreate_auto_join_rooms_federated and +# autocreate_auto_join_room_preset settings below to customise this behaviour. +# +# Setting to false means that if the rooms are not manually created, +# users cannot be auto-joined since they do not exist. +# +# Defaults to true. Uncomment the following line to disable automatically +# creating auto-join rooms. +# +autocreate_auto_join_rooms: {{ matrix_synapse_autocreate_auto_join_rooms|to_json }} + +# Whether the auto_join_rooms that are auto-created are available via +# federation. Only has an effect if autocreate_auto_join_rooms is true. +# +# Note that whether a room is federated cannot be modified after +# creation. +# +# Defaults to true: the room will be joinable from other servers. +# Uncomment the following to prevent users from other homeservers from +# joining these rooms. +# +#autocreate_auto_join_rooms_federated: false + +# The room preset to use when auto-creating one of auto_join_rooms. Only has an +# effect if autocreate_auto_join_rooms is true. +# +# This can be one of "public_chat", "private_chat", or "trusted_private_chat". +# If a value of "private_chat" or "trusted_private_chat" is used then +# auto_join_mxid_localpart must also be configured. +# +# Defaults to "public_chat", meaning that the room is joinable by anyone, including +# federated servers if autocreate_auto_join_rooms_federated is true (the default). +# Uncomment the following to require an invitation to join these rooms. +# +#autocreate_auto_join_room_preset: private_chat + +# The local part of the user id which is used to create auto_join_rooms if +# autocreate_auto_join_rooms is true. If this is not provided then the +# initial user account that registers will be used to create the rooms. +# +# The user id is also used to invite new users to any auto-join rooms which +# are set to invite-only. +# +# It *must* be configured if autocreate_auto_join_room_preset is set to +# "private_chat" or "trusted_private_chat". +# +# Note that this must be specified in order for new users to be correctly +# invited to any auto-join rooms which have been set to invite-only (either +# at the time of creation or subsequently). +# +# Note that, if the room already exists, this user must be joined and +# have the appropriate permissions to invite new members. +# +#auto_join_mxid_localpart: system + +# When auto_join_rooms is specified, setting this flag to false prevents +# guest accounts from being automatically joined to the rooms. +# +# Defaults to true. +# +#auto_join_rooms_for_guests: false + + +## Metrics ### + +# Enable collection and rendering of performance metrics +# +enable_metrics: {{ matrix_synapse_metrics_enabled|to_json }} + + +# Enable sentry integration +# NOTE: While attempts are made to ensure that the logs don't contain +# any sensitive information, this cannot be guaranteed. By enabling +# this option the sentry server may therefore receive sensitive +# information, and it in turn may then diseminate sensitive information +# through insecure notification channels if so configured. +# +{% if matrix_synapse_sentry_dsn != "" %} +sentry: + dsn: {{ matrix_synapse_sentry_dsn|to_json }} +{% endif %} + +# Flags to enable Prometheus metrics which are not suitable to be +# enabled by default, either for performance reasons or limited use. +# +metrics_flags: + # Publish synapse_federation_known_servers, a gauge of the number of + # servers this homeserver knows about, including itself. May cause + # performance problems on large homeservers. + # + #known_servers: true + +# Whether or not to report anonymized homeserver usage statistics. +# +report_stats: {{ matrix_synapse_report_stats|to_json }} + +# The endpoint to report the anonymized homeserver usage statistics to. +# Defaults to https://matrix.org/report-usage-stats/push +# +#report_stats_endpoint: https://example.com/report-usage-stats/push + + +## API Configuration ## + +# A list of event types that will be included in the room_invite_state +# +#room_invite_state_types: +# - "m.room.join_rules" +# - "m.room.canonical_alias" +# - "m.room.avatar" +# - "m.room.encryption" +# - "m.room.name" + + +# A list of application service config files to use +# +app_service_config_files: {{ matrix_synapse_app_service_config_files|to_json }} + +# Uncomment to enable tracking of application service IP addresses. Implicitly +# enables MAU tracking for application service users. +# +#track_appservice_user_ips: True + + +# a secret which is used to sign access tokens. If none is specified, +# the registration_shared_secret is used, if one is given; otherwise, +# a secret key is derived from the signing key. +# +macaroon_secret_key: {{ matrix_synapse_macaroon_secret_key|string|to_json }} + +# a secret which is used to calculate HMACs for form values, to stop +# falsification of values. Must be specified for the User Consent +# forms to work. +# +form_secret: {{ matrix_synapse_form_secret|string|to_json }} + +## Signing Keys ## + +# Path to the signing key to sign messages with +# +signing_key_path: "/data/{{ matrix_server_fqn_matrix }}.signing.key" + +# The keys that the server used to sign messages with but won't use +# to sign new messages. +# +old_signing_keys: + # For each key, `key` should be the base64-encoded public key, and + # `expired_ts`should be the time (in milliseconds since the unix epoch) that + # it was last used. + # + # It is possible to build an entry from an old signing.key file using the + # `export_signing_key` script which is provided with synapse. + # + # For example: + # + #"ed25519:id": { key: "base64string", expired_ts: 123456789123 } + +# How long key response published by this server is valid for. +# Used to set the valid_until_ts in /key/v2 APIs. +# Determines how quickly servers will query to check which keys +# are still valid. +# +#key_refresh_interval: 1d + +# The trusted servers to download signing keys from. +# +# When we need to fetch a signing key, each server is tried in parallel. +# +# Normally, the connection to the key server is validated via TLS certificates. +# Additional security can be provided by configuring a `verify key`, which +# will make synapse check that the response is signed by that key. +# +# This setting supercedes an older setting named `perspectives`. The old format +# is still supported for backwards-compatibility, but it is deprecated. +# +# 'trusted_key_servers' defaults to matrix.org, but using it will generate a +# warning on start-up. To suppress this warning, set +# 'suppress_key_server_warning' to true. +# +# Options for each entry in the list include: +# +# server_name: the name of the server. required. +# +# verify_keys: an optional map from key id to base64-encoded public key. +# If specified, we will check that the response is signed by at least +# one of the given keys. +# +# accept_keys_insecurely: a boolean. Normally, if `verify_keys` is unset, +# and federation_verify_certificates is not `true`, synapse will refuse +# to start, because this would allow anyone who can spoof DNS responses +# to masquerade as the trusted key server. If you know what you are doing +# and are sure that your network environment provides a secure connection +# to the key server, you can set this to `true` to override this +# behaviour. +# +# An example configuration might look like: +# +#trusted_key_servers: +# - server_name: "my_trusted_server.example.com" +# verify_keys: +# "ed25519:auto": "abcdefghijklmnopqrstuvwxyzabcdefghijklmopqr" +# - server_name: "my_other_trusted_server.example.com" +# +trusted_key_servers: {{ matrix_synapse_trusted_key_servers|to_json }} + + +# Uncomment the following to disable the warning that is emitted when the +# trusted_key_servers include 'matrix.org'. See above. +# +#suppress_key_server_warning: true + +# The signing keys to use when acting as a trusted key server. If not specified +# defaults to the server signing key. +# +# Can contain multiple keys, one per line. +# +#key_server_signing_keys_path: "key_server_signing_keys.key" + + +## Single sign-on integration ## + +# The following settings can be used to make Synapse use a single sign-on +# provider for authentication, instead of its internal password database. +# +# You will probably also want to set the following options to `false` to +# disable the regular login/registration flows: +# * enable_registration +# * password_config.enabled +# +# You will also want to investigate the settings under the "sso" configuration +# section below. + +# Enable SAML2 for registration and login. Uses pysaml2. +# +# At least one of `sp_config` or `config_path` must be set in this section to +# enable SAML login. +# +# Once SAML support is enabled, a metadata file will be exposed at +# https://:/_matrix/saml2/metadata.xml, which you may be able to +# use to configure your SAML IdP with. Alternatively, you can manually configure +# the IdP to use an ACS location of +# https://:/_matrix/saml2/authn_response. +# +saml2_config: + # `sp_config` is the configuration for the pysaml2 Service Provider. + # See pysaml2 docs for format of config. + # + # Default values will be used for the 'entityid' and 'service' settings, + # so it is not normally necessary to specify them unless you need to + # override them. + # + sp_config: + # Point this to the IdP's metadata. You must provide either a local + # file via the `local` attribute or (preferably) a URL via the + # `remote` attribute. + # + #metadata: + # local: ["saml2/idp.xml"] + # remote: + # - url: https://our_idp/metadata.xml + + # Allowed clock difference in seconds between the homeserver and IdP. + # + # Uncomment the below to increase the accepted time difference from 0 to 3 seconds. + # + #accepted_time_diff: 3 + + # By default, the user has to go to our login page first. If you'd like + # to allow IdP-initiated login, set 'allow_unsolicited: true' in a + # 'service.sp' section: + # + #service: + # sp: + # allow_unsolicited: true + + # The examples below are just used to generate our metadata xml, and you + # may well not need them, depending on your setup. Alternatively you + # may need a whole lot more detail - see the pysaml2 docs! + + #description: ["My awesome SP", "en"] + #name: ["Test SP", "en"] + + #ui_info: + # display_name: + # - lang: en + # text: "Display Name is the descriptive name of your service." + # description: + # - lang: en + # text: "Description should be a short paragraph explaining the purpose of the service." + # information_url: + # - lang: en + # text: "https://example.com/terms-of-service" + # privacy_statement_url: + # - lang: en + # text: "https://example.com/privacy-policy" + # keywords: + # - lang: en + # text: ["Matrix", "Element"] + # logo: + # - lang: en + # text: "https://example.com/logo.svg" + # width: "200" + # height: "80" + + #organization: + # name: Example com + # display_name: + # - ["Example co", "en"] + # url: "http://example.com" + + #contact_person: + # - given_name: Bob + # sur_name: "the Sysadmin" + # email_address": ["admin@example.com"] + # contact_type": technical + + # Instead of putting the config inline as above, you can specify a + # separate pysaml2 configuration file: + # + #config_path: "/data/sp_conf.py" + + # The lifetime of a SAML session. This defines how long a user has to + # complete the authentication process, if allow_unsolicited is unset. + # The default is 15 minutes. + # + #saml_session_lifetime: 5m + + # An external module can be provided here as a custom solution to + # mapping attributes returned from a saml provider onto a matrix user. + # + user_mapping_provider: + # The custom module's class. Uncomment to use a custom module. + # + #module: mapping_provider.SamlMappingProvider + + # Custom configuration values for the module. Below options are + # intended for the built-in provider, they should be changed if + # using a custom module. This section will be passed as a Python + # dictionary to the module's `parse_config` method. + # + config: + # The SAML attribute (after mapping via the attribute maps) to use + # to derive the Matrix ID from. 'uid' by default. + # + # Note: This used to be configured by the + # saml2_config.mxid_source_attribute option. If that is still + # defined, its value will be used instead. + # + #mxid_source_attribute: displayName + + # The mapping system to use for mapping the saml attribute onto a + # matrix ID. + # + # Options include: + # * 'hexencode' (which maps unpermitted characters to '=xx') + # * 'dotreplace' (which replaces unpermitted characters with + # '.'). + # The default is 'hexencode'. + # + # Note: This used to be configured by the + # saml2_config.mxid_mapping option. If that is still defined, its + # value will be used instead. + # + #mxid_mapping: dotreplace + + # In previous versions of synapse, the mapping from SAML attribute to + # MXID was always calculated dynamically rather than stored in a + # table. For backwards- compatibility, we will look for user_ids + # matching such a pattern before creating a new account. + # + # This setting controls the SAML attribute which will be used for this + # backwards-compatibility lookup. Typically it should be 'uid', but if + # the attribute maps are changed, it may be necessary to change it. + # + # The default is 'uid'. + # + #grandfathered_mxid_source_attribute: upn + + # It is possible to configure Synapse to only allow logins if SAML attributes + # match particular values. The requirements can be listed under + # `attribute_requirements` as shown below. All of the listed attributes must + # match for the login to be permitted. + # + #attribute_requirements: + # - attribute: userGroup + # value: "staff" + # - attribute: department + # value: "sales" + + # If the metadata XML contains multiple IdP entities then the `idp_entityid` + # option must be set to the entity to redirect users to. + # + # Most deployments only have a single IdP entity and so should omit this + # option. + # + #idp_entityid: 'https://our_idp/entityid' + + +# Enable OpenID Connect (OIDC) / OAuth 2.0 for registration and login. +# +# See https://github.com/matrix-org/synapse/blob/master/docs/openid.md +# for some example configurations. +# +oidc_config: + # Uncomment the following to enable authorization against an OpenID Connect + # server. Defaults to false. + # + #enabled: true + + # Uncomment the following to disable use of the OIDC discovery mechanism to + # discover endpoints. Defaults to true. + # + #discover: false + + # the OIDC issuer. Used to validate tokens and (if discovery is enabled) to + # discover the provider's endpoints. + # + # Required if 'enabled' is true. + # + #issuer: "https://accounts.example.com/" + + # oauth2 client id to use. + # + # Required if 'enabled' is true. + # + #client_id: "provided-by-your-issuer" + + # oauth2 client secret to use. + # + # Required if 'enabled' is true. + # + #client_secret: "provided-by-your-issuer" + + # auth method to use when exchanging the token. + # Valid values are 'client_secret_basic' (default), 'client_secret_post' and + # 'none'. + # + #client_auth_method: client_secret_post + + # list of scopes to request. This should normally include the "openid" scope. + # Defaults to ["openid"]. + # + #scopes: ["openid", "profile"] + + # the oauth2 authorization endpoint. Required if provider discovery is disabled. + # + #authorization_endpoint: "https://accounts.example.com/oauth2/auth" + + # the oauth2 token endpoint. Required if provider discovery is disabled. + # + #token_endpoint: "https://accounts.example.com/oauth2/token" + + # the OIDC userinfo endpoint. Required if discovery is disabled and the + # "openid" scope is not requested. + # + #userinfo_endpoint: "https://accounts.example.com/userinfo" + + # URI where to fetch the JWKS. Required if discovery is disabled and the + # "openid" scope is used. + # + #jwks_uri: "https://accounts.example.com/.well-known/jwks.json" + + # Uncomment to skip metadata verification. Defaults to false. + # + # Use this if you are connecting to a provider that is not OpenID Connect + # compliant. + # Avoid this in production. + # + #skip_verification: true + + # Whether to fetch the user profile from the userinfo endpoint. Valid + # values are: "auto" or "userinfo_endpoint". + # + # Defaults to "auto", which fetches the userinfo endpoint if "openid" is included + # in `scopes`. Uncomment the following to always fetch the userinfo endpoint. + # + #user_profile_method: "userinfo_endpoint" + + # Uncomment to allow a user logging in via OIDC to match a pre-existing account instead + # of failing. This could be used if switching from password logins to OIDC. Defaults to false. + # + #allow_existing_users: true + + # An external module can be provided here as a custom solution to mapping + # attributes returned from a OIDC provider onto a matrix user. + # + user_mapping_provider: + # The custom module's class. Uncomment to use a custom module. + # Default is 'synapse.handlers.oidc_handler.JinjaOidcMappingProvider'. + # + # See https://github.com/matrix-org/synapse/blob/master/docs/sso_mapping_providers.md#openid-mapping-providers + # for information on implementing a custom mapping provider. + # + #module: mapping_provider.OidcMappingProvider + + # Custom configuration values for the module. This section will be passed as + # a Python dictionary to the user mapping provider module's `parse_config` + # method. + # + # The examples below are intended for the default provider: they should be + # changed if using a custom provider. + # + config: + # name of the claim containing a unique identifier for the user. + # Defaults to `sub`, which OpenID Connect compliant providers should provide. + # + #subject_claim: "sub" + + # Jinja2 template for the localpart of the MXID. + # + # When rendering, this template is given the following variables: + # * user: The claims returned by the UserInfo Endpoint and/or in the ID + # Token + # + # If this is not set, the user will be prompted to choose their + # own username. + # + localpart_template: "{% raw %}{{ user.preferred_username }}{% endraw %}" + + # Jinja2 template for the display name to set on first login. + # + # If unset, no displayname will be set. + # + #display_name_template: "{% raw %}{{ user.given_name }} {{ user.last_name }}{% endraw %}" + + # Jinja2 templates for extra attributes to send back to the client during + # login. + # + # Note that these are non-standard and clients will ignore them without modifications. + # + #extra_attributes: + #birthdate: "{% raw %}{{ user.birthdate }}{% endraw %}" + + + +# Enable Central Authentication Service (CAS) for registration and login. +# +cas_config: + # Uncomment the following to enable authorization against a CAS server. + # Defaults to false. + # + #enabled: true + + # The URL of the CAS authorization endpoint. + # + #server_url: "https://cas-server.com" + + # The public URL of the homeserver. + # + #service_url: "https://homeserver.domain.com:8448" + + # The attribute of the CAS response to use as the display name. + # + # If unset, no displayname will be set. + # + #displayname_attribute: name + + # It is possible to configure Synapse to only allow logins if CAS attributes + # match particular values. All of the keys in the mapping below must exist + # and the values must match the given value. Alternately if the given value + # is None then any value is allowed (the attribute just must exist). + # All of the listed attributes must match for the login to be permitted. + # + #required_attributes: + # userGroup: "staff" + # department: None + + +# Additional settings to use with single-sign on systems such as OpenID Connect, +# SAML2 and CAS. +# +sso: + # A list of client URLs which are whitelisted so that the user does not + # have to confirm giving access to their account to the URL. Any client + # whose URL starts with an entry in the following list will not be subject + # to an additional confirmation step after the SSO login is completed. + # + # WARNING: An entry such as "https://my.client" is insecure, because it + # will also match "https://my.client.evil.site", exposing your users to + # phishing attacks from evil.site. To avoid this, include a slash after the + # hostname: "https://my.client/". + # + # If public_baseurl is set, then the login fallback page (used by clients + # that don't natively support the required login flows) is whitelisted in + # addition to any URLs in this list. + # + # By default, this list is empty. + # + #client_whitelist: + # - https://riot.im/develop + # - https://my.custom.client/ + + # Directory in which Synapse will try to find the template files below. + # If not set, or the files named below are not found within the template + # directory, default templates from within the Synapse package will be used. + # + # Synapse will look for the following templates in this directory: + # + # * HTML page for a confirmation step before redirecting back to the client + # with the login token: 'sso_redirect_confirm.html'. + # + # When rendering, this template is given three variables: + # * redirect_url: the URL the user is about to be redirected to. Needs + # manual escaping (see + # https://jinja.palletsprojects.com/en/2.11.x/templates/#html-escaping). + # + # * display_url: the same as `redirect_url`, but with the query + # parameters stripped. The intention is to have a + # human-readable URL to show to users, not to use it as + # the final address to redirect to. Needs manual escaping + # (see https://jinja.palletsprojects.com/en/2.11.x/templates/#html-escaping). + # + # * server_name: the homeserver's name. + # + # * HTML page which notifies the user that they are authenticating to confirm + # an operation on their account during the user interactive authentication + # process: 'sso_auth_confirm.html'. + # + # When rendering, this template is given the following variables: + # * redirect_url: the URL the user is about to be redirected to. Needs + # manual escaping (see + # https://jinja.palletsprojects.com/en/2.11.x/templates/#html-escaping). + # + # * description: the operation which the user is being asked to confirm + # + # * HTML page shown after a successful user interactive authentication session: + # 'sso_auth_success.html'. + # + # Note that this page must include the JavaScript which notifies of a successful authentication + # (see https://matrix.org/docs/spec/client_server/r0.6.0#fallback). + # + # This template has no additional variables. + # + # * HTML page shown during single sign-on if a deactivated user (according to Synapse's database) + # attempts to login: 'sso_account_deactivated.html'. + # + # This template has no additional variables. + # + # * HTML page to display to users if something goes wrong during the + # OpenID Connect authentication process: 'sso_error.html'. + # + # When rendering, this template is given two variables: + # * error: the technical name of the error + # * error_description: a human-readable message for the error + # + # You can see the default templates at: + # https://github.com/matrix-org/synapse/tree/master/synapse/res/templates + # + #template_dir: "res/templates" + + +# JSON web token integration. The following settings can be used to make +# Synapse JSON web tokens for authentication, instead of its internal +# password database. +# +# Each JSON Web Token needs to contain a "sub" (subject) claim, which is +# used as the localpart of the mxid. +# +# Additionally, the expiration time ("exp"), not before time ("nbf"), +# and issued at ("iat") claims are validated if present. +# +# Note that this is a non-standard login type and client support is +# expected to be non-existent. +# +# See https://github.com/matrix-org/synapse/blob/master/docs/jwt.md. +# +#jwt_config: + # Uncomment the following to enable authorization using JSON web + # tokens. Defaults to false. + # + #enabled: true + + # This is either the private shared secret or the public key used to + # decode the contents of the JSON web token. + # + # Required if 'enabled' is true. + # + #secret: "provided-by-your-issuer" + + # The algorithm used to sign the JSON web token. + # + # Supported algorithms are listed at + # https://pyjwt.readthedocs.io/en/latest/algorithms.html + # + # Required if 'enabled' is true. + # + #algorithm: "provided-by-your-issuer" + + # The issuer to validate the "iss" claim against. + # + # Optional, if provided the "iss" claim will be required and + # validated for all JSON web tokens. + # + #issuer: "provided-by-your-issuer" + + # A list of audiences to validate the "aud" claim against. + # + # Optional, if provided the "aud" claim will be required and + # validated for all JSON web tokens. + # + # Note that if the "aud" claim is included in a JSON web token then + # validation will fail without configuring audiences. + # + #audiences: + # - "provided-by-your-issuer" + + +password_config: + # Uncomment to disable password login + # + #enabled: false + + # Uncomment to disable authentication against the local password + # database. This is ignored if `enabled` is false, and is only useful + # if you have other password_providers. + # + localdb_enabled: {{ matrix_synapse_password_config_localdb_enabled|to_json }} + + # Uncomment and change to a secret random string for extra security. + # DO NOT CHANGE THIS AFTER INITIAL SETUP! + # + pepper: {{ matrix_synapse_password_config_pepper|string|to_json }} + + # Define and enforce a password policy. Each parameter is optional. + # This is an implementation of MSC2000. + # + policy: + # Whether to enforce the password policy. + # Defaults to 'false'. + # + #enabled: true + + # Minimum accepted length for a password. + # Defaults to 0. + # + #minimum_length: 15 + + # Whether a password must contain at least one digit. + # Defaults to 'false'. + # + #require_digit: true + + # Whether a password must contain at least one symbol. + # A symbol is any character that's not a number or a letter. + # Defaults to 'false'. + # + #require_symbol: true + + # Whether a password must contain at least one lowercase letter. + # Defaults to 'false'. + # + #require_lowercase: true + + # Whether a password must contain at least one lowercase letter. + # Defaults to 'false'. + # + #require_uppercase: true + +ui_auth: + # The number of milliseconds to allow a user-interactive authentication + # session to be active. + # + # This defaults to 0, meaning the user is queried for their credentials + # before every action, but this can be overridden to alow a single + # validation to be re-used. This weakens the protections afforded by + # the user-interactive authentication process, by allowing for multiple + # (and potentially different) operations to use the same validation session. + # + # Uncomment below to allow for credential validation to last for 15 + # seconds. + # + #session_timeout: 15000 + + +{% if matrix_synapse_email_enabled %} +# Configuration for sending emails from Synapse. +# +email: + # The hostname of the outgoing SMTP server to use. Defaults to 'localhost'. + # + #smtp_host: mail.server + smtp_host: {{ matrix_synapse_email_smtp_host|string|to_json }} + + # The port on the mail server for outgoing SMTP. Defaults to 25. + # + #smtp_port: 587 + smtp_port: {{ matrix_synapse_email_smtp_port|to_json }} + + # Username/password for authentication to the SMTP server. By default, no + # authentication is attempted. + # + #smtp_user: "exampleusername" + #smtp_pass: "examplepassword" + + # Uncomment the following to require TLS transport security for SMTP. + # By default, Synapse will connect over plain text, and will then switch to + # TLS via STARTTLS *if the SMTP server supports it*. If this option is set, + # Synapse will refuse to connect unless the server supports STARTTLS. + # + #require_transport_security: true + require_transport_security: {{ matrix_synapse_email_smtp_require_transport_security|to_json }} + + # Enable sending emails for messages that the user has missed + # + #enable_notifs: false + enable_notifs: true + + # notif_from defines the "From" address to use when sending emails. + # It must be set if email sending is enabled. + # + # The placeholder '%(app)s' will be replaced by the application name, + # which is normally 'app_name' (below), but may be overridden by the + # Matrix client application. + # + # Note that the placeholder must be written '%(app)s', including the + # trailing 's'. + # + #notif_from: "Your Friendly %(app)s homeserver " + notif_from: {{ matrix_synapse_email_notif_from|string|to_json }} + + # app_name defines the default value for '%(app)s' in notif_from and email + # subjects. It defaults to 'Matrix'. + # + #app_name: my_branded_matrix_server + app_name: Matrix + + # Uncomment the following to disable automatic subscription to email + # notifications for new users. Enabled by default. + # + #notif_for_new_users: false + notif_for_new_users: True + + # Custom URL for client links within the email notifications. By default + # links will be based on "https://matrix.to". + # + # (This setting used to be called riot_base_url; the old name is still + # supported for backwards-compatibility but is now deprecated.) + # + #client_base_url: "http://localhost/riot" + client_base_url: {{ matrix_synapse_email_client_base_url|string|to_json }} + + # Configure the time that a validation email will expire after sending. + # Defaults to 1h. + # + #validation_token_lifetime: 15m + + # Directory in which Synapse will try to find the template files below. + # If not set, or the files named below are not found within the template + # directory, default templates from within the Synapse package will be used. + # + # Synapse will look for the following templates in this directory: + # + # * The contents of email notifications of missed events: 'notif_mail.html' and + # 'notif_mail.txt'. + # + # * The contents of account expiry notice emails: 'notice_expiry.html' and + # 'notice_expiry.txt'. + # + # * The contents of password reset emails sent by the homeserver: + # 'password_reset.html' and 'password_reset.txt' + # + # * An HTML page that a user will see when they follow the link in the password + # reset email. The user will be asked to confirm the action before their + # password is reset: 'password_reset_confirmation.html' + # + # * HTML pages for success and failure that a user will see when they confirm + # the password reset flow using the page above: 'password_reset_success.html' + # and 'password_reset_failure.html' + # + # * The contents of address verification emails sent during registration: + # 'registration.html' and 'registration.txt' + # + # * HTML pages for success and failure that a user will see when they follow + # the link in an address verification email sent during registration: + # 'registration_success.html' and 'registration_failure.html' + # + # * The contents of address verification emails sent when an address is added + # to a Matrix account: 'add_threepid.html' and 'add_threepid.txt' + # + # * HTML pages for success and failure that a user will see when they follow + # the link in an address verification email sent when an address is added + # to a Matrix account: 'add_threepid_success.html' and + # 'add_threepid_failure.html' + # + # You can see the default templates at: + # https://github.com/matrix-org/synapse/tree/master/synapse/res/templates + # + #template_dir: "res/templates" + + # Subjects to use when sending emails from Synapse. + # + # The placeholder '%(app)s' will be replaced with the value of the 'app_name' + # setting above, or by a value dictated by the Matrix client application. + # + # If a subject isn't overridden in this configuration file, the value used as + # its example will be used. + # + #subjects: + + # Subjects for notification emails. + # + # On top of the '%(app)s' placeholder, these can use the following + # placeholders: + # + # * '%(person)s', which will be replaced by the display name of the user(s) + # that sent the message(s), e.g. "Alice and Bob". + # * '%(room)s', which will be replaced by the name of the room the + # message(s) have been sent to, e.g. "My super room". + # + # See the example provided for each setting to see which placeholder can be + # used and how to use them. + # + # Subject to use to notify about one message from one or more user(s) in a + # room which has a name. + #message_from_person_in_room: "[%(app)s] You have a message on %(app)s from %(person)s in the %(room)s room..." + # + # Subject to use to notify about one message from one or more user(s) in a + # room which doesn't have a name. + #message_from_person: "[%(app)s] You have a message on %(app)s from %(person)s..." + # + # Subject to use to notify about multiple messages from one or more users in + # a room which doesn't have a name. + #messages_from_person: "[%(app)s] You have messages on %(app)s from %(person)s..." + # + # Subject to use to notify about multiple messages in a room which has a + # name. + #messages_in_room: "[%(app)s] You have messages on %(app)s in the %(room)s room..." + # + # Subject to use to notify about multiple messages in multiple rooms. + #messages_in_room_and_others: "[%(app)s] You have messages on %(app)s in the %(room)s room and others..." + # + # Subject to use to notify about multiple messages from multiple persons in + # multiple rooms. This is similar to the setting above except it's used when + # the room in which the notification was triggered has no name. + #messages_from_person_and_others: "[%(app)s] You have messages on %(app)s from %(person)s and others..." + # + # Subject to use to notify about an invite to a room which has a name. + #invite_from_person_to_room: "[%(app)s] %(person)s has invited you to join the %(room)s room on %(app)s..." + # + # Subject to use to notify about an invite to a room which doesn't have a + # name. + #invite_from_person: "[%(app)s] %(person)s has invited you to chat on %(app)s..." + + # Subject for emails related to account administration. + # + # On top of the '%(app)s' placeholder, these one can use the + # '%(server_name)s' placeholder, which will be replaced by the value of the + # 'server_name' setting in your Synapse configuration. + # + # Subject to use when sending a password reset email. + #password_reset: "[%(server_name)s] Password reset" + # + # Subject to use when sending a verification email to assert an address's + # ownership. + #email_validation: "[%(server_name)s] Validate your email" +{% endif %} + +# Password providers allow homeserver administrators to integrate +# their Synapse installation with existing authentication methods +# ex. LDAP, external tokens, etc. +# +# For more information and known implementations, please see +# https://github.com/matrix-org/synapse/blob/master/docs/password_auth_providers.md +# +# Note: instances wishing to use SAML or CAS authentication should +# instead use the `saml2_config` or `cas_config` options, +# respectively. +# +# password_providers: +# # Example config for an LDAP auth provider +# - module: "ldap_auth_provider.LdapAuthProvider" +# config: +# enabled: true +# uri: "ldap://ldap.example.com:389" +# start_tls: true +# base: "ou=users,dc=example,dc=com" +# attributes: +# uid: "cn" +# mail: "email" +# name: "givenName" +# #bind_dn: +# #bind_password: +# #filter: "(objectClass=posixAccount)" +{% if matrix_synapse_password_providers_enabled %} +password_providers: +{% if matrix_synapse_ext_password_provider_shared_secret_auth_enabled %} + - module: "shared_secret_authenticator.SharedSecretAuthenticator" + config: + sharedSecret: {{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret|string|to_json }} +{% endif %} +{% if matrix_synapse_ext_password_provider_rest_auth_enabled %} + - module: "rest_auth_provider.RestAuthProvider" + config: + endpoint: {{ matrix_synapse_ext_password_provider_rest_auth_endpoint|string|to_json }} + policy: + registration: + username: + enforceLowercase: {{ matrix_synapse_ext_password_provider_rest_auth_registration_enforce_lowercase }} + profile: + name: {{ matrix_synapse_ext_password_provider_rest_auth_registration_profile_name_autofill }} + login: + profile: + name: {{ matrix_synapse_ext_password_provider_rest_auth_login_profile_name_autofill }} +{% endif %} +{% if matrix_synapse_ext_password_provider_ldap_enabled %} + - module: "ldap_auth_provider.LdapAuthProvider" + config: + enabled: true + uri: {{ matrix_synapse_ext_password_provider_ldap_uri|string|to_json }} + start_tls: {{ matrix_synapse_ext_password_provider_ldap_start_tls|to_json }} + base: {{ matrix_synapse_ext_password_provider_ldap_base|string|to_json }} + attributes: + uid: {{ matrix_synapse_ext_password_provider_ldap_attributes_uid|string|to_json }} + mail: {{ matrix_synapse_ext_password_provider_ldap_attributes_mail|string|to_json }} + name: {{ matrix_synapse_ext_password_provider_ldap_attributes_name|string|to_json }} + bind_dn: {{ matrix_synapse_ext_password_provider_ldap_bind_dn|string|to_json }} + bind_password: {{ matrix_synapse_ext_password_provider_ldap_bind_password|string|to_json }} + filter: {{ matrix_synapse_ext_password_provider_ldap_filter|string|to_json }} +{% endif %} +{% endif %} + + +## Push ## + +push: + # Clients requesting push notifications can either have the body of + # the message sent in the notification poke along with other details + # like the sender, or just the event ID and room ID (`event_id_only`). + # If clients choose the former, this option controls whether the + # notification request includes the content of the event (other details + # like the sender are still included). For `event_id_only` push, it + # has no effect. + # + # For modern android devices the notification content will still appear + # because it is loaded by the app. iPhone, however will send a + # notification saying only that a message arrived and who it came from. + # + # The default value is "true" to include message details. Uncomment to only + # include the event ID and room ID in push notification payloads. + # + include_content: {{ matrix_synapse_push_include_content|to_json }} + + # When a push notification is received, an unread count is also sent. + # This number can either be calculated as the number of unread messages + # for the user, or the number of *rooms* the user has unread messages in. + # + # The default value is "true", meaning push clients will see the number of + # rooms with unread messages in them. Uncomment to instead send the number + # of unread messages. + # + #group_unread_count_by_room: false + + +# Spam checkers are third-party modules that can block specific actions +# of local users, such as creating rooms and registering undesirable +# usernames, as well as remote users by redacting incoming events. +# +# spam_checker: + #- module: "my_custom_project.SuperSpamChecker" + # config: + # example_option: 'things' + #- module: "some_other_project.BadEventStopper" + # config: + # example_stop_events_from: ['@bad:example.com'] +spam_checker: {{ matrix_synapse_spam_checker|to_json }} + + +## Rooms ## + +# Controls whether locally-created rooms should be end-to-end encrypted by +# default. +# +# Possible options are "all", "invite", and "off". They are defined as: +# +# * "all": any locally-created room +# * "invite": any room created with the "private_chat" or "trusted_private_chat" +# room creation presets +# * "off": this option will take no effect +# +# The default value is "off". +# +# Note that this option will only affect rooms created after it is set. It +# will also not affect rooms created by other servers. +# +#encryption_enabled_by_default_for_room_type: invite + + +# Uncomment to allow non-server-admin users to create groups on this server +# +enable_group_creation: {{ matrix_synapse_enable_group_creation|to_json }} + +# If enabled, non server admins can only create groups with local parts +# starting with this prefix +# +#group_creation_prefix: "unofficial_" + + + +# User Directory configuration +# +# 'enabled' defines whether users can search the user directory. If +# false then empty responses are returned to all queries. Defaults to +# true. +# +# 'search_all_users' defines whether to search all users visible to your HS +# when searching the user directory, rather than limiting to users visible +# in public rooms. Defaults to false. If you set it True, you'll have to +# rebuild the user_directory search indexes, see +# https://github.com/matrix-org/synapse/blob/master/docs/user_directory.md +# +#user_directory: +# enabled: true +# search_all_users: false + + +# User Consent configuration +# +# for detailed instructions, see +# https://github.com/matrix-org/synapse/blob/master/docs/consent_tracking.md +# +# Parts of this section are required if enabling the 'consent' resource under +# 'listeners', in particular 'template_dir' and 'version'. +# +# 'template_dir' gives the location of the templates for the HTML forms. +# This directory should contain one subdirectory per language (eg, 'en', 'fr'), +# and each language directory should contain the policy document (named as +# '.html') and a success page (success.html). +# +# 'version' specifies the 'current' version of the policy document. It defines +# the version to be served by the consent resource if there is no 'v' +# parameter. +# +# 'server_notice_content', if enabled, will send a user a "Server Notice" +# asking them to consent to the privacy policy. The 'server_notices' section +# must also be configured for this to work. Notices will *not* be sent to +# guest users unless 'send_server_notice_to_guests' is set to true. +# +# 'block_events_error', if set, will block any attempts to send events +# until the user consents to the privacy policy. The value of the setting is +# used as the text of the error. +# +# 'require_at_registration', if enabled, will add a step to the registration +# process, similar to how captcha works. Users will be required to accept the +# policy before their account is created. +# +# 'policy_name' is the display name of the policy users will see when registering +# for an account. Has no effect unless `require_at_registration` is enabled. +# Defaults to "Privacy Policy". +# +#user_consent: +# template_dir: res/templates/privacy +# version: 1.0 +# server_notice_content: +# msgtype: m.text +# body: >- +# To continue using this homeserver you must review and agree to the +# terms and conditions at %(consent_uri)s +# send_server_notice_to_guests: True +# block_events_error: >- +# To continue using this homeserver you must review and agree to the +# terms and conditions at %(consent_uri)s +# require_at_registration: False +# policy_name: Privacy Policy +# + + + +# Local statistics collection. Used in populating the room directory. +# +# 'bucket_size' controls how large each statistics timeslice is. It can +# be defined in a human readable short form -- e.g. "1d", "1y". +# +# 'retention' controls how long historical statistics will be kept for. +# It can be defined in a human readable short form -- e.g. "1d", "1y". +# +# +#stats: +# enabled: true +# bucket_size: 1d +# retention: 1y + + +# Server Notices room configuration +# +# Uncomment this section to enable a room which can be used to send notices +# from the server to users. It is a special room which cannot be left; notices +# come from a special "notices" user id. +# +# If you uncomment this section, you *must* define the system_mxid_localpart +# setting, which defines the id of the user which will be used to send the +# notices. +# +# It's also possible to override the room name, the display name of the +# "notices" user, and the avatar for the user. +# +#server_notices: +# system_mxid_localpart: notices +# system_mxid_display_name: "Server Notices" +# system_mxid_avatar_url: "mxc://server.com/oumMVlgDnLYFaPVkExemNVVZ" +# room_name: "Server Notices" + + + +# Uncomment to disable searching the public room list. When disabled +# blocks searching local and remote room lists for local and remote +# users by always returning an empty list for all queries. +# +#enable_room_list_search: false + +enable_room_list_search: {{ matrix_synapse_enable_room_list_search|to_json }} + +# The `alias_creation` option controls who's allowed to create aliases +# on this server. +# +# The format of this option is a list of rules that contain globs that +# match against user_id, room_id and the new alias (fully qualified with +# server name). The action in the first rule that matches is taken, +# which can currently either be "allow" or "deny". +# +# Missing user_id/room_id/alias fields default to "*". +# +# If no rules match the request is denied. An empty list means no one +# can create aliases. +# +# Options for the rules include: +# +# user_id: Matches against the creator of the alias +# alias: Matches against the alias being created +# room_id: Matches against the room ID the alias is being pointed at +# action: Whether to "allow" or "deny" the request if the rule matches +# +# The default is: +# +#alias_creation_rules: +# - user_id: "*" +# alias: "*" +# room_id: "*" +# action: allow + +alias_creation_rules: {{ matrix_synapse_alias_creation_rules|to_json }} + +# The `room_list_publication_rules` option controls who can publish and +# which rooms can be published in the public room list. +# +# The format of this option is the same as that for +# `alias_creation_rules`. +# +# If the room has one or more aliases associated with it, only one of +# the aliases needs to match the alias rule. If there are no aliases +# then only rules with `alias: *` match. +# +# If no rules match the request is denied. An empty list means no one +# can publish rooms. +# +# Options for the rules include: +# +# user_id: Matches against the creator of the alias +# room_id: Matches against the room ID being published +# alias: Matches against any current local or canonical aliases +# associated with the room +# action: Whether to "allow" or "deny" the request if the rule matches +# +# The default is: +# +#room_list_publication_rules: +# - user_id: "*" +# alias: "*" +# room_id: "*" +# action: allow + +room_list_publication_rules: {{ matrix_synapse_room_list_publication_rules|to_json }} + + +# Server admins can define a Python module that implements extra rules for +# allowing or denying incoming events. In order to work, this module needs to +# override the methods defined in synapse/events/third_party_rules.py. +# +# This feature is designed to be used in closed federations only, where each +# participating server enforces the same rules. +# +#third_party_event_rules: +# module: "my_custom_project.SuperRulesSet" +# config: +# example_option: 'things' + + +## Opentracing ## + +# These settings enable opentracing, which implements distributed tracing. +# This allows you to observe the causal chains of events across servers +# including requests, key lookups etc., across any server running +# synapse or any other other services which supports opentracing +# (specifically those implemented with Jaeger). +# +opentracing: + # tracing is disabled by default. Uncomment the following line to enable it. + # + #enabled: true + + # The list of homeservers we wish to send and receive span contexts and span baggage. + # See docs/opentracing.rst + # This is a list of regexes which are matched against the server_name of the + # homeserver. + # + # By default, it is empty, so no servers are matched. + # + #homeserver_whitelist: + # - ".*" + + # Jaeger can be configured to sample traces at different rates. + # All configuration options provided by Jaeger can be set here. + # Jaeger's configuration mostly related to trace sampling which + # is documented here: + # https://www.jaegertracing.io/docs/1.13/sampling/. + # + #jaeger_config: + # sampler: + # type: const + # param: 1 + + # Logging whether spans were started and reported + # + # logging: + # false + + +## Workers ## + +# Disables sending of outbound federation transactions on the main process. +# Uncomment if using a federation sender worker. +# +#send_federation: false + +# It is possible to run multiple federation sender workers, in which case the +# work is balanced across them. +# +# This configuration must be shared between all federation sender workers, and if +# changed all federation sender workers must be stopped at the same time and then +# started, to ensure that all instances are running with the same config (otherwise +# events may be dropped). +# +#federation_sender_instances: +# - federation_sender1 + +# When using workers this should be a map from `worker_name` to the +# HTTP replication listener of the worker, if configured. +# +#instance_map: +# worker1: +# host: localhost +# port: 8034 + +# Experimental: When using workers you can define which workers should +# handle event persistence and typing notifications. Any worker +# specified here must also be in the `instance_map`. +# +#stream_writers: +# events: worker1 +# typing: worker1 + +# The worker that is used to run background tasks (e.g. cleaning up expired +# data). If not provided this defaults to the main process. +# +#run_background_tasks_on: worker1 + +# A shared secret used by the replication APIs to authenticate HTTP requests +# from workers. +# +# By default this is unused and traffic is not authenticated. +# +#worker_replication_secret: "" + + +# Configuration for Redis when using workers. This *must* be enabled when +# using workers (unless using old style direct TCP configuration). +# +redis: + # Uncomment the below to enable Redis support. + # + #enabled: true + + # Optional host and port to use to connect to redis. Defaults to + # localhost and 6379 + # + #host: localhost + #port: 6379 + + # Optional password if configured on the Redis instance + # + #password: + +# vim:ft=yaml diff --git a/roles/matrix-dendrite/templates/dendrite/systemd/matrix-dendrite.service.j2 b/roles/matrix-dendrite/templates/dendrite/systemd/matrix-dendrite.service.j2 new file mode 100644 index 00000000..66a7c1f8 --- /dev/null +++ b/roles/matrix-dendrite/templates/dendrite/systemd/matrix-dendrite.service.j2 @@ -0,0 +1,58 @@ +#jinja2: lstrip_blocks: "True" +[Unit] +Description=Dendrite server +{% for service in matrix_dendrite_systemd_required_services_list %} +Requires={{ service }} +After={{ service }} +{% endfor %} +{% for service in matrix_dendrite_systemd_wanted_services_list %} +Wants={{ service }} +{% endfor %} +DefaultDependencies=no + +[Service] +Type=simple +Environment="HOME={{ matrix_systemd_unit_home_path }}" +ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-dendrite +ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-dendrite +{% if matrix_s3_media_store_enabled %} +# Allow for some time before starting, so that media store can mount. +# Mounting can happen later too, but if we start writing, +# we'd write files to the local filesystem and fusermount will complain. +ExecStartPre={{ matrix_host_command_sleep }} 3 +{% endif %} + +ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-dendrite \ + --log-driver=none \ + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + --cap-drop=ALL \ + --read-only \ + --tmpfs=/tmp:rw,noexec,nosuid,size={{ matrix_dendrite_tmp_directory_size_mb }}m \ + --network={{ matrix_docker_network }} \ + {% if matrix_dendrite_container_client_api_host_bind_port %} + -p {{ matrix_dendrite_container_client_api_host_bind_port }}:8008 \ + {% endif %} + {% if matrix_dendrite_container_federation_api_tls_host_bind_port %} + -p {{ matrix_dendrite_container_federation_api_tls_host_bind_port }}:8448 \ + {% endif %} + --mount type=bind,src={{ matrix_dendrite_config_dir_path }},dst=/data,ro \ + --mount type=bind,src={{ matrix_dendrite_storage_path }},dst=/matrix-media-store-parent,bind-propagation=slave \ + --mount type=bind,src={{ matrix_dendrite_log_path }},dst=/var/log/dendrite,bind-propagation=slave \ + {% for volume in matrix_dendrite_container_additional_volumes %} + -v {{ volume.src }}:{{ volume.dst }}:{{ volume.options }} \ + {% endfor %} + {% for arg in matrix_dendrite_container_extra_arguments %} + {{ arg }} \ + {% endfor %} + {{ matrix_dendrite_docker_image }} \ + --config /data/dendrite.yaml + +ExecStop=-{{ matrix_host_command_docker }} kill matrix-dendrite +ExecStop=-{{ matrix_host_command_docker }} rm matrix-dendrite +ExecReload={{ matrix_host_command_docker }} exec matrix-dendrite kill -HUP 1 +Restart=always +RestartSec=30 +SyslogIdentifier=matrix-dendrite + +[Install] +WantedBy=multi-user.target diff --git a/roles/matrix-dendrite/templates/dendrite/usr-local-bin/matrix-dendrite-create-account.j2 b/roles/matrix-dendrite/templates/dendrite/usr-local-bin/matrix-dendrite-create-account.j2 new file mode 100644 index 00000000..ebacb681 --- /dev/null +++ b/roles/matrix-dendrite/templates/dendrite/usr-local-bin/matrix-dendrite-create-account.j2 @@ -0,0 +1,12 @@ +#jinja2: lstrip_blocks: "True" +#!/bin/bash + +if [ $# -ne 2 ]; then + echo "Usage: "$0" " + exit 1 +fi + +user=$1 +password=$2 + +docker exec matrix-dendrite create-account --config /data/dendrite.yaml --user "$user" --password "$password" diff --git a/roles/matrix-dendrite/templates/goofys/env-goofys.j2 b/roles/matrix-dendrite/templates/goofys/env-goofys.j2 new file mode 100644 index 00000000..2955efdd --- /dev/null +++ b/roles/matrix-dendrite/templates/goofys/env-goofys.j2 @@ -0,0 +1,3 @@ +#jinja2: lstrip_blocks: "True" +AWS_ACCESS_KEY={{ matrix_s3_media_store_aws_access_key }} +AWS_SECRET_KEY={{ matrix_s3_media_store_aws_secret_key }} diff --git a/roles/matrix-dendrite/templates/goofys/systemd/matrix-goofys.service.j2 b/roles/matrix-dendrite/templates/goofys/systemd/matrix-goofys.service.j2 new file mode 100644 index 00000000..44ec3d4a --- /dev/null +++ b/roles/matrix-dendrite/templates/goofys/systemd/matrix-goofys.service.j2 @@ -0,0 +1,39 @@ +#jinja2: lstrip_blocks: "True" +[Unit] +Description=Matrix Goofys media store +After=docker.service +Requires=docker.service +DefaultDependencies=no + +[Service] +Type=simple +Environment="HOME={{ matrix_systemd_unit_home_path }}" +ExecStartPre=-{{ matrix_host_command_docker }} kill %n +ExecStartPre=-{{ matrix_host_command_docker }} rm %n + +ExecStart={{ matrix_host_command_docker }} run --rm --name %n \ + --log-driver=none \ + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + --mount type=bind,src=/etc/passwd,dst=/etc/passwd,ro \ + --mount type=bind,src=/etc/group,dst=/etc/group,ro \ + --mount type=bind,src={{ matrix_dendrite_media_store_path }},dst=/s3,bind-propagation=shared \ + --security-opt apparmor:unconfined \ + --cap-add mknod \ + --cap-add sys_admin \ + --device=/dev/fuse \ + --env-file={{ matrix_dendrite_config_dir_path }}/env-goofys \ + --entrypoint /bin/sh \ + {{ matrix_s3_goofys_docker_image }} \ + -c 'goofys -f{% if not matrix_s3_media_store_custom_endpoint_enabled %} --storage-class=STANDARD_IA{% endif %}{% if matrix_s3_media_store_custom_endpoint_enabled %} --endpoint={{ matrix_s3_media_store_custom_endpoint }}{% endif %} --region {{ matrix_s3_media_store_region }} --stat-cache-ttl 60m0s --type-cache-ttl 60m0s --dir-mode 0700 --file-mode 0700 {{ matrix_s3_media_store_bucket_name }} /s3' + +TimeoutStartSec=5min +ExecStop=-{{ matrix_host_command_docker }} stop %n +ExecStop=-{{ matrix_host_command_docker }} kill %n +ExecStop=-{{ matrix_host_command_docker }} rm %n +ExecStop=-{{ matrix_host_command_fusermount }} -u {{ matrix_dendrite_media_store_path }} +Restart=always +RestartSec=5 +SyslogIdentifier=matrix-goofys + +[Install] +WantedBy=multi-user.target diff --git a/roles/matrix-dendrite/vars/main.yml b/roles/matrix-dendrite/vars/main.yml new file mode 100644 index 00000000..60d5f4eb --- /dev/null +++ b/roles/matrix-dendrite/vars/main.yml @@ -0,0 +1,11 @@ +--- +matrix_dendrite_client_api_url_endpoint_public: "https://{{ matrix_server_fqn_matrix }}/_matrix/client/versions" +matrix_dendrite_federation_api_url_endpoint_public: "https://{{ matrix_server_fqn_matrix }}:{{ matrix_federation_public_port }}/_matrix/federation/v1/version" + +# Tells whether this role had executed or not. Toggled to `true` during runtime. +matrix_dendrite_role_executed: false + +matrix_dendrite_media_store_parent_path: "{{ matrix_dendrite_media_store_path|dirname }}" +matrix_dendrite_media_store_directory_name: "{{ matrix_dendrite_media_store_path|basename }}" + +matrix_dendrite_signing_key_file_name: "{{ matrix_dendrite_signing_key|basename }}" diff --git a/setup.yml b/setup.yml index 54e6c408..aa1ea68b 100755 --- a/setup.yml +++ b/setup.yml @@ -41,6 +41,7 @@ - matrix-bot-go-neb - matrix-bot-mjolnir - matrix-synapse + - matrix-dendrite - matrix-synapse-admin - matrix-prometheus-node-exporter - matrix-prometheus From fc62537fcfd119c1bee509dc54775f5a3e8e1feb Mon Sep 17 00:00:00 2001 From: Aaron Raimist Date: Sun, 31 Jan 2021 01:25:50 -0600 Subject: [PATCH 121/202] Remove Synapse and Goofys stuff --- roles/matrix-dendrite/defaults/main.yml | 10 - roles/matrix-dendrite/tasks/goofys/setup.yml | 7 - .../tasks/goofys/setup_install.yml | 41 - .../tasks/goofys/setup_uninstall.yml | 33 - .../tasks/import_media_store.yml | 81 - roles/matrix-dendrite/tasks/main.yml | 5 - .../matrix-dendrite/tasks/setup_dendrite.yml | 2 - .../templates/dendrite/homeserver.yaml.j2 | 2682 ----------------- .../templates/goofys/env-goofys.j2 | 3 - .../goofys/systemd/matrix-goofys.service.j2 | 39 - 10 files changed, 2903 deletions(-) delete mode 100644 roles/matrix-dendrite/tasks/goofys/setup.yml delete mode 100644 roles/matrix-dendrite/tasks/goofys/setup_install.yml delete mode 100644 roles/matrix-dendrite/tasks/goofys/setup_uninstall.yml delete mode 100644 roles/matrix-dendrite/tasks/import_media_store.yml delete mode 100644 roles/matrix-dendrite/templates/dendrite/homeserver.yaml.j2 delete mode 100644 roles/matrix-dendrite/templates/goofys/env-goofys.j2 delete mode 100644 roles/matrix-dendrite/templates/goofys/systemd/matrix-goofys.service.j2 diff --git a/roles/matrix-dendrite/defaults/main.yml b/roles/matrix-dendrite/defaults/main.yml index 78bc9bb8..d231553e 100644 --- a/roles/matrix-dendrite/defaults/main.yml +++ b/roles/matrix-dendrite/defaults/main.yml @@ -110,16 +110,6 @@ matrix_dendrite_turn_uris: [] matrix_dendrite_turn_shared_secret: "" matrix_dendrite_turn_allow_guests: False -matrix_s3_media_store_enabled: false -matrix_s3_media_store_custom_endpoint_enabled: false -matrix_s3_goofys_docker_image: "ewoutp/goofys:latest" -matrix_s3_goofys_docker_image_force_pull: "{{ matrix_s3_goofys_docker_image.endswith(':latest') }}" -matrix_s3_media_store_custom_endpoint: "your-custom-endpoint" -matrix_s3_media_store_bucket_name: "your-bucket-name" -matrix_s3_media_store_aws_access_key: "your-aws-access-key" -matrix_s3_media_store_aws_secret_key: "your-aws-secret-key" -matrix_s3_media_store_region: "eu-central-1" - # Controls whether the self-check feature should validate TLS certificates. matrix_dendrite_disable_tls_validation: false diff --git a/roles/matrix-dendrite/tasks/goofys/setup.yml b/roles/matrix-dendrite/tasks/goofys/setup.yml deleted file mode 100644 index 6370408d..00000000 --- a/roles/matrix-dendrite/tasks/goofys/setup.yml +++ /dev/null @@ -1,7 +0,0 @@ ---- - -- import_tasks: "{{ role_path }}/tasks/goofys/setup_install.yml" - when: matrix_s3_media_store_enabled|bool - -- import_tasks: "{{ role_path }}/tasks/goofys/setup_uninstall.yml" - when: "not matrix_s3_media_store_enabled|bool" diff --git a/roles/matrix-dendrite/tasks/goofys/setup_install.yml b/roles/matrix-dendrite/tasks/goofys/setup_install.yml deleted file mode 100644 index 4917440b..00000000 --- a/roles/matrix-dendrite/tasks/goofys/setup_install.yml +++ /dev/null @@ -1,41 +0,0 @@ -- name: Ensure Goofys Docker image is pulled - docker_image: - name: "{{ matrix_s3_goofys_docker_image }}" - source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" - force_source: "{{ matrix_s3_goofys_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" - force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_s3_goofys_docker_image_force_pull }}" - -# This will throw a Permission Denied error if already mounted -- name: Check Matrix Goofys external storage mountpoint path - stat: - path: "{{ matrix_dendrite_media_store_path }}" - register: local_path_matrix_dendrite_media_store_path_stat - ignore_errors: yes - -- name: Ensure Matrix Goofys external storage mountpoint exists - file: - path: "{{ matrix_dendrite_media_store_path if matrix_dendrite_enabled else matrix_dendrite_media_store_path }}" - state: directory - mode: 0750 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - when: "not local_path_matrix_dendrite_media_store_path_stat.failed and not local_path_matrix_dendrite_media_store_path_stat.stat.exists" - -- name: Ensure goofys environment variables file created - template: - src: "{{ role_path }}/templates/goofys/env-goofys.j2" - dest: "{{ matrix_dendrite_config_dir_path }}/env-goofys" - owner: root - mode: 0600 - -- name: Ensure matrix-goofys.service installed - template: - src: "{{ role_path }}/templates/goofys/systemd/matrix-goofys.service.j2" - dest: "{{ matrix_systemd_path }}/matrix-goofys.service" - mode: 0644 - register: matrix_goofys_systemd_service_result - -- name: Ensure systemd reloaded after matrix-goofys.service installation - service: - daemon_reload: yes - when: "matrix_goofys_systemd_service_result.changed" diff --git a/roles/matrix-dendrite/tasks/goofys/setup_uninstall.yml b/roles/matrix-dendrite/tasks/goofys/setup_uninstall.yml deleted file mode 100644 index b7f972ad..00000000 --- a/roles/matrix-dendrite/tasks/goofys/setup_uninstall.yml +++ /dev/null @@ -1,33 +0,0 @@ -- name: Check existence of matrix-goofys service - stat: - path: "{{ matrix_systemd_path }}/matrix-goofys.service" - register: matrix_goofys_service_stat - -- name: Ensure matrix-goofys is stopped - service: - name: matrix-goofys - state: stopped - daemon_reload: yes - register: stopping_result - when: "matrix_goofys_service_stat.stat.exists" - -- name: Ensure matrix-goofys.service doesn't exist - file: - path: "{{ matrix_systemd_path }}/matrix-goofys.service" - state: absent - when: "matrix_goofys_service_stat.stat.exists" - -- name: Ensure systemd reloaded after matrix-goofys.service removal - service: - daemon_reload: yes - when: "matrix_goofys_service_stat.stat.exists" - -- name: Ensure goofys environment variables file doesn't exist - file: - path: "{{ matrix_dendrite_config_dir_path }}/env-goofys" - state: absent - -- name: Ensure Goofys Docker image doesn't exist - docker_image: - name: "{{ matrix_s3_goofys_docker_image }}" - state: absent diff --git a/roles/matrix-dendrite/tasks/import_media_store.yml b/roles/matrix-dendrite/tasks/import_media_store.yml deleted file mode 100644 index 9eaa6c0c..00000000 --- a/roles/matrix-dendrite/tasks/import_media_store.yml +++ /dev/null @@ -1,81 +0,0 @@ ---- -# Pre-checks - -- name: Fail if playbook called incorrectly - fail: - msg: "The `server_path_media_store` variable needs to be provided to this playbook, via --extra-vars" - when: "server_path_media_store is not defined or server_path_media_store.startswith('<')" - -- name: Fail if media store is on Amazon S3 - fail: - msg: "Your media store is on Amazon S3. Due to technical limitations, restoring is not supported." - when: matrix_s3_media_store_enabled|bool - -- name: Check if the provided media store directory exists - stat: - path: "{{ server_path_media_store }}" - register: server_path_media_store_stat - -- name: Fail if provided media store directory doesn't exist on the server - fail: - msg: "{{ server_path_media_store }} cannot be found on the server" - when: "not server_path_media_store_stat.stat.exists or not server_path_media_store_stat.stat.isdir" - -- name: Check if media store contains local_content - stat: - path: "{{ server_path_media_store }}/local_content" - register: server_path_media_store_local_content_stat - -- name: Check if media store contains remote_content - stat: - path: "{{ server_path_media_store }}/remote_content" - register: server_path_media_store_remote_content_stat - -- name: Fail if media store directory doesn't look okay (lacking remote and local content) - fail: - msg: "{{ server_path_media_store }} contains neither local_content nor remote_content directories. It's most likely a mistake and is not a media store directory." - when: "not server_path_media_store_local_content_stat.stat.exists and not server_path_media_store_remote_content_stat.stat.exists" - -# Actual import work - -- name: Ensure matrix-dendrite is stopped - service: - name: matrix-dendrite - state: stopped - daemon_reload: yes - register: stopping_result - -# This can only work with local files, not if the media store is on Amazon S3, -# as it won't be accessible in such a case. -- name: Ensure provided media store directory is synchronized - synchronize: - src: "{{ server_path_media_store }}/" - dest: "{{ matrix_dendrite_media_store_path }}" - delete: yes - # It's wasteful to preserve owner/group now. We chown below anyway. - owner: no - group: no - times: yes - delegate_to: "{{ inventory_hostname }}" - -# This is for the generic case and fails in other cases (remote file systems), -# because in such cases the base path (matrix_dendrite_media_store_path) is a mount point. -- name: Ensure media store permissions are correct (generic case) - file: - path: "{{ matrix_dendrite_media_store_path }}" - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - recurse: yes - when: "not matrix_s3_media_store_enabled|bool" - -# We don't chown for Goofys, because due to the way it's mounted, -# all files become owned by whoever needs to own them. - -- name: Ensure Dendrite is started (if it previously was) - service: - name: "{{ item }}" - state: started - daemon_reload: yes - when: "stopping_result.changed" - with_items: - - matrix-dendrite diff --git a/roles/matrix-dendrite/tasks/main.yml b/roles/matrix-dendrite/tasks/main.yml index a5237442..6c25f190 100644 --- a/roles/matrix-dendrite/tasks/main.yml +++ b/roles/matrix-dendrite/tasks/main.yml @@ -14,11 +14,6 @@ - setup-all - setup-dendrite -- import_tasks: "{{ role_path }}/tasks/import_media_store.yml" - when: run_dendrite_import_media_store|bool - tags: - - import-dendrite-media-store - - import_tasks: "{{ role_path }}/tasks/register_user.yml" when: run_dendrite_register_user|bool tags: diff --git a/roles/matrix-dendrite/tasks/setup_dendrite.yml b/roles/matrix-dendrite/tasks/setup_dendrite.yml index 920ca184..9fa8f566 100644 --- a/roles/matrix-dendrite/tasks/setup_dendrite.yml +++ b/roles/matrix-dendrite/tasks/setup_dendrite.yml @@ -15,5 +15,3 @@ when: "(matrix_dendrite_enabled|bool or matrix_s3_media_store_enabled|bool) and item.when" - import_tasks: "{{ role_path }}/tasks/dendrite/setup.yml" - -- import_tasks: "{{ role_path }}/tasks/goofys/setup.yml" diff --git a/roles/matrix-dendrite/templates/dendrite/homeserver.yaml.j2 b/roles/matrix-dendrite/templates/dendrite/homeserver.yaml.j2 deleted file mode 100644 index fe28779c..00000000 --- a/roles/matrix-dendrite/templates/dendrite/homeserver.yaml.j2 +++ /dev/null @@ -1,2682 +0,0 @@ -#jinja2: lstrip_blocks: "True" -# Configuration file for Synapse. -# -# This is a YAML file: see [1] for a quick introduction. Note in particular -# that *indentation is important*: all the elements of a list or dictionary -# should have the same indentation. -# -# [1] https://docs.ansible.com/ansible/latest/reference_appendices/YAMLSyntax.html - -## Server ## - -# The public-facing domain of the server -# -# The server_name name will appear at the end of usernames and room addresses -# created on this server. For example if the server_name was example.com, -# usernames on this server would be in the format @user:example.com -# -# In most cases you should avoid using a matrix specific subdomain such as -# matrix.example.com or synapse.example.com as the server_name for the same -# reasons you wouldn't use user@email.example.com as your email address. -# See https://github.com/matrix-org/synapse/blob/master/docs/delegate.md -# for information on how to host Synapse on a subdomain while preserving -# a clean server_name. -# -# The server_name cannot be changed later so it is important to -# configure this correctly before you start Synapse. It should be all -# lowercase and may contain an explicit port. -# Examples: matrix.org, localhost:8080 -# -server_name: "{{ matrix_domain }}" - -# When running as a daemon, the file to store the pid in -# -pid_file: /homeserver.pid - -# The absolute URL to the web client which /_matrix/client will redirect -# to if 'webclient' is configured under the 'listeners' configuration. -# -# This option can be also set to the filesystem path to the web client -# which will be served at /_matrix/client/ if 'webclient' is configured -# under the 'listeners' configuration, however this is a security risk: -# https://github.com/matrix-org/synapse#security-note -# -#web_client_location: https://riot.example.com/ - -# The public-facing base URL that clients use to access this HS -# (not including _matrix/...). This is the same URL a user would -# enter into the 'custom HS URL' field on their client. If you -# use synapse with a reverse proxy, this should be the URL to reach -# synapse via the proxy. -# -public_baseurl: https://{{ matrix_server_fqn_matrix }}/ - -# Set the soft limit on the number of file descriptors synapse can use -# Zero is used to indicate synapse should set the soft limit to the -# hard limit. -# -#soft_file_limit: 0 - -# Set to false to disable presence tracking on this homeserver. -# -use_presence: {{ matrix_synapse_use_presence|to_json }} - -# Whether to require authentication to retrieve profile data (avatars, -# display names) of other users through the client API. Defaults to -# 'false'. Note that profile data is also available via the federation -# API, so this setting is of limited value if federation is enabled on -# the server. -# -#require_auth_for_profile_requests: true - -# Uncomment to require a user to share a room with another user in order -# to retrieve their profile information. Only checked on Client-Server -# requests. Profile requests from other servers should be checked by the -# requesting server. Defaults to 'false'. -# -#limit_profile_requests_to_users_who_share_rooms: true - -# If set to 'true', removes the need for authentication to access the server's -# public rooms directory through the client API, meaning that anyone can -# query the room directory. Defaults to 'false'. -# -allow_public_rooms_without_auth: {{ matrix_synapse_allow_public_rooms_without_auth|to_json }} - -# If set to 'true', allows any other homeserver to fetch the server's public -# rooms directory via federation. Defaults to 'false'. -# -allow_public_rooms_over_federation: {{ matrix_synapse_allow_public_rooms_over_federation|to_json }} - -# The default room version for newly created rooms. -# -# Known room versions are listed here: -# https://matrix.org/docs/spec/#complete-list-of-room-versions -# -# For example, for room version 1, default_room_version should be set -# to "1". -# -default_room_version: {{ matrix_synapse_default_room_version|to_json }} - -# The GC threshold parameters to pass to `gc.set_threshold`, if defined -# -#gc_thresholds: [700, 10, 10] - -# Set the limit on the returned events in the timeline in the get -# and sync operations. The default value is 100. -1 means no upper limit. -# -# Uncomment the following to increase the limit to 5000. -# -#filter_timeline_limit: 5000 - -# Whether room invites to users on this server should be blocked -# (except those sent by local server admins). The default is False. -# -#block_non_admin_invites: True - -# Room searching -# -# If disabled, new messages will not be indexed for searching and users -# will receive errors when searching for messages. Defaults to enabled. -# -#enable_search: false - -# Prevent outgoing requests from being sent to the following blacklisted IP address -# CIDR ranges. If this option is not specified then it defaults to private IP -# address ranges (see the example below). -# -# The blacklist applies to the outbound requests for federation, identity servers, -# push servers, and for checking key validity for third-party invite events. -# -# (0.0.0.0 and :: are always blacklisted, whether or not they are explicitly -# listed here, since they correspond to unroutable addresses.) -# -# This option replaces federation_ip_range_blacklist in Synapse v1.25.0. -# -#ip_range_blacklist: -# - '127.0.0.0/8' -# - '10.0.0.0/8' -# - '172.16.0.0/12' -# - '192.168.0.0/16' -# - '100.64.0.0/10' -# - '192.0.0.0/24' -# - '169.254.0.0/16' -# - '198.18.0.0/15' -# - '192.0.2.0/24' -# - '198.51.100.0/24' -# - '203.0.113.0/24' -# - '224.0.0.0/4' -# - '::1/128' -# - 'fe80::/10' -# - 'fc00::/7' - -# List of IP address CIDR ranges that should be allowed for federation, -# identity servers, push servers, and for checking key validity for -# third-party invite events. This is useful for specifying exceptions to -# wide-ranging blacklisted target IP ranges - e.g. for communication with -# a push server only visible in your network. -# -# This whitelist overrides ip_range_blacklist and defaults to an empty -# list. -# -#ip_range_whitelist: -# - '192.168.1.1' - -# List of ports that Synapse should listen on, their purpose and their -# configuration. -# -# Options for each listener include: -# -# port: the TCP port to bind to -# -# bind_addresses: a list of local addresses to listen on. The default is -# 'all local interfaces'. -# -# type: the type of listener. Normally 'http', but other valid options are: -# 'manhole' (see docs/manhole.md), -# 'metrics' (see docs/metrics-howto.md), -# 'replication' (see docs/workers.md). -# -# tls: set to true to enable TLS for this listener. Will use the TLS -# key/cert specified in tls_private_key_path / tls_certificate_path. -# -# x_forwarded: Only valid for an 'http' listener. Set to true to use the -# X-Forwarded-For header as the client IP. Useful when Synapse is -# behind a reverse-proxy. -# -# resources: Only valid for an 'http' listener. A list of resources to host -# on this port. Options for each resource are: -# -# names: a list of names of HTTP resources. See below for a list of -# valid resource names. -# -# compress: set to true to enable HTTP compression for this resource. -# -# additional_resources: Only valid for an 'http' listener. A map of -# additional endpoints which should be loaded via dynamic modules. -# -# Valid resource names are: -# -# client: the client-server API (/_matrix/client), and the synapse admin -# API (/_synapse/admin). Also implies 'media' and 'static'. -# -# consent: user consent forms (/_matrix/consent). See -# docs/consent_tracking.md. -# -# federation: the server-server API (/_matrix/federation). Also implies -# 'media', 'keys', 'openid' -# -# keys: the key discovery API (/_matrix/keys). -# -# media: the media API (/_matrix/media). -# -# metrics: the metrics interface. See docs/metrics-howto.md. -# -# openid: OpenID authentication. -# -# replication: the HTTP replication API (/_synapse/replication). See -# docs/workers.md. -# -# static: static resources under synapse/static (/_matrix/static). (Mostly -# useful for 'fallback authentication'.) -# -# webclient: A web client. Requires web_client_location to be set. -# -listeners: -{% if matrix_synapse_metrics_enabled %} - - type: metrics - port: {{ matrix_synapse_metrics_port }} - bind_addresses: - - '0.0.0.0' -{% endif %} - -{% if matrix_synapse_federation_port_enabled and matrix_synapse_tls_federation_listener_enabled %} - # TLS-enabled listener: for when matrix traffic is sent directly to synapse. - - port: 8448 - tls: true - bind_addresses: ['::'] - type: http - x_forwarded: false - - resources: - - names: {{ matrix_synapse_federation_listener_resource_names|to_json }} - compress: false -{% endif %} - - # Unsecure HTTP listener (Client API): for when matrix traffic passes through a reverse proxy - # that unwraps TLS. - - port: 8008 - tls: false - bind_addresses: ['::'] - type: http - x_forwarded: true - - resources: - - names: {{ matrix_synapse_http_listener_resource_names|to_json }} - compress: false - -{% if matrix_synapse_federation_port_enabled %} - # Unsecure HTTP listener (Federation API): for when matrix traffic passes through a reverse proxy - # that unwraps TLS. - - port: 8048 - tls: false - bind_addresses: ['::'] - type: http - x_forwarded: true - - resources: - - names: {{ matrix_synapse_federation_listener_resource_names|to_json }} - compress: false -{% endif %} - -{% if matrix_synapse_manhole_enabled %} - # Turn on the twisted ssh manhole service on localhost on the given - # port. - - port: 9000 - bind_addresses: ['0.0.0.0'] - type: manhole -{% endif %} - - -# Forward extremities can build up in a room due to networking delays between -# homeservers. Once this happens in a large room, calculation of the state of -# that room can become quite expensive. To mitigate this, once the number of -# forward extremities reaches a given threshold, Synapse will send an -# org.matrix.dummy_event event, which will reduce the forward extremities -# in the room. -# -# This setting defines the threshold (i.e. number of forward extremities in the -# room) at which dummy events are sent. The default value is 10. -# -#dummy_events_threshold: 5 - - -## Homeserver blocking ## - -# How to reach the server admin, used in ResourceLimitError -# -#admin_contact: 'mailto:admin@server.com' - -# Global blocking -# -#hs_disabled: False -#hs_disabled_message: 'Human readable reason for why the HS is blocked' -#hs_disabled_limit_type: 'error code(str), to help clients decode reason' - -# Monthly Active User Blocking -# -# Used in cases where the admin or server owner wants to limit to the -# number of monthly active users. -# -# 'limit_usage_by_mau' disables/enables monthly active user blocking. When -# enabled and a limit is reached the server returns a 'ResourceLimitError' -# with error type Codes.RESOURCE_LIMIT_EXCEEDED -# -# 'max_mau_value' is the hard limit of monthly active users above which -# the server will start blocking user actions. -# -# 'mau_trial_days' is a means to add a grace period for active users. It -# means that users must be active for this number of days before they -# can be considered active and guards against the case where lots of users -# sign up in a short space of time never to return after their initial -# session. -# -#limit_usage_by_mau: False -#max_mau_value: 50 -#mau_trial_days: 2 - -# If enabled, the metrics for the number of monthly active users will -# be populated, however no one will be limited. If limit_usage_by_mau -# is true, this is implied to be true. -# -#mau_stats_only: False - -# Sometimes the server admin will want to ensure certain accounts are -# never blocked by mau checking. These accounts are specified here. -# -#mau_limit_reserved_threepids: -# - medium: 'email' -# address: 'reserved_user@example.com' - -# Used by phonehome stats to group together related servers. -#server_context: context - -# Resource-constrained homeserver settings -# -# When this is enabled, the room "complexity" will be checked before a user -# joins a new remote room. If it is above the complexity limit, the server will -# disallow joining, or will instantly leave. -# -# Room complexity is an arbitrary measure based on factors such as the number of -# users in the room. -# -limit_remote_rooms: - # Uncomment to enable room complexity checking. - # - #enabled: true - - # the limit above which rooms cannot be joined. The default is 1.0. - # - #complexity: 0.5 - - # override the error which is returned when the room is too complex. - # - #complexity_error: "This room is too complex." - - # allow server admins to join complex rooms. Default is false. - # - #admins_can_join: true - -# Whether to require a user to be in the room to add an alias to it. -# Defaults to 'true'. -# -#require_membership_for_aliases: false - -# Whether to allow per-room membership profiles through the send of membership -# events with profile information that differ from the target's global profile. -# Defaults to 'true'. -# -#allow_per_room_profiles: false - -# How long to keep redacted events in unredacted form in the database. After -# this period redacted events get replaced with their redacted form in the DB. -# -# Defaults to `7d`. Set to `null` to disable. -# -#redaction_retention_period: 28d - -redaction_retention_period: {{ matrix_synapse_redaction_retention_period }} - -# How long to track users' last seen time and IPs in the database. -# -# Defaults to `28d`. Set to `null` to disable clearing out of old rows. -# -#user_ips_max_age: 14d - -user_ips_max_age: {{ matrix_synapse_user_ips_max_age }} - -# Message retention policy at the server level. -# -# Room admins and mods can define a retention period for their rooms using the -# 'm.room.retention' state event, and server admins can cap this period by setting -# the 'allowed_lifetime_min' and 'allowed_lifetime_max' config options. -# -# If this feature is enabled, Synapse will regularly look for and purge events -# which are older than the room's maximum retention period. Synapse will also -# filter events received over federation so that events that should have been -# purged are ignored and not stored again. -# -retention: - # The message retention policies feature is disabled by default. Uncomment the - # following line to enable it. - # - #enabled: true - - # Default retention policy. If set, Synapse will apply it to rooms that lack the - # 'm.room.retention' state event. Currently, the value of 'min_lifetime' doesn't - # matter much because Synapse doesn't take it into account yet. - # - #default_policy: - # min_lifetime: 1d - # max_lifetime: 1y - - # Retention policy limits. If set, and the state of a room contains a - # 'm.room.retention' event in its state which contains a 'min_lifetime' or a - # 'max_lifetime' that's out of these bounds, Synapse will cap the room's policy - # to these limits when running purge jobs. - # - #allowed_lifetime_min: 1d - #allowed_lifetime_max: 1y - - # Server admins can define the settings of the background jobs purging the - # events which lifetime has expired under the 'purge_jobs' section. - # - # If no configuration is provided, a single job will be set up to delete expired - # events in every room daily. - # - # Each job's configuration defines which range of message lifetimes the job - # takes care of. For example, if 'shortest_max_lifetime' is '2d' and - # 'longest_max_lifetime' is '3d', the job will handle purging expired events in - # rooms whose state defines a 'max_lifetime' that's both higher than 2 days, and - # lower than or equal to 3 days. Both the minimum and the maximum value of a - # range are optional, e.g. a job with no 'shortest_max_lifetime' and a - # 'longest_max_lifetime' of '3d' will handle every room with a retention policy - # which 'max_lifetime' is lower than or equal to three days. - # - # The rationale for this per-job configuration is that some rooms might have a - # retention policy with a low 'max_lifetime', where history needs to be purged - # of outdated messages on a more frequent basis than for the rest of the rooms - # (e.g. every 12h), but not want that purge to be performed by a job that's - # iterating over every room it knows, which could be heavy on the server. - # - # If any purge job is configured, it is strongly recommended to have at least - # a single job with neither 'shortest_max_lifetime' nor 'longest_max_lifetime' - # set, or one job without 'shortest_max_lifetime' and one job without - # 'longest_max_lifetime' set. Otherwise some rooms might be ignored, even if - # 'allowed_lifetime_min' and 'allowed_lifetime_max' are set, because capping a - # room's policy to these values is done after the policies are retrieved from - # Synapse's database (which is done using the range specified in a purge job's - # configuration). - # - #purge_jobs: - # - longest_max_lifetime: 3d - # interval: 12h - # - shortest_max_lifetime: 3d - # interval: 1d - -# Inhibits the /requestToken endpoints from returning an error that might leak -# information about whether an e-mail address is in use or not on this -# homeserver. -# Note that for some endpoints the error situation is the e-mail already being -# used, and for others the error is entering the e-mail being unused. -# If this option is enabled, instead of returning an error, these endpoints will -# act as if no error happened and return a fake session ID ('sid') to clients. -# -#request_token_inhibit_3pid_errors: true - -# A list of domains that the domain portion of 'next_link' parameters -# must match. -# -# This parameter is optionally provided by clients while requesting -# validation of an email or phone number, and maps to a link that -# users will be automatically redirected to after validation -# succeeds. Clients can make use this parameter to aid the validation -# process. -# -# The whitelist is applied whether the homeserver or an -# identity server is handling validation. -# -# The default value is no whitelist functionality; all domains are -# allowed. Setting this value to an empty list will instead disallow -# all domains. -# -#next_link_domain_whitelist: ["matrix.org"] - - -## TLS ## - -# PEM-encoded X509 certificate for TLS. -# This certificate, as of Synapse 1.0, will need to be a valid and verifiable -# certificate, signed by a recognised Certificate Authority. -# -# See 'ACME support' below to enable auto-provisioning this certificate via -# Let's Encrypt. -# -# If supplying your own, be sure to use a `.pem` file that includes the -# full certificate chain including any intermediate certificates (for -# instance, if using certbot, use `fullchain.pem` as your certificate, -# not `cert.pem`). -# -tls_certificate_path: {{ matrix_synapse_tls_certificate_path|to_json }} - -# PEM-encoded private key for TLS -# -tls_private_key_path: {{ matrix_synapse_tls_private_key_path|to_json }} - -# Whether to verify TLS server certificates for outbound federation requests. -# -# Defaults to `true`. To disable certificate verification, uncomment the -# following line. -# -#federation_verify_certificates: false - -# The minimum TLS version that will be used for outbound federation requests. -# -# Defaults to `1`. Configurable to `1`, `1.1`, `1.2`, or `1.3`. Note -# that setting this value higher than `1.2` will prevent federation to most -# of the public Matrix network: only configure it to `1.3` if you have an -# entirely private federation setup and you can ensure TLS 1.3 support. -# -#federation_client_minimum_tls_version: 1.2 - -# Skip federation certificate verification on the following whitelist -# of domains. -# -# This setting should only be used in very specific cases, such as -# federation over Tor hidden services and similar. For private networks -# of homeservers, you likely want to use a private CA instead. -# -# Only effective if federation_verify_certicates is `true`. -# -#federation_certificate_verification_whitelist: -# - lon.example.com -# - *.domain.com -# - *.onion - -# List of custom certificate authorities for federation traffic. -# -# This setting should only normally be used within a private network of -# homeservers. -# -# Note that this list will replace those that are provided by your -# operating environment. Certificates must be in PEM format. -# -#federation_custom_ca_list: -# - myCA1.pem -# - myCA2.pem -# - myCA3.pem - -# ACME support: This will configure Synapse to request a valid TLS certificate -# for your configured `server_name` via Let's Encrypt. -# -# Note that ACME v1 is now deprecated, and Synapse currently doesn't support -# ACME v2. This means that this feature currently won't work with installs set -# up after November 2019. For more info, and alternative solutions, see -# https://github.com/matrix-org/synapse/blob/master/docs/ACME.md#deprecation-of-acme-v1 -# -# Note that provisioning a certificate in this way requires port 80 to be -# routed to Synapse so that it can complete the http-01 ACME challenge. -# By default, if you enable ACME support, Synapse will attempt to listen on -# port 80 for incoming http-01 challenges - however, this will likely fail -# with 'Permission denied' or a similar error. -# -# There are a couple of potential solutions to this: -# -# * If you already have an Apache, Nginx, or similar listening on port 80, -# you can configure Synapse to use an alternate port, and have your web -# server forward the requests. For example, assuming you set 'port: 8009' -# below, on Apache, you would write: -# -# ProxyPass /.well-known/acme-challenge http://localhost:8009/.well-known/acme-challenge -# -# * Alternatively, you can use something like `authbind` to give Synapse -# permission to listen on port 80. -# -acme: - # ACME support is disabled by default. Uncomment the following line - # (and tls_certificate_path and tls_private_key_path above) to enable it. - # - #enabled: true - - # Endpoint to use to request certificates. If you only want to test, - # use Let's Encrypt's staging url: - # https://acme-staging.api.letsencrypt.org/directory - # - #url: https://acme-v01.api.letsencrypt.org/directory - - # Port number to listen on for the HTTP-01 challenge. Change this if - # you are forwarding connections through Apache/Nginx/etc. - # - #port: 80 - - # Local addresses to listen on for incoming connections. - # Again, you may want to change this if you are forwarding connections - # through Apache/Nginx/etc. - # - #bind_addresses: ['::', '0.0.0.0'] - - # How many days remaining on a certificate before it is renewed. - # - #reprovision_threshold: 30 - - # The domain that the certificate should be for. Normally this - # should be the same as your Matrix domain (i.e., 'server_name'), but, - # by putting a file at 'https:///.well-known/matrix/server', - # you can delegate incoming traffic to another server. If you do that, - # you should give the target of the delegation here. - # - # For example: if your 'server_name' is 'example.com', but - # 'https://example.com/.well-known/matrix/server' delegates to - # 'matrix.example.com', you should put 'matrix.example.com' here. - # - # If not set, defaults to your 'server_name'. - # - #domain: matrix.example.com - - # file to use for the account key. This will be generated if it doesn't - # exist. - # - # If unspecified, we will use CONFDIR/client.key. - # - #account_key_file: /data/acme_account.key - -# List of allowed TLS fingerprints for this server to publish along -# with the signing keys for this server. Other matrix servers that -# make HTTPS requests to this server will check that the TLS -# certificates returned by this server match one of the fingerprints. -# -# Synapse automatically adds the fingerprint of its own certificate -# to the list. So if federation traffic is handled directly by synapse -# then no modification to the list is required. -# -# If synapse is run behind a load balancer that handles the TLS then it -# will be necessary to add the fingerprints of the certificates used by -# the loadbalancers to this list if they are different to the one -# synapse is using. -# -# Homeservers are permitted to cache the list of TLS fingerprints -# returned in the key responses up to the "valid_until_ts" returned in -# key. It may be necessary to publish the fingerprints of a new -# certificate and wait until the "valid_until_ts" of the previous key -# responses have passed before deploying it. -# -# You can calculate a fingerprint from a given TLS listener via: -# openssl s_client -connect $host:$port < /dev/null 2> /dev/null | -# openssl x509 -outform DER | openssl sha256 -binary | base64 | tr -d '=' -# or by checking matrix.org/federationtester/api/report?server_name=$host -# -#tls_fingerprints: [{"sha256": ""}] - - -## Federation ## - -# Restrict federation to the following whitelist of domains. -# N.B. we recommend also firewalling your federation listener to limit -# inbound federation traffic as early as possible, rather than relying -# purely on this application-layer restriction. If not specified, the -# default is to whitelist everything. -# -#federation_domain_whitelist: -# - lon.example.com -# - nyc.example.com -# - syd.example.com -{% if matrix_synapse_federation_domain_whitelist is not none %} -{# Cannot use `|to_nice_yaml` here, as an empty list does not get serialized properly by it. #} -federation_domain_whitelist: {{ matrix_synapse_federation_domain_whitelist|to_json }} -{% endif %} - -# Report prometheus metrics on the age of PDUs being sent to and received from -# the following domains. This can be used to give an idea of "delay" on inbound -# and outbound federation, though be aware that any delay can be due to problems -# at either end or with the intermediate network. -# -# By default, no domains are monitored in this way. -# -#federation_metrics_domains: -# - matrix.org -# - example.com - - -## Caching ## - -# Caching can be configured through the following options. -# -# A cache 'factor' is a multiplier that can be applied to each of -# Synapse's caches in order to increase or decrease the maximum -# number of entries that can be stored. - -# The number of events to cache in memory. Not affected by -# caches.global_factor. -# -event_cache_size: "{{ matrix_synapse_event_cache_size }}" - -caches: - # Controls the global cache factor, which is the default cache factor - # for all caches if a specific factor for that cache is not otherwise - # set. - # - # This can also be set by the "SYNAPSE_CACHE_FACTOR" environment - # variable. Setting by environment variable takes priority over - # setting through the config file. - # - # Defaults to 0.5, which will half the size of all caches. - # - global_factor: {{ matrix_synapse_caches_global_factor }} - - # A dictionary of cache name to cache factor for that individual - # cache. Overrides the global cache factor for a given cache. - # - # These can also be set through environment variables comprised - # of "SYNAPSE_CACHE_FACTOR_" + the name of the cache in capital - # letters and underscores. Setting by environment variable - # takes priority over setting through the config file. - # Ex. SYNAPSE_CACHE_FACTOR_GET_USERS_WHO_SHARE_ROOM_WITH_USER=2.0 - # - # Some caches have '*' and other characters that are not - # alphanumeric or underscores. These caches can be named with or - # without the special characters stripped. For example, to specify - # the cache factor for `*stateGroupCache*` via an environment - # variable would be `SYNAPSE_CACHE_FACTOR_STATEGROUPCACHE=2.0`. - # - per_cache_factors: - #get_users_who_share_room_with_user: 2.0 - - -## Database ## - -database: - # The database engine name - name: "psycopg2" - args: - user: {{ matrix_synapse_database_user|string|to_json }} - password: {{ matrix_synapse_database_password|string|to_json }} - database: "{{ matrix_synapse_database_database }}" - host: "{{ matrix_synapse_database_host }}" - cp_min: 5 - cp_max: 10 - - -## Logging ## - -# A yaml python logging config file as described by -# https://docs.python.org/3.7/library/logging.config.html#configuration-dictionary-schema -# -log_config: "/data/{{ matrix_server_fqn_matrix }}.log.config" - - -## Ratelimiting ## - -# Ratelimiting settings for client actions (registration, login, messaging). -# -# Each ratelimiting configuration is made of two parameters: -# - per_second: number of requests a client can send per second. -# - burst_count: number of requests a client can send before being throttled. -# -# Synapse currently uses the following configurations: -# - one for messages that ratelimits sending based on the account the client -# is using -# - one for registration that ratelimits registration requests based on the -# client's IP address. -# - one for login that ratelimits login requests based on the client's IP -# address. -# - one for login that ratelimits login requests based on the account the -# client is attempting to log into. -# - one for login that ratelimits login requests based on the account the -# client is attempting to log into, based on the amount of failed login -# attempts for this account. -# - one for ratelimiting redactions by room admins. If this is not explicitly -# set then it uses the same ratelimiting as per rc_message. This is useful -# to allow room admins to deal with abuse quickly. -# - two for ratelimiting number of rooms a user can join, "local" for when -# users are joining rooms the server is already in (this is cheap) vs -# "remote" for when users are trying to join rooms not on the server (which -# can be more expensive) -# -# The defaults are as shown below. -# -#rc_message: -# per_second: 0.2 -# burst_count: 10 -rc_message: {{ matrix_synapse_rc_message|to_json }} -# -#rc_registration: -# per_second: 0.17 -# burst_count: 3 -rc_registration: {{ matrix_synapse_rc_registration|to_json }} -# -#rc_login: -# address: -# per_second: 0.17 -# burst_count: 3 -# account: -# per_second: 0.17 -# burst_count: 3 -# failed_attempts: -# per_second: 0.17 -# burst_count: 3 -rc_login: {{ matrix_synapse_rc_login|to_json }} -# -#rc_admin_redaction: -# per_second: 1 -# burst_count: 50 -# -#rc_joins: -# local: -# per_second: 0.1 -# burst_count: 3 -# remote: -# per_second: 0.01 -# burst_count: 3 - - -# Ratelimiting settings for incoming federation -# -# The rc_federation configuration is made up of the following settings: -# - window_size: window size in milliseconds -# - sleep_limit: number of federation requests from a single server in -# a window before the server will delay processing the request. -# - sleep_delay: duration in milliseconds to delay processing events -# from remote servers by if they go over the sleep limit. -# - reject_limit: maximum number of concurrent federation requests -# allowed from a single server -# - concurrent: number of federation requests to concurrently process -# from a single server -# -# The defaults are as shown below. -# -#rc_federation: -# window_size: 1000 -# sleep_limit: 10 -# sleep_delay: 500 -# reject_limit: 50 -# concurrent: 3 -rc_federation: {{ matrix_synapse_rc_federation|to_json }} - -# Target outgoing federation transaction frequency for sending read-receipts, -# per-room. -# -# If we end up trying to send out more read-receipts, they will get buffered up -# into fewer transactions. -# -#federation_rr_transactions_per_room_per_second: 50 -federation_rr_transactions_per_room_per_second: {{ matrix_synapse_federation_rr_transactions_per_room_per_second }} - - - -## Media Store ## - -# Enable the media store service in the Synapse master. Uncomment the -# following if you are using a separate media store worker. -# -#enable_media_repo: false - -# Directory where uploaded images and attachments are stored. -# -media_store_path: "/matrix-media-store-parent/{{ matrix_synapse_media_store_directory_name }}" - -# Media storage providers allow media to be stored in different -# locations. -# -#media_storage_providers: -# - module: file_system -# # Whether to store newly uploaded local files -# store_local: false -# # Whether to store newly downloaded remote files -# store_remote: false -# # Whether to wait for successful storage for local uploads -# store_synchronous: false -# config: -# directory: /mnt/some/other/directory - -# The largest allowed upload size in bytes -# -max_upload_size: "{{ matrix_synapse_max_upload_size_mb }}M" - -# Maximum number of pixels that will be thumbnailed -# -#max_image_pixels: 32M - -# Whether to generate new thumbnails on the fly to precisely match -# the resolution requested by the client. If true then whenever -# a new resolution is requested by the client the server will -# generate a new thumbnail. If false the server will pick a thumbnail -# from a precalculated list. -# -#dynamic_thumbnails: false - -# List of thumbnails to precalculate when an image is uploaded. -# -#thumbnail_sizes: -# - width: 32 -# height: 32 -# method: crop -# - width: 96 -# height: 96 -# method: crop -# - width: 320 -# height: 240 -# method: scale -# - width: 640 -# height: 480 -# method: scale -# - width: 800 -# height: 600 -# method: scale - -# Is the preview URL API enabled? -# -# 'false' by default: uncomment the following to enable it (and specify a -# url_preview_ip_range_blacklist blacklist). -# -url_preview_enabled: {{ matrix_synapse_url_preview_enabled|to_json }} - -# List of IP address CIDR ranges that the URL preview spider is denied -# from accessing. There are no defaults: you must explicitly -# specify a list for URL previewing to work. You should specify any -# internal services in your network that you do not want synapse to try -# to connect to, otherwise anyone in any Matrix room could cause your -# synapse to issue arbitrary GET requests to your internal services, -# causing serious security issues. -# -# (0.0.0.0 and :: are always blacklisted, whether or not they are explicitly -# listed here, since they correspond to unroutable addresses.) -# -# This must be specified if url_preview_enabled is set. It is recommended that -# you uncomment the following list as a starting point. -# -url_preview_ip_range_blacklist: - - '127.0.0.0/8' - - '10.0.0.0/8' - - '172.16.0.0/12' - - '192.168.0.0/16' - - '100.64.0.0/10' - - '192.0.0.0/24' - - '169.254.0.0/16' - - '198.18.0.0/15' - - '192.0.2.0/24' - - '198.51.100.0/24' - - '203.0.113.0/24' - - '224.0.0.0/4' - - '::1/128' - - 'fe80::/10' - - 'fc00::/7' - -# List of IP address CIDR ranges that the URL preview spider is allowed -# to access even if they are specified in url_preview_ip_range_blacklist. -# This is useful for specifying exceptions to wide-ranging blacklisted -# target IP ranges - e.g. for enabling URL previews for a specific private -# website only visible in your network. -# -#url_preview_ip_range_whitelist: -# - '192.168.1.1' - -# Optional list of URL matches that the URL preview spider is -# denied from accessing. You should use url_preview_ip_range_blacklist -# in preference to this, otherwise someone could define a public DNS -# entry that points to a private IP address and circumvent the blacklist. -# This is more useful if you know there is an entire shape of URL that -# you know that will never want synapse to try to spider. -# -# Each list entry is a dictionary of url component attributes as returned -# by urlparse.urlsplit as applied to the absolute form of the URL. See -# https://docs.python.org/2/library/urlparse.html#urlparse.urlsplit -# The values of the dictionary are treated as an filename match pattern -# applied to that component of URLs, unless they start with a ^ in which -# case they are treated as a regular expression match. If all the -# specified component matches for a given list item succeed, the URL is -# blacklisted. -# -#url_preview_url_blacklist: -# # blacklist any URL with a username in its URI -# - username: '*' -# -# # blacklist all *.google.com URLs -# - netloc: 'google.com' -# - netloc: '*.google.com' -# -# # blacklist all plain HTTP URLs -# - scheme: 'http' -# -# # blacklist http(s)://www.acme.com/foo -# - netloc: 'www.acme.com' -# path: '/foo' -# -# # blacklist any URL with a literal IPv4 address -# - netloc: '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$' - -# The largest allowed URL preview spidering size in bytes -# -max_spider_size: 10M - -# A list of values for the Accept-Language HTTP header used when -# downloading webpages during URL preview generation. This allows -# Synapse to specify the preferred languages that URL previews should -# be in when communicating with remote servers. -# -# Each value is a IETF language tag; a 2-3 letter identifier for a -# language, optionally followed by subtags separated by '-', specifying -# a country or region variant. -# -# Multiple values can be provided, and a weight can be added to each by -# using quality value syntax (;q=). '*' translates to any language. -# -# Defaults to "en". -# -# Example: -# -# url_preview_accept_language: -# - en-UK -# - en-US;q=0.9 -# - fr;q=0.8 -# - *;q=0.7 -# -url_preview_accept_language: -# - en - - -## Captcha ## -# See docs/CAPTCHA_SETUP.md for full details of configuring this. - -# This homeserver's ReCAPTCHA public key. Must be specified if -# enable_registration_captcha is enabled. -# -recaptcha_public_key: {{ matrix_synapse_recaptcha_public_key|to_json }} - -# This homeserver's ReCAPTCHA private key. Must be specified if -# enable_registration_captcha is enabled. -# -recaptcha_private_key: {{ matrix_synapse_recaptcha_private_key|to_json }} - -# Uncomment to enable ReCaptcha checks when registering, preventing signup -# unless a captcha is answered. Requires a valid ReCaptcha -# public/private key. Defaults to 'false'. -# -enable_registration_captcha: {{ matrix_synapse_enable_registration_captcha|to_json }} - -# The API endpoint to use for verifying m.login.recaptcha responses. -# Defaults to "https://www.recaptcha.net/recaptcha/api/siteverify". -# -#recaptcha_siteverify_api: "https://my.recaptcha.site" - - -## TURN ## - -# The public URIs of the TURN server to give to clients -# -turn_uris: {{ matrix_synapse_turn_uris|to_json }} - -# The shared secret used to compute passwords for the TURN server -# -turn_shared_secret: {{ matrix_synapse_turn_shared_secret|string|to_json }} - -# The Username and password if the TURN server needs them and -# does not use a token -# -#turn_username: "TURNSERVER_USERNAME" -#turn_password: "TURNSERVER_PASSWORD" - -# How long generated TURN credentials last -# -#turn_user_lifetime: 1h - -# Whether guests should be allowed to use the TURN server. -# This defaults to True, otherwise VoIP will be unreliable for guests. -# However, it does introduce a slight security risk as it allows users to -# connect to arbitrary endpoints without having first signed up for a -# valid account (e.g. by passing a CAPTCHA). -# -turn_allow_guests: {{ matrix_synapse_turn_allow_guests|to_json }} - - -## Registration ## -# -# Registration can be rate-limited using the parameters in the "Ratelimiting" -# section of this file. - -# Enable registration for new users. -# -enable_registration: {{ matrix_synapse_enable_registration|to_json }} - -# Optional account validity configuration. This allows for accounts to be denied -# any request after a given period. -# -# Once this feature is enabled, Synapse will look for registered users without an -# expiration date at startup and will add one to every account it found using the -# current settings at that time. -# This means that, if a validity period is set, and Synapse is restarted (it will -# then derive an expiration date from the current validity period), and some time -# after that the validity period changes and Synapse is restarted, the users' -# expiration dates won't be updated unless their account is manually renewed. This -# date will be randomly selected within a range [now + period - d ; now + period], -# where d is equal to 10% of the validity period. -# -account_validity: - # The account validity feature is disabled by default. Uncomment the - # following line to enable it. - # - #enabled: true - - # The period after which an account is valid after its registration. When - # renewing the account, its validity period will be extended by this amount - # of time. This parameter is required when using the account validity - # feature. - # - #period: 6w - - # The amount of time before an account's expiry date at which Synapse will - # send an email to the account's email address with a renewal link. By - # default, no such emails are sent. - # - # If you enable this setting, you will also need to fill out the 'email' and - # 'public_baseurl' configuration sections. - # - #renew_at: 1w - - # The subject of the email sent out with the renewal link. '%(app)s' can be - # used as a placeholder for the 'app_name' parameter from the 'email' - # section. - # - # Note that the placeholder must be written '%(app)s', including the - # trailing 's'. - # - # If this is not set, a default value is used. - # - #renew_email_subject: "Renew your %(app)s account" - - # Directory in which Synapse will try to find templates for the HTML files to - # serve to the user when trying to renew an account. If not set, default - # templates from within the Synapse package will be used. - # - #template_dir: "res/templates" - - # File within 'template_dir' giving the HTML to be displayed to the user after - # they successfully renewed their account. If not set, default text is used. - # - #account_renewed_html_path: "account_renewed.html" - - # File within 'template_dir' giving the HTML to be displayed when the user - # tries to renew an account with an invalid renewal token. If not set, - # default text is used. - # - #invalid_token_html_path: "invalid_token.html" - -# Time that a user's session remains valid for, after they log in. -# -# Note that this is not currently compatible with guest logins. -# -# Note also that this is calculated at login time: changes are not applied -# retrospectively to users who have already logged in. -# -# By default, this is infinite. -# -#session_lifetime: 24h - -# The user must provide all of the below types of 3PID when registering. -# -#registrations_require_3pid: -# - email -# - msisdn -{% if matrix_synapse_registrations_require_3pid|length > 0 %} -registrations_require_3pid: {{ matrix_synapse_registrations_require_3pid|to_json }} -{% endif %} - -# Explicitly disable asking for MSISDNs from the registration -# flow (overrides registrations_require_3pid if MSISDNs are set as required) -# -#disable_msisdn_registration: true - -# Mandate that users are only allowed to associate certain formats of -# 3PIDs with accounts on this server. -# -#allowed_local_3pids: -# - medium: email -# pattern: '.*@matrix\.org' -# - medium: email -# pattern: '.*@vector\.im' -# - medium: msisdn -# pattern: '\+44' -{% if matrix_synapse_allowed_local_3pids|length > 0 %} -allowed_local_3pids: {{ matrix_synapse_allowed_local_3pids|to_json }} -{% endif %} - -# Enable 3PIDs lookup requests to identity servers from this server. -# -#enable_3pid_lookup: true - -# If set, allows registration of standard or admin accounts by anyone who -# has the shared secret, even if registration is otherwise disabled. -# -registration_shared_secret: {{ matrix_synapse_registration_shared_secret|string|to_json }} - -# Set the number of bcrypt rounds used to generate password hash. -# Larger numbers increase the work factor needed to generate the hash. -# The default number is 12 (which equates to 2^12 rounds). -# N.B. that increasing this will exponentially increase the time required -# to register or login - e.g. 24 => 2^24 rounds which will take >20 mins. -# -#bcrypt_rounds: 12 - -# Allows users to register as guests without a password/email/etc, and -# participate in rooms hosted on this server which have been made -# accessible to anonymous users. -# -allow_guest_access: {{ matrix_synapse_allow_guest_access|to_json }} - -# The identity server which we suggest that clients should use when users log -# in on this server. -# -# (By default, no suggestion is made, so it is left up to the client. -# This setting is ignored unless public_baseurl is also set.) -# -#default_identity_server: https://matrix.org - -# Handle threepid (email/phone etc) registration and password resets through a set of -# *trusted* identity servers. Note that this allows the configured identity server to -# reset passwords for accounts! -# -# Be aware that if `email` is not set, and SMTP options have not been -# configured in the email config block, registration and user password resets via -# email will be globally disabled. -# -# Additionally, if `msisdn` is not set, registration and password resets via msisdn -# will be disabled regardless, and users will not be able to associate an msisdn -# identifier to their account. This is due to Synapse currently not supporting -# any method of sending SMS messages on its own. -# -# To enable using an identity server for operations regarding a particular third-party -# identifier type, set the value to the URL of that identity server as shown in the -# examples below. -# -# Servers handling the these requests must answer the `/requestToken` endpoints defined -# by the Matrix Identity Service API specification: -# https://matrix.org/docs/spec/identity_service/latest -# -# If a delegate is specified, the config option public_baseurl must also be filled out. -# -account_threepid_delegates: - email: {{ matrix_synapse_account_threepid_delegates_email|to_json }} - msisdn: {{ matrix_synapse_account_threepid_delegates_msisdn|to_json }} - -# Whether users are allowed to change their displayname after it has -# been initially set. Useful when provisioning users based on the -# contents of a third-party directory. -# -# Does not apply to server administrators. Defaults to 'true' -# -#enable_set_displayname: false - -# Whether users are allowed to change their avatar after it has been -# initially set. Useful when provisioning users based on the contents -# of a third-party directory. -# -# Does not apply to server administrators. Defaults to 'true' -# -#enable_set_avatar_url: false - -# Whether users can change the 3PIDs associated with their accounts -# (email address and msisdn). -# -# Defaults to 'true' -# -#enable_3pid_changes: false - -# Users who register on this homeserver will automatically be joined -# to these rooms. -# -# By default, any room aliases included in this list will be created -# as a publicly joinable room when the first user registers for the -# homeserver. This behaviour can be customised with the settings below. -# -#auto_join_rooms: -# - "#example:example.com" -{% if matrix_synapse_auto_join_rooms|length > 0 %} -auto_join_rooms: -{{ matrix_synapse_auto_join_rooms|to_nice_yaml }} -{% endif %} - -# Where auto_join_rooms are specified, setting this flag ensures that the -# the rooms exist by creating them when the first user on the -# homeserver registers. -# -# By default the auto-created rooms are publicly joinable from any federated -# server. Use the autocreate_auto_join_rooms_federated and -# autocreate_auto_join_room_preset settings below to customise this behaviour. -# -# Setting to false means that if the rooms are not manually created, -# users cannot be auto-joined since they do not exist. -# -# Defaults to true. Uncomment the following line to disable automatically -# creating auto-join rooms. -# -autocreate_auto_join_rooms: {{ matrix_synapse_autocreate_auto_join_rooms|to_json }} - -# Whether the auto_join_rooms that are auto-created are available via -# federation. Only has an effect if autocreate_auto_join_rooms is true. -# -# Note that whether a room is federated cannot be modified after -# creation. -# -# Defaults to true: the room will be joinable from other servers. -# Uncomment the following to prevent users from other homeservers from -# joining these rooms. -# -#autocreate_auto_join_rooms_federated: false - -# The room preset to use when auto-creating one of auto_join_rooms. Only has an -# effect if autocreate_auto_join_rooms is true. -# -# This can be one of "public_chat", "private_chat", or "trusted_private_chat". -# If a value of "private_chat" or "trusted_private_chat" is used then -# auto_join_mxid_localpart must also be configured. -# -# Defaults to "public_chat", meaning that the room is joinable by anyone, including -# federated servers if autocreate_auto_join_rooms_federated is true (the default). -# Uncomment the following to require an invitation to join these rooms. -# -#autocreate_auto_join_room_preset: private_chat - -# The local part of the user id which is used to create auto_join_rooms if -# autocreate_auto_join_rooms is true. If this is not provided then the -# initial user account that registers will be used to create the rooms. -# -# The user id is also used to invite new users to any auto-join rooms which -# are set to invite-only. -# -# It *must* be configured if autocreate_auto_join_room_preset is set to -# "private_chat" or "trusted_private_chat". -# -# Note that this must be specified in order for new users to be correctly -# invited to any auto-join rooms which have been set to invite-only (either -# at the time of creation or subsequently). -# -# Note that, if the room already exists, this user must be joined and -# have the appropriate permissions to invite new members. -# -#auto_join_mxid_localpart: system - -# When auto_join_rooms is specified, setting this flag to false prevents -# guest accounts from being automatically joined to the rooms. -# -# Defaults to true. -# -#auto_join_rooms_for_guests: false - - -## Metrics ### - -# Enable collection and rendering of performance metrics -# -enable_metrics: {{ matrix_synapse_metrics_enabled|to_json }} - - -# Enable sentry integration -# NOTE: While attempts are made to ensure that the logs don't contain -# any sensitive information, this cannot be guaranteed. By enabling -# this option the sentry server may therefore receive sensitive -# information, and it in turn may then diseminate sensitive information -# through insecure notification channels if so configured. -# -{% if matrix_synapse_sentry_dsn != "" %} -sentry: - dsn: {{ matrix_synapse_sentry_dsn|to_json }} -{% endif %} - -# Flags to enable Prometheus metrics which are not suitable to be -# enabled by default, either for performance reasons or limited use. -# -metrics_flags: - # Publish synapse_federation_known_servers, a gauge of the number of - # servers this homeserver knows about, including itself. May cause - # performance problems on large homeservers. - # - #known_servers: true - -# Whether or not to report anonymized homeserver usage statistics. -# -report_stats: {{ matrix_synapse_report_stats|to_json }} - -# The endpoint to report the anonymized homeserver usage statistics to. -# Defaults to https://matrix.org/report-usage-stats/push -# -#report_stats_endpoint: https://example.com/report-usage-stats/push - - -## API Configuration ## - -# A list of event types that will be included in the room_invite_state -# -#room_invite_state_types: -# - "m.room.join_rules" -# - "m.room.canonical_alias" -# - "m.room.avatar" -# - "m.room.encryption" -# - "m.room.name" - - -# A list of application service config files to use -# -app_service_config_files: {{ matrix_synapse_app_service_config_files|to_json }} - -# Uncomment to enable tracking of application service IP addresses. Implicitly -# enables MAU tracking for application service users. -# -#track_appservice_user_ips: True - - -# a secret which is used to sign access tokens. If none is specified, -# the registration_shared_secret is used, if one is given; otherwise, -# a secret key is derived from the signing key. -# -macaroon_secret_key: {{ matrix_synapse_macaroon_secret_key|string|to_json }} - -# a secret which is used to calculate HMACs for form values, to stop -# falsification of values. Must be specified for the User Consent -# forms to work. -# -form_secret: {{ matrix_synapse_form_secret|string|to_json }} - -## Signing Keys ## - -# Path to the signing key to sign messages with -# -signing_key_path: "/data/{{ matrix_server_fqn_matrix }}.signing.key" - -# The keys that the server used to sign messages with but won't use -# to sign new messages. -# -old_signing_keys: - # For each key, `key` should be the base64-encoded public key, and - # `expired_ts`should be the time (in milliseconds since the unix epoch) that - # it was last used. - # - # It is possible to build an entry from an old signing.key file using the - # `export_signing_key` script which is provided with synapse. - # - # For example: - # - #"ed25519:id": { key: "base64string", expired_ts: 123456789123 } - -# How long key response published by this server is valid for. -# Used to set the valid_until_ts in /key/v2 APIs. -# Determines how quickly servers will query to check which keys -# are still valid. -# -#key_refresh_interval: 1d - -# The trusted servers to download signing keys from. -# -# When we need to fetch a signing key, each server is tried in parallel. -# -# Normally, the connection to the key server is validated via TLS certificates. -# Additional security can be provided by configuring a `verify key`, which -# will make synapse check that the response is signed by that key. -# -# This setting supercedes an older setting named `perspectives`. The old format -# is still supported for backwards-compatibility, but it is deprecated. -# -# 'trusted_key_servers' defaults to matrix.org, but using it will generate a -# warning on start-up. To suppress this warning, set -# 'suppress_key_server_warning' to true. -# -# Options for each entry in the list include: -# -# server_name: the name of the server. required. -# -# verify_keys: an optional map from key id to base64-encoded public key. -# If specified, we will check that the response is signed by at least -# one of the given keys. -# -# accept_keys_insecurely: a boolean. Normally, if `verify_keys` is unset, -# and federation_verify_certificates is not `true`, synapse will refuse -# to start, because this would allow anyone who can spoof DNS responses -# to masquerade as the trusted key server. If you know what you are doing -# and are sure that your network environment provides a secure connection -# to the key server, you can set this to `true` to override this -# behaviour. -# -# An example configuration might look like: -# -#trusted_key_servers: -# - server_name: "my_trusted_server.example.com" -# verify_keys: -# "ed25519:auto": "abcdefghijklmnopqrstuvwxyzabcdefghijklmopqr" -# - server_name: "my_other_trusted_server.example.com" -# -trusted_key_servers: {{ matrix_synapse_trusted_key_servers|to_json }} - - -# Uncomment the following to disable the warning that is emitted when the -# trusted_key_servers include 'matrix.org'. See above. -# -#suppress_key_server_warning: true - -# The signing keys to use when acting as a trusted key server. If not specified -# defaults to the server signing key. -# -# Can contain multiple keys, one per line. -# -#key_server_signing_keys_path: "key_server_signing_keys.key" - - -## Single sign-on integration ## - -# The following settings can be used to make Synapse use a single sign-on -# provider for authentication, instead of its internal password database. -# -# You will probably also want to set the following options to `false` to -# disable the regular login/registration flows: -# * enable_registration -# * password_config.enabled -# -# You will also want to investigate the settings under the "sso" configuration -# section below. - -# Enable SAML2 for registration and login. Uses pysaml2. -# -# At least one of `sp_config` or `config_path` must be set in this section to -# enable SAML login. -# -# Once SAML support is enabled, a metadata file will be exposed at -# https://:/_matrix/saml2/metadata.xml, which you may be able to -# use to configure your SAML IdP with. Alternatively, you can manually configure -# the IdP to use an ACS location of -# https://:/_matrix/saml2/authn_response. -# -saml2_config: - # `sp_config` is the configuration for the pysaml2 Service Provider. - # See pysaml2 docs for format of config. - # - # Default values will be used for the 'entityid' and 'service' settings, - # so it is not normally necessary to specify them unless you need to - # override them. - # - sp_config: - # Point this to the IdP's metadata. You must provide either a local - # file via the `local` attribute or (preferably) a URL via the - # `remote` attribute. - # - #metadata: - # local: ["saml2/idp.xml"] - # remote: - # - url: https://our_idp/metadata.xml - - # Allowed clock difference in seconds between the homeserver and IdP. - # - # Uncomment the below to increase the accepted time difference from 0 to 3 seconds. - # - #accepted_time_diff: 3 - - # By default, the user has to go to our login page first. If you'd like - # to allow IdP-initiated login, set 'allow_unsolicited: true' in a - # 'service.sp' section: - # - #service: - # sp: - # allow_unsolicited: true - - # The examples below are just used to generate our metadata xml, and you - # may well not need them, depending on your setup. Alternatively you - # may need a whole lot more detail - see the pysaml2 docs! - - #description: ["My awesome SP", "en"] - #name: ["Test SP", "en"] - - #ui_info: - # display_name: - # - lang: en - # text: "Display Name is the descriptive name of your service." - # description: - # - lang: en - # text: "Description should be a short paragraph explaining the purpose of the service." - # information_url: - # - lang: en - # text: "https://example.com/terms-of-service" - # privacy_statement_url: - # - lang: en - # text: "https://example.com/privacy-policy" - # keywords: - # - lang: en - # text: ["Matrix", "Element"] - # logo: - # - lang: en - # text: "https://example.com/logo.svg" - # width: "200" - # height: "80" - - #organization: - # name: Example com - # display_name: - # - ["Example co", "en"] - # url: "http://example.com" - - #contact_person: - # - given_name: Bob - # sur_name: "the Sysadmin" - # email_address": ["admin@example.com"] - # contact_type": technical - - # Instead of putting the config inline as above, you can specify a - # separate pysaml2 configuration file: - # - #config_path: "/data/sp_conf.py" - - # The lifetime of a SAML session. This defines how long a user has to - # complete the authentication process, if allow_unsolicited is unset. - # The default is 15 minutes. - # - #saml_session_lifetime: 5m - - # An external module can be provided here as a custom solution to - # mapping attributes returned from a saml provider onto a matrix user. - # - user_mapping_provider: - # The custom module's class. Uncomment to use a custom module. - # - #module: mapping_provider.SamlMappingProvider - - # Custom configuration values for the module. Below options are - # intended for the built-in provider, they should be changed if - # using a custom module. This section will be passed as a Python - # dictionary to the module's `parse_config` method. - # - config: - # The SAML attribute (after mapping via the attribute maps) to use - # to derive the Matrix ID from. 'uid' by default. - # - # Note: This used to be configured by the - # saml2_config.mxid_source_attribute option. If that is still - # defined, its value will be used instead. - # - #mxid_source_attribute: displayName - - # The mapping system to use for mapping the saml attribute onto a - # matrix ID. - # - # Options include: - # * 'hexencode' (which maps unpermitted characters to '=xx') - # * 'dotreplace' (which replaces unpermitted characters with - # '.'). - # The default is 'hexencode'. - # - # Note: This used to be configured by the - # saml2_config.mxid_mapping option. If that is still defined, its - # value will be used instead. - # - #mxid_mapping: dotreplace - - # In previous versions of synapse, the mapping from SAML attribute to - # MXID was always calculated dynamically rather than stored in a - # table. For backwards- compatibility, we will look for user_ids - # matching such a pattern before creating a new account. - # - # This setting controls the SAML attribute which will be used for this - # backwards-compatibility lookup. Typically it should be 'uid', but if - # the attribute maps are changed, it may be necessary to change it. - # - # The default is 'uid'. - # - #grandfathered_mxid_source_attribute: upn - - # It is possible to configure Synapse to only allow logins if SAML attributes - # match particular values. The requirements can be listed under - # `attribute_requirements` as shown below. All of the listed attributes must - # match for the login to be permitted. - # - #attribute_requirements: - # - attribute: userGroup - # value: "staff" - # - attribute: department - # value: "sales" - - # If the metadata XML contains multiple IdP entities then the `idp_entityid` - # option must be set to the entity to redirect users to. - # - # Most deployments only have a single IdP entity and so should omit this - # option. - # - #idp_entityid: 'https://our_idp/entityid' - - -# Enable OpenID Connect (OIDC) / OAuth 2.0 for registration and login. -# -# See https://github.com/matrix-org/synapse/blob/master/docs/openid.md -# for some example configurations. -# -oidc_config: - # Uncomment the following to enable authorization against an OpenID Connect - # server. Defaults to false. - # - #enabled: true - - # Uncomment the following to disable use of the OIDC discovery mechanism to - # discover endpoints. Defaults to true. - # - #discover: false - - # the OIDC issuer. Used to validate tokens and (if discovery is enabled) to - # discover the provider's endpoints. - # - # Required if 'enabled' is true. - # - #issuer: "https://accounts.example.com/" - - # oauth2 client id to use. - # - # Required if 'enabled' is true. - # - #client_id: "provided-by-your-issuer" - - # oauth2 client secret to use. - # - # Required if 'enabled' is true. - # - #client_secret: "provided-by-your-issuer" - - # auth method to use when exchanging the token. - # Valid values are 'client_secret_basic' (default), 'client_secret_post' and - # 'none'. - # - #client_auth_method: client_secret_post - - # list of scopes to request. This should normally include the "openid" scope. - # Defaults to ["openid"]. - # - #scopes: ["openid", "profile"] - - # the oauth2 authorization endpoint. Required if provider discovery is disabled. - # - #authorization_endpoint: "https://accounts.example.com/oauth2/auth" - - # the oauth2 token endpoint. Required if provider discovery is disabled. - # - #token_endpoint: "https://accounts.example.com/oauth2/token" - - # the OIDC userinfo endpoint. Required if discovery is disabled and the - # "openid" scope is not requested. - # - #userinfo_endpoint: "https://accounts.example.com/userinfo" - - # URI where to fetch the JWKS. Required if discovery is disabled and the - # "openid" scope is used. - # - #jwks_uri: "https://accounts.example.com/.well-known/jwks.json" - - # Uncomment to skip metadata verification. Defaults to false. - # - # Use this if you are connecting to a provider that is not OpenID Connect - # compliant. - # Avoid this in production. - # - #skip_verification: true - - # Whether to fetch the user profile from the userinfo endpoint. Valid - # values are: "auto" or "userinfo_endpoint". - # - # Defaults to "auto", which fetches the userinfo endpoint if "openid" is included - # in `scopes`. Uncomment the following to always fetch the userinfo endpoint. - # - #user_profile_method: "userinfo_endpoint" - - # Uncomment to allow a user logging in via OIDC to match a pre-existing account instead - # of failing. This could be used if switching from password logins to OIDC. Defaults to false. - # - #allow_existing_users: true - - # An external module can be provided here as a custom solution to mapping - # attributes returned from a OIDC provider onto a matrix user. - # - user_mapping_provider: - # The custom module's class. Uncomment to use a custom module. - # Default is 'synapse.handlers.oidc_handler.JinjaOidcMappingProvider'. - # - # See https://github.com/matrix-org/synapse/blob/master/docs/sso_mapping_providers.md#openid-mapping-providers - # for information on implementing a custom mapping provider. - # - #module: mapping_provider.OidcMappingProvider - - # Custom configuration values for the module. This section will be passed as - # a Python dictionary to the user mapping provider module's `parse_config` - # method. - # - # The examples below are intended for the default provider: they should be - # changed if using a custom provider. - # - config: - # name of the claim containing a unique identifier for the user. - # Defaults to `sub`, which OpenID Connect compliant providers should provide. - # - #subject_claim: "sub" - - # Jinja2 template for the localpart of the MXID. - # - # When rendering, this template is given the following variables: - # * user: The claims returned by the UserInfo Endpoint and/or in the ID - # Token - # - # If this is not set, the user will be prompted to choose their - # own username. - # - localpart_template: "{% raw %}{{ user.preferred_username }}{% endraw %}" - - # Jinja2 template for the display name to set on first login. - # - # If unset, no displayname will be set. - # - #display_name_template: "{% raw %}{{ user.given_name }} {{ user.last_name }}{% endraw %}" - - # Jinja2 templates for extra attributes to send back to the client during - # login. - # - # Note that these are non-standard and clients will ignore them without modifications. - # - #extra_attributes: - #birthdate: "{% raw %}{{ user.birthdate }}{% endraw %}" - - - -# Enable Central Authentication Service (CAS) for registration and login. -# -cas_config: - # Uncomment the following to enable authorization against a CAS server. - # Defaults to false. - # - #enabled: true - - # The URL of the CAS authorization endpoint. - # - #server_url: "https://cas-server.com" - - # The public URL of the homeserver. - # - #service_url: "https://homeserver.domain.com:8448" - - # The attribute of the CAS response to use as the display name. - # - # If unset, no displayname will be set. - # - #displayname_attribute: name - - # It is possible to configure Synapse to only allow logins if CAS attributes - # match particular values. All of the keys in the mapping below must exist - # and the values must match the given value. Alternately if the given value - # is None then any value is allowed (the attribute just must exist). - # All of the listed attributes must match for the login to be permitted. - # - #required_attributes: - # userGroup: "staff" - # department: None - - -# Additional settings to use with single-sign on systems such as OpenID Connect, -# SAML2 and CAS. -# -sso: - # A list of client URLs which are whitelisted so that the user does not - # have to confirm giving access to their account to the URL. Any client - # whose URL starts with an entry in the following list will not be subject - # to an additional confirmation step after the SSO login is completed. - # - # WARNING: An entry such as "https://my.client" is insecure, because it - # will also match "https://my.client.evil.site", exposing your users to - # phishing attacks from evil.site. To avoid this, include a slash after the - # hostname: "https://my.client/". - # - # If public_baseurl is set, then the login fallback page (used by clients - # that don't natively support the required login flows) is whitelisted in - # addition to any URLs in this list. - # - # By default, this list is empty. - # - #client_whitelist: - # - https://riot.im/develop - # - https://my.custom.client/ - - # Directory in which Synapse will try to find the template files below. - # If not set, or the files named below are not found within the template - # directory, default templates from within the Synapse package will be used. - # - # Synapse will look for the following templates in this directory: - # - # * HTML page for a confirmation step before redirecting back to the client - # with the login token: 'sso_redirect_confirm.html'. - # - # When rendering, this template is given three variables: - # * redirect_url: the URL the user is about to be redirected to. Needs - # manual escaping (see - # https://jinja.palletsprojects.com/en/2.11.x/templates/#html-escaping). - # - # * display_url: the same as `redirect_url`, but with the query - # parameters stripped. The intention is to have a - # human-readable URL to show to users, not to use it as - # the final address to redirect to. Needs manual escaping - # (see https://jinja.palletsprojects.com/en/2.11.x/templates/#html-escaping). - # - # * server_name: the homeserver's name. - # - # * HTML page which notifies the user that they are authenticating to confirm - # an operation on their account during the user interactive authentication - # process: 'sso_auth_confirm.html'. - # - # When rendering, this template is given the following variables: - # * redirect_url: the URL the user is about to be redirected to. Needs - # manual escaping (see - # https://jinja.palletsprojects.com/en/2.11.x/templates/#html-escaping). - # - # * description: the operation which the user is being asked to confirm - # - # * HTML page shown after a successful user interactive authentication session: - # 'sso_auth_success.html'. - # - # Note that this page must include the JavaScript which notifies of a successful authentication - # (see https://matrix.org/docs/spec/client_server/r0.6.0#fallback). - # - # This template has no additional variables. - # - # * HTML page shown during single sign-on if a deactivated user (according to Synapse's database) - # attempts to login: 'sso_account_deactivated.html'. - # - # This template has no additional variables. - # - # * HTML page to display to users if something goes wrong during the - # OpenID Connect authentication process: 'sso_error.html'. - # - # When rendering, this template is given two variables: - # * error: the technical name of the error - # * error_description: a human-readable message for the error - # - # You can see the default templates at: - # https://github.com/matrix-org/synapse/tree/master/synapse/res/templates - # - #template_dir: "res/templates" - - -# JSON web token integration. The following settings can be used to make -# Synapse JSON web tokens for authentication, instead of its internal -# password database. -# -# Each JSON Web Token needs to contain a "sub" (subject) claim, which is -# used as the localpart of the mxid. -# -# Additionally, the expiration time ("exp"), not before time ("nbf"), -# and issued at ("iat") claims are validated if present. -# -# Note that this is a non-standard login type and client support is -# expected to be non-existent. -# -# See https://github.com/matrix-org/synapse/blob/master/docs/jwt.md. -# -#jwt_config: - # Uncomment the following to enable authorization using JSON web - # tokens. Defaults to false. - # - #enabled: true - - # This is either the private shared secret or the public key used to - # decode the contents of the JSON web token. - # - # Required if 'enabled' is true. - # - #secret: "provided-by-your-issuer" - - # The algorithm used to sign the JSON web token. - # - # Supported algorithms are listed at - # https://pyjwt.readthedocs.io/en/latest/algorithms.html - # - # Required if 'enabled' is true. - # - #algorithm: "provided-by-your-issuer" - - # The issuer to validate the "iss" claim against. - # - # Optional, if provided the "iss" claim will be required and - # validated for all JSON web tokens. - # - #issuer: "provided-by-your-issuer" - - # A list of audiences to validate the "aud" claim against. - # - # Optional, if provided the "aud" claim will be required and - # validated for all JSON web tokens. - # - # Note that if the "aud" claim is included in a JSON web token then - # validation will fail without configuring audiences. - # - #audiences: - # - "provided-by-your-issuer" - - -password_config: - # Uncomment to disable password login - # - #enabled: false - - # Uncomment to disable authentication against the local password - # database. This is ignored if `enabled` is false, and is only useful - # if you have other password_providers. - # - localdb_enabled: {{ matrix_synapse_password_config_localdb_enabled|to_json }} - - # Uncomment and change to a secret random string for extra security. - # DO NOT CHANGE THIS AFTER INITIAL SETUP! - # - pepper: {{ matrix_synapse_password_config_pepper|string|to_json }} - - # Define and enforce a password policy. Each parameter is optional. - # This is an implementation of MSC2000. - # - policy: - # Whether to enforce the password policy. - # Defaults to 'false'. - # - #enabled: true - - # Minimum accepted length for a password. - # Defaults to 0. - # - #minimum_length: 15 - - # Whether a password must contain at least one digit. - # Defaults to 'false'. - # - #require_digit: true - - # Whether a password must contain at least one symbol. - # A symbol is any character that's not a number or a letter. - # Defaults to 'false'. - # - #require_symbol: true - - # Whether a password must contain at least one lowercase letter. - # Defaults to 'false'. - # - #require_lowercase: true - - # Whether a password must contain at least one lowercase letter. - # Defaults to 'false'. - # - #require_uppercase: true - -ui_auth: - # The number of milliseconds to allow a user-interactive authentication - # session to be active. - # - # This defaults to 0, meaning the user is queried for their credentials - # before every action, but this can be overridden to alow a single - # validation to be re-used. This weakens the protections afforded by - # the user-interactive authentication process, by allowing for multiple - # (and potentially different) operations to use the same validation session. - # - # Uncomment below to allow for credential validation to last for 15 - # seconds. - # - #session_timeout: 15000 - - -{% if matrix_synapse_email_enabled %} -# Configuration for sending emails from Synapse. -# -email: - # The hostname of the outgoing SMTP server to use. Defaults to 'localhost'. - # - #smtp_host: mail.server - smtp_host: {{ matrix_synapse_email_smtp_host|string|to_json }} - - # The port on the mail server for outgoing SMTP. Defaults to 25. - # - #smtp_port: 587 - smtp_port: {{ matrix_synapse_email_smtp_port|to_json }} - - # Username/password for authentication to the SMTP server. By default, no - # authentication is attempted. - # - #smtp_user: "exampleusername" - #smtp_pass: "examplepassword" - - # Uncomment the following to require TLS transport security for SMTP. - # By default, Synapse will connect over plain text, and will then switch to - # TLS via STARTTLS *if the SMTP server supports it*. If this option is set, - # Synapse will refuse to connect unless the server supports STARTTLS. - # - #require_transport_security: true - require_transport_security: {{ matrix_synapse_email_smtp_require_transport_security|to_json }} - - # Enable sending emails for messages that the user has missed - # - #enable_notifs: false - enable_notifs: true - - # notif_from defines the "From" address to use when sending emails. - # It must be set if email sending is enabled. - # - # The placeholder '%(app)s' will be replaced by the application name, - # which is normally 'app_name' (below), but may be overridden by the - # Matrix client application. - # - # Note that the placeholder must be written '%(app)s', including the - # trailing 's'. - # - #notif_from: "Your Friendly %(app)s homeserver " - notif_from: {{ matrix_synapse_email_notif_from|string|to_json }} - - # app_name defines the default value for '%(app)s' in notif_from and email - # subjects. It defaults to 'Matrix'. - # - #app_name: my_branded_matrix_server - app_name: Matrix - - # Uncomment the following to disable automatic subscription to email - # notifications for new users. Enabled by default. - # - #notif_for_new_users: false - notif_for_new_users: True - - # Custom URL for client links within the email notifications. By default - # links will be based on "https://matrix.to". - # - # (This setting used to be called riot_base_url; the old name is still - # supported for backwards-compatibility but is now deprecated.) - # - #client_base_url: "http://localhost/riot" - client_base_url: {{ matrix_synapse_email_client_base_url|string|to_json }} - - # Configure the time that a validation email will expire after sending. - # Defaults to 1h. - # - #validation_token_lifetime: 15m - - # Directory in which Synapse will try to find the template files below. - # If not set, or the files named below are not found within the template - # directory, default templates from within the Synapse package will be used. - # - # Synapse will look for the following templates in this directory: - # - # * The contents of email notifications of missed events: 'notif_mail.html' and - # 'notif_mail.txt'. - # - # * The contents of account expiry notice emails: 'notice_expiry.html' and - # 'notice_expiry.txt'. - # - # * The contents of password reset emails sent by the homeserver: - # 'password_reset.html' and 'password_reset.txt' - # - # * An HTML page that a user will see when they follow the link in the password - # reset email. The user will be asked to confirm the action before their - # password is reset: 'password_reset_confirmation.html' - # - # * HTML pages for success and failure that a user will see when they confirm - # the password reset flow using the page above: 'password_reset_success.html' - # and 'password_reset_failure.html' - # - # * The contents of address verification emails sent during registration: - # 'registration.html' and 'registration.txt' - # - # * HTML pages for success and failure that a user will see when they follow - # the link in an address verification email sent during registration: - # 'registration_success.html' and 'registration_failure.html' - # - # * The contents of address verification emails sent when an address is added - # to a Matrix account: 'add_threepid.html' and 'add_threepid.txt' - # - # * HTML pages for success and failure that a user will see when they follow - # the link in an address verification email sent when an address is added - # to a Matrix account: 'add_threepid_success.html' and - # 'add_threepid_failure.html' - # - # You can see the default templates at: - # https://github.com/matrix-org/synapse/tree/master/synapse/res/templates - # - #template_dir: "res/templates" - - # Subjects to use when sending emails from Synapse. - # - # The placeholder '%(app)s' will be replaced with the value of the 'app_name' - # setting above, or by a value dictated by the Matrix client application. - # - # If a subject isn't overridden in this configuration file, the value used as - # its example will be used. - # - #subjects: - - # Subjects for notification emails. - # - # On top of the '%(app)s' placeholder, these can use the following - # placeholders: - # - # * '%(person)s', which will be replaced by the display name of the user(s) - # that sent the message(s), e.g. "Alice and Bob". - # * '%(room)s', which will be replaced by the name of the room the - # message(s) have been sent to, e.g. "My super room". - # - # See the example provided for each setting to see which placeholder can be - # used and how to use them. - # - # Subject to use to notify about one message from one or more user(s) in a - # room which has a name. - #message_from_person_in_room: "[%(app)s] You have a message on %(app)s from %(person)s in the %(room)s room..." - # - # Subject to use to notify about one message from one or more user(s) in a - # room which doesn't have a name. - #message_from_person: "[%(app)s] You have a message on %(app)s from %(person)s..." - # - # Subject to use to notify about multiple messages from one or more users in - # a room which doesn't have a name. - #messages_from_person: "[%(app)s] You have messages on %(app)s from %(person)s..." - # - # Subject to use to notify about multiple messages in a room which has a - # name. - #messages_in_room: "[%(app)s] You have messages on %(app)s in the %(room)s room..." - # - # Subject to use to notify about multiple messages in multiple rooms. - #messages_in_room_and_others: "[%(app)s] You have messages on %(app)s in the %(room)s room and others..." - # - # Subject to use to notify about multiple messages from multiple persons in - # multiple rooms. This is similar to the setting above except it's used when - # the room in which the notification was triggered has no name. - #messages_from_person_and_others: "[%(app)s] You have messages on %(app)s from %(person)s and others..." - # - # Subject to use to notify about an invite to a room which has a name. - #invite_from_person_to_room: "[%(app)s] %(person)s has invited you to join the %(room)s room on %(app)s..." - # - # Subject to use to notify about an invite to a room which doesn't have a - # name. - #invite_from_person: "[%(app)s] %(person)s has invited you to chat on %(app)s..." - - # Subject for emails related to account administration. - # - # On top of the '%(app)s' placeholder, these one can use the - # '%(server_name)s' placeholder, which will be replaced by the value of the - # 'server_name' setting in your Synapse configuration. - # - # Subject to use when sending a password reset email. - #password_reset: "[%(server_name)s] Password reset" - # - # Subject to use when sending a verification email to assert an address's - # ownership. - #email_validation: "[%(server_name)s] Validate your email" -{% endif %} - -# Password providers allow homeserver administrators to integrate -# their Synapse installation with existing authentication methods -# ex. LDAP, external tokens, etc. -# -# For more information and known implementations, please see -# https://github.com/matrix-org/synapse/blob/master/docs/password_auth_providers.md -# -# Note: instances wishing to use SAML or CAS authentication should -# instead use the `saml2_config` or `cas_config` options, -# respectively. -# -# password_providers: -# # Example config for an LDAP auth provider -# - module: "ldap_auth_provider.LdapAuthProvider" -# config: -# enabled: true -# uri: "ldap://ldap.example.com:389" -# start_tls: true -# base: "ou=users,dc=example,dc=com" -# attributes: -# uid: "cn" -# mail: "email" -# name: "givenName" -# #bind_dn: -# #bind_password: -# #filter: "(objectClass=posixAccount)" -{% if matrix_synapse_password_providers_enabled %} -password_providers: -{% if matrix_synapse_ext_password_provider_shared_secret_auth_enabled %} - - module: "shared_secret_authenticator.SharedSecretAuthenticator" - config: - sharedSecret: {{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret|string|to_json }} -{% endif %} -{% if matrix_synapse_ext_password_provider_rest_auth_enabled %} - - module: "rest_auth_provider.RestAuthProvider" - config: - endpoint: {{ matrix_synapse_ext_password_provider_rest_auth_endpoint|string|to_json }} - policy: - registration: - username: - enforceLowercase: {{ matrix_synapse_ext_password_provider_rest_auth_registration_enforce_lowercase }} - profile: - name: {{ matrix_synapse_ext_password_provider_rest_auth_registration_profile_name_autofill }} - login: - profile: - name: {{ matrix_synapse_ext_password_provider_rest_auth_login_profile_name_autofill }} -{% endif %} -{% if matrix_synapse_ext_password_provider_ldap_enabled %} - - module: "ldap_auth_provider.LdapAuthProvider" - config: - enabled: true - uri: {{ matrix_synapse_ext_password_provider_ldap_uri|string|to_json }} - start_tls: {{ matrix_synapse_ext_password_provider_ldap_start_tls|to_json }} - base: {{ matrix_synapse_ext_password_provider_ldap_base|string|to_json }} - attributes: - uid: {{ matrix_synapse_ext_password_provider_ldap_attributes_uid|string|to_json }} - mail: {{ matrix_synapse_ext_password_provider_ldap_attributes_mail|string|to_json }} - name: {{ matrix_synapse_ext_password_provider_ldap_attributes_name|string|to_json }} - bind_dn: {{ matrix_synapse_ext_password_provider_ldap_bind_dn|string|to_json }} - bind_password: {{ matrix_synapse_ext_password_provider_ldap_bind_password|string|to_json }} - filter: {{ matrix_synapse_ext_password_provider_ldap_filter|string|to_json }} -{% endif %} -{% endif %} - - -## Push ## - -push: - # Clients requesting push notifications can either have the body of - # the message sent in the notification poke along with other details - # like the sender, or just the event ID and room ID (`event_id_only`). - # If clients choose the former, this option controls whether the - # notification request includes the content of the event (other details - # like the sender are still included). For `event_id_only` push, it - # has no effect. - # - # For modern android devices the notification content will still appear - # because it is loaded by the app. iPhone, however will send a - # notification saying only that a message arrived and who it came from. - # - # The default value is "true" to include message details. Uncomment to only - # include the event ID and room ID in push notification payloads. - # - include_content: {{ matrix_synapse_push_include_content|to_json }} - - # When a push notification is received, an unread count is also sent. - # This number can either be calculated as the number of unread messages - # for the user, or the number of *rooms* the user has unread messages in. - # - # The default value is "true", meaning push clients will see the number of - # rooms with unread messages in them. Uncomment to instead send the number - # of unread messages. - # - #group_unread_count_by_room: false - - -# Spam checkers are third-party modules that can block specific actions -# of local users, such as creating rooms and registering undesirable -# usernames, as well as remote users by redacting incoming events. -# -# spam_checker: - #- module: "my_custom_project.SuperSpamChecker" - # config: - # example_option: 'things' - #- module: "some_other_project.BadEventStopper" - # config: - # example_stop_events_from: ['@bad:example.com'] -spam_checker: {{ matrix_synapse_spam_checker|to_json }} - - -## Rooms ## - -# Controls whether locally-created rooms should be end-to-end encrypted by -# default. -# -# Possible options are "all", "invite", and "off". They are defined as: -# -# * "all": any locally-created room -# * "invite": any room created with the "private_chat" or "trusted_private_chat" -# room creation presets -# * "off": this option will take no effect -# -# The default value is "off". -# -# Note that this option will only affect rooms created after it is set. It -# will also not affect rooms created by other servers. -# -#encryption_enabled_by_default_for_room_type: invite - - -# Uncomment to allow non-server-admin users to create groups on this server -# -enable_group_creation: {{ matrix_synapse_enable_group_creation|to_json }} - -# If enabled, non server admins can only create groups with local parts -# starting with this prefix -# -#group_creation_prefix: "unofficial_" - - - -# User Directory configuration -# -# 'enabled' defines whether users can search the user directory. If -# false then empty responses are returned to all queries. Defaults to -# true. -# -# 'search_all_users' defines whether to search all users visible to your HS -# when searching the user directory, rather than limiting to users visible -# in public rooms. Defaults to false. If you set it True, you'll have to -# rebuild the user_directory search indexes, see -# https://github.com/matrix-org/synapse/blob/master/docs/user_directory.md -# -#user_directory: -# enabled: true -# search_all_users: false - - -# User Consent configuration -# -# for detailed instructions, see -# https://github.com/matrix-org/synapse/blob/master/docs/consent_tracking.md -# -# Parts of this section are required if enabling the 'consent' resource under -# 'listeners', in particular 'template_dir' and 'version'. -# -# 'template_dir' gives the location of the templates for the HTML forms. -# This directory should contain one subdirectory per language (eg, 'en', 'fr'), -# and each language directory should contain the policy document (named as -# '.html') and a success page (success.html). -# -# 'version' specifies the 'current' version of the policy document. It defines -# the version to be served by the consent resource if there is no 'v' -# parameter. -# -# 'server_notice_content', if enabled, will send a user a "Server Notice" -# asking them to consent to the privacy policy. The 'server_notices' section -# must also be configured for this to work. Notices will *not* be sent to -# guest users unless 'send_server_notice_to_guests' is set to true. -# -# 'block_events_error', if set, will block any attempts to send events -# until the user consents to the privacy policy. The value of the setting is -# used as the text of the error. -# -# 'require_at_registration', if enabled, will add a step to the registration -# process, similar to how captcha works. Users will be required to accept the -# policy before their account is created. -# -# 'policy_name' is the display name of the policy users will see when registering -# for an account. Has no effect unless `require_at_registration` is enabled. -# Defaults to "Privacy Policy". -# -#user_consent: -# template_dir: res/templates/privacy -# version: 1.0 -# server_notice_content: -# msgtype: m.text -# body: >- -# To continue using this homeserver you must review and agree to the -# terms and conditions at %(consent_uri)s -# send_server_notice_to_guests: True -# block_events_error: >- -# To continue using this homeserver you must review and agree to the -# terms and conditions at %(consent_uri)s -# require_at_registration: False -# policy_name: Privacy Policy -# - - - -# Local statistics collection. Used in populating the room directory. -# -# 'bucket_size' controls how large each statistics timeslice is. It can -# be defined in a human readable short form -- e.g. "1d", "1y". -# -# 'retention' controls how long historical statistics will be kept for. -# It can be defined in a human readable short form -- e.g. "1d", "1y". -# -# -#stats: -# enabled: true -# bucket_size: 1d -# retention: 1y - - -# Server Notices room configuration -# -# Uncomment this section to enable a room which can be used to send notices -# from the server to users. It is a special room which cannot be left; notices -# come from a special "notices" user id. -# -# If you uncomment this section, you *must* define the system_mxid_localpart -# setting, which defines the id of the user which will be used to send the -# notices. -# -# It's also possible to override the room name, the display name of the -# "notices" user, and the avatar for the user. -# -#server_notices: -# system_mxid_localpart: notices -# system_mxid_display_name: "Server Notices" -# system_mxid_avatar_url: "mxc://server.com/oumMVlgDnLYFaPVkExemNVVZ" -# room_name: "Server Notices" - - - -# Uncomment to disable searching the public room list. When disabled -# blocks searching local and remote room lists for local and remote -# users by always returning an empty list for all queries. -# -#enable_room_list_search: false - -enable_room_list_search: {{ matrix_synapse_enable_room_list_search|to_json }} - -# The `alias_creation` option controls who's allowed to create aliases -# on this server. -# -# The format of this option is a list of rules that contain globs that -# match against user_id, room_id and the new alias (fully qualified with -# server name). The action in the first rule that matches is taken, -# which can currently either be "allow" or "deny". -# -# Missing user_id/room_id/alias fields default to "*". -# -# If no rules match the request is denied. An empty list means no one -# can create aliases. -# -# Options for the rules include: -# -# user_id: Matches against the creator of the alias -# alias: Matches against the alias being created -# room_id: Matches against the room ID the alias is being pointed at -# action: Whether to "allow" or "deny" the request if the rule matches -# -# The default is: -# -#alias_creation_rules: -# - user_id: "*" -# alias: "*" -# room_id: "*" -# action: allow - -alias_creation_rules: {{ matrix_synapse_alias_creation_rules|to_json }} - -# The `room_list_publication_rules` option controls who can publish and -# which rooms can be published in the public room list. -# -# The format of this option is the same as that for -# `alias_creation_rules`. -# -# If the room has one or more aliases associated with it, only one of -# the aliases needs to match the alias rule. If there are no aliases -# then only rules with `alias: *` match. -# -# If no rules match the request is denied. An empty list means no one -# can publish rooms. -# -# Options for the rules include: -# -# user_id: Matches against the creator of the alias -# room_id: Matches against the room ID being published -# alias: Matches against any current local or canonical aliases -# associated with the room -# action: Whether to "allow" or "deny" the request if the rule matches -# -# The default is: -# -#room_list_publication_rules: -# - user_id: "*" -# alias: "*" -# room_id: "*" -# action: allow - -room_list_publication_rules: {{ matrix_synapse_room_list_publication_rules|to_json }} - - -# Server admins can define a Python module that implements extra rules for -# allowing or denying incoming events. In order to work, this module needs to -# override the methods defined in synapse/events/third_party_rules.py. -# -# This feature is designed to be used in closed federations only, where each -# participating server enforces the same rules. -# -#third_party_event_rules: -# module: "my_custom_project.SuperRulesSet" -# config: -# example_option: 'things' - - -## Opentracing ## - -# These settings enable opentracing, which implements distributed tracing. -# This allows you to observe the causal chains of events across servers -# including requests, key lookups etc., across any server running -# synapse or any other other services which supports opentracing -# (specifically those implemented with Jaeger). -# -opentracing: - # tracing is disabled by default. Uncomment the following line to enable it. - # - #enabled: true - - # The list of homeservers we wish to send and receive span contexts and span baggage. - # See docs/opentracing.rst - # This is a list of regexes which are matched against the server_name of the - # homeserver. - # - # By default, it is empty, so no servers are matched. - # - #homeserver_whitelist: - # - ".*" - - # Jaeger can be configured to sample traces at different rates. - # All configuration options provided by Jaeger can be set here. - # Jaeger's configuration mostly related to trace sampling which - # is documented here: - # https://www.jaegertracing.io/docs/1.13/sampling/. - # - #jaeger_config: - # sampler: - # type: const - # param: 1 - - # Logging whether spans were started and reported - # - # logging: - # false - - -## Workers ## - -# Disables sending of outbound federation transactions on the main process. -# Uncomment if using a federation sender worker. -# -#send_federation: false - -# It is possible to run multiple federation sender workers, in which case the -# work is balanced across them. -# -# This configuration must be shared between all federation sender workers, and if -# changed all federation sender workers must be stopped at the same time and then -# started, to ensure that all instances are running with the same config (otherwise -# events may be dropped). -# -#federation_sender_instances: -# - federation_sender1 - -# When using workers this should be a map from `worker_name` to the -# HTTP replication listener of the worker, if configured. -# -#instance_map: -# worker1: -# host: localhost -# port: 8034 - -# Experimental: When using workers you can define which workers should -# handle event persistence and typing notifications. Any worker -# specified here must also be in the `instance_map`. -# -#stream_writers: -# events: worker1 -# typing: worker1 - -# The worker that is used to run background tasks (e.g. cleaning up expired -# data). If not provided this defaults to the main process. -# -#run_background_tasks_on: worker1 - -# A shared secret used by the replication APIs to authenticate HTTP requests -# from workers. -# -# By default this is unused and traffic is not authenticated. -# -#worker_replication_secret: "" - - -# Configuration for Redis when using workers. This *must* be enabled when -# using workers (unless using old style direct TCP configuration). -# -redis: - # Uncomment the below to enable Redis support. - # - #enabled: true - - # Optional host and port to use to connect to redis. Defaults to - # localhost and 6379 - # - #host: localhost - #port: 6379 - - # Optional password if configured on the Redis instance - # - #password: - -# vim:ft=yaml diff --git a/roles/matrix-dendrite/templates/goofys/env-goofys.j2 b/roles/matrix-dendrite/templates/goofys/env-goofys.j2 deleted file mode 100644 index 2955efdd..00000000 --- a/roles/matrix-dendrite/templates/goofys/env-goofys.j2 +++ /dev/null @@ -1,3 +0,0 @@ -#jinja2: lstrip_blocks: "True" -AWS_ACCESS_KEY={{ matrix_s3_media_store_aws_access_key }} -AWS_SECRET_KEY={{ matrix_s3_media_store_aws_secret_key }} diff --git a/roles/matrix-dendrite/templates/goofys/systemd/matrix-goofys.service.j2 b/roles/matrix-dendrite/templates/goofys/systemd/matrix-goofys.service.j2 deleted file mode 100644 index 44ec3d4a..00000000 --- a/roles/matrix-dendrite/templates/goofys/systemd/matrix-goofys.service.j2 +++ /dev/null @@ -1,39 +0,0 @@ -#jinja2: lstrip_blocks: "True" -[Unit] -Description=Matrix Goofys media store -After=docker.service -Requires=docker.service -DefaultDependencies=no - -[Service] -Type=simple -Environment="HOME={{ matrix_systemd_unit_home_path }}" -ExecStartPre=-{{ matrix_host_command_docker }} kill %n -ExecStartPre=-{{ matrix_host_command_docker }} rm %n - -ExecStart={{ matrix_host_command_docker }} run --rm --name %n \ - --log-driver=none \ - --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ - --mount type=bind,src=/etc/passwd,dst=/etc/passwd,ro \ - --mount type=bind,src=/etc/group,dst=/etc/group,ro \ - --mount type=bind,src={{ matrix_dendrite_media_store_path }},dst=/s3,bind-propagation=shared \ - --security-opt apparmor:unconfined \ - --cap-add mknod \ - --cap-add sys_admin \ - --device=/dev/fuse \ - --env-file={{ matrix_dendrite_config_dir_path }}/env-goofys \ - --entrypoint /bin/sh \ - {{ matrix_s3_goofys_docker_image }} \ - -c 'goofys -f{% if not matrix_s3_media_store_custom_endpoint_enabled %} --storage-class=STANDARD_IA{% endif %}{% if matrix_s3_media_store_custom_endpoint_enabled %} --endpoint={{ matrix_s3_media_store_custom_endpoint }}{% endif %} --region {{ matrix_s3_media_store_region }} --stat-cache-ttl 60m0s --type-cache-ttl 60m0s --dir-mode 0700 --file-mode 0700 {{ matrix_s3_media_store_bucket_name }} /s3' - -TimeoutStartSec=5min -ExecStop=-{{ matrix_host_command_docker }} stop %n -ExecStop=-{{ matrix_host_command_docker }} kill %n -ExecStop=-{{ matrix_host_command_docker }} rm %n -ExecStop=-{{ matrix_host_command_fusermount }} -u {{ matrix_dendrite_media_store_path }} -Restart=always -RestartSec=5 -SyslogIdentifier=matrix-goofys - -[Install] -WantedBy=multi-user.target From 265d0485979dde74511dc89387b4146d23188353 Mon Sep 17 00:00:00 2001 From: Aaron Raimist Date: Sun, 31 Jan 2021 01:33:19 -0600 Subject: [PATCH 122/202] Upgrade Dendrite (0.3.6 -> 0.3.8) --- roles/matrix-dendrite/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-dendrite/defaults/main.yml b/roles/matrix-dendrite/defaults/main.yml index d231553e..ab472be5 100644 --- a/roles/matrix-dendrite/defaults/main.yml +++ b/roles/matrix-dendrite/defaults/main.yml @@ -5,7 +5,7 @@ matrix_dendrite_enabled: false matrix_dendrite_docker_image: "{{ matrix_dendrite_docker_image_name_prefix }}matrixdotorg/dendrite-monolith:{{ matrix_dendrite_docker_image_tag }}" matrix_dendrite_docker_image_name_prefix: "docker.io/" -matrix_dendrite_docker_image_tag: "v0.3.6" +matrix_dendrite_docker_image_tag: "v0.3.8" matrix_dendrite_docker_image_force_pull: "{{ matrix_dendrite_docker_image.endswith(':latest') }}" matrix_dendrite_base_path: "{{ matrix_base_data_path }}/dendrite" From cde2504966ae50c33c8896fbb4ea6f2c4418db07 Mon Sep 17 00:00:00 2001 From: "Jip J. Dekker" Date: Thu, 11 Feb 2021 13:25:56 +1100 Subject: [PATCH 123/202] Upgrade Dendrite (0.3.8 -> 0.3.9) --- roles/matrix-dendrite/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-dendrite/defaults/main.yml b/roles/matrix-dendrite/defaults/main.yml index ab472be5..d6dd7910 100644 --- a/roles/matrix-dendrite/defaults/main.yml +++ b/roles/matrix-dendrite/defaults/main.yml @@ -5,7 +5,7 @@ matrix_dendrite_enabled: false matrix_dendrite_docker_image: "{{ matrix_dendrite_docker_image_name_prefix }}matrixdotorg/dendrite-monolith:{{ matrix_dendrite_docker_image_tag }}" matrix_dendrite_docker_image_name_prefix: "docker.io/" -matrix_dendrite_docker_image_tag: "v0.3.8" +matrix_dendrite_docker_image_tag: "v0.3.9" matrix_dendrite_docker_image_force_pull: "{{ matrix_dendrite_docker_image.endswith(':latest') }}" matrix_dendrite_base_path: "{{ matrix_base_data_path }}/dendrite" From 953a9ac7188d39e05f477efa98201900f6b800b9 Mon Sep 17 00:00:00 2001 From: "Jip J. Dekker" Date: Tue, 6 Apr 2021 09:56:34 +1000 Subject: [PATCH 124/202] Upgrade Dendrite (0.3.9 -> 0.3.11) --- roles/matrix-dendrite/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-dendrite/defaults/main.yml b/roles/matrix-dendrite/defaults/main.yml index d6dd7910..4f7f6a92 100644 --- a/roles/matrix-dendrite/defaults/main.yml +++ b/roles/matrix-dendrite/defaults/main.yml @@ -5,7 +5,7 @@ matrix_dendrite_enabled: false matrix_dendrite_docker_image: "{{ matrix_dendrite_docker_image_name_prefix }}matrixdotorg/dendrite-monolith:{{ matrix_dendrite_docker_image_tag }}" matrix_dendrite_docker_image_name_prefix: "docker.io/" -matrix_dendrite_docker_image_tag: "v0.3.9" +matrix_dendrite_docker_image_tag: "v0.3.11" matrix_dendrite_docker_image_force_pull: "{{ matrix_dendrite_docker_image.endswith(':latest') }}" matrix_dendrite_base_path: "{{ matrix_base_data_path }}/dendrite" From ccd3dc7a573ad136ecfad1b386fafadc64281213 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 27 Oct 2021 14:14:21 +0300 Subject: [PATCH 125/202] Remove Dendrite file logging We refrain from logging to files for all components, because we rely on systemd-journald anyway. --- roles/matrix-dendrite/defaults/main.yml | 4 ---- .../tasks/dendrite/setup_install.yml | 8 ------- .../templates/dendrite/dendrite.yaml.j2 | 22 ++++++++----------- .../systemd/matrix-dendrite.service.j2 | 1 - .../matrix-dendrite-create-account.j2 | 2 +- 5 files changed, 10 insertions(+), 27 deletions(-) diff --git a/roles/matrix-dendrite/defaults/main.yml b/roles/matrix-dendrite/defaults/main.yml index 4f7f6a92..1d80e0b0 100644 --- a/roles/matrix-dendrite/defaults/main.yml +++ b/roles/matrix-dendrite/defaults/main.yml @@ -53,10 +53,6 @@ matrix_dendrite_max_file_size_bytes: 10485760 # The tmpfs at /tmp needs to be large enough to handle multiple concurrent file uploads. matrix_dendrite_tmp_directory_size_mb: 500 -# Log levels -matrix_dendrite_log_level: "warning" -matrix_dendrite_log_path: "/var/log/dendrite" - # Rate limits matrix_dendrite_rate_limiting_enabled: true matrix_dendrite_rate_limiting_threshold: 5 diff --git a/roles/matrix-dendrite/tasks/dendrite/setup_install.yml b/roles/matrix-dendrite/tasks/dendrite/setup_install.yml index 182b6c1c..2752d51e 100644 --- a/roles/matrix-dendrite/tasks/dendrite/setup_install.yml +++ b/roles/matrix-dendrite/tasks/dendrite/setup_install.yml @@ -17,14 +17,6 @@ group: "{{ matrix_user_groupname }}" when: "not local_path_media_store_stat.failed and not local_path_media_store_stat.stat.exists" -- name: Ensure Dendrite log path exists - file: - path: "{{ matrix_dendrite_log_path }}" - state: directory - mode: 0644 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - - name: Ensure Dendrite Docker image is pulled docker_image: name: "{{ matrix_dendrite_docker_image }}" diff --git a/roles/matrix-dendrite/templates/dendrite/dendrite.yaml.j2 b/roles/matrix-dendrite/templates/dendrite/dendrite.yaml.j2 index 2ec6c088..5a127fb7 100644 --- a/roles/matrix-dendrite/templates/dendrite/dendrite.yaml.j2 +++ b/roles/matrix-dendrite/templates/dendrite/dendrite.yaml.j2 @@ -6,7 +6,7 @@ # # At a minimum, to get started, you will need to update the settings in the # "global" section for your deployment, and you will need to check that the -# database "connection_string" line in each component section is correct. +# database "connection_string" line in each component section is correct. # # Each component with a "database" section can accept the following formats # for "connection_string": @@ -21,13 +21,13 @@ # small number of users and likely will perform worse still with a higher volume # of users. # -# The "max_open_conns" and "max_idle_conns" settings configure the maximum +# The "max_open_conns" and "max_idle_conns" settings configure the maximum # number of open/idle database connections. The value 0 will use the database # engine default, and a negative value will use unlimited connections. The # "conn_max_lifetime" option controls the maximum length of time a database # connection can be idle in seconds - a negative value is unlimited. -# The version of the configuration file. +# The version of the configuration file. version: 1 # Global Matrix configuration. This configuration applies to all components. @@ -133,13 +133,13 @@ client_api: # Whether to require reCAPTCHA for registration. enable_registration_captcha: {{ matrix_dendrite_enable_registration_captcha|to_json }} - # Settings for ReCAPTCHA. + # Settings for ReCAPTCHA. recaptcha_public_key: {{ matrix_dendrite_recaptcha_public_key|to_json }} recaptcha_private_key: {{ matrix_dendrite_recaptcha_private_key|to_json }} recaptcha_bypass_secret: "" recaptcha_siteverify_api: "" - # TURN server information that this homeserver should send to clients. + # TURN server information that this homeserver should send to clients. turn: turn_user_lifetime: "" turn_uris: {{ matrix_dendrite_turn_uris|to_json }} @@ -148,7 +148,7 @@ client_api: turn_password: "" # Settings for rate-limited endpoints. Rate limiting will kick in after the - # threshold number of "slots" have been taken by requests from a specific + # threshold number of "slots" have been taken by requests from a specific # host. Each "slot" will be released after the cooloff time in milliseconds. rate_limiting: enabled: {{ matrix_dendrite_rate_limiting_enabled|to_json }} @@ -192,7 +192,7 @@ federation_sender: # Disable the validation of TLS certificates of remote federated homeservers. Do not # enable this option in production as it presents a security risk! - disable_tls_validation: {{ matrix_dendrite_disable_tls_validation }} + disable_tls_validation: {{ matrix_dendrite_disable_tls_validation }} # Use the following proxy server for outbound federation traffic. proxy_outbound: @@ -282,7 +282,7 @@ signing_key_server: public_key: Noi6WqcDj0QmPxCNQqgezwTlBKrfqehY1u2FyWP9uYw - key_id: ed25519:a_RXGa public_key: l8Hft5qXKn1vfHrg3p4+W8gELQVo8N13JkluMfmn2sQ - + # This option will control whether Dendrite will prefer to look up keys directly # or whether it should try perspective servers first, using direct fetches as a # last resort. @@ -335,8 +335,4 @@ tracing: # Logging configuration, in addition to the standard logging that is sent to # stdout by Dendrite. -logging: -- type: file - level: {{ matrix_dendrite_log_level }} - params: - path: /var/log/dendrite +logging: [] diff --git a/roles/matrix-dendrite/templates/dendrite/systemd/matrix-dendrite.service.j2 b/roles/matrix-dendrite/templates/dendrite/systemd/matrix-dendrite.service.j2 index 66a7c1f8..b41f6c2c 100644 --- a/roles/matrix-dendrite/templates/dendrite/systemd/matrix-dendrite.service.j2 +++ b/roles/matrix-dendrite/templates/dendrite/systemd/matrix-dendrite.service.j2 @@ -37,7 +37,6 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-dendrite \ {% endif %} --mount type=bind,src={{ matrix_dendrite_config_dir_path }},dst=/data,ro \ --mount type=bind,src={{ matrix_dendrite_storage_path }},dst=/matrix-media-store-parent,bind-propagation=slave \ - --mount type=bind,src={{ matrix_dendrite_log_path }},dst=/var/log/dendrite,bind-propagation=slave \ {% for volume in matrix_dendrite_container_additional_volumes %} -v {{ volume.src }}:{{ volume.dst }}:{{ volume.options }} \ {% endfor %} diff --git a/roles/matrix-dendrite/templates/dendrite/usr-local-bin/matrix-dendrite-create-account.j2 b/roles/matrix-dendrite/templates/dendrite/usr-local-bin/matrix-dendrite-create-account.j2 index ebacb681..d9572ac7 100644 --- a/roles/matrix-dendrite/templates/dendrite/usr-local-bin/matrix-dendrite-create-account.j2 +++ b/roles/matrix-dendrite/templates/dendrite/usr-local-bin/matrix-dendrite-create-account.j2 @@ -9,4 +9,4 @@ fi user=$1 password=$2 -docker exec matrix-dendrite create-account --config /data/dendrite.yaml --user "$user" --password "$password" +docker exec matrix-dendrite create-account --config /data/dendrite.yaml --user "$user" --password "$password" From 5b148921a026d72c92ab6e81d83d345926ba0e7b Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 27 Oct 2021 15:06:29 +0300 Subject: [PATCH 126/202] Upgrade Dendrite (0.3.11 -> 0.5.0) and update configuration This brings dendrite.yaml up to date and cleans things up a bit. --- group_vars/matrix_servers | 8 +- roles/matrix-dendrite/defaults/main.yml | 9 ++- .../tasks/dendrite/setup_install.yml | 2 +- .../matrix-dendrite/tasks/validate_config.yml | 3 +- .../templates/dendrite/dendrite.yaml.j2 | 73 ++++++++++++++++--- 5 files changed, 77 insertions(+), 18 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 18351f32..51d7dee4 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -1548,6 +1548,10 @@ matrix_postgres_additional_databases: | 'name': matrix_dendrite_device_database, 'username': matrix_dendrite_database_user, 'password': matrix_dendrite_database_password, + },{ + 'name': matrix_dendrite_mscs_database, + 'username': matrix_dendrite_database_user, + 'password': matrix_dendrite_database_password, }] if (matrix_dendrite_enabled and matrix_dendrite_database_hostname == 'matrix-postgres') else []) + ([{ @@ -2184,7 +2188,9 @@ matrix_dendrite_container_client_api_host_bind_port: "{{ '' if matrix_nginx_prox # For exposing the Matrix Federation API's TLS port (HTTPS) to the internet on all network interfaces. matrix_dendrite_container_federation_api_tls_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else matrix_federation_public_port }}" -matrix_dendrite_database_password: "{{ matrix_dendrite_macaroon_secret_key | password_hash('sha512', 'dendrite.db') | to_uuid }}" +matrix_dendrite_registration_shared_secret: "{{ matrix_dendrite_generic_secret_key | password_hash('sha512', 'dendrite.rss') | to_uuid }}" + +matrix_dendrite_database_password: "{{ matrix_dendrite_generic_secret_key | password_hash('sha512', 'dendrite.db') | to_uuid }}" # Even if TURN doesn't support TLS (it does by default), # it doesn't hurt to try a secure connection anyway. diff --git a/roles/matrix-dendrite/defaults/main.yml b/roles/matrix-dendrite/defaults/main.yml index 1d80e0b0..e8e307ed 100644 --- a/roles/matrix-dendrite/defaults/main.yml +++ b/roles/matrix-dendrite/defaults/main.yml @@ -5,7 +5,7 @@ matrix_dendrite_enabled: false matrix_dendrite_docker_image: "{{ matrix_dendrite_docker_image_name_prefix }}matrixdotorg/dendrite-monolith:{{ matrix_dendrite_docker_image_tag }}" matrix_dendrite_docker_image_name_prefix: "docker.io/" -matrix_dendrite_docker_image_tag: "v0.3.11" +matrix_dendrite_docker_image_tag: "v0.5.0" matrix_dendrite_docker_image_force_pull: "{{ matrix_dendrite_docker_image.endswith(':latest') }}" matrix_dendrite_base_path: "{{ matrix_base_data_path }}/dendrite" @@ -43,10 +43,10 @@ matrix_dendrite_systemd_wanted_services_list: [] # matrix_dendrite_template_dendrite_config: "{{ playbook_dir }}/inventory/host_vars//dendrite.yaml.j2" matrix_dendrite_template_dendrite_config: "{{ role_path }}/templates/dendrite/dendrite.yaml.j2" -matrix_dendrite_macaroon_secret_key: "" -matrix_dendrite_registration_shared_secret: "{{ matrix_dendrite_macaroon_secret_key }}" +# A secret used to derive various other secrets +matrix_dendrite_generic_secret_key: '' +matrix_dendrite_registration_shared_secret: '' matrix_dendrite_allow_guest_access: false -matrix_dendrite_form_secret: "{{ matrix_dendrite_macaroon_secret_key }}" matrix_dendrite_max_file_size_bytes: 10485760 @@ -101,6 +101,7 @@ matrix_dendrite_singingkeyserver_database: "dendrite_sigingkeyserver" matrix_dendrite_syncapi_database: "dendrite_syncapi" matrix_dendrite_account_database: "dendrite_account" matrix_dendrite_device_database: "dendrite_device" +matrix_dendrite_mscs_database: "dendrite_mscs" matrix_dendrite_turn_uris: [] matrix_dendrite_turn_shared_secret: "" diff --git a/roles/matrix-dendrite/tasks/dendrite/setup_install.yml b/roles/matrix-dendrite/tasks/dendrite/setup_install.yml index 2752d51e..2e319e17 100644 --- a/roles/matrix-dendrite/tasks/dendrite/setup_install.yml +++ b/roles/matrix-dendrite/tasks/dendrite/setup_install.yml @@ -36,7 +36,7 @@ command: | docker run --rm - --name=matrix-config + --name=matrix-dendrite-config --entrypoint=generate-keys --mount type=bind,src={{ matrix_dendrite_config_dir_path }},dst=/data {{ matrix_dendrite_docker_image }} --private-key=/data/{{ matrix_server_fqn_matrix }}.signing.pem diff --git a/roles/matrix-dendrite/tasks/validate_config.yml b/roles/matrix-dendrite/tasks/validate_config.yml index 8c7ee4d2..9e7db426 100644 --- a/roles/matrix-dendrite/tasks/validate_config.yml +++ b/roles/matrix-dendrite/tasks/validate_config.yml @@ -5,7 +5,8 @@ You need to define a required configuration setting (`{{ item }}`) for using Dendrite. when: "vars[item] == ''" with_items: - - "matrix_dendrite_macaroon_secret_key" + - "matrix_dendrite_generic_secret_key" + - "matrix_dendrite_registration_shared_secret" - name: (Deprecation) Catch and report renamed settings fail: diff --git a/roles/matrix-dendrite/templates/dendrite/dendrite.yaml.j2 b/roles/matrix-dendrite/templates/dendrite/dendrite.yaml.j2 index 5a127fb7..f5744dd5 100644 --- a/roles/matrix-dendrite/templates/dendrite/dendrite.yaml.j2 +++ b/roles/matrix-dendrite/templates/dendrite/dendrite.yaml.j2 @@ -33,9 +33,11 @@ version: 1 # Global Matrix configuration. This configuration applies to all components. global: # The domain name of this homeserver. - server_name: {{ matrix_domain }} + server_name: {{ matrix_domain|to_json }} # The path to the signing private key file, used to sign requests and events. + # Note that this is NOT the same private key as used for TLS! To generate a + # signing key, use "./bin/generate-keys --private-key matrix_key.pem". private_key: "/data/{{ matrix_server_fqn_matrix }}.signing.pem" # The paths and expiry timestamps (as a UNIX timestamp in millisecond precision) @@ -52,16 +54,23 @@ global: # considered valid by other homeservers. key_validity_period: 168h0m0s + # The server name to delegate server-server communications to, with optional port + # e.g. localhost:443 + well_known_server_name: "" + # Lists of domains that the server will trust as identity servers to verify third # party identifiers such as phone numbers and email addresses. trusted_third_party_id_servers: {{ matrix_dendrite_trusted_id_servers|to_json }} + # Disables federation. Dendrite will not be able to make any outbound HTTP requests + # to other servers and the federation API will not be exposed. + disable_federation: false + # Configuration for Kafka/Naffka. kafka: # List of Kafka broker addresses to connect to. This is not needed if using # Naffka in monolith mode. - addresses: - - kafka:9092 + addresses: [] # The prefix to use for Kafka topic names for this homeserver. Change this only if # you are running more than one Dendrite homeserver on the same Kafka deployment. @@ -72,6 +81,12 @@ global: # Kafka. use_naffka: true + # The max size a Kafka message is allowed to use. + # You only need to change this value, if you encounter issues with too large messages. + # Must be less than/equal to "max.message.bytes" configured in Kafka. + # Defaults to 8388608 bytes. + # max_message_bytes: 8388608 + # Naffka database options. Not required when using Kafka. naffka_database: connection_string: {{ matrix_dendrite_database_str }}/{{ matrix_dendrite_naffka_database }}?sslmode=disable @@ -82,12 +97,12 @@ global: # Configuration for Prometheus metric collection. metrics: # Whether or not Prometheus metrics are enabled. - enabled: {{ matrix_dendrite_metrics_enabled }} + enabled: {{ matrix_dendrite_metrics_enabled|to_json }} # HTTP basic authentication to protect access to monitoring. basic_auth: - username: {{ matrix_dendrite_metrics_username }} - password: {{ matrix_dendrite_metrics_password }} + username: {{ matrix_dendrite_metrics_username|to_json }} + password: {{ matrix_dendrite_metrics_password|to_json }} # DNS cache options. The DNS cache may reduce the load on DNS servers # if there is no local caching resolver available for use. @@ -98,7 +113,7 @@ global: # Maximum number of entries to hold in the DNS cache, and # for how long those items should be considered valid in seconds. cache_size: 256 - cache_lifetime: 300 + cache_lifetime: "5m" # 5minutes; see https://pkg.go.dev/time@master#ParseDuration for more # Configuration for the Appservice API. app_service_api: @@ -111,6 +126,11 @@ app_service_api: max_idle_conns: 2 conn_max_lifetime: -1 + # Disable the validation of TLS certificates of appservices. This is + # not recommended in production since it may allow appservice traffic + # to be sent to an unverified endpoint. + disable_tls_validation: false + # Appservice configuration files to load into this homeserver. config_files: {{ matrix_dendrite_app_service_config_files|to_json }} @@ -192,7 +212,7 @@ federation_sender: # Disable the validation of TLS certificates of remote federated homeservers. Do not # enable this option in production as it presents a security risk! - disable_tls_validation: {{ matrix_dendrite_disable_tls_validation }} + disable_tls_validation: {{ matrix_dendrite_disable_tls_validation|to_json }} # Use the following proxy server for outbound federation traffic. proxy_outbound: @@ -229,8 +249,9 @@ media_api: base_path: "/matrix-media-store-parent/{{ matrix_dendrite_media_store_directory_name }}" # The maximum allowed file size (in bytes) for media uploads to this homeserver - # (0 = unlimited). - max_file_size_bytes: {{ matrix_dendrite_max_file_size_bytes }} + # (0 = unlimited). If using a reverse proxy, ensure it allows requests at + # least this large (e.g. client_max_body_size in nginx.) + max_file_size_bytes: {{ matrix_dendrite_max_file_size_bytes|to_json }} # Whether to dynamically generate thumbnails if needed. dynamic_thumbnails: false @@ -250,6 +271,19 @@ media_api: height: 480 method: scale +# Configuration for experimental MSC's +mscs: + # A list of enabled MSC's + # Currently valid values are: + # - msc2836 (Threading, see https://github.com/matrix-org/matrix-doc/pull/2836) + # - msc2946 (Spaces Summary, see https://github.com/matrix-org/matrix-doc/pull/2946) + mscs: [] + database: + connection_string: {{ matrix_dendrite_database_str }}/{{ matrix_dendrite_mscs_database }}?sslmode=disable + max_open_conns: 5 + max_idle_conns: 2 + conn_max_lifetime: -1 + # Configuration for the Room Server. room_server: internal_api: @@ -261,7 +295,7 @@ room_server: max_idle_conns: 2 conn_max_lifetime: -1 -# Configuration for the Server Key API (for server signing keys). +# Configuration for the Signing Key Server (for server signing keys). signing_key_server: internal_api: listen: http://0.0.0.0:7780 @@ -301,8 +335,20 @@ sync_api: max_idle_conns: 2 conn_max_lifetime: -1 + # This option controls which HTTP header to inspect to find the real remote IP + # address of the client. This is likely required if Dendrite is running behind + # a reverse proxy server. + # real_ip_header: X-Real-IP + # Configuration for the User API. user_api: + # The cost when hashing passwords on registration/login. Default: 10. Min: 4, Max: 31 + # See https://pkg.go.dev/golang.org/x/crypto/bcrypt for more information. + # Setting this lower makes registration/login consume less CPU resources at the cost of security + # should the database be compromised. Setting this higher makes registration/login consume more + # CPU resources but makes it harder to brute force password hashes. + # This value can be low if performing tests or on embedded Dendrite instances (e.g WASM builds) + # bcrypt_cost: 10 internal_api: listen: http://0.0.0.0:7781 connect: http://user_api:7781 @@ -316,6 +362,11 @@ user_api: max_open_conns: 10 max_idle_conns: 2 conn_max_lifetime: -1 + # The length of time that a token issued for a relying party from + # /_matrix/client/r0/user/{userId}/openid/request_token endpoint + # is considered to be valid in milliseconds. + # The default lifetime is 3600000ms (60 minutes). + # openid_token_lifetime_ms: 3600000 # Configuration for Opentracing. # See https://github.com/matrix-org/dendrite/tree/master/docs/tracing for information on From b2b62b722154c921bfb114a5dffc999149725d9c Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 1 Nov 2021 17:51:05 +0200 Subject: [PATCH 127/202] Add a variable to control Dendrite's disable_federation setting --- roles/matrix-dendrite/defaults/main.yml | 4 ++++ roles/matrix-dendrite/templates/dendrite/dendrite.yaml.j2 | 2 +- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/roles/matrix-dendrite/defaults/main.yml b/roles/matrix-dendrite/defaults/main.yml index e8e307ed..61e5f710 100644 --- a/roles/matrix-dendrite/defaults/main.yml +++ b/roles/matrix-dendrite/defaults/main.yml @@ -114,6 +114,10 @@ matrix_dendrite_trusted_id_servers: - "matrix.org" - "vector.im" +# Controls whether Dendrite will federate at all. +# Disable this to completely isolate your server from the rest of the Matrix network. +matrix_dendrite_disable_federation: false + # Default Dendrite configuration template which covers the generic use case. # You can customize it by controlling the various variables inside it. # diff --git a/roles/matrix-dendrite/templates/dendrite/dendrite.yaml.j2 b/roles/matrix-dendrite/templates/dendrite/dendrite.yaml.j2 index f5744dd5..2559be15 100644 --- a/roles/matrix-dendrite/templates/dendrite/dendrite.yaml.j2 +++ b/roles/matrix-dendrite/templates/dendrite/dendrite.yaml.j2 @@ -64,7 +64,7 @@ global: # Disables federation. Dendrite will not be able to make any outbound HTTP requests # to other servers and the federation API will not be exposed. - disable_federation: false + disable_federation: {{ matrix_dendrite_disable_federation|to_json }} # Configuration for Kafka/Naffka. kafka: From 63968cb04f5c375ff3e2e13417bcb5b2e31cb919 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 17 Dec 2021 17:17:34 +0200 Subject: [PATCH 128/202] Upgrade Dendrite (0.5.0 -> 0.5.1) --- roles/matrix-dendrite/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-dendrite/defaults/main.yml b/roles/matrix-dendrite/defaults/main.yml index 61e5f710..1c1e7596 100644 --- a/roles/matrix-dendrite/defaults/main.yml +++ b/roles/matrix-dendrite/defaults/main.yml @@ -5,7 +5,7 @@ matrix_dendrite_enabled: false matrix_dendrite_docker_image: "{{ matrix_dendrite_docker_image_name_prefix }}matrixdotorg/dendrite-monolith:{{ matrix_dendrite_docker_image_tag }}" matrix_dendrite_docker_image_name_prefix: "docker.io/" -matrix_dendrite_docker_image_tag: "v0.5.0" +matrix_dendrite_docker_image_tag: "v0.5.1" matrix_dendrite_docker_image_force_pull: "{{ matrix_dendrite_docker_image.endswith(':latest') }}" matrix_dendrite_base_path: "{{ matrix_base_data_path }}/dendrite" From 3cf9f87097940c13a7839c050a40c58cbbc4facd Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 17 Dec 2021 19:00:17 +0200 Subject: [PATCH 129/202] Add matrix_homeserver_implementation, tracking the current homeserver implementation The goal is to have a single variable which tells us which homeserver software is in use. Much simpler than having if/elif/elif checks for variables like (`matrix_synapse_enabled` and `matrix_dendrite_enabled`, etc.) everywhere. --- group_vars/matrix_servers | 11 +++++++++++ roles/matrix-base/defaults/main.yml | 7 +++++++ roles/matrix-base/tasks/sanity_check.yml | 11 +++++++++++ roles/matrix-base/vars/main.yml | 2 +- 4 files changed, 30 insertions(+), 1 deletion(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 51d7dee4..b40d6298 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -17,6 +17,17 @@ matrix_container_global_registry_prefix: "docker.io/" # ###################################################################### +matrix_homeserver_enabled_implementations_list: | + {{ + ( + (['synapse'] if matrix_synapse_enabled else []) + + + (['dendrite'] if matrix_dendrite_enabled else []) + ) + }} + +matrix_homeserver_implementation: "{{ matrix_homeserver_enabled_implementations_list[0] if matrix_homeserver_enabled_implementations_list|length == 1 else '' }}" + matrix_identity_server_url: "{{ ('https://' + matrix_server_fqn_matrix) if matrix_ma1sd_enabled else None }}" # If Synapse workers are enabled and matrix-nginx-proxy is disabled, certain APIs may not work over 'http://matrix-synapse:{{ matrix_synapse_container_client_api_port }}'. diff --git a/roles/matrix-base/defaults/main.yml b/roles/matrix-base/defaults/main.yml index 9b137bae..9fc14e8a 100644 --- a/roles/matrix-base/defaults/main.yml +++ b/roles/matrix-base/defaults/main.yml @@ -7,6 +7,13 @@ # Example value: example.com matrix_domain: ~ +# This will contain the homeserver implementation that is in use. +# Example values: 'synapse', 'dendrite', etc. +# You normally don't need to set this variable manually. +# Its value is automatically set depending on the homeserver implementation that you have enabled via other variables +# (e.g. `matrix_synapse_enabled`, `matrix_dendrite_enabled`, etc.) +matrix_homeserver_implementation: '' + # This is where your data lives and what we set up. # This and the Element FQN (see below) are expected to be on the same server. matrix_server_fqn_matrix: "matrix.{{ matrix_domain }}" diff --git a/roles/matrix-base/tasks/sanity_check.yml b/roles/matrix-base/tasks/sanity_check.yml index 265dc282..1e525b80 100644 --- a/roles/matrix-base/tasks/sanity_check.yml +++ b/roles/matrix-base/tasks/sanity_check.yml @@ -1,5 +1,16 @@ --- +- name: Fail if 0 or more than 1 homeserver implementations enabled + fail: + msg: >- + You have 0 or more than 1 homeserver implementations enabled + ({{ matrix_homeserver_enabled_implementations_list|join(', ') }}). + + If you have more than 1 implementation enabled, you can disable the unnecessary implementations by adding `matrix_IMPLEMENTATION_enabled: false` to your vars.yml file. + + If you have 0 implementations enabled, you can enable one by adding `matrix_IMPLEMENTATION_enabled: false` to your vars.yml file (e.g. `matrix_dendrite_enabled: true`). + when: "matrix_homeserver_enabled_implementations_list|length != 1" + # We generally support Ansible 2.7.1 and above. - name: Fail if running on Ansible < 2.7.1 fail: diff --git a/roles/matrix-base/vars/main.yml b/roles/matrix-base/vars/main.yml index e4e9c166..8b99708b 100644 --- a/roles/matrix-base/vars/main.yml +++ b/roles/matrix-base/vars/main.yml @@ -1,3 +1,3 @@ # This will contain a list of enabled services that the playbook is managing. # Each component is expected to append its service name to this list. -matrix_systemd_services_list: [] \ No newline at end of file +matrix_systemd_services_list: [] From 2f57c5173347584ea2e07e2472656b5e0beca57d Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 18 Dec 2021 10:38:00 +0200 Subject: [PATCH 130/202] Remove useless check Since 025a5ab5e5f6bdb3, we do a similar check in matrix-base. --- roles/matrix-dendrite/tasks/init.yml | 5 ----- 1 file changed, 5 deletions(-) diff --git a/roles/matrix-dendrite/tasks/init.yml b/roles/matrix-dendrite/tasks/init.yml index 8457c63d..28709469 100644 --- a/roles/matrix-dendrite/tasks/init.yml +++ b/roles/matrix-dendrite/tasks/init.yml @@ -5,8 +5,3 @@ - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-goofys.service'] }}" when: matrix_s3_media_store_enabled|bool - -- name: Fail when using also using Synapse - fail: - msg: "To use Dendrite as your matrix server, you should disable Synapse." - when: "matrix_dendrite_enabled and matrix_synapse_enabled" From ecc237bbad4b21edce37faba67864a36fde5a5cb Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 18 Dec 2021 10:50:44 +0200 Subject: [PATCH 131/202] Initial work on getting nginx reverse proxying working with Dendrite --- group_vars/matrix_servers | 30 +++++++-- roles/matrix-dendrite/defaults/main.yml | 14 +++- .../tasks/dendrite/setup_install.yml | 2 +- roles/matrix-dendrite/tasks/main.yml | 4 +- .../tasks/self_check_client_api.yml | 4 +- .../tasks/self_check_federation_api.yml | 7 +- .../templates/dendrite/dendrite.yaml.j2 | 2 +- .../systemd/matrix-dendrite.service.j2 | 3 +- roles/matrix-nginx-proxy/defaults/main.yml | 25 ++++--- .../tasks/setup_nginx_proxy.yml | 13 ++++ .../nginx/conf.d/matrix-dendrite.conf.j2 | 67 +++++++++++++++++++ 11 files changed, 143 insertions(+), 28 deletions(-) create mode 100644 roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dendrite.conf.j2 diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index b40d6298..587ef243 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -1365,7 +1365,13 @@ matrix_nginx_proxy_enabled: true matrix_nginx_proxy_proxy_matrix_client_api_addr_with_container: "{{ 'matrix-corporal:41080' if matrix_corporal_enabled else 'matrix-nginx-proxy:12080' }}" matrix_nginx_proxy_proxy_matrix_client_api_addr_sans_container: "{{ '127.0.0.1:41080' if matrix_corporal_enabled else '127.0.0.1:12080' }}" -matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb: "{{ matrix_synapse_max_upload_size_mb }}" +matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb: |- + {{ + { + 'synapse': matrix_synapse_max_upload_size_mb, + 'dendrite': (matrix_dendrite_max_file_size_bytes / 1024 / 1024) | round, + }[matrix_homeserver_implementation]|int + }} matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_admin_api_enabled: "{{ matrix_synapse_admin_enabled }}" @@ -1391,19 +1397,29 @@ matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container: "127.0.0.1:{{ # By default, we do TLS termination for the Matrix Federation API (port 8448) at matrix-nginx-proxy. # Unless this is handled there OR Synapse's federation listener port is disabled, we'll reverse-proxy. -matrix_nginx_proxy_proxy_matrix_federation_api_enabled: "{{ matrix_synapse_federation_port_enabled and not matrix_synapse_tls_federation_listener_enabled }}" +matrix_nginx_proxy_proxy_matrix_federation_api_enabled: |- + {{ + { + 'synapse': (matrix_synapse_federation_port_enabled and not matrix_synapse_tls_federation_listener_enabled), + 'dendrite': matrix_dendrite_federation_enabled, + }[matrix_homeserver_implementation]|bool + }} + matrix_nginx_proxy_proxy_matrix_federation_api_addr_with_container: "matrix-nginx-proxy:12088" matrix_nginx_proxy_proxy_matrix_federation_api_addr_sans_container: "127.0.0.1:12088" -# Settings controlling matrix-synapse-proxy.conf matrix_nginx_proxy_proxy_synapse_enabled: "{{ matrix_synapse_enabled }}" - matrix_nginx_proxy_proxy_synapse_client_api_addr_with_container: "matrix-synapse:{{ matrix_synapse_container_client_api_port }}" -matrix_nginx_proxy_proxy_synapse_client_api_addr_sans_container: "127.0.0.1:{{ matrix_synapse_container_client_api_port }}" - +matrix_nginx_proxy_proxy_synapse_client_api_addr_sans_container: "127.0.0.1:{{ matrix_dendrite_container_client_api_port }}" matrix_nginx_proxy_proxy_synapse_federation_api_addr_with_container: "matrix-synapse:{{matrix_synapse_container_federation_api_plain_port|string}}" matrix_nginx_proxy_proxy_synapse_federation_api_addr_sans_container: "localhost:{{matrix_synapse_container_federation_api_plain_port|string}}" +matrix_nginx_proxy_proxy_dendrite_enabled: "{{ matrix_dendrite_enabled }}" +matrix_nginx_proxy_proxy_dendrite_client_api_addr_with_container: "matrix-dendrite:{{ matrix_dendrite_container_client_api_port }}" +matrix_nginx_proxy_proxy_dendrite_client_api_addr_sans_container: "127.0.0.1:{{ matrix_synapse_container_client_api_port }}" +matrix_nginx_proxy_proxy_dendrite_federation_api_addr_with_container: "matrix-dendrite:{{ matrix_dendrite_container_federation_api_plain_port|string }}" +matrix_nginx_proxy_proxy_dendrite_federation_api_addr_sans_container: "127.0.0.1:{{ matrix_dendrite_container_federation_api_plain_port|string }}" + # When matrix-nginx-proxy is disabled, the actual port number that the vhost uses may begin to matter. matrix_nginx_proxy_proxy_matrix_federation_port: "{{ matrix_federation_public_port }}" @@ -2221,6 +2237,8 @@ matrix_dendrite_turn_shared_secret: "{{ matrix_coturn_turn_static_auth_secret if matrix_dendrite_disable_tls_validation: "{{ true if matrix_ssl_retrieval_method == 'self-signed' else false }}" +matrix_dendrite_self_check_validate_certificates: "{{ false if matrix_ssl_retrieval_method == 'self-signed' else true }}" + matrix_dendrite_systemd_required_services_list: | {{ (['docker.service']) diff --git a/roles/matrix-dendrite/defaults/main.yml b/roles/matrix-dendrite/defaults/main.yml index 1c1e7596..11952ce7 100644 --- a/roles/matrix-dendrite/defaults/main.yml +++ b/roles/matrix-dendrite/defaults/main.yml @@ -14,6 +14,15 @@ matrix_dendrite_storage_path: "{{ matrix_dendrite_base_path }}/storage" matrix_dendrite_media_store_path: "{{ matrix_dendrite_storage_path }}/media-store" matrix_dendrite_ext_path: "{{ matrix_dendrite_base_path }}/ext" +matrix_dendrite_container_http_bind_port: 8008 + +# This is passed as a flag `-http-bind-address` flag to the Dendrite server in the container +matrix_dendrite_container_http_bind_address: ":{{ matrix_dendrite_container_http_bind_port }}" + +# Dendrite monolith exposes both the Client API and the Federation API on the same port +matrix_dendrite_container_client_api_port: "{{ matrix_dendrite_container_http_bind_port }}" +matrix_dendrite_container_federation_api_plain_port: "{{ matrix_dendrite_container_http_bind_port }}" + # Controls whether the matrix-dendrite container exposes the Client/Server API port (tcp/8008 in the container). # # Takes an ":" or "" value (e.g. "127.0.0.1:8008"), or empty string to not expose. @@ -116,7 +125,10 @@ matrix_dendrite_trusted_id_servers: # Controls whether Dendrite will federate at all. # Disable this to completely isolate your server from the rest of the Matrix network. -matrix_dendrite_disable_federation: false +matrix_dendrite_federation_enabled: true + +# Controls whether the self-check feature should validate SSL certificates. +matrix_dendrite_self_check_validate_certificates: true # Default Dendrite configuration template which covers the generic use case. # You can customize it by controlling the various variables inside it. diff --git a/roles/matrix-dendrite/tasks/dendrite/setup_install.yml b/roles/matrix-dendrite/tasks/dendrite/setup_install.yml index 2e319e17..3e3b2199 100644 --- a/roles/matrix-dendrite/tasks/dendrite/setup_install.yml +++ b/roles/matrix-dendrite/tasks/dendrite/setup_install.yml @@ -68,7 +68,7 @@ - name: Ensure systemd reloaded after matrix-dendrite.service installation service: daemon_reload: yes - when: "matrix_dendrite_systemd_service_result.changed" + when: "matrix_dendrite_systemd_service_result.changed|bool" - name: Ensure matrix-dendrite-create-account script created template: diff --git a/roles/matrix-dendrite/tasks/main.yml b/roles/matrix-dendrite/tasks/main.yml index 6c25f190..e44134a5 100644 --- a/roles/matrix-dendrite/tasks/main.yml +++ b/roles/matrix-dendrite/tasks/main.yml @@ -22,14 +22,14 @@ - import_tasks: "{{ role_path }}/tasks/self_check_client_api.yml" delegate_to: 127.0.0.1 become: false - when: run_self_check|bool + when: run_self_check|bool and matrix_dendrite_enabled|bool tags: - self-check - import_tasks: "{{ role_path }}/tasks/self_check_federation_api.yml" delegate_to: 127.0.0.1 become: false - when: run_self_check|bool + when: run_self_check|bool and matrix_dendrite_enabled|bool tags: - self-check diff --git a/roles/matrix-dendrite/tasks/self_check_client_api.yml b/roles/matrix-dendrite/tasks/self_check_client_api.yml index d3fb1f0d..7c2f6b5e 100644 --- a/roles/matrix-dendrite/tasks/self_check_client_api.yml +++ b/roles/matrix-dendrite/tasks/self_check_client_api.yml @@ -7,14 +7,12 @@ register: result_matrix_dendrite_client_api ignore_errors: true check_mode: no - when: matrix_dendrite_enabled|bool - name: Fail if Matrix Client API not working fail: msg: "Failed checking Matrix Client API is up at `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ matrix_dendrite_client_api_url_endpoint_public }}`). Is Dendrite running? Is port 443 open in your firewall? Full error: {{ result_matrix_dendrite_client_api }}" - when: "matrix_dendrite_enabled|bool and (result_matrix_dendrite_client_api.failed or 'json' not in result_matrix_dendrite_client_api)" + when: "(result_matrix_dendrite_client_api.failed or 'json' not in result_matrix_dendrite_client_api)" - name: Report working Matrix Client API debug: msg: "The Matrix Client API at `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ matrix_dendrite_client_api_url_endpoint_public }}`) is working" - when: matrix_dendrite_enabled|bool diff --git a/roles/matrix-dendrite/tasks/self_check_federation_api.yml b/roles/matrix-dendrite/tasks/self_check_federation_api.yml index f11601d7..a7c60a67 100644 --- a/roles/matrix-dendrite/tasks/self_check_federation_api.yml +++ b/roles/matrix-dendrite/tasks/self_check_federation_api.yml @@ -7,19 +7,18 @@ register: result_matrix_dendrite_federation_api ignore_errors: true check_mode: no - when: matrix_dendrite_enabled|bool - name: Fail if Matrix Federation API not working fail: msg: "Failed checking Matrix Federation API is up at `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ matrix_dendrite_federation_api_url_endpoint_public }}`). Is Dendrite running? Is port {{ matrix_federation_public_port }} open in your firewall? Full error: {{ result_matrix_dendrite_federation_api }}" - when: "matrix_dendrite_enabled|bool and matrix_dendrite_federation_enabled|bool and (result_matrix_dendrite_federation_api.failed or 'json' not in result_matrix_dendrite_federation_api)" + when: "matrix_dendrite_federation_enabled|bool and (result_matrix_dendrite_federation_api.failed or 'json' not in result_matrix_dendrite_federation_api)" - name: Fail if Matrix Federation API unexpectedly enabled fail: msg: "Matrix Federation API is up at `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ matrix_dendrite_federation_api_url_endpoint_public }}`) despite being disabled." - when: "matrix_dendrite_enabled|bool and not matrix_dendrite_federation_enabled|bool and not result_matrix_dendrite_federation_api.failed" + when: "not matrix_dendrite_federation_enabled|bool and not result_matrix_dendrite_federation_api.failed" - name: Report working Matrix Federation API debug: msg: "The Matrix Federation API at `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ matrix_dendrite_federation_api_url_endpoint_public }}`) is working" - when: "matrix_dendrite_enabled|bool and matrix_dendrite_federation_enabled|bool" + when: "matrix_dendrite_federation_enabled|bool" diff --git a/roles/matrix-dendrite/templates/dendrite/dendrite.yaml.j2 b/roles/matrix-dendrite/templates/dendrite/dendrite.yaml.j2 index 2559be15..c512904e 100644 --- a/roles/matrix-dendrite/templates/dendrite/dendrite.yaml.j2 +++ b/roles/matrix-dendrite/templates/dendrite/dendrite.yaml.j2 @@ -64,7 +64,7 @@ global: # Disables federation. Dendrite will not be able to make any outbound HTTP requests # to other servers and the federation API will not be exposed. - disable_federation: {{ matrix_dendrite_disable_federation|to_json }} + disable_federation: {{ (not matrix_dendrite_federation_enabled)|to_json }} # Configuration for Kafka/Naffka. kafka: diff --git a/roles/matrix-dendrite/templates/dendrite/systemd/matrix-dendrite.service.j2 b/roles/matrix-dendrite/templates/dendrite/systemd/matrix-dendrite.service.j2 index b41f6c2c..48067c0e 100644 --- a/roles/matrix-dendrite/templates/dendrite/systemd/matrix-dendrite.service.j2 +++ b/roles/matrix-dendrite/templates/dendrite/systemd/matrix-dendrite.service.j2 @@ -44,7 +44,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-dendrite \ {{ arg }} \ {% endfor %} {{ matrix_dendrite_docker_image }} \ - --config /data/dendrite.yaml + -config /data/dendrite.yaml \ + -http-bind-address {{ matrix_dendrite_container_http_bind_address }} ExecStop=-{{ matrix_host_command_docker }} kill matrix-dendrite ExecStop=-{{ matrix_host_command_docker }} rm matrix-dendrite diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index 74f53e67..749d9391 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -111,14 +111,28 @@ matrix_nginx_proxy_access_log_enabled: true matrix_nginx_proxy_proxy_riot_compat_redirect_enabled: false matrix_nginx_proxy_proxy_riot_compat_redirect_hostname: "riot.{{ matrix_domain }}" -# Controls whether proxying the Synapse domain should be done. +# Controls whether proxying for Synapse should be done. matrix_nginx_proxy_proxy_synapse_enabled: false matrix_nginx_proxy_proxy_synapse_hostname: "matrix-nginx-proxy" matrix_nginx_proxy_proxy_synapse_federation_api_enabled: "{{ matrix_nginx_proxy_proxy_matrix_federation_api_enabled }}" - +# The addresses where the Matrix Client API is, when using Synapse. +matrix_nginx_proxy_proxy_synapse_client_api_addr_with_container: "" +matrix_nginx_proxy_proxy_synapse_client_api_addr_sans_container: "" # The addresses where the Federation API is, when using Synapse. matrix_nginx_proxy_proxy_synapse_federation_api_addr_with_container: "" matrix_nginx_proxy_proxy_synapse_federation_api_addr_sans_container: "" +# A list of strings containing additional configuration blocks to add to the Synapse's server configuration (matrix-synapse.conf). +matrix_nginx_proxy_proxy_synapse_additional_server_configuration_blocks: [] + +# Controls whether proxying for Dendrite should be done. +matrix_nginx_proxy_proxy_dendrite_enabled: false +matrix_nginx_proxy_proxy_dendrite_hostname: "matrix-nginx-proxy" +matrix_nginx_proxy_proxy_dendrite_federation_api_enabled: "{{ matrix_nginx_proxy_proxy_matrix_federation_api_enabled }}" +# The addresses where the Matrix Client API is, when using Dendrite. +matrix_nginx_proxy_proxy_dendrite_client_api_addr_with_container: "" +matrix_nginx_proxy_proxy_dendrite_client_api_addr_sans_container: "" +# A list of strings containing additional configuration blocks to add to the Dendrite's server configuration (matrix-dendrite.conf). +matrix_nginx_proxy_proxy_dendrite_additional_server_configuration_blocks: [] # Controls whether proxying the Element domain should be done. matrix_nginx_proxy_proxy_element_enabled: false @@ -200,10 +214,6 @@ matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_key: "" matrix_nginx_proxy_proxy_matrix_client_api_addr_with_container: "matrix-nginx-proxy:12080" matrix_nginx_proxy_proxy_matrix_client_api_addr_sans_container: "127.0.0.1:12080" -# The addresses where the Matrix Client API is, when using Synapse. -matrix_nginx_proxy_proxy_synapse_client_api_addr_with_container: "" -matrix_nginx_proxy_proxy_synapse_client_api_addr_sans_container: "" - # This needs to be equal or higher than the maximum upload size accepted by Synapse. matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb: 50 @@ -268,9 +278,6 @@ matrix_nginx_proxy_proxy_http_additional_server_configuration_blocks: [] # A list of strings containing additional configuration blocks to add to the base matrix server configuration (matrix-domain.conf). matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks: [] -# A list of strings containing additional configuration blocks to add to the synapse's server configuration (matrix-synapse.conf). -matrix_nginx_proxy_proxy_synapse_additional_server_configuration_blocks: [] - # A list of strings containing additional configuration blocks to add to Riot's server configuration (matrix-riot-web.conf). matrix_nginx_proxy_proxy_riot_additional_server_configuration_blocks: [] diff --git a/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml b/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml index 5ddbb19d..e5021468 100644 --- a/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml +++ b/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml @@ -67,6 +67,19 @@ state: absent when: "not matrix_nginx_proxy_proxy_synapse_enabled|bool" +- name: Ensure Matrix nginx-proxy configuration for matrix-dendrite exists + template: + src: "{{ role_path }}/templates/nginx/conf.d/matrix-dendrite.conf.j2" + dest: "{{ matrix_nginx_proxy_confd_path }}/matrix-dendrite.conf" + mode: 0644 + when: matrix_nginx_proxy_proxy_dendrite_enabled|bool + +- name: Ensure Matrix nginx-proxy configuration for matrix-dendrite deleted + file: + path: "{{ matrix_nginx_proxy_confd_path }}/matrix-dendrite.conf" + state: absent + when: "not matrix_nginx_proxy_proxy_dendrite_enabled|bool" + - name: Ensure Matrix nginx-proxy configuration for Element domain exists template: src: "{{ role_path }}/templates/nginx/conf.d/matrix-client-element.conf.j2" diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dendrite.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dendrite.conf.j2 new file mode 100644 index 00000000..9776085e --- /dev/null +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dendrite.conf.j2 @@ -0,0 +1,67 @@ +#jinja2: lstrip_blocks: "True" + +server { + listen 12080; + server_name {{ matrix_nginx_proxy_proxy_dendrite_hostname }}; + + server_tokens off; + root /dev/null; + + gzip on; + gzip_types text/plain application/json; + + {% for configuration_block in matrix_nginx_proxy_proxy_dendrite_additional_server_configuration_blocks %} + {{- configuration_block }} + {% endfor %} + + {# Everything else just goes to the API server ##} + location / { + {% if matrix_nginx_proxy_enabled %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver 127.0.0.11 valid=5s; + set $backend "{{ matrix_nginx_proxy_proxy_dendrite_client_api_addr_with_container }}"; + proxy_pass http://$backend; + {% else %} + {# Generic configuration for use outside of our container setup #} + proxy_pass http://{{ matrix_nginx_proxy_proxy_dendrite_client_api_addr_sans_container }}; + {% endif %} + + proxy_set_header Host $host; + + client_body_buffer_size 25M; + client_max_body_size {{ matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb }}M; + proxy_max_temp_file_size 0; + } +} + +{% if matrix_nginx_proxy_proxy_dendrite_federation_api_enabled %} +server { + listen 12088; + + server_name {{ matrix_nginx_proxy_proxy_dendrite_hostname }}; + server_tokens off; + + root /dev/null; + + gzip on; + gzip_types text/plain application/json; + + location / { + {% if matrix_nginx_proxy_enabled %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver 127.0.0.11 valid=5s; + set $backend "{{ matrix_nginx_proxy_proxy_dendrite_federation_api_addr_with_container }}"; + proxy_pass http://$backend; + {% else %} + {# Generic configuration for use outside of our container setup #} + proxy_pass http://{{ matrix_nginx_proxy_proxy_dendrite_federation_api_addr_sans_container }}; + {% endif %} + + proxy_set_header Host $host; + + client_body_buffer_size 25M; + client_max_body_size {{ matrix_nginx_proxy_proxy_matrix_federation_api_client_max_body_size_mb }}M; + proxy_max_temp_file_size 0; + } +} +{% endif %} From 3b9d5b13e96dd94ee014d0a58bbeeef0b6deb952 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 18 Dec 2021 13:26:31 +0200 Subject: [PATCH 132/202] Add support for not serving Dendrite federation APIs on the client port Seems like Dendrite encourages serving both the Client and Federation API at the same port. Coming from Synapse and how things are done there, we have separate ports. Using separate ports probably makes matrix-corporal (etc.) integration easier, so separating the APIs by default probably makes sense. --- roles/matrix-nginx-proxy/defaults/main.yml | 3 +++ .../templates/nginx/conf.d/matrix-dendrite.conf.j2 | 10 ++++++++++ 2 files changed, 13 insertions(+) diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index 749d9391..1feea6b7 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -128,6 +128,9 @@ matrix_nginx_proxy_proxy_synapse_additional_server_configuration_blocks: [] matrix_nginx_proxy_proxy_dendrite_enabled: false matrix_nginx_proxy_proxy_dendrite_hostname: "matrix-nginx-proxy" matrix_nginx_proxy_proxy_dendrite_federation_api_enabled: "{{ matrix_nginx_proxy_proxy_matrix_federation_api_enabled }}" +# Controls whether the Client API server (usually at matrix.DOMAIN:443) should explicitly reject `/_matrix/federation` endpoints. +# Normally, Dendrite Monolith serves both APIs (Client & Federation) at the same port, so we can serve federation at `matrix.DOMAIN:443` too. +matrix_nginx_proxy_proxy_dendrite_block_federation_api_on_client_port: true # The addresses where the Matrix Client API is, when using Dendrite. matrix_nginx_proxy_proxy_dendrite_client_api_addr_with_container: "" matrix_nginx_proxy_proxy_dendrite_client_api_addr_sans_container: "" diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dendrite.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dendrite.conf.j2 index 9776085e..939156a3 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dendrite.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dendrite.conf.j2 @@ -14,6 +14,16 @@ server { {{- configuration_block }} {% endfor %} + {% if matrix_nginx_proxy_proxy_dendrite_block_federation_api_on_client_port %} + location /_matrix/federation { + {% if matrix_nginx_proxy_proxy_dendrite_federation_api_enabled %} + return 404 'The Federation API is served at https://{{ matrix_server_fqn_matrix }}:{{ matrix_federation_public_port }}'; + {% else %} + return 404 'This Matrix server is running with federation disabled'; + {% endif %} + } + {% endif %} + {# Everything else just goes to the API server ##} location / { {% if matrix_nginx_proxy_enabled %} From 9f6e8f5eaf2fd19200fb6533f4e524f32dffc892 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 18 Dec 2021 13:37:43 +0200 Subject: [PATCH 133/202] Remove matrix_s3 references from matrix-dendrite role All the `matrix_s3_*` stuff happens in the `matrix-synapse` role. If we are to have such S3 support for Dendrite, we should probably extract it out of the `matrix-synapse` role (into a `matrix-s3` role or `matrix-goofys`, etc.) and wire `matrix-dendrite` accordingly. This may or may not be done in the future though. For now, I'm cleaning things up in the `matrix-dendrite` role. --- roles/matrix-dendrite/tasks/init.yml | 4 ---- roles/matrix-dendrite/tasks/setup_dendrite.yml | 5 +---- .../templates/dendrite/systemd/matrix-dendrite.service.j2 | 6 ------ 3 files changed, 1 insertion(+), 14 deletions(-) diff --git a/roles/matrix-dendrite/tasks/init.yml b/roles/matrix-dendrite/tasks/init.yml index 28709469..2e2e551a 100644 --- a/roles/matrix-dendrite/tasks/init.yml +++ b/roles/matrix-dendrite/tasks/init.yml @@ -1,7 +1,3 @@ - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-dendrite.service'] }}" when: matrix_dendrite_enabled|bool - -- set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-goofys.service'] }}" - when: matrix_s3_media_store_enabled|bool diff --git a/roles/matrix-dendrite/tasks/setup_dendrite.yml b/roles/matrix-dendrite/tasks/setup_dendrite.yml index 9fa8f566..04c3a7fe 100644 --- a/roles/matrix-dendrite/tasks/setup_dendrite.yml +++ b/roles/matrix-dendrite/tasks/setup_dendrite.yml @@ -9,9 +9,6 @@ with_items: - { path: "{{ matrix_dendrite_config_dir_path }}", when: true } - { path: "{{ matrix_dendrite_ext_path }}", when: true } - # We handle matrix_dendrite_media_store_path elsewhere (in ./dendrite/setup_install.yml), - # because if it's using Goofys and it's already mounted (from before), - # trying to chown/chmod it here will cause trouble. - when: "(matrix_dendrite_enabled|bool or matrix_s3_media_store_enabled|bool) and item.when" + when: "matrix_dendrite_enabled|bool and item.when" - import_tasks: "{{ role_path }}/tasks/dendrite/setup.yml" diff --git a/roles/matrix-dendrite/templates/dendrite/systemd/matrix-dendrite.service.j2 b/roles/matrix-dendrite/templates/dendrite/systemd/matrix-dendrite.service.j2 index 48067c0e..647d0756 100644 --- a/roles/matrix-dendrite/templates/dendrite/systemd/matrix-dendrite.service.j2 +++ b/roles/matrix-dendrite/templates/dendrite/systemd/matrix-dendrite.service.j2 @@ -15,12 +15,6 @@ Type=simple Environment="HOME={{ matrix_systemd_unit_home_path }}" ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-dendrite ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-dendrite -{% if matrix_s3_media_store_enabled %} -# Allow for some time before starting, so that media store can mount. -# Mounting can happen later too, but if we start writing, -# we'd write files to the local filesystem and fusermount will complain. -ExecStartPre={{ matrix_host_command_sleep }} 3 -{% endif %} ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-dendrite \ --log-driver=none \ From b297e8ee2b92761dd6fd35c7a8a10134bf2d2c6f Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 18 Dec 2021 13:56:32 +0200 Subject: [PATCH 134/202] Delay Dendrite startup so that matrix-postgres.service can start --- .../templates/dendrite/systemd/matrix-dendrite.service.j2 | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/roles/matrix-dendrite/templates/dendrite/systemd/matrix-dendrite.service.j2 b/roles/matrix-dendrite/templates/dendrite/systemd/matrix-dendrite.service.j2 index 647d0756..a67a3c20 100644 --- a/roles/matrix-dendrite/templates/dendrite/systemd/matrix-dendrite.service.j2 +++ b/roles/matrix-dendrite/templates/dendrite/systemd/matrix-dendrite.service.j2 @@ -16,6 +16,12 @@ Environment="HOME={{ matrix_systemd_unit_home_path }}" ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-dendrite ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-dendrite +{% if 'matrix-postgres.service' in matrix_dendrite_systemd_required_services_list %} +# Dendrite is too quick to start in relation to its matrix-postgres dependency. +# Delay Dendrite startup to avoid failing with: "failed to connect to accounts db" ("pq: the database system is starting up"). +ExecStartPre={{ matrix_host_command_sleep }} 5 +{% endif %} + ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-dendrite \ --log-driver=none \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ From f8a8d7d31033854188fdb27e055b7cb9dcd6e2f9 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 18 Dec 2021 14:28:27 +0200 Subject: [PATCH 135/202] Fix /usr/local/bin/matrix-dendrite-create-account We also need to fix `--tags=register-user`. This tag is currently defined in both the `matrix-synapse` and `matrix-dendrite` roles. --- .../dendrite/usr-local-bin/matrix-dendrite-create-account.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-dendrite/templates/dendrite/usr-local-bin/matrix-dendrite-create-account.j2 b/roles/matrix-dendrite/templates/dendrite/usr-local-bin/matrix-dendrite-create-account.j2 index d9572ac7..5332b964 100644 --- a/roles/matrix-dendrite/templates/dendrite/usr-local-bin/matrix-dendrite-create-account.j2 +++ b/roles/matrix-dendrite/templates/dendrite/usr-local-bin/matrix-dendrite-create-account.j2 @@ -9,4 +9,4 @@ fi user=$1 password=$2 -docker exec matrix-dendrite create-account --config /data/dendrite.yaml --user "$user" --password "$password" +docker exec matrix-dendrite create-account -config /data/dendrite.yaml -username "$user" -password "$password" From 2bd33e5cf2d8000e2aed991c63decdad7bcb4a89 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 18 Dec 2021 14:40:34 +0200 Subject: [PATCH 136/202] Make --tags=register-user work for both Dendrite/Synapse Also get rid of `--tags=update-user-password` in the `matrix-dendrite` role, as what we had doesn't work. We may be able to do it with some Ansible helper or something else. For now, we'll omit this feature. --- roles/matrix-base/defaults/main.yml | 1 + roles/matrix-dendrite/tasks/main.yml | 7 +--- .../tasks/update_user_password.yml | 41 ------------------- roles/matrix-synapse/tasks/main.yml | 4 +- 4 files changed, 4 insertions(+), 49 deletions(-) delete mode 100644 roles/matrix-dendrite/tasks/update_user_password.yml diff --git a/roles/matrix-base/defaults/main.yml b/roles/matrix-base/defaults/main.yml index 9fc14e8a..2356c19d 100644 --- a/roles/matrix-base/defaults/main.yml +++ b/roles/matrix-base/defaults/main.yml @@ -228,6 +228,7 @@ run_synapse_register_user: true run_synapse_update_user_password: true run_synapse_import_media_store: true run_synapse_rust_synapse_compress_state: true +run_dendrite_register_user: true run_setup: true run_self_check: true run_start: true diff --git a/roles/matrix-dendrite/tasks/main.yml b/roles/matrix-dendrite/tasks/main.yml index e44134a5..815135d7 100644 --- a/roles/matrix-dendrite/tasks/main.yml +++ b/roles/matrix-dendrite/tasks/main.yml @@ -15,7 +15,7 @@ - setup-dendrite - import_tasks: "{{ role_path }}/tasks/register_user.yml" - when: run_dendrite_register_user|bool + when: run_dendrite_register_user|bool and matrix_dendrite_enabled|bool tags: - register-user @@ -33,11 +33,6 @@ tags: - self-check -- import_tasks: "{{ role_path }}/tasks/update_user_password.yml" - when: run_dendrite_update_user_password|bool - tags: - - update-user-password - - name: Mark matrix-dendrite role as executed set_fact: matrix_dendrite_role_executed: true diff --git a/roles/matrix-dendrite/tasks/update_user_password.yml b/roles/matrix-dendrite/tasks/update_user_password.yml deleted file mode 100644 index 5fbd23c2..00000000 --- a/roles/matrix-dendrite/tasks/update_user_password.yml +++ /dev/null @@ -1,41 +0,0 @@ ---- -- name: Fail if playbook called incorrectly - fail: - msg: "The `username` variable needs to be provided to this playbook, via --extra-vars" - when: "username is not defined or username == ''" - -- name: Fail if playbook called incorrectly - fail: - msg: "The `password` variable needs to be provided to this playbook, via --extra-vars" - when: "password is not defined or password == ''" - -- name: Fail if not using matrix-postgres container - fail: - msg: "This command is working only when matrix-postgres container is being used" - when: "not matrix_postgres_enabled|bool" - -- name: Ensure matrix-dendrite is started - service: - name: matrix-dendrite - state: started - daemon_reload: yes - register: start_result - -- name: Ensure matrix-postgres is started - service: - name: matrix-postgres - state: started - daemon_reload: yes - register: postgres_start_result - -- name: Wait a while, so that Matrix Dendrite can manage to start - pause: - seconds: 7 - when: "start_result.changed or postgres_start_result.changed" - -- name: Generate password hash - shell: "{{ matrix_host_command_docker }} exec matrix-dendrite /usr/local/bin/hash_password -c /data/homeserver.yaml -p {{ password|quote }}" - register: password_hash - -- name: Update user password hash - command: "{{ matrix_local_bin_path }}/matrix-postgres-update-user-password-hash {{ username|quote }} {{ password_hash.stdout|quote }}" diff --git a/roles/matrix-synapse/tasks/main.yml b/roles/matrix-synapse/tasks/main.yml index 8bf1c563..17eef9cc 100644 --- a/roles/matrix-synapse/tasks/main.yml +++ b/roles/matrix-synapse/tasks/main.yml @@ -20,7 +20,7 @@ - import-synapse-media-store - import_tasks: "{{ role_path }}/tasks/register_user.yml" - when: run_synapse_register_user|bool + when: run_synapse_register_user|bool and matrix_synapse_enabled|bool tags: - register-user @@ -39,7 +39,7 @@ - self-check - import_tasks: "{{ role_path }}/tasks/update_user_password.yml" - when: run_synapse_update_user_password|bool + when: run_synapse_update_user_password|bool and matrix_synapse_enabled|bool tags: - update-user-password From 38ec546b8b0f0d5d4d2c4104b9c32af9f14e650a Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 23 Dec 2021 14:48:59 +0200 Subject: [PATCH 137/202] Only trust own identity server in Dendrite config, if ma1sd enabled --- group_vars/matrix_servers | 2 ++ 1 file changed, 2 insertions(+) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 587ef243..788aeca4 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -2239,6 +2239,8 @@ matrix_dendrite_disable_tls_validation: "{{ true if matrix_ssl_retrieval_method matrix_dendrite_self_check_validate_certificates: "{{ false if matrix_ssl_retrieval_method == 'self-signed' else true }}" +matrix_dendrite_trusted_id_servers: "{{ [matrix_server_fqn_matrix] if matrix_ma1sd_enabled else ['matrix.org', 'vector.im'] }}" + matrix_dendrite_systemd_required_services_list: | {{ (['docker.service']) From 32bbcf5ed6aae6da40ccee86e56ebf236707986c Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 23 Dec 2021 15:14:30 +0200 Subject: [PATCH 138/202] Fix incorrect definition --- group_vars/matrix_servers | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 788aeca4..70cedf32 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -1410,7 +1410,7 @@ matrix_nginx_proxy_proxy_matrix_federation_api_addr_sans_container: "127.0.0.1:1 matrix_nginx_proxy_proxy_synapse_enabled: "{{ matrix_synapse_enabled }}" matrix_nginx_proxy_proxy_synapse_client_api_addr_with_container: "matrix-synapse:{{ matrix_synapse_container_client_api_port }}" -matrix_nginx_proxy_proxy_synapse_client_api_addr_sans_container: "127.0.0.1:{{ matrix_dendrite_container_client_api_port }}" +matrix_nginx_proxy_proxy_synapse_client_api_addr_sans_container: "127.0.0.1:{{ matrix_synapse_container_client_api_port }}" matrix_nginx_proxy_proxy_synapse_federation_api_addr_with_container: "matrix-synapse:{{matrix_synapse_container_federation_api_plain_port|string}}" matrix_nginx_proxy_proxy_synapse_federation_api_addr_sans_container: "localhost:{{matrix_synapse_container_federation_api_plain_port|string}}" From 4139290cc9834c6ecba5b2371199b7874acf617d Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 23 Dec 2021 15:23:41 +0200 Subject: [PATCH 139/202] Rename some variables for consistency --- group_vars/matrix_servers | 16 ++++---- roles/matrix-dendrite/defaults/main.yml | 41 ++++++++++++------- .../systemd/matrix-dendrite.service.j2 | 16 +++++--- 3 files changed, 45 insertions(+), 28 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 70cedf32..9c011b4e 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -1415,10 +1415,10 @@ matrix_nginx_proxy_proxy_synapse_federation_api_addr_with_container: "matrix-syn matrix_nginx_proxy_proxy_synapse_federation_api_addr_sans_container: "localhost:{{matrix_synapse_container_federation_api_plain_port|string}}" matrix_nginx_proxy_proxy_dendrite_enabled: "{{ matrix_dendrite_enabled }}" -matrix_nginx_proxy_proxy_dendrite_client_api_addr_with_container: "matrix-dendrite:{{ matrix_dendrite_container_client_api_port }}" -matrix_nginx_proxy_proxy_dendrite_client_api_addr_sans_container: "127.0.0.1:{{ matrix_synapse_container_client_api_port }}" -matrix_nginx_proxy_proxy_dendrite_federation_api_addr_with_container: "matrix-dendrite:{{ matrix_dendrite_container_federation_api_plain_port|string }}" -matrix_nginx_proxy_proxy_dendrite_federation_api_addr_sans_container: "127.0.0.1:{{ matrix_dendrite_container_federation_api_plain_port|string }}" +matrix_nginx_proxy_proxy_dendrite_client_api_addr_with_container: "matrix-dendrite:{{ matrix_dendrite_http_bind_port|string }}" +matrix_nginx_proxy_proxy_dendrite_client_api_addr_sans_container: "127.0.0.1:{{ matrix_dendrite_http_bind_port|string }}" +matrix_nginx_proxy_proxy_dendrite_federation_api_addr_with_container: "matrix-dendrite:{{ matrix_dendrite_http_bind_port|string }}" +matrix_nginx_proxy_proxy_dendrite_federation_api_addr_sans_container: "127.0.0.1:{{ matrix_dendrite_http_bind_port|string }}" # When matrix-nginx-proxy is disabled, the actual port number that the vhost uses may begin to matter. matrix_nginx_proxy_proxy_matrix_federation_port: "{{ matrix_federation_public_port }}" @@ -2209,11 +2209,11 @@ matrix_postgres_backup_databases: | # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, # you can expose Dendrite's ports to the host. # -# For exposing the Matrix Client API's port (plain HTTP) to the local host. -matrix_dendrite_container_client_api_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:8008' }}" +# For exposing Dendrite's plain HTTP server to the local host. +matrix_dendrite_container_http_host_bind_address: "{{ '' if matrix_nginx_proxy_enabled else ('127.0.0.1:' + matrix_dendrite_http_bind_port|string) }}" # -# For exposing the Matrix Federation API's TLS port (HTTPS) to the internet on all network interfaces. -matrix_dendrite_container_federation_api_tls_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else matrix_federation_public_port }}" +# For exposing Dendrite's HTTPS server to the local host. +matrix_dendrite_container_https_host_bind_address: "{{ '' if matrix_nginx_proxy_enabled or not matrix_dendrite_https_bind_port else ('127.0.0.1:' + matrix_dendrite_https_bind_port|string) }}" matrix_dendrite_registration_shared_secret: "{{ matrix_dendrite_generic_secret_key | password_hash('sha512', 'dendrite.rss') | to_uuid }}" diff --git a/roles/matrix-dendrite/defaults/main.yml b/roles/matrix-dendrite/defaults/main.yml index 11952ce7..8cd4c168 100644 --- a/roles/matrix-dendrite/defaults/main.yml +++ b/roles/matrix-dendrite/defaults/main.yml @@ -14,31 +14,42 @@ matrix_dendrite_storage_path: "{{ matrix_dendrite_base_path }}/storage" matrix_dendrite_media_store_path: "{{ matrix_dendrite_storage_path }}/media-store" matrix_dendrite_ext_path: "{{ matrix_dendrite_base_path }}/ext" -matrix_dendrite_container_http_bind_port: 8008 +# By default, we make Dendrite only serve HTTP (not HTTPS). +# HTTPS is usually served at the reverse-proxy side (usually via `matrix-nginx-proxy`). +# +# To enable HTTPS serving by Dendrite (directly): +# - `matrix_dendrite_https_bind_port` must be set +# - `-tls-cert` and `-tls-key` must be passed to Dendrite via `matrix_dendrite_process_extra_arguments` +# - the TLS certificate files must be mounted into the container using `matrix_dendrite_container_additional_volumes` +matrix_dendrite_http_bind_port: 8008 +matrix_dendrite_https_bind_port: ~ -# This is passed as a flag `-http-bind-address` flag to the Dendrite server in the container -matrix_dendrite_container_http_bind_address: ":{{ matrix_dendrite_container_http_bind_port }}" +# This is passed as an `-http-bind-address` flag to the Dendrite server in the container +matrix_dendrite_http_bind_address: "{{ (':' + matrix_dendrite_http_bind_port|string) if matrix_dendrite_http_bind_port else '' }}" -# Dendrite monolith exposes both the Client API and the Federation API on the same port -matrix_dendrite_container_client_api_port: "{{ matrix_dendrite_container_http_bind_port }}" -matrix_dendrite_container_federation_api_plain_port: "{{ matrix_dendrite_container_http_bind_port }}" +# This is passed as an `-https-bind-address` flag to the Dendrite server in the container +matrix_dendrite_https_bind_address: "{{ (':' + matrix_dendrite_https_bind_port|string) if matrix_dendrite_https_bind_port else '' }}" -# Controls whether the matrix-dendrite container exposes the Client/Server API port (tcp/8008 in the container). +# Controls whether the matrix-dendrite container exposes the HTTP port (tcp/{{ matrix_dendrite_http_bind_port }} in the container). # # Takes an ":" or "" value (e.g. "127.0.0.1:8008"), or empty string to not expose. -matrix_dendrite_container_client_api_host_bind_port: "" +matrix_dendrite_container_http_host_bind_address: "" -# Controls whether the matrix-dendrite container exposes the tls (encrypted) Server/Server (Federation) API port (tcp/8448 in the container). -# -# Takes effect only if federation is enabled (matrix_dendrite_federation_enabled) -# and TLS support is enabled (matrix_dendrite_tls_federation_listener_enabled). +# Controls whether the matrix-dendrite container exposes the HTTPS port (tcp/{{ matrix_dendrite_https_bind_port }} in the container). # -# Takes an ":" or "" value (e.g. "8448"), or empty string to not expose. -matrix_dendrite_container_federation_api_tls_host_bind_port: "" +# Takes an ":" or "" value (e.g. "127.0.0.1:8448"), or empty string to not expose. +matrix_dendrite_container_https_host_bind_address: "" -# A list of extra arguments to pass to the container +# A list of extra arguments to pass to the container (`docker run` command) matrix_dendrite_container_extra_arguments: [] +# A list of extra arguments to pass to the container process (`dendrite-monolith` command) +# Example: +# matrix_dendrite_process_extra_arguments: +# - "-tls-cert /some/path.crt" +# - "-tls-key /some/path.pem" +matrix_dendrite_process_extra_arguments: [] + # List of systemd services that matrix-dendrite.service depends on matrix_dendrite_systemd_required_services_list: ["docker.service"] diff --git a/roles/matrix-dendrite/templates/dendrite/systemd/matrix-dendrite.service.j2 b/roles/matrix-dendrite/templates/dendrite/systemd/matrix-dendrite.service.j2 index a67a3c20..4c357fd1 100644 --- a/roles/matrix-dendrite/templates/dendrite/systemd/matrix-dendrite.service.j2 +++ b/roles/matrix-dendrite/templates/dendrite/systemd/matrix-dendrite.service.j2 @@ -29,11 +29,11 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-dendrite \ --read-only \ --tmpfs=/tmp:rw,noexec,nosuid,size={{ matrix_dendrite_tmp_directory_size_mb }}m \ --network={{ matrix_docker_network }} \ - {% if matrix_dendrite_container_client_api_host_bind_port %} - -p {{ matrix_dendrite_container_client_api_host_bind_port }}:8008 \ + {% if matrix_dendrite_container_http_host_bind_address and matrix_dendrite_http_bind_port %} + -p {{ matrix_dendrite_container_http_host_bind_address }}:{{ matrix_dendrite_http_bind_port }} \ {% endif %} - {% if matrix_dendrite_container_federation_api_tls_host_bind_port %} - -p {{ matrix_dendrite_container_federation_api_tls_host_bind_port }}:8448 \ + {% if matrix_dendrite_container_https_host_bind_address and matrix_dendrite_https_bind_port %} + -p {{ matrix_dendrite_container_https_host_bind_address }}:{{ matrix_dendrite_https_bind_port }} \ {% endif %} --mount type=bind,src={{ matrix_dendrite_config_dir_path }},dst=/data,ro \ --mount type=bind,src={{ matrix_dendrite_storage_path }},dst=/matrix-media-store-parent,bind-propagation=slave \ @@ -45,7 +45,13 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-dendrite \ {% endfor %} {{ matrix_dendrite_docker_image }} \ -config /data/dendrite.yaml \ - -http-bind-address {{ matrix_dendrite_container_http_bind_address }} + {% if matrix_dendrite_http_bind_address %} + -http-bind-address {{ matrix_dendrite_http_bind_address }} + {% endif %} + {% if matrix_dendrite_https_bind_address %} + -https-bind-address {{ matrix_dendrite_https_bind_address }} + {% endif %} + {{ matrix_dendrite_process_extra_arguments|join(' ') }} ExecStop=-{{ matrix_host_command_docker }} kill matrix-dendrite ExecStop=-{{ matrix_host_command_docker }} rm matrix-dendrite From 1dfe21944fc83c8f2c2afe25756b2e9d475c714d Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 23 Dec 2021 16:28:34 +0200 Subject: [PATCH 140/202] Make matrix_homeserver_implementation influence matrix_IMPLEMENTATION_enabled, not the other way around Doing this seems more reasonable and simpler. --- examples/vars.yml | 4 ++++ group_vars/matrix_servers | 15 ++++----------- roles/matrix-base/defaults/main.yml | 12 +++++++----- roles/matrix-base/tasks/sanity_check.yml | 12 +++--------- roles/matrix-dendrite/defaults/main.yml | 2 +- 5 files changed, 19 insertions(+), 26 deletions(-) diff --git a/examples/vars.yml b/examples/vars.yml index f6c86be9..9623ad39 100644 --- a/examples/vars.yml +++ b/examples/vars.yml @@ -10,6 +10,10 @@ # Example value: example.com matrix_domain: YOUR_BARE_DOMAIN_NAME_HERE +# The Matrix homeserver software to install. +# See `roles/matrix-base/defaults/main.yml` for valid options. +matrix_homeserver_implementation: synapse + # This is something which is provided to Let's Encrypt when retrieving SSL certificates for domains. # # In case SSL renewal fails at some point, you'll also get an email notification there. diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 9c011b4e..3c2161dc 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -17,17 +17,6 @@ matrix_container_global_registry_prefix: "docker.io/" # ###################################################################### -matrix_homeserver_enabled_implementations_list: | - {{ - ( - (['synapse'] if matrix_synapse_enabled else []) - + - (['dendrite'] if matrix_dendrite_enabled else []) - ) - }} - -matrix_homeserver_implementation: "{{ matrix_homeserver_enabled_implementations_list[0] if matrix_homeserver_enabled_implementations_list|length == 1 else '' }}" - matrix_identity_server_url: "{{ ('https://' + matrix_server_fqn_matrix) if matrix_ma1sd_enabled else None }}" # If Synapse workers are enabled and matrix-nginx-proxy is disabled, certain APIs may not work over 'http://matrix-synapse:{{ matrix_synapse_container_client_api_port }}'. @@ -1906,6 +1895,8 @@ matrix_client_cinny_self_check_validate_certificates: "{{ false if matrix_ssl_re # ###################################################################### +matrix_synapse_enabled: "{{ matrix_homeserver_implementation == 'synapse' }}" + matrix_synapse_container_image_self_build: "{{ matrix_architecture not in ['arm64', 'amd64'] }}" # When ma1sd is enabled, we can use it to validate email addresses and phone numbers. @@ -2205,6 +2196,8 @@ matrix_postgres_backup_databases: | # ###################################################################### +matrix_dendrite_enabled: "{{ matrix_homeserver_implementation == 'dendrite' }}" + # Normally, matrix-nginx-proxy is enabled and nginx can reach Dendrite over the container network. # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, # you can expose Dendrite's ports to the host. diff --git a/roles/matrix-base/defaults/main.yml b/roles/matrix-base/defaults/main.yml index 2356c19d..c71061f8 100644 --- a/roles/matrix-base/defaults/main.yml +++ b/roles/matrix-base/defaults/main.yml @@ -8,11 +8,13 @@ matrix_domain: ~ # This will contain the homeserver implementation that is in use. -# Example values: 'synapse', 'dendrite', etc. -# You normally don't need to set this variable manually. -# Its value is automatically set depending on the homeserver implementation that you have enabled via other variables -# (e.g. `matrix_synapse_enabled`, `matrix_dendrite_enabled`, etc.) -matrix_homeserver_implementation: '' +# Valid values: synapse, dendrite +# +# By default, we use Synapse, because it's the only full-featured Matrix server at the moment. +# +# This value automatically influences other variables (`matrix_synapse_enabled`, `matrix_dendrite_enabled`, etc.). +# The homeserver implementation of an existing server cannot be changed without data loss. +matrix_homeserver_implementation: synapse # This is where your data lives and what we set up. # This and the Element FQN (see below) are expected to be on the same server. diff --git a/roles/matrix-base/tasks/sanity_check.yml b/roles/matrix-base/tasks/sanity_check.yml index 1e525b80..b9c8348f 100644 --- a/roles/matrix-base/tasks/sanity_check.yml +++ b/roles/matrix-base/tasks/sanity_check.yml @@ -1,15 +1,9 @@ --- -- name: Fail if 0 or more than 1 homeserver implementations enabled +- name: Fail if invalid homeserver implementation fail: - msg: >- - You have 0 or more than 1 homeserver implementations enabled - ({{ matrix_homeserver_enabled_implementations_list|join(', ') }}). - - If you have more than 1 implementation enabled, you can disable the unnecessary implementations by adding `matrix_IMPLEMENTATION_enabled: false` to your vars.yml file. - - If you have 0 implementations enabled, you can enable one by adding `matrix_IMPLEMENTATION_enabled: false` to your vars.yml file (e.g. `matrix_dendrite_enabled: true`). - when: "matrix_homeserver_enabled_implementations_list|length != 1" + msg: "You need to set a valid homeserver implementation in `matrix_homeserver_implementation`" + when: "matrix_homeserver_implementation not in ['synapse', 'dendrite']" # We generally support Ansible 2.7.1 and above. - name: Fail if running on Ansible < 2.7.1 diff --git a/roles/matrix-dendrite/defaults/main.yml b/roles/matrix-dendrite/defaults/main.yml index 8cd4c168..ed15711e 100644 --- a/roles/matrix-dendrite/defaults/main.yml +++ b/roles/matrix-dendrite/defaults/main.yml @@ -1,7 +1,7 @@ # Dendrite is a second-generation Matrix homeserver currently in Beta # See: https://github.com/matrix-org/dendrite -matrix_dendrite_enabled: false +matrix_dendrite_enabled: true matrix_dendrite_docker_image: "{{ matrix_dendrite_docker_image_name_prefix }}matrixdotorg/dendrite-monolith:{{ matrix_dendrite_docker_image_tag }}" matrix_dendrite_docker_image_name_prefix: "docker.io/" From 965890bf757ab0d9c6c5223f166f7e49a5ac80c5 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 7 Jan 2022 16:00:42 +0200 Subject: [PATCH 141/202] Derive secrets from matrix_homeserver_generic_secret_key, not matrix_synapse_macaroon_secret_key We're trying to move away from implementation-specific variables, hoping for a clean (implementation-neutral) examples/vars.yml file. --- examples/vars.yml | 8 +- group_vars/matrix_servers | 158 +++++++++--------- roles/matrix-base/defaults/main.yml | 3 + roles/matrix-base/tasks/sanity_check.yml | 21 ++- roles/matrix-dendrite/defaults/main.yml | 2 - .../matrix-dendrite/tasks/validate_config.yml | 1 - 6 files changed, 103 insertions(+), 90 deletions(-) diff --git a/examples/vars.yml b/examples/vars.yml index 9623ad39..0f6c1a55 100644 --- a/examples/vars.yml +++ b/examples/vars.yml @@ -14,6 +14,10 @@ matrix_domain: YOUR_BARE_DOMAIN_NAME_HERE # See `roles/matrix-base/defaults/main.yml` for valid options. matrix_homeserver_implementation: synapse +# A secret used as a base, for generating various other secrets. +# You can put any string here, but generating a strong one is preferred (e.g. `pwgen -s 64 1`). +matrix_homeserver_generic_secret_key: '' + # This is something which is provided to Let's Encrypt when retrieving SSL certificates for domains. # # In case SSL renewal fails at some point, you'll also get an email notification there. @@ -28,10 +32,6 @@ matrix_ssl_lets_encrypt_support_email: '' # You can put any string here, but generating a strong one is preferred (e.g. `pwgen -s 64 1`). matrix_coturn_turn_static_auth_secret: '' -# A secret used to protect access keys issued by the server. -# You can put any string here, but generating a strong one is preferred (e.g. `pwgen -s 64 1`). -matrix_synapse_macaroon_secret_key: '' - # A Postgres password to use for the superuser Postgres user (called `matrix` by default). # # The playbook creates additional Postgres users and databases (one for each enabled service) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 3c2161dc..a39b4665 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -79,14 +79,14 @@ matrix_appservice_discord_systemd_required_services_list: | (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_appservice_discord_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'discord.as.token') | to_uuid }}" +matrix_appservice_discord_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'discord.as.token') | to_uuid }}" -matrix_appservice_discord_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'discord.hs.token') | to_uuid }}" +matrix_appservice_discord_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'discord.hs.token') | to_uuid }}" # We only make this use Postgres if our own Postgres server is enabled. # It's only then (for now) that we can automatically create the necessary database and user for this service. matrix_appservice_discord_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_appservice_discord_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'as.discord.db') | to_uuid }}" +matrix_appservice_discord_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'as.discord.db') | to_uuid }}" ###################################################################### # @@ -111,12 +111,12 @@ matrix_appservice_webhooks_container_image_self_build: "{{ matrix_architecture ! # matrix-appservice-webhooks' client-server port to the local host. matrix_appservice_webhooks_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else ('127.0.0.1:' ~ matrix_appservice_webhooks_matrix_port) }}" -matrix_appservice_webhooks_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'webhook.as.token') | to_uuid }}" +matrix_appservice_webhooks_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'webhook.as.token') | to_uuid }}" matrix_appservice_webhooks_homeserver_url: "{{ matrix_homeserver_container_url }}" -matrix_appservice_webhooks_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'webhook.hs.token') | to_uuid }}" +matrix_appservice_webhooks_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'webhook.hs.token') | to_uuid }}" -matrix_appservice_webhooks_id_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'webhook.id.token') | to_uuid }}" +matrix_appservice_webhooks_id_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'webhook.id.token') | to_uuid }}" matrix_appservice_webhooks_systemd_required_services_list: | {{ @@ -150,12 +150,12 @@ matrix_appservice_slack_container_image_self_build: "{{ matrix_architecture != ' # matrix-appservice-slack's client-server port to the local host. matrix_appservice_slack_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else ('127.0.0.1:' ~ matrix_appservice_slack_slack_port) }}" -matrix_appservice_slack_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'slack.as.token') | to_uuid }}" +matrix_appservice_slack_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'slack.as.token') | to_uuid }}" matrix_appservice_slack_homeserver_url: "{{ matrix_homeserver_container_url }}" -matrix_appservice_slack_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'slack.hs.token') | to_uuid }}" +matrix_appservice_slack_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'slack.hs.token') | to_uuid }}" -matrix_appservice_slack_id_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'slack.id.token') | to_uuid }}" +matrix_appservice_slack_id_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'slack.id.token') | to_uuid }}" matrix_appservice_slack_systemd_required_services_list: | {{ @@ -168,7 +168,7 @@ matrix_appservice_slack_systemd_required_services_list: | # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_appservice_slack_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'nedb' }}" -matrix_appservice_slack_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'as.slack.db') | to_uuid }}" +matrix_appservice_slack_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'as.slack.db') | to_uuid }}" ###################################################################### # @@ -205,12 +205,12 @@ matrix_appservice_irc_systemd_required_services_list: | (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_appservice_irc_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'irc.as.token') | to_uuid }}" +matrix_appservice_irc_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'irc.as.token') | to_uuid }}" -matrix_appservice_irc_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'irc.hs.token') | to_uuid }}" +matrix_appservice_irc_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'irc.hs.token') | to_uuid }}" matrix_appservice_irc_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'nedb' }}" -matrix_appservice_irc_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'as.irc.db') | to_uuid }}" +matrix_appservice_irc_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'as.irc.db') | to_uuid }}" ###################################################################### @@ -242,15 +242,15 @@ matrix_beeper_linkedin_systemd_required_services_list: | (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_beeper_linkedin_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'linked.as.token') | to_uuid }}" +matrix_beeper_linkedin_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'linked.as.token') | to_uuid }}" -matrix_beeper_linkedin_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'linked.hs.token') | to_uuid }}" +matrix_beeper_linkedin_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'linked.hs.token') | to_uuid }}" matrix_beeper_linkedin_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" matrix_beeper_linkedin_bridge_presence: "{{ matrix_synapse_presence_enabled if matrix_synapse_enabled else true }}" -matrix_beeper_linkedin_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'maulinkedin.db') | to_uuid }}" +matrix_beeper_linkedin_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'maulinkedin.db') | to_uuid }}" ###################################################################### # @@ -280,9 +280,9 @@ matrix_mautrix_facebook_systemd_required_services_list: | (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_mautrix_facebook_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'fb.as.token') | to_uuid }}" +matrix_mautrix_facebook_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'fb.as.token') | to_uuid }}" -matrix_mautrix_facebook_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'fb.hs.token') | to_uuid }}" +matrix_mautrix_facebook_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'fb.hs.token') | to_uuid }}" matrix_mautrix_facebook_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" @@ -291,7 +291,7 @@ matrix_mautrix_facebook_bridge_presence: "{{ matrix_synapse_presence_enabled if # We'd like to force-set people with external Postgres to SQLite, so the bridge role can complain # and point them to a migration path. matrix_mautrix_facebook_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_mautrix_facebook_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mau.fb.db') | to_uuid }}" +matrix_mautrix_facebook_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mau.fb.db') | to_uuid }}" ###################################################################### # @@ -322,9 +322,9 @@ matrix_mautrix_hangouts_systemd_required_services_list: | (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_mautrix_hangouts_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'ho.as.token') | to_uuid }}" +matrix_mautrix_hangouts_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'ho.as.token') | to_uuid }}" -matrix_mautrix_hangouts_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'ho.hs.token') | to_uuid }}" +matrix_mautrix_hangouts_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'ho.hs.token') | to_uuid }}" matrix_mautrix_hangouts_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:9007' }}" @@ -332,7 +332,7 @@ matrix_mautrix_hangouts_login_shared_secret: "{{ matrix_synapse_ext_password_pro # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_mautrix_hangouts_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_mautrix_hangouts_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mau.hangouts.db') | to_uuid }}" +matrix_mautrix_hangouts_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mau.hangouts.db') | to_uuid }}" ###################################################################### # @@ -363,9 +363,9 @@ matrix_mautrix_googlechat_systemd_required_services_list: | (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_mautrix_googlechat_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'gc.as.token') | to_uuid }}" +matrix_mautrix_googlechat_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'gc.as.token') | to_uuid }}" -matrix_mautrix_googlechat_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'gc.hs.token') | to_uuid }}" +matrix_mautrix_googlechat_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'gc.hs.token') | to_uuid }}" matrix_mautrix_googlechat_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:9007' }}" @@ -373,7 +373,7 @@ matrix_mautrix_googlechat_login_shared_secret: "{{ matrix_synapse_ext_password_p # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_mautrix_googlechat_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_mautrix_googlechat_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mau.gc.db') | to_uuid }}" +matrix_mautrix_googlechat_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mau.gc.db') | to_uuid }}" ###################################################################### # @@ -404,9 +404,9 @@ matrix_mautrix_instagram_systemd_required_services_list: | (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_mautrix_instagram_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'ig.as.token') | to_uuid }}" +matrix_mautrix_instagram_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'ig.as.token') | to_uuid }}" -matrix_mautrix_instagram_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'ig.hs.token') | to_uuid }}" +matrix_mautrix_instagram_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'ig.hs.token') | to_uuid }}" matrix_mautrix_instagram_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" @@ -415,7 +415,7 @@ matrix_mautrix_instagram_bridge_presence: "{{ matrix_synapse_presence_enabled if # We'd like to force-set people with external Postgres to SQLite, so the bridge role can complain # and point them to a migration path. matrix_mautrix_instagram_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_mautrix_instagram_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mau.ig.db') | to_uuid }}" +matrix_mautrix_instagram_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mau.ig.db') | to_uuid }}" ###################################################################### # @@ -450,14 +450,14 @@ matrix_mautrix_signal_homeserver_domain: '{{ matrix_domain }}' matrix_mautrix_signal_homeserver_address: "{{ matrix_homeserver_container_url }}" -matrix_mautrix_signal_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'si.hs.token') | to_uuid }}" +matrix_mautrix_signal_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'si.hs.token') | to_uuid }}" -matrix_mautrix_signal_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'si.as.token') | to_uuid }}" +matrix_mautrix_signal_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'si.as.token') | to_uuid }}" matrix_mautrix_signal_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" matrix_mautrix_signal_database_engine: 'postgres' -matrix_mautrix_signal_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mau.signal.db') | to_uuid }}" +matrix_mautrix_signal_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mau.signal.db') | to_uuid }}" matrix_mautrix_signal_container_image_self_build: "{{ matrix_architecture not in ['amd64', 'arm64'] }}" matrix_mautrix_signal_daemon_container_image_self_build: "{{ matrix_architecture != 'amd64' }}" @@ -493,11 +493,11 @@ matrix_mautrix_telegram_systemd_required_services_list: | (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_mautrix_telegram_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'telegr.as.token') | to_uuid }}" +matrix_mautrix_telegram_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'telegr.as.token') | to_uuid }}" -matrix_mautrix_telegram_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'telegr.hs.token') | to_uuid }}" +matrix_mautrix_telegram_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'telegr.hs.token') | to_uuid }}" -matrix_mautrix_telegram_public_endpoint: "/{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'telegram') | to_uuid }}" +matrix_mautrix_telegram_public_endpoint: "/{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'telegram') | to_uuid }}" matrix_mautrix_telegram_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:9006' }}" @@ -505,7 +505,7 @@ matrix_mautrix_telegram_login_shared_secret: "{{ matrix_synapse_ext_password_pro # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_mautrix_telegram_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_mautrix_telegram_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mau.telegram.db') | to_uuid }}" +matrix_mautrix_telegram_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mau.telegram.db') | to_uuid }}" ###################################################################### # @@ -535,16 +535,16 @@ matrix_mautrix_twitter_systemd_required_services_list: | (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_mautrix_twitter_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'twt.as.token') | to_uuid }}" +matrix_mautrix_twitter_appservice_token: "{{ matrix_homeserver_generic_secret_key | password_hash('sha512', 'twt.as.token') | to_uuid }}" -matrix_mautrix_twitter_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'twt.hs.token') | to_uuid }}" +matrix_mautrix_twitter_homeserver_token: "{{ matrix_homeserver_generic_secret_key | password_hash('sha512', 'twt.hs.token') | to_uuid }}" matrix_mautrix_twitter_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" # We'd like to force-set people with external Postgres to SQLite, so the bridge role can complain # and point them to a migration path. matrix_mautrix_twitter_database_engine: "{{ 'postgres' if matrix_postgres_enabled else '' }}" -matrix_mautrix_twitter_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mau.twt.db') | to_uuid }}" +matrix_mautrix_twitter_database_password: "{{ matrix_homeserver_generic_secret_key | password_hash('sha512', 'mau.twt.db') | to_uuid }}" ###################################################################### # @@ -574,15 +574,15 @@ matrix_mautrix_whatsapp_systemd_required_services_list: | (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_mautrix_whatsapp_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'whats.as.token') | to_uuid }}" +matrix_mautrix_whatsapp_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'whats.as.token') | to_uuid }}" -matrix_mautrix_whatsapp_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'whats.hs.token') | to_uuid }}" +matrix_mautrix_whatsapp_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'whats.hs.token') | to_uuid }}" matrix_mautrix_whatsapp_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_mautrix_whatsapp_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_mautrix_whatsapp_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mauwhatsapp.db') | to_uuid }}" +matrix_mautrix_whatsapp_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mauwhatsapp.db') | to_uuid }}" ###################################################################### # @@ -608,10 +608,10 @@ matrix_sms_bridge_systemd_required_services_list: | (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_sms_bridge_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'sms.as.token') | to_uuid }}" +matrix_sms_bridge_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'sms.as.token') | to_uuid }}" matrix_sms_bridge_homeserver_port: "{{ matrix_synapse_container_client_api_port }}" -matrix_sms_bridge_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'sms.hs.token') | to_uuid }}" +matrix_sms_bridge_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'sms.hs.token') | to_uuid }}" ###################################################################### # @@ -628,9 +628,9 @@ matrix_sms_bridge_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_se # We don't enable bridges by default. matrix_heisenbridge_enabled: false -matrix_heisenbridge_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'heisen.as.tok') | to_uuid }}" +matrix_heisenbridge_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'heisen.as.tok') | to_uuid }}" -matrix_heisenbridge_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'heisen.hs.tok') | to_uuid }}" +matrix_heisenbridge_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'heisen.hs.tok') | to_uuid }}" matrix_heisenbridge_systemd_wanted_services_list: | {{ @@ -667,15 +667,15 @@ matrix_mx_puppet_skype_systemd_required_services_list: | (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_mx_puppet_skype_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'skype.as.tok') | to_uuid }}" +matrix_mx_puppet_skype_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'skype.as.tok') | to_uuid }}" -matrix_mx_puppet_skype_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'skype.hs.tok') | to_uuid }}" +matrix_mx_puppet_skype_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'skype.hs.tok') | to_uuid }}" matrix_mx_puppet_skype_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_mx_puppet_skype_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_mx_puppet_skype_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mxpup.skype.db') | to_uuid }}" +matrix_mx_puppet_skype_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxpup.skype.db') | to_uuid }}" ###################################################################### # @@ -706,15 +706,15 @@ matrix_mx_puppet_slack_systemd_required_services_list: | (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_mx_puppet_slack_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mxslk.as.tok') | to_uuid }}" +matrix_mx_puppet_slack_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxslk.as.tok') | to_uuid }}" -matrix_mx_puppet_slack_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mxslk.hs.tok') | to_uuid }}" +matrix_mx_puppet_slack_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxslk.hs.tok') | to_uuid }}" matrix_mx_puppet_slack_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_mx_puppet_slack_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_mx_puppet_slack_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mxpup.slack.db') | to_uuid }}" +matrix_mx_puppet_slack_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxpup.slack.db') | to_uuid }}" ###################################################################### # @@ -744,9 +744,9 @@ matrix_mx_puppet_twitter_systemd_required_services_list: | (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_mx_puppet_twitter_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mxtwt.as.tok') | to_uuid }}" +matrix_mx_puppet_twitter_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxtwt.as.tok') | to_uuid }}" -matrix_mx_puppet_twitter_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mxtwt.hs.tok') | to_uuid }}" +matrix_mx_puppet_twitter_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxtwt.hs.tok') | to_uuid }}" matrix_mx_puppet_twitter_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" @@ -754,7 +754,7 @@ matrix_mx_puppet_twitter_container_http_host_bind_port: "{{ '' if matrix_nginx_p # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_mx_puppet_twitter_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_mx_puppet_twitter_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mxpup.twitter.db') | to_uuid }}" +matrix_mx_puppet_twitter_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxpup.twitter.db') | to_uuid }}" ###################################################################### # @@ -785,15 +785,15 @@ matrix_mx_puppet_instagram_systemd_required_services_list: | (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_mx_puppet_instagram_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mxig.as.tok') | to_uuid }}" +matrix_mx_puppet_instagram_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxig.as.tok') | to_uuid }}" -matrix_mx_puppet_instagram_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mxig.hs.tok') | to_uuid }}" +matrix_mx_puppet_instagram_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxig.hs.tok') | to_uuid }}" matrix_mx_puppet_instagram_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_mx_puppet_instagram_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_mx_puppet_instagram_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mxpup.ig.db') | to_uuid }}" +matrix_mx_puppet_instagram_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxpup.ig.db') | to_uuid }}" ###################################################################### # @@ -823,15 +823,15 @@ matrix_mx_puppet_discord_systemd_required_services_list: | (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_mx_puppet_discord_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mxdsc.as.tok') | to_uuid }}" +matrix_mx_puppet_discord_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxdsc.as.tok') | to_uuid }}" -matrix_mx_puppet_discord_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mxdsc.hs.tok') | to_uuid }}" +matrix_mx_puppet_discord_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxdsc.hs.tok') | to_uuid }}" matrix_mx_puppet_discord_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_mx_puppet_discord_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_mx_puppet_discord_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mxpup.dsc.db') | to_uuid }}" +matrix_mx_puppet_discord_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxpup.dsc.db') | to_uuid }}" ###################################################################### # @@ -861,15 +861,15 @@ matrix_mx_puppet_steam_systemd_required_services_list: | (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_mx_puppet_steam_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mxste.as.tok') | to_uuid }}" +matrix_mx_puppet_steam_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxste.as.tok') | to_uuid }}" -matrix_mx_puppet_steam_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mxste.hs.tok') | to_uuid }}" +matrix_mx_puppet_steam_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxste.hs.tok') | to_uuid }}" matrix_mx_puppet_steam_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_mx_puppet_steam_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_mx_puppet_steam_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mxpup.steam.db') | to_uuid }}" +matrix_mx_puppet_steam_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxpup.steam.db') | to_uuid }}" ###################################################################### # @@ -899,15 +899,15 @@ matrix_mx_puppet_groupme_systemd_required_services_list: | (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_mx_puppet_groupme_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mxgro.as.tok') | to_uuid }}" +matrix_mx_puppet_groupme_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxgro.as.tok') | to_uuid }}" -matrix_mx_puppet_groupme_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mxgro.hs.tok') | to_uuid }}" +matrix_mx_puppet_groupme_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxgro.hs.tok') | to_uuid }}" matrix_mx_puppet_groupme_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_mx_puppet_groupme_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_mx_puppet_groupme_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mxpup.groupme.db') | to_uuid }}" +matrix_mx_puppet_groupme_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxpup.groupme.db') | to_uuid }}" ###################################################################### # @@ -937,7 +937,7 @@ matrix_bot_matrix_reminder_bot_systemd_required_services_list: | # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_bot_matrix_reminder_bot_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_bot_matrix_reminder_bot_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'reminder.bot.db') | to_uuid }}" +matrix_bot_matrix_reminder_bot_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'reminder.bot.db') | to_uuid }}" matrix_bot_matrix_reminder_bot_container_image_self_build: "{{ matrix_architecture != 'amd64' }}" ###################################################################### @@ -1142,7 +1142,7 @@ matrix_dimension_systemd_required_services_list: | # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_dimension_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_dimension_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'dimension.db') | to_uuid }}" +matrix_dimension_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'dimension.db') | to_uuid }}" ###################################################################### # @@ -1167,7 +1167,7 @@ matrix_etherpad_systemd_required_services_list: | (['matrix-postgres.service'] if matrix_postgres_enabled else []) }} -matrix_etherpad_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'etherpad.db') | to_uuid }}" +matrix_etherpad_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'etherpad.db') | to_uuid }}" ###################################################################### # @@ -1226,9 +1226,9 @@ matrix_jitsi_jvb_container_colibri_ws_host_bind_port: "{{ '' if matrix_nginx_pro matrix_jitsi_prosody_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:5280' }}" -matrix_jitsi_jibri_xmpp_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'jibri') | to_uuid }}" -matrix_jitsi_jicofo_auth_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'jicofo') | to_uuid }}" -matrix_jitsi_jvb_auth_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'jvb') | to_uuid }}" +matrix_jitsi_jibri_xmpp_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'jibri') | to_uuid }}" +matrix_jitsi_jicofo_auth_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'jicofo') | to_uuid }}" +matrix_jitsi_jvb_auth_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'jvb') | to_uuid }}" matrix_jitsi_web_stun_servers: | {{ @@ -1331,7 +1331,7 @@ matrix_ma1sd_systemd_wanted_services_list: | # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_ma1sd_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_ma1sd_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'ma1sd.db') | to_uuid }}" +matrix_ma1sd_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'ma1sd.db') | to_uuid }}" ###################################################################### # @@ -1926,7 +1926,9 @@ matrix_synapse_container_manhole_api_host_bind_port: "{{ '127.0.0.1:9000' if mat # For exposing the Synapse worker (and metrics) ports to the local host. matrix_synapse_workers_container_host_bind_address: "{{ '127.0.0.1' if (matrix_synapse_workers_enabled and not matrix_nginx_proxy_enabled) else '' }}" -matrix_synapse_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'synapse.db') | to_uuid }}" +matrix_synapse_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'synapse.db') | to_uuid }}" + +matrix_synapse_macaroon_secret_key: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'synapse.mac') | to_uuid }}" # We do not enable TLS in Synapse by default. # TLS is handled by the matrix-nginx-proxy, which proxies the requests to Synapse. @@ -2077,7 +2079,7 @@ matrix_prometheus_scraper_postgres_targets: "{{ ['matrix-prometheus-postgres-exp ###################################################################### matrix_prometheus_postgres_exporter_enabled: false -matrix_prometheus_postgres_exporter_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'prometheus.pg.db') | to_uuid }}" +matrix_prometheus_postgres_exporter_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'prometheus.pg.db') | to_uuid }}" matrix_prometheus_postgres_exporter_systemd_required_services_list: | {{ @@ -2153,7 +2155,7 @@ matrix_registration_systemd_required_services_list: | # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_registration_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_registration_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mx.registr.db') | to_uuid }}" +matrix_registration_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mx.registr.db') | to_uuid }}" ###################################################################### # @@ -2208,9 +2210,9 @@ matrix_dendrite_container_http_host_bind_address: "{{ '' if matrix_nginx_proxy_e # For exposing Dendrite's HTTPS server to the local host. matrix_dendrite_container_https_host_bind_address: "{{ '' if matrix_nginx_proxy_enabled or not matrix_dendrite_https_bind_port else ('127.0.0.1:' + matrix_dendrite_https_bind_port|string) }}" -matrix_dendrite_registration_shared_secret: "{{ matrix_dendrite_generic_secret_key | password_hash('sha512', 'dendrite.rss') | to_uuid }}" +matrix_dendrite_registration_shared_secret: "{{ matrix_homeserver_generic_secret_key | password_hash('sha512', 'dendrite.rss') | to_uuid }}" -matrix_dendrite_database_password: "{{ matrix_dendrite_generic_secret_key | password_hash('sha512', 'dendrite.db') | to_uuid }}" +matrix_dendrite_database_password: "{{ matrix_homeserver_generic_secret_key | password_hash('sha512', 'dendrite.db') | to_uuid }}" # Even if TURN doesn't support TLS (it does by default), # it doesn't hurt to try a secure connection anyway. diff --git a/roles/matrix-base/defaults/main.yml b/roles/matrix-base/defaults/main.yml index c71061f8..dc273afd 100644 --- a/roles/matrix-base/defaults/main.yml +++ b/roles/matrix-base/defaults/main.yml @@ -16,6 +16,9 @@ matrix_domain: ~ # The homeserver implementation of an existing server cannot be changed without data loss. matrix_homeserver_implementation: synapse +# This contains a secret, which is used for generating various other secrets later on. +matrix_homeserver_generic_secret_key: '' + # This is where your data lives and what we set up. # This and the Element FQN (see below) are expected to be on the same server. matrix_server_fqn_matrix: "matrix.{{ matrix_domain }}" diff --git a/roles/matrix-base/tasks/sanity_check.yml b/roles/matrix-base/tasks/sanity_check.yml index b9c8348f..298a994c 100644 --- a/roles/matrix-base/tasks/sanity_check.yml +++ b/roles/matrix-base/tasks/sanity_check.yml @@ -33,14 +33,25 @@ - {'old': 'hostname_riot', 'new': 'matrix_server_fqn_element'} - {'old': 'matrix_server_fqn_riot', 'new': 'matrix_server_fqn_element'} +# We have a dedicated check for this variable, because we'd like to have a custom (friendlier) message. +- name: Fail if matrix_homeserver_generic_secret_key is undefined + fail: + msg: | + The `matrix_homeserver_generic_secret_key` variable must be defined and have a non-null and non-empty value. + + If you're seeing this error on an existing homeserver installation, you can fix it easily this error by adding + `{% raw %}matrix_homeserver_generic_secret_key: "{{ matrix_synapse_macaroon_secret_key }}"{% endraw %}` + to your vars.yml file. Using another secret for the new variable is also possible and shouldn't cause any trouble. + when: "matrix_homeserver_generic_secret_key is none or matrix_homeserver_generic_secret_key == ''" + - name: Fail if required variables are undefined fail: - msg: "The `{{ item }}` variable must be defined and have a non-null value" + msg: "The `{{ item.var }}` variable must be defined and have a non-null and non-empty value" with_items: - - matrix_domain - - matrix_server_fqn_matrix - - matrix_server_fqn_element - when: "item not in vars or vars[item] is none" + - {'var': matrix_domain, 'value': "{{ matrix_domain|default('') }}"} + - {'var': matrix_server_fqn_matrix, 'value': "{{ matrix_server_fqn_matrix|default('') }}"} + - {'var': matrix_server_fqn_element, 'value': "{{ matrix_server_fqn_element|default('') }}"} + when: "item.value is none or item.value == ''" - name: Fail if uppercase domain used fail: diff --git a/roles/matrix-dendrite/defaults/main.yml b/roles/matrix-dendrite/defaults/main.yml index ed15711e..840ef9ec 100644 --- a/roles/matrix-dendrite/defaults/main.yml +++ b/roles/matrix-dendrite/defaults/main.yml @@ -63,8 +63,6 @@ matrix_dendrite_systemd_wanted_services_list: [] # matrix_dendrite_template_dendrite_config: "{{ playbook_dir }}/inventory/host_vars//dendrite.yaml.j2" matrix_dendrite_template_dendrite_config: "{{ role_path }}/templates/dendrite/dendrite.yaml.j2" -# A secret used to derive various other secrets -matrix_dendrite_generic_secret_key: '' matrix_dendrite_registration_shared_secret: '' matrix_dendrite_allow_guest_access: false diff --git a/roles/matrix-dendrite/tasks/validate_config.yml b/roles/matrix-dendrite/tasks/validate_config.yml index 9e7db426..2d2cf4c5 100644 --- a/roles/matrix-dendrite/tasks/validate_config.yml +++ b/roles/matrix-dendrite/tasks/validate_config.yml @@ -5,7 +5,6 @@ You need to define a required configuration setting (`{{ item }}`) for using Dendrite. when: "vars[item] == ''" with_items: - - "matrix_dendrite_generic_secret_key" - "matrix_dendrite_registration_shared_secret" - name: (Deprecation) Catch and report renamed settings From bbbfc0708f662927158df508ba7b10f0b26ad6f7 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 23 Dec 2021 17:39:56 +0200 Subject: [PATCH 142/202] Derive matrix_coturn_turn_static_auth_secret from matrix_homeserver_generic_secret_key Doing this further simplifies examples/vars.yml. --- examples/vars.yml | 4 ---- group_vars/matrix_servers | 2 ++ 2 files changed, 2 insertions(+), 4 deletions(-) diff --git a/examples/vars.yml b/examples/vars.yml index 0f6c1a55..f5776962 100644 --- a/examples/vars.yml +++ b/examples/vars.yml @@ -28,10 +28,6 @@ matrix_homeserver_generic_secret_key: '' # Example value: someone@example.com matrix_ssl_lets_encrypt_support_email: '' -# A shared secret (between Coturn and Synapse) used for authentication. -# You can put any string here, but generating a strong one is preferred (e.g. `pwgen -s 64 1`). -matrix_coturn_turn_static_auth_secret: '' - # A Postgres password to use for the superuser Postgres user (called `matrix` by default). # # The playbook creates additional Postgres users and databases (one for each enabled service) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index a39b4665..4441ca05 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -1087,6 +1087,8 @@ matrix_coturn_container_image_self_build: "{{ matrix_architecture != 'amd64'}}" matrix_coturn_turn_external_ip_address: "{{ ansible_host }}" +matrix_coturn_turn_static_auth_secret: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'coturn.sas') | to_uuid }}" + matrix_coturn_tls_enabled: "{{ matrix_ssl_retrieval_method != 'none' }}" matrix_coturn_tls_cert_path: "{{ matrix_ssl_config_dir_path }}/live/{{ matrix_server_fqn_matrix }}/fullchain.pem" matrix_coturn_tls_key_path: "{{ matrix_ssl_config_dir_path }}/live/{{ matrix_server_fqn_matrix }}/privkey.pem" From 38ad152c03c39ac1adc7126d86c8280ec8886015 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 23 Dec 2021 17:48:34 +0200 Subject: [PATCH 143/202] Add Dendrite-awareness to matrix_homeserver_container_url when matrix-nginx-proxy disabled --- group_vars/matrix_servers | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 4441ca05..27f997e8 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -21,7 +21,13 @@ matrix_identity_server_url: "{{ ('https://' + matrix_server_fqn_matrix) if matri # If Synapse workers are enabled and matrix-nginx-proxy is disabled, certain APIs may not work over 'http://matrix-synapse:{{ matrix_synapse_container_client_api_port }}'. # This is because we explicitly disable them for the main Synapse process. -matrix_homeserver_container_url: "{{ 'http://matrix-nginx-proxy:12080' if matrix_nginx_proxy_enabled else 'http://matrix-synapse:'+ matrix_synapse_container_client_api_port|string }}" +matrix_homeserver_container_url: |- + {{ + 'http://matrix-nginx-proxy:12080' if matrix_nginx_proxy_enabled else { + 'synapse': ('http://matrix-synapse:'+ matrix_synapse_container_client_api_port|string), + 'dendrite': ('http://matrix-dendrite:' + matrix_dendrite_http_bind_port|string), + }[matrix_homeserver_implementation] + }} ###################################################################### # From 593fc2fa852429211ae364fff58d75f2d7d41400 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 23 Dec 2021 18:01:48 +0200 Subject: [PATCH 144/202] Replace matrix-synapse.service references with more homeserver-neutral references --- group_vars/matrix_servers | 63 +++++++++++++++++++-------------------- 1 file changed, 31 insertions(+), 32 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 27f997e8..1ae75535 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -78,7 +78,7 @@ matrix_appservice_discord_systemd_required_services_list: | {{ ['docker.service'] + - (['matrix-synapse.service'] if matrix_synapse_enabled else []) + ['matrix-' + matrix_homeserver_implementation + '.service'] + (['matrix-postgres.service'] if matrix_postgres_enabled else []) + @@ -128,7 +128,7 @@ matrix_appservice_webhooks_systemd_required_services_list: | {{ ['docker.service'] + - (['matrix-synapse.service'] if matrix_synapse_enabled else []) + ['matrix-' + matrix_homeserver_implementation + '.service'] + (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} @@ -167,7 +167,7 @@ matrix_appservice_slack_systemd_required_services_list: | {{ ['docker.service'] + - (['matrix-synapse.service'] if matrix_synapse_enabled else []) + ['matrix-' + matrix_homeserver_implementation + '.service'] + (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} @@ -206,7 +206,7 @@ matrix_appservice_irc_systemd_required_services_list: | {{ ['docker.service'] + - (['matrix-synapse.service'] if matrix_synapse_enabled else []) + ['matrix-' + matrix_homeserver_implementation + '.service'] + (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} @@ -241,7 +241,7 @@ matrix_beeper_linkedin_systemd_required_services_list: | {{ ['docker.service'] + - (['matrix-synapse.service'] if matrix_synapse_enabled else []) + ['matrix-' + matrix_homeserver_implementation + '.service'] + (['matrix-postgres.service'] if matrix_postgres_enabled else []) + @@ -279,7 +279,7 @@ matrix_mautrix_facebook_systemd_required_services_list: | {{ ['docker.service'] + - (['matrix-synapse.service'] if matrix_synapse_enabled else []) + ['matrix-' + matrix_homeserver_implementation + '.service'] + (['matrix-postgres.service'] if matrix_postgres_enabled else []) + @@ -321,7 +321,7 @@ matrix_mautrix_hangouts_systemd_required_services_list: | {{ ['docker.service'] + - (['matrix-synapse.service'] if matrix_synapse_enabled else []) + ['matrix-' + matrix_homeserver_implementation + '.service'] + (['matrix-postgres.service'] if matrix_postgres_enabled else []) + @@ -362,7 +362,7 @@ matrix_mautrix_googlechat_systemd_required_services_list: | {{ ['docker.service'] + - (['matrix-synapse.service'] if matrix_synapse_enabled else []) + ['matrix-' + matrix_homeserver_implementation + '.service'] + (['matrix-postgres.service'] if matrix_postgres_enabled else []) + @@ -403,7 +403,7 @@ matrix_mautrix_instagram_systemd_required_services_list: | {{ ['docker.service'] + - (['matrix-synapse.service'] if matrix_synapse_enabled else []) + ['matrix-' + matrix_homeserver_implementation + '.service'] + (['matrix-postgres.service'] if matrix_postgres_enabled else []) + @@ -443,7 +443,7 @@ matrix_mautrix_signal_systemd_required_services_list: | {{ ['docker.service'] + - (['matrix-synapse.service'] if matrix_synapse_enabled else []) + ['matrix-' + matrix_homeserver_implementation + '.service'] + (['matrix-postgres.service'] if matrix_postgres_enabled else []) + @@ -492,7 +492,7 @@ matrix_mautrix_telegram_systemd_required_services_list: | {{ ['docker.service'] + - (['matrix-synapse.service'] if matrix_synapse_enabled else []) + ['matrix-' + matrix_homeserver_implementation + '.service'] + (['matrix-postgres.service'] if matrix_postgres_enabled else []) + @@ -534,7 +534,7 @@ matrix_mautrix_twitter_systemd_required_services_list: | {{ ['docker.service'] + - (['matrix-synapse.service'] if matrix_synapse_enabled else []) + ['matrix-' + matrix_homeserver_implementation + '.service'] + (['matrix-postgres.service'] if matrix_postgres_enabled else []) + @@ -573,7 +573,7 @@ matrix_mautrix_whatsapp_systemd_required_services_list: | {{ ['docker.service'] + - (['matrix-synapse.service'] if matrix_synapse_enabled else []) + ['matrix-' + matrix_homeserver_implementation + '.service'] + (['matrix-postgres.service'] if matrix_postgres_enabled else []) + @@ -609,7 +609,7 @@ matrix_sms_bridge_systemd_required_services_list: | {{ ['docker.service'] + - (['matrix-synapse.service'] if matrix_synapse_enabled else []) + ['matrix-' + matrix_homeserver_implementation + '.service'] + (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} @@ -640,7 +640,7 @@ matrix_heisenbridge_homeserver_token: "{{ '%s' | format(matrix_homeserver_generi matrix_heisenbridge_systemd_wanted_services_list: | {{ - (['matrix-synapse.service'] if matrix_synapse_enabled else []) + ['matrix-' + matrix_homeserver_implementation + '.service'] + (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} @@ -666,7 +666,7 @@ matrix_mx_puppet_skype_systemd_required_services_list: | {{ ['docker.service'] + - (['matrix-synapse.service'] if matrix_synapse_enabled else []) + ['matrix-' + matrix_homeserver_implementation + '.service'] + (['matrix-postgres.service'] if matrix_postgres_enabled else []) + @@ -705,7 +705,7 @@ matrix_mx_puppet_slack_systemd_required_services_list: | {{ ['docker.service'] + - (['matrix-synapse.service'] if matrix_synapse_enabled else []) + ['matrix-' + matrix_homeserver_implementation + '.service'] + (['matrix-postgres.service'] if matrix_postgres_enabled else []) + @@ -743,7 +743,7 @@ matrix_mx_puppet_twitter_systemd_required_services_list: | {{ ['docker.service'] + - (['matrix-synapse.service'] if matrix_synapse_enabled else []) + ['matrix-' + matrix_homeserver_implementation + '.service'] + (['matrix-postgres.service'] if matrix_postgres_enabled else []) + @@ -784,7 +784,7 @@ matrix_mx_puppet_instagram_systemd_required_services_list: | {{ ['docker.service'] + - (['matrix-synapse.service'] if matrix_synapse_enabled else []) + ['matrix-' + matrix_homeserver_implementation + '.service'] + (['matrix-postgres.service'] if matrix_postgres_enabled else []) + @@ -822,7 +822,7 @@ matrix_mx_puppet_discord_systemd_required_services_list: | {{ ['docker.service'] + - (['matrix-synapse.service'] if matrix_synapse_enabled else []) + ['matrix-' + matrix_homeserver_implementation + '.service'] + (['matrix-postgres.service'] if matrix_postgres_enabled else []) + @@ -860,7 +860,7 @@ matrix_mx_puppet_steam_systemd_required_services_list: | {{ ['docker.service'] + - (['matrix-synapse.service'] if matrix_synapse_enabled else []) + ['matrix-' + matrix_homeserver_implementation + '.service'] + (['matrix-postgres.service'] if matrix_postgres_enabled else []) + @@ -898,7 +898,7 @@ matrix_mx_puppet_groupme_systemd_required_services_list: | {{ ['docker.service'] + - (['matrix-synapse.service'] if matrix_synapse_enabled else []) + ['matrix-' + matrix_homeserver_implementation + '.service'] + (['matrix-postgres.service'] if matrix_postgres_enabled else []) + @@ -934,9 +934,9 @@ matrix_bot_matrix_reminder_bot_systemd_required_services_list: | {{ ['docker.service'] + - (['matrix-postgres.service'] if matrix_postgres_enabled else []) + ['matrix-' + matrix_homeserver_implementation + '.service'] + - (['matrix-synapse.service'] if matrix_synapse_enabled else []) + (['matrix-postgres.service'] if matrix_postgres_enabled else []) + (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} @@ -997,7 +997,7 @@ matrix_bot_go_neb_systemd_required_services_list: | {{ ['docker.service'] + - (['matrix-synapse.service'] if matrix_synapse_enabled else []) + ['matrix-' + matrix_homeserver_implementation + '.service'] + (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} @@ -1026,7 +1026,7 @@ matrix_bot_mjolnir_systemd_required_services_list: | {{ ['docker.service'] + - (['matrix-synapse.service'] if matrix_synapse_enabled else []) + ['matrix-' + matrix_homeserver_implementation + '.service'] + (['matrix-postgres.service'] if matrix_postgres_enabled else []) + @@ -1060,10 +1060,9 @@ matrix_corporal_systemd_required_services_list: | {{ (['docker.service']) + - (['matrix-synapse.service']) + (['matrix-' + matrix_homeserver_implementation + '.service']) }} -# This goes to Synapse's vhost matrix_corporal_matrix_homeserver_api_endpoint: "{{ matrix_homeserver_container_url }}" matrix_corporal_matrix_auth_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret }}" @@ -1141,9 +1140,9 @@ matrix_dimension_systemd_required_services_list: | {{ ['docker.service'] + - (['matrix-postgres.service'] if matrix_postgres_enabled else []) + ['matrix-' + matrix_homeserver_implementation + '.service'] + - (['matrix-synapse.service'] if matrix_synapse_enabled else []) + (['matrix-postgres.service'] if matrix_postgres_enabled else []) + (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} @@ -1330,7 +1329,7 @@ matrix_ma1sd_systemd_required_services_list: | matrix_ma1sd_systemd_wanted_services_list: | {{ - (['matrix-corporal.service'] if matrix_corporal_enabled else ['matrix-synapse.service']) + (['matrix-corporal.service'] if matrix_corporal_enabled else ['matrix-' + matrix_homeserver_implementation + '.service']) + (['matrix-postgres.service'] if matrix_postgres_enabled else []) + @@ -1454,7 +1453,7 @@ matrix_nginx_proxy_proxy_synapse_workers_enabled_list: "{{ matrix_synapse_worker matrix_nginx_proxy_systemd_wanted_services_list: | {{ - (['matrix-synapse.service'] if matrix_synapse_enabled else []) + ['matrix-' + matrix_homeserver_implementation + '.service'] + (['matrix-corporal.service'] if matrix_corporal_enabled else []) + From de49cc5271a907dba11985853a9402f7ccb79ac1 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 23 Dec 2021 18:04:26 +0200 Subject: [PATCH 145/202] Fix matrix_registration_shared_secret for Dendrite --- group_vars/matrix_servers | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 1ae75535..305d8044 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -2145,7 +2145,13 @@ matrix_registration_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_ matrix_registration_riot_instance: "{{ ('https://' + matrix_server_fqn_element) if matrix_client_element_enabled else 'https://riot.im/app/' }}" -matrix_registration_shared_secret: "{{ matrix_synapse_registration_shared_secret if matrix_synapse_enabled else '' }}" +matrix_registration_shared_secret: |- + {{ + { + 'synapse': matrix_synapse_registration_shared_secret, + 'dendrite': matrix_dendrite_registration_shared_secret, + }[matrix_homeserver_implementation] + }} matrix_registration_server_location: "{{ matrix_homeserver_container_url }}" From 05b4572fab77c1da79f21a7aab51c00d97e011e5 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 23 Dec 2021 18:13:44 +0200 Subject: [PATCH 146/202] Fix matrix_dimension_homeserver_federationUrl for Dendrite --- group_vars/matrix_servers | 10 +++++++++- roles/matrix-base/defaults/main.yml | 9 +++++++-- roles/matrix-base/tasks/validate_config.yml | 3 ++- 3 files changed, 18 insertions(+), 4 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 305d8044..864f7702 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -29,6 +29,14 @@ matrix_homeserver_container_url: |- }[matrix_homeserver_implementation] }} +matrix_homeserver_container_federation_url: |- + {{ + 'http://matrix-nginx-proxy:12088' if matrix_nginx_proxy_enabled else { + 'synapse': ('http://matrix-synapse:'+ matrix_synapse_container_federation_api_plain_port|string), + 'dendrite': ('http://matrix-dendrite:' + matrix_dendrite_http_bind_port|string), + }[matrix_homeserver_implementation] + }} + ###################################################################### # # /matrix-base @@ -1131,7 +1139,7 @@ matrix_dimension_container_image_self_build: "{{ matrix_architecture != 'amd64' # the Dimension HTTP port to the local host. matrix_dimension_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:8184' }}" -matrix_dimension_homeserver_federationUrl: "http://matrix-synapse:{{matrix_synapse_container_federation_api_plain_port|string}}" +matrix_dimension_homeserver_federationUrl: "{{ matrix_homeserver_container_federation_url }}" matrix_integration_manager_rest_url: "{{ matrix_dimension_integrations_rest_url if matrix_dimension_enabled else None }}" matrix_integration_manager_ui_url: "{{ matrix_dimension_integrations_ui_url if matrix_dimension_enabled else None }}" diff --git a/roles/matrix-base/defaults/main.yml b/roles/matrix-base/defaults/main.yml index dc273afd..be403de7 100644 --- a/roles/matrix-base/defaults/main.yml +++ b/roles/matrix-base/defaults/main.yml @@ -103,11 +103,16 @@ matrix_ntpd_service: "{{ 'systemd-timesyncd' if (ansible_distribution == 'CentOS matrix_homeserver_url: "https://{{ matrix_server_fqn_matrix }}" -# Specifies where the homeserver is on the container network. -# Where this is depends on whether there's a reverse-proxy in front of it, etc. +# Specifies where the homeserver's Client-Server API is on the container network. +# Where this is depends on whether there's a reverse-proxy in front of the homeserver, which homeserver it is, etc. # This likely gets overriden elsewhere. matrix_homeserver_container_url: "" +# Specifies where the homeserver's Federation API is on the container network. +# Where this is depends on whether there's a reverse-proxy in front of the homeserver, which homeserver it is, etc. +# This likely gets overriden elsewhere. +matrix_homeserver_container_federation_url: "" + matrix_identity_server_url: ~ matrix_integration_manager_rest_url: ~ diff --git a/roles/matrix-base/tasks/validate_config.yml b/roles/matrix-base/tasks/validate_config.yml index 8bb3fca0..84ef2f06 100644 --- a/roles/matrix-base/tasks/validate_config.yml +++ b/roles/matrix-base/tasks/validate_config.yml @@ -6,4 +6,5 @@ You need to define a required configuration setting (`{{ item }}`) for using this playbook. when: "vars[item] == ''" with_items: - - "matrix_homeserver_container_url" \ No newline at end of file + - "matrix_homeserver_container_url" + - "matrix_homeserver_container_federation_url" From 5c3c0d0d588bce8669240c41ff123a45502bad8d Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 23 Dec 2021 18:47:50 +0200 Subject: [PATCH 147/202] Set Dendrite's real_ip_header correctly --- group_vars/matrix_servers | 2 ++ roles/matrix-dendrite/defaults/main.yml | 4 ++++ roles/matrix-dendrite/templates/dendrite/dendrite.yaml.j2 | 1 + 3 files changed, 7 insertions(+) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 864f7702..57319eba 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -2231,6 +2231,8 @@ matrix_dendrite_container_http_host_bind_address: "{{ '' if matrix_nginx_proxy_e # For exposing Dendrite's HTTPS server to the local host. matrix_dendrite_container_https_host_bind_address: "{{ '' if matrix_nginx_proxy_enabled or not matrix_dendrite_https_bind_port else ('127.0.0.1:' + matrix_dendrite_https_bind_port|string) }}" +matrix_dendrite_sync_api_real_ip_header: "{{ 'X-Forwarded-For' if matrix_nginx_proxy_enabled else '' }}" + matrix_dendrite_registration_shared_secret: "{{ matrix_homeserver_generic_secret_key | password_hash('sha512', 'dendrite.rss') | to_uuid }}" matrix_dendrite_database_password: "{{ matrix_homeserver_generic_secret_key | password_hash('sha512', 'dendrite.db') | to_uuid }}" diff --git a/roles/matrix-dendrite/defaults/main.yml b/roles/matrix-dendrite/defaults/main.yml index 840ef9ec..23789540 100644 --- a/roles/matrix-dendrite/defaults/main.yml +++ b/roles/matrix-dendrite/defaults/main.yml @@ -68,6 +68,10 @@ matrix_dendrite_allow_guest_access: false matrix_dendrite_max_file_size_bytes: 10485760 +# Controls which HTTP header (e.g. 'X-Forwarded-For', 'X-Real-IP') to inspect to find the real remote IP address of the client. +# This is likely required if Dendrite is running behind a reverse proxy server. +matrix_dendrite_sync_api_real_ip_header: '' + # The tmpfs at /tmp needs to be large enough to handle multiple concurrent file uploads. matrix_dendrite_tmp_directory_size_mb: 500 diff --git a/roles/matrix-dendrite/templates/dendrite/dendrite.yaml.j2 b/roles/matrix-dendrite/templates/dendrite/dendrite.yaml.j2 index c512904e..102dd2f5 100644 --- a/roles/matrix-dendrite/templates/dendrite/dendrite.yaml.j2 +++ b/roles/matrix-dendrite/templates/dendrite/dendrite.yaml.j2 @@ -339,6 +339,7 @@ sync_api: # address of the client. This is likely required if Dendrite is running behind # a reverse proxy server. # real_ip_header: X-Real-IP + real_ip_header: {{ matrix_dendrite_sync_api_real_ip_header|to_json }} # Configuration for the User API. user_api: From 61c0930325a6f064483bfebb2b05f6f47eb29b50 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 4 Jan 2022 17:31:37 +0200 Subject: [PATCH 148/202] Suppress output for ExecStartPre/ExecStop commands This brings matrix-dendrite.service in line with all the other services. --- .../dendrite/systemd/matrix-dendrite.service.j2 | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/roles/matrix-dendrite/templates/dendrite/systemd/matrix-dendrite.service.j2 b/roles/matrix-dendrite/templates/dendrite/systemd/matrix-dendrite.service.j2 index 4c357fd1..e14734dd 100644 --- a/roles/matrix-dendrite/templates/dendrite/systemd/matrix-dendrite.service.j2 +++ b/roles/matrix-dendrite/templates/dendrite/systemd/matrix-dendrite.service.j2 @@ -13,8 +13,8 @@ DefaultDependencies=no [Service] Type=simple Environment="HOME={{ matrix_systemd_unit_home_path }}" -ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-dendrite -ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-dendrite +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-dendrite 2>/dev/null' +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-dendrite 2>/dev/null' {% if 'matrix-postgres.service' in matrix_dendrite_systemd_required_services_list %} # Dendrite is too quick to start in relation to its matrix-postgres dependency. @@ -53,9 +53,9 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-dendrite \ {% endif %} {{ matrix_dendrite_process_extra_arguments|join(' ') }} -ExecStop=-{{ matrix_host_command_docker }} kill matrix-dendrite -ExecStop=-{{ matrix_host_command_docker }} rm matrix-dendrite -ExecReload={{ matrix_host_command_docker }} exec matrix-dendrite kill -HUP 1 +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-dendrite 2>/dev/null' +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-dendrite 2>/dev/null' +ExecReload={{ matrix_host_command_docker }} exec matrix-dendrite /bin/sh -c 'kill -HUP 1' Restart=always RestartSec=30 SyslogIdentifier=matrix-dendrite From 90c9801c560b66dcbc3e3dda91ce45d3a874022e Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 4 Jan 2022 17:32:06 +0200 Subject: [PATCH 149/202] Use ExecStopPost instead of ExecStop This is the equivalent of b1b4ba501fdfaa43 for the matrix-dendrite role. --- .../templates/dendrite/systemd/matrix-dendrite.service.j2 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/matrix-dendrite/templates/dendrite/systemd/matrix-dendrite.service.j2 b/roles/matrix-dendrite/templates/dendrite/systemd/matrix-dendrite.service.j2 index e14734dd..7592fca8 100644 --- a/roles/matrix-dendrite/templates/dendrite/systemd/matrix-dendrite.service.j2 +++ b/roles/matrix-dendrite/templates/dendrite/systemd/matrix-dendrite.service.j2 @@ -53,8 +53,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-dendrite \ {% endif %} {{ matrix_dendrite_process_extra_arguments|join(' ') }} -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-dendrite 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-dendrite 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-dendrite 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-dendrite 2>/dev/null' ExecReload={{ matrix_host_command_docker }} exec matrix-dendrite /bin/sh -c 'kill -HUP 1' Restart=always RestartSec=30 From 139c574cdbbbed4e2642500eb2ec618a5c0a63ee Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 7 Jan 2022 12:40:56 +0200 Subject: [PATCH 150/202] Move checks from unused validate_config.yml file elsewhere --- roles/matrix-base/tasks/sanity_check.yml | 8 ++++++-- roles/matrix-base/tasks/validate_config.yml | 10 ---------- 2 files changed, 6 insertions(+), 12 deletions(-) delete mode 100644 roles/matrix-base/tasks/validate_config.yml diff --git a/roles/matrix-base/tasks/sanity_check.yml b/roles/matrix-base/tasks/sanity_check.yml index 298a994c..f78510d7 100644 --- a/roles/matrix-base/tasks/sanity_check.yml +++ b/roles/matrix-base/tasks/sanity_check.yml @@ -39,9 +39,11 @@ msg: | The `matrix_homeserver_generic_secret_key` variable must be defined and have a non-null and non-empty value. - If you're seeing this error on an existing homeserver installation, you can fix it easily this error by adding + If you're observing this error on a new installation, you should ensure that the `matrix_homeserver_generic_secret_key` is defined. + + If you're observing this error on an existing homeserver installation, you can fix it easily and in a backward-compatible way by adding `{% raw %}matrix_homeserver_generic_secret_key: "{{ matrix_synapse_macaroon_secret_key }}"{% endraw %}` - to your vars.yml file. Using another secret for the new variable is also possible and shouldn't cause any trouble. + to your `vars.yml` file. Using another secret value for the new variable is also possible and shouldn't cause any trouble. when: "matrix_homeserver_generic_secret_key is none or matrix_homeserver_generic_secret_key == ''" - name: Fail if required variables are undefined @@ -51,6 +53,8 @@ - {'var': matrix_domain, 'value': "{{ matrix_domain|default('') }}"} - {'var': matrix_server_fqn_matrix, 'value': "{{ matrix_server_fqn_matrix|default('') }}"} - {'var': matrix_server_fqn_element, 'value': "{{ matrix_server_fqn_element|default('') }}"} + - {'var': matrix_homeserver_container_url, 'value': "{{ matrix_homeserver_container_url|default('') }}"} + - {'var': matrix_homeserver_container_federation_url, 'value': "{{ matrix_homeserver_container_federation_url|default('') }}"} when: "item.value is none or item.value == ''" - name: Fail if uppercase domain used diff --git a/roles/matrix-base/tasks/validate_config.yml b/roles/matrix-base/tasks/validate_config.yml deleted file mode 100644 index 84ef2f06..00000000 --- a/roles/matrix-base/tasks/validate_config.yml +++ /dev/null @@ -1,10 +0,0 @@ ---- - -- name: Fail if required Matrix Base settings not defined - fail: - msg: >- - You need to define a required configuration setting (`{{ item }}`) for using this playbook. - when: "vars[item] == ''" - with_items: - - "matrix_homeserver_container_url" - - "matrix_homeserver_container_federation_url" From 0f59c4056ed027c6f497c7bbf5525aaf6ae1d614 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 7 Jan 2022 13:32:43 +0200 Subject: [PATCH 151/202] Set up well-known when invoked with the setup-dendrite tag --- roles/matrix-base/tasks/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/matrix-base/tasks/main.yml b/roles/matrix-base/tasks/main.yml index 4af3564c..f9db37b3 100644 --- a/roles/matrix-base/tasks/main.yml +++ b/roles/matrix-base/tasks/main.yml @@ -31,4 +31,5 @@ - setup-all - setup-ma1sd - setup-synapse + - setup-dendrite - setup-nginx-proxy From 134c617f34a9b436bc8d6981d84b120c38650b13 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 7 Jan 2022 15:13:13 +0200 Subject: [PATCH 152/202] Update README --- README.md | 2 ++ docs/container-images.md | 2 ++ 2 files changed, 4 insertions(+) diff --git a/README.md b/README.md index 63875c5e..af02a3b0 100644 --- a/README.md +++ b/README.md @@ -19,6 +19,8 @@ Using this playbook, you can get the following services configured on your serve - (optional, default) a [Synapse](https://github.com/matrix-org/synapse) homeserver - storing your data and managing your presence in the [Matrix](http://matrix.org/) network +- (optional) a [Dendrite](https://github.com/matrix-org/dendrite) homeserver - storing your data and managing your presence in the [Matrix](http://matrix.org/) network. Dendrite is a second-generation Matrix homeserver written in Go, an alternative to Synapse. + - (optional) [Amazon S3](https://aws.amazon.com/s3/) storage for Synapse's content repository (`media_store`) files using [Goofys](https://github.com/kahing/goofys) - (optional, default) [PostgreSQL](https://www.postgresql.org/) database for Synapse. [Using an external PostgreSQL server](docs/configuring-playbook-external-postgres.md) is also possible. diff --git a/docs/container-images.md b/docs/container-images.md index 9be48736..cf680d21 100644 --- a/docs/container-images.md +++ b/docs/container-images.md @@ -30,6 +30,8 @@ These services are enabled and used by default, but you can turn them off, if yo These services are not part of our default installation, but can be enabled by [configuring the playbook](configuring-playbook.md) (either before the initial installation or any time later): +- [matrixdotorg/dendrite-monolith](https://hub.docker.com/r/matrixdotorg/dendrite-monolith/) - the official [Dendrite](https://github.com/matrix-org/dendrite) Matrix homeserver (optional) + - [ewoutp/goofys](https://hub.docker.com/r/ewoutp/goofys/) - the [Goofys](https://github.com/kahing/goofys) Amazon [S3](https://aws.amazon.com/s3/) file-system-mounting program (optional) - [etherpad/etherpad](https://hub.docker.com/r/etherpad/etherpad/) - the [Etherpad](https://etherpad.org) realtime collaborative text editor that can be used in a Jitsi audio/video call or integrated as a widget into Matrix chat rooms via the Dimension integration manager (optional) From 5e2f4564bbfc4572832068f564a858f14a1406a4 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 7 Jan 2022 15:58:36 +0200 Subject: [PATCH 153/202] Announce Dendrite support Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/818 --- CHANGELOG.md | 35 +++++++++++++++++++++++++++++++++++ 1 file changed, 35 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 7f6dcc35..5fd3d30f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,40 @@ # 2022-01-07 +## Dendrite support + +**Existing (Synapse) installations need to be updated**, see below. + +[Jip J. Dekker](https://github.com/Dekker1) did the initial [work of adding Dendrite support](https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/818) to the playbook back in January 2021. Lots of work (and time) later, Dendrite support is finally ready for testing. + +We believe that 2022 will be the year of the non-Synapse Matrix server! + +The playbook was previously quite [Synapse](https://github.com/matrix-org/synapse)-centric, but can now accommodate multiple homeserver implementations. Only one homeserver implementation can be active (installed) at a given time. + +**Synapse is still the default homeserver implementation** installed by the playbook. A new variable (`matrix_homeserver_implementation`) controls which server implementation is enabled (`synapse` or `dendrite` at the given moment). + +Because the playbook is not so Synapse-centric anymore, a small configuration change is necessary for existing installations to bring them up to date. + +The `vars.yml` file for **existing installations will need to be updated**: + +```yaml +# All secrets keys are now derived from `matrix_homeserver_generic_secret_key`, not from `matrix_synapse_macaroon_secret_key`. +# To keep them all the same, define `matrix_homeserver_generic_secret_key` in terms of `matrix_synapse_macaroon_secret_key`. +# Using a new secret value for this configuration key is also possible and should not cause any problems. +# +# Fun fact: new installations (based on the new `examples/vars.yml` file) do this in reverse. +# That is, the Synapse macaroon secret is derived from `matrix_homeserver_generic_secret_key`. +matrix_homeserver_generic_secret_key: "{{ matrix_synapse_macaroon_secret_key }}" +``` + +Finally, **to try out Dendrite**, we recommend that you **use a new server** and the following addition to your `vars.yml` configuration: + +```yaml +matrix_homeserver_implementation: dendrite +``` + +We're excited to gain support for other homeserver implementations, like [Conduit](https://conduit.rs/), etc! + + ## Honoroit bot support Thanks to [Aine](https://gitlab.com/etke.cc) of [etke.cc](https://etke.cc/), the playbook can now help you set up [Honoroit](https://gitlab.com/etke.cc/honoroit) - a helpdesk bot. From 6cedeb094ce4a90cd1ddcf8ba3ca43ec82759d6b Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 7 Jan 2022 16:23:32 +0200 Subject: [PATCH 154/202] Mention inability to migrate between homeserver implementation --- CHANGELOG.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 5fd3d30f..570d992e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -32,6 +32,8 @@ Finally, **to try out Dendrite**, we recommend that you **use a new server** and matrix_homeserver_implementation: dendrite ``` +**The homeserver implementation of an existing server cannot be changed** (e.g. from Synapse to Dendrite) without data loss. + We're excited to gain support for other homeserver implementations, like [Conduit](https://conduit.rs/), etc! From 425a56c94eda90a18f1ad31bda11e69011fb6b51 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 7 Jan 2022 16:27:15 +0200 Subject: [PATCH 155/202] Link to Dendrite repository from changelog entry --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 570d992e..3fc0e741 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,7 +4,7 @@ **Existing (Synapse) installations need to be updated**, see below. -[Jip J. Dekker](https://github.com/Dekker1) did the initial [work of adding Dendrite support](https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/818) to the playbook back in January 2021. Lots of work (and time) later, Dendrite support is finally ready for testing. +[Jip J. Dekker](https://github.com/Dekker1) did the [initial work](https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/818) of adding [Dendrite](https://github.com/matrix-org/dendrite) support to the playbook back in January 2021. Lots of work (and time) later, Dendrite support is finally ready for testing. We believe that 2022 will be the year of the non-Synapse Matrix server! From 19b5a50805c20ef01fc605505f19a7abea1f195a Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 8 Jan 2022 09:08:55 +0200 Subject: [PATCH 156/202] Derive Honoroit database password from matrix_homeserver_generic_secret_key Related to the work done in https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/818 --- group_vars/matrix_servers | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 57319eba..0696b148 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -982,7 +982,7 @@ matrix_bot_honoroit_systemd_required_services_list: | # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_bot_honoroit_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_bot_honoroit_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'honoroit.bot.db') | to_uuid }}" +matrix_bot_honoroit_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'honoroit.bot.db') | to_uuid }}" matrix_bot_honoroit_container_image_self_build: "{{ matrix_architecture != 'amd64' }}" ###################################################################### From 7b093c5ae00bb6ce6e60867a839e5494422f4ba2 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 8 Jan 2022 09:11:22 +0200 Subject: [PATCH 157/202] Move some variables to a more appropriate location --- group_vars/matrix_servers | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 0696b148..3be4e6ac 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -37,6 +37,9 @@ matrix_homeserver_container_federation_url: |- }[matrix_homeserver_implementation] }} +matrix_integration_manager_rest_url: "{{ matrix_dimension_integrations_rest_url if matrix_dimension_enabled else None }}" +matrix_integration_manager_ui_url: "{{ matrix_dimension_integrations_ui_url if matrix_dimension_enabled else None }}" + ###################################################################### # # /matrix-base @@ -1141,9 +1144,6 @@ matrix_dimension_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_ena matrix_dimension_homeserver_federationUrl: "{{ matrix_homeserver_container_federation_url }}" -matrix_integration_manager_rest_url: "{{ matrix_dimension_integrations_rest_url if matrix_dimension_enabled else None }}" -matrix_integration_manager_ui_url: "{{ matrix_dimension_integrations_ui_url if matrix_dimension_enabled else None }}" - matrix_dimension_systemd_required_services_list: | {{ ['docker.service'] From 53dbf2738cc9dcc3cf9f65c4281799a5523f29e8 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 8 Jan 2022 09:44:58 +0200 Subject: [PATCH 158/202] Try to improve Dendrite announcement message This is an attempt to address this: https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/dc893485d1a3893dfebd2f55c5a45ddb14e1dd74#commitcomment-63097721 --- CHANGELOG.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 3fc0e741..3b5f1fe0 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,7 +2,7 @@ ## Dendrite support -**Existing (Synapse) installations need to be updated**, see below. +**TLDR**: We now have optional experimental [Dendrite](https://github.com/matrix-org/dendrite) homeserver support for new installations. **Existing (Synapse) installations need to be updated**, because some internals changed. See [Adapting the configuration for existing Synapse installations](#adapting-the-configuration-for-existing-synapse-installations). [Jip J. Dekker](https://github.com/Dekker1) did the [initial work](https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/818) of adding [Dendrite](https://github.com/matrix-org/dendrite) support to the playbook back in January 2021. Lots of work (and time) later, Dendrite support is finally ready for testing. @@ -12,6 +12,8 @@ The playbook was previously quite [Synapse](https://github.com/matrix-org/synaps **Synapse is still the default homeserver implementation** installed by the playbook. A new variable (`matrix_homeserver_implementation`) controls which server implementation is enabled (`synapse` or `dendrite` at the given moment). +### Adapting the configuration for existing Synapse installations + Because the playbook is not so Synapse-centric anymore, a small configuration change is necessary for existing installations to bring them up to date. The `vars.yml` file for **existing installations will need to be updated**: @@ -26,6 +28,8 @@ The `vars.yml` file for **existing installations will need to be updated**: matrix_homeserver_generic_secret_key: "{{ matrix_synapse_macaroon_secret_key }}" ``` +### Trying out Dendrite + Finally, **to try out Dendrite**, we recommend that you **use a new server** and the following addition to your `vars.yml` configuration: ```yaml From 548d495d81d7197df25490424976c1571c7acc5d Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 8 Jan 2022 09:46:24 +0200 Subject: [PATCH 159/202] Update CHANGELOG --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 3b5f1fe0..e9f23468 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -16,7 +16,7 @@ The playbook was previously quite [Synapse](https://github.com/matrix-org/synaps Because the playbook is not so Synapse-centric anymore, a small configuration change is necessary for existing installations to bring them up to date. -The `vars.yml` file for **existing installations will need to be updated**: +The `vars.yml` file for **existing installations will need to be updated** by adding this **additional configuration**: ```yaml # All secrets keys are now derived from `matrix_homeserver_generic_secret_key`, not from `matrix_synapse_macaroon_secret_key`. From 4e4fb98a65474fd058c61a838db6ac312a09e7df Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 8 Jan 2022 14:14:46 +0200 Subject: [PATCH 160/202] Do not install fuse unless necessary Discussed here: https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1510 --- .../tasks/server_base/setup_archlinux.yml | 2 -- .../tasks/server_base/setup_centos.yml | 1 - .../tasks/server_base/setup_centos8.yml | 3 +-- .../tasks/server_base/setup_debian.yml | 1 - .../tasks/server_base/setup_raspbian.yml | 1 - .../tasks/util/ensure_fuse_installed.yml | 23 +++++++++++++++++++ .../tasks/goofys/setup_install.yml | 2 ++ 7 files changed, 26 insertions(+), 7 deletions(-) create mode 100644 roles/matrix-base/tasks/util/ensure_fuse_installed.yml diff --git a/roles/matrix-base/tasks/server_base/setup_archlinux.yml b/roles/matrix-base/tasks/server_base/setup_archlinux.yml index d08cafc0..6c5cdff8 100644 --- a/roles/matrix-base/tasks/server_base/setup_archlinux.yml +++ b/roles/matrix-base/tasks/server_base/setup_archlinux.yml @@ -4,8 +4,6 @@ pacman: name: - python-docker - # TODO This needs to be verified. Which version do we need? - - fuse3 - python-dnspython state: latest update_cache: yes diff --git a/roles/matrix-base/tasks/server_base/setup_centos.yml b/roles/matrix-base/tasks/server_base/setup_centos.yml index 07776d7f..cbf7fbc6 100644 --- a/roles/matrix-base/tasks/server_base/setup_centos.yml +++ b/roles/matrix-base/tasks/server_base/setup_centos.yml @@ -21,7 +21,6 @@ yum: name: - "{{ matrix_ntpd_package }}" - - fuse state: latest update_cache: yes diff --git a/roles/matrix-base/tasks/server_base/setup_centos8.yml b/roles/matrix-base/tasks/server_base/setup_centos8.yml index 01666197..e6127f47 100644 --- a/roles/matrix-base/tasks/server_base/setup_centos8.yml +++ b/roles/matrix-base/tasks/server_base/setup_centos8.yml @@ -28,7 +28,6 @@ yum: name: - "{{ matrix_ntpd_package }}" - - fuse state: latest update_cache: yes @@ -44,4 +43,4 @@ pip: name: docker-py state: latest - when: matrix_docker_installation_enabled|bool \ No newline at end of file + when: matrix_docker_installation_enabled|bool diff --git a/roles/matrix-base/tasks/server_base/setup_debian.yml b/roles/matrix-base/tasks/server_base/setup_debian.yml index 37706d1f..1cd7ac41 100644 --- a/roles/matrix-base/tasks/server_base/setup_debian.yml +++ b/roles/matrix-base/tasks/server_base/setup_debian.yml @@ -29,7 +29,6 @@ apt: name: - "{{ matrix_ntpd_package }}" - - fuse state: latest update_cache: yes diff --git a/roles/matrix-base/tasks/server_base/setup_raspbian.yml b/roles/matrix-base/tasks/server_base/setup_raspbian.yml index 421905a0..4aed3c76 100644 --- a/roles/matrix-base/tasks/server_base/setup_raspbian.yml +++ b/roles/matrix-base/tasks/server_base/setup_raspbian.yml @@ -29,7 +29,6 @@ apt: name: - "{{ matrix_ntpd_package }}" - - fuse state: latest update_cache: yes diff --git a/roles/matrix-base/tasks/util/ensure_fuse_installed.yml b/roles/matrix-base/tasks/util/ensure_fuse_installed.yml new file mode 100644 index 00000000..948c6082 --- /dev/null +++ b/roles/matrix-base/tasks/util/ensure_fuse_installed.yml @@ -0,0 +1,23 @@ + +# This is for both CentOS 7 and 8 +- name: Ensure fuse installed (CentOS) + yum: + name: + - fuse + state: latest + when: ansible_distribution == 'CentOS' + +# This is for both Debian and Raspbian +- name: Ensure fuse installed (Debian/Raspbian) + apt: + name: + - fuse + state: latest + when: ansible_os_family == 'Debian' + +- name: Ensure fuse installed (Archlinux) + pacman: + name: + - fuse3 + state: latest + when: ansible_distribution == 'Archlinux' diff --git a/roles/matrix-synapse/tasks/goofys/setup_install.yml b/roles/matrix-synapse/tasks/goofys/setup_install.yml index b5e95614..147efabf 100644 --- a/roles/matrix-synapse/tasks/goofys/setup_install.yml +++ b/roles/matrix-synapse/tasks/goofys/setup_install.yml @@ -1,3 +1,5 @@ +- import_tasks: "{{ role_path }}/../matrix-base/tasks/util/ensure_fuse_installed.yml" + - name: Ensure Goofys Docker image is pulled docker_image: name: "{{ matrix_s3_goofys_docker_image }}" From 817d6833bfc0c5b6d618840d3120098cadbe7855 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 8 Jan 2022 20:06:59 +0200 Subject: [PATCH 161/202] Try to fix self-building for honoroit (fix incorrect Dockerfile path) Hopefully fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1518 --- roles/matrix-bot-honoroit/tasks/setup_install.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-bot-honoroit/tasks/setup_install.yml b/roles/matrix-bot-honoroit/tasks/setup_install.yml index 76eeb006..0d2d325b 100644 --- a/roles/matrix-bot-honoroit/tasks/setup_install.yml +++ b/roles/matrix-bot-honoroit/tasks/setup_install.yml @@ -68,7 +68,7 @@ force_source: "{{ matrix_bot_honoroit_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mailer_git_pull_results.changed }}" build: - dockerfile: docker/Dockerfile + dockerfile: Dockerfile path: "{{ matrix_bot_honoroit_docker_src_files_path }}" pull: yes when: "matrix_bot_honoroit_container_image_self_build|bool" From 27a4871aea5c5d87c165b93a02b19c3a59db3c8d Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 9 Jan 2022 12:14:23 +0200 Subject: [PATCH 162/202] Fix variable name typo --- .../tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml b/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml index d4aab6e4..e820b0ed 100644 --- a/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml +++ b/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml @@ -21,7 +21,7 @@ - name: Wait some time, so that the required service for obtaining can start wait_for: - timeout: "{{ matrix_ssl_service_to_start_before_obtaining_start_wait_time_seconds }}" + timeout: "{{ matrix_ssl_pre_obtaining_required_service_start_wait_time_seconds }}" when: "matrix_ssl_pre_obtaining_required_service_start_result.changed|bool" when: "domain_name_needs_cert|bool and matrix_ssl_pre_obtaining_required_service_name != ''" From b50494e5b3016091a2df3fa566019fbe5575181f Mon Sep 17 00:00:00 2001 From: HarHarLinks Date: Wed, 5 Jan 2022 21:12:22 +0100 Subject: [PATCH 163/202] pin appservice-webhooks version v1.0.2-01 --- roles/matrix-bridge-appservice-webhooks/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-bridge-appservice-webhooks/defaults/main.yml b/roles/matrix-bridge-appservice-webhooks/defaults/main.yml index 22f68040..32b0cbba 100644 --- a/roles/matrix-bridge-appservice-webhooks/defaults/main.yml +++ b/roles/matrix-bridge-appservice-webhooks/defaults/main.yml @@ -8,7 +8,7 @@ matrix_appservice_webhooks_container_image_self_build_repo: "https://github.com/ matrix_appservice_webhooks_container_image_self_build_repo_version: "{{ 'master' if matrix_appservice_webhooks_version == 'latest' else matrix_appservice_webhooks_version }}" matrix_appservice_webhooks_container_image_self_build_repo_dockerfile_path: "Dockerfile" -matrix_appservice_webhooks_version: latest +matrix_appservice_webhooks_version: v1.0.2-01 matrix_appservice_webhooks_docker_image: "{{ matrix_appservice_webhooks_docker_image_name_prefix }}redoonetworks/matrix-appservice-webhooks:{{ matrix_appservice_webhooks_version }}" matrix_appservice_webhooks_docker_image_name_prefix: "{{ 'localhost/' if matrix_appservice_webhooks_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_appservice_webhooks_docker_image_force_pull: "{{ matrix_appservice_webhooks_docker_image.endswith(':latest') }}" From 4377c348c56f4ee070265f5d4ace3c6ff0a9b471 Mon Sep 17 00:00:00 2001 From: Aine Date: Sun, 9 Jan 2022 17:46:47 +0200 Subject: [PATCH 164/202] matrix-bot-honoroit: disable self-build by default, update to v0.9.1 --- group_vars/matrix_servers | 2 +- roles/matrix-bot-honoroit/defaults/main.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 3be4e6ac..cfd2e74b 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -986,7 +986,7 @@ matrix_bot_honoroit_systemd_required_services_list: | # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_bot_honoroit_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" matrix_bot_honoroit_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'honoroit.bot.db') | to_uuid }}" -matrix_bot_honoroit_container_image_self_build: "{{ matrix_architecture != 'amd64' }}" +matrix_bot_honoroit_container_image_self_build: false ###################################################################### # diff --git a/roles/matrix-bot-honoroit/defaults/main.yml b/roles/matrix-bot-honoroit/defaults/main.yml index 4e3628f9..0b868a94 100644 --- a/roles/matrix-bot-honoroit/defaults/main.yml +++ b/roles/matrix-bot-honoroit/defaults/main.yml @@ -7,7 +7,7 @@ matrix_bot_honoroit_container_image_self_build: false matrix_bot_honoroit_docker_repo: "https://gitlab.com/etke.cc/honoroit.git" matrix_bot_honoroit_docker_src_files_path: "{{ matrix_base_data_path }}/honoroit/docker-src" -matrix_bot_honoroit_version: v0.9.0 +matrix_bot_honoroit_version: v0.9.1 matrix_bot_honoroit_docker_image: "{{ matrix_bot_honoroit_docker_image_name_prefix }}honoroit:{{ matrix_bot_honoroit_version }}" matrix_bot_honoroit_docker_image_name_prefix: "{{ 'localhost/' if matrix_bot_honoroit_container_image_self_build else 'registry.gitlab.com/etke.cc/' }}" matrix_bot_honoroit_docker_image_force_pull: "{{ matrix_bot_honoroit_docker_image.endswith(':latest') }}" From a83b880f72b290a5640e77b80852803d1120531d Mon Sep 17 00:00:00 2001 From: Aine Date: Sun, 9 Jan 2022 18:49:41 +0200 Subject: [PATCH 165/202] matrix-bot-honoroit: feedback --- group_vars/matrix_servers | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index cfd2e74b..32b0d3a8 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -986,7 +986,7 @@ matrix_bot_honoroit_systemd_required_services_list: | # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_bot_honoroit_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" matrix_bot_honoroit_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'honoroit.bot.db') | to_uuid }}" -matrix_bot_honoroit_container_image_self_build: false +matrix_bot_honoroit_container_image_self_build: "{{ matrix_architecture not in ['amd64', 'arm32', 'arm64'] }}" ###################################################################### # From e72ecf2c650d12233734b84d2fffb671e0e30ec5 Mon Sep 17 00:00:00 2001 From: PC-Admin Date: Sun, 9 Jan 2022 10:50:44 +0800 Subject: [PATCH 166/202] update new variable for matrix-awx, update documentation --- docs/configuring-awx-system.md | 14 ++++------- roles/matrix-awx/tasks/main.yml | 4 ++-- roles/matrix-awx/tasks/rename_variables.yml | 8 ------- roles/matrix-awx/tasks/update_variables.yml | 26 +++++++++++++++++++++ 4 files changed, 32 insertions(+), 20 deletions(-) delete mode 100644 roles/matrix-awx/tasks/rename_variables.yml create mode 100644 roles/matrix-awx/tasks/update_variables.yml diff --git a/docs/configuring-awx-system.md b/docs/configuring-awx-system.md index f455f058..c33664c2 100644 --- a/docs/configuring-awx-system.md +++ b/docs/configuring-awx-system.md @@ -4,7 +4,7 @@ An AWX setup for managing multiple Matrix servers. This section is used in an AWX system that can create and manage multiple [Matrix](http://matrix.org/) servers. You can issue members an AWX login to their own 'organisation', which they can use to manage/configure 1 to N servers. -Members can be assigned a server from Digitalocean, or they can connect their own on-premises server. This script is free to use in a commercial context with the 'MemberPress Plus' and 'WP Oauth Sever' addons. It can also be run in a non-commercial context. +Members can be assigned a server from Digitalocean, or they can connect their own on-premises server. These playbooks are free to use in a commercial context with the 'MemberPress Plus' plugin. They can also be run in a non-commercial context. The AWX system is arranged into 'members' each with their own 'subscriptions'. After creating a subscription the user enters the 'provision stage' where they defined the URLs they will use, the servers location and whether or not there's already a website at the base domain. They then proceed onto the 'deploy stage' where they can configure their Matrix server. @@ -21,12 +21,7 @@ The following repositories allow you to copy and use this setup: [Ansible Provision Server](https://gitlab.com/GoMatrixHosting/ansible-provision-server) - Used by AWX members to perform initial configuration of their DigitalOcean or On-Premises server. - -## Testing Fork For This Playbook - -Updates to this section are trailed here: - -[GoMatrixHosting Matrix Docker Ansible Deploy](https://gitlab.com/GoMatrixHosting/matrix-docker-ansible-deploy) +[GMHosting External Tools](https://gitlab.com/GoMatrixHosting/gmhosting-external-tools) - Extra tools we run outside of AWX, some of which are experimental. ## Does I need an AWX setup to use this? How do I configure it? @@ -38,7 +33,6 @@ For simpler installation steps you can use to get started with this system, chec ## Does I need a front-end WordPress site? And a DigitalOcean account? -You do not need a front-end WordPress site or any of the mentioned WordPress plugins to use this setup. It can be run on it's own in a non-commercial context. - -You also don't need a DigitalOcean account, but this will limit you to only being able to connect 'On-Premises' servers. +You do not need a front-end WordPress site or the MemberPress plugin to use this setup. It can be run on it's own in a non-commercial context. +You also don't need a DigitalOcean account, although this will limit you to only being able to connect 'On-Premises' servers. diff --git a/roles/matrix-awx/tasks/main.yml b/roles/matrix-awx/tasks/main.yml index adc158c7..6ac39a49 100755 --- a/roles/matrix-awx/tasks/main.yml +++ b/roles/matrix-awx/tasks/main.yml @@ -8,9 +8,9 @@ tags: - always -# Renames the variables if needed +# Renames or updates the vars.yml if needed - include_tasks: - file: "rename_variables.yml" + file: "update_variables.yml" apply: tags: always when: run_setup|bool and matrix_awx_enabled|bool diff --git a/roles/matrix-awx/tasks/rename_variables.yml b/roles/matrix-awx/tasks/rename_variables.yml deleted file mode 100644 index e664325f..00000000 --- a/roles/matrix-awx/tasks/rename_variables.yml +++ /dev/null @@ -1,8 +0,0 @@ ---- - -- name: Rename synapse presence variable - delegate_to: 127.0.0.1 - replace: - path: "/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml" - regexp: 'matrix_synapse_use_presence' - replace: 'matrix_synapse_presence_enabled' diff --git a/roles/matrix-awx/tasks/update_variables.yml b/roles/matrix-awx/tasks/update_variables.yml new file mode 100644 index 00000000..9818a9c2 --- /dev/null +++ b/roles/matrix-awx/tasks/update_variables.yml @@ -0,0 +1,26 @@ +--- + +- name: Rename synapse presence variable + delegate_to: 127.0.0.1 + replace: + path: "/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml" + regexp: 'matrix_synapse_use_presence' + replace: 'matrix_synapse_presence_enabled' + +- name: Generate matrix_homeserver_generic_secret_key variable + delegate_to: 127.0.0.1 + command: | + openssl rand -hex 16 + register: generic_secret + no_log: True + when: ( matrix_homeserver_generic_secret_key is undefined ) or ( matrix_homeserver_generic_secret_key | length == 0 ) + +- name: Add new matrix_homeserver_generic_secret_key variable + delegate_to: 127.0.0.1 + lineinfile: + path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + line: "matrix_homeserver_generic_secret_key: {{ generic_secret.stdout }}" + insertbefore: '# Basic Settings End' + mode: '0600' + state: present + when: ( matrix_homeserver_generic_secret_key is undefined ) or ( matrix_homeserver_generic_secret_key | length == 0 ) From ac6049516632a15dbff43c14c4e831d3c03ae6c9 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 10 Jan 2022 08:40:18 +0200 Subject: [PATCH 167/202] Get rid of broken CI (ansible-lint) Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1488 Discussed here: - https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1522#issuecomment-1008381512 - https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1524#issuecomment-1008477510 --- .github/workflows/ansible-lint.yml | 22 ---------------------- 1 file changed, 22 deletions(-) delete mode 100644 .github/workflows/ansible-lint.yml diff --git a/.github/workflows/ansible-lint.yml b/.github/workflows/ansible-lint.yml deleted file mode 100644 index 2f103ff7..00000000 --- a/.github/workflows/ansible-lint.yml +++ /dev/null @@ -1,22 +0,0 @@ -name: Ansible Lint - -on: [push, pull_request] - -jobs: - build: - - runs-on: ubuntu-latest - - steps: - - uses: actions/checkout@v2 - - - name: Lint Ansible Playbook - uses: ansible/ansible-lint-action@c37fb7b4bda2c8cb18f4942716bae9f11b0dc9bc - with: - # Paths to ansible files (i.e., playbooks, tasks, handlers etc..) - targets: "./" - - override-deps: | - ansible-lint==5.3.1 - - args: "-x metadata, formatting" From 29bc22a085b5117442dcafc267fcc270e6ed6edd Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 10 Jan 2022 11:51:57 +0200 Subject: [PATCH 168/202] Add matrix_nginx_proxy_container_additional_networks Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1498 --- roles/matrix-nginx-proxy/defaults/main.yml | 9 +++++++++ .../templates/systemd/matrix-nginx-proxy.service.j2 | 4 ++++ 2 files changed, 13 insertions(+) diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index 1feea6b7..8c57928f 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -19,6 +19,15 @@ matrix_nginx_proxy_systemd_required_services_list: ['docker.service'] # List of systemd services that matrix-nginx-proxy.service wants matrix_nginx_proxy_systemd_wanted_services_list: [] +# A list of additional container networks that matrix-nginx-proxy would be connected to. +# The playbook does not create these networks, so make sure they already exist. +# +# Use this to expose matrix-nginx-proxy to another reverse proxy, which runs in a different container network, +# without exposing all other Matrix services to that other reverse-proxy. +# +# For background, see: https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1498 +matrix_nginx_proxy_container_additional_networks: [] + # A list of additional "volumes" to mount in the container. # This list gets populated dynamically at runtime. You can provide a different default value, # if you wish to mount your own files into the container. diff --git a/roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 b/roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 index 744b3924..03bc32af 100755 --- a/roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 +++ b/roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 @@ -47,6 +47,10 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-nginx-proxy \ {% endfor %} {{ matrix_nginx_proxy_docker_image }} +{% for network in matrix_nginx_proxy_container_additional_networks %} +ExecStartPost={{ matrix_host_command_sh }} -c 'attempt=0; while [ $attempt -le 29 ]; do attempt=$(( $attempt + 1 )); if [ "`docker inspect -f {{ '{{.State.Running}}' }} matrix-nginx-proxy 2> /dev/null`" = "true" ]; then break; fi; sleep 1; done; {{ matrix_host_command_docker }} network connect {{ network }} matrix-nginx-proxy' +{% endfor %} + ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-nginx-proxy 2>/dev/null' ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-nginx-proxy 2>/dev/null' ExecReload={{ matrix_host_command_docker }} exec matrix-nginx-proxy /usr/sbin/nginx -s reload From ac515b7f0953fbe03ca72323289a8eb0076a7695 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 10 Jan 2022 15:11:14 +0200 Subject: [PATCH 169/202] Fix incorrect variables being used --- roles/matrix-bridge-mautrix-signal/tasks/setup_install.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/matrix-bridge-mautrix-signal/tasks/setup_install.yml b/roles/matrix-bridge-mautrix-signal/tasks/setup_install.yml index bc6331ac..1a9b2915 100644 --- a/roles/matrix-bridge-mautrix-signal/tasks/setup_install.yml +++ b/roles/matrix-bridge-mautrix-signal/tasks/setup_install.yml @@ -30,7 +30,7 @@ name: "{{ matrix_mautrix_signal_docker_image }}" source: build force_source: "{{ matrix_mautrix_signal_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" - force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mailer_git_pull_results.changed }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mautrix_signal_git_pull_results.changed }}" build: dockerfile: Dockerfile path: "{{ matrix_mautrix_signal_docker_src_files_path }}" @@ -60,7 +60,7 @@ name: "{{ matrix_mautrix_signal_daemon_docker_image }}" source: build force_source: "{{ matrix_mautrix_signal_daemon_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" - force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mailer_git_pull_results.changed }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mautrix_signal_daemon_git_pull_results.changed }}" build: dockerfile: Dockerfile path: "{{ matrix_mautrix_signal_daemon_docker_src_files_path }}" From ad00875a6db1a0af1862fe5b1c413e28b708664c Mon Sep 17 00:00:00 2001 From: Kim Brose Date: Mon, 10 Jan 2022 16:21:39 +0100 Subject: [PATCH 170/202] Update configuring-playbook-dimension.md --- docs/configuring-playbook-dimension.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/configuring-playbook-dimension.md b/docs/configuring-playbook-dimension.md index 69ed7aa7..b938a6a3 100644 --- a/docs/configuring-playbook-dimension.md +++ b/docs/configuring-playbook-dimension.md @@ -58,7 +58,7 @@ curl -X POST --header 'Content-Type: application/json' -d '{ "type": "m.login.password" }' 'https://matrix.YOURDOMAIN/_matrix/client/r0/login' ``` -*Change the "YourDimensionUser/Pass" URL accordigly* +*Change `YourDimensionUsername`, `YourDimensionPassword`, and `YOURDOMAIN` accordingly.* **Access tokens are sensitive information. Do not include them in any bug reports, messages, or logs. Do not share the access token with anyone.** From 0fb881deb578a37ba9c3fcfc966a2282aa33d3fe Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 11 Jan 2022 08:29:11 +0200 Subject: [PATCH 171/202] Update the "wanted systemd services" list for matrix-nginx-proxy/matrix-grafana Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1517 --- group_vars/matrix_servers | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 32b0d3a8..af84d5d9 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -1467,7 +1467,21 @@ matrix_nginx_proxy_systemd_wanted_services_list: | + (['matrix-ma1sd.service'] if matrix_ma1sd_enabled else []) + + (['matrix-client-cinny.service'] if matrix_client_cinny_enabled else []) + + (['matrix-client-element.service'] if matrix_client_element_enabled else []) + + + (['matrix-client-hydrogen.service'] if matrix_client_hydrogen_enabled else []) + + + (['matrix-grafana.service'] if matrix_grafana_enabled else []) + + + (['matrix-dimension.service'] if matrix_dimension_enabled else []) + + + (['matrix-sygnal.service'] if matrix_sygnal_enabled else []) + + + (['matrix-jitsi.service'] if matrix_jitsi_enabled else []) + + + (['matrix-bot-go-neb.service'] if matrix_bot_go_neb_enabled else []) }} matrix_ssl_domains_to_obtain_certificates_for: | @@ -2129,6 +2143,12 @@ matrix_grafana_dashboard_download_urls_all: | (matrix_prometheus_postgres_exporter_dashboard_urls if matrix_prometheus_postgres_exporter_enabled else []) }} +matrix_grafana_systemd_wanted_services_list: | + {{ + [] + + + (['matrix-prometheus-postgres-exporter.service'] if matrix_prometheus_postgres_exporter_enabled else []) + }} ###################################################################### # From 037bde73a65af2e097d4c470b82d1ed064398b02 Mon Sep 17 00:00:00 2001 From: Toni Spets Date: Fri, 14 Jan 2022 11:53:03 +0200 Subject: [PATCH 172/202] Upgrade Heisenbridge (1.9.0 -> 1.10.0) --- roles/matrix-bridge-heisenbridge/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-bridge-heisenbridge/defaults/main.yml b/roles/matrix-bridge-heisenbridge/defaults/main.yml index 5d393a81..6772c364 100644 --- a/roles/matrix-bridge-heisenbridge/defaults/main.yml +++ b/roles/matrix-bridge-heisenbridge/defaults/main.yml @@ -3,7 +3,7 @@ matrix_heisenbridge_enabled: true -matrix_heisenbridge_version: 1.9.0 +matrix_heisenbridge_version: 1.10.0 matrix_heisenbridge_docker_image: "{{ matrix_container_global_registry_prefix }}hif1/heisenbridge:{{ matrix_heisenbridge_version }}" matrix_heisenbridge_docker_image_force_pull: "{{ matrix_heisenbridge_docker_image.endswith(':latest') }}" From 49342bd3a7b72937f97d01bb70d7d14582437cac Mon Sep 17 00:00:00 2001 From: IUCCA <33322841+IUCCA@users.noreply.github.com> Date: Fri, 14 Jan 2022 11:29:18 +0100 Subject: [PATCH 173/202] added writable /tmp directory --- .../templates/systemd/matrix-mautrix-signal.service.j2 | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/matrix-bridge-mautrix-signal/templates/systemd/matrix-mautrix-signal.service.j2 b/roles/matrix-bridge-mautrix-signal/templates/systemd/matrix-mautrix-signal.service.j2 index 244e2a48..0d3eb9b8 100644 --- a/roles/matrix-bridge-mautrix-signal/templates/systemd/matrix-mautrix-signal.service.j2 +++ b/roles/matrix-bridge-mautrix-signal/templates/systemd/matrix-mautrix-signal.service.j2 @@ -26,6 +26,7 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-mautrix-signal --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --cap-drop=ALL \ --read-only \ + --tmpfs /tmp \ {% if matrix_mautrix_signal_container_http_host_bind_port %} -p {{ matrix_mautrix_signal_container_http_host_bind_port }}:29328 \ {% endif %} From 02c1756135403733410222f32adbaa6061da8e27 Mon Sep 17 00:00:00 2001 From: Aaron Raimist Date: Fri, 14 Jan 2022 19:31:30 +0000 Subject: [PATCH 174/202] Upgrade Hydrogen (0.2.19 -> 0.2.23) --- roles/matrix-client-hydrogen/defaults/main.yml | 2 +- roles/matrix-client-hydrogen/tasks/setup_install.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/matrix-client-hydrogen/defaults/main.yml b/roles/matrix-client-hydrogen/defaults/main.yml index 4ca2224b..61db1ba2 100644 --- a/roles/matrix-client-hydrogen/defaults/main.yml +++ b/roles/matrix-client-hydrogen/defaults/main.yml @@ -5,7 +5,7 @@ matrix_client_hydrogen_enabled: true matrix_client_hydrogen_container_image_self_build: true matrix_client_hydrogen_container_image_self_build_repo: "https://github.com/vector-im/hydrogen-web.git" -matrix_client_hydrogen_version: v0.2.19 +matrix_client_hydrogen_version: v0.2.23 matrix_client_hydrogen_docker_image: "{{ matrix_client_hydrogen_docker_image_name_prefix }}vectorim/hydrogen-web:{{ matrix_client_hydrogen_version }}" matrix_client_hydrogen_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_hydrogen_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_client_hydrogen_docker_image_force_pull: "{{ matrix_client_hydrogen_docker_image.endswith(':latest') }}" diff --git a/roles/matrix-client-hydrogen/tasks/setup_install.yml b/roles/matrix-client-hydrogen/tasks/setup_install.yml index b512a1a8..2f949927 100644 --- a/roles/matrix-client-hydrogen/tasks/setup_install.yml +++ b/roles/matrix-client-hydrogen/tasks/setup_install.yml @@ -32,7 +32,7 @@ - name: Ensure Hydrogen configuration installed copy: content: "{{ matrix_client_hydrogen_configuration|to_nice_json }}" - dest: "{{ matrix_client_hydrogen_docker_src_files_path }}/assets/config.json" + dest: "{{ matrix_client_hydrogen_docker_src_files_path }}/src/platform/web/assets/config.json" mode: 0644 owner: "{{ matrix_user_username }}" group: "{{ matrix_user_groupname }}" From cba605a8b7a4aab6706e6167119d3394cba49256 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 15 Jan 2022 09:06:10 +0200 Subject: [PATCH 175/202] Fix go-neb sample configuration to not clash with Jinja2 Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1544 --- docs/configuring-playbook-bot-go-neb.md | 4 ++-- roles/matrix-bot-go-neb/defaults/main.yml | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/docs/configuring-playbook-bot-go-neb.md b/docs/configuring-playbook-bot-go-neb.md index ab84e017..33ce4dd3 100644 --- a/docs/configuring-playbook-bot-go-neb.md +++ b/docs/configuring-playbook-bot-go-neb.md @@ -198,8 +198,8 @@ matrix_bot_go_neb_services: # Each room will get the notification with the alert rendered with the given template rooms: "!someroomid:domain.tld": - text_template: "{{range .Alerts -}} [{{ .Status }}] {{index .Labels \"alertname\" }}: {{index .Annotations \"description\"}} {{ end -}}" - html_template: "{{range .Alerts -}} {{ $severity := index .Labels \"severity\" }} {{ if eq .Status \"firing\" }} {{ if eq $severity \"critical\"}} [FIRING - CRITICAL] {{ else if eq $severity \"warning\"}} [FIRING - WARNING] {{ else }} [FIRING - {{ $severity }}] {{ end }} {{ else }} [RESOLVED] {{ end }} {{ index .Labels \"alertname\"}} : {{ index .Annotations \"description\"}} source
{{end -}}" + text_template: "{% raw %}{{range .Alerts -}} [{{ .Status }}] {{index .Labels \"alertname\" }}: {{index .Annotations \"description\"}} {{ end -}}{% endraw %}" + html_template: "{% raw %}{{range .Alerts -}} {{ $severity := index .Labels \"severity\" }} {{ if eq .Status \"firing\" }} {{ if eq $severity \"critical\"}} [FIRING - CRITICAL] {{ else if eq $severity \"warning\"}} [FIRING - WARNING] {{ else }} [FIRING - {{ $severity }}] {{ end }} {{ else }} [RESOLVED] {{ end }} {{ index .Labels \"alertname\"}} : {{ index .Annotations \"description\"}} source
{{end -}}{% endraw %}" msg_type: "m.text" # Must be either `m.text` or `m.notice` ``` diff --git a/roles/matrix-bot-go-neb/defaults/main.yml b/roles/matrix-bot-go-neb/defaults/main.yml index 4dd4f1f6..c5a1f636 100644 --- a/roles/matrix-bot-go-neb/defaults/main.yml +++ b/roles/matrix-bot-go-neb/defaults/main.yml @@ -203,8 +203,8 @@ matrix_bot_go_neb_services: [] # # Each room will get the notification with the alert rendered with the given template # rooms: # "!someroomid:domain.tld": -# text_template: "{{range .Alerts -}} [{{ .Status }}] {{index .Labels \"alertname\" }}: {{index .Annotations \"description\"}} {{ end -}}" -# html_template: "{{range .Alerts -}} {{ $severity := index .Labels \"severity\" }} {{ if eq .Status \"firing\" }} {{ if eq $severity \"critical\"}} [FIRING - CRITICAL] {{ else if eq $severity \"warning\"}} [FIRING - WARNING] {{ else }} [FIRING - {{ $severity }}] {{ end }} {{ else }} [RESOLVED] {{ end }} {{ index .Labels \"alertname\"}} : {{ index .Annotations \"description\"}} source
{{end -}}" +# text_template: "{% raw %}{{range .Alerts -}} [{{ .Status }}] {{index .Labels \"alertname\" }}: {{index .Annotations \"description\"}} {{ end -}}{% endraw %}" +# html_template: "{% raw %}{{range .Alerts -}} {{ $severity := index .Labels \"severity\" }} {{ if eq .Status \"firing\" }} {{ if eq $severity \"critical\"}} [FIRING - CRITICAL] {{ else if eq $severity \"warning\"}} [FIRING - WARNING] {{ else }} [FIRING - {{ $severity }}] {{ end }} {{ else }} [RESOLVED] {{ end }} {{ index .Labels \"alertname\"}} : {{ index .Annotations \"description\"}} source
{{end -}}{% endraw %}" # msg_type: "m.text" # Must be either `m.text` or `m.notice` # Default configuration template which covers the generic use case. From b0b88242f2a35b81bf388569f5a075baab42bd36 Mon Sep 17 00:00:00 2001 From: GoliathLabs Date: Sat, 15 Jan 2022 18:31:07 +0100 Subject: [PATCH 176/202] Updated: ddclient to v3.9.1-ls76 --- roles/matrix-dynamic-dns/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-dynamic-dns/defaults/main.yml b/roles/matrix-dynamic-dns/defaults/main.yml index 3411d0f8..2be1a5ba 100644 --- a/roles/matrix-dynamic-dns/defaults/main.yml +++ b/roles/matrix-dynamic-dns/defaults/main.yml @@ -4,7 +4,7 @@ matrix_dynamic_dns_enabled: true # The dynamic dns daemon interval matrix_dynamic_dns_daemon_interval: '300' -matrix_dynamic_dns_version: v3.9.1-ls45 +matrix_dynamic_dns_version: v3.9.1-ls76 # The docker container to use when in mode matrix_dynamic_dns_docker_image: "{{ matrix_dynamic_dns_docker_image_name_prefix }}linuxserver/ddclient:{{ matrix_dynamic_dns_version }}" From be4c93dc2425cc8c96d8cc35c971144555dd2543 Mon Sep 17 00:00:00 2001 From: GoliathLabs Date: Sat, 15 Jan 2022 18:33:44 +0100 Subject: [PATCH 177/202] Updated: version to stable-6726-2 --- roles/matrix-jitsi/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-jitsi/defaults/main.yml b/roles/matrix-jitsi/defaults/main.yml index 33dad388..a36a09fc 100644 --- a/roles/matrix-jitsi/defaults/main.yml +++ b/roles/matrix-jitsi/defaults/main.yml @@ -68,7 +68,7 @@ matrix_jitsi_jibri_recorder_password: '' matrix_jitsi_enable_lobby: false -matrix_jitsi_version: stable-6726-1 +matrix_jitsi_version: stable-6726-2 matrix_jitsi_container_image_tag: "{{ matrix_jitsi_version }}" # for backward-compatibility matrix_jitsi_web_docker_image: "{{ matrix_container_global_registry_prefix }}jitsi/web:{{ matrix_jitsi_container_image_tag }}" From 7dffd4417126d20571c8809d3fb3295f9d2af245 Mon Sep 17 00:00:00 2001 From: GoliathLabs Date: Sat, 15 Jan 2022 18:36:10 +0100 Subject: [PATCH 178/202] Updated: webhooks image tag to v1.0.3-01 --- roles/matrix-bridge-appservice-webhooks/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-bridge-appservice-webhooks/defaults/main.yml b/roles/matrix-bridge-appservice-webhooks/defaults/main.yml index 32b0cbba..f987c087 100644 --- a/roles/matrix-bridge-appservice-webhooks/defaults/main.yml +++ b/roles/matrix-bridge-appservice-webhooks/defaults/main.yml @@ -8,7 +8,7 @@ matrix_appservice_webhooks_container_image_self_build_repo: "https://github.com/ matrix_appservice_webhooks_container_image_self_build_repo_version: "{{ 'master' if matrix_appservice_webhooks_version == 'latest' else matrix_appservice_webhooks_version }}" matrix_appservice_webhooks_container_image_self_build_repo_dockerfile_path: "Dockerfile" -matrix_appservice_webhooks_version: v1.0.2-01 +matrix_appservice_webhooks_version: v1.0.3-01 matrix_appservice_webhooks_docker_image: "{{ matrix_appservice_webhooks_docker_image_name_prefix }}redoonetworks/matrix-appservice-webhooks:{{ matrix_appservice_webhooks_version }}" matrix_appservice_webhooks_docker_image_name_prefix: "{{ 'localhost/' if matrix_appservice_webhooks_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_appservice_webhooks_docker_image_force_pull: "{{ matrix_appservice_webhooks_docker_image.endswith(':latest') }}" From dcbd0a598e6a194b3b1630b8fb433adbfab844af Mon Sep 17 00:00:00 2001 From: GoliathLabs Date: Sat, 15 Jan 2022 18:40:28 +0100 Subject: [PATCH 179/202] Updated: beeper-linkedin to v0.5.2 --- roles/matrix-bridge-beeper-linkedin/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-bridge-beeper-linkedin/defaults/main.yml b/roles/matrix-bridge-beeper-linkedin/defaults/main.yml index 87561ff5..34c9c3cb 100644 --- a/roles/matrix-bridge-beeper-linkedin/defaults/main.yml +++ b/roles/matrix-bridge-beeper-linkedin/defaults/main.yml @@ -3,7 +3,7 @@ matrix_beeper_linkedin_enabled: true -matrix_beeper_linkedin_version: v0.5.1 +matrix_beeper_linkedin_version: v0.5.2 # See: https://gitlab.com/beeper/linkedin/container_registry matrix_beeper_linkedin_docker_image: "{{ matrix_beeper_linkedin_docker_image_name_prefix }}beeper/linkedin:{{ matrix_beeper_linkedin_docker_image_tag }}" From 6bdb599a589353ce54e6e5de30dd439f34a481c6 Mon Sep 17 00:00:00 2001 From: GoliathLabs Date: Sat, 15 Jan 2022 18:45:23 +0100 Subject: [PATCH 180/202] Updated: sygnal to v0.11.0 --- roles/matrix-sygnal/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-sygnal/defaults/main.yml b/roles/matrix-sygnal/defaults/main.yml index 70d530f8..595f8022 100644 --- a/roles/matrix-sygnal/defaults/main.yml +++ b/roles/matrix-sygnal/defaults/main.yml @@ -7,7 +7,7 @@ matrix_sygnal_base_path: "{{ matrix_base_data_path }}/sygnal" matrix_sygnal_config_path: "{{ matrix_sygnal_base_path }}/config" matrix_sygnal_data_path: "{{ matrix_sygnal_base_path }}/data" -matrix_sygnal_version: v0.10.1 +matrix_sygnal_version: v0.11.0 matrix_sygnal_docker_image: "{{ matrix_container_global_registry_prefix }}matrixdotorg/sygnal:{{ matrix_sygnal_version }}" matrix_sygnal_docker_image_force_pull: "{{ matrix_sygnal_docker_image.endswith(':latest') }}" From f2f4d5ba2194c1aee9d796aa27c112897f125101 Mon Sep 17 00:00:00 2001 From: GoliathLabs Date: Sat, 15 Jan 2022 18:49:30 +0100 Subject: [PATCH 181/202] Updated: node-exporter to v1.3.1 --- roles/matrix-prometheus-node-exporter/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-prometheus-node-exporter/defaults/main.yml b/roles/matrix-prometheus-node-exporter/defaults/main.yml index 481864d3..2ec0d23c 100644 --- a/roles/matrix-prometheus-node-exporter/defaults/main.yml +++ b/roles/matrix-prometheus-node-exporter/defaults/main.yml @@ -3,7 +3,7 @@ matrix_prometheus_node_exporter_enabled: false -matrix_prometheus_node_exporter_version: v1.2.2 +matrix_prometheus_node_exporter_version: v1.3.1 matrix_prometheus_node_exporter_docker_image: "{{ matrix_container_global_registry_prefix }}prom/node-exporter:{{ matrix_prometheus_node_exporter_version }}" matrix_prometheus_node_exporter_docker_image_force_pull: "{{ matrix_prometheus_node_exporter_docker_image.endswith(':latest') }}" From dec1bd6c653c5cdbf851f156f0412d3effe98581 Mon Sep 17 00:00:00 2001 From: GoliathLabs Date: Sat, 15 Jan 2022 18:59:18 +0100 Subject: [PATCH 182/202] Updated: slack to 1.10.0 --- roles/matrix-bridge-appservice-slack/defaults/main.yml | 2 +- roles/matrix-bridge-appservice-slack/templates/config.yaml.j2 | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/matrix-bridge-appservice-slack/defaults/main.yml b/roles/matrix-bridge-appservice-slack/defaults/main.yml index 0a578b41..b1c98d2a 100644 --- a/roles/matrix-bridge-appservice-slack/defaults/main.yml +++ b/roles/matrix-bridge-appservice-slack/defaults/main.yml @@ -7,7 +7,7 @@ matrix_appservice_slack_container_image_self_build: false matrix_appservice_slack_docker_repo: "https://github.com/matrix-org/matrix-appservice-slack.git" matrix_appservice_slack_docker_src_files_path: "{{ matrix_base_data_path }}/appservice-slack/docker-src" -matrix_appservice_slack_version: release-1.8.0 +matrix_appservice_slack_version: release-1.10.0 matrix_appservice_slack_docker_image: "{{ matrix_container_global_registry_prefix }}matrixdotorg/matrix-appservice-slack:{{ matrix_appservice_slack_version }}" matrix_appservice_slack_docker_image_force_pull: "{{ matrix_appservice_slack_docker_image.endswith(':latest') }}" diff --git a/roles/matrix-bridge-appservice-slack/templates/config.yaml.j2 b/roles/matrix-bridge-appservice-slack/templates/config.yaml.j2 index bf8072c1..96e68967 100644 --- a/roles/matrix-bridge-appservice-slack/templates/config.yaml.j2 +++ b/roles/matrix-bridge-appservice-slack/templates/config.yaml.j2 @@ -5,9 +5,9 @@ bot_username: "{{ matrix_appservice_slack_bot_name }}" username_prefix: {{ matrix_appservice_slack_user_prefix }} homeserver: - media_url: "{{ matrix_appservice_slack_homeserver_media_url }}" - url: "{{ matrix_appservice_slack_homeserver_url }}" server_name: "{{ matrix_domain }}" + url: "{{ matrix_appservice_slack_homeserver_url }}" + media_url: "{{ matrix_appservice_slack_homeserver_media_url }}" {% if matrix_appservice_slack_database_engine == 'nedb' %} dbdir: "/data" From 8f0da16621df3769f61e5ae23ab0f192383e7b6f Mon Sep 17 00:00:00 2001 From: Felix Date: Sun, 16 Jan 2022 16:00:54 +0100 Subject: [PATCH 183/202] Added: version tag (v0.1.2 --- roles/matrix-bridge-mautrix-instagram/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-bridge-mautrix-instagram/defaults/main.yml b/roles/matrix-bridge-mautrix-instagram/defaults/main.yml index e1a1bdda..a3783328 100644 --- a/roles/matrix-bridge-mautrix-instagram/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-instagram/defaults/main.yml @@ -6,7 +6,7 @@ matrix_mautrix_instagram_enabled: true matrix_mautrix_instagram_container_image_self_build: false matrix_mautrix_instagram_container_image_self_build_repo: "https://github.com/mautrix/instagram.git" -matrix_mautrix_instagram_version: latest +matrix_mautrix_instagram_version: v0.1.2 # See: https://mau.dev/tulir/mautrix-instagram/container_registry matrix_mautrix_instagram_docker_image: "{{ matrix_mautrix_instagram_docker_image_name_prefix }}mautrix/instagram:{{ matrix_mautrix_instagram_version }}" matrix_mautrix_instagram_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_instagram_container_image_self_build else 'dock.mau.dev/' }}" From 05541bd54aba8dd71609ed7d927a406763843739 Mon Sep 17 00:00:00 2001 From: Aine Date: Sun, 16 Jan 2022 18:41:02 +0200 Subject: [PATCH 184/202] Updated Honoroit with fallback reply-to mode --- roles/matrix-bot-honoroit/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-bot-honoroit/defaults/main.yml b/roles/matrix-bot-honoroit/defaults/main.yml index 0b868a94..426aa372 100644 --- a/roles/matrix-bot-honoroit/defaults/main.yml +++ b/roles/matrix-bot-honoroit/defaults/main.yml @@ -7,7 +7,7 @@ matrix_bot_honoroit_container_image_self_build: false matrix_bot_honoroit_docker_repo: "https://gitlab.com/etke.cc/honoroit.git" matrix_bot_honoroit_docker_src_files_path: "{{ matrix_base_data_path }}/honoroit/docker-src" -matrix_bot_honoroit_version: v0.9.1 +matrix_bot_honoroit_version: v0.9.2 matrix_bot_honoroit_docker_image: "{{ matrix_bot_honoroit_docker_image_name_prefix }}honoroit:{{ matrix_bot_honoroit_version }}" matrix_bot_honoroit_docker_image_name_prefix: "{{ 'localhost/' if matrix_bot_honoroit_container_image_self_build else 'registry.gitlab.com/etke.cc/' }}" matrix_bot_honoroit_docker_image_force_pull: "{{ matrix_bot_honoroit_docker_image.endswith(':latest') }}" From 29668f4a3341bbbce189cec9673b52752d37c3d6 Mon Sep 17 00:00:00 2001 From: GoliathLabs Date: Sun, 16 Jan 2022 22:41:01 +0100 Subject: [PATCH 185/202] Updated: telegram to v0.11.1 --- .../matrix-bridge-mautrix-telegram/defaults/main.yml | 4 ++-- .../templates/config.yaml.j2 | 11 ----------- .../systemd/matrix-mautrix-telegram.service.j2 | 9 --------- 3 files changed, 2 insertions(+), 22 deletions(-) diff --git a/roles/matrix-bridge-mautrix-telegram/defaults/main.yml b/roles/matrix-bridge-mautrix-telegram/defaults/main.yml index 7e7ee0a6..bcdcfdd8 100644 --- a/roles/matrix-bridge-mautrix-telegram/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-telegram/defaults/main.yml @@ -7,13 +7,13 @@ matrix_telegram_lottieconverter_container_image_self_build: false matrix_telegram_lottieconverter_container_image_self_build_mask_arch: false matrix_telegram_lottieconverter_docker_repo: "https://mau.dev/tulir/lottieconverter.git" matrix_telegram_lottieconverter_docker_src_files_path: "{{ matrix_base_data_path }}/lotticonverter/docker-src" -matrix_telegram_lottieconverter_docker_image: "dock.mau.dev/tulir/lottieconverter:alpine-3.14" # needs to be ajusted according to FROM clause of Dockerfile of mautrix-telegram +matrix_telegram_lottieconverter_docker_image: "dock.mau.dev/tulir/lottieconverter:alpine-3.15" # needs to be ajusted according to FROM clause of Dockerfile of mautrix-telegram matrix_mautrix_telegram_container_image_self_build: false matrix_mautrix_telegram_docker_repo: "https://mau.dev/mautrix/telegram.git" matrix_mautrix_telegram_docker_src_files_path: "{{ matrix_base_data_path }}/mautrix-telegram/docker-src" -matrix_mautrix_telegram_version: v0.10.2 +matrix_mautrix_telegram_version: v0.11.1 # See: https://mau.dev/mautrix/telegram/container_registry matrix_mautrix_telegram_docker_image: "dock.mau.dev/mautrix/telegram:{{ matrix_mautrix_telegram_version }}" matrix_mautrix_telegram_docker_image_force_pull: "{{ matrix_mautrix_telegram_docker_image.endswith(':latest') }}" diff --git a/roles/matrix-bridge-mautrix-telegram/templates/config.yaml.j2 b/roles/matrix-bridge-mautrix-telegram/templates/config.yaml.j2 index 9492d79e..94694351 100644 --- a/roles/matrix-bridge-mautrix-telegram/templates/config.yaml.j2 +++ b/roles/matrix-bridge-mautrix-telegram/templates/config.yaml.j2 @@ -225,17 +225,6 @@ bridge: # notices from users listed here will be bridged. exceptions: [] - # Some config options related to Telegram message deduplication. - # The default values are usually fine, but some debug messages/warnings might recommend you - # change these. - deduplication: - # Whether or not to check the database if the message about to be sent is a duplicate. - pre_db_check: false - # The number of latest events to keep when checking for duplicates. - # You might need to increase this on high-traffic bridge instances. - cache_queue_length: 20 - - # The formats to use when sending messages to Telegram via the relay bot. # # Telegram doesn't have built-in emotes, so the m.emote format is also used for non-relaybot users. diff --git a/roles/matrix-bridge-mautrix-telegram/templates/systemd/matrix-mautrix-telegram.service.j2 b/roles/matrix-bridge-mautrix-telegram/templates/systemd/matrix-mautrix-telegram.service.j2 index 69ab167a..3f5cbd00 100644 --- a/roles/matrix-bridge-mautrix-telegram/templates/systemd/matrix-mautrix-telegram.service.j2 +++ b/roles/matrix-bridge-mautrix-telegram/templates/systemd/matrix-mautrix-telegram.service.j2 @@ -15,15 +15,6 @@ Type=simple Environment="HOME={{ matrix_systemd_unit_home_path }}" ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mautrix-telegram 2>/dev/null' ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mautrix-telegram 2>/dev/null' -ExecStartPre={{ matrix_host_command_docker }} run --rm --name matrix-mautrix-telegram-db \ - --log-driver=none \ - --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ - --cap-drop=ALL \ - --network={{ matrix_docker_network }} \ - -v {{ matrix_mautrix_telegram_config_path }}:/config:z \ - -v {{ matrix_mautrix_telegram_data_path }}:/data:z \ - {{ matrix_mautrix_telegram_docker_image }} \ - alembic -x config=/config/config.yaml upgrade head # Intentional delay, so that the homeserver (we likely depend on) can manage to start. ExecStartPre={{ matrix_host_command_sleep }} 5 From 6f142faf85f2030e09317cff70febd02f2df6beb Mon Sep 17 00:00:00 2001 From: GoliathLabs Date: Mon, 17 Jan 2022 09:55:00 +0100 Subject: [PATCH 186/202] Added: mautrix-signal 0.2.2 & signald 0.16.1 --- roles/matrix-bridge-mautrix-signal/defaults/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/matrix-bridge-mautrix-signal/defaults/main.yml b/roles/matrix-bridge-mautrix-signal/defaults/main.yml index 9eebedd7..ceaa9b87 100644 --- a/roles/matrix-bridge-mautrix-signal/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-signal/defaults/main.yml @@ -7,8 +7,8 @@ matrix_mautrix_signal_container_image_self_build: false matrix_mautrix_signal_docker_repo: "https://mau.dev/mautrix/signal.git" matrix_mautrix_signal_docker_src_files_path: "{{ matrix_base_data_path }}/mautrix-signal/docker-src" -matrix_mautrix_signal_version: latest -matrix_mautrix_signal_daemon_version: latest +matrix_mautrix_signal_version: v0.2.2 +matrix_mautrix_signal_daemon_version: 0.16.1 # See: https://mau.dev/mautrix/signal/container_registry matrix_mautrix_signal_docker_image: "dock.mau.dev/mautrix/signal:{{ matrix_mautrix_signal_version }}" matrix_mautrix_signal_docker_image_force_pull: "{{ matrix_mautrix_signal_docker_image.endswith(':latest') }}" From 46f621bca60542d37ef44299d9930b434cb4f245 Mon Sep 17 00:00:00 2001 From: GoliathLabs Date: Mon, 17 Jan 2022 09:58:16 +0100 Subject: [PATCH 187/202] Added: mautrix-whatsapp v0.2.3 tag --- roles/matrix-bridge-mautrix-whatsapp/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-bridge-mautrix-whatsapp/defaults/main.yml b/roles/matrix-bridge-mautrix-whatsapp/defaults/main.yml index 81c451cf..aaa1f04a 100644 --- a/roles/matrix-bridge-mautrix-whatsapp/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-whatsapp/defaults/main.yml @@ -7,7 +7,7 @@ matrix_mautrix_whatsapp_container_image_self_build: false matrix_mautrix_whatsapp_container_image_self_build_repo: "https://mau.dev/mautrix/whatsapp.git" matrix_mautrix_whatsapp_container_image_self_build_branch: "{{ 'master' if matrix_mautrix_whatsapp_version == 'latest' else matrix_mautrix_whatsapp_version }}" -matrix_mautrix_whatsapp_version: latest +matrix_mautrix_whatsapp_version: v0.2.3 # See: https://mau.dev/mautrix/whatsapp/container_registry matrix_mautrix_whatsapp_docker_image: "{{ matrix_mautrix_whatsapp_docker_image_name_prefix }}mautrix/whatsapp:{{ matrix_mautrix_whatsapp_version }}" matrix_mautrix_whatsapp_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_whatsapp_container_image_self_build else 'dock.mau.dev/' }}" From 94d31eefd37ab35efedd7eaa6fe902d33d5dc110 Mon Sep 17 00:00:00 2001 From: GoliathLabs Date: Mon, 17 Jan 2022 10:02:16 +0100 Subject: [PATCH 188/202] Updated: mautrix-twitter to v0.1.3 --- roles/matrix-bridge-mautrix-twitter/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-bridge-mautrix-twitter/defaults/main.yml b/roles/matrix-bridge-mautrix-twitter/defaults/main.yml index 826bc4b6..6a72706b 100644 --- a/roles/matrix-bridge-mautrix-twitter/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-twitter/defaults/main.yml @@ -6,7 +6,7 @@ matrix_mautrix_twitter_enabled: true matrix_mautrix_twitter_container_image_self_build: false matrix_mautrix_twitter_container_image_self_build_repo: "https://github.com/mautrix/twitter.git" -matrix_mautrix_twitter_version: latest +matrix_mautrix_twitter_version: v0.1.3 # See: https://mau.dev/tulir/mautrix-twitter/container_registry matrix_mautrix_twitter_docker_image: "{{ matrix_mautrix_twitter_docker_image_name_prefix }}mautrix/twitter:{{ matrix_mautrix_twitter_version }}" matrix_mautrix_twitter_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_twitter_container_image_self_build else 'dock.mau.dev/' }}" From 8a66db850ea2898f409921147970b6c645f9f166 Mon Sep 17 00:00:00 2001 From: GoliathLabs Date: Mon, 17 Jan 2022 10:53:15 +0100 Subject: [PATCH 189/202] Updated: Certbot to v1.22.0 --- roles/matrix-nginx-proxy/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index 8c57928f..a14a6785 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -476,7 +476,7 @@ matrix_ssl_lets_encrypt_staging: false # Learn more here: https://eff-certbot.readthedocs.io/en/stable/using.html#changing-the-acme-server matrix_ssl_lets_encrypt_server: '' -matrix_ssl_lets_encrypt_certbot_docker_image: "{{ matrix_container_global_registry_prefix }}certbot/certbot:{{ matrix_ssl_architecture }}-v1.21.0" +matrix_ssl_lets_encrypt_certbot_docker_image: "{{ matrix_container_global_registry_prefix }}certbot/certbot:{{ matrix_ssl_architecture }}-v1.22.0" matrix_ssl_lets_encrypt_certbot_docker_image_force_pull: "{{ matrix_ssl_lets_encrypt_certbot_docker_image.endswith(':latest') }}" matrix_ssl_lets_encrypt_certbot_standalone_http_port: 2402 matrix_ssl_lets_encrypt_support_email: ~ From b608c3d342c15a9e9946453870595c40e1b55db2 Mon Sep 17 00:00:00 2001 From: GoliathLabs Date: Mon, 17 Jan 2022 10:55:36 +0100 Subject: [PATCH 190/202] Updated: worker_processes to auto --- roles/matrix-nginx-proxy/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index a14a6785..6932c8c0 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -555,5 +555,5 @@ matrix_nginx_proxy_synapse_frontend_proxy_locations: [] # The amount of worker processes and connections # Consider increasing these when you are expecting high amounts of traffic # http://nginx.org/en/docs/ngx_core_module.html#worker_connections -matrix_nginx_proxy_worker_processes: 1 +matrix_nginx_proxy_worker_processes: auto matrix_nginx_proxy_worker_connections: 1024 From 3614903e38edbb86decd13d1eec0aef33f1d934a Mon Sep 17 00:00:00 2001 From: GoliathLabs Date: Mon, 17 Jan 2022 18:40:44 +0100 Subject: [PATCH 191/202] Updated: element-web to v1.9.9 --- roles/matrix-client-element/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-client-element/defaults/main.yml b/roles/matrix-client-element/defaults/main.yml index 7853292a..15f401dd 100644 --- a/roles/matrix-client-element/defaults/main.yml +++ b/roles/matrix-client-element/defaults/main.yml @@ -7,7 +7,7 @@ matrix_client_element_container_image_self_build_repo: "https://github.com/vecto # - https://github.com/vector-im/element-web/issues/19544 matrix_client_element_container_image_self_build_low_memory_system_patch_enabled: "{{ ansible_memtotal_mb < 4096 }}" -matrix_client_element_version: v1.9.8 +matrix_client_element_version: v1.9.9 matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:{{ matrix_client_element_version }}" matrix_client_element_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_client_element_docker_image_force_pull: "{{ matrix_client_element_docker_image.endswith(':latest') }}" From 5f22371c23f2f638b7a2dd03c0a36196d33a3777 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 18 Jan 2022 16:15:52 +0200 Subject: [PATCH 192/202] Upgrade Synapse (1.49.2 -> 1.50.0) --- roles/matrix-synapse/defaults/main.yml | 4 ++-- roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 | 3 ++- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index ce5235d3..91f5461c 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -15,8 +15,8 @@ matrix_synapse_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_cont # amd64 gets released first. # arm32 relies on self-building, so the same version can be built immediately. # arm64 users need to wait for a prebuilt image to become available. -matrix_synapse_version: v1.49.2 -matrix_synapse_version_arm64: v1.49.2 +matrix_synapse_version: v1.50.0 +matrix_synapse_version_arm64: v1.50.0 matrix_synapse_docker_image_tag: "{{ matrix_synapse_version if matrix_architecture in ['arm32', 'amd64'] else matrix_synapse_version_arm64 }}" matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}" diff --git a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 index 5d7502fd..902aaa71 100644 --- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 @@ -12,7 +12,7 @@ # Server admins can expand Synapse's functionality with external modules. # -# See https://matrix-org.github.io/synapse/develop/modules.html for more +# See https://matrix-org.github.io/synapse/latest/modules/index.html for more # documentation on how to configure or create custom modules for Synapse. # modules: @@ -1519,6 +1519,7 @@ room_prejoin_state: # - m.room.encryption # - m.room.name # - m.room.create + # - m.room.topic # # Uncomment the following to disable these defaults (so that only the event # types listed in 'additional_event_types' are shared). Defaults to 'false'. From 4cd44f117dcc8cd627833148d6a7af657b2452ac Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 18 Jan 2022 20:45:12 +0200 Subject: [PATCH 193/202] Upgrade Synapse (1.50.0 -> 1.50.1) v1.50.0 was found to be buggy for people using a `webclient` listener. This is fixed in v1.50.1. We don't use such a listener, so we weren't affected anyway. --- roles/matrix-synapse/defaults/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index 91f5461c..a8e93448 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -15,8 +15,8 @@ matrix_synapse_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_cont # amd64 gets released first. # arm32 relies on self-building, so the same version can be built immediately. # arm64 users need to wait for a prebuilt image to become available. -matrix_synapse_version: v1.50.0 -matrix_synapse_version_arm64: v1.50.0 +matrix_synapse_version: v1.50.1 +matrix_synapse_version_arm64: v1.50.1 matrix_synapse_docker_image_tag: "{{ matrix_synapse_version if matrix_architecture in ['arm32', 'amd64'] else matrix_synapse_version_arm64 }}" matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}" From ff94d815e1a259565174c37566a5687777eebad9 Mon Sep 17 00:00:00 2001 From: Aaron Raimist Date: Wed, 19 Jan 2022 14:35:55 +0000 Subject: [PATCH 194/202] Upgrade synapse-simple-antispam (0.0.3 -> 0.0.7) --- roles/matrix-synapse/defaults/main.yml | 4 +++- .../tasks/ext/synapse-simple-antispam/setup_install.yml | 4 ++-- roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 | 3 ++- 3 files changed, 7 insertions(+), 4 deletions(-) diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index 91f5461c..bca58b01 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -517,7 +517,7 @@ matrix_synapse_ext_password_provider_ldap_default_domain: "" # See: https://github.com/t2bot/synapse-simple-antispam matrix_synapse_ext_spam_checker_synapse_simple_antispam_enabled: false matrix_synapse_ext_spam_checker_synapse_simple_antispam_git_repository_url: "https://github.com/t2bot/synapse-simple-antispam" -matrix_synapse_ext_spam_checker_synapse_simple_antispam_git_version: "923ca5c85b08f157181721abbae50dd89c31e4b5" +matrix_synapse_ext_spam_checker_synapse_simple_antispam_git_version: "5ab711971e3a4541a7a40310ff85e17f8262cc05" matrix_synapse_ext_spam_checker_synapse_simple_antispam_config_blocked_homeservers: [] # Enable this to activate the Mjolnir Antispam spam-checker module. @@ -580,6 +580,8 @@ matrix_synapse_default_room_version: "6" # If not, you can also control its value manually. matrix_synapse_spam_checker: [] +matrix_synapse_modules: [] + matrix_synapse_encryption_enabled_by_default_for_room_type: off matrix_synapse_trusted_key_servers: diff --git a/roles/matrix-synapse/tasks/ext/synapse-simple-antispam/setup_install.yml b/roles/matrix-synapse/tasks/ext/synapse-simple-antispam/setup_install.yml index 2599e7f1..706cc588 100644 --- a/roles/matrix-synapse/tasks/ext/synapse-simple-antispam/setup_install.yml +++ b/roles/matrix-synapse/tasks/ext/synapse-simple-antispam/setup_install.yml @@ -38,8 +38,8 @@ become_user: "{{ matrix_user_username }}" - set_fact: - matrix_synapse_spam_checker: > - {{ matrix_synapse_spam_checker }} + matrix_synapse_modules: > + {{ matrix_synapse_modules }} + [{ "module": "synapse_simple_antispam.AntiSpamInvites", diff --git a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 index 902aaa71..fccb1a25 100644 --- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 @@ -15,12 +15,13 @@ # See https://matrix-org.github.io/synapse/latest/modules/index.html for more # documentation on how to configure or create custom modules for Synapse. # -modules: +#modules: # - module: my_super_module.MySuperClass # config: # do_thing: true # - module: my_other_super_module.SomeClass # config: {} +modules: {{ matrix_synapse_modules|to_json }} ## Server ## From 51b27de1bb0f76904d1bcb67613273d3a003188c Mon Sep 17 00:00:00 2001 From: Aine Date: Wed, 19 Jan 2022 18:33:51 +0200 Subject: [PATCH 195/202] matrix-bot-honoroit: bugfix commands in reply-to mode, add custom prefixes for thread topics --- roles/matrix-bot-honoroit/defaults/main.yml | 8 +++++++- roles/matrix-bot-honoroit/templates/env.j2 | 2 ++ 2 files changed, 9 insertions(+), 1 deletion(-) diff --git a/roles/matrix-bot-honoroit/defaults/main.yml b/roles/matrix-bot-honoroit/defaults/main.yml index 426aa372..a9ea993f 100644 --- a/roles/matrix-bot-honoroit/defaults/main.yml +++ b/roles/matrix-bot-honoroit/defaults/main.yml @@ -7,7 +7,7 @@ matrix_bot_honoroit_container_image_self_build: false matrix_bot_honoroit_docker_repo: "https://gitlab.com/etke.cc/honoroit.git" matrix_bot_honoroit_docker_src_files_path: "{{ matrix_base_data_path }}/honoroit/docker-src" -matrix_bot_honoroit_version: v0.9.2 +matrix_bot_honoroit_version: v0.9.3 matrix_bot_honoroit_docker_image: "{{ matrix_bot_honoroit_docker_image_name_prefix }}honoroit:{{ matrix_bot_honoroit_version }}" matrix_bot_honoroit_docker_image_name_prefix: "{{ 'localhost/' if matrix_bot_honoroit_container_image_self_build else 'registry.gitlab.com/etke.cc/' }}" matrix_bot_honoroit_docker_image_force_pull: "{{ matrix_bot_honoroit_docker_image.endswith(':latest') }}" @@ -83,6 +83,12 @@ matrix_bot_honoroit_sentry: '' # Log level matrix_bot_honoroit_loglevel: '' +# Text prefix: open +matrix_bot_honoroit_text_prefix_open: '' + +# Text prefix: done +matrix_bot_honoroit_text_prefix_done: '' + # Text: greetings matrix_bot_honoroit_text_greetings: '' diff --git a/roles/matrix-bot-honoroit/templates/env.j2 b/roles/matrix-bot-honoroit/templates/env.j2 index 4b1dd43f..fdd9b13d 100644 --- a/roles/matrix-bot-honoroit/templates/env.j2 +++ b/roles/matrix-bot-honoroit/templates/env.j2 @@ -7,6 +7,8 @@ HONOROIT_DB_DIALECT={{ matrix_bot_honoroit_database_dialect }} HONOROIT_PREFIX={{ matrix_bot_honoroit_prefix }} HONOROIT_SENTRY={{ matrix_bot_honoroit_sentry }} HONOROIT_LOGLEVEL={{ matrix_bot_honoroit_loglevel }} +HONOROIT_TEXT_PREFIX_OPEN={{ matrix_bot_honoroit_text_prefix_open }} +HONOROIT_TEXT_PREFIX_DONE={{ matrix_bot_honoroit_text_prefix_done }} HONOROIT_TEXT_GREETINGS={{ matrix_bot_honoroit_text_greetings }} HONOROIT_TEXT_ERROR={{ matrix_bot_honoroit_text_error }} HONOROIT_TEXT_EMPTYROOM={{ matrix_bot_honoroit_text_emptyroom }} From 3aa8c1f62c103149057806e3671fb1da525b3a53 Mon Sep 17 00:00:00 2001 From: Wm Salt Hale Date: Wed, 19 Jan 2022 21:58:39 -0800 Subject: [PATCH 196/202] only enable openssl if necessary --- .../tasks/util/ensure_openssl_installed.yml | 23 +++++++++++++++++ .../tasks/setup_install.yml | 2 ++ roles/matrix-jitsi/tasks/setup_jitsi_base.yml | 2 ++ .../tasks/ssl/setup_ssl_self_signed.yml | 25 ++----------------- 4 files changed, 29 insertions(+), 23 deletions(-) create mode 100644 roles/matrix-base/tasks/util/ensure_openssl_installed.yml diff --git a/roles/matrix-base/tasks/util/ensure_openssl_installed.yml b/roles/matrix-base/tasks/util/ensure_openssl_installed.yml new file mode 100644 index 00000000..c0839657 --- /dev/null +++ b/roles/matrix-base/tasks/util/ensure_openssl_installed.yml @@ -0,0 +1,23 @@ + +# This is for both CentOS 7 and 8 +- name: Ensure openssl installed (CentOS) + yum: + name: + - openssl + state: latest + when: ansible_distribution == 'CentOS' + +# This is for both Debian and Raspbian +- name: Ensure fuse installed (Debian/Raspbian) + apt: + name: + - openssl + state: latest + when: ansible_os_family == 'Debian' + +- name: Ensure fuse installed (Archlinux) + pacman: + name: + - openssl + state: latest + when: ansible_distribution == 'Archlinux' diff --git a/roles/matrix-bridge-appservice-irc/tasks/setup_install.yml b/roles/matrix-bridge-appservice-irc/tasks/setup_install.yml index 20714a41..63ee6621 100644 --- a/roles/matrix-bridge-appservice-irc/tasks/setup_install.yml +++ b/roles/matrix-bridge-appservice-irc/tasks/setup_install.yml @@ -1,5 +1,7 @@ --- +- import_tasks: "{{ role_path }}/../matrix-base/tasks/util/ensure_openssl_installed.yml" + - name: Ensure Appservice IRC paths exist file: path: "{{ item.path }}" diff --git a/roles/matrix-jitsi/tasks/setup_jitsi_base.yml b/roles/matrix-jitsi/tasks/setup_jitsi_base.yml index 408027ee..86e37212 100644 --- a/roles/matrix-jitsi/tasks/setup_jitsi_base.yml +++ b/roles/matrix-jitsi/tasks/setup_jitsi_base.yml @@ -1,5 +1,7 @@ --- +- import_tasks: "{{ role_path }}/../matrix-base/tasks/util/ensure_openssl_installed.yml" + # # Tasks related to setting up jitsi # diff --git a/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_self_signed.yml b/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_self_signed.yml index 8fa316da..47ec40aa 100644 --- a/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_self_signed.yml +++ b/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_self_signed.yml @@ -1,28 +1,7 @@ --- -- name: Ensure OpenSSL installed (RedHat) - yum: - name: - - openssl - state: present - update_cache: no - when: "matrix_ssl_retrieval_method == 'self-signed' and ansible_os_family == 'RedHat'" - -- name: Ensure APT usage dependencies are installed (Debian) - apt: - name: - - openssl - state: present - update_cache: no - when: "matrix_ssl_retrieval_method == 'self-signed' and ansible_os_family == 'Debian'" - -- name: Ensure OpenSSL installed (Archlinux) - pacman: - name: - - openssl - state: latest - update_cache: no - when: "matrix_ssl_retrieval_method == 'self-signed' and ansible_distribution == 'Archlinux'" +- import_tasks: "{{ role_path }}/../matrix-base/tasks/util/ensure_openssl_installed.yml" + when: "matrix_ssl_retrieval_method == 'self-signed'" - name: Generate self-signed certificates include_tasks: "{{ role_path }}/tasks/ssl/setup_ssl_self_signed_obtain_for_domain.yml" From 88b832a8185ada6cc16da38d41d29c74ed9bce85 Mon Sep 17 00:00:00 2001 From: Wm Salt Hale Date: Wed, 19 Jan 2022 22:02:20 -0800 Subject: [PATCH 197/202] updated task names leftover from template used --- roles/matrix-base/tasks/util/ensure_openssl_installed.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/matrix-base/tasks/util/ensure_openssl_installed.yml b/roles/matrix-base/tasks/util/ensure_openssl_installed.yml index c0839657..39442bca 100644 --- a/roles/matrix-base/tasks/util/ensure_openssl_installed.yml +++ b/roles/matrix-base/tasks/util/ensure_openssl_installed.yml @@ -8,14 +8,14 @@ when: ansible_distribution == 'CentOS' # This is for both Debian and Raspbian -- name: Ensure fuse installed (Debian/Raspbian) +- name: Ensure openssl installed (Debian/Raspbian) apt: name: - openssl state: latest when: ansible_os_family == 'Debian' -- name: Ensure fuse installed (Archlinux) +- name: Ensure openssl installed (Archlinux) pacman: name: - openssl From c6287083e452cb8cd4cbf68226bee7bbbc2e1406 Mon Sep 17 00:00:00 2001 From: GoliathLabs Date: Thu, 20 Jan 2022 10:57:39 +0100 Subject: [PATCH 198/202] Updated: prom-postgres-exporter to v0.10.1 --- roles/matrix-prometheus-postgres-exporter/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-prometheus-postgres-exporter/defaults/main.yml b/roles/matrix-prometheus-postgres-exporter/defaults/main.yml index 0857d3e7..338f58d3 100644 --- a/roles/matrix-prometheus-postgres-exporter/defaults/main.yml +++ b/roles/matrix-prometheus-postgres-exporter/defaults/main.yml @@ -3,7 +3,7 @@ matrix_prometheus_postgres_exporter_enabled: false -matrix_prometheus_postgres_exporter_version: v0.10.0 +matrix_prometheus_postgres_exporter_version: v0.10.1 matrix_prometheus_postgres_exporter_port: 9187 matrix_prometheus_postgres_exporter_docker_image: "quay.io/prometheuscommunity/postgres-exporter:{{ matrix_prometheus_postgres_exporter_version }}" From a9dd397771e56c8522e795f801d9bb58026cd222 Mon Sep 17 00:00:00 2001 From: Kim Brose Date: Sat, 22 Jan 2022 18:59:16 +0100 Subject: [PATCH 199/202] add etherpad to nginx wanted services it's required if enabled by the dimension config here: https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/6eb8fb83925af055483ca797e31b5d803135e61f/roles/matrix-etherpad/tasks/init.yml#L42-L49 see also #1517 --- group_vars/matrix_servers | 2 ++ 1 file changed, 2 insertions(+) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index af84d5d9..53a3b7de 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -1482,6 +1482,8 @@ matrix_nginx_proxy_systemd_wanted_services_list: | (['matrix-jitsi.service'] if matrix_jitsi_enabled else []) + (['matrix-bot-go-neb.service'] if matrix_bot_go_neb_enabled else []) + + + (['matrix-etherpad.service'] if matrix_etherpad_enabled else []) }} matrix_ssl_domains_to_obtain_certificates_for: | From 44ae8d3b926f91e4fef22bca94c542b468dcfd96 Mon Sep 17 00:00:00 2001 From: Kim Brose Date: Sun, 23 Jan 2022 14:28:11 +0100 Subject: [PATCH 200/202] refine etherpad in nginx wanted services condition --- group_vars/matrix_servers | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 53a3b7de..835b9245 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -1483,7 +1483,7 @@ matrix_nginx_proxy_systemd_wanted_services_list: | + (['matrix-bot-go-neb.service'] if matrix_bot_go_neb_enabled else []) + - (['matrix-etherpad.service'] if matrix_etherpad_enabled else []) + (['matrix-etherpad.service'] if matrix_etherpad_enabled and matrix_dimension_enabled else []) }} matrix_ssl_domains_to_obtain_certificates_for: | From b02aa4b7997ec24add81551bcdba257cfcccecc0 Mon Sep 17 00:00:00 2001 From: Thracky Date: Sun, 23 Jan 2022 14:09:18 -0500 Subject: [PATCH 201/202] Add missing slash in url scheme for mediaUrl --- roles/matrix-bridge-mx-puppet-discord/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-bridge-mx-puppet-discord/defaults/main.yml b/roles/matrix-bridge-mx-puppet-discord/defaults/main.yml index cd9c1477..23d4ebf4 100644 --- a/roles/matrix-bridge-mx-puppet-discord/defaults/main.yml +++ b/roles/matrix-bridge-mx-puppet-discord/defaults/main.yml @@ -27,7 +27,7 @@ matrix_mx_puppet_discord_homeserver_address: "{{ matrix_homeserver_container_url matrix_mx_puppet_discord_homeserver_domain: '{{ matrix_domain }}' matrix_mx_puppet_discord_appservice_address: 'http://matrix-mx-puppet-discord:{{ matrix_mx_puppet_discord_appservice_port }}' -matrix_mx_puppet_discord_bridge_mediaUrl: "https:/{{ matrix_server_fqn_matrix }}" +matrix_mx_puppet_discord_bridge_mediaUrl: "https://{{ matrix_server_fqn_matrix }}" # "@user:server.com" to allow specific user # "@.*:yourserver.com" to allow users on a specific homeserver From f59f903c0440c6d055b5cf1fc558662f1d3d0296 Mon Sep 17 00:00:00 2001 From: Catalan Lover <48515417+FSG-Cat@users.noreply.github.com> Date: Mon, 24 Jan 2022 14:47:41 +0100 Subject: [PATCH 202/202] Update Synapse from 1.50.1 to 1.50.2 Fixes a issue with room version 1. Merging has to wait until ARM images are built ofc. --- roles/matrix-synapse/defaults/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index 87088001..084d821f 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -15,8 +15,8 @@ matrix_synapse_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_cont # amd64 gets released first. # arm32 relies on self-building, so the same version can be built immediately. # arm64 users need to wait for a prebuilt image to become available. -matrix_synapse_version: v1.50.1 -matrix_synapse_version_arm64: v1.50.1 +matrix_synapse_version: v1.50.2 +matrix_synapse_version_arm64: v1.50.2 matrix_synapse_docker_image_tag: "{{ matrix_synapse_version if matrix_architecture in ['arm32', 'amd64'] else matrix_synapse_version_arm64 }}" matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}"