jowj
/
matrix-docker-ansible-deploy
forked from mirrors/matrix-docker-ansible-deploy
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Merge remote-tracking branch 'upstream/master'

Browse Source
master
josiah 2 years ago
parent 895c1e32f1 e074f9d4ed
commit 9041c255ad
588 changed files with 8305 additions and 5879 deletions
Show Stats Download Patch File Download Diff File

1
.github/FUNDING.yml vendored
Unescape View File

@ -1,3 +1,4 @@
---
# These are supported funding model platforms
# https://liberapay.com/s.pantaleev/

57
.github/ISSUE_TEMPLATE/bug_report.md vendored
Unescape View File

@ -0,0 +1,57 @@
---
name: Bug report
about: Create a report to help us improve
title: ''
labels: ''
assignees: ''
---
**Describe the bug**
A clear and concise description of what the bug is.
<!--
NOTE: This Ansible playbook installs tens of separate services. If you're having a problem with a specific service, it is likely that the problem is not with our deployment method, but with the service itself. You may wish to report that problem at the source, upstream, and not to us
-->
**To Reproduce**
My `vars.yml` file looks like this:
```yaml
Paste your vars.yml file here.
Make sure to remove any secret values before posting your vars.yml file publicly.
```
<!-- Below this line, tell us what you're doing to reproduce the problem. -->
**Expected behavior**
A clear and concise description of what you expected to happen.
**Matrix Server:**
- OS: [e.g. Ubuntu 21.04]
- Architecture [e.g. amd64, arm32, arm64]
**Ansible:**
If your problem appears to be with Ansible, tell us:
- where you run Ansible -- e.g. on the Matrix server itself; on another computer (which OS? distro? standard installation or containerized Ansible?)
- what version of Ansible you're running (see `ansible --version`)
<!--
The above is only applicable if you're hitting a problem with Ansible itself.
We don't need this information in most cases. Delete this section if not applicable.
-->
**Client:**
- Device: [e.g. iPhone6]
- OS: [e.g. iOS8.1]
- Browser [e.g. stock browser, safari]
- Version [e.g. 22]
<!--
The above is only applicable if you're hitting a problem with a specific device, but not with others.
We don't need this information in most cases. Delete this section if not applicable.
-->
**Additional context**
Add any other context about the problem here.

28
.github/ISSUE_TEMPLATE/feature_request.md vendored
Unescape View File

@ -0,0 +1,28 @@
---
name: Feature request
about: Suggest an idea for this project
title: ''
labels: ''
assignees: ''
---
**Is your feature request related to a problem? Please describe.**
A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
<!--
NOTE: When submitting feature requests, be aware that:
- This Ansible playbook installs tens of separate services. If you're having a problem with a specific service or you'd like some functionality added to it, it is likely that the problem is not with our deployment method, but with the service itself. You may wish to report that problem at the source, upstream, and not to us.
- This is a community project with no financial backing. The easiest way to get a feature into this project is to just develop it yourself.
-->
**Describe the solution you'd like**
A clear and concise description of what you want to happen.
**Describe alternatives you've considered**
A clear and concise description of any alternative solutions or features you've considered.
**Additional context**
Add any other context or screenshots about the feature request here.

49
.github/ISSUE_TEMPLATE/i-need-help.md vendored
Unescape View File

@ -0,0 +1,49 @@
---
name: I need help
about: Get support from our community
title: ''
labels: ''
assignees: ''
---
<!--
NOTE: you can usually get more timely support and from more people by joining our Matrix room (also bridged to IRC). See the [Support section of our README](https://github.com/spantaleev/matrix-docker-ansible-deploy#support)
-->
**Playbook Configuration**:
My `vars.yml` file looks like this:
```yaml
Paste your vars.yml file here.
Make sure to remove any secret values before posting your vars.yml file publicly.
```
**Matrix Server:**
- OS: [e.g. Ubuntu 21.04]
- Architecture [e.g. amd64, arm32, arm64]
**Ansible:**
If your problem appears to be with Ansible, tell us:
- where you run Ansible -- e.g. on the Matrix server itself; on another computer (which OS? distro? standard installation or containerized Ansible?)
- what version of Ansible you're running (see `ansible --version`)
**Problem description**:
Describe what you're doing, what you expect to happen and what happens instead here.
Tell us what you've tried and what you're aiming to achieve.
**Client (please complete the following information):**
- Device: [e.g. iPhone6]
- OS: [e.g. iOS8.1]
- Browser [e.g. stock browser, safari]
- Version [e.g. 22]
<!--
The above is only applicable if you're hitting a problem with a specific device, but not with others.
We don't need this information in most cases. Delete this section if not applicable.
-->
**Additional context**
Add any other context about the problem here.

7
.github/dependabot.yaml vendored
Unescape View File

@ -0,0 +1,7 @@
---
version: 2
updates:
- package-ecosystem: "github-actions"
directory: "/"
schedule:
interval: daily

16
.github/workflows/matrix.yml vendored
Unescape View File

@ -0,0 +1,16 @@
---
name: Matrix CI
on: # yamllint disable-line rule:truthy
push:
pull_request:
jobs:
yamllint:
name: 🧹 yamllint
runs-on: ubuntu-latest
steps:
- name: ⤵️ Check out configuration from GitHub
uses: actions/checkout@v3
- name: 🚀 Run yamllint
uses: frenck/action-yamllint@v1.1.2

8
.yamllint
Unescape View File

@ -0,0 +1,8 @@
---
extends: default
ignore: |
roles/matrix-synapse/vars/workers.yml
rules:
line-length: disable

192
CHANGELOG.md
Unescape View File

@ -1,3 +1,195 @@
# 2022-07-05
## Ntfy push notifications support
Thanks to [Julian Foad](https://matrix.to/#/@julian:foad.me.uk), the playbook can now install a [ntfy](https://ntfy.sh/) push notifications server for you.
See our [Setting up the ntfy push notifications server](docs/configuring-playbook-ntfy.md) documentation to get started.
# 2022-06-23
## (Potential Backward Compatibility Break) Changes around metrics collection
**TLDR**: we've made extensive **changes to metrics exposure/collection, which concern people using an external Prometheus server**. If you don't know what that is, you don't need to read below.
**Why do major changes to metrics**? Because various services were exposing metrics in different, hacky, ways. Synapse was exposing metrics at `/_synapse/metrics` and `/_synapse-worker-.../metrics` on the `matrix.DOMAIN`. The Hookshot role was **repurposing** the Granana web UI domain (`stats.DOMAIN`) for exposing its metrics on `stats.DOMAIN/hookshot/metrics`, while protecting these routes using Basic Authentication **normally used for Synapse** (`/_synapse/metrics`). Node-exporter and Postgres-exporter roles were advising for more `stats.DOMAIN` usage in manual ways. Each role was doing things differently and mixing variables from other roles. Each metrics endpoint was ending up in a different place, protected by who knows what Basic Authentication credentials (if protected at all).
**The solution**: a completely revamped way to expose metrics to an external Prometheus server. We are **introducing new `https://matrix.DOMAIN/metrics/*` endpoints**, where various services *can* expose their metrics, for collection by external Prometheus servers. To enable the `/metrics/*` endpoints, use `matrix_nginx_proxy_proxy_matrix_metrics_enabled: true`. There's also a way to protect access using [Basic Authentication](https://en.wikipedia.org/wiki/Basic_access_authentication). See the `matrix-nginx-proxy` role or our [Collecting metrics to an external Prometheus server](docs/configuring-playbook-prometheus-grafana.md#collecting-metrics-to-an-external-prometheus-server) documentation for additional variables around `matrix_nginx_proxy_proxy_matrix_metrics_enabled`.
**If you are using the [Hookshot bridge](docs/configuring-playbook-bridge-hookshot.md)**, you may find that:
1. **Metrics may not be enabled by default anymore**:
- If Prometheus is enabled (`matrix_prometheus_enabled: true`), then Hookshot metrics will be enabled automatically (`matrix_hookshot_metrics_enabled: true`). These metrics will be collected from the local (in-container) Prometheus over the container network.
- **If Prometheus is not enabled** (you are either not using Prometheus or are using an external one), **Hookshot metrics will not be enabled by default anymore**. Feel free to enable them by setting `matrix_hookshot_metrics_enabled: true`. Also, see below.
2. When metrics are meant to be **consumed by an external Prometheus server**, `matrix_hookshot_metrics_proxying_enabled` needs to be set to `true`, so that metrics would be exposed (proxied) "publicly" on `https://matrix.DOMAIN/metrics/hookshot`. To make use of this, you'll also need to enable the new `https://matrix.DOMAIN/metrics/*` endpoints mentioned above, using `matrix_nginx_proxy_proxy_matrix_metrics_enabled`. Learn more in our [Collecting metrics to an external Prometheus server](docs/configuring-playbook-prometheus-grafana.md#collecting-metrics-to-an-external-prometheus-server) documentation.
3. **We've changed the URL we're exposing Hookshot metrics at** for external Prometheus servers. Until now, you were advised to consume Hookshot metrics from `https://stats.DOMAIN/hookshot/metrics` (working in conjunction with `matrix_nginx_proxy_proxy_synapse_metrics`). From now on, **this no longer works**. As described above, you need to start consuming metrics from `https://matrix.DOMAIN/metrics/hookshot`.
**If you're using node-exporter** (`matrix_prometheus_node_exporter_enabled: true`) and would like to collect its metrics from an external Prometheus server, see `matrix_prometheus_node_exporter_metrics_proxying_enabled` described in our [Collecting metrics to an external Prometheus server](docs/configuring-playbook-prometheus-grafana.md#collecting-metrics-to-an-external-prometheus-server) documentation. You will be able to collect its metrics from `https://matrix.DOMAIN/metrics/node-exporter`.
**If you're using [postgres-exporter](docs/configuring-playbook-prometheus-postgres.md)** (`matrix_prometheus_postgres_exporter_enabled: true`) and would like to collect its metrics from an external Prometheus server, see `matrix_prometheus_postgres_exporter_metrics_proxying_enabled` described in our [Collecting metrics to an external Prometheus server](docs/configuring-playbook-prometheus-grafana.md#collecting-metrics-to-an-external-prometheus-server) documentation. You will be able to collect its metrics from `https://matrix.DOMAIN/metrics/postgres-exporter`.
**If you're using Synapse** and would like to collect its metrics from an external Prometheus server, you may find that:
1. Exposing metrics is now done using `matrix_synapse_metrics_proxying_enabled`, not `matrix_nginx_proxy_proxy_synapse_metrics: true`. You may still need to enable metrics using `matrix_synapse_metrics_enabled: true` before exposing them.
2. Protecting metrics endpoints using [Basic Authentication](https://en.wikipedia.org/wiki/Basic_access_authentication) is now done in another way. See our [Collecting metrics to an external Prometheus server](docs/configuring-playbook-prometheus-grafana.md#collecting-metrics-to-an-external-prometheus-server) documentation
3. If Synapse metrics are exposed, they will be made available at `https://matrix.DOMAIN/metrics/synapse/main-process` or `https://matrix.DOMAIN/metrics/synapse/worker/TYPE-ID` (when workers are enabled), not at `https://matrix.DOMAIN/_synapse/metrics` and `https://matrix.DOMAIN/_synapse-worker-.../metrics`
4. The playbook still generates an `external_prometheus.yml.example` sample file for scraping Synapse from Prometheus as described in [Collecting Synapse worker metrics to an external Prometheus server](docs/configuring-playbook-prometheus-grafana.md#collecting-synapse-worker-metrics-to-an-external-prometheus-server), but it's now saved under `/matrix/synapse` (not `/matrix`).
**If you where already using a external Prometheus server** before this change, and you gave a hashed version of the password as a variable, the playbook will now take care of hashing the password for you. Thus, you need to provide the non-hashed version now.
# 2022-06-13
## go-skype-bridge bridging support
Thanks to [CyberShadow](https://github.com/CyberShadow), the playbook can now install the [go-skype-bridge](https://github.com/kelaresg/go-skype-bridge) bridge for bridging Matrix to [Skype](https://www.skype.com/).
See our [Setting up Go Skype Bridge](docs/configuring-playbook-bridge-go-skype-bridge.md) documentation to get started.
The playbook has supported [mx-puppet-skype](https://github.com/Sorunome/mx-puppet-skype) bridging (see [Setting up MX Puppet Skype bridging](docs/configuring-playbook-bridge-mx-puppet-skype.md)) since [2020-04-09](#2020-04-09), but `mx-puppet-skype` is reportedly broken.
# 2022-06-09
## Running Ansible in a container can now happen on the Matrix server itself
If you're tired of being on an old and problematic Ansible version, you can now run [run Ansible in a container on the Matrix server itself](docs/ansible.md#running-ansible-in-a-container-on-the-matrix-server-itself).
# 2022-05-31
## Synapse v1.60 upgrade may cause trouble and require manual intervention
Synapse v1.60 will try to add a new unique index to `state_group_edges` upon startup and could fail if your database is corrupted.
We haven't observed this problem yet, but [the Synapse v1.60.0 upgrade notes](https://github.com/matrix-org/synapse/blob/v1.60.0/docs/upgrade.md#adding-a-new-unique-index-to-state_group_edges-could-fail-if-your-database-is-corrupted) mention it, so we're giving you a heads up here in case you're unlucky.
**If Synapse fails to start** after your next playbook run, you'll need to:
- SSH into the Matrix server
- launch `/usr/local/bin/matrix-postgres-cli`
- switch to the `synapse` database: `\c synapse`
- run the following SQL query:
```sql
BEGIN;
DELETE FROM state_group_edges WHERE (ctid, state_group, prev_state_group) IN (
SELECT row_id, state_group, prev_state_group
FROM (
SELECT
ctid AS row_id,
MIN(ctid) OVER (PARTITION BY state_group, prev_state_group) AS min_row_id,
state_group,
prev_state_group
FROM state_group_edges
) AS t1
WHERE row_id <> min_row_id
);
COMMIT;
```
You could then restart services: `ansible-playbook -i inventory/hosts setup.yml --tags=start`
# 2022-04-25
## buscarron bot support
Thanks to [Aine](https://gitlab.com/etke.cc) of [etke.cc](https://etke.cc/), the playbook can now set up [the Buscarron bot](https://gitlab.com/etke.cc/buscarron). It's a bot you can use to send any form (HTTP POST, HTML) to a (encrypted) Matrix room
See our [Setting up Buscarron](docs/configuring-playbook-bot-buscarron.md) documentation to get started.
# 2022-04-21
## matrix-registration-bot support
Thanks to [Julian-Samuel Gebühr (@moan0s)](https://github.com/moan0s), the playbook can now help you set up [matrix-registration-bot](https://github.com/moan0s/matrix-registration-bot) - a bot that is used to create and manage registration tokens for a Matrix server.
See our [Setting up matrix-registration-bot](docs/configuring-playbook-bot-matrix-registration-bot.md) documentation to get started.
# 2022-04-19
## Borg backup support
Thanks to [Aine](https://gitlab.com/etke.cc) of [etke.cc](https://etke.cc/), the playbook can now set up [Borg](https://www.borgbackup.org/) backups with [borgmatic](https://torsion.org/borgmatic/) of your Matrix server.
See our [Setting up borg backup](docs/configuring-playbook-backup-borg.md) documentation to get started.
## (Compatibility Break) Upgrading to Synapse v1.57 on setups using workers may require manual action
If you're running a worker setup for Synapse (`matrix_synapse_workers_enabled: true`), the [Synapse v1.57 upgrade notes](https://github.com/matrix-org/synapse/blob/v1.57.0rc1/docs/upgrade.md#changes-to-database-schema-for-application-services) say that you may need to take special care when upgrading:
> Synapse v1.57.0 includes a change to the way transaction IDs are managed for application services. If your deployment uses a dedicated worker for application service traffic, **it must be stopped** when the database is upgraded (which normally happens when the main process is upgraded), to ensure the change is made safely without any risk of reusing transaction IDs.
If you're not running an `appservice` worker (`matrix_synapse_workers_preset: little-federation-helper` or `matrix_synapse_workers_appservice_workers_count: 0`), you are probably safe to upgrade as per normal, without taking any special care.
If you are running a setup with an `appservice` worker, or otherwise want to be on the safe side, we recommend the following upgrade path:
0. Pull the latest playbook changes
1. Stop all services (`ansible-playbook -i inventory/hosts setup.yml --tags=stop`)
2. Re-run the playbook (`ansible-playbook -i inventory/hosts setup.yml --tags=setup-all`)
3. Start Postgres (`systemctl start matrix-postgres` on the server)
4. Start the main Synapse process (`systemctl start matrix-synapse` on the server)
5. Wait a while so that Synapse can start and complete the database migrations. You can use `journalctl -fu matrix-synapse` on the server to get a clue. Waiting a few minutes should also be enough.
6. It should now be safe to start all other services. `ansible-playbook -i inventory/hosts setup.yml --tags=start` will do it for you
# 2022-04-14
## (Compatibility Break) Changes to `docker-src` permissions necessitating manual action
Users who build container images from source will need to manually correct file permissions of some directories on the server.
When self-building, the playbook used to `git clone` repositories (into `/matrix/SERVICE/docker-src`) using the `root` user, but now uses `matrix` instead to work around [the following issue with git 2.35.2](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1749).
If you're on a non-`amd64` architecture (that is, you're overriding `matrix_architecture` in your `vars.yml` file) or you have enabled self-building for some service (e.g. `matrix_*_self_build: true`), you're certainly building some container images from source and have `docker-src` directories with mixed permissions lying around in various `/matrix/SERVICE` directories.
The playbook *could* correct these permissions automatically, but that requires additional Ansible tasks in some ~45 different places - something that takes considerable effort. So we ask users observing errors related to `docker-src` directories to correct the problem manually by **running this command on the Matrix server** (which deletes all `/matrix/*/docker-src` directories): `find /matrix -maxdepth 2 -name 'docker-src' | xargs rm -rf`
# 2022-03-17
## (Compatibility Break) ma1sd identity server no longer installed by default
The playbook no longer installs the [ma1sd](https://github.com/ma1uta/ma1sd) identity server by default. The next time you run the playbook, ma1sd will be uninstalled from your server, unless you explicitly enable the ma1sd service (see how below).
The main reason we used to install ma1sd by default in the past was to prevent Element from talking to the `matrix.org` / `vector.im` identity servers, by forcing it to talk to our own self-hosted (but otherwise useless) identity server instead, thus preventing contact list leaks.
Since Element no longer defaults to using a public identity server if another one is not provided, we can stop installing ma1sd.
If you need to install the ma1sd identity server for some reason, you can explicitly enable it by adding this to your `vars.yml` file:
```yaml
matrix_ma1sd_enabled: true
```
# 2022-02-12
## matrix_encryption_disabler support
We now support installing the [matrix_encryption_disabler](https://github.com/digitalentity/matrix_encryption_disabler) Synapse module, which lets you prevent End-to-End-Encryption from being enabled by users on your homeserver. The popular opinion is that this is dangerous and shouldn't be done, but there are valid use cases for disabling encryption discussed [here](https://github.com/matrix-org/synapse/issues/4401).
To enable this module (and prevent encryption from being used on your homserver), add `matrix_synapse_ext_encryption_disabler_enabled: true` to your configuration. This module provides further customization. Check its other configuration settings (and defaults) in `roles/matrix-synapse/defaults/main.yml`.
# 2022-02-01
## matrix-hookshot bridging support
Thanks to [HarHarLinks](https://github.com/HarHarLinks), the playbook can now install the [matrix-hookshot](https://github.com/Half-Shot/matrix-hookshot) bridge for bridging Matrix to multiple project management services, such as GitHub, GitLab and JIRA.
See our [Setting up matrix-hookshot](docs/configuring-playbook-bridge-hookshot.md) documentation to get started.
# 2022-01-31
## ARM support for matrix-corporal
[matrix-corporal](https://github.com/devture/matrix-corporal) (as of version `2.2.3`) is now published to Docker Hub (see [devture/matrix-corporal](https://hub.docker.com/r/devture/matrix-corporal)) as a multi-arch container image with support for all these platforms: `linux/amd64`, `linux/arm64/v8` and `linux/arm/v7`. The playbook no longer resorts to self-building matrix-corporal on these ARM architectures.
# 2022-01-07
## Dendrite support

12
README.md
Unescape View File

@ -31,7 +31,7 @@ Using this playbook, you can get the following services configured on your serve
- (optional, default) an [Element](https://app.element.io/) ([formerly Riot](https://element.io/previously-riot)) web UI, which is configured to connect to your own Synapse server by default
- (optional, default) a [ma1sd](https://github.com/ma1uta/ma1sd) Matrix Identity server
- (optional) a [ma1sd](https://github.com/ma1uta/ma1sd) Matrix Identity server
- (optional, default) an [Exim](https://www.exim.org/) mail server, through which all Matrix services send outgoing email (can be configured to relay through another SMTP server)
@ -73,12 +73,16 @@ Using this playbook, you can get the following services configured on your serve
- (optional) the [matrix-appservice-webhooks](https://github.com/turt2live/matrix-appservice-webhooks) bridge for slack compatible webhooks ([ConcourseCI](https://concourse-ci.org/), [Slack](https://slack.com/) etc. pp.)
- (optional) the [matrix-hookshot](https://github.com/Half-Shot/matrix-hookshot) bridge for bridging Matrix to generic webhooks and multiple project management services, such as GitHub, GitLab, Figma, and Jira in particular
- (optional) the [matrix-sms-bridge](https://github.com/benkuly/matrix-sms-bridge) for bridging your Matrix server to SMS - see [docs/configuring-playbook-bridge-matrix-bridge-sms.md](docs/configuring-playbook-bridge-matrix-bridge-sms.md) for setup documentation
- (optional) the [Heisenbridge](https://github.com/hifi/heisenbridge) for bridging your Matrix server to IRC bouncer-style - see [docs/configuring-playbook-bridge-heisenbridge.md](docs/configuring-playbook-bridge-heisenbridge.md) for setup documentation
- (optional) the [mx-puppet-skype](https://hub.docker.com/r/sorunome/mx-puppet-skype) for bridging your Matrix server to [Skype](https://www.skype.com) - see [docs/configuring-playbook-bridge-mx-puppet-skype.md](docs/configuring-playbook-bridge-mx-puppet-skype.md) for setup documentation
- (optional) the [go-skype-bridge](https://github.com/kelaresg/go-skype-bridge) for bridging your Matrix server to [Skype](https://www.skype.com) - see [docs/configuring-playbook-bridge-go-skype-bridge.md](docs/configuring-playbook-bridge-go-skype-bridge.md) for setup documentation
- (optional) the [mx-puppet-slack](https://hub.docker.com/r/sorunome/mx-puppet-slack) for bridging your Matrix server to [Slack](https://slack.com) - see [docs/configuring-playbook-bridge-mx-puppet-slack.md](docs/configuring-playbook-bridge-mx-puppet-slack.md) for setup documentation
- (optional) the [mx-puppet-instagram](https://github.com/Sorunome/mx-puppet-instagram) bridge for Instagram-DMs ([Instagram](https://www.instagram.com/)) - see [docs/configuring-playbook-bridge-mx-puppet-instagram.md](docs/configuring-playbook-bridge-mx-puppet-instagram.md) for setup documentation
@ -119,6 +123,10 @@ Using this playbook, you can get the following services configured on your serve
- (optional) the [Cinny](https://github.com/ajbura/cinny) web client - see [docs/configuring-playbook-client-cinny.md](docs/configuring-playbook-client-cinny.md) for setup documentation
- (optional) the [Borg](https://borgbackup.org) backup - see [docs/configuring-playbook-backup-borg.md](docs/configuring-playbook-backup-borg.md) for setup documentation
- (optional) the [Buscarron](https://gitlab.com/etke.cc/buscarron) bot - see [docs/configuring-playbook-bot-buscarron.md](docs/configuring-playbook-bot-buscarron.md) for setup documentation
Basically, this playbook aims to get you up-and-running with all the necessities around Matrix, without you having to do anything else.
**Note**: the list above is exhaustive. It includes optional or even some advanced components that you will most likely not need.
@ -150,5 +158,3 @@ When updating the playbook, refer to [the changelog](CHANGELOG.md) to catch up w
## Services by the community
- [etke.cc](https://etke.cc) - matrix-docker-ansible-deploy and system stuff "as a service". That service will create your matrix homeserver on your domain and server (doesn't matter if it's cloud provider or on an old laptop in the corner of your room), (optional) maintains it (server's system updates, cleanup, security adjustments, tuning, etc.; matrix homeserver updates & maintenance) and (optional) provide full-featured email service for your domain
- [GoMatrixHosting](https://gomatrixhosting.com) - matrix-docker-ansible-deploy "as a service" with [Ansible AWX](https://github.com/ansible/awx). Members can be assigned a server from DigitalOcean, or they can connect their on-premises server. This AWX system can manage the updates, configuration, import and export, backups, and monitoring on its own. For more information [see our GitLab group](https://gitlab.com/GoMatrixHosting) or come [visit us on Matrix](https://matrix.to/#/#general:gomatrixhosting.com).

2
collections/requirements.yml
Unescape View File

@ -1,4 +1,4 @@
---
collections:
- name: community.general
- name: community.docker
- name: community.docker

4
docs/alternative-architectures.md
Unescape View File

@ -2,7 +2,7 @@
As stated in the [Prerequisites](prerequisites.md), currently only `x86_64` is fully supported. However, it is possible to set the target architecture, and some tools can be built on the host or other measures can be used.
To that end add the following variable to your `vars.yaml` file:
To that end add the following variable to your `vars.yml` file (see [Configuring playbook](configuring-playbook.md)):
```yaml
matrix_architecture: <your-matrix-server-architecture>
@ -13,7 +13,7 @@ Currently supported architectures are the following:
- `arm64`
- `arm32`
so for the Raspberry Pi, the following should be in your `vars.yaml` file:
so for the Raspberry Pi, the following should be in your `vars.yml` file:
```yaml
matrix_architecture: "arm32"

53
docs/ansible.md
Unescape View File

@ -30,7 +30,7 @@ Depending on your distribution, you may be able to upgrade Ansible in a few diff
- by using an additional repository (PPA, etc.), which provides newer Ansible versions. See instructions for [CentOS](https://docs.ansible.com/ansible/latest/installation_guide/intro_installation.html#installing-ansible-on-rhel-centos-or-fedora), [Debian](https://docs.ansible.com/ansible/latest/installation_guide/intro_installation.html#installing-ansible-on-debian), or [Ubuntu](https://docs.ansible.com/ansible/latest/installation_guide/intro_installation.html#installing-ansible-on-ubuntu) on the Ansible website.
- by removing the Ansible package (`yum remove ansible` or `apt-get remove ansible`) and installing via [pip](https://pip.pypa.io/en/stable/installing/) (`pip install ansible`).
- by removing the Ansible package (`yum remove ansible` or `apt-get remove ansible`) and installing via [pip](https://pip.pypa.io/en/stable/installation/) (`pip install ansible`).
If using the `pip` method, do note that the `ansible-playbook` binary may not be on the `$PATH` (https://linuxconfig.org/linux-path-environment-variable), but in some more special location like `/usr/local/bin/ansible-playbook`. You may need to invoke it using the full path.
@ -41,9 +41,50 @@ If you find yourself needing to resort to such hacks, please consider reporting
## Using Ansible via Docker
Alternatively, you can run Ansible on your computer from inside a Docker container (powered by the [devture/ansible](https://hub.docker.com/r/devture/ansible/) Docker image).
Alternatively, you can run Ansible inside a Docker container (powered by the [devture/ansible](https://hub.docker.com/r/devture/ansible/) Docker image).
Here's a sample command to get you started (run this from the playbook's directory):
This ensures that you're using a very recent Ansible version, which is less likely to be incompatible with the playbook.
There are 2 ways to go about it:
- [Running Ansible in a container on the Matrix server itself](#running-ansible-in-a-container-on-the-matrix-server-itself)
- [Running Ansible in a container on another computer (not the Matrix server)](#running-ansible-in-a-container-on-another-computer-not-the-matrix-server)
### Running Ansible in a container on the Matrix server itself
To run Ansible in a (Docker) container on the Matrix server itself, you need to have a working Docker installation.
Docker is normally installed by the playbook, so this may be a bit of a chicken and egg problem. To solve it:
- you **either** need to install Docker manually first. Follow [the upstream instructions](https://docs.docker.com/engine/install/) for your distribution and consider setting `matrix_docker_installation_enabled: false` in your `vars.yml` file, to prevent the playbook from installing Docker
- **or** you need to run the playbook in another way (e.g. [Running Ansible in a container on another computer (not the Matrix server)](#running-ansible-in-a-container-on-another-computer-not-the-matrix-server)) at least the first time around
Once you have a working Docker installation on the server, **clone the playbook** somewhere on the server and configure it as per usual (`inventory/hosts`, `inventory/host_vars/..`, etc.), as described in [configuring the playbook](configuring-playbook.md).
You would then need to add `ansible_connection=community.docker.nsenter` to the host line in `inventory/hosts`. This tells Ansible to connect to the "remote" machine by switching Linux namespaces with [nsenter](https://man7.org/linux/man-pages/man1/nsenter.1.html), instead of using SSH.
Alternatively, you can leave your `inventory/hosts` as is and specify the connection type in **each** `ansible-playbook` call you do later, like this: `ansible-playbook --connection=community.docker.nsenter ...`
Run this from the playbook's directory:
```bash
docker run -it --rm \
--privileged \
--pid=host \
-w /work \
-v `pwd`:/work \
--entrypoint=/bin/sh \
docker.io/devture/ansible:2.13.0-r0
```
Once you execute the above command, you'll be dropped into a `/work` directory inside a Docker container.
The `/work` directory contains the playbook's code.
You can execute `ansible-playbook ...` (or `ansible-playbook --connection=community.docker.nsenter ...`) commands as per normal now.
### Running Ansible in a container on another computer (not the Matrix server)
Run this from the playbook's directory:
```bash
docker run -it --rm \
@ -51,7 +92,7 @@ docker run -it --rm \
-v `pwd`:/work \
-v $HOME/.ssh/id_rsa:/root/.ssh/id_rsa:ro \
--entrypoint=/bin/sh \
docker.io/devture/ansible:2.11.6-r1
docker.io/devture/ansible:2.13.0-r0
```
The above command tries to mount an SSH key (`$HOME/.ssh/id_rsa`) into the container (at `/root/.ssh/id_rsa`).
@ -60,9 +101,9 @@ If your SSH key is at a different path (not in `$HOME/.ssh/id_rsa`), adjust that
Once you execute the above command, you'll be dropped into a `/work` directory inside a Docker container.
The `/work` directory contains the playbook's code.
You can execute `ansible-playbook` commands as per normal now.
You can execute `ansible-playbook ...` commands as per normal now.
### If you don't use SSH keys for authentication
#### If you don't use SSH keys for authentication
If you don't use SSH keys for authentication, simply remove that whole line (`-v $HOME/.ssh/id_rsa:/root/.ssh/id_rsa:ro`).
To authenticate at your server using a password, you need to add a package. So, when you are in the shell of the ansible docker container (the previously used `docker run -it ...` command), run:

BIN
docs/assets/obtain_admin_access_token_element.png
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 205 KiB

38
docs/configuring-awx-system.md
Unescape View File

@ -1,38 +0,0 @@
# Configuring AWX System (optional)
An AWX setup for managing multiple Matrix servers.
This section is used in an AWX system that can create and manage multiple [Matrix](http://matrix.org/) servers. You can issue members an AWX login to their own 'organisation', which they can use to manage/configure 1 to N servers.
Members can be assigned a server from Digitalocean, or they can connect their own on-premises server. These playbooks are free to use in a commercial context with the 'MemberPress Plus' plugin. They can also be run in a non-commercial context.
The AWX system is arranged into 'members' each with their own 'subscriptions'. After creating a subscription the user enters the 'provision stage' where they defined the URLs they will use, the servers location and whether or not there's already a website at the base domain. They then proceed onto the 'deploy stage' where they can configure their Matrix server.
This system can manage the updates, configuration, import and export, backups and monitoring on its own. It is an extension of the popular deploy script [spantaleev/matrix-docker-ansible-deploy](https://github.com/spantaleev/matrix-docker-ansible-deploy).
## Other Required Playbooks
The following repositories allow you to copy and use this setup:
[Create AWX System](https://gitlab.com/GoMatrixHosting/create-awx-system) - Creates and configures the AWX system for you.
[Ansible Create Delete Subscription Membership](https://gitlab.com/GoMatrixHosting/ansible-create-delete-subscription-membership) - Used by the AWX system to create memberships and subscriptions. Also includes other administrative playbooks for updates, backups and restoring servers.
[Ansible Provision Server](https://gitlab.com/GoMatrixHosting/ansible-provision-server) - Used by AWX members to perform initial configuration of their DigitalOcean or On-Premises server.
[GMHosting External Tools](https://gitlab.com/GoMatrixHosting/gmhosting-external-tools) - Extra tools we run outside of AWX, some of which are experimental.
## Does I need an AWX setup to use this? How do I configure it?
Yes, you'll need to configure an AWX instance, the [Create AWX System](https://gitlab.com/GoMatrixHosting/create-awx-system) repository makes it easy to do. Just follow the steps listed in ['/docs/Installation_AWX.md' of that repository](https://gitlab.com/GoMatrixHosting/create-awx-system/-/blob/master/docs/Installation_AWX.md).
For simpler installation steps you can use to get started with this system, check out our minimal installation guide at ['/doc/Installation_Minimal_AWX.md of that repository'](https://gitlab.com/GoMatrixHosting/create-awx-system/-/blob/master/docs/Installation_Minimal_AWX.md).
## Does I need a front-end WordPress site? And a DigitalOcean account?
You do not need a front-end WordPress site or the MemberPress plugin to use this setup. It can be run on it's own in a non-commercial context.
You also don't need a DigitalOcean account, although this will limit you to only being able to connect 'On-Premises' servers.

10
docs/configuring-dns.md
Unescape View File

@ -36,8 +36,10 @@ If you are using Cloudflare DNS, make sure to disable the proxy and set all reco
| CNAME | `stats` | - | - | - | `matrix.<your-domain>` |
| CNAME | `goneb` | - | - | - | `matrix.<your-domain>` |
| CNAME | `sygnal` | - | - | - | `matrix.<your-domain>` |
| CNAME | `ntfy` | - | - | - | `matrix.<your-domain>` |
| CNAME | `hydrogen` | - | - | - | `matrix.<your-domain>` |
| CNAME | `cinny` | - | - | - | `matrix.<your-domain>` |
| CNAME | `buscarron` | - | - | - | `matrix.<your-domain>` |
## Subdomains setup
@ -56,17 +58,21 @@ The `goneb.<your-domain>` subdomain may be necessary, because this playbook coul
The `sygnal.<your-domain>` subdomain may be necessary, because this playbook could install the [Sygnal](https://github.com/matrix-org/sygnal) push gateway. The installation of Sygnal is disabled by default, it is not a core required component. To learn how to install it, see our [configuring Sygnal guide](configuring-playbook-sygnal.md). If you do not wish to set up Sygnal (you probably don't, unless you're also developing/building your own Matrix apps), feel free to skip the `sygnal.<your-domain>` DNS record.
The `ntfy.<your-domain>` subdomain may be necessary, because this playbook could install the [ntfy](https://ntfy.sh/) UnifiedPush-compatible push notifications server. The installation of ntfy is disabled by default, it is not a core required component. To learn how to install it, see our [configuring ntfy guide](configuring-playbook-ntfy.md). If you do not wish to set up ntfy, feel free to skip the `ntfy.<your-domain>` DNS record.
The `hydrogen.<your-domain>` subdomain may be necessary, because this playbook could install the [Hydrogen](https://github.com/vector-im/hydrogen-web) web client. The installation of Hydrogen is disabled by default, it is not a core required component. To learn how to install it, see our [configuring Hydrogen guide](configuring-playbook-client-hydrogen.md). If you do not wish to set up Hydrogen, feel free to skip the `hydrogen.<your-domain>` DNS record.
The `cinny.<your-domain>` subdomain may be necessary, because this playbook could install the [Cinny](https://github.com/ajbura/cinny) web client. The installation of cinny is disabled by default, it is not a core required component. To learn how to install it, see our [configuring cinny guide](configuring-playbook-client-cinny.md). If you do not wish to set up cinny, feel free to skip the `cinny.<your-domain>` DNS record.
The `buscarron.<your-domain>` subdomain may be necessary, because this playbook could install the [buscarron](https://github.com/etke.cc/buscarron) bot. The installation of buscarron is disabled by default, it is not a core required component. To learn how to install it, see our [configuring buscarron guide](configuring-playbook-bot-buscarron.md). If you do not wish to set up buscarron, feel free to skip the `buscarron.<your-domain>` DNS record.
## `_matrix-identity._tcp` SRV record setup
To make the [ma1sd](https://github.com/ma1uta/ma1sd) Identity Server (which this playbook installs for you) enable its federation features, set up an SRV record that looks like this:
To make the [ma1sd](https://github.com/ma1uta/ma1sd) Identity Server (which this playbook may optionally install for you) enable its federation features, set up an SRV record that looks like this:
- Name: `_matrix-identity._tcp` (use this text as-is)
- Content: `10 0 443 matrix.<your-domain>` (replace `<your-domain>` with your own)
This is an optional feature. See [ma1sd's documentation](https://github.com/ma1uta/ma1sd/wiki/mxisd-and-your-privacy#choices-are-never-easy) for information on the privacy implications of setting up this SRV record.
This is an optional feature for the optionally-installed [ma1sd service](configuring-playbook-ma1sd.md). See [ma1sd's documentation](https://github.com/ma1uta/ma1sd/wiki/mxisd-and-your-privacy#choices-are-never-easy) for information on the privacy implications of setting up this SRV record.
Note: This `_matrix-identity._tcp` SRV record for the identity server is different from the `_matrix._tcp` that can be used for Synapse delegation. See [howto-server-delegation.md](howto-server-delegation.md) for more information about delegation.

69
docs/configuring-playbook-backup-borg.md
Unescape View File

@ -0,0 +1,69 @@
# Setting up borg backup (optional)
The playbook can install and configure [borgbackup](https://www.borgbackup.org/) with [borgmatic](https://torsion.org/borgmatic/) for you.
BorgBackup is a deduplicating backup program with optional compression and encryption.
That means your daily incremental backups can be stored in a fraction of the space and is safe whether you store it at home or on a cloud service.
You will need a remote server where borg will store the backups. There are hosted, borg compatible solutions available, such as [BorgBase](https://www.borgbase.com).
The backup will run based on `matrix_backup_borg_schedule` var (systemd timer calendar), default: 4am every day.
By default, if you're using the integrated Postgres database server (as opposed to [an external Postgres server](configuring-playbook-external-postgres.md)), Borg backups will also include dumps of your Postgres database. An alternative solution for backing up the Postgres database is [postgres backup](configuring-playbook-postgres-backup.md). If you decide to go with another solution, you can disable Postgres-backup support for Borg using the `matrix_backup_borg_postgresql_enabled` variable.
## Prerequisites
1. Create a new SSH key:
```bash
ssh-keygen -t ed25519 -N '' -f matrix-borg-backup -C matrix
```
This can be done on any machine and you don't need to place the key in the `.ssh` folder. It will be added to the Ansible config later.
2. Add the **public** part of this SSH key (the `matrix-borg-backup.pub` file) to your borg provider/server:
If you plan to use a hosted solution, follow their instructions. If you have your own server, copy the key over:
```bash
# example to append the new PUBKEY contents, where:
# PUBKEY is path to the public key,
# USER is a ssh user on a provider / server
# HOST is a ssh host of a provider / server
cat PUBKEY | ssh USER@HOST 'dd of=.ssh/authorized_keys oflag=append conv=notrunc'
```
## Adjusting the playbook configuration
Minimal working configuration (`inventory/host_vars/matrix.DOMAIN/vars.yml`) to enable borg backup:
```yaml
matrix_backup_borg_enabled: true
matrix_backup_borg_location_repositories:
- USER@HOST:REPO
matrix_backup_borg_storage_encryption_passphrase: "PASSPHRASE"
matrix_backup_borg_ssh_key_private: |
PRIVATE KEY
```
where:
* USER - SSH user of a provider/server
* HOST - SSH host of a provider/server
* REPO - borg repository name, it will be initialized on backup start, eg: `matrix`
* PASSPHRASE - passphrase used for encrypting backups, you may generate it with `pwgen -s 64 1` or use any password manager
* PRIVATE KEY - the content of the **private** part of the SSH key you created before
To backup without encryption, add `matrix_backup_borg_encryption: 'none'` to your vars. This will also enable the `matrix_backup_borg_unknown_unencrypted_repo_access_is_ok` variable.
`matrix_backup_borg_location_source_directories` defines the list of directories to back up: it's set to `{{ matrix_base_data_path }}` by default, which is the base directory for every service's data, such as Synapse, Postgres and the bridges. You might want to exclude certain directories or file patterns from the backup using the `matrix_backup_borg_location_exclude_patterns` variable.
Check the `roles/matrix-backup-borg/defaults/main.yml` file for the full list of available options.
## Installing
After configuring the playbook, run the [installation](installing.md) command again:
```
ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start
```

75
docs/configuring-playbook-bot-buscarron.md
Unescape View File

@ -0,0 +1,75 @@
# Setting up Buscarron (optional)
The playbook can install and configure [buscarron](https://gitlab.com/etke.cc/buscarron) for you.
It's a bot you can use to setup **your own helpdesk on matrix**
It's a bot you can use to send any form (HTTP POST, HTML) to a (encrypted) matrix room
## Registering the bot user
By default, the playbook will set up the bot with a username like this: `@bot.buscarron:DOMAIN`.
(to use a different username, adjust the `matrix_bot_buscarron_login` variable).
You **need to register the bot user manually** before setting up the bot. You can use the playbook to [register a new user](registering-users.md):
```
ansible-playbook -i inventory/hosts setup.yml --extra-vars='username=bot.buscarron password=PASSWORD_FOR_THE_BOT admin=no' --tags=register-user
```
Choose a strong password for the bot. You can generate a good password with a command like this: `pwgen -s 64 1`.
## Adjusting the playbook configuration
Add the following configuration to your `inventory/host_vars/matrix.DOMAIN/vars.yml` file:
```yaml
matrix_bot_buscarron_enabled: true
# Adjust this to whatever password you chose when registering the bot user
matrix_bot_buscarron_password: PASSWORD_FOR_THE_BOT
# Adjust accepted forms
matrix_bot_buscarron_forms:
- name: contact # (mandatory) Your form name, will be used as endpoint, eg: buscarron.DOMAIN/contact
room: "!yourRoomID:DOMAIN" # (mandatory) Room ID where form submission will be posted
redirect: https://DOMAIN # (mandatory) To what page user will be redirected after the form submission
ratelimit: 1r/m # (optional) rate limit of the form, format: <max requests>r/<interval:s,m>, eg: 1r/s or 54r/m
extensions: [] # (optional) list of form extensions (not used yet)
matrix_bot_buscarron_spam_hosts: [] # (optional) list of email domains/hosts that should be rejected automatically
matrix_bot_buscarron_spam_emails: [] # (optional) list of email addresses that should be rejected automatically
```
You will also need to add a DNS record so that buscarron can be accessed.
By default buscarron will use https://buscarron.DOMAIN so you will need to create an CNAME record for `buscarron`.
See [Configuring DNS](configuring-dns.md).
If you would like to use a different domain, add the following to your configuration file (changing it to use your preferred domain):
```yaml
matrix_server_fqn_buscarron: "form.{{ matrix_domain }}"
```
## Installing
After configuring the playbook, run the [installation](installing.md) command again:
```
ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start
```
## Usage
To use the bot, invite the `@bot.buscarron:DOMAIN` to the room you specified in a config, after that any point your form to the form url, example for the `contact` form:
```html
<form method="POST" action="https://buscarron.DOMAIN/contact">
<!--your fields-->
</form>
```
You can also refer to the upstream [documentation](https://gitlab.com/etke.cc/buscarron).

72
docs/configuring-playbook-bot-matrix-registration-bot.md
Unescape View File

@ -0,0 +1,72 @@
# Setting up matrix-registration-bot (optional)
The playbook can install and configure [matrix-registration-bot](https://github.com/moan0s/matrix-registration-bot) for you.
The bot allows you to easily **create and manage registration tokens**. It can be used for an invitation-based server,
where you invite someone by sending them a registration token. They can register as normal but have to provide a valid
registration token in a final step of the registration.
See the project's [documentation](https://github.com/moan0s/matrix-registration-bot#supported-commands) to learn what it
does and why it might be useful to you.
## Registering the bot user
By default, the playbook will set use the bot with a username like this: `@bot.matrix-registration-bot:DOMAIN`.
(to use a different username, adjust the `matrix_bot_matrix_registration_bot_matrix_user_id_localpart` variable).
You **need to register the bot user manually** before setting up the bot. You can use the playbook to [register a new user](registering-users.md):
```
ansible-playbook -i inventory/hosts setup.yml --extra-vars='username=bot.matrix-registration-bot password=PASSWORD_FOR_THE_BOT admin=yes' --tags=register-user
```
Choose a strong password for the bot. You can generate a good password with a command like this: `pwgen -s 64 1`.
## Obtaining an admin access token
In order to use the bot you need to add an admin user's access token token to the configuration. As you created an admin user for the
bot, it is recommended to obtain an access token by logging into Element/Schildichat with the bot account
(using the password you set) and navigate to `Settings->Help&About` and scroll to the bottom.
You can expand "Access token" to copy it.
![Obatining an admin access token with Element](assets/obtain_admin_access_token_element.png)
**IMPORTANT**: once you copy the token, just close the Matrix client window/tab. Do not "log out", as that would invalidate the token.
## Adjusting the playbook configuration
Add the following configuration to your `inventory/host_vars/matrix.DOMAIN/vars.yml` file:
```yaml
matrix_bot_matrix_registration_bot_enabled: true
# Token obtained via logging into the bot account (see above)
matrix_bot_matrix_registration_bot_bot_access_token: "syt_bW9hbm9z_XXXXXXXXXXXXXr_2kuzbE"
# Enables registration
matrix_synapse_enable_registration: true
# Restrict registration to users with a token
matrix_synapse_registration_requires_token: true
```
## Installing
After configuring the playbook, run the [installation](installing.md) command again:
```
ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start
```
## Usage
To use the bot, create a **non-encrypted** room and invite `@bot.matrix-registration-bot:DOMAIN` (where `YOUR_DOMAIN` is your base domain, not the `matrix.` domain).
In this room send `help` and the bot will reply with all options.
You can also refer to the upstream [Usage documentation](https://github.com/moan0s/matrix-registration-bot#supported-commands).
If you have any questions, or if you need help setting it up, read the [troublshooting guide](https://github.com/moan0s/matrix-registration-bot/blob/main/docs/troubleshooting.md)
or join [#matrix-registration-bot:hyteck.de](https://matrix.to/#/#matrix-registration-bot:hyteck.de).

2
docs/configuring-playbook-bot-matrix-reminder-bot.md
Unescape View File

@ -54,6 +54,6 @@ You can also add the bot to any existing Matrix room (`/invite @bot.matrix-remin
Basic usage is like this: `!remindme in 2 minutes; This is a test`
Send `!help commands` to the room to see the bot's help menu for additional commands.
Send `!help reminders` to the room to see the bot's help menu for additional commands.
You can also refer to the upstream [Usage documentation](https://github.com/anoadragon453/matrix-reminder-bot#usage).

52
docs/configuring-playbook-bridge-appservice-discord.md
Unescape View File

@ -23,31 +23,55 @@ matrix_appservice_discord_bot_token: "YOUR DISCORD APP BOT TOKEN"
```
5. If you've already installed Matrix services using the playbook before, you'll need to re-run it (`--tags=setup-all,start`). If not, proceed with [configuring other playbook services](configuring-playbook.md) and then with [Installing](installing.md). Get back to this guide once ready.
6. Retrieve Discord invite link from the `{{ matrix_appservice_discord_config_path }}/invite_link` file on the server (this defaults to `/matrix/appservice-discord/config/invite_link`). You need to peek at the file on the server via SSH, etc., because it's not available via HTTP(S).
7. Invite the Bot to Discord servers you wish to bridge. Administrator permission is recommended.
8. Room addresses follow this syntax: `#_discord_guildid_channelid`. You can easily find the guild and channel ids by logging into Discord in a browser and opening the desired channel. The URL will have this format: `discordapp.com/channels/guild_id/channel_id`. Once you have figured out the appropriate room addrss, you can join by doing `/join #_discord_guildid_channelid` in your Matrix client.
Other configuration options are available via the `matrix_appservice_discord_configuration_extension_yaml` variable.
## Self-Service Bridging (Manual)
## Getting Administrator access in a room
Self-service bridging allows you to bridge specific and existing Matrix rooms to specific Discord rooms. This is disabled by default, so it must be enabled by adding this to your `vars.yml`:
By default, you won't have Administrator access in rooms created by the bridge.
```yaml
matrix_appservice_discord_bridge_enableSelfServiceBridging: true
```
To [adjust room access privileges](#adjusting-room-access-privileges) or do various other things (change the room name subsequently, etc.), you'd wish to become an Administrator.
_Note: If self-service bridging is not enabled, `!discord help` commands will return no results._
There's the Discord bridge's guide for [setting privileges on bridge managed rooms](https://github.com/Half-Shot/matrix-appservice-discord/blob/master/docs/howto.md#set-privileges-on-bridge-managed-rooms). To do the same with our container setup, run the following command on the server:
Once self-service is enabled:
```sh
docker exec -it matrix-appservice-discord \
/bin/sh -c 'cp /cfg/registration.yaml /tmp/discord-registration.yaml && cd /tmp && node /build/tools/adminme.js -c /cfg/config.yaml -m "!ROOM_ID:SERVER" -u "@USER:SERVER" -p 100'
1. Start a chat with `@_discord_bot:<YOUR_DOMAIN>` and say `!discord help bridge`.
2. Follow the instructions in the help output message. If the bot is not already in the Discord server, follow the provided invite link. This may require you to be a administrator of the Discord server.
_Note: Encrypted Matrix rooms are not supported as of writing._
On the Discord side, you can say `!matrix help` to get a list of available commands to manage the bridge and Matrix users.
## Portal Bridging (Automatic)
Through portal bridging, Matrix rooms will automatically be created by the bot and bridged to the relevant Discord room. This is done by simply joining a room with a specific name pattern (`#_discord_<guildID>_<channlID>`).
All Matrix rooms created this way are **listed publicly** by default, and you will not have admin permissions to change this. To get more control, [make yourself a room Administrator](#getting-administrator-access-in-a-portal-bridged-room). You can then unlist the room from the directory and change the join rules.
If you want to disable portal bridging, set the following in `vars.yml`:
```yaml
matrix_appservice_discord_bridge_disablePortalBridging: true
```
To get started with Portal Bridging:
## Adjusting room access privileges
1. To invite the bot to Discord, retrieve the invite link from the `{{ matrix_appservice_discord_config_path }}/invite_link` file on the server (this defaults to `/matrix/appservice-discord/config/invite_link`). You need to peek at the file on the server via SSH, etc., because it's not available via HTTP(S).
2. Room addresses follow this syntax: `#_discord_<guildID>_<channelID>`. You can easily find the guild and channel IDs by logging into Discord in a browser and opening the desired channel. The URL will have this format: `discord.com/channels/<guildID>/<channelID>`.
3. Once you have figured out the appropriate room address, you can join by doing `/join #_discord_<guildID>_<channelID>` in your Matrix client.
All rooms created by the bridge are **listed publicly** in your server's directory and **joinable by everyone** by default.
## Getting Administrator access in a portal bridged room
To get more control of them, [make yourself a room Administrator](#getting-administrator-access-in-a-room) first.
By default, you won't have Administrator access in rooms created by the bridge.
To adjust room access privileges or do various other things (change the room name subsequently, etc.), you'd wish to become an Administrator.
You can then unlist the room from the directory and change the join rules.
There's the Discord bridge's guide for [setting privileges on bridge managed rooms](https://github.com/Half-Shot/matrix-appservice-discord/blob/master/docs/howto.md#set-privileges-on-bridge-managed-rooms). To do the same with our container setup, run the following command on the server:
```sh
docker exec -it matrix-appservice-discord \
/bin/sh -c 'cp /cfg/registration.yaml /tmp/discord-registration.yaml && cd /tmp && node /build/tools/adminme.js -c /cfg/config.yaml -m "!ROOM_ID:SERVER" -u "@USER:SERVER" -p 100'
```

2
docs/configuring-playbook-bridge-appservice-slack.md
Unescape View File

@ -11,7 +11,7 @@ See the project's [documentation](https://github.com/matrix-org/matrix-appservic
loosely based on [this](https://github.com/matrix-org/matrix-appservice-slack#Setup)
1. Create a new Matrix room to act as the administration control room. Note its internal room ID. This can
be done in Riot by making a message, opening the options for that message and choosing "view source". The
be done in Element by making a message, opening the options for that message and choosing "view source". The
room ID will be displayed near the top.
2. Enable the bridge with the following configuration in your `vars.yml` file:

2
docs/configuring-playbook-bridge-appservice-webhooks.md
Unescape View File

@ -2,6 +2,8 @@
The playbook can install and configure [matrix-appservice-webhooks](https://github.com/turt2live/matrix-appservice-webhooks) for you.
Note: This bridge is no longer maintained. While not a 1:1 replacement, the bridge's author suggests taking a look at [matrix-hookshot](https://github.com/Half-Shot/matrix-hookshot) as a replacement, which can also be installed using [this playbook](configuring-playbook-bridge-hookshot.md).
This bridge provides support for Slack-compatible webhooks.
Setup Instructions:

23
docs/configuring-playbook-bridge-go-skype-bridge.md
Unescape View File

@ -0,0 +1,23 @@
# Setting up Go Skype Bridge (optional)
The playbook can install and configure
[go-skype-bridge](https://github.com/kelaresg/go-skype-bridge) for you.
See the project page to learn what it does and why it might be useful to you.
To enable the [Skype](https://www.skype.com/) bridge just use the following
playbook configuration:
```yaml
matrix_go_skype_bridge_enabled: true
```
## Usage
Once the bot is enabled, you need to start a chat with `Skype bridge bot`
with the handle `@skypebridgebot:YOUR_DOMAIN` (where `YOUR_DOMAIN` is your base
domain, not the `matrix.` domain).
Send `help` to the bot to see the commands available.

77
docs/configuring-playbook-bridge-hookshot.md
Unescape View File

@ -0,0 +1,77 @@
# Setting up Hookshot (optional)
The playbook can install and configure [matrix-hookshot](https://github.com/matrix-org/matrix-hookshot) for you.
Hookshot can bridge [Webhooks](https://en.wikipedia.org/wiki/Webhook) from software project management services such as GitHub, GitLab, JIRA, and Figma, as well as generic webhooks.
See the project's [documentation](https://matrix-org.github.io/matrix-hookshot/latest/hookshot.html) to learn what it does in detail and why it might be useful to you.
Note: the playbook also supports [matrix-appservice-webhooks](configuring-playbook-bridge-appservice-webhooks.md), which however is soon to be archived by its author and to be replaced by hookshot.
## Setup Instructions
Refer to the [official instructions](https://matrix-org.github.io/matrix-hookshot/latest/setup.html) to learn what the individual options do.
1. For each of the services (GitHub, GitLab, Jira, Figma, generic webhooks) fill in the respective variables `matrix_hookshot_service_*` listed in [main.yml](/roles/matrix-bridge-hookshot/defaults/main.yml) as required.
2. Take special note of the `matrix_hookshot_*_enabled` variables. Services that need no further configuration are enabled by default (GitLab, Generic), while you must first add the required configuration and enable the others (GitHub, Jira, Figma).
3. If you're setting up the GitHub bridge, you'll need to generate and download a private key file after you created your GitHub app. Copy the contents of that file to the variable `matrix_hookshot_github_private_key` so the playbook can install it for you, or use one of the [other methods](#manage-github-private-key-with-matrix-aux-role) explained below.
4. If you've already installed Matrix services using the playbook before, you'll need to re-run it (`--tags=setup-all,start`). If not, proceed with [configuring other playbook services](configuring-playbook.md) and then with [Installing](installing.md). Get back to this guide once ready. Hookshot can be set up individually using the tag `setup-hookshot`.
5. Refer to [Hookshot's official instructions](https://matrix-org.github.io/matrix-hookshot/latest/usage.html) to start using the bridge. **Important:** Note that the different listeners are bound to certain paths which might differ from those assumed by the hookshot documentation, see [URLs for bridges setup](urls-for-bridges-setup) below.
Other configuration options are available via the `matrix_hookshot_configuration_extension_yaml` and `matrix_hookshot_registration_extension_yaml` variables, see the comments in [main.yml](/roles/matrix-bridge-hookshot/defaults/main.yml) for how to use them.
### URLs for bridges setup
Unless indicated otherwise, the following endpoints are reachable on your `matrix.` subdomain (if the feature is enabled).
| listener | default path | variable | used as |
|---|---|---|---|
| webhooks | `/hookshot/webhooks/` | `matrix_hookshot_webhook_endpoint` | generics, GitHub "Webhook URL", GitLab "URL", etc. |
| github oauth | `/hookshot/webhooks/oauth` | `matrix_hookshot_github_oauth_endpoint` | GitHub "Callback URL" |
| jira oauth | `/hookshot/webhooks/jira/oauth` | `matrix_hookshot_jira_oauth_endpoint` | JIRA OAuth |
| figma endpoint | `/hookshot/webhooks/figma/webhook` | `matrix_hookshot_figma_endpoint` | Figma |
| provisioning | `/hookshot/v1/` | `matrix_hookshot_provisioning_endpoint` | Dimension [provisioning](#provisioning-api) |
| appservice | `/hookshot/_matrix/app/` | `matrix_hookshot_appservice_endpoint` | Matrix server |
| widgets | `/hookshot/widgetapi/` | `matrix_hookshot_widgets_endpoint` | Widgets |
| metrics | `/metrics/hookshot` | `matrix_hookshot_metrics_enabled` and `matrix_hookshot_metrics_proxying_enabled`. Requires `/metrics/*` endpoints to also be enabled via `matrix_nginx_proxy_proxy_matrix_metrics_enabled` (see the `matrix-nginx-proxy` role). Read more in the [Metrics section](#metrics) below. | Prometheus |
See also `matrix_hookshot_matrix_nginx_proxy_configuration` in [init.yml](/roles/matrix-bridge-hookshot/tasks/init.yml).
The different listeners are also reachable *internally* in the docker-network via the container's name (configured by `matrix_hookshot_container_url`) and on different ports (e.g. `matrix_hookshot_appservice_port`). Read [main.yml](/roles/matrix-bridge-hookshot/defaults/main.yml) in detail for more info.
### Manage GitHub Private Key with matrix-aux role
The GitHub bridge requires you to install a private key file. This can be done in multiple ways:
- copy the *contents* of the downloaded file and set the variable `matrix_hookshot_github_private_key` to the contents (see example in [main.yml](/roles/matrix-bridge-hookshot/defaults/main.yml)).
- somehow copy the file to the path `{{ matrix_hookshot_base_path }}/{{ matrix_hookshot_github_private_key_file }}` (default: `/matrix/hookshot/private-key.pem`) on the server manually.
- use the `matrix-aux` role to copy the file from an arbitrary path on your ansible client to the correct path on the server.
To use `matrix-aux`, make sure the `matrix_hookshot_github_private_key` variable is empty. Then add to `matrix-aux` configuration like this:
```yaml
matrix_aux_file_definitions:
- dest: "{{ matrix_hookshot_base_path }}/{{ matrix_hookshot_github_private_key_file }}"
content: "{{ lookup('file', '/path/to/your-github-private-key.pem') }}"
mode: '0400'
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
```
For more info see the documentation in the [matrix-aux base configuration file](/roles/matrix-aux/defaults/main.yml).
### Provisioning API
The provisioning API will be enabled automatically if you set `matrix_dimension_enabled: true` and provided a `matrix_hookshot_provisioning_secret`, unless you override it either way. To use hookshot with dimension, you will need to enter as "Provisioning URL": `http://matrix-hookshot:9002`, which is made up of the variables `matrix_hookshot_container_url` and `matrix_hookshot_provisioning_port`.
### Metrics
Metrics are **only enabled by default** if the builtin [Prometheus](configuring-playbook-prometheus-grafana.md) is enabled (by default, Prometheus isn't enabled). If so, metrics will automatically be collected by Prometheus and made available in Grafana. You will, however, need to set up your own Dashboard for displaying them.
To explicitly enable metrics, use `matrix_hookshot_metrics_enabled: true`. This only exposes metrics over the container network, however.
**To collect metrics from an external Prometheus server**, besides enabling metrics as described above, you will also need to:
- enable the `https://matrix.DOMAIN/metrics/*` endpoints on `matrix.DOMAIN` using `matrix_nginx_proxy_proxy_matrix_metrics_enabled: true` (see the `matrix-nginx-role` or [the Prometheus and Grafana docs](configuring-playbook-prometheus-grafana.md) for enabling this feature)
- expose the Hookshot metrics under `https://matrix.DOMAIN/metrics/hookshot` by setting `matrix_hookshot_metrics_proxying_enabled: true`
### Collision with matrix-appservice-webhooks
If you are also running [matrix-appservice-webhooks](configuring-playbook-bridge-appservice-webhooks.md), it reserves its namespace by the default setting `matrix_appservice_webhooks_user_prefix: '_webhook_'`. You should take care if you modify its or hookshot's prefix that they do not collide with each other's namespace (default `matrix_hookshot_generic_user_id_prefix: '_webhooks_'`).

43
docs/configuring-playbook-bridge-mautrix-facebook.md
Unescape View File

@ -24,10 +24,22 @@ If you would like to be able to administrate the bridge from your account it can
matrix_mautrix_facebook_configuration_extension_yaml: |
bridge:
permissions:
'@YOUR_USERNAME:YOUR_DOMAIN': admin
'@YOUR_USERNAME:{{ matrix_domain }}': admin
```
You may wish to look at `roles/matrix-bridge-mautrix-facebook/templates/config.yaml.j2` to find other things you would like to configure.
Using both would look like
```yaml
matrix_mautrix_facebook_configuration_extension_yaml: |
bridge:
permissions:
'@YOUR_USERNAME:{{ matrix_domain }}': admin
encryption:
allow: true
default: true
```
You may wish to look at `roles/matrix-bridge-mautrix-facebook/templates/config.yaml.j2` and `roles/matrix-bridge-mautrix-facebook/defaults/main.yml` to find other things you would like to configure.
## Set up Double Puppeting
@ -70,31 +82,6 @@ If you run into trouble, check the [Troubleshooting](#troubleshooting) section b
After successfully enabling bridging, you may wish to [set up Double Puppeting](#set-up-double-puppeting), if you haven't already done so.
## Set up community-grouping
This is an **optional feature** that you may wish to enable.
The Facebook bridge can create a Matrix community for you, which would contain all your chats and contacts.
For this to work, the bridge's bot needs to have permissions to create communities (also referred to as groups).
Since the bot is a non-admin user, you need to enable such group-creation for non-privileged users in [Synapse's settings](configuring-playbook-synapse.md).
Here's an example configuration:
```yaml
matrix_synapse_configuration_extension_yaml: |
enable_group_creation: true
group_creation_prefix: "unofficial/"
matrix_mautrix_facebook_configuration_extension_yaml: |
bridge:
community_template: "unofficial/facebook_{localpart}={server}"
```
Once the bridge is restarted, it would create a community and invite you to it. You need to accept the community invitation manually.
If you don't see all your contacts, you may wish to send a `sync` message to the bot.
## Troubleshooting
### Facebook rejecting login attempts and forcing you to change password
@ -116,3 +103,5 @@ Once connected, you should be able to verify that you're browsing the web throug
Then proceed to log in to [Facebook/Messenger](https://www.facebook.com/).
Once logged in, proceed to [set up bridging](#usage).
If that doesn't work, enable 2FA [Facebook help page on enabling 2FA](https://www.facebook.com/help/148233965247823) and try to login again with a new password, and entering the 2FA code when prompted, it may take more then one try, in between attempts, check facebook.com to see if they are requiring another password change

26
docs/configuring-playbook-bridge-mautrix-instagram.md
Unescape View File

@ -7,6 +7,32 @@ See the project's [documentation](https://docs.mau.fi/bridges/python/instagram/i
```yaml
matrix_mautrix_instagram_enabled: true
```
There are some additional things you may wish to configure about the bridge before you continue.
Encryption support is off by default. If you would like to enable encryption, add the following to your `vars.yml` file:
```yaml
matrix_mautrix_instagram_configuration_extension_yaml: |
bridge:
encryption:
allow: true
default: true
```
If you would like to be able to administrate the bridge from your account it can be configured like this:
```yaml
# The easy way. The specified Matrix user ID will be made an admin of all bridges
matrix_admin: "@YOUR_USERNAME:{{ matrix_domain }}"
# OR:
# The more verbose way. Applies to this bridge only. You may define multiple Matrix users as admins.
matrix_mautrix_instagram_configuration_extension_yaml: |
bridge:
permissions:
'@YOUR_USERNAME:YOUR_DOMAIN': admin
```
You may wish to look at `roles/matrix-bridge-mautrix-instagram/templates/config.yaml.j2` and `roles/matrix-bridge-mautrix-instagram/defaults/main.yml` to find other things you would like to configure.
## Usage

15
docs/configuring-playbook-bridge-mautrix-telegram.md
Unescape View File

@ -49,4 +49,19 @@ If you want to use the relay-bot feature ([relay bot documentation](https://docs
```yaml
matrix_mautrix_telegram_bot_token: YOUR_TELEGRAM_BOT_TOKEN
matrix_mautrix_telegram_configuration_extension_yaml: |
bridge:
permissions:
'*': relaybot
```
You might also want to give permissions to administrate the bot:
```yaml
matrix_mautrix_telegram_configuration_extension_yaml: |
bridge:
permissions:
'@user:DOMAIN': admin
```
More details about permissions in this example:
https://github.com/mautrix/telegram/blob/master/mautrix_telegram/example-config.yaml#L410

2
docs/configuring-playbook-bridge-mx-puppet-discord.md
Unescape View File

@ -7,6 +7,8 @@ The playbook can install and configure
See the project page to learn what it does and why it might be useful to you.
**Note**: we actually use the [Beeper](https://www.beeper.com/)-maintained [fork of mx-puppet-discord](https://gitlab.com/beeper/mx-puppet-monorepo), because `matrix-discord/mx-puppet-discord` is a low-quality and poorly maintained project.
To enable the [Discord](https://discordapp.com/) bridge just use the following
playbook configuration:

2
docs/configuring-playbook-bridge-mx-puppet-skype.md
Unescape View File

@ -1,5 +1,7 @@
# Setting up MX Puppet Skype (optional)
**Note**: bridging to [Skype](https://www.skype.com/) can also happen via the [go-skype-bridge](configuring-playbook-bridge-go-skype-bridge.md) bridge supported by the playbook. In fact, bridging via `mx-puppet-skype` has often been reported as broken, so we recommend that you go directly for `go-skype-bridge`, instead of this.
The playbook can install and configure
[mx-puppet-skype](https://github.com/Sorunome/mx-puppet-skype) for you.

35
docs/configuring-playbook-bridge-mx-puppet-slack.md
Unescape View File

@ -1,20 +1,33 @@
# Setting up MX Puppet Slack (optional)
**Note**: bridging to [Slack](https://slack.com) can also happen via the [matrix-appservice-slack](configuring-playbook-bridge-appservice-slack.md) bridge supported by the playbook.
**Note**: bridging to [Slack](https://slack.com) can also happen via the
[matrix-appservice-slack](configuring-playbook-bridge-appservice-slack.md)
bridge supported by the playbook.
The playbook can install and configure
[mx-puppet-slack](https://github.com/Sorunome/mx-puppet-slack) for you.
The playbook can install and configure [Beeper](https://www.beeper.com/)-maintained fork of
[mx-puppet-slack](https://gitlab.com/beeper/mx-puppet-monorepo) for you.
See the project page to learn what it does and why it might be useful to you.
To enable the [Slack](https://slack.com/) bridge just use the following
playbook configuration:
```yaml
matrix_mx_puppet_slack_enabled: true
```
## Setup
To enable the [Slack](https://slack.com/) bridge:
1. Follow the
[OAuth credentials](https://github.com/Sorunome/mx-puppet-slack#option-2-oauth)
instructions to create a new Slack app, setting the redirect URL to
`https://matrix.YOUR_DOMAIN/slack/oauth`.
2. Update your `vars.yml` with the following:
```yaml
matrix_mx_puppet_slack_enabled: true
# Client ID must be quoted so YAML does not parse it as a float.
matrix_mx_puppet_slack_oauth_client_id: "<SLACK_APP_CLIENT_ID>"
matrix_mx_puppet_slack_oauth_client_secret: "<SLACK_APP_CLIENT_SECRET>"
```
3. Run playbooks with `setup-all` and `start` tags:
```
ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start
```
## Usage

3
docs/configuring-playbook-dimension.md
Unescape View File

@ -22,7 +22,7 @@ matrix_dimension_enabled: true
## Define admin users
These users can modify the integrations this Dimension supports. Admin interface is accessible at `https://dimension.<your-domain>/riot-app/admin` after logging in to element.
These users can modify the integrations this Dimension supports.
Add this to your configuration file (`inventory/host_vars/matrix.<your-domain>/vars.yml`):
```yaml
@ -31,6 +31,7 @@ matrix_dimension_admins:
- "@user2:{{ matrix_domain }}"
```
The admin interface is accessible within Element by accessing it in any room and clicking the cog wheel/settings icon in the top right. Currently, Dimension can be opened in Element by the "Add widgets, bridges, & bots" link in the room information.
## Access token

8
docs/configuring-playbook-external-postgres.md
Unescape View File

@ -5,7 +5,9 @@ If that's alright, you can skip this.
If you'd like to use an external PostgreSQL server that you manage, you can edit your configuration file (`inventory/host_vars/matrix.<your-domain>/vars.yml`).
It should be something like this:
**NOTE**: using **an external Postgres server is currently [not very seamless](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1682#issuecomment-1061461683) when it comes to enabling various other playbook services** - you will need to create a new database/credentials for each service and to point each service to its corresponding database using custom `vars.yml` configuration. **For the best experience with the playbook, stick to using the integrated Postgres server**.
If you'd like to use an external Postgres server, use a custom `vars.yml` configuration like this:
```yaml
matrix_postgres_enabled: false
@ -15,6 +17,10 @@ matrix_synapse_database_host: "your-postgres-server-hostname"
matrix_synapse_database_user: "your-postgres-server-username"
matrix_synapse_database_password: "your-postgres-server-password"
matrix_synapse_database_database: "your-postgres-server-database-name"
# Rewire any other service (each `matrix-*` role) you may wish to use to use your external Postgres server.
# Each service expects to have its own dedicated database on the Postgres server
# and uses its own variable names (see `roles/matrix-*/defaults/main.yml) for configuring Postgres connectivity.
```
The database (as specified in `matrix_synapse_database_database`) must exist and be accessible with the given credentials.

17
docs/configuring-playbook-federation.md
Unescape View File

@ -47,3 +47,20 @@ matrix_synapse_federation_port_enabled: false
# This removes the `8448` virtual host from the matrix-nginx-proxy reverse-proxy server.
matrix_nginx_proxy_proxy_matrix_federation_api_enabled: false
```
## Changing the federation port from 8448 to a different port to use a CDN that only accepts 443/80 ports
Why? This change could be useful for people running small Synapse instances on small severs/VPSes to avoid being impacted by a simple DOS/DDOS when bandwidth, RAM, an CPU resources are limited and if your hosting provider does not provide a DOS/DDOS protection.
The following changes in the configuration file (`inventory/host_vars/matrix.<your-domain>/vars.yml`) will allow this and make it possible to proxy the federation through a CDN such as CloudFlare or any other:
```
matrix_synapse_http_listener_resource_names: ["client","federation"]
# Any port can be used but in this case we use 443
matrix_federation_public_port: 443
matrix_synapse_federation_port_enabled: false
# Note that the following change might not be "required per se" but probably will be due to the proxying of the traffic through the CDN proxy servers (CloudFlare for instance). The security impact of doing this should be minimal as your CDN itself will encrypt the traffic no matter what on their proxy servers. You could however first try and see if federation works while setting the following to true.
matrix_synapse_tls_federation_listener_enabled: false
```
**Use this at you own risk as all the possible side-effects of doing this are not fully known. However, it has been tested and works fine and passes all the tests on <https://federationtester.matrix.org/> without issues.**

16
docs/configuring-playbook-ma1sd.md
Unescape View File

@ -1,24 +1,22 @@
# Adjusting ma1sd Identity Server configuration (optional)
By default, this playbook configures an [ma1sd](https://github.com/ma1uta/ma1sd) Identity Server for you.
The playbook can configure the [ma1sd](https://github.com/ma1uta/ma1sd) Identity Server for you.
ma1sd, being an Identity Server, is not strictly needed. It is only used for 3PIDs (3rd party identifiers like E-mail and phone numbers) and some [enhanced features](https://github.com/ma1uta/ma1sd/#features).
This server is private by default, potentially at the expense of user discoverability.
*ma1sd is a fork of [mxisd](https://github.com/kamax-io/mxisd) which was pronounced end of life 2019-06-21.*
**Note**: enabling ma1sd (which is also the default), means that the `openid` API endpoints will be exposed on the Matrix Federation port (usually `8448`), even if [federation](configuring-playbook-federation.md) is disabled. It's something to be aware of, especially in terms of firewall whitelisting (make sure port `8448` is accessible).
**Note**: enabling ma1sd, means that the `openid` API endpoints will be exposed on the Matrix Federation port (usually `8448`), even if [federation](configuring-playbook-federation.md) is disabled. It's something to be aware of, especially in terms of firewall whitelisting (make sure port `8448` is accessible).
## Disabling ma1sd
ma1sd, being an Identity Server, is not strictly needed. It is only used for 3PIDs (3rd party identifiers like E-mail and phone numbers) and some [enhanced features](https://github.com/ma1uta/ma1sd/#features).
If you'd like for the playbook to not install ma1sd (or to uninstall it if it was previously installed), you can disable it in your configuration file (`inventory/host_vars/matrix.<your-domain>/vars.yml`):
To enable ma1sd, use the following additional configuration in your `vars.yml` file:
```yaml
matrix_ma1sd_enabled: false
matrix_ma1sd_enabled: true
```
## Matrix.org lookup forwarding
To ensure maximum discovery, you can make your identity server also forward lookups to the central matrix.org Identity server (at the cost of potentially leaking all your contacts information).

2
docs/configuring-playbook-matrix-registration.md
Unescape View File

@ -2,6 +2,8 @@
The playbook can install and configure [matrix-registration](https://github.com/ZerataX/matrix-registration) for you.
**WARNING**: this is a poorly maintained and buggy project. It's better to avoid using it.
> matrix-registration is a simple python application to have a token based matrix registration.
Use matrix-registration to **create unique registration links**, which people can use to register on your Matrix server. It allows you to **keep your server's registration closed (private)**, but still allow certain people (these having a special link) to register a user account.

63
docs/configuring-playbook-ntfy.md
Unescape View File

@ -0,0 +1,63 @@
# Setting up ntfy (optional)
The playbook can install and configure the [ntfy](https://ntfy.sh/) push notifications server for you.
Using the [UnifiedPush](https://unifiedpush.org) standard, ntfy enables self-hosted (Google-free) push notifications from Matrix (and other) servers to UnifiedPush-compatible matrix compatible client apps running on Android and other devices.
This role is intended to support UnifiedPush notifications for use with the Matrix and Matrix-related services that this playbook installs. This role is not intended to support all of ntfy's other features.
**Note**: In contrast to push notifications using Google's FCM or Apple's APNs, the use of UnifiedPush allows each end-user to choose the push notification server that they prefer. As a consequence, deploying this ntfy server does not by itself ensure any particular user or device or client app will use it.
## Adjusting the playbook configuration
Add the following configuration to your `inventory/host_vars/matrix.DOMAIN/vars.yml` file (adapt to your needs):
```yaml
# Enabling it is the only required setting
matrix_ntfy_enabled: true
# Some other options
matrix_server_fqn_ntfy: "ntfy.{{ matrix_domain }}"
matrix_ntfy_configuration_extension_yaml: |
log_level: DEBUG
```
For a more complete list of variables that you could override, see `roles/matrix-ntfy/defaults/main.yml`.
For a complete list of ntfy config options that you could put in `matrix_ntfy_configuration_extension_yaml`, see the [ntfy config documentation](https://ntfy.sh/docs/config/#config-options).
## Installing
Don't forget to add `ntfy.<your-domain>` to DNS as described in [Configuring DNS](configuring-dns.md) before running the playbook.
After configuring the playbook, run the [installation](installing.md) command again:
```
ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start
```
## Usage
To make use of your ntfy installation, on Android for example, first you need to install the `ntfy` client app and configure it to point to your ntfy server, such as `https://ntfy.DOMAIN`. That is the only thing you need to do in the ntfy client app. (It has many other features, but for our purposes you can ignore them.)
Then any UnifiedPush-enabled matrix app on that device will discover it and tell your matrix server to use your ntfy server to send push notifications to that matrix app.
If the matrix app asks, "Choose a distributor: FCM Fallback or ntfy", then choose "ntfy".
If the matrix app doesn't seem to pick it up, try restarting it and try the Troubleshooting section below.
## Troubleshooting
First check that the matrix client app you are using supports UnifiedPush. There may well be different variants of the app.
Set the ntfy server's log level to 'DEBUG', as shown in the example settings above, and watch the server's logs with `sudo journalctl -fu matrix-ntfy`.
To check if UnifiedPush is correctly configured on the client device, look at "Settings -> Notifications -> Notification Targets" in Element-Android or SchildiChat, or "Settings -> Notifications -> Devices" in FluffyChat. There should be one entry for each matrix client app that has enabled push notifications, and when that client is using UnifiedPush you should see a URL that begins with your ntfy server's URL. In Element-Android or SchildiChat, two URLs are shown: "push\_key" and "Url", and both should begin with your ntfy server's URL.
If it is not working, useful tools are "Settings -> Notifications -> Re-register push distributor" and "Settings -> Notifications -> Troubleshoot Notifications" in SchildiChat (possibly also Element-Android). In particular the "Endpoint/FCM" step of that troubleshooter should display your ntfy server's URL that it has discovered from the ntfy client app.
The simple [UnifiedPush troubleshooting](https://unifiedpush.org/users/troubleshooting/) app [UP-Example](https://f-droid.org/en/packages/org.unifiedpush.example/) can be used to manually test UnifiedPush registration and operation on an Android device.

8
docs/configuring-playbook-own-webserver.md
Unescape View File

@ -57,6 +57,14 @@ matrix_nginx_proxy_ssl_protocols: "TLSv1.2"
If you are experiencing issues, try updating to a newer version of Nginx. As a data point in May 2021 a user reported that Nginx 1.14.2 was not working for them. They were getting errors about socket leaks. Updating to Nginx 1.19 fixed their issue.
If you are not going to be running your webserver on the same docker network, or the same machine as matrix, these variables can be set to bind synapse to an exposed port. [Keep in mind that there are some security concerns if you simply proxy everything to it](https://github.com/matrix-org/synapse/blob/master/docs/reverse_proxy.md#synapse-administration-endpoints)
```yaml
# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:8048" or "192.168.1.3:80"), or empty string to not expose.
matrix_synapse_container_client_api_host_bind_port: ''
matrix_synapse_container_federation_api_plain_host_bind_port: ''
```
### Using your own external Apache webserver

3
docs/configuring-playbook-postgres-backup.md
Unescape View File

@ -2,6 +2,9 @@
The playbook can install and configure [docker-postgres-backup-local](https://github.com/prodrigestivill/docker-postgres-backup-local) for you.
For a more complete backup solution (one that includes not only Postgres, but also other configuration/data files), you may wish to look into [borg backup](configuring-playbook-backup-borg.md) instead.
## Adjusting the playbook configuration
Minimal working configuration (`inventory/host_vars/matrix.DOMAIN/vars.yml`) to enable Postgres backup:

89
docs/configuring-playbook-prometheus-grafana.md
Unescape View File

@ -9,8 +9,12 @@ Remember to add `stats.<your-domain>` to DNS as described in [Configuring DNS](c
```yaml
matrix_prometheus_enabled: true
# You can remove this, if unnecessary.
matrix_prometheus_node_exporter_enabled: true
# You can remove this, if unnecessary.
matrix_prometheus_postgres_exporter_enabled: true
matrix_grafana_enabled: true
matrix_grafana_anonymous_access: false
@ -25,6 +29,8 @@ matrix_grafana_default_admin_password: "some_strong_password_chosen_by_you"
By default, a [Grafana](https://grafana.com/) web user-interface will be available at `https://stats.<your-domain>`.
The retention policy of Prometheus metrics is [15 days by default](https://prometheus.io/docs/prometheus/latest/storage/#operational-aspects). Older data gets deleted automatically.
## What does it do?
@ -32,6 +38,7 @@ Name | Description
-----|----------
`matrix_prometheus_enabled`|[Prometheus](https://prometheus.io) is a time series database. It holds all the data we're going to talk about.
`matrix_prometheus_node_exporter_enabled`|[Node Exporter](https://prometheus.io/docs/guides/node-exporter/) is an addon of sorts to Prometheus that collects generic system information such as CPU, memory, filesystem, and even system temperatures
`matrix_prometheus_postgres_exporter_enabled`|[Postgres Exporter](configuring-playbook-prometheus-postgres.md) is an addon of sorts to expose Postgres database metrics to Prometheus.
`matrix_grafana_enabled`|[Grafana](https://grafana.com/) is the visual component. It shows (on the `stats.<your-domain>` subdomain) the dashboards with the graphs that we're interested in
`matrix_grafana_anonymous_access`|By default you need to log in to see graphs. If you want to publicly share your graphs (e.g. when asking for help in [`#synapse:matrix.org`](https://matrix.to/#/#synapse:matrix.org?via=matrix.org&via=privacytools.io&via=mozilla.org)) you'll want to enable this option.
`matrix_grafana_default_admin_user`<br>`matrix_grafana_default_admin_password`|By default Grafana creates a user with `admin` as the username and password. If you feel this is insecure and you want to change it beforehand, you can do that here
@ -46,28 +53,55 @@ Most of our docker containers run with limited system access, but the `prometheu
## Collecting metrics to an external Prometheus server
If you wish, you could expose homeserver metrics without enabling (installing) Prometheus and Grafana via the playbook. This may be useful for hooking Matrix services to an external Prometheus/Grafana installation.
**If the integrated Prometheus server is enabled** (`matrix_prometheus_enabled: true`), metrics are collected by it from each service via communication that happens over the container network. Each service does not need to expose its metrics "publicly".
When you'd like **to collect metrics from an external Prometheus server**, you need to expose service metrics outside of the container network.
To do this, you may be interested in the following variables:
The playbook provides a single endpoint (`https://matrix.DOMAIN/metrics/*`), under which various services may expose their metrics (e.g. `/metrics/node-exporter`, `/metrics/postgres-exporter`, `/metrics/hookshot`, etc). To enable this `/metrics/*` feature, use `matrix_nginx_proxy_proxy_matrix_metrics_enabled`. To protect access using [Basic Authentication](https://en.wikipedia.org/wiki/Basic_access_authentication), see `matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_enabled` below.
The following variables may be of interest:
Name | Description
-----|----------
`matrix_nginx_proxy_proxy_matrix_metrics_enabled`|Set this to `true` to enable metrics exposure for various services on `https://matrix.DOMAIN/metrics/*`. Refer to the individual `matrix_SERVICE_metrics_proxying_enabled` variables below for exposing metrics for each individual service.
`matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_enabled`|Set this to `true` to protect all `https://matrix.DOMAIN/metrics/*` endpoints with [Basic Authentication](https://en.wikipedia.org/wiki/Basic_access_authentication) (see the other variables below for supplying the actual credentials). When enabled, all endpoints beneath `/metrics` will be protected with the same credentials
`matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_username`|Set this to the Basic Authentication username you'd like to protect `/metrics/*` with. You also need to set `matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_password`. If one username/password pair is not enough, you can leave the `username` and `password` variables unset and use `matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_raw_content` instead
`matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_password`|Set this to the Basic Authentication password you'd like to protect `/metrics/*` with
`matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_raw_content`|Set this to the Basic Authentication credentials (raw `htpasswd` file content) used to protect `/metrics/*`. This htpasswd-file needs to be generated with the `htpasswd` tool and can include multiple username/password pairs. If you only need one credential, use `matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_username` and `matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_password` instead.
`matrix_synapse_metrics_enabled`|Set this to `true` to make Synapse expose metrics (locally, on the container network)
`matrix_nginx_proxy_proxy_synapse_metrics`|Set this to `true` to make matrix-nginx-proxy expose the Synapse metrics at `https://matrix.DOMAIN/_synapse/metrics`
`matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_enabled`|Set this to `true` to password-protect (using HTTP Basic Auth) `https://matrix.DOMAIN/_synapse/metrics` (the username is always `prometheus`, the password is defined in `matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_key`)
`matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_key`|Set this to a password to use for HTTP Basic Auth for protecting `https://matrix.DOMAIN/_synapse/metrics` (the username is always `prometheus` - it's not configurable). Do not write the password in plain text. See `man 1 htpasswd` or use `htpasswd -c mypass.htpasswd prometheus` to generate the expected hash for nginx.
`matrix_server_fqn_grafana`|Use this variable to override the domain at which the Grafana web user-interface is at (defaults to `stats.DOMAIN`)
`matrix_synapse_metrics_proxying_enabled`|Set this to `true` to expose Synapse's metrics on `https://matrix.DOMAIN/metrics/synapse/main-process` and `https://matrix.DOMAIN/metrics/synapse/worker/TYPE-ID` (only takes effect if `matrix_nginx_proxy_proxy_matrix_metrics_enabled: true`). Read [below](#collecting-synapse-worker-metrics-to-an-external-prometheus-server) if you're running a Synapse worker setup (`matrix_synapse_workers_enabled: true`).
`matrix_prometheus_node_exporter_enabled`|Set this to `true` to enable the node (general system stats) exporter (locally, on the container network)
`matrix_prometheus_node_exporter_metrics_proxying_enabled`|Set this to `true` to expose the node (general system stats) metrics on `https://matrix.DOMAIN/metrics/node-exporter` (only takes effect if `matrix_nginx_proxy_proxy_matrix_metrics_enabled: true`)
`matrix_prometheus_postgres_exporter_enabled`|Set this to `true` to enable the [Postgres exporter](configuring-playbook-prometheus-postgres.md) (locally, on the container network)
`matrix_prometheus_postgres_exporter_metrics_proxying_enabled`|Set this to `true` to expose the [Postgres exporter](configuring-playbook-prometheus-postgres.md) metrics on `https://matrix.DOMAIN/metrics/postgres-exporter` (only takes effect if `matrix_nginx_proxy_proxy_matrix_metrics_enabled: true`)
`matrix_bridge_hookshot_metrics_enabled`|Set this to `true` to make [Hookshot](configuring-playbook-bridge-hookshot.md) expose metrics (locally, on the container network)
`matrix_bridge_hookshot_metrics_proxying_enabled`|Set this to `true` to expose the [Hookshot](configuring-playbook-bridge-hookshot.md) metrics on `https://matrix.DOMAIN/metrics/hookshot` (only takes effect if `matrix_nginx_proxy_proxy_matrix_metrics_enabled: true`)
`matrix_SERVICE_metrics_proxying_enabled`|Various other services/roles may provide similar `_metrics_enabled` and `_metrics_proxying_enabled` variables for exposing their metrics. Refer to each role for details. Only takes effect if `matrix_nginx_proxy_proxy_matrix_metrics_enabled: true`
`matrix_nginx_proxy_proxy_matrix_metrics_additional_user_location_configuration_blocks`|Add nginx `location` blocks to this list if you'd like to expose additional exporters manually (see below)
Example for how to make use of `matrix_nginx_proxy_proxy_matrix_metrics_additional_user_location_configuration_blocks` for exposing additional metrics locations:
```nginx
matrix_nginx_proxy_proxy_matrix_metrics_additional_user_location_configuration_blocks:
- 'location /metrics/another-service {
resolver 127.0.0.11 valid=5s;
proxy_pass http://matrix-another-service:9100/metrics;
}'
```
Using `matrix_nginx_proxy_proxy_matrix_metrics_additional_user_location_configuration_blocks` only takes effect if `matrix_nginx_proxy_proxy_matrix_metrics_enabled: true` (see above).
### Collecting worker metrics to an external Prometheus server
Note : The playbook will hash the basic_auth password for you on setup. Thus, you need to give the plain-text version of the password as a variable.
If you are using workers (`matrix_synapse_workers_enabled`) and have enabled `matrix_nginx_proxy_proxy_synapse_metrics` as described above, the playbook will also automatically proxy the all worker threads's metrics to `https://matrix.DOMAIN/_synapse-worker-TYPE-ID/metrics`, where `TYPE` corresponds to the type and `ID` to the instanceId of a worker as exemplified in `matrix_synapse_workers_enabled_list`.
### Collecting Synapse worker metrics to an external Prometheus server
The playbook also generates an exemplary prometheus.yml config file (`matrix_base_data_path/external_prometheus.yml.template`) with all the correct paths which you can copy to your Prometheus server and adapt to your needs, especially edit the specified `password_file` path and contents and path to your `synapse-v2.rules`.
If you are using workers (`matrix_synapse_workers_enabled: true`) and have enabled `matrix_synapse_metrics_proxying_enabled` as described above, the playbook will also automatically expose all Synapse worker threads' metrics to `https://matrix.DOMAIN/metrics/synapse/worker/TYPE-ID`, where `TYPE` corresponds to the type and `ID` to the instanceId of a worker as exemplified in `matrix_synapse_workers_enabled_list`.
The playbook also generates an exemplary config file (`/matrix/synapse/external_prometheus.yml.template`) with all the correct paths which you can copy to your Prometheus server and adapt to your needs. Make sure to edit the specified `password_file` path and contents and path to your `synapse-v2.rules`.
It will look a bit like this:
```yaml
scrape_configs:
- job_name: 'synapse'
metrics_path: /_synapse/metrics
metrics_path: /metrics/synapse/main-process
scheme: https
basic_auth:
username: prometheus
@ -78,7 +112,7 @@ scrape_configs:
job: "master"
index: 1
- job_name: 'synapse-generic_worker-1'
metrics_path: /_synapse-worker-generic_worker-18111/metrics
metrics_path: /metrics/synapse/worker/generic_worker-18111
scheme: https
basic_auth:
username: prometheus
@ -90,38 +124,6 @@ scrape_configs:
index: 18111
```
### Collecting system and Postgres metrics to an external Prometheus server (advanced)
When you normally enable the Prometheus and Grafana via the playbook, it will also show general system (via node-exporter) and Postgres (via postgres-exporter) stats. If you are instead collecting your metrics to an external Prometheus server, you can follow this advanced configuration example to also export these stats.
It would be possible to use `matrix_prometheus_node_exporter_container_http_host_bind_port` etc., but that is not always the best choice, for example because your server is on a public network.
Use the following variables in addition to the ones mentioned above:
Name | Description
-----|----------
`matrix_nginx_proxy_proxy_grafana_enabled`|Set this to `true` to make the stats subdomain (`matrix_server_fqn_grafana`) available via the Nginx proxy
`matrix_ssl_additional_domains_to_obtain_certificates_for`|Add `"{{ matrix_server_fqn_grafana }}"` to this list to have letsencrypt fetch a certificate for the stats subdomain
`matrix_prometheus_node_exporter_enabled`|Set this to `true` to enable the node (general system stats) exporter
`matrix_prometheus_postgres_exporter_enabled`|Set this to `true` to enable the Postgres exporter
`matrix_nginx_proxy_proxy_grafana_additional_server_configuration_blocks`|Add locations to this list depending on which of the above exporters you enabled (see below)
```nginx
matrix_nginx_proxy_proxy_grafana_additional_server_configuration_blocks:
- 'location /node-exporter/ {
resolver 127.0.0.11 valid=5s;
proxy_pass http://matrix-prometheus-node-exporter:9100/;
auth_basic "protected";
auth_basic_user_file /nginx-data/matrix-synapse-metrics-htpasswd;
}'
- 'location /postgres-exporter/ {
resolver 127.0.0.11 valid=5s;
proxy_pass http://matrix-prometheus-postgres-exporter:9187/;
auth_basic "protected";
auth_basic_user_file /nginx-data/matrix-synapse-metrics-htpasswd;
}'
```
You can customize the `location`s to your liking, just point your Prometheus to there later (e.g. `stats.DOMAIN/node-exporter/metrics`). Nginx is very picky about the `proxy_pass`syntax: take care to follow the example closely and note the trailing slash as well as absent use of variables. postgres-exporter uses the nonstandard port 9187.
## More information
@ -129,4 +131,3 @@ You can customize the `location`s to your liking, just point your Prometheus to
- [The Prometheus scraping rules](https://github.com/matrix-org/synapse/tree/master/contrib/prometheus) (we use v2)
- [The Synapse Grafana dashboard](https://github.com/matrix-org/synapse/tree/master/contrib/grafana)
- [The Node Exporter dashboard](https://github.com/rfrail3/grafana-dashboards) (for generic non-synapse performance graphs)

8
docs/configuring-playbook-prometheus-postgres.md
Unescape View File

@ -7,11 +7,6 @@ You can enable this with the following settings in your configuration file (`inv
```yaml
matrix_prometheus_postgres_exporter_enabled: true
# the role creates a postgres user as credential. You can configure these if required:
matrix_prometheus_postgres_exporter_database_username: 'matrix_prometheus_postgres_exporter'
matrix_prometheus_postgres_exporter_database_password: 'some-password'
```
## What does it do?
@ -20,7 +15,8 @@ Name | Description
-----|----------
`matrix_prometheus_postgres_exporter_enabled`|Enable the postgres prometheus exporter. This sets up the docker container, connects it to the database and adds a 'job' to the prometheus config which tells prometheus about this new exporter. The default is 'false'
`matrix_prometheus_postgres_exporter_database_username`| The 'username' for the user that the exporter uses to connect to the database. The default is 'matrix_prometheus_postgres_exporter'
`matrix_prometheus_postgres_exporter_database_password`| The 'password' for the user that the exporter uses to connect to the database.
`matrix_prometheus_postgres_exporter_database_password`| The 'password' for the user that the exporter uses to connect to the database. By default, this is auto-generated by the playbook
`matrix_prometheus_postgres_exporter_metrics_proxying_enabled`|If set to `true`, exposes the Postgres exporter metrics on `https://matrix.DOMAIN/metrics/postgres-exporter` for usage with an [external Prometheus server](configuring-playbook-prometheus-grafana.md#collecting-metrics-to-an-external-prometheus-server) (only takes effect if `matrix_nginx_proxy_proxy_matrix_metrics_enabled: true`)
## More information

15
docs/configuring-playbook-ssl-certificates.md
Unescape View File

@ -67,8 +67,14 @@ By default, it obtains certificates for:
- `matrix.<your-domain>` (`matrix_server_fqn_matrix`)
- possibly for `element.<your-domain>`, unless you have disabled the [Element client component](configuring-playbook-client-element.md) using `matrix_client_element_enabled: false`
- possibly for `riot.<your-domain>`, if you have explicitly enabled Riot to Element redirection (for background compatibility) using `matrix_nginx_proxy_proxy_riot_compat_redirect_enabled: true`
- possibly for `hydrogen.<your-domain>`, if you have explicitly [set up Hydrogen client](configuring-playbook-client-hydrogen.md).
- possibly for `cinny.<your-domain>`, if you have explicitly [set up Cinny client](configuring-playbook-client-cinny.md).
- possibly for `dimension.<your-domain>`, if you have explicitly [set up Dimension](configuring-playbook-dimension.md).
- possibly for `goneb.<your-domain>`, if you have explicitly [set up Go-NEB bot](configuring-playbook-bot-go-neb.md).
- possibly for `jitsi.<your-domain>`, if you have explicitly [set up Jitsi](configuring-playbook-jitsi.md).
- possibly for `stats.<your-domain>`, if you have explicitly [set up Grafana](configuring-playbook-prometheus-grafana.md).
- possibly for `sygnal.<your-domain>`, if you have explicitly [set up Sygnal](configuring-playbook-sygnal.md).
- possibly for `ntfy.<your-domain>`, if you have explicitly [set up ntfy](configuring-playbook-ntfy.md).
- possibly for your base domain (`<your-domain>`), if you have explicitly configured [Serving the base domain](configuring-playbook-base-domain-serving.md)
If you are hosting other domains on the Matrix machine, you can make the playbook obtain and renew certificates for those other domains too.
@ -95,3 +101,12 @@ For automated certificate renewal to work, each port `80` vhost for each domain
See how this is configured for the `matrix.` subdomain in `/matrix/nginx-proxy/conf.d/matrix-synapse.conf`
Don't be alarmed if the above configuration file says port `8080`, instead of port `80`. It's due to port mapping due to our use of containers.
## Specify the SSL private key algorithm
If you'd like to [specify the private key type](https://eff-certbot.readthedocs.io/en/stable/using.html#using-ecdsa-keys) used with Let's Encrypt, define your own custom configuration like this:
```yaml
matrix_ssl_lets_encrypt_key_type: ecdsa
```

24
docs/configuring-playbook.md
Unescape View File

@ -47,8 +47,6 @@ When you're done with all the configuration you'd like to do, continue with [Ins
- [Using an external PostgreSQL server](configuring-playbook-external-postgres.md) (optional)
- [Adjusting ma1sd Identity Server configuration](configuring-playbook-ma1sd.md) (optional)
- [Adjusting SSL certificate retrieval](configuring-playbook-ssl-certificates.md) (optional, advanced)
- [Serving your base domain using this playbook's nginx server](configuring-playbook-base-domain-serving.md) (optional)
@ -69,11 +67,14 @@ When you're done with all the configuration you'd like to do, continue with [Ins
- [Adjusting email-sending settings](configuring-playbook-email.md) (optional)
- [Setting up Hydrogen](configuring-playbook-client-hydrogen.md) - a new lightweight matrix client with legacy and mobile browser support (optional)
- [Setting up Cinny](configuring-playbook-client-cinny.md) - a web client focusing primarily on simple, elegant and secure interface (optional)
### Authentication and user-related
- [Setting up an ma1sd Identity Server](configuring-playbook-ma1sd.md) (optional)
- [Setting up Synapse Admin](configuring-playbook-synapse-admin.md) (optional)
- [Setting up matrix-registration](configuring-playbook-matrix-registration.md) (optional)
@ -117,7 +118,9 @@ When you're done with all the configuration you'd like to do, continue with [Ins
- [Setting up Appservice Webhooks bridging](configuring-playbook-bridge-appservice-webhooks.md) (optional)
- [Setting up MX Puppet Skype bridging](configuring-playbook-bridge-mx-puppet-skype.md) (optional)
- [Setting up matrix-hookshot](configuring-playbook-bridge-hookshot.md) - a bridge between Matrix and multiple project management services, such as [GitHub](https://github.com), [GitLab](https://about.gitlab.com) and [JIRA](https://www.atlassian.com/software/jira). (optional)
- [Setting up MX Puppet Skype bridging](configuring-playbook-bridge-mx-puppet-skype.md) (optional) - often reported as broken; see **Go Skype Bridge** (below) as an alternative
- [Setting up MX Puppet Slack bridging](configuring-playbook-bridge-mx-puppet-slack.md) (optional)
@ -131,6 +134,8 @@ When you're done with all the configuration you'd like to do, continue with [Ins
- [Setting up MX Puppet Steam bridging](configuring-playbook-bridge-mx-puppet-steam.md) (optional)
- [Setting up Go Skype Bridge bridging](configuring-playbook-bridge-go-skype-bridge.md) (optional)
- [Setting up Email2Matrix](configuring-playbook-email2matrix.md) (optional)
- [Setting up Matrix SMS bridging](configuring-playbook-bridge-matrix-bridge-sms.md) (optional)
@ -142,13 +147,26 @@ When you're done with all the configuration you'd like to do, continue with [Ins
- [Setting up matrix-reminder-bot](configuring-playbook-bot-matrix-reminder-bot.md) - a bot to remind you about stuff (optional)
- [Setting up matrix-registration-bot](configuring-playbook-bot-matrix-registration-bot.md) - a bot to create and manage registration tokens to invite users (optional)
- [Setting up honoroit](configuring-playbook-bot-honoroit.md) - a helpdesk bot (optional)
- [Setting up Go-NEB](configuring-playbook-bot-go-neb.md) - an extensible multifunctional bot (optional)
- [Setting up Mjolnir](configuring-playbook-bot-mjolnir.md) - a moderation tool/bot (optional)
- [Setting up Buscarron](configuring-playbook-bot-buscarron.md) - a bot you can use to send any form (HTTP POST, HTML) to a (encrypted) Matrix room (optional)
### Backups
- [Setting up borg backup](configuring-playbook-backup-borg.md) - a full Matrix server backup solution, including the Postgres database (optional)
- [Setting up postgres backup](configuring-playbook-postgres-backup.md) - a Postgres-database backup solution (note: does not include other files) (optional)
### Other specialized services
- [Setting up the Sygnal push gateway](configuring-playbook-sygnal.md) (optional)
- [Setting up the ntfy push notifications server](configuring-playbook-ntfy.md) (optional)

32
docs/configuring-well-known.md
Unescape View File

@ -46,7 +46,7 @@ If you decide to go this route, you don't need to read ahead in this document. W
If you're managing the base domain by yourself somehow, you'll need to set up serving of some `/.well-known/matrix/*` files from it via HTTPS.
To make things easy for you to set up, this playbook generates and hosts 2 well-known files on the Matrix domain's server (e.g. `https://matrix.example.com/.well-known/matrix/server` and `https://matrix.example.com/.well-known/matrix/client`), even though this is the wrong place to host them.
To make things easy for you to set up, this playbook generates and hosts 2 well-known files on the Matrix domain's server. The files are generated at `/matrix/static-files/.well-known/matrix/` and hosted at `https://matrix.example.com/.well-known/matrix/server` and `https://matrix.example.com/.well-known/matrix/client`, even though this is the wrong place to host them.
You have 3 options when it comes to installing the files on the base domain's server:
@ -98,16 +98,15 @@ server {
}
```
**For Apache**, it would be something like this:
**For Apache2**, it would be something like this:
```apache
<VirtualHost *:443>
ServerName DOMAIN
SSLProxyEngine on
<Location /.well-known/matrix>
ProxyPass "https://matrix.DOMAIN/.well-known/matrix"
</Location>
ProxyPass /.well-known/matrix https://matrix.DOMAIN/.well-known/matrix nocanon
ProxyPassReverse /.well-known/matrix https://matrix.DOMAIN/.well-known/matrix nocanon
# other configuration
</VirtualHost>
@ -116,8 +115,22 @@ server {
**For Caddy 2**, it would be something like this:
```caddy
reverse_proxy /.well-known/matrix/* https://matrix.DOMAIN {
header_up Host {http.reverse_proxy.upstream.hostport}
DOMAIN.com {
@wellknown {
path /.well-known/matrix/*:x
}
handle @wellknown {
reverse_proxy https://matrix.DOMAIN.com {
header_up Host {http.reverse_proxy.upstream.hostport}
}
}
# Configration for the base domain goes here
# handle {
# header -Server
# encode zstd gzip
# reverse_proxy localhost:4020
# }
}
```
@ -155,6 +168,11 @@ backend matrix-backend
/.well-known/matrix/* https://matrix.DOMAIN/.well-known/matrix/:splat 200!
```
**For AWS CloudFront**
1. Add a custom origin with matrix.<your-domain> to your distribution
1. Add two behaviors, one for `.well-known/matrix/client` and one for `.well-known/matrix/server` and point them to your new origin.
Make sure to:
- **replace `DOMAIN`** in the server configuration with your actual domain name

6
docs/container-images.md
Unescape View File

@ -15,8 +15,6 @@ These services are enabled and used by default, but you can turn them off, if yo
- [vectorim/element-web](https://hub.docker.com/r/vectorim/element-web/) - the [Element](https://element.io/) web client (optional)
- [ma1uta/ma1sd](https://hub.docker.com/r/ma1uta/ma1sd/) - the [ma1sd](https://github.com/ma1uta/ma1sd) Matrix Identity server (optional)
- [postgres](https://hub.docker.com/_/postgres/) - the [Postgres](https://www.postgresql.org/) database server (optional)
- [devture/exim-relay](https://hub.docker.com/r/devture/exim-relay/) - the [Exim](https://www.exim.org/) email server (optional)
@ -30,6 +28,8 @@ These services are enabled and used by default, but you can turn them off, if yo
These services are not part of our default installation, but can be enabled by [configuring the playbook](configuring-playbook.md) (either before the initial installation or any time later):
- [ma1uta/ma1sd](https://hub.docker.com/r/ma1uta/ma1sd/) - the [ma1sd](https://github.com/ma1uta/ma1sd) Matrix Identity server (optional)
- [matrixdotorg/dendrite-monolith](https://hub.docker.com/r/matrixdotorg/dendrite-monolith/) - the official [Dendrite](https://github.com/matrix-org/dendrite) Matrix homeserver (optional)
- [ewoutp/goofys](https://hub.docker.com/r/ewoutp/goofys/) - the [Goofys](https://github.com/kahing/goofys) Amazon [S3](https://aws.amazon.com/s3/) file-system-mounting program (optional)
@ -109,3 +109,5 @@ These services are not part of our default installation, but can be enabled by [
- [grafana/grafana](https://hub.docker.com/r/grafana/grafana/) - [Grafana](https://github.com/grafana/grafana/) is a graphing tool that works well with the above two images. Our playbook also adds two dashboards for [Synapse](https://github.com/matrix-org/synapse/tree/master/contrib/grafana) and [Node Exporter](https://github.com/rfrail3/grafana-dashboards)
- [matrixdotorg/sygnal](https://hub.docker.com/r/matrixdotorg/sygnal/) - [Sygnal](https://github.com/matrix-org/sygnal) is a reference Push Gateway for Matrix
- [binwiederhier/ntfy](https://hub.docker.com/r/binwiederhier/ntfy/) - [ntfy](https://ntfy.sh/) is a self-hosted, UnifiedPush-compatible push notifications server

4
docs/faq.md
Unescape View File

@ -55,7 +55,7 @@ There are 3 ways to get into Martix, depending on your technical ability and nee
- **using the existing default server** - the easiest way is to use an existing server. The largest public Matrix server is `matrix.org` and it's configured as a default server in clients such as [Element](https://element.io) and many others. Just use Element on the browser via that link (or download the Element app on a smartphone), create an account and start chatting.
- **using some other server** - instead of using the largest public server (`matrix.org`), you can use another public one. Here's a [list of public Matrix servers](https://publiclist.anchel.nl/) to choose from. Again, you download [Element](https://element.io) or [some other client](https://matrix.org/clients/) of your choosing and adjust the homeserver URL during login.
- **using some other server** - instead of using the largest public server (`matrix.org`), you can use another public one. Here's a [list of public Matrix servers](https://joinmatrix.org/servers/) to choose from. Again, you download [Element](https://element.io) or [some other client](https://matrix.org/clients/) of your choosing and adjust the homeserver URL during login.
- **using your own server** - running your own server puts you in ultimate control of your data. It also lets you have your own user identifiers (e.g. `@bob:your-domain.com`). See [How do I set up my own Matrix server](#how-do-i-set-up-my-own-matrix-server).
@ -226,7 +226,7 @@ Using a separate domain name is easier to manage (although it's a little hard to
We allow `matrix.DOMAIN` to be the Matrix server handling Matrix stuff for `DOMAIN` by [Server Delegation](howto-server-delegation.md). During the installation procedure, we recommend that you set up server delegation using the [.well-known](configuring-well-known.md) method.
If you'd really like to install Matrix services directly on the base domain, see [How do I install on matrix.DOMAIN without involving the base DOMAIN?](#how-do-i-install-on-matrixdomain-without-involving-the-base-domain).
If you'd really like to install Matrix services directly on the base domain, see [How do I install on matrix.DOMAIN without involving the base DOMAIN?](#how-do-i-install-on-matrixdomain-without-involving-the-base-domain)
### I don't control anything on the base domain and can't set up delegation to matrix.DOMAIN. What do I do?

2
docs/prerequisites.md
Unescape View File

@ -20,6 +20,8 @@ If your distro runs within an [LXC container](https://linuxcontainers.org/), you
- The [Ansible](http://ansible.com/) program being installed on your own computer. It's used to run this playbook and configures your server for you. Take a look at [our guide about Ansible](ansible.md) for more information, as well as [version requirements](ansible.md#supported-ansible-versions) and alternative ways to run Ansible.
- [`git`](https://git-scm.com/) is the recommended way to download the playbook to your computer. `git` may also be required on the server if you will be [self-building](self-building.md) components.
- An HTTPS-capable web server at the base domain name (`<your-domain>`) which is capable of serving static files. Unless you decide to [Serve the base domain from the Matrix server](configuring-playbook-base-domain-serving.md) or alternatively, to use DNS SRV records for [Server Delegation](howto-server-delegation.md).
- Properly configured DNS records for `<your-domain>` (details in [Configuring DNS](configuring-dns.md)).

2
docs/self-building.md
Unescape View File

@ -22,6 +22,7 @@ List of roles where self-building the Docker image is currently possible:
- `matrix-dimension`
- `matrix-ma1sd`
- `matrix-mailer`
- `matrix-bridge-hookshot`
- `matrix-bridge-appservice-irc`
- `matrix-bridge-appservice-slack`
- `matrix-bridge-appservice-webhooks`
@ -33,6 +34,7 @@ List of roles where self-building the Docker image is currently possible:
- `matrix-bridge-mautrix-signal`
- `matrix-bridge-mautrix-whatsapp`
- `matrix-bridge-mx-puppet-skype`
- `matrix-bridge-mx-puppet-steam`
- `matrix-bot-mjolnir`
- `matrix-bot-honoroit`
- `matrix-bot-matrix-reminder-bot`

18
examples/caddy2/Caddyfile
Unescape View File

@ -214,3 +214,21 @@ element.DOMAIN.tld {
# }
# }
#}
#DOMAIN.com {
# Uncomment this if you are following "(Option 3): Setting up reverse-proxying of the well-known files from the base domain's server to the Matrix server" of https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/docs/configuring-well-known.md#option-3-setting-up-reverse-proxying-of-the-well-known-files-from-the-base-domains-server-to-the-matrix-server
# @wellknown {
# path /.well-known/matrix/*
# }
#
# handle @wellknown {
# reverse_proxy https://matrix.DOMAIN.com {
# header_up Host {http.reverse_proxy.upstream.hostport}
# }
# }
# # Configration for the base domain goes here
# # handle {
# # header -Server
# # encode zstd gzip
# # reverse_proxy localhost:4020
# # }
#}

3
examples/haproxy/docker-compose.yml
Unescape View File

@ -1,7 +1,8 @@
---
version: '3'
services:
nginx:
image: local/nginx
image: local/nginx
ports:
- 40888:80
volumes:

1
examples/vars.yml
Unescape View File

@ -1,3 +1,4 @@
---
# The bare domain name which represents your Matrix identity.
# Matrix user ids for your server will be of the form (`@user:<matrix-domain>`).
#

371
group_vars/matrix_servers
Unescape View File

@ -9,8 +9,6 @@
# You can also override ANY variable (seen here or in any given role),
# by re-defining it in your own configuration file (`inventory/host_vars/matrix.<your-domain>`).
matrix_container_global_registry_prefix: "docker.io/"
######################################################################
#
# matrix-base
@ -47,27 +45,6 @@ matrix_integration_manager_ui_url: "{{ matrix_dimension_integrations_ui_url if m
######################################################################
######################################################################
#
# matrix-awx
#
######################################################################
# We don't enable AWX support by default.
matrix_awx_enabled: false
matrix_nginx_proxy_data_path: "{{ '/chroot/website' if (matrix_awx_enabled and not matrix_nginx_proxy_base_domain_homepage_enabled) else (matrix_nginx_proxy_base_path + '/data') }}"
matrix_nginx_proxy_data_path_in_container: "{{ '/nginx-data/matrix-domain' if (matrix_awx_enabled and not matrix_nginx_proxy_base_domain_homepage_enabled) else '/nginx-data' }}"
matrix_nginx_proxy_data_path_extension: "{{ '' if (matrix_awx_enabled and not matrix_nginx_proxy_base_domain_homepage_enabled) else '/matrix-domain' }}"
matrix_nginx_proxy_base_domain_create_directory: "{{ not matrix_awx_enabled }}"
######################################################################
#
# /matrix-awx
#
######################################################################
######################################################################
#
# matrix-bridge-appservice-discord
@ -275,6 +252,44 @@ matrix_beeper_linkedin_database_password: "{{ '%s' | format(matrix_homeserver_ge
#
######################################################################
######################################################################
#
# matrix-bridge-go-skype-bridge
#
######################################################################
# We don't enable bridges by default.
matrix_go_skype_bridge_enabled: false
matrix_go_skype_bridge_container_image_self_build: true
matrix_go_skype_bridge_systemd_required_services_list: |
{{
['docker.service']
+
['matrix-' + matrix_homeserver_implementation + '.service']
+
(['matrix-postgres.service'] if matrix_postgres_enabled else [])
+
(['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else [])
}}
matrix_go_skype_bridge_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'skype.as.token') | to_uuid }}"
matrix_go_skype_bridge_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'skype.hs.token') | to_uuid }}"
matrix_go_skype_bridge_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}"
# Postgres is the default, except if not using `matrix_postgres` (internal postgres)
matrix_go_skype_bridge_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}"
matrix_go_skype_bridge_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'goskype.db') | to_uuid }}"
######################################################################
#
# /matrix-bridge-go-skype-bridge
#
######################################################################
######################################################################
#
# matrix-bridge-mautrix-facebook
@ -301,6 +316,10 @@ matrix_mautrix_facebook_appservice_token: "{{ '%s' | format(matrix_homeserver_ge
matrix_mautrix_facebook_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'fb.hs.token') | to_uuid }}"
matrix_mautrix_facebook_public_endpoint: "/{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'facebook') | to_uuid }}"
matrix_mautrix_facebook_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:9008' }}"
matrix_mautrix_facebook_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}"
matrix_mautrix_facebook_bridge_presence: "{{ matrix_synapse_presence_enabled if matrix_synapse_enabled else true }}"
@ -477,7 +496,7 @@ matrix_mautrix_signal_database_engine: 'postgres'
matrix_mautrix_signal_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mau.signal.db') | to_uuid }}"
matrix_mautrix_signal_container_image_self_build: "{{ matrix_architecture not in ['amd64', 'arm64'] }}"
matrix_mautrix_signal_daemon_container_image_self_build: "{{ matrix_architecture != 'amd64' }}"
matrix_mautrix_signal_daemon_container_image_self_build: "{{ matrix_architecture not in ['amd64', 'arm64'] }}"
######################################################################
#
@ -552,16 +571,14 @@ matrix_mautrix_twitter_systemd_required_services_list: |
(['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else [])
}}
matrix_mautrix_twitter_appservice_token: "{{ matrix_homeserver_generic_secret_key | password_hash('sha512', 'twt.as.token') | to_uuid }}"
matrix_mautrix_twitter_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'twt.as.token') | to_uuid }}"
matrix_mautrix_twitter_homeserver_token: "{{ matrix_homeserver_generic_secret_key | password_hash('sha512', 'twt.hs.token') | to_uuid }}"
matrix_mautrix_twitter_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'twt.hs.token') | to_uuid }}"
matrix_mautrix_twitter_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}"
# We'd like to force-set people with external Postgres to SQLite, so the bridge role can complain
# and point them to a migration path.
matrix_mautrix_twitter_database_engine: "{{ 'postgres' if matrix_postgres_enabled else '' }}"
matrix_mautrix_twitter_database_password: "{{ matrix_homeserver_generic_secret_key | password_hash('sha512', 'mau.twt.db') | to_uuid }}"
matrix_mautrix_twitter_database_hostname: "{{ 'matrix-postgres' if matrix_postgres_enabled else '' }}"
matrix_mautrix_twitter_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mau.twt.db') | to_uuid if matrix_postgres_enabled else '' }}"
######################################################################
#
@ -662,6 +679,56 @@ matrix_heisenbridge_systemd_wanted_services_list: |
#
######################################################################
######################################################################
#
# matrix-bridge-hookshot
#
######################################################################
# We don't enable bridges by default.
matrix_hookshot_enabled: false
matrix_hookshot_container_image_self_build: "{{ matrix_architecture not in ['amd64'] }}"
matrix_hookshot_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'hookshot.as.tok') | to_uuid }}"
matrix_hookshot_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'hookshot.hs.tok') | to_uuid }}"
matrix_hookshot_systemd_wanted_services_list: |
{{
(['matrix-' + matrix_homeserver_implementation + '.service'])
+
(['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else [])
}}
matrix_hookshot_container_http_host_bind_ports_defaultmapping:
- "127.0.0.1:{{ matrix_hookshot_appservice_port }}:{{ matrix_hookshot_appservice_port }}"
- "127.0.0.1:{{ matrix_hookshot_metrics_port }}:{{ matrix_hookshot_metrics_port }}"
- "127.0.0.1:{{ matrix_hookshot_webhook_port }}:{{ matrix_hookshot_webhook_port }}"
- "127.0.0.1:{{ matrix_hookshot_provisioning_port }}:{{ matrix_hookshot_provisioning_port }}"
matrix_hookshot_container_http_host_bind_ports: "{{ [] if matrix_nginx_proxy_enabled else matrix_hookshot_container_http_host_bind_ports_defaultmapping }}"
matrix_hookshot_provisioning_enabled: "{{ matrix_hookshot_provisioning_secret and matrix_dimension_enabled }}"
# We only enable metrics (locally, in the container network) for the bridge if Prometheus is enabled.
#
# People using an external Prometheus server will need to toggle all of these to be able to consume metrics remotely:
# - `matrix_hookshot_metrics_enabled`
# - `matrix_hookshot_metrics_proxying_enabled`
# - `matrix_nginx_proxy_proxy_matrix_metrics_enabled`
matrix_hookshot_metrics_enabled: "{{ matrix_prometheus_enabled }}"
matrix_hookshot_urlprefix_port_enabled: "{{ matrix_nginx_proxy_container_https_host_bind_port == 443 if matrix_nginx_proxy_https_enabled else matrix_nginx_proxy_container_https_host_bind_port == 80 }}"
matrix_hookshot_urlprefix_port: ":{{ matrix_nginx_proxy_container_https_host_bind_port if matrix_nginx_proxy_https_enabled else matrix_nginx_proxy_container_http_host_bind_port }}"
matrix_hookshot_urlprefix: "http{{ 's' if matrix_nginx_proxy_https_enabled else '' }}://{{ matrix_server_fqn_matrix }}{{ matrix_hookshot_urlprefix_port if matrix_hookshot_urlprefix_port_enabled else '' }}"
######################################################################
#
# /matrix-bridge-hookshot
#
######################################################################
######################################################################
#
# matrix-bridge-mx-puppet-skype
@ -671,7 +738,7 @@ matrix_heisenbridge_systemd_wanted_services_list: |
# We don't enable bridges by default.
matrix_mx_puppet_skype_enabled: false
matrix_mx_puppet_skype_container_image_self_build: "{{ matrix_architecture != 'amd64'}}"
matrix_mx_puppet_skype_container_image_self_build: "{{ matrix_architecture != 'amd64' }}"
matrix_mx_puppet_skype_systemd_required_services_list: |
{{
@ -710,7 +777,7 @@ matrix_mx_puppet_skype_database_password: "{{ '%s' | format(matrix_homeserver_ge
# We don't enable bridges by default.
matrix_mx_puppet_slack_enabled: false
matrix_mx_puppet_slack_container_image_self_build: "{{ matrix_architecture != 'amd64'}}"
matrix_mx_puppet_slack_container_image_self_build: "{{ matrix_architecture != 'amd64' }}"
matrix_mx_puppet_slack_systemd_required_services_list: |
{{
@ -748,7 +815,7 @@ matrix_mx_puppet_slack_database_password: "{{ '%s' | format(matrix_homeserver_ge
# We don't enable bridges by default.
matrix_mx_puppet_twitter_enabled: false
matrix_mx_puppet_twitter_container_image_self_build: "{{ matrix_architecture != 'amd64'}}"
matrix_mx_puppet_twitter_container_image_self_build: "{{ matrix_architecture != 'amd64' }}"
matrix_mx_puppet_twitter_systemd_required_services_list: |
{{
@ -789,7 +856,7 @@ matrix_mx_puppet_twitter_database_password: "{{ '%s' | format(matrix_homeserver_
# We don't enable bridges by default.
matrix_mx_puppet_instagram_enabled: false
matrix_mx_puppet_instagram_container_image_self_build: "{{ matrix_architecture != 'amd64'}}"
matrix_mx_puppet_instagram_container_image_self_build: "{{ matrix_architecture != 'amd64' }}"
matrix_mx_puppet_instagram_systemd_required_services_list: |
{{
@ -827,7 +894,7 @@ matrix_mx_puppet_instagram_database_password: "{{ '%s' | format(matrix_homeserve
# We don't enable bridges by default.
matrix_mx_puppet_discord_enabled: false
matrix_mx_puppet_discord_container_image_self_build: "{{ matrix_architecture != 'amd64'}}"
matrix_mx_puppet_discord_container_image_self_build: "{{ matrix_architecture != 'amd64' }}"
matrix_mx_puppet_discord_systemd_required_services_list: |
{{
@ -865,7 +932,7 @@ matrix_mx_puppet_discord_database_password: "{{ '%s' | format(matrix_homeserver_
# We don't enable bridges by default.
matrix_mx_puppet_steam_enabled: false
matrix_mx_puppet_steam_container_image_self_build: "{{ matrix_architecture != 'amd64'}}"
matrix_mx_puppet_steam_container_image_self_build: "{{ matrix_architecture not in ['arm64', 'amd64'] }}"
matrix_mx_puppet_steam_systemd_required_services_list: |
{{
@ -903,7 +970,7 @@ matrix_mx_puppet_steam_database_password: "{{ '%s' | format(matrix_homeserver_ge
# We don't enable bridges by default.
matrix_mx_puppet_groupme_enabled: false
matrix_mx_puppet_groupme_container_image_self_build: "{{ matrix_architecture != 'amd64'}}"
matrix_mx_puppet_groupme_container_image_self_build: "{{ matrix_architecture != 'amd64' }}"
matrix_mx_puppet_groupme_systemd_required_services_list: |
{{
@ -963,6 +1030,35 @@ matrix_bot_matrix_reminder_bot_container_image_self_build: "{{ matrix_architectu
#
######################################################################
######################################################################
#
# matrix-bot-matrix-registration-bot
#
######################################################################
# We don't enable bots by default.
matrix_bot_matrix_registration_bot_enabled: false
matrix_bot_matrix_registration_bot_container_image_self_build: "{{ matrix_architecture not in ['amd64'] }}"
matrix_bot_matrix_registration_bot_systemd_required_services_list: |
{{
['docker.service']
+
['matrix-' + matrix_homeserver_implementation + '.service']
+
(['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else [])
}}
######################################################################
#
# /matrix-bot-matrix-registration-bot
#
######################################################################
######################################################################
#
# matrix-bot-honoroit
@ -994,6 +1090,37 @@ matrix_bot_honoroit_container_image_self_build: "{{ matrix_architecture not in [
#
######################################################################
######################################################################
#
# matrix-bot-buscarron
#
######################################################################
# We don't enable bots by default.
matrix_bot_buscarron_enabled: false
matrix_bot_buscarron_systemd_required_services_list: |
{{
['docker.service']
+
(['matrix-postgres.service'] if matrix_postgres_enabled else [])
+
(['matrix-synapse.service'] if matrix_synapse_enabled else [])
+
(['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else [])
}}
# Postgres is the default, except if not using `matrix_postgres` (internal postgres)
matrix_bot_buscarron_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}"
matrix_bot_buscarron_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'buscarron.bot.db') | to_uuid }}"
matrix_bot_buscarron_container_image_self_build: "{{ matrix_architecture not in ['amd64', 'arm32', 'arm64'] }}"
######################################################################
#
# /matrix-bot-buscarron
#
######################################################################
######################################################################
#
@ -1031,7 +1158,7 @@ matrix_bot_go_neb_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_en
# We don't enable bots by default.
matrix_bot_mjolnir_enabled: false
matrix_bot_mjolnir_container_image_self_build: "{{ matrix_architecture != 'amd64'}}"
matrix_bot_mjolnir_container_image_self_build: "{{ matrix_architecture != 'amd64' }}"
matrix_bot_mjolnir_systemd_required_services_list: |
{{
@ -1050,6 +1177,47 @@ matrix_bot_mjolnir_systemd_required_services_list: |
#
######################################################################
######################################################################
#
# matrix-backup-borg
#
######################################################################
matrix_backup_borg_enabled: false
matrix_backup_borg_container_image_self_build: "{{ matrix_architecture not in ['amd64', 'arm32', 'arm64'] }}"
matrix_backup_borg_postgresql_enabled: "{{ matrix_postgres_enabled }}"
matrix_backup_borg_postgresql_databases_hostname: "{{ matrix_postgres_connection_hostname }}"
matrix_backup_borg_postgresql_databases_username: "{{ matrix_postgres_connection_username }}"
matrix_backup_borg_postgresql_databases_password: "{{ matrix_postgres_connection_password }}"
matrix_backup_borg_postgresql_databases_port: "{{ matrix_postgres_connection_port }}"
matrix_backup_borg_postgresql_databases: |
{{
(([{
'name': matrix_synapse_database_database
}] if (matrix_synapse_enabled and matrix_synapse_database_database == matrix_postgres_db_name and matrix_synapse_database_host == 'matrix-postgres') else [])
+
matrix_postgres_additional_databases)|map(attribute='name')|list
}}
matrix_backup_borg_location_source_directories:
- "{{ matrix_base_data_path }}"
matrix_backup_borg_location_exclude_patterns: |
{{
([matrix_synapse_media_store_path + '/local_thumbnails', matrix_synapse_media_store_path + '/remote_thumbnail', matrix_synapse_media_store_path + '/url_cache', matrix_synapse_media_store_path + '/url_cache_thumbnails'] if matrix_homeserver_implementation == 'synapse' else [])
+
([matrix_postgres_data_path] if matrix_postgres_enabled else [])
}}
matrix_backup_borg_systemd_required_services_list: |
{{
['docker.service']
+
(['matrix-postgres.service'] if matrix_postgres_enabled else [])
}}
######################################################################
#
# /matrix-backup-borg
#
######################################################################
######################################################################
#
@ -1059,7 +1227,7 @@ matrix_bot_mjolnir_systemd_required_services_list: |
matrix_corporal_enabled: false
matrix_corporal_container_image_self_build: "{{ matrix_architecture != 'amd64' }}"
matrix_corporal_container_image_self_build: "{{ matrix_architecture not in ['amd64', 'arm32', 'arm64'] }}"
# Normally, matrix-nginx-proxy is enabled and nginx can reach matrix-corporal over the container network.
# If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose
@ -1089,8 +1257,6 @@ matrix_corporal_matrix_registration_shared_secret: "{{ matrix_synapse_registrati
#
######################################################################
######################################################################
#
# matrix-coturn
@ -1099,7 +1265,7 @@ matrix_corporal_matrix_registration_shared_secret: "{{ matrix_synapse_registrati
matrix_coturn_enabled: true
matrix_coturn_container_image_self_build: "{{ matrix_architecture != 'amd64'}}"
matrix_coturn_container_image_self_build: "{{ matrix_architecture not in ['amd64', 'arm32', 'arm64'] }}"
matrix_coturn_turn_external_ip_address: "{{ ansible_host }}"
@ -1125,8 +1291,6 @@ matrix_coturn_container_additional_volumes: |
#
######################################################################
######################################################################
#
# matrix-dimension
@ -1204,8 +1368,6 @@ matrix_dynamic_dns_enabled: false
#
######################################################################
######################################################################
#
# matrix-email2matrix
@ -1214,7 +1376,7 @@ matrix_dynamic_dns_enabled: false
matrix_email2matrix_enabled: false
matrix_email2matrix_container_image_self_build: "{{ matrix_architecture != 'amd64' }}"
matrix_email2matrix_container_image_self_build: "{{ matrix_architecture not in ['amd64', 'arm32', 'arm64'] }}"
######################################################################
#
@ -1222,8 +1384,6 @@ matrix_email2matrix_container_image_self_build: "{{ matrix_architecture != 'amd6
#
######################################################################
######################################################################
#
# matrix-jitsi
@ -1268,8 +1428,6 @@ matrix_jitsi_etherpad_base: "{{ matrix_etherpad_base_url if matrix_etherpad_enab
#
######################################################################
######################################################################
#
# matrix-mailer
@ -1281,7 +1439,7 @@ matrix_jitsi_etherpad_base: "{{ matrix_etherpad_base_url if matrix_etherpad_enab
# Other services (like ma1sd), also use the mailer.
matrix_mailer_enabled: true
matrix_mailer_container_image_self_build: "{{ matrix_architecture != 'amd64'}}"
matrix_mailer_container_image_self_build: "{{ matrix_architecture not in ['amd64', 'arm32', 'arm64'] }}"
######################################################################
#
@ -1289,17 +1447,22 @@ matrix_mailer_container_image_self_build: "{{ matrix_architecture != 'amd64'}}"
#
######################################################################
######################################################################
#
# matrix-ma1sd
#
######################################################################
# By default, this playbook installs the ma1sd identity server on the same domain as Synapse (`matrix_server_fqn_matrix`).
# If you wish to use the public identity servers (matrix.org, vector.im) instead of your own you may wish to disable this.
matrix_ma1sd_enabled: true
# We no longer install the ma1sd identity server by default.
#
# The main reason we used to install ma1sd by default in the past was to
# prevent Element from talking to the `matrix.org` / `vector.im` identity servers,
# by forcing it to talk to our own self-hosted (but otherwise useless) identity server instead,
# thus preventing contact list leaks.
#
# Since Element no longer defaults to using a public identity server if another one is not provided,
# we can stop installing ma1sd.
matrix_ma1sd_enabled: false
matrix_ma1sd_container_image_self_build: "{{ matrix_architecture != 'amd64' }}"
@ -1354,8 +1517,6 @@ matrix_ma1sd_database_password: "{{ '%s' | format(matrix_homeserver_generic_secr
#
######################################################################
######################################################################
#
# matrix-nginx-proxy
@ -1377,7 +1538,7 @@ matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb: |-
}[matrix_homeserver_implementation]|int
}}
matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_admin_api_enabled: "{{ matrix_synapse_admin_enabled }}"
matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_admin_api_enabled: "{{ matrix_synapse_admin_enabled or matrix_bot_matrix_registration_bot_enabled }}"
matrix_nginx_proxy_proxy_matrix_client_redirect_root_uri_to_domain: "{{ matrix_server_fqn_element if matrix_client_element_enabled else '' }}"
@ -1385,11 +1546,13 @@ matrix_nginx_proxy_proxy_matrix_enabled: true
matrix_nginx_proxy_proxy_element_enabled: "{{ matrix_client_element_enabled }}"
matrix_nginx_proxy_proxy_hydrogen_enabled: "{{ matrix_client_hydrogen_enabled }}"
matrix_nginx_proxy_proxy_cinny_enabled: "{{ matrix_client_cinny_enabled }}"
matrix_nginx_proxy_proxy_buscarron_enabled: "{{ matrix_bot_buscarron_enabled }}"
matrix_nginx_proxy_proxy_dimension_enabled: "{{ matrix_dimension_enabled }}"
matrix_nginx_proxy_proxy_bot_go_neb_enabled: "{{ matrix_bot_go_neb_enabled }}"
matrix_nginx_proxy_proxy_jitsi_enabled: "{{ matrix_jitsi_enabled }}"
matrix_nginx_proxy_proxy_grafana_enabled: "{{ matrix_grafana_enabled }}"
matrix_nginx_proxy_proxy_sygnal_enabled: "{{ matrix_sygnal_enabled }}"
matrix_nginx_proxy_proxy_ntfy_enabled: "{{ matrix_ntfy_enabled }}"
matrix_nginx_proxy_proxy_matrix_corporal_api_enabled: "{{ matrix_corporal_enabled and matrix_corporal_http_api_enabled }}"
matrix_nginx_proxy_proxy_matrix_corporal_api_addr_with_container: "matrix-corporal:41081"
@ -1416,7 +1579,7 @@ matrix_nginx_proxy_proxy_synapse_enabled: "{{ matrix_synapse_enabled }}"
matrix_nginx_proxy_proxy_synapse_client_api_addr_with_container: "matrix-synapse:{{ matrix_synapse_container_client_api_port }}"
matrix_nginx_proxy_proxy_synapse_client_api_addr_sans_container: "127.0.0.1:{{ matrix_synapse_container_client_api_port }}"
matrix_nginx_proxy_proxy_synapse_federation_api_addr_with_container: "matrix-synapse:{{matrix_synapse_container_federation_api_plain_port|string}}"
matrix_nginx_proxy_proxy_synapse_federation_api_addr_sans_container: "localhost:{{matrix_synapse_container_federation_api_plain_port|string}}"
matrix_nginx_proxy_proxy_synapse_federation_api_addr_sans_container: "127.0.0.1:{{matrix_synapse_container_federation_api_plain_port|string}}"
matrix_nginx_proxy_proxy_dendrite_enabled: "{{ matrix_dendrite_enabled }}"
matrix_nginx_proxy_proxy_dendrite_client_api_addr_with_container: "matrix-dendrite:{{ matrix_dendrite_http_bind_port|string }}"
@ -1429,13 +1592,6 @@ matrix_nginx_proxy_proxy_matrix_federation_port: "{{ matrix_federation_public_po
matrix_nginx_proxy_container_federation_host_bind_port: "{{ matrix_federation_public_port }}"
# This used to be hooked to `matrix_synapse_metrics_enabled`, but we don't do it anymore.
# The fact that someone wishes to enable Synapse metrics does not necessarily mean they want to make them public.
# A local Prometheus can consume them over the container network.
matrix_nginx_proxy_proxy_synapse_metrics: false
matrix_nginx_proxy_proxy_synapse_metrics_addr_with_container: "matrix-synapse:{{ matrix_synapse_metrics_port }}"
matrix_nginx_proxy_proxy_synapse_metrics_addr_sans_container: "127.0.0.1:{{ matrix_synapse_metrics_port }}"
matrix_nginx_proxy_proxy_matrix_user_directory_search_enabled: "{{ matrix_ma1sd_enabled }}"
matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_with_container: "{{ matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container }}"
matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_sans_container: "{{ matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container }}"
@ -1457,8 +1613,6 @@ matrix_nginx_proxy_synapse_media_repository_locations: "{{matrix_synapse_workers
matrix_nginx_proxy_synapse_user_dir_locations: "{{ matrix_synapse_workers_user_dir_endpoints|default([]) }}"
matrix_nginx_proxy_synapse_frontend_proxy_locations: "{{ matrix_synapse_workers_frontend_proxy_endpoints|default([]) }}"
matrix_nginx_proxy_proxy_synapse_workers_enabled_list: "{{ matrix_synapse_workers_enabled_list }}"
matrix_nginx_proxy_systemd_wanted_services_list: |
{{
['matrix-' + matrix_homeserver_implementation + '.service']
@ -1469,6 +1623,8 @@ matrix_nginx_proxy_systemd_wanted_services_list: |
+
(['matrix-client-cinny.service'] if matrix_client_cinny_enabled else [])
+
(['matrix-bot-buscarron.service'] if matrix_bot_buscarron_enabled else [])
+
(['matrix-client-element.service'] if matrix_client_element_enabled else [])
+
(['matrix-client-hydrogen.service'] if matrix_client_hydrogen_enabled else [])
@ -1479,11 +1635,15 @@ matrix_nginx_proxy_systemd_wanted_services_list: |
+
(['matrix-sygnal.service'] if matrix_sygnal_enabled else [])
+
(['matrix-ntfy.service'] if matrix_ntfy_enabled else [])
+
(['matrix-jitsi.service'] if matrix_jitsi_enabled else [])
+
(['matrix-bot-go-neb.service'] if matrix_bot_go_neb_enabled else [])
+
(['matrix-etherpad.service'] if matrix_etherpad_enabled and matrix_dimension_enabled else [])
+
(['matrix-hookshot.service'] if matrix_hookshot_enabled else [])
}}
matrix_ssl_domains_to_obtain_certificates_for: |
@ -1498,6 +1658,8 @@ matrix_ssl_domains_to_obtain_certificates_for: |
+
([matrix_server_fqn_cinny] if matrix_client_cinny_enabled else [])
+
([matrix_server_fqn_buscarron] if matrix_bot_buscarron_enabled else [])
+
([matrix_server_fqn_dimension] if matrix_dimension_enabled else [])
+
([matrix_server_fqn_bot_go_neb] if matrix_bot_go_neb_enabled else [])
@ -1508,6 +1670,8 @@ matrix_ssl_domains_to_obtain_certificates_for: |
+
([matrix_server_fqn_sygnal] if matrix_sygnal_enabled else [])
+
([matrix_server_fqn_ntfy] if matrix_ntfy_enabled else [])
+
([matrix_domain] if matrix_nginx_proxy_base_domain_serving_enabled else [])
+
matrix_ssl_additional_domains_to_obtain_certificates_for
@ -1529,8 +1693,6 @@ matrix_ssl_pre_obtaining_required_service_name: "{{ 'matrix-dynamic-dns' if matr
#
######################################################################
######################################################################
#
# matrix-postgres
@ -1556,15 +1718,11 @@ matrix_postgres_additional_databases: |
}] if (matrix_synapse_enabled and matrix_synapse_database_database != matrix_postgres_db_name and matrix_synapse_database_host == 'matrix-postgres') else [])
+
([{
'name': matrix_dendrite_naffka_database,
'username': matrix_dendrite_database_user,
'password': matrix_dendrite_database_password,
},{
'name': matrix_dendrite_appservice_database,
'username': matrix_dendrite_database_user,
'password': matrix_dendrite_database_password,
},{
'name': matrix_dendrite_federationsender_database,
'name': matrix_dendrite_federationapi_database,
'username': matrix_dendrite_database_user,
'password': matrix_dendrite_database_password,
},{
@ -1579,20 +1737,16 @@ matrix_postgres_additional_databases: |
'name': matrix_dendrite_room_database,
'username': matrix_dendrite_database_user,
'password': matrix_dendrite_database_password,
},{
'name': matrix_dendrite_singingkeyserver_database,
'username': matrix_dendrite_database_user,
'password': matrix_dendrite_database_password,
},{
'name': matrix_dendrite_syncapi_database,
'username': matrix_dendrite_database_user,
'password': matrix_dendrite_database_password,
},{
'name': matrix_dendrite_account_database,
'name': matrix_dendrite_userapi_database,
'username': matrix_dendrite_database_user,
'password': matrix_dendrite_database_password,
},{
'name': matrix_dendrite_device_database,
'name': matrix_dendrite_pushserver_database,
'username': matrix_dendrite_database_user,
'password': matrix_dendrite_database_password,
},{
@ -1619,6 +1773,12 @@ matrix_postgres_additional_databases: |
'password': matrix_bot_honoroit_database_password,
}] if (matrix_bot_honoroit_enabled and matrix_bot_honoroit_database_engine == 'postgres' and matrix_bot_honoroit_database_hostname == 'matrix-postgres') else [])
+
([{
'name': matrix_bot_buscarron_database_name,
'username': matrix_bot_buscarron_database_username,
'password': matrix_bot_buscarron_database_password,
}] if (matrix_bot_buscarron_enabled and matrix_bot_buscarron_database_engine == 'postgres' and matrix_bot_buscarron_database_hostname == 'matrix-postgres') else [])
+
([{
'name': matrix_registration_database_name,
'username': matrix_registration_database_username,
@ -1649,6 +1809,12 @@ matrix_postgres_additional_databases: |
'password': matrix_beeper_linkedin_database_password,
}] if (matrix_beeper_linkedin_enabled and matrix_beeper_linkedin_database_engine == 'postgres' and matrix_beeper_linkedin_database_hostname == 'matrix-postgres') else [])
+
([{
'name': matrix_go_skype_bridge_database_name,
'username': matrix_go_skype_bridge_database_username,
'password': matrix_go_skype_bridge_database_password,
}] if (matrix_go_skype_bridge_enabled and matrix_go_skype_bridge_database_engine == 'postgres' and matrix_go_skype_bridge_database_hostname == 'matrix-postgres') else [])
+
([{
'name': matrix_mautrix_facebook_database_name,
'username': matrix_mautrix_facebook_database_username,
@ -1779,8 +1945,6 @@ matrix_postgres_import_databases_to_ignore: |
#
######################################################################
######################################################################
#
# matrix-sygnal
@ -1801,7 +1965,19 @@ matrix_sygnal_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enable
#
######################################################################
######################################################################
#
# matrix-ntfy
#
######################################################################
matrix_ntfy_enabled: false
######################################################################
#
# /matrix-ntfy
#
######################################################################
######################################################################
#
@ -1817,8 +1993,6 @@ matrix_redis_enabled: "{{ matrix_synapse_workers_enabled }}"
#
######################################################################
######################################################################
#
# matrix-client-element
@ -1866,8 +2040,6 @@ matrix_client_element_jitsi_preferredDomain: "{{ matrix_server_fqn_jitsi if matr
#
######################################################################
######################################################################
#
# matrix-client-hydrogen
@ -1891,8 +2063,6 @@ matrix_client_hydrogen_self_check_validate_certificates: "{{ false if matrix_ssl
#
######################################################################
######################################################################
#
# matrix-client-cinny
@ -1918,8 +2088,6 @@ matrix_client_cinny_self_check_validate_certificates: "{{ false if matrix_ssl_re
#
######################################################################
######################################################################
#
# matrix-synapse
@ -2030,8 +2198,6 @@ matrix_synapse_redis_password: "{{ matrix_redis_connection_password if matrix_re
#
######################################################################
######################################################################
#
# matrix-synapse-admin
@ -2045,7 +2211,7 @@ matrix_synapse_admin_enabled: false
# Synapse Admin's HTTP port to the local host.
matrix_synapse_admin_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:8766' }}"
matrix_synapse_admin_container_image_self_build: "{{ matrix_architecture != 'amd64' }}"
matrix_synapse_admin_container_image_self_build: "{{ matrix_architecture not in ['arm64', 'amd64'] }}"
######################################################################
#
@ -2053,8 +2219,6 @@ matrix_synapse_admin_container_image_self_build: "{{ matrix_architecture != 'amd
#
######################################################################
######################################################################
#
# matrix-prometheus-node-exporter
@ -2069,8 +2233,6 @@ matrix_prometheus_node_exporter_enabled: false
#
######################################################################
######################################################################
#
# matrix-prometheus
@ -2095,6 +2257,8 @@ matrix_prometheus_scraper_node_targets: "{{ ['matrix-prometheus-node-exporter:91
matrix_prometheus_scraper_postgres_enabled: "{{ matrix_prometheus_postgres_exporter_enabled }}"
matrix_prometheus_scraper_postgres_targets: "{{ ['matrix-prometheus-postgres-exporter:'+ matrix_prometheus_postgres_exporter_port|string] if matrix_prometheus_scraper_postgres_enabled else [] }}"
matrix_prometheus_scraper_hookshot_enabled: "{{ matrix_hookshot_metrics_enabled|default(false) }}"
matrix_prometheus_scraper_hookshot_targets: "{{ [matrix_hookshot_container_url|string +':'+ matrix_hookshot_metrics_port|string] if matrix_hookshot_metrics_enabled else [] }}"
######################################################################
#
@ -2102,7 +2266,6 @@ matrix_prometheus_scraper_postgres_targets: "{{ ['matrix-prometheus-postgres-exp
#
######################################################################
######################################################################
#
# matrix-prometheus-postgres-exporter
@ -2158,8 +2321,6 @@ matrix_grafana_systemd_wanted_services_list: |
#
######################################################################
######################################################################
#
# matrix-registration
@ -2255,9 +2416,9 @@ matrix_dendrite_container_https_host_bind_address: "{{ '' if matrix_nginx_proxy_
matrix_dendrite_sync_api_real_ip_header: "{{ 'X-Forwarded-For' if matrix_nginx_proxy_enabled else '' }}"
matrix_dendrite_registration_shared_secret: "{{ matrix_homeserver_generic_secret_key | password_hash('sha512', 'dendrite.rss') | to_uuid }}"
matrix_dendrite_registration_shared_secret: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'dendrite.rss') | to_uuid }}"
matrix_dendrite_database_password: "{{ matrix_homeserver_generic_secret_key | password_hash('sha512', 'dendrite.db') | to_uuid }}"
matrix_dendrite_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'dendrite.db') | to_uuid }}"
# Even if TURN doesn't support TLS (it does by default),
# it doesn't hurt to try a secure connection anyway.

2
roles/matrix-aux/tasks/main.yml
Unescape View File

@ -1,3 +1,5 @@
---
- import_tasks: "{{ role_path }}/tasks/setup.yml"
when: run_stop|bool
tags:

6
roles/matrix-awx/defaults/main.yml
Unescape View File

@ -1,6 +0,0 @@
matrix_awx_enabled: true
# Defaults for 'Customise Website + Access Export' template
awx_sftp_auth_method: 'Disabled'
awx_sftp_password: ''
awx_sftp_public_key: ''

29
roles/matrix-awx/scripts/matrix_build_room_list.py
Unescape View File

@ -1,29 +0,0 @@
import sys
import requests
import json
janitor_token = sys.argv[1]
synapse_container_ip = sys.argv[2]
synapse_container_port = sys.argv[3]
# collect total amount of rooms
rooms_raw_url = 'http://' + synapse_container_ip + ':' + synapse_container_port + '/_synapse/admin/v1/rooms'
rooms_raw_header = {'Authorization': 'Bearer ' + janitor_token}
rooms_raw = requests.get(rooms_raw_url, headers=rooms_raw_header)
rooms_raw_python = json.loads(rooms_raw.text)
total_rooms = rooms_raw_python["total_rooms"]
# build complete room list file
room_list_file = open("/tmp/room_list_complete.json", "w")
for i in range(0, total_rooms, 100):
rooms_inc_url = 'http://' + synapse_container_ip + ':' + synapse_container_port + '/_synapse/admin/v1/rooms?from=' + str(i)
rooms_inc = requests.get(rooms_inc_url, headers=rooms_raw_header)
room_list_file.write(rooms_inc.text)
room_list_file.close()
print(total_rooms)

42
roles/matrix-awx/surveys/access_export.json.j2
Unescape View File

@ -1,42 +0,0 @@
{
"name": "Access Export",
"description": "Access the services export.",
"spec": [
{
"question_name": "SFTP Authorisation Method",
"question_description": "Set whether you want to disable SFTP, use a password to connect to SFTP or connect with a more secure SSH key.",
"required": true,
"min": null,
"max": null,
"default": "{{ awx_sftp_auth_method | string }}",
"choices": "Disabled\nPassword\nSSH Key",
"new_question": true,
"variable": "awx_sftp_auth_method",
"type": "multiplechoice"
},
{
"question_name": "SFTP Password",
"question_description": "Sets the password of the 'sftp' account, which allows you to upload a multi-file static website by SFTP, as well as export the latest copy of your Matrix service. Must be defined if 'Password' method is selected. WARNING: You must set a strong and unique password here.",
"required": false,
"min": 0,
"max": 64,
"default": "{{ awx_sftp_password }}",
"choices": "",
"new_question": true,
"variable": "awx_sftp_password",
"type": "password"
},
{
"question_name": "SFTP Public SSH Key (More Secure)",
"question_description": "Sets the public SSH key used to access the 'sftp' account, which allows you to upload a multi-file static website by SFTP, as well as export the latest copy of your Matrix service. Must be defined if 'SSH Key' method is selected.",
"required": false,
"min": 0,
"max": 16384,
"default": "{{ awx_sftp_public_key }}",
"choices": "",
"new_question": true,
"variable": "awx_sftp_public_key",
"type": "text"
}
]
}

18
roles/matrix-awx/surveys/backup_server.json.j2
Unescape View File

@ -1,18 +0,0 @@
{
"name": "Backup Server",
"description": "Performs a backup of the entire service to a remote location.",
"spec": [
{
"question_name": "Enable Backup",
"question_description": "Set if remote backup is enabled or not. If enabled a daily backup of your server will be sent to the backup server located in {{ backup_server_location }}.",
"required": false,
"min": null,
"max": null,
"default": "{{ awx_backup_enabled | string | lower }}",
"choices": "true\nfalse",
"new_question": true,
"variable": "awx_backup_enabled",
"type": "multiplechoice"
}
]
}

66
roles/matrix-awx/surveys/bridge_discord_appservice.json.j2
Unescape View File

@ -1,66 +0,0 @@
{
"name": "Bridge Discord Appservice",
"description": "Enables a private bridge you can use to connect Matrix rooms to Discord.",
"spec": [
{
"question_name": "Enable Discord AppService Bridge",
"question_description": "Enables a private bridge you can use to connect Matrix rooms to Discord.",
"required": true,
"min": null,
"max": null,
"default": "{{ matrix_appservice_discord_enabled | string | lower }}",
"choices": "true\nfalse",
"new_question": true,
"variable": "matrix_appservice_discord_enabled",
"type": "multiplechoice"
},
{
"question_name": "Discord OAuth2 Client ID",
"question_description": "The OAuth2 'CLIENT ID' which can be found in the 'OAuth2' tab of your new discord application: https://discord.com/developers/applications",
"required": true,
"min": 0,
"max": 128,
"default": "{{ matrix_appservice_discord_client_id | trim }}",
"choices": "",
"new_question": true,
"variable": "matrix_appservice_discord_client_id",
"type": "text"
},
{
"question_name": "Discord Bot Token",
"question_description": "The Bot 'TOKEN' which can be found in the 'Bot' tab of your new discord application: https://discord.com/developers/applications",
"required": true,
"min": 0,
"max": 256,
"default": "{{ matrix_appservice_discord_bot_token | trim }}",
"choices": "",
"new_question": true,
"variable": "matrix_appservice_discord_bot_token",
"type": "password"
},
{
"question_name": "Auto-Admin Matrix User",
"question_description": "The username you would like to be automatically joined and promoted to administrator (PL100) in bridged rooms. Exclude the '@' and server name postfix. So to create @stevo:example.org just enter 'stevo'.",
"required": false,
"min": 0,
"max": 1024,
"default": "",
"choices": "",
"new_question": true,
"variable": "awx_appservice_discord_admin_user",
"type": "text"
},
{
"question_name": "Auto-Admin Rooms",
"question_description": "A list of rooms you want the user to be automatically joined and promoted to administrator (PL100) in. These should be the internal IDs (for example '!axfBUsKhfAjSMBdjKX:example.org') separated by newlines.",
"required": false,
"min": 0,
"max": 4096,
"default": "",
"choices": "",
"new_question": true,
"variable": "awx_appservice_discord_admin_rooms",
"type": "textarea"
}
]
}

88
roles/matrix-awx/surveys/configure_corporal.json.j2
Unescape View File

@ -1,88 +0,0 @@
{
"name": "Configure Matrix Corporal",
"description": "Configure Matrix Corporal, a tool that manages your Matrix server according to a configuration policy.",
"spec": [
{
"question_name": "Enable Corporal",
"question_description": "Controls if Matrix Corporal is enabled at all. If you're unsure if you need Matrix Corporal or not, you most likely don't.",
"required": true,
"min": null,
"max": null,
"default": "{{ matrix_corporal_enabled|string|lower }}",
"choices": "true\nfalse",
"new_question": true,
"variable": "matrix_corporal_enabled",
"type": "multiplechoice"
},
{
"question_name": "Corporal Policy Provider",
"question_description": "Controls what provider policy is used with Matrix Corporal.",
"required": true,
"min": null,
"max": null,
"default": "{{ awx_corporal_policy_provider_mode }}",
"choices": "Simple Static File\nHTTP Pull Mode (API Enabled)\nHTTP Push Mode (API Enabled)",
"new_question": true,
"variable": "awx_corporal_policy_provider_mode",
"type": "multiplechoice"
},
{
"question_name": "Simple Static File Configuration",
"question_description": "The configuration file for Matrix Corporal, only needed if 'Simple Static File' provider is selected, any configuration entered here will be saved and applied.",
"required": false,
"min": 0,
"max": 65536,
"default": "",
"new_question": true,
"variable": "awx_corporal_simple_static_config",
"type": "textarea"
},
{
"question_name": "HTTP Pull Mode URI",
"question_description": "The network address to remotely fetch the configuration from. Only needed if 'HTTP Pull Mode (API Enabled)' provider is selected.",
"required": false,
"min": 0,
"max": 4096,
"default": "{{ awx_corporal_pull_mode_uri }}",
"new_question": true,
"variable": "awx_corporal_pull_mode_uri",
"type": "text"
},
{
"question_name": "HTTP Pull Mode Authentication Token",
"question_description": "An authentication token for pulling the Corporal configuration from a network location. Only needed if 'HTTP Pull Mode (API Enabled)' provider is selected. WARNING: You must set a strong and unique password here.",
"required": false,
"min": 0,
"max": 256,
"default": "{{ awx_corporal_pull_mode_token }}",
"choices": "",
"new_question": true,
"variable": "awx_corporal_pull_mode_token",
"type": "password"
},
{
"question_name": "Corporal API Authentication Token",
"question_description": "An authentication token for interfacing with Corporals API. Only needed to be set if 'HTTP Pull Mode (API Enabled)' or 'HTTP Push Mode (API Enabled)' provider is selected. WARNING: You must set a strong and unique password here.",
"required": false,
"min": 0,
"max": 256,
"default": "{{ matrix_corporal_http_api_auth_token }}",
"choices": "",
"new_question": true,
"variable": "matrix_corporal_http_api_auth_token",
"type": "password"
},
{
"question_name": "Raise Synapse Ratelimits",
"question_description": "For Matrix Corporal to work you will need to temporarily raise the rate limits for logins, please return this value to 'Normal' after you're done using Corporal.",
"required": false,
"min": null,
"max": null,
"default": "{{ awx_corporal_raise_ratelimits }}",
"choices": "Normal\nRaised",
"new_question": true,
"variable": "awx_corporal_raise_ratelimits",
"type": "multiplechoice"
}
]
}

30
roles/matrix-awx/surveys/configure_dimension.json.j2
Unescape View File

@ -1,30 +0,0 @@
{
"name": "Configure Dimension",
"description": "Configure Dimension, the self-hosted integrations server.",
"spec": [
{
"question_name": "Enable Dimension",
"question_description": "Enables the Dimension integration server, before doing this you need to create a CNAME record for 'dimension.{{ matrix_domain }}' that points to 'matrix.{{ matrix_domain }}'.",
"required": false,
"min": null,
"max": null,
"default": "{{ matrix_dimension_enabled | string | lower }}",
"choices": "true\nfalse",
"new_question": true,
"variable": "matrix_dimension_enabled",
"type": "multiplechoice"
},
{
"question_name": "Dimension Users",
"question_description": "Here you can list the user accounts that will be able to configure Dimension. Entries must be seperated with newlines and must be a complete Matrix ID. For example: '@dimension:{{ matrix_domain }}'",
"required": false,
"min": 0,
"max": 65536,
"default": {{ awx_dimension_users_final | to_json }},
"choices": "",
"new_question": true,
"variable": "awx_dimension_users",
"type": "textarea"
}
]
}

114
roles/matrix-awx/surveys/configure_element.json.j2
Unescape View File

@ -1,114 +0,0 @@
{
"name": "Configure Element",
"description": "Configure Element web client, Element is the most developed Matrix client software.",
"spec": [
{
"question_name": "Enable Element-Web",
"question_description": "Set if Element web client is enabled or not.",
"required": true,
"min": null,
"max": null,
"default": "{{ matrix_client_element_enabled }}",
"choices": "true\nfalse",
"new_question": true,
"variable": "matrix_client_element_enabled",
"type": "multiplechoice"
},
{
"question_name": "Set Theme for Web Client",
"question_description": "Sets the default theme for the web client, can be changed later by individual users.",
"required": false,
"min": null,
"max": null,
"default": "{{ matrix_client_element_default_theme }}",
"choices": "light\ndark",
"new_question": true,
"variable": "matrix_client_element_default_theme",
"type": "multiplechoice"
},
{
"question_name": "Set Branding for Web Client",
"question_description": "Sets the 'branding' seen in the tab and on the welcome page to a custom value.Leaving this field blank will cause the default branding will be used: 'Element'",
"required": false,
"min": 0,
"max": 256,
"default": "{{ matrix_client_element_brand | trim }}",
"choices": "",
"new_question": true,
"variable": "matrix_client_element_brand",
"type": "text"
},
{
"question_name": "Set Welcome Page Background",
"question_description": "Sets the background image on the welcome page, you should enter a URL to the image you want to use. Must be a 'https' link, otherwise it won't be set. Leaving this field blank will cause the default background to be used.",
"required": false,
"min": 0,
"max": 1024,
"default": "{{ matrix_client_element_branding_welcomeBackgroundUrl | trim }}",
"choices": "",
"new_question": true,
"variable": "matrix_client_element_branding_welcomeBackgroundUrl",
"type": "text"
},
{
"question_name": "Set Welcome Page Logo",
"question_description": "Sets the logo found on the welcome and login page, must be a valid https link to your logo, the logo itself should be a square vector image (SVG). Leaving this field blank will cause the default Element logo to be used.",
"required": false,
"min": 0,
"max": 1024,
"default": "{{ matrix_client_element_welcome_logo | trim }}",
"choices": "",
"new_question": true,
"variable": "matrix_client_element_welcome_logo",
"type": "text"
},
{
"question_name": "Set Welcome Page Logo URL",
"question_description": "Sets the URL link the welcome page logo leads to, must be a valid https link. Leaving this field blank will cause this default link to be used: 'https://element.io'",
"required": false,
"min": 0,
"max": 1024,
"default": "{{ matrix_client_element_welcome_logo_link | trim }}",
"choices": "",
"new_question": true,
"variable": "matrix_client_element_welcome_logo_link",
"type": "text"
},
{
"question_name": "Set Welcome Page Headline",
"question_description": "Sets the headline seen on the welcome page. Leaving this field blank will cause this default headline to be used: 'Welcome to Element!'",
"required": false,
"min": 0,
"max": 512,
"default": "{{ awx_matrix_client_element_welcome_headline | trim }}",
"choices": "",
"new_question": true,
"variable": "awx_matrix_client_element_welcome_headline",
"type": "text"
},
{
"question_name": "Set Welcome Page Text",
"question_description": "Sets the text seen on the welcome page. Leaving this field blank will cause this default headline to be used: 'Decentralised, encrypted chat & collaboration powered by [Matrix]'",
"required": false,
"min": 0,
"max": 2048,
"default": "{{ awx_matrix_client_element_welcome_text | trim }}",
"choices": "",
"new_question": true,
"variable": "awx_matrix_client_element_welcome_text",
"type": "text"
},
{
"question_name": "Show Registration Button",
"question_description": "If you show the registration button on the welcome page.",
"required": false,
"min": null,
"max": null,
"default": "{{ matrix_client_element_registration_enabled }}",
"choices": "true\nfalse",
"new_question": true,
"variable": "matrix_client_element_registration_enabled",
"type": "multiplechoice"
}
]
}

18
roles/matrix-awx/surveys/configure_element_subdomain.json.j2
Unescape View File

@ -1,18 +0,0 @@
{
"name": "Configure Element Subdomain",
"description": "Configure Element clients subdomain location. (Eg: 'element' for element.example.org)",
"spec": [
{
"question_name": "Set Element Subdomain",
"question_description": "Sets the subdomain of the Element web-client, you should only specify the subdomain, not the base domain you've already set. (Eg: 'element' for element.example.org) Note that if you change this value you'll need to reconfigure your DNS.",
"required": false,
"min": 0,
"max": 2048,
"default": "{{ awx_element_subdomain }}",
"choices": "",
"new_question": true,
"variable": "awx_element_subdomain",
"type": "text"
}
]
}

19
roles/matrix-awx/surveys/configure_email_relay.json.j2
Unescape View File

@ -1,19 +0,0 @@
{
"name": "Configure Email Relay",
"description": "Enable MailGun relay to increase verification email reliability.",
"spec": [
{
"question_name": "Enable Email Relay",
"question_description": "Enables the MailGun email relay server, enabling this will increase the reliability of your email verification.",
"required": false,
"min": null,
"max": null,
"default": "{{ matrix_mailer_relay_use | string | lower }}",
"choices": "true\nfalse",
"new_question": true,
"variable": "matrix_mailer_relay_use",
"type": "multiplechoice"
}
]
}

31
roles/matrix-awx/surveys/configure_jitsi.json.j2
Unescape View File

@ -1,31 +0,0 @@
{
"name": "Configure Jitsi",
"description": "Configure Jitsi conferencing settings.",
"spec": [
{
"question_name": "Enable Jitsi",
"question_description": "Set if Jitsi is enabled or not. If disabled your server will use the https://jitsi.riot.im server. If you're on a smaller server disabling this might increase the performance of your Matrix service.",
"required": false,
"min": null,
"max": null,
"default": "{{ matrix_jitsi_enabled }}",
"choices": "true\nfalse",
"new_question": true,
"variable": "matrix_jitsi_enabled",
"type": "multiplechoice"
},
{
"question_name": "Set Default Language",
"question_description": "2 digit 639-1 language code to adjust the language of the web client. For a list of possible codes see: https://en.wikipedia.org/wiki/List_of_ISO_639-1_codes",
"required": false,
"min": 0,
"max": 2,
"default": "{{ matrix_jitsi_web_config_defaultLanguage }}",
"choices": "",
"new_question": true,
"variable": "matrix_jitsi_web_config_defaultLanguage",
"type": "text"
}
]
}

41
roles/matrix-awx/surveys/configure_ma1sd.json.j2
Unescape View File

@ -1,41 +0,0 @@
{
"name": "Configure ma1sd",
"description": "Configure ma1sd settings, ma1sd is a self-hosted identity server for Matrix.",
"spec": [
{
"question_name": "Enable ma1sd",
"question_description": "Set if ma1sd is enabled or not. If disabled your server will loose identity functionality (not recommended).",
"required": false,
"min": null,
"max": null,
"default": "{{ matrix_ma1sd_enabled | string | lower }}",
"choices": "true\nfalse",
"new_question": true,
"variable": "matrix_ma1sd_enabled",
"type": "multiplechoice"
},
{
"question_name": "ma1sd Authentication Mode",
"question_description": "Set the source of user account authentication credentials with the ma1sd.",
"required": false,
"min": null,
"max": null,
"default": "{{ awx_matrix_ma1sd_auth_store }}",
"choices": "Synapse Internal\nLDAP/AD",
"new_question": true,
"variable": "awx_matrix_ma1sd_auth_store",
"type": "multiplechoice"
},
{
"question_name": "LDAP/AD Configuration",
"question_description": "Settings for connecting LDAP/AD to the ma1sd service. (ignored if using Synapse Internal, see https://github.com/ma1uta/ma1sd/blob/master/docs/stores/README.md )",
"required": false,
"min": 0,
"max": 65536,
"default": {{ awx_matrix_ma1sd_configuration_extension_yaml | to_json }},
"new_question": true,
"variable": "awx_matrix_ma1sd_configuration_extension_yaml",
"type": "textarea"
}
]
}

198
roles/matrix-awx/surveys/configure_synapse.json.j2
Unescape View File

@ -1,198 +0,0 @@
{
"name": "Configure Synapse",
"description": "Configure Synapse settings. Synapse is the homeserver software that powers your Matrix instance.",
"spec": [
{
"question_name": "Enable Public Registration",
"question_description": "Controls whether people with access to the homeserver can register by themselves.",
"required": false,
"min": null,
"max": null,
"default": "{{ matrix_synapse_enable_registration | string | lower }}",
"choices": "true\nfalse",
"new_question": true,
"variable": "matrix_synapse_enable_registration",
"type": "multiplechoice"
},
{
"question_name": "Enable Federation",
"question_description": "Controls whether Synapse will federate at all. Disable this to completely isolate your server from the rest of the Matrix network.",
"required": false,
"min": null,
"max": null,
"default": "{{ matrix_synapse_federation_enabled | string | lower }}",
"choices": "true\nfalse",
"new_question": true,
"variable": "matrix_synapse_federation_enabled",
"type": "multiplechoice"
},
{
"question_name": "Allow Public Rooms Over Federation",
"question_description": "Controls whether remote servers can fetch this server's public rooms directory via federation. For private servers, you'll most likely want to forbid this.",
"required": false,
"min": null,
"max": null,
"default": "{{ matrix_synapse_allow_public_rooms_over_federation | string | lower }}",
"choices": "true\nfalse",
"new_question": true,
"variable": "matrix_synapse_allow_public_rooms_over_federation",
"type": "multiplechoice"
},
{
"question_name": "Enable Community Creation",
"question_description": "Allows regular users (who aren't server admins) to create 'communities', which are basically groups of rooms.",
"required": false,
"min": null,
"max": null,
"default": "{{ matrix_synapse_enable_group_creation | string | lower }}",
"choices": "true\nfalse",
"new_question": true,
"variable": "matrix_synapse_enable_group_creation",
"type": "multiplechoice"
},
{
"question_name": "Enable Synapse Presence",
"question_description": "Controls whether presence is enabled. This shows who's online and reading your posts. Disabling it will increase both performance and user privacy.",
"required": false,
"min": null,
"max": null,
"default": "{{ matrix_synapse_presence_enabled | string | lower }}",
"choices": "true\nfalse",
"new_question": true,
"variable": "matrix_synapse_presence_enabled",
"type": "multiplechoice"
},
{
"question_name": "Enable URL Previews",
"question_description": "Controls whether URL previews should be generated. This will cause a request from Synapse to URLs shared by users.",
"required": false,
"min": null,
"max": null,
"default": "{{ matrix_synapse_url_preview_enabled | string | lower }}",
"choices": "true\nfalse",
"new_question": true,
"variable": "matrix_synapse_url_preview_enabled",
"type": "multiplechoice"
},
{
"question_name": "Enable Guest Access",
"question_description": "Controls whether 'guest accounts' can access rooms without registering. Guest users do not count towards your servers user limit.",
"required": false,
"min": null,
"max": null,
"default": "{{ matrix_synapse_allow_guest_access | string | lower }}",
"choices": "true\nfalse",
"new_question": true,
"variable": "matrix_synapse_allow_guest_access",
"type": "multiplechoice"
},
{
"question_name": "Registration Requires Email",
"question_description": "Controls whether an email address is required to register on the server.",
"required": false,
"min": null,
"max": null,
"default": "{{ awx_registrations_require_3pid | string | lower }}",
"choices": "true\nfalse",
"new_question": true,
"variable": "awx_registrations_require_3pid",
"type": "multiplechoice"
},
{
"question_name": "Registration Shared Secret",
"question_description": "A secret that allows registration of standard or admin accounts by anyone who has the shared secret, even if registration is otherwise disabled. WARNING: You must set a strong and unique password here.",
"required": false,
"min": 0,
"max": 256,
"default": "",
"choices": "",
"new_question": true,
"variable": "awx_matrix_synapse_registration_shared_secret",
"type": "password"
},
{
"question_name": "Synapse Max Upload Size",
"question_description": "Sets the maximum size for uploaded files in MB.",
"required": false,
"min": 0,
"max": 3,
"default": "{{ matrix_synapse_max_upload_size_mb }}",
"choices": "",
"new_question": true,
"variable": "awx_synapse_max_upload_size_mb",
"type": "text"
},
{
"question_name": "URL Preview Languages",
"question_description": "Sets the languages that URL previews will be generated in. Entries are a 2-3 letter IETF language tag, they must be seperated with newlines. For example: 'fr' https://en.wikipedia.org/wiki/IETF_language_tag",
"required": false,
"min": 0,
"max": 65536,
"default": {{ awx_url_preview_accept_language_default | to_json }},
"choices": "",
"new_question": true,
"variable": "awx_url_preview_accept_language",
"type": "textarea"
},
{
"question_name": "Federation Whitelist",
"question_description": "Here you can list the URLs of other Matrix homeservers and Synapse will only federate with those homeservers. Entries must be seperated with newlines and must not have a 'https://' prefix. For example: 'matrix.example.org'",
"required": false,
"min": 0,
"max": 65536,
"default": {{ awx_federation_whitelist | to_json }},
"choices": "",
"new_question": true,
"variable": "awx_federation_whitelist",
"type": "textarea"
},
{
"question_name": "Synapse Auto-Join Rooms",
"question_description": "Sets the 'auto-join' rooms, where new users will be automatically invited to, these rooms must already exist. Entries must be room addresses that are separated with newlines. For example: '#announcements:example.org'",
"required": false,
"min": 0,
"max": 65536,
"default": {{ awx_synapse_auto_join_rooms | to_json }},
"choices": "",
"new_question": true,
"variable": "awx_synapse_auto_join_rooms",
"type": "textarea"
},
{
"question_name": "Enable ReCaptcha on Registration",
"question_description": "Enables Googles ReCaptcha verification for registering an account, recommended for public servers.",
"required": false,
"min": null,
"max": null,
"default": "{{ awx_enable_registration_captcha | string | lower }}",
"choices": "true\nfalse",
"new_question": true,
"variable": "awx_enable_registration_captcha",
"type": "multiplechoice"
},
{
"question_name": "Recaptcha Public Key",
"question_description": "Sets the Google ReCaptcha public key for this website.",
"required": false,
"min": 0,
"max": 40,
"default": "{{ awx_recaptcha_public_key }}",
"choices": "",
"new_question": true,
"variable": "awx_recaptcha_public_key",
"type": "text"
},
{
"question_name": "Recaptcha Private Key",
"question_description": "Sets the Google ReCaptcha private key for this website.",
"required": false,
"min": 0,
"max": 40,
"default": "{{ awx_recaptcha_private_key }}",
"choices": "",
"new_question": true,
"variable": "awx_recaptcha_private_key",
"type": "text"
}
]
}

18
roles/matrix-awx/surveys/configure_synapse_admin.json.j2
Unescape View File

@ -1,18 +0,0 @@
{
"name": "Configure Synapse Admin",
"description": "Configure 'Synapse Admin', a moderation tool to help you manage your server.",
"spec": [
{
"question_name": "Enable Synapse Admin",
"question_description": "Set if Synapse Admin is enabled or not. If enabled you can access it at https://{{ matrix_server_fqn_matrix }}/synapse-admin.",
"required": false,
"min": null,
"max": null,
"default": "{{ matrix_synapse_admin_enabled | string | lower }}",
"choices": "true\nfalse",
"new_question": true,
"variable": "matrix_synapse_admin_enabled",
"type": "multiplechoice"
}
]
}

54
roles/matrix-awx/surveys/configure_website_access_export.json.j2
Unescape View File

@ -1,54 +0,0 @@
{
"name": "Configure Website Access Backup",
"description": "Configure base domain website settings and access the services backup.",
"spec": [
{
"question_name": "Customise Base Domain Website",
"question_description": "Set if you want to adjust the base domain website using SFTP.",
"required": true,
"min": null,
"max": null,
"default": "{{ awx_customise_base_domain_website | string | lower }}",
"choices": "true\nfalse",
"new_question": true,
"variable": "awx_customise_base_domain_website",
"type": "multiplechoice"
},
{
"question_name": "SFTP Authorisation Method",
"question_description": "Set whether you want to disable SFTP, use a password to connect to SFTP or connect with a more secure SSH key.",
"required": true,
"min": null,
"max": null,
"default": "{{ awx_sftp_auth_method | string }}",
"choices": "Disabled\nPassword\nSSH Key",
"new_question": true,
"variable": "awx_sftp_auth_method",
"type": "multiplechoice"
},
{
"question_name": "SFTP Password",
"question_description": "Sets the password of the 'sftp' account, which allows you to upload a multi-file static website by SFTP, as well as export the latest copy of your Matrix service. Must be defined if 'Password' method is selected. WARNING: You must set a strong and unique password here.",
"required": false,
"min": 0,
"max": 64,
"default": "{{ awx_sftp_password }}",
"choices": "",
"new_question": true,
"variable": "awx_sftp_password",
"type": "password"
},
{
"question_name": "SFTP Public SSH Key (More Secure)",
"question_description": "Sets the public SSH key used to access the 'sftp' account, which allows you to upload a multi-file static website by SFTP, as well as export the latest copy of your Matrix service. Must be defined if 'SSH Key' method is selected.",
"required": false,
"min": 0,
"max": 16384,
"default": "{{ awx_sftp_public_key }}",
"choices": "",
"new_question": true,
"variable": "awx_sftp_public_key",
"type": "text"
}
]
}

100
roles/matrix-awx/tasks/backup_server.yml
Unescape View File

@ -1,100 +0,0 @@
- name: Record Backup Server variables locally on AWX
delegate_to: 127.0.0.1
lineinfile:
path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml'
regexp: "^#? *{{ item.key | regex_escape() }}:"
line: "{{ item.key }}: {{ item.value }}"
insertafter: '# AWX Settings Start'
with_dict:
'awx_backup_enabled': '{{ awx_backup_enabled }}'
tags: use-survey
- name: Save new 'Backup Server' survey.json to the AWX tower, template
delegate_to: 127.0.0.1
template:
src: 'roles/matrix-awx/surveys/backup_server.json.j2'
dest: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/backup_server.json'
tags: use-survey
- name: Copy new 'Backup Server' survey.json to target machine
copy:
src: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/backup_server.json'
dest: '/matrix/awx/backup_server.json'
mode: '0660'
tags: use-survey
- name: Recreate 'Backup Server' job template
delegate_to: 127.0.0.1
awx.awx.tower_job_template:
name: "{{ matrix_domain }} - 0 - Backup Server"
description: "Performs a backup of the entire service to a remote location."
extra_vars: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/extra_vars.json') }}"
job_type: run
job_tags: "backup-server,use-survey"
inventory: "{{ member_id }}"
project: "{{ member_id }} - Matrix Docker Ansible Deploy"
playbook: setup.yml
credential: "{{ member_id }} - AWX SSH Key"
survey_enabled: true
survey_spec: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/backup_server.json') }}"
become_enabled: yes
state: present
verbosity: 1
tower_host: "https://{{ awx_host }}"
tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}"
validate_certs: yes
tags: use-survey
- name: Include vars in matrix_vars.yml
include_vars:
file: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml'
no_log: True
- name: Copy new 'matrix_vars.yml' to target machine
copy:
src: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml'
dest: '/matrix/awx/matrix_vars.yml'
mode: '0660'
tags: use-survey
- name: Run initial backup of /matrix/ and snapshot the database simultaneously
command: "{{ item }}"
with_items:
- borgmatic -c /root/.config/borgmatic/config_1.yaml
- /bin/sh /usr/local/bin/awx-export-service.sh 1 0
register: _create_instances
async: 3600 # Maximum runtime in seconds.
poll: 0 # Fire and continue (never poll)
when: awx_backup_enabled|bool
- name: Wait for both of these jobs to finish
async_status:
jid: "{{ item.ansible_job_id }}"
register: _jobs
until: _jobs.finished
delay: 5 # Check every 5 seconds.
retries: 720 # Retry for a full hour.
with_items: "{{ _create_instances.results }}"
when: awx_backup_enabled|bool
- name: Perform borg backup of postgres dump
command: borgmatic -c /root/.config/borgmatic/config_2.yaml
when: awx_backup_enabled|bool
- name: Delete the AWX session token for executing modules
awx.awx.tower_token:
description: 'AWX Session Token'
scope: "write"
state: absent
existing_token_id: "{{ awx_session_token.ansible_facts.tower_token.id }}"
tower_host: "https://{{ awx_host }}"
tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}"
- name: Set boolean value to exit playbook
set_fact:
awx_end_playbook: true
- name: End playbook if this task list is called.
meta: end_play
when: awx_end_playbook is defined and awx_end_playbook|bool

57
roles/matrix-awx/tasks/bridge_discord_appservice.yml
Unescape View File

@ -1,57 +0,0 @@
- name: Record Bridge Discord AppService variables locally on AWX
delegate_to: 127.0.0.1
lineinfile:
path: '{{ awx_cached_matrix_vars }}'
regexp: "^#? *{{ item.key | regex_escape() }}:"
line: "{{ item.key }}: {{ item.value }}"
insertafter: '# Bridge Discord AppService Start'
with_dict:
'matrix_appservice_discord_enabled': '{{ matrix_appservice_discord_enabled }}'
'matrix_appservice_discord_client_id': '{{ matrix_appservice_discord_client_id }}'
'matrix_appservice_discord_bot_token': '{{ matrix_appservice_discord_bot_token }}'
- name: If the raw inputs is not empty start constructing parsed awx_appservice_discord_admin_rooms list
set_fact:
awx_appservice_discord_admin_rooms_array: |-
{{ awx_appservice_discord_admin_rooms.splitlines() | to_json }}
when: awx_appservice_discord_admin_rooms | trim | length > 0
- name: Promote user to administer (PL100) of each room
command: |
docker exec -i matrix-appservice-discord /bin/sh -c 'cp /cfg/registration.yaml /tmp/discord-registration.yaml && cd /tmp && node /build/tools/adminme.js -c /cfg/config.yaml -m "{{ item.1 }}" -u "@{{ awx_appservice_discord_admin_user }}:{{ matrix_domain }}" -p 100'
with_indexed_items:
- "{{ awx_appservice_discord_admin_rooms_array }}"
when: ( awx_appservice_discord_admin_rooms | trim | length > 0 ) and ( awx_appservice_discord_admin_user is defined )
- name: Save new 'Bridge Discord Appservice' survey.json to the AWX tower, template
delegate_to: 127.0.0.1
template:
src: 'roles/matrix-awx/surveys/bridge_discord_appservice.json.j2'
dest: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}//bridge_discord_appservice.json'
- name: Copy new 'Bridge Discord Appservice' survey.json to target machine
copy:
src: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/bridge_discord_appservice.json'
dest: '/matrix/awx/bridge_discord_appservice.json'
mode: '0660'
- name: Recreate 'Bridge Discord Appservice' job template
delegate_to: 127.0.0.1
awx.awx.tower_job_template:
name: "{{ matrix_domain }} - 3 - Bridge Discord AppService"
description: "Enables a private bridge you can use to connect Matrix rooms to Discord."
extra_vars: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/extra_vars.json') }}"
job_type: run
job_tags: "start,setup-all,bridge-discord-appservice"
inventory: "{{ member_id }}"
project: "{{ member_id }} - Matrix Docker Ansible Deploy"
playbook: setup.yml
credential: "{{ member_id }} - AWX SSH Key"
survey_enabled: true
survey_spec: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/bridge_discord_appservice.json') }}"
state: present
verbosity: 1
tower_host: "https://{{ awx_host }}"
tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}"
validate_certs: yes

12
roles/matrix-awx/tasks/cache_matrix_variables.yml
Unescape View File

@ -1,12 +0,0 @@
- name: Collect current datetime
set_fact:
awx_datetime: "{{ lookup('pipe', 'date +%Y-%m-%d_%H:%M') }}"
- name: Create cached matrix_vars.yml file location
set_fact:
awx_cached_matrix_vars: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars_{{ awx_datetime }}.yml'
- name: Create cached matrix_vars.yml
delegate_to: 127.0.0.1
shell: "cp /var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml {{ awx_cached_matrix_vars }}"

10
roles/matrix-awx/tasks/create_session_token.yml
Unescape View File

@ -1,10 +0,0 @@
- name: Create a AWX session token for executing modules
awx.awx.tower_token:
description: 'AWX Session Token'
scope: "write"
state: present
tower_host: "https://{{ awx_host }}"
tower_oauthtoken: "{{ awx_master_token }}"
register: awx_session_token
no_log: True

40
roles/matrix-awx/tasks/create_user.yml
Unescape View File

@ -1,40 +0,0 @@
#
# Create user and define if they are admin
#
# /usr/local/bin/matrix-synapse-register-user <your_username> <your_password> <admin access: 0 or 1>
#
- name: Set admin bool to zero
set_fact:
awx_admin_bool: 0
when: awx_admin_access == 'false'
- name: Examine if server admin set
set_fact:
awx_admin_bool: 1
when: awx_admin_access == 'true'
- name: Create user account
command: |
/usr/local/bin/matrix-synapse-register-user {{ awx_new_username | quote }} {{ awx_new_password | quote }} {{ awx_admin_bool }}
register: awx_cmd_output
- name: Delete the AWX session token for executing modules
awx.awx.tower_token:
description: 'AWX Session Token'
scope: "write"
state: absent
existing_token_id: "{{ awx_session_token.ansible_facts.tower_token.id }}"
tower_host: "https://{{ awx_host }}"
tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}"
- name: Set boolean value to exit playbook
set_fact:
awx_end_playbook: true
- name: Result
debug: msg="{{ awx_cmd_output.stdout }}"
- name: End playbook if this task list is called.
meta: end_play
when: awx_end_playbook is defined and awx_end_playbook|bool

267
roles/matrix-awx/tasks/customise_website_access_export.yml
Unescape View File

@ -1,267 +0,0 @@
---
- name: Enable index.html creation if user doesn't wish to customise base domain
delegate_to: 127.0.0.1
lineinfile:
path: '{{ awx_cached_matrix_vars }}'
regexp: "^#? *{{ item.key | regex_escape() }}:"
line: "{{ item.key }}: {{ item.value }}"
insertafter: '# Base Domain Settings Start'
with_dict:
'matrix_nginx_proxy_base_domain_homepage_enabled': 'true'
when: (awx_customise_base_domain_website is defined) and not awx_customise_base_domain_website|bool
- name: Disable index.html creation to allow multi-file site if user does wish to customise base domain
delegate_to: 127.0.0.1
lineinfile:
path: '{{ awx_cached_matrix_vars }}'
regexp: "^#? *{{ item.key | regex_escape() }}:"
line: "{{ item.key }}: {{ item.value }}"
insertafter: '# Base Domain Settings Start'
with_dict:
'matrix_nginx_proxy_base_domain_homepage_enabled': 'false'
when: (awx_customise_base_domain_website is defined) and awx_customise_base_domain_website|bool
- name: Record custom 'Customise Website + Access Export' variables locally on AWX
delegate_to: 127.0.0.1
lineinfile:
path: '{{ awx_cached_matrix_vars }}'
regexp: "^#? *{{ item.key | regex_escape() }}:"
line: "{{ item.key }}: {{ item.value }}"
insertafter: '# Custom Settings Start'
with_dict:
'awx_sftp_auth_method': '"{{ awx_sftp_auth_method }}"'
'awx_sftp_password': '"{{ awx_sftp_password }}"'
'awx_sftp_public_key': '"{{ awx_sftp_public_key }}"'
- name: Record custom 'Customise Website + Access Export' variables locally on AWX
delegate_to: 127.0.0.1
lineinfile:
path: '{{ awx_cached_matrix_vars }}'
regexp: "^#? *{{ item.key | regex_escape() }}:"
line: "{{ item.key }}: {{ item.value }}"
insertafter: '# Custom Settings Start'
with_dict:
'awx_customise_base_domain_website': '{{ awx_customise_base_domain_website }}'
when: awx_customise_base_domain_website is defined
- name: Reload vars in matrix_vars.yml
include_vars:
file: '{{ awx_cached_matrix_vars }}'
no_log: True
- name: Save new 'Customise Website + Access Export' survey.json to the AWX tower, template
delegate_to: 127.0.0.1
template:
src: './roles/matrix-awx/surveys/configure_website_access_export.json.j2'
dest: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_website_access_export.json'
when: awx_customise_base_domain_website is defined
- name: Copy new 'Customise Website + Access Export' survey.json to target machine
copy:
src: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_website_access_export.json'
dest: '/matrix/awx/configure_website_access_export.json'
mode: '0660'
when: awx_customise_base_domain_website is defined
- name: Save new 'Customise Website + Access Export' survey.json to the AWX tower, template
delegate_to: 127.0.0.1
template:
src: './roles/matrix-awx/surveys/access_export.json.j2'
dest: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/access_export.json'
when: awx_customise_base_domain_website is undefined
- name: Copy new 'Customise Website + Access Export' survey.json to target machine
copy:
src: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/access_export.json'
dest: '/matrix/awx/access_export.json'
mode: '0660'
when: awx_customise_base_domain_website is undefined
- name: Recreate 'Configure Website + Access Export' job template
delegate_to: 127.0.0.1
awx.awx.tower_job_template:
name: "{{ matrix_domain }} - 1 - Configure Website + Access Export"
description: "Configure base domain website settings and access the servers export."
extra_vars: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/extra_vars.json') }}"
job_type: run
job_tags: "start,setup-nginx-proxy"
inventory: "{{ member_id }}"
project: "{{ member_id }} - Matrix Docker Ansible Deploy"
playbook: setup.yml
credential: "{{ member_id }} - AWX SSH Key"
survey_enabled: true
survey_spec: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_website_access_export.json') }}"
become_enabled: yes
state: present
verbosity: 1
tower_host: "https://{{ awx_host }}"
tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}"
validate_certs: yes
when: awx_customise_base_domain_website is defined
- name: Recreate 'Access Export' job template
delegate_to: 127.0.0.1
awx.awx.tower_job_template:
name: "{{ matrix_domain }} - 1 - Access Export"
description: "Access the services export."
extra_vars: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/extra_vars.json') }}"
job_type: run
job_tags: "start,setup-nginx-proxy"
inventory: "{{ member_id }}"
project: "{{ member_id }} - Matrix Docker Ansible Deploy"
playbook: setup.yml
credential: "{{ member_id }} - AWX SSH Key"
survey_enabled: true
survey_spec: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/access_export.json') }}"
become_enabled: yes
state: present
verbosity: 1
tower_host: "https://{{ awx_host }}"
tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}"
validate_certs: yes
when: awx_customise_base_domain_website is undefined
- name: If user doesn't define a awx_sftp_password, create a disabled 'sftp' account
user:
name: sftp
comment: SFTP user to set custom web files and access servers export
shell: /bin/false
home: /home/sftp
group: matrix
password: '*'
update_password: always
when: awx_sftp_password|length == 0
- name: If user defines awx_sftp_password, enable account and set password on 'stfp' account
user:
name: sftp
comment: SFTP user to set custom web files and access servers export
shell: /bin/false
home: /home/sftp
group: matrix
password: "{{ awx_sftp_password | password_hash('sha512') }}"
update_password: always
when: awx_sftp_password|length > 0
- name: Ensure group "sftp" exists
group:
name: sftp
state: present
- name: adding existing user 'sftp' to group matrix
user:
name: sftp
groups: sftp
append: yes
when: awx_customise_base_domain_website is defined
- name: Create the ro /chroot directory with sticky bit if it doesn't exist. (/chroot/website has matrix:matrix permissions and is mounted to nginx container)
file:
path: /chroot
state: directory
owner: root
group: root
mode: '1755'
- name: Ensure /chroot/website location exists.
file:
path: /chroot/website
state: directory
owner: matrix
group: matrix
mode: '0770'
when: awx_customise_base_domain_website is defined
- name: Ensure /chroot/export location exists
file:
path: /chroot/export
state: directory
owner: sftp
group: sftp
mode: '0700'
- name: Ensure /home/sftp/.ssh location exists
file:
path: /home/sftp/.ssh
state: directory
owner: sftp
group: sftp
mode: '0700'
- name: Ensure /home/sftp/authorized_keys exists
file:
path: /home/sftp/.ssh/authorized_keys
state: touch
owner: sftp
group: sftp
mode: '0644'
- name: Clear authorized_keys file
shell: echo "" > /home/sftp/.ssh/authorized_keys
- name: Insert public SSH key into authorized_keys file
lineinfile:
path: /home/sftp/.ssh/authorized_keys
line: "{{ awx_sftp_public_key }}"
owner: sftp
group: sftp
mode: '0644'
when: (awx_sftp_public_key | length > 0) and (awx_sftp_auth_method == "SSH Key")
- name: Remove any existing Subsystem lines
lineinfile:
path: /etc/ssh/sshd_config
state: absent
regexp: '^Subsystem'
- name: Set SSH Subsystem State
lineinfile:
path: /etc/ssh/sshd_config
insertafter: "^# override default of no subsystems"
line: "Subsystem sftp internal-sftp"
- name: Add SSH Match User section for disabled auth
blockinfile:
path: /etc/ssh/sshd_config
state: absent
block: |
Match User sftp
ChrootDirectory /chroot
PermitTunnel no
X11Forwarding no
AllowTcpForwarding no
PasswordAuthentication yes
AuthorizedKeysFile /home/sftp/.ssh/authorized_keys
when: awx_sftp_auth_method == "Disabled"
- name: Add SSH Match User section for password auth
blockinfile:
path: /etc/ssh/sshd_config
state: present
block: |
Match User sftp
ChrootDirectory /chroot
PermitTunnel no
X11Forwarding no
AllowTcpForwarding no
PasswordAuthentication yes
when: awx_sftp_auth_method == "Password"
- name: Add SSH Match User section for publickey auth
blockinfile:
path: /etc/ssh/sshd_config
state: present
block: |
Match User sftp
ChrootDirectory /chroot
PermitTunnel no
X11Forwarding no
AllowTcpForwarding no
AuthorizedKeysFile /home/sftp/.ssh/authorized_keys
when: awx_sftp_auth_method == "SSH Key"
- name: Restart service ssh.service
service:
name: ssh.service
state: restarted

10
roles/matrix-awx/tasks/delete_session_token.yml
Unescape View File

@ -1,10 +0,0 @@
---
- name: Delete the AWX session token for executing modules
awx.awx.tower_token:
description: 'AWX Session Token'
scope: "write"
state: absent
existing_token_id: "{{ awx_session_token.ansible_facts.tower_token.id }}"
tower_host: "https://{{ awx_host }}"
tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}"

43
roles/matrix-awx/tasks/export_server.yml
Unescape View File

@ -1,43 +0,0 @@
---
- name: Run export of /matrix/ and snapshot the database simultaneously
command: "{{ item }}"
with_items:
- /bin/sh /usr/local/bin/awx-export-service.sh 1 0
- /bin/sh /usr/local/bin/awx-export-service.sh 0 1
register: awx_create_instances
async: 3600 # Maximum runtime in seconds.
poll: 0 # Fire and continue (never poll)
- name: Wait for both of these jobs to finish
async_status:
jid: "{{ item.ansible_job_id }}"
register: awx_jobs
until: awx_jobs.finished
delay: 5 # Check every 5 seconds.
retries: 720 # Retry for a full hour.
with_items: "{{ awx_create_instances.results }}"
- name: Schedule deletion of the export in 24 hours
at:
command: rm /chroot/export/matrix*
count: 1
units: days
unique: yes
- name: Delete the AWX session token for executing modules
awx.awx.tower_token:
description: 'AWX Session Token'
scope: "write"
state: absent
existing_token_id: "{{ awx_session_token.ansible_facts.tower_token.id }}"
tower_host: "https://{{ awx_host }}"
tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}"
- name: Set boolean value to exit playbook
set_fact:
awx_end_playbook: true
- name: End playbook if this task list is called.
meta: end_play
when: awx_end_playbook is defined and awx_end_playbook|bool

7
roles/matrix-awx/tasks/import_awx.yml
Unescape View File

@ -1,7 +0,0 @@
---
- name: Ensure correct ownership of /matrix/awx
shell: chown -R matrix:matrix /matrix/awx
- name: Ensure correct ownership of /matrix/synapse
shell: chown -R matrix:matrix /matrix/synapse

16
roles/matrix-awx/tasks/load_hosting_and_org_variables.yml
Unescape View File

@ -1,16 +0,0 @@
---
- name: Include vars in organisation.yml
include_vars:
file: '/var/lib/awx/projects/clients/{{ member_id }}/organisation.yml'
no_log: True
- name: Include vars in hosting_vars.yml
include_vars:
file: '/var/lib/awx/projects/hosting/hosting_vars.yml'
no_log: True
- name: Include AWX master token from awx_tokens.yml
include_vars:
file: /var/lib/awx/projects/hosting/awx_tokens.yml
no_log: True

16
roles/matrix-awx/tasks/load_matrix_variables.yml
Unescape View File

@ -1,16 +0,0 @@
---
- name: Include new vars in matrix_vars.yml
include_vars:
file: '{{ awx_cached_matrix_vars }}'
no_log: True
- name: If include_vars succeeds overwrite the old matrix_vars.yml
delegate_to: 127.0.0.1
shell: "cp {{ awx_cached_matrix_vars }} /var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml && rm {{ awx_cached_matrix_vars }}"
- name: Copy new 'matrix_vars.yml' to target machine
copy:
src: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml'
dest: '/matrix/awx/matrix_vars.yml'
mode: '0660'

225
roles/matrix-awx/tasks/main.yml
Unescape View File

@ -1,225 +0,0 @@
# Load initial hosting and organisation variables from AWX volume
- include_tasks:
file: "load_hosting_and_org_variables.yml"
apply:
tags: always
when: run_setup|bool and matrix_awx_enabled|bool
tags:
- always
# Renames or updates the vars.yml if needed
- include_tasks:
file: "update_variables.yml"
apply:
tags: always
when: run_setup|bool and matrix_awx_enabled|bool
tags:
- always
# Create AWX session token
- include_tasks:
file: "create_session_token.yml"
apply:
tags: always
when: run_setup|bool and matrix_awx_enabled|bool
tags:
- always
# Perform a backup of the server
- include_tasks:
file: "backup_server.yml"
apply:
tags: backup-server
when: run_setup|bool and matrix_awx_enabled|bool
tags:
- backup-server
# Perform a export of the server
- include_tasks:
file: "export_server.yml"
apply:
tags: export-server
when: run_setup|bool and matrix_awx_enabled|bool
tags:
- export-server
# Create a user account if called
- include_tasks:
file: "create_user.yml"
apply:
tags: create-user
when: run_setup|bool and matrix_awx_enabled|bool
tags:
- create-user
# Purge local/remote media if called
- include_tasks:
file: "purge_media_main.yml"
apply:
tags: purge-media
when: run_setup|bool and matrix_awx_enabled|bool
tags:
- purge-media
# Purge Synapse database if called
- include_tasks:
file: "purge_database_main.yml"
apply:
tags: purge-database
when: run_setup|bool and matrix_awx_enabled|bool
tags:
- purge-database
# Rotate SSH key if called
- include_tasks:
file: "rotate_ssh.yml"
apply:
tags: rotate-ssh
when: run_setup|bool and matrix_awx_enabled|bool
tags:
- rotate-ssh
# Import configs, media repo from /chroot/backup import
- include_tasks:
file: "import_awx.yml"
apply:
tags: import-awx
when: run_setup|bool and matrix_awx_enabled|bool
tags:
- import-awx
# Perform extra self-check functions
- include_tasks:
file: "self_check.yml"
apply:
tags: self-check
when: run_setup|bool and matrix_awx_enabled|bool
tags:
- self-check
# Create cached matrix_vars.yml file
- include_tasks:
file: "cache_matrix_variables.yml"
apply:
tags: always
when: run_setup|bool and matrix_awx_enabled|bool
tags:
- always
# Configure SFTP so user can upload a static website or access the servers export
- include_tasks:
file: "customise_website_access_export.yml"
apply:
tags: setup-nginx-proxy
when: run_setup|bool and matrix_awx_enabled|bool
tags:
- setup-nginx-proxy
# Additional playbook to set the variable file during Element configuration
- include_tasks:
file: "set_variables_element.yml"
apply:
tags: setup-client-element
when: run_setup|bool and matrix_awx_enabled|bool
tags:
- setup-client-element
# Additional playbook to set the variable file during Mailer configuration
- include_tasks:
file: "set_variables_mailer.yml"
apply:
tags: setup-mailer
when: run_setup|bool and matrix_awx_enabled|bool
tags:
- setup-mailer
# Additional playbook to set the variable file during Element configuration
- include_tasks:
file: "set_variables_element_subdomain.yml"
apply:
tags: setup-client-element-subdomain
when: run_setup|bool and matrix_awx_enabled|bool
tags:
- setup-client-element-subdomain
# Additional playbook to set the variable file during Synapse configuration
- include_tasks:
file: "set_variables_synapse.yml"
apply:
tags: setup-synapse
when: run_setup|bool and matrix_awx_enabled|bool
tags:
- setup-synapse
# Additional playbook to set the variable file during Jitsi configuration
- include_tasks:
file: "set_variables_jitsi.yml"
apply:
tags: setup-jitsi
when: run_setup|bool and matrix_awx_enabled|bool
tags:
- setup-jitsi
# Additional playbook to set the variable file during Ma1sd configuration
- include_tasks:
file: "set_variables_ma1sd.yml"
apply:
tags: setup-ma1sd
when: run_setup|bool and matrix_awx_enabled|bool
tags:
- setup-ma1sd
# Additional playbook to set the variable file during Corporal configuration
- include_tasks:
file: "set_variables_corporal.yml"
apply:
tags: setup-corporal
when: run_setup|bool and matrix_awx_enabled|bool
tags:
- setup-corporal
# Additional playbook to set the variable file during Dimension configuration
- include_tasks:
file: "set_variables_dimension.yml"
apply:
tags: setup-dimension
when: run_setup|bool and matrix_awx_enabled|bool
tags:
- setup-dimension
# Additional playbook to set the variable file during Synapse Admin configuration
- include_tasks:
file: "set_variables_synapse_admin.yml"
apply:
tags: setup-synapse-admin
when: run_setup|bool and matrix_awx_enabled|bool
tags:
- setup-synapse-admin
# Additional playbook to set the variable file during Discord Appservice Bridge configuration
- include_tasks:
file: "bridge_discord_appservice.yml"
apply:
tags: bridge-discord-appservice
when: run_setup|bool and matrix_awx_enabled|bool
tags:
- bridge-discord-appservice
# Delete AWX session token
- include_tasks:
file: "delete_session_token.yml"
apply:
tags: always
when: run_setup|bool and matrix_awx_enabled|bool
tags:
- always
# Load newly formed matrix variables from AWX volume
- include_tasks:
file: "load_matrix_variables.yml"
apply:
tags: always
when: run_setup|bool and matrix_awx_enabled|bool
tags:
- always

14
roles/matrix-awx/tasks/purge_database_events.yml
Unescape View File

@ -1,14 +0,0 @@
---
- name: Purge all rooms with more then N events
shell: |
curl --header "Authorization: Bearer {{ awx_janitors_token.stdout[1:-1] }}" -X POST -H "Content-Type: application/json" -d '{ "delete_local_events": false, "purge_up_to_ts": {{ awx_purge_epoche_time.stdout }}000 }' "{{ awx_synapse_container_ip.stdout }}:{{ matrix_synapse_container_client_api_port }}/_synapse/admin/v1/purge_history/{{ item[1:-1] }}"
register: awx_purge_command
- name: Print output of purge command
debug:
msg: "{{ awx_purge_command.stdout }}"
- name: Pause for 5 seconds to let Synapse breathe
pause:
seconds: 5

320
roles/matrix-awx/tasks/purge_database_main.yml
Unescape View File

@ -1,320 +0,0 @@
---
- name: Ensure dateutils and curl is installed in AWX
delegate_to: 127.0.0.1
yum:
name: dateutils
state: latest
- name: Include vars in matrix_vars.yml
include_vars:
file: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml'
no_log: True
- name: Ensure curl and jq intalled on target machine
apt:
pkg:
- curl
- jq
state: present
- name: Collect before shrink size of Synapse database
shell: du -sh /matrix/postgres/data
register: awx_db_size_before_stat
when: (awx_purge_mode.find("Perform final shrink") != -1)
no_log: True
- name: Collect the internal IP of the matrix-synapse container
shell: "/usr/bin/docker inspect --format '{''{range.NetworkSettings.Networks}''}{''{.IPAddress}''}{''{end}''}' matrix-synapse"
when: (awx_purge_mode.find("No local users [recommended]") != -1) or (awx_purge_mode.find("Number of users [slower]") != -1) or (awx_purge_mode.find("Number of events [slower]") != -1)
register: awx_synapse_container_ip
- name: Collect access token for @admin-janitor user
shell: |
curl -X POST -d '{"type":"m.login.password", "user":"admin-janitor", "password":"{{ awx_janitor_user_password }}"}' "{{ awx_synapse_container_ip.stdout }}:{{ matrix_synapse_container_client_api_port }}/_matrix/client/r0/login" | jq '.access_token'
when: (awx_purge_mode.find("No local users [recommended]") != -1) or (awx_purge_mode.find("Number of users [slower]") != -1) or (awx_purge_mode.find("Number of events [slower]") != -1)
register: awx_janitors_token
no_log: True
- name: Copy build_room_list.py script to target machine
copy:
src: ./roles/matrix-awx/scripts/matrix_build_room_list.py
dest: /usr/local/bin/matrix_build_room_list.py
owner: matrix
group: matrix
mode: '0755'
when: (awx_purge_mode.find("No local users [recommended]") != -1) or (awx_purge_mode.find("Number of users [slower]") != -1) or (awx_purge_mode.find("Number of events [slower]") != -1)
- name: Run build_room_list.py script
shell: |
runuser -u matrix -- python3 /usr/local/bin/matrix_build_room_list.py {{ awx_janitors_token.stdout[1:-1] }} {{ awx_synapse_container_ip.stdout }} {{ matrix_synapse_container_client_api_port.stdout }}
register: awx_rooms_total
when: (awx_purge_mode.find("No local users [recommended]") != -1) or (awx_purge_mode.find("Number of users [slower]") != -1) or (awx_purge_mode.find("Number of events [slower]") != -1)
- name: Fetch complete room list from target machine
fetch:
src: /tmp/room_list_complete.json
dest: "/tmp/{{ subscription_id }}_room_list_complete.json"
flat: yes
when: (awx_purge_mode.find("No local users [recommended]") != -1) or (awx_purge_mode.find("Number of users [slower]") != -1) or (awx_purge_mode.find("Number of events [slower]") != -1)
- name: Remove complete room list from target machine
file:
path: /tmp/room_list_complete.json
state: absent
when: (awx_purge_mode.find("No local users [recommended]") != -1) or (awx_purge_mode.find("Number of users [slower]") != -1) or (awx_purge_mode.find("Number of events [slower]") != -1)
- name: Generate list of rooms with no local users
delegate_to: 127.0.0.1
shell: |
jq 'try .rooms[] | select(.joined_local_members == 0) | .room_id' < /tmp/{{ subscription_id }}_room_list_complete.json > /tmp/{{ subscription_id }}_room_list_no_local_users.txt
when: (awx_purge_mode.find("No local users [recommended]") != -1) or (awx_purge_mode.find("Number of users [slower]") != -1) or (awx_purge_mode.find("Number of events [slower]") != -1)
- name: Count number of rooms with no local users
delegate_to: 127.0.0.1
shell: |
wc -l /tmp/{{ subscription_id }}_room_list_no_local_users.txt | awk '{ print $1 }'
register: awx_rooms_no_local_total
when: (awx_purge_mode.find("No local users [recommended]") != -1) or (awx_purge_mode.find("Number of users [slower]") != -1) or (awx_purge_mode.find("Number of events [slower]") != -1)
- name: Setting host fact awx_room_list_no_local_users
set_fact:
awx_room_list_no_local_users: "{{ lookup('file', '/tmp/{{ subscription_id }}_room_list_no_local_users.txt') }}"
no_log: True
when: (awx_purge_mode.find("No local users [recommended]") != -1) or (awx_purge_mode.find("Number of users [slower]") != -1) or (awx_purge_mode.find("Number of events [slower]") != -1)
- name: Purge all rooms with no local users
include_tasks: purge_database_no_local.yml
loop: "{{ awx_room_list_no_local_users.splitlines() | flatten(levels=1) }}"
when: (awx_purge_mode.find("No local users [recommended]") != -1) or (awx_purge_mode.find("Number of users [slower]") != -1) or (awx_purge_mode.find("Number of events [slower]") != -1)
- name: Collect epoche time from date
delegate_to: 127.0.0.1
shell: |
date -d '{{ awx_purge_date }}' +"%s"
when: (awx_purge_mode.find("Number of users [slower]") != -1) or (awx_purge_mode.find("Number of events [slower]") != -1)
register: awx_purge_epoche_time
- name: Generate list of rooms with more then N users
delegate_to: 127.0.0.1
shell: |
jq 'try .rooms[] | select(.joined_members > {{ awx_purge_metric_value }}) | .room_id' < /tmp/{{ subscription_id }}_room_list_complete.json > /tmp/{{ subscription_id }}_room_list_joined_members.txt
when: awx_purge_mode.find("Number of users [slower]") != -1
- name: Count number of rooms with more then N users
delegate_to: 127.0.0.1
shell: |
wc -l /tmp/{{ subscription_id }}_room_list_joined_members.txt | awk '{ print $1 }'
register: awx_rooms_join_members_total
when: awx_purge_mode.find("Number of users [slower]") != -1
- name: Setting host fact awx_room_list_joined_members
delegate_to: 127.0.0.1
set_fact:
awx_room_list_joined_members: "{{ lookup('file', '/tmp/{{ subscription_id }}_room_list_joined_members.txt') }}"
when: awx_purge_mode.find("Number of users [slower]") != -1
no_log: True
- name: Purge all rooms with more then N users
include_tasks: purge_database_users.yml
loop: "{{ awx_room_list_joined_members.splitlines() | flatten(levels=1) }}"
when: awx_purge_mode.find("Number of users [slower]") != -1
- name: Generate list of rooms with more then N events
delegate_to: 127.0.0.1
shell: |
jq 'try .rooms[] | select(.state_events > {{ awx_purge_metric_value }}) | .room_id' < /tmp/{{ subscription_id }}_room_list_complete.json > /tmp/{{ subscription_id }}_room_list_state_events.txt
when: awx_purge_mode.find("Number of events [slower]") != -1
- name: Count number of rooms with more then N events
delegate_to: 127.0.0.1
shell: |
wc -l /tmp/{{ subscription_id }}_room_list_state_events.txt | awk '{ print $1 }'
register: awx_rooms_state_events_total
when: awx_purge_mode.find("Number of events [slower]") != -1
- name: Setting host fact awx_room_list_state_events
delegate_to: 127.0.0.1
set_fact:
awx_room_list_state_events: "{{ lookup('file', '/tmp/{{ subscription_id }}_room_list_state_events.txt') }}"
when: awx_purge_mode.find("Number of events [slower]") != -1
no_log: True
- name: Purge all rooms with more then N events
include_tasks: purge_database_events.yml
loop: "{{ awx_room_list_state_events.splitlines() | flatten(levels=1) }}"
when: awx_purge_mode.find("Number of events [slower]") != -1
- name: Adjust 'Deploy/Update a Server' job template
delegate_to: 127.0.0.1
awx.awx.tower_job_template:
name: "{{ matrix_domain }} - 0 - Deploy/Update a Server"
description: "Creates a new matrix service with Spantaleev's playbooks"
extra_vars: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/extra_vars.json') }}"
job_type: run
job_tags: "rust-synapse-compress-state"
inventory: "{{ member_id }}"
project: "{{ member_id }} - Matrix Docker Ansible Deploy"
playbook: setup.yml
credential: "{{ member_id }} - AWX SSH Key"
state: present
verbosity: 1
tower_host: "https://{{ awx_host }}"
tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}"
validate_certs: yes
when: (awx_purge_mode.find("No local users [recommended]") != -1) or (awx_purge_mode.find("Number of users [slower]") != -1) or (awx_purge_mode.find("Number of events [slower]") != -1) or (awx_purge_mode.find("Skip purging rooms [faster]") != -1)
- name: Execute rust-synapse-compress-state job template
delegate_to: 127.0.0.1
awx.awx.tower_job_launch:
job_template: "{{ matrix_domain }} - 0 - Deploy/Update a Server"
wait: yes
tower_host: "https://{{ awx_host }}"
tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}"
validate_certs: yes
when: (awx_purge_mode.find("No local users [recommended]") != -1) or (awx_purge_mode.find("Number of users [slower]") != -1) or (awx_purge_mode.find("Number of events [slower]") != -1) or (awx_purge_mode.find("Skip purging rooms [faster]") != -1)
- name: Revert 'Deploy/Update a Server' job template
delegate_to: 127.0.0.1
awx.awx.tower_job_template:
name: "{{ matrix_domain }} - 0 - Deploy/Update a Server"
description: "Creates a new matrix service with Spantaleev's playbooks"
extra_vars: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/extra_vars.json') }}"
job_type: run
job_tags: "setup-all,start"
inventory: "{{ member_id }}"
project: "{{ member_id }} - Matrix Docker Ansible Deploy"
playbook: setup.yml
credential: "{{ member_id }} - AWX SSH Key"
state: present
verbosity: 1
tower_host: "https://{{ awx_host }}"
tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}"
validate_certs: yes
when: (awx_purge_mode.find("No local users [recommended]") != -1) or (awx_purge_mode.find("Number of users [slower]") != -1) or (awx_purge_mode.find("Number of events [slower]") != -1) or (awx_purge_mode.find("Skip purging rooms [faster]") != -1)
- name: Ensure matrix-synapse is stopped
service:
name: matrix-synapse
state: stopped
daemon_reload: yes
when: (awx_purge_mode.find("Perform final shrink") != -1)
- name: Re-index Synapse database
shell: docker exec -i matrix-postgres psql "host=127.0.0.1 port=5432 dbname=synapse user=synapse password={{ matrix_synapse_connection_password }}" -c 'REINDEX (VERBOSE) DATABASE synapse'
when: (awx_purge_mode.find("Perform final shrink") != -1)
- name: Ensure matrix-synapse is started
service:
name: matrix-synapse
state: started
daemon_reload: yes
when: (awx_purge_mode.find("Perform final shrink") != -1)
- name: Adjust 'Deploy/Update a Server' job template
delegate_to: 127.0.0.1
awx.awx.tower_job_template:
name: "{{ matrix_domain }} - 0 - Deploy/Update a Server"
description: "Creates a new matrix service with Spantaleev's playbooks"
extra_vars: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/extra_vars.json') }}"
job_type: run
job_tags: "run-postgres-vacuum,start"
inventory: "{{ member_id }}"
project: "{{ member_id }} - Matrix Docker Ansible Deploy"
playbook: setup.yml
credential: "{{ member_id }} - AWX SSH Key"
state: present
verbosity: 1
tower_host: "https://{{ awx_host }}"
tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}"
validate_certs: yes
when: (awx_purge_mode.find("Perform final shrink") != -1)
- name: Execute run-postgres-vacuum job template
delegate_to: 127.0.0.1
awx.awx.tower_job_launch:
job_template: "{{ matrix_domain }} - 0 - Deploy/Update a Server"
wait: yes
tower_host: "https://{{ awx_host }}"
tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}"
validate_certs: yes
when: (awx_purge_mode.find("Perform final shrink") != -1)
- name: Revert 'Deploy/Update a Server' job template
delegate_to: 127.0.0.1
awx.awx.tower_job_template:
name: "{{ matrix_domain }} - 0 - Deploy/Update a Server"
description: "Creates a new matrix service with Spantaleev's playbooks"
extra_vars: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/extra_vars.json') }}"
job_type: run
job_tags: "setup-all,start"
inventory: "{{ member_id }}"
project: "{{ member_id }} - Matrix Docker Ansible Deploy"
playbook: setup.yml
credential: "{{ member_id }} - AWX SSH Key"
state: present
verbosity: 1
tower_host: "https://{{ awx_host }}"
tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}"
validate_certs: yes
when: (awx_purge_mode.find("Perform final shrink") != -1)
- name: Cleanup room_list files
delegate_to: 127.0.0.1
shell: |
rm /tmp/{{ subscription_id }}_room_list*
when: (awx_purge_mode.find("No local users [recommended]") != -1) or (awx_purge_mode.find("Number of users [slower]") != -1) or (awx_purge_mode.find("Number of events [slower]") != -1)
ignore_errors: yes
- name: Collect after shrink size of Synapse database
shell: du -sh /matrix/postgres/data
register: awx_db_size_after_stat
when: (awx_purge_mode.find("Perform final shrink") != -1)
no_log: True
- name: Print total number of rooms processed
debug:
msg: '{{ awx_rooms_total.stdout }}'
when: (awx_purge_mode.find("No local users [recommended]") != -1) or (awx_purge_mode.find("Number of users [slower]") != -1) or (awx_purge_mode.find("Number of events [slower]") != -1)
- name: Print the number of rooms purged with no local users
debug:
msg: '{{ awx_rooms_no_local_total.stdout }}'
when: (awx_purge_mode.find("No local users [recommended]") != -1) or (awx_purge_mode.find("Number of users [slower]") != -1) or (awx_purge_mode.find("Number of events [slower]") != -1)
- name: Print the number of rooms purged with more then N users
debug:
msg: '{{ awx_rooms_join_members_total.stdout }}'
when: awx_purge_mode.find("Number of users") != -1
- name: Print the number of rooms purged with more then N events
debug:
msg: '{{ awx_rooms_state_events_total.stdout }}'
when: awx_purge_mode.find("Number of events") != -1
- name: Print before purge size of Synapse database
debug:
msg: "{{ awx_db_size_before_stat.stdout.split('\n') }}"
when: ( awx_db_size_before_stat is defined ) and ( awx_purge_mode.find("Perform final shrink" ) != -1 )
- name: Print after purge size of Synapse database
debug:
msg: "{{ awx_db_size_after_stat.stdout.split('\n') }}"
when: (awx_db_size_after_stat is defined) and (awx_purge_mode.find("Perform final shrink") != -1)
- name: Delete the AWX session token for executing modules
awx.awx.tower_token:
description: 'AWX Session Token'
scope: "write"
state: absent
existing_token_id: "{{ awx_session_token.ansible_facts.tower_token.id }}"
tower_host: "https://{{ awx_host }}"
tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}"
- name: Set boolean value to exit playbook
set_fact:
awx_end_playbook: true
- name: End playbook early if this task is called.
meta: end_play
when: awx_end_playbook is defined and awx_end_playbook|bool

14
roles/matrix-awx/tasks/purge_database_no_local.yml
Unescape View File

@ -1,14 +0,0 @@
---
- name: Purge all rooms with no local users
shell: |
curl --header "Authorization: Bearer {{ awx_janitors_token.stdout[1:-1] }}" -X POST -H "Content-Type: application/json" -d '{ "room_id": {{ item }} }' '{{ awx_synapse_container_ip.stdout }}:{{ matrix_synapse_container_client_api_port }}/_synapse/admin/v1/purge_room'
register: awx_purge_command
- name: Print output of purge command
debug:
msg: "{{ awx_purge_command.stdout }}"
- name: Pause for 5 seconds to let Synapse breathe
pause:
seconds: 5

14
roles/matrix-awx/tasks/purge_database_users.yml
Unescape View File

@ -1,14 +0,0 @@
---
- name: Purge all rooms with more then N users
shell: |
curl --header "Authorization: Bearer {{ awx_janitors_token.stdout[1:-1] }}" -X POST -H "Content-Type: application/json" -d '{ "delete_local_events": false, "purge_up_to_ts": {{ awx_purge_epoche_time.stdout }}000 }' "{{ awx_synapse_container_ip.stdout }}:{{ matrix_synapse_container_client_api_port }}/_synapse/admin/v1/purge_history/{{ item[1:-1] }}"
register: awx_purge_command
- name: Print output of purge command
debug:
msg: "{{ awx_purge_command.stdout }}"
- name: Pause for 5 seconds to let Synapse breathe
pause:
seconds: 5

19
roles/matrix-awx/tasks/purge_media_local.yml
Unescape View File

@ -1,19 +0,0 @@
---
- name: Collect epoche time from date
shell: |
date -d '{{ item }}' +"%s"
register: awx_epoche_time
- name: Purge local media to specific date
shell: |
curl -X POST --header "Authorization: Bearer {{ awx_janitors_token.stdout[1:-1] }}" '{{ awx_synapse_container_ip.stdout }}:{{ matrix_synapse_container_client_api_port }}/_synapse/admin/v1/media/matrix.{{ matrix_domain }}/delete?before_ts={{ awx_epoche_time.stdout }}000'
register: awx_purge_command
- name: Print output of purge command
debug:
msg: "{{ awx_purge_command.stdout }}"
- name: Pause for 5 seconds to let Synapse breathe
pause:
seconds: 5

110
roles/matrix-awx/tasks/purge_media_main.yml
Unescape View File

@ -1,110 +0,0 @@
- name: Ensure dateutils is installed in AWX
delegate_to: 127.0.0.1
yum:
name: dateutils
state: latest
- name: Include vars in matrix_vars.yml
include_vars:
file: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml'
no_log: True
- name: Ensure curl and jq intalled on target machine
apt:
pkg:
- curl
- jq
state: present
- name: Collect the internal IP of the matrix-synapse container
shell: "/usr/bin/docker inspect --format '{''{range.NetworkSettings.Networks}''}{''{.IPAddress}''}{''{end}''}' matrix-synapse"
register: awx_synapse_container_ip
- name: Collect access token for @admin-janitor user
shell: |
curl -XPOST -d '{"type":"m.login.password", "user":"admin-janitor", "password":"{{ awx_janitor_user_password }}"}' "{{ awx_synapse_container_ip.stdout }}:{{ matrix_synapse_container_client_api_port }}/_matrix/client/r0/login" | jq '.access_token'
register: awx_janitors_token
no_log: True
- name: Generate list of dates to purge to
delegate_to: 127.0.0.1
shell: "dateseq {{ awx_purge_from_date }} {{ awx_purge_to_date }}"
register: awx_purge_dates
- name: Calculate initial size of local media repository
shell: du -sh /matrix/synapse/storage/media-store/local*
register: awx_local_media_size_before
when: awx_purge_media_type == "Local Media"
async: 600
ignore_errors: yes
no_log: True
- name: Calculate initial size of remote media repository
shell: du -sh /matrix/synapse/storage/media-store/remote*
register: awx_remote_media_size_before
when: awx_purge_media_type == "Remote Media"
async: 600
ignore_errors: yes
no_log: True
- name: Purge local media with loop
include_tasks: purge_media_local.yml
loop: "{{ awx_purge_dates.stdout_lines | flatten(levels=1) }}"
when: awx_purge_media_type == "Local Media"
- name: Purge remote media with loop
include_tasks: purge_media_remote.yml
loop: "{{ awx_purge_dates.stdout_lines | flatten(levels=1) }}"
when: awx_purge_media_type == "Remote Media"
- name: Calculate final size of local media repository
shell: du -sh /matrix/synapse/storage/media-store/local*
register: awx_local_media_size_after
when: awx_purge_media_type == "Local Media"
ignore_errors: yes
no_log: True
- name: Calculate final size of remote media repository
shell: du -sh /matrix/synapse/storage/media-store/remote*
register: awx_remote_media_size_after
when: awx_purge_media_type == "Remote Media"
ignore_errors: yes
no_log: True
- name: Print size of local media repository before purge
debug:
msg: "{{ awx_local_media_size_before.stdout.split('\n') }}"
when: awx_purge_media_type == "Local Media"
- name: Print size of local media repository after purge
debug:
msg: "{{ awx_local_media_size_after.stdout.split('\n') }}"
when: awx_purge_media_type == "Local Media"
- name: Print size of remote media repository before purge
debug:
msg: "{{ awx_remote_media_size_before.stdout.split('\n') }}"
when: awx_purge_media_type == "Remote Media"
- name: Print size of remote media repository after purge
debug:
msg: "{{ awx_remote_media_size_after.stdout.split('\n') }}"
when: awx_purge_media_type == "Remote Media"
- name: Delete the AWX session token for executing modules
awx.awx.tower_token:
description: 'AWX Session Token'
scope: "write"
state: absent
existing_token_id: "{{ awx_session_token.ansible_facts.tower_token.id }}"
tower_host: "https://{{ awx_host }}"
tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}"
- name: Set boolean value to exit playbook
set_fact:
awx_end_playbook: true
- name: End playbook early if this task is called.
meta: end_play
when: awx_end_playbook is defined and awx_end_playbook|bool

19
roles/matrix-awx/tasks/purge_media_remote.yml
Unescape View File

@ -1,19 +0,0 @@
---
- name: Collect epoche time from date
shell: |
date -d '{{ item }}' +"%s"
register: awx_epoche_time
- name: Purge remote media to specific date
shell: |
curl -X POST --header "Authorization: Bearer {{ awx_janitors_token.stdout[1:-1] }}" '{{ awx_synapse_container_ip.stdout }}:{{ matrix_synapse_container_client_api_port }}/_synapse/admin/v1/purge_media_cache?before_ts={{ awx_epoche_time.stdout }}000'
register: awx_purge_command
- name: Print output of purge command
debug:
msg: "{{ awx_purge_command.stdout }}"
- name: Pause for 5 seconds to let Synapse breathe
pause:
seconds: 5

25
roles/matrix-awx/tasks/rotate_ssh.yml
Unescape View File

@ -1,25 +0,0 @@
---
- name: Set the new authorized key taken from file
authorized_key:
user: root
state: present
exclusive: yes
key: "{{ lookup('file', '/var/lib/awx/projects/hosting/client_public.key') }}"
- name: Delete the AWX session token for executing modules
awx.awx.tower_token:
description: 'AWX Session Token'
scope: "write"
state: absent
existing_token_id: "{{ awx_session_token.ansible_facts.tower_token.id }}"
tower_host: "https://{{ awx_host }}"
tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}"
- name: Set boolean value to exit playbook
set_fact:
end_playbook: true
- name: End playbook if this task list is called.
meta: end_play
when: end_playbook is defined and end_playbook|bool

108
roles/matrix-awx/tasks/self_check.yml
Unescape View File

@ -1,108 +0,0 @@
---
- name: Install prerequisite apt packages on target
apt:
name:
- sysstat
- curl
state: present
- name: Install prerequisite yum packages on AWX
delegate_to: 127.0.0.1
yum:
name:
- bind-utils
state: present
- name: Install prerequisite pip packages on AWX
delegate_to: 127.0.0.1
pip:
name:
- dnspython
state: present
- name: Calculate MAU value
shell: |
curl -s localhost:9000 | grep "^synapse_admin_mau_current "
register: awx_mau_stat
no_log: True
- name: Calculate CPU usage statistics
shell: iostat -c
register: awx_cpu_usage_stat
no_log: True
- name: Calculate RAM usage statistics
shell: free -mh
register: awx_ram_usage_stat
no_log: True
- name: Calculate free disk space
shell: df -h
register: awx_disk_space_stat
no_log: True
- name: Calculate size of Synapse database
shell: du -sh /matrix/postgres/data
register: awx_db_size_stat
no_log: True
- name: Calculate size of local media repository
shell: du -sh /matrix/synapse/storage/media-store/local*
register: awx_local_media_size_stat
async: 600
ignore_errors: yes
no_log: True
- name: Calculate size of remote media repository
shell: du -sh /matrix/synapse/storage/media-store/remote*
register: awx_remote_media_size_stat
async: 600
ignore_errors: yes
no_log: True
- name: Calculate docker container statistics
shell: docker stats --all --no-stream
register: awx_docker_stats
ignore_errors: yes
no_log: True
- name: Print size of remote media repository
debug:
msg: "{{ awx_remote_media_size_stat.stdout.split('\n') }}"
when: awx_remote_media_size_stat is defined
- name: Print size of local media repository
debug:
msg: "{{ awx_local_media_size_stat.stdout.split('\n') }}"
when: awx_local_media_size_stat is defined
- name: Print size of Synapse database
debug:
msg: "{{ awx_db_size_stat.stdout.split('\n') }}"
when: awx_db_size_stat is defined
- name: Print free disk space
debug:
msg: "{{ awx_disk_space_stat.stdout.split('\n') }}"
when: awx_disk_space_stat is defined
- name: Print RAM usage statistics
debug:
msg: "{{ awx_ram_usage_stat.stdout.split('\n') }}"
when: awx_ram_usage_stat is defined
- name: Print CPU usage statistics
debug:
msg: "{{ awx_cpu_usage_stat.stdout.split('\n') }}"
when: awx_cpu_usage_stat is defined
- name: Print MAU value
debug:
msg: "{{ awx_mau_stat.stdout.split('\n') }}"
when: awx_mau_stat is defined
- name: Print docker container statistics
debug:
msg: "{{ awx_docker_stats.stdout.split('\n') }}"
when: awx_docker_stats is defined

243
roles/matrix-awx/tasks/set_variables_corporal.yml
Unescape View File

@ -1,243 +0,0 @@
---
- name: Record Corporal Enabled/Disabled variable
delegate_to: 127.0.0.1
lineinfile:
path: '{{ awx_cached_matrix_vars }}'
regexp: "^#? *{{ item.key | regex_escape() }}:"
line: "{{ item.key }}: {{ item.value }}"
insertafter: '# Corporal Settings Start'
with_dict:
'matrix_corporal_enabled': '{{ matrix_corporal_enabled }}'
- name: Enable Shared Secret Auth if Corporal enabled
delegate_to: 127.0.0.1
lineinfile:
path: '{{ awx_cached_matrix_vars }}'
regexp: "^#? *{{ item.key | regex_escape() }}:"
line: "{{ item.key }}: {{ item.value }}"
insertafter: '# Shared Secret Auth Settings Start'
with_dict:
'matrix_synapse_ext_password_provider_shared_secret_auth_enabled': 'true'
when: matrix_corporal_enabled|bool
- name: Disable Shared Secret Auth if Corporal disabled
delegate_to: 127.0.0.1
lineinfile:
path: '{{ awx_cached_matrix_vars }}'
regexp: "^#? *{{ item.key | regex_escape() }}:"
line: "{{ item.key }}: {{ item.value }}"
insertafter: '# Shared Secret Auth Settings Start'
with_dict:
'matrix_synapse_ext_password_provider_shared_secret_auth_enabled': 'false'
when: not matrix_corporal_enabled|bool
- name: Enable Rest Auth Endpoint if Corporal enabled
delegate_to: 127.0.0.1
lineinfile:
path: '{{ awx_cached_matrix_vars }}'
regexp: "^#? *{{ item.key | regex_escape() }}:"
line: "{{ item.key }}: {{ item.value }}"
insertafter: '# Synapse Extension Start'
with_dict:
'matrix_synapse_ext_password_provider_rest_auth_enabled': 'true'
when: matrix_corporal_enabled|bool
- name: Disable Rest Auth Endpoint if Corporal disabled
delegate_to: 127.0.0.1
lineinfile:
path: '{{ awx_cached_matrix_vars }}'
regexp: "^#? *{{ item.key | regex_escape() }}:"
line: "{{ item.key }}: {{ item.value }}"
insertafter: '# Synapse Extension Start'
with_dict:
'matrix_synapse_ext_password_provider_rest_auth_enabled': 'false'
when: not matrix_corporal_enabled|bool
- name: Disable Corporal API if Simple Static File mode selected
delegate_to: 127.0.0.1
lineinfile:
path: '{{ awx_cached_matrix_vars }}'
regexp: "^#? *{{ item.key | regex_escape() }}:"
line: "{{ item.key }}: {{ item.value }}"
insertafter: '# Corporal Settings Start'
with_dict:
'matrix_corporal_http_api_enabled': 'false'
when: (awx_corporal_policy_provider_mode == "Simple Static File") or (not matrix_corporal_enabled|bool)
- name: Enable Corporal API if Push/Pull mode delected
delegate_to: 127.0.0.1
lineinfile:
path: '{{ awx_cached_matrix_vars }}'
regexp: "^#? *{{ item.key | regex_escape() }}:"
line: "{{ item.key }}: {{ item.value }}"
insertafter: '# Corporal Settings Start'
with_dict:
'matrix_corporal_http_api_enabled': 'true'
when: (awx_corporal_policy_provider_mode != "Simple Static File") and (matrix_corporal_enabled|bool)
- name: Record Corporal API Access Token if it's defined
delegate_to: 127.0.0.1
lineinfile:
path: '{{ awx_cached_matrix_vars }}'
regexp: "^#? *{{ item.key | regex_escape() }}:"
line: "{{ item.key }}: {{ item.value }}"
insertafter: '# Corporal Settings Start'
with_dict:
'matrix_corporal_http_api_auth_token': '{{ matrix_corporal_http_api_auth_token }}'
when: ( matrix_corporal_http_api_auth_token|length > 0 ) and ( awx_corporal_policy_provider_mode != "Simple Static File" )
- name: Record 'Simple Static File' configuration variables in matrix_vars.yml
delegate_to: 127.0.0.1
blockinfile:
path: '{{ awx_cached_matrix_vars }}'
insertbefore: "# Corporal Policy Provider Settings End"
marker_begin: "Corporal"
marker_end: "Corporal"
block: |
matrix_corporal_policy_provider_config: |
{
"Type": "static_file",
"Path": "/etc/matrix-corporal/corporal-policy.json"
}
when: awx_corporal_policy_provider_mode == "Simple Static File"
- name: Touch the /matrix/corporal/ directory
file:
path: "/matrix/corporal/"
state: directory
owner: matrix
group: matrix
mode: '750'
- name: Touch the /matrix/corporal/config/ directory
file:
path: "/matrix/corporal/config/"
state: directory
owner: matrix
group: matrix
mode: '750'
- name: Touch the /matrix/corporal/cache/ directory
file:
path: "/matrix/corporal/cache/"
state: directory
owner: matrix
group: matrix
mode: '750'
- name: Touch the corporal-policy.json file to ensure it exists
file:
path: "/matrix/corporal/config/corporal-policy.json"
state: touch
owner: matrix
group: matrix
mode: '660'
- name: Touch the last-policy.json file to ensure it exists
file:
path: "/matrix/corporal/config/last-policy.json"
state: touch
owner: matrix
group: matrix
mode: '660'
- name: Record 'Simple Static File' configuration content in corporal-policy.json
copy:
content: "{{ awx_corporal_simple_static_config | string }}"
dest: "/matrix/corporal/config/corporal-policy.json"
owner: matrix
group: matrix
mode: '660'
when: (awx_corporal_policy_provider_mode == "Simple Static File") and (awx_corporal_simple_static_config|length > 0)
- name: Record 'HTTP Pull Mode' configuration variables in matrix_vars.yml
delegate_to: 127.0.0.1
blockinfile:
path: '{{ awx_cached_matrix_vars }}'
insertafter: "# Corporal Policy Provider Settings Start"
block: |
matrix_corporal_policy_provider_config: |
{
"Type": "http",
"Uri": "{{ awx_corporal_pull_mode_uri }}",
"AuthorizationBearerToken": "{{ awx_corporal_pull_mode_token }}",
"CachePath": "/var/cache/matrix-corporal/last-policy.json",
"ReloadIntervalSeconds": 1800,
"TimeoutMilliseconds": 30000
}
when: (awx_corporal_policy_provider_mode == "HTTP Pull Mode (API Enabled)") and (matrix_corporal_pull_mode_uri|length > 0) and (awx_corporal_pull_mode_token|length > 0)
- name: Record 'HTTP Push Mode' configuration variables in matrix_vars.yml
delegate_to: 127.0.0.1
blockinfile:
path: '{{ awx_cached_matrix_vars }}'
insertafter: "# Corporal Policy Provider Settings Start"
block: |
matrix_corporal_policy_provider_config: |
{
"Type": "last_seen_store_policy",
"CachePath": "/var/cache/matrix-corporal/last-policy.json"
}
when: (awx_corporal_policy_provider_mode == "HTTP Push Mode (API Enabled)")
- name: Lower RateLimit if set to 'Normal'
delegate_to: 127.0.0.1
replace:
path: '{{ awx_cached_matrix_vars }}'
regexp: ' address:\n per_second: 50\n burst_count: 300\n account:\n per_second: 0.17\n burst_count: 300'
replace: ' address:\n per_second: 0.17\n burst_count: 3\n account:\n per_second: 0.17\n burst_count: 3'
when: awx_corporal_raise_ratelimits == "Normal"
- name: Raise RateLimit if set to 'Raised'
delegate_to: 127.0.0.1
replace:
path: '{{ awx_cached_matrix_vars }}'
regexp: ' address:\n per_second: 0.17\n burst_count: 3\n account:\n per_second: 0.17\n burst_count: 3'
replace: ' address:\n per_second: 50\n burst_count: 300\n account:\n per_second: 0.17\n burst_count: 300'
when: awx_corporal_raise_ratelimits == "Raised"
- name: Save new 'Configure Corporal' survey.json to the AWX tower
delegate_to: 127.0.0.1
template:
src: 'roles/matrix-awx/surveys/configure_corporal.json.j2'
dest: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_corporal.json'
- name: Copy new 'Configure Corporal' survey.json to target machine
copy:
src: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_corporal.json'
dest: '/matrix/awx/configure_corporal.json'
mode: '0660'
- debug:
msg: "matrix_corporal_matrix_homeserver_api_endpoint: {{ matrix_corporal_matrix_homeserver_api_endpoint }}"
- debug:
msg: "matrix_corporal_matrix_auth_shared_secret: {{ matrix_corporal_matrix_auth_shared_secret }}"
- debug:
msg: "matrix_corporal_http_gateway_internal_rest_auth_enabled: {{ matrix_corporal_http_gateway_internal_rest_auth_enabled }}"
- debug:
msg: "matrix_corporal_matrix_registration_shared_secret: {{ matrix_corporal_matrix_registration_shared_secret }}"
- name: Recreate 'Configure Corporal (Advanced)' job template
delegate_to: 127.0.0.1
awx.awx.tower_job_template:
name: "{{ matrix_domain }} - 1 - Configure Corporal (Advanced)"
description: "Configure Matrix Corporal, a tool that manages your Matrix server according to a configuration policy."
extra_vars: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/extra_vars.json') }}"
job_type: run
job_tags: "start,setup-corporal"
inventory: "{{ member_id }}"
project: "{{ member_id }} - Matrix Docker Ansible Deploy"
playbook: setup.yml
credential: "{{ member_id }} - AWX SSH Key"
survey_enabled: true
survey_spec: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_corporal.json') }}"
become_enabled: yes
state: present
verbosity: 1
tower_host: "https://{{ awx_host }}"
tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}"
validate_certs: yes

105
roles/matrix-awx/tasks/set_variables_dimension.yml
Unescape View File

@ -1,105 +0,0 @@
---
- name: Include vars in matrix_vars.yml
include_vars:
file: '{{ awx_cached_matrix_vars }}'
no_log: True
- name: Install jq and curl on remote machine
apt:
name:
- jq
- curl
state: present
- name: Collect access token of @admin-dimension user
shell: |
curl -X POST --header 'Content-Type: application/json' -d '{ "identifier": { "type": "m.id.user","user": "admin-dimension" }, "password": "{{ awx_dimension_user_password }}", "type": "m.login.password"}' 'https://matrix.{{ matrix_domain }}/_matrix/client/r0/login' | jq -c '. | {access_token}' | sed 's/.*\":\"//' | sed 's/\"}//'
register: awx_dimension_user_access_token
- name: Record Synapse variables locally on AWX
delegate_to: 127.0.0.1
lineinfile:
path: '{{ awx_cached_matrix_vars }}'
regexp: "^#? *{{ item.key | regex_escape() }}:"
line: "{{ item.key }}: {{ item.value }}"
insertafter: '# Dimension Settings Start'
with_dict:
'matrix_dimension_enabled': '{{ matrix_dimension_enabled }}'
'matrix_dimension_access_token': '"{{ awx_dimension_user_access_token.stdout }}"'
- name: Set final users list if users are defined
set_fact:
awx_dimension_users_final: "{{ awx_dimension_users }}"
when: awx_dimension_users | length > 0
- name: Set final users list if no users are defined
set_fact:
awx_dimension_users_final: '@dimension:{{ matrix_domain }}'
when: awx_dimension_users | length == 0
- name: Remove Dimension Users
delegate_to: 127.0.0.1
replace:
path: '{{ awx_cached_matrix_vars }}'
regexp: '^ - .*\n'
after: 'matrix_dimension_admins:'
before: '# Dimension Settings End'
- name: Set Dimension Users Header
delegate_to: 127.0.0.1
lineinfile:
path: '{{ awx_cached_matrix_vars }}'
insertbefore: '# Dimension Settings End'
line: "matrix_dimension_admins:"
- name: Set Dimension Users
delegate_to: 127.0.0.1
lineinfile:
path: '{{ awx_cached_matrix_vars }}'
insertafter: '^matrix_dimension_admins:'
line: ' - "{{ item }}"'
with_items: "{{ awx_dimension_users_final.splitlines() }}"
- name: Record Dimension Custom variables locally on AWX
delegate_to: 127.0.0.1
lineinfile:
path: '{{ awx_cached_matrix_vars }}'
regexp: "^#? *{{ item.key | regex_escape() }}:"
line: "{{ item.key }}: {{ item.value }}"
insertbefore: '# Dimension Settings End'
with_dict:
'awx_dimension_users': '{{ awx_dimension_users.splitlines() | to_json }}'
- name: Save new 'Configure Dimension' survey.json to the AWX tower, template
delegate_to: 127.0.0.1
template:
src: 'roles/matrix-awx/surveys/configure_dimension.json.j2'
dest: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}//configure_dimension.json'
- name: Copy new 'Configure Dimension' survey.json to target machine
copy:
src: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_dimension.json'
dest: '/matrix/awx/configure_dimension.json'
mode: '0660'
- name: Recreate 'Configure Dimension' job template
delegate_to: 127.0.0.1
awx.awx.tower_job_template:
name: "{{ matrix_domain }} - 1 - Configure Dimension"
description: "Configure Dimension, the self-hosted integrations server."
extra_vars: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/extra_vars.json') }}"
job_type: run
job_tags: "start,setup-all,setup-dimension"
inventory: "{{ member_id }}"
project: "{{ member_id }} - Matrix Docker Ansible Deploy"
playbook: setup.yml
credential: "{{ member_id }} - AWX SSH Key"
survey_enabled: true
survey_spec: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_dimension.json') }}"
become_enabled: yes
state: present
verbosity: 1
tower_host: "https://{{ awx_host }}"
tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}"
validate_certs: yes

180
roles/matrix-awx/tasks/set_variables_element.yml
Unescape View File

@ -1,180 +0,0 @@
---
- name: Record Element-Web variables locally on AWX
delegate_to: 127.0.0.1
lineinfile:
path: '{{ awx_cached_matrix_vars }}'
regexp: "^#? *{{ item.key | regex_escape() }}:"
line: "{{ item.key }}: {{ item.value }}"
insertafter: '# Element Settings Start'
with_dict:
'matrix_client_element_enabled': '{{ matrix_client_element_enabled }}'
'matrix_client_element_jitsi_preferredDomain': 'jitsi.{{ matrix_domain }}'
'matrix_client_element_default_theme': '{{ matrix_client_element_default_theme }}'
'matrix_client_element_registration_enabled': '{{ matrix_client_element_registration_enabled }}'
'matrix_client_element_brand': '{{ matrix_client_element_brand | trim }}'
'matrix_client_element_branding_welcomeBackgroundUrl': '{{ matrix_client_element_branding_welcomeBackgroundUrl | trim }}'
'matrix_client_element_welcome_logo': '{{ matrix_client_element_welcome_logo | trim }}'
'matrix_client_element_welcome_logo_link': '{{ matrix_client_element_welcome_logo_link | trim }}'
- name: Record Element-Web custom variables locally on AWX
delegate_to: 127.0.0.1
lineinfile:
path: '{{ awx_cached_matrix_vars }}'
regexp: "^#? *{{ item.key | regex_escape() }}:"
line: "{{ item.key }}: '{{ item.value }}'"
insertbefore: '# Element Settings End'
with_dict:
'awx_matrix_client_element_welcome_headline': '{{ awx_matrix_client_element_welcome_headline | trim }}'
'awx_matrix_client_element_welcome_text': '{{ awx_matrix_client_element_welcome_text | trim }}'
- name: Set Element-Web custom branding locally on AWX
delegate_to: 127.0.0.1
lineinfile:
path: '{{ awx_cached_matrix_vars }}'
regexp: "^#? *{{ item.key | regex_escape() }}:"
line: "{{ item.key }}: '{{ item.value }}'"
insertafter: '# Element Settings Start'
with_dict:
'matrix_client_element_brand': "{{ matrix_client_element_brand }}"
when: matrix_client_element_brand | trim | length > 0
- name: Remove Element-Web custom branding locally on AWX if not defined
delegate_to: 127.0.0.1
lineinfile:
path: '{{ awx_cached_matrix_vars }}'
regexp: "^matrix_client_element_brand: "
state: absent
when: matrix_client_element_brand | trim | length == 0
- name: Set fact for 'https' string
set_fact:
awx_https_string: "https"
- name: Set Element-Web custom logo locally on AWX if defined
delegate_to: 127.0.0.1
lineinfile:
path: '{{ awx_cached_matrix_vars }}'
regexp: "^#? *{{ item.key | regex_escape() }}:"
line: "{{ item.key }}: '{{ item.value }}'"
insertafter: '# Element Settings Start'
with_dict:
'matrix_client_element_welcome_logo': '{{ matrix_client_element_welcome_logo }}'
when: ( awx_https_string in matrix_client_element_welcome_logo ) and ( matrix_client_element_welcome_logo | trim | length > 0 )
- name: Remove Element-Web custom logo locally on AWX if not defined
delegate_to: 127.0.0.1
lineinfile:
path: '{{ awx_cached_matrix_vars }}'
regexp: "^matrix_client_element_welcome_logo: "
state: absent
when: matrix_client_element_welcome_logo | trim | length == 0
- name: Set Element-Web custom logo link locally on AWX if defined
delegate_to: 127.0.0.1
lineinfile:
path: '{{ awx_cached_matrix_vars }}'
regexp: "^#? *{{ item.key | regex_escape() }}:"
line: "{{ item.key }}: '{{ item.value }}'"
insertafter: '# Element Settings Start'
with_dict:
'matrix_client_element_welcome_logo_link': '{{ matrix_client_element_welcome_logo_link }}'
when: ( awx_https_string in matrix_client_element_welcome_logo_link ) and ( matrix_client_element_welcome_logo_link | trim | length > 0 )
- name: Remove Element-Web custom logo link locally on AWX if not defined
delegate_to: 127.0.0.1
lineinfile:
path: '{{ awx_cached_matrix_vars }}'
regexp: "^matrix_client_element_welcome_logo_link: "
state: absent
when: matrix_client_element_welcome_logo_link | trim | length == 0
- name: Set Element-Web custom headline locally on AWX if defined
delegate_to: 127.0.0.1
lineinfile:
path: '{{ awx_cached_matrix_vars }}'
regexp: "^#? *{{ item.key | regex_escape() }}:"
line: "{{ item.key }}: '{{ item.value }}'"
insertafter: '# Element Settings Start'
with_dict:
'matrix_client_element_welcome_headline': '{{ awx_matrix_client_element_welcome_headline }}'
when: awx_matrix_client_element_welcome_headline | trim | length > 0
- name: Remove Element-Web custom headline locally on AWX if not defined
delegate_to: 127.0.0.1
lineinfile:
path: '{{ awx_cached_matrix_vars }}'
regexp: "^matrix_client_element_welcome_headline: "
state: absent
when: awx_matrix_client_element_welcome_headline | trim | length == 0
- name: Set Element-Web custom text locally on AWX if defined
delegate_to: 127.0.0.1
lineinfile:
path: '{{ awx_cached_matrix_vars }}'
regexp: "^#? *{{ item.key | regex_escape() }}:"
line: "{{ item.key }}: '{{ item.value }}'"
insertafter: '# Element Settings Start'
with_dict:
'matrix_client_element_welcome_text': '{{ awx_matrix_client_element_welcome_text }}'
when: awx_matrix_client_element_welcome_text | trim | length > 0
- name: Remove Element-Web custom text locally on AWX if not defined
delegate_to: 127.0.0.1
lineinfile:
path: '{{ awx_cached_matrix_vars }}'
regexp: "^matrix_client_element_welcome_text: "
state: absent
when: awx_matrix_client_element_welcome_text | trim | length == 0
- name: Set Element-Web background locally on AWX if defined
delegate_to: 127.0.0.1
lineinfile:
path: '{{ awx_cached_matrix_vars }}'
regexp: "^#? *{{ item.key | regex_escape() }}:"
line: "{{ item.key }}: '{{ item.value }}'"
insertafter: '# Element Settings Start'
with_dict:
'matrix_client_element_branding_welcomeBackgroundUrl': '{{ matrix_client_element_branding_welcomeBackgroundUrl }}'
when: matrix_client_element_branding_welcomeBackgroundUrl | trim | length > 0
- name: Remove Element-Web background locally on AWX if not defined
delegate_to: 127.0.0.1
lineinfile:
path: '{{ awx_cached_matrix_vars }}'
regexp: "^matrix_client_element_branding_welcomeBackgroundUrl: "
state: absent
when: matrix_client_element_branding_welcomeBackgroundUrl | trim | length == 0
- name: Save new 'Configure Element' survey.json to the AWX tower, template
delegate_to: 127.0.0.1
template:
src: 'roles/matrix-awx/surveys/configure_element.json.j2'
dest: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_element.json'
- name: Copy new 'Configure Element' survey.json to target machine
copy:
src: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_element.json'
dest: '/matrix/awx/configure_element.json'
mode: '0660'
- name: Recreate 'Configure Element' job template
delegate_to: 127.0.0.1
awx.awx.tower_job_template:
name: "{{ matrix_domain }} - 1 - Configure Element"
description: "Configure Element client via survey."
extra_vars: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/extra_vars.json') }}"
job_type: run
job_tags: "start,setup-client-element"
inventory: "{{ member_id }}"
project: "{{ member_id }} - Matrix Docker Ansible Deploy"
playbook: setup.yml
credential: "{{ member_id }} - AWX SSH Key"
survey_enabled: true
survey_spec: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_element.json') }}"
become_enabled: yes
state: present
verbosity: 1
tower_host: "https://{{ awx_host }}"
tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}"
validate_certs: yes

43
roles/matrix-awx/tasks/set_variables_element_subdomain.yml
Unescape View File

@ -1,43 +0,0 @@
---
- name: Record Element-Web variables locally on AWX
delegate_to: 127.0.0.1
lineinfile:
path: '{{ awx_cached_matrix_vars }}'
regexp: "^#? *{{ item.key | regex_escape() }}:"
line: "{{ item.key }}: {{ item.value }}"
insertafter: '# Element Settings Start'
with_dict:
'matrix_server_fqn_element': "{{ awx_element_subdomain | trim }}.{{ matrix_domain }}"
- name: Save new 'Configure Element Subdomain' survey.json to the AWX tower, template
delegate_to: 127.0.0.1
template:
src: 'roles/matrix-awx/surveys/configure_element_subdomain.json.j2'
dest: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_element_subdomain.json'
- name: Copy new 'Configure Element Subdomain' survey.json to target machine
copy:
src: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_element_subdomain.json'
dest: '/matrix/awx/configure_element_subdomain.json'
mode: '0660'
- name: Recreate 'Configure Element Subdomain' job template
delegate_to: 127.0.0.1
awx.awx.tower_job_template:
name: "{{ matrix_domain }} - 1 - Configure Element Subdomain"
description: "Configure Element clients subdomain location. (Eg: 'element' for element.example.org)"
extra_vars: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/extra_vars.json') }}"
job_type: run
job_tags: "start,setup-all,setup-client-element-subdomain"
inventory: "{{ member_id }}"
project: "{{ member_id }} - Matrix Docker Ansible Deploy"
playbook: setup.yml
credential: "{{ member_id }} - AWX SSH Key"
survey_enabled: true
survey_spec: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_element_subdomain.json') }}"
state: present
verbosity: 1
tower_host: "https://{{ awx_host }}"
tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}"
validate_certs: yes

45
roles/matrix-awx/tasks/set_variables_jitsi.yml
Unescape View File

@ -1,45 +0,0 @@
---
- name: Record Jitsi variables locally on AWX
delegate_to: 127.0.0.1
lineinfile:
path: '{{ awx_cached_matrix_vars }}'
regexp: "^#? *{{ item.key | regex_escape() }}:"
line: "{{ item.key }}: {{ item.value }}"
insertafter: '# Jitsi Settings Start'
with_dict:
'matrix_jitsi_enabled': '{{ matrix_jitsi_enabled }}'
'matrix_jitsi_web_config_defaultLanguage': '{{ matrix_jitsi_web_config_defaultLanguage | trim }}'
- name: Save new 'Configure Jitsi' survey.json to the AWX tower, template
delegate_to: 127.0.0.1
template:
src: 'roles/matrix-awx/surveys/configure_jitsi.json.j2'
dest: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_jitsi.json'
- name: Copy new 'Configure Jitsi' survey.json to target machine
copy:
src: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_jitsi.json'
dest: '/matrix/awx/configure_jitsi.json'
mode: '0660'
- name: Recreate 'Configure Jitsi' job template
delegate_to: 127.0.0.1
awx.awx.tower_job_template:
name: "{{ matrix_domain }} - 1 - Configure Jitsi"
description: "Configure Jitsi conferencing settings."
extra_vars: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/extra_vars.json') }}"
job_type: run
job_tags: "start,setup-jitsi"
inventory: "{{ member_id }}"
project: "{{ member_id }} - Matrix Docker Ansible Deploy"
playbook: setup.yml
credential: "{{ member_id }} - AWX SSH Key"
survey_enabled: true
survey_spec: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_jitsi.json') }}"
become_enabled: yes
state: present
verbosity: 1
tower_host: "https://{{ awx_host }}"
tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}"
validate_certs: yes

103
roles/matrix-awx/tasks/set_variables_ma1sd.yml
Unescape View File

@ -1,103 +0,0 @@
---
- name: Record ma1sd variables locally on AWX
delegate_to: 127.0.0.1
lineinfile:
path: '{{ awx_cached_matrix_vars }}'
regexp: "^#? *{{ item.key | regex_escape() }}:"
line: "{{ item.key }}: {{ item.value }}"
insertafter: '# ma1sd Settings Start'
with_dict:
'matrix_ma1sd_enabled': '{{ matrix_ma1sd_enabled }}'
- name: Disable REST auth (matrix-corporal/ma1sd) if using internal auth
delegate_to: 127.0.0.1
lineinfile:
path: '{{ awx_cached_matrix_vars }}'
regexp: "^#? *{{ item.key | regex_escape() }}:"
line: "{{ item.key }}: {{ item.value }}"
insertafter: '# Synapse Extension Start'
with_dict:
'matrix_synapse_awx_password_provider_rest_auth_enabled': 'false'
when: awx_matrix_ma1sd_auth_store == 'Synapse Internal'
- name: Enable REST auth if using external LDAP/AD with ma1sd
delegate_to: 127.0.0.1
lineinfile:
path: '{{ awx_cached_matrix_vars }}'
regexp: "^#? *{{ item.key | regex_escape() }}:"
line: "{{ item.key }}: {{ item.value }}"
insertafter: '# Synapse Extension Start'
with_dict:
'matrix_synapse_awx_password_provider_rest_auth_enabled': 'true'
'matrix_synapse_awx_password_provider_rest_auth_endpoint': '"http://matrix-ma1sd:{{ matrix_ma1sd_container_port }}"'
when: awx_matrix_ma1sd_auth_store == 'LDAP/AD'
- name: Remove entire ma1sd configuration extension
delegate_to: 127.0.0.1
replace:
path: '{{ awx_cached_matrix_vars }}'
regexp: '^.*\n'
after: '# Start ma1sd Extension'
before: '# End ma1sd Extension'
- name: Replace conjoined ma1sd configuration extension limiters
delegate_to: 127.0.0.1
replace:
path: '{{ awx_cached_matrix_vars }}'
regexp: '^# Start ma1sd Extension# End ma1sd Extension'
replace: '# Start ma1sd Extension\n# End ma1sd Extension'
- name: Insert/Update ma1sd configuration extension variables
delegate_to: 127.0.0.1
blockinfile:
path: '{{ awx_cached_matrix_vars }}'
marker: "# {mark} ma1sd ANSIBLE MANAGED BLOCK"
insertafter: '# Start ma1sd Extension'
block: '{{ awx_matrix_ma1sd_configuration_extension_yaml }}'
- name: Record ma1sd Custom variables locally on AWX
delegate_to: 127.0.0.1
lineinfile:
path: '{{ awx_cached_matrix_vars }}'
regexp: "^#? *{{ item.key | regex_escape() }}:"
line: "{{ item.key }}: {{ item.value }}"
insertbefore: '# ma1sd Settings End'
with_dict:
'awx_matrix_ma1sd_auth_store': '{{ awx_matrix_ma1sd_auth_store }}'
'awx_matrix_ma1sd_configuration_extension_yaml': '{{ awx_matrix_ma1sd_configuration_extension_yaml.splitlines() | to_json }}'
no_log: True
- name: Save new 'Configure ma1sd' survey.json to the AWX tower, template
delegate_to: 127.0.0.1
template:
src: 'roles/matrix-awx/surveys/configure_ma1sd.json.j2'
dest: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_ma1sd.json'
- name: Copy new 'Configure ma1sd' survey.json to target machine
copy:
src: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_ma1sd.json'
dest: '/matrix/awx/configure_ma1sd.json'
mode: '0660'
- name: Recreate 'Configure ma1sd (Advanced)' job template
delegate_to: 127.0.0.1
awx.awx.tower_job_template:
name: "{{ matrix_domain }} - 1 - Configure ma1sd (Advanced)"
description: "Configure Jitsi conferencing settings."
extra_vars: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/extra_vars.json') }}"
job_type: run
job_tags: "start,setup-ma1sd"
inventory: "{{ member_id }}"
project: "{{ member_id }} - Matrix Docker Ansible Deploy"
playbook: setup.yml
credential: "{{ member_id }} - AWX SSH Key"
survey_enabled: true
survey_spec: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_ma1sd.json') }}"
become_enabled: yes
state: present
verbosity: 1
tower_host: "https://{{ awx_host }}"
tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}"
validate_certs: yes

44
roles/matrix-awx/tasks/set_variables_mailer.yml
Unescape View File

@ -1,44 +0,0 @@
---
- name: Record Mailer variables locally on AWX
delegate_to: 127.0.0.1
lineinfile:
path: '{{ awx_cached_matrix_vars }}'
regexp: "^#? *{{ item.key | regex_escape() }}:"
line: "{{ item.key }}: {{ item.value }}"
insertafter: '# Email Settings Start'
with_dict:
'matrix_mailer_relay_use': '{{ matrix_mailer_relay_use }}'
- name: Save new 'Configure Email Relay' survey.json to the AWX tower, template
delegate_to: 127.0.0.1
template:
src: 'roles/matrix-awx/surveys/configure_email_relay.json.j2'
dest: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_email_relay.json'
- name: Copy new 'Configure Email Relay' survey.json to target machine
copy:
src: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_email_relay.json'
dest: '/matrix/awx/configure_email_relay.json'
mode: '0660'
- name: Recreate 'Configure Email Relay' job template
delegate_to: 127.0.0.1
awx.awx.tower_job_template:
name: "{{ matrix_domain }} - 1 - Configure Email Relay"
description: "Enable MailGun relay to increase verification email reliability."
extra_vars: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/extra_vars.json') }}"
job_type: run
job_tags: "start,setup-mailer"
inventory: "{{ member_id }}"
project: "{{ member_id }} - Matrix Docker Ansible Deploy"
playbook: setup.yml
credential: "{{ member_id }} - AWX SSH Key"
survey_enabled: true
survey_spec: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_email_relay.json') }}"
become_enabled: yes
state: present
verbosity: 1
tower_host: "https://{{ awx_host }}"
tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}"
validate_certs: yes

222
roles/matrix-awx/tasks/set_variables_synapse.yml
Unescape View File

@ -1,222 +0,0 @@
- name: Limit max upload size to 200MB part 1
set_fact:
matrix_synapse_max_upload_size_mb: "200"
when: awx_synapse_max_upload_size_mb | int >= 200
- name: Limit max upload size to 200MB part 2
set_fact:
matrix_synapse_max_upload_size_mb: "{{ awx_synapse_max_upload_size_mb }}"
when: awx_synapse_max_upload_size_mb | int < 200
- name: Record Synapse variables locally on AWX
delegate_to: 127.0.0.1
lineinfile:
path: '{{ awx_cached_matrix_vars }}'
regexp: "^#? *{{ item.key | regex_escape() }}:"
line: "{{ item.key }}: {{ item.value }}"
insertafter: '# Synapse Settings Start'
with_dict:
'matrix_synapse_allow_public_rooms_over_federation': '{{ matrix_synapse_allow_public_rooms_over_federation }}'
'matrix_synapse_enable_registration': '{{ matrix_synapse_enable_registration }}'
'matrix_synapse_federation_enabled': '{{ matrix_synapse_federation_enabled }}'
'matrix_synapse_enable_group_creation': '{{ matrix_synapse_enable_group_creation }}'
'matrix_synapse_presence_enabled': '{{ matrix_synapse_presence_enabled }}'
'matrix_synapse_max_upload_size_mb': '{{ matrix_synapse_max_upload_size_mb }}'
'matrix_synapse_url_preview_enabled': '{{ matrix_synapse_url_preview_enabled }}'
'matrix_synapse_allow_guest_access': '{{ matrix_synapse_allow_guest_access }}'
- name: Empty Synapse variable 'matrix_synapse_auto_join_rooms' locally on AWX, if raw inputs empty
delegate_to: 127.0.0.1
replace:
path: '{{ awx_cached_matrix_vars }}'
regexp: "^matrix_synapse_auto_join_rooms: .*$"
replace: "matrix_synapse_auto_join_rooms: []"
when: awx_synapse_auto_join_rooms | length == 0
- name: If the raw inputs is not empty start constructing parsed auto_join_rooms list
set_fact:
awx_synapse_auto_join_rooms_array: |-
{{ awx_synapse_auto_join_rooms.splitlines() | to_json }}
when: awx_synapse_auto_join_rooms | length > 0
- name: Record Synapse variable 'matrix_synapse_auto_join_rooms' locally on AWX, if it's not blank
delegate_to: 127.0.0.1
lineinfile:
path: '{{ awx_cached_matrix_vars }}'
regexp: "^#? *{{ item.key | regex_escape() }}:"
line: "{{ item.key }}: {{ item.value }}"
insertafter: '# Synapse Settings Start'
with_dict:
"matrix_synapse_auto_join_rooms": "{{ awx_synapse_auto_join_rooms_array }}"
when: awx_synapse_auto_join_rooms | length > 0
- name: Record Synapse Shared Secret if it's defined
delegate_to: 127.0.0.1
lineinfile:
path: '{{ awx_cached_matrix_vars }}'
regexp: "^#? *{{ item.key | regex_escape() }}:"
line: "{{ item.key }}: {{ item.value }}"
insertafter: '# Synapse Settings Start'
with_dict:
'matrix_synapse_registration_shared_secret': '{{ awx_matrix_synapse_registration_shared_secret }}'
when: awx_matrix_synapse_registration_shared_secret | length > 0
- name: Record registations_require_3pid extra variable if true
delegate_to: 127.0.0.1
lineinfile:
path: '{{ awx_cached_matrix_vars }}'
regexp: "{{ item }}"
line: "{{ item }}"
insertbefore: '# Synapse Extension End'
with_items:
- " registrations_require_3pid:"
- " - email"
when: awx_registrations_require_3pid | bool
- name: Remove registrations_require_3pid extra variable if false
delegate_to: 127.0.0.1
lineinfile:
path: '{{ awx_cached_matrix_vars }}'
regexp: "{{ item }}"
line: "{{ item }}"
insertbefore: '# Synapse Extension End'
state: absent
with_items:
- " registrations_require_3pid:"
- " - email"
when: not awx_registrations_require_3pid | bool
- name: Remove URL Languages
delegate_to: 127.0.0.1
replace:
path: '{{ awx_cached_matrix_vars }}'
regexp: '^(?!.*\bemail\b) - [a-zA-Z\-]{2,5}\n'
after: ' url_preview_accept_language:'
before: '# Synapse Extension End'
- name: Set URL languages default if raw inputs empty
set_fact:
awx_url_preview_accept_language_default: 'en'
when: awx_url_preview_accept_language | length == 0
- name: Set URL languages default if raw inputs not empty
set_fact:
awx_url_preview_accept_language_default: "{{ awx_url_preview_accept_language }}"
when: awx_url_preview_accept_language|length > 0
- name: Set URL languages if raw inputs empty
delegate_to: 127.0.0.1
lineinfile:
path: '{{ awx_cached_matrix_vars }}'
insertafter: '^ url_preview_accept_language:'
line: " - {{ awx_url_preview_accept_language_default }}"
when: awx_url_preview_accept_language|length == 0
- name: Set URL languages if raw inputs not empty
delegate_to: 127.0.0.1
lineinfile:
path: '{{ awx_cached_matrix_vars }}'
insertafter: '^ url_preview_accept_language:'
line: " - {{ item }}"
with_items: "{{ awx_url_preview_accept_language.splitlines() }}"
when: awx_url_preview_accept_language | length > 0
- name: Remove Federation Whitelisting 1
delegate_to: 127.0.0.1
replace:
path: '{{ awx_cached_matrix_vars }}'
regexp: '^ - [a-z0-9]+\.[a-z0-9.]+\n'
after: ' federation_domain_whitelist:'
before: '# Synapse Extension End'
- name: Remove Federation Whitelisting 2
delegate_to: 127.0.0.1
lineinfile:
path: '{{ awx_cached_matrix_vars }}'
line: " federation_domain_whitelist:"
state: absent
- name: Set Federation Whitelisting 1
delegate_to: 127.0.0.1
lineinfile:
path: '{{ awx_cached_matrix_vars }}'
insertafter: '^matrix_synapse_configuration_extension_yaml: \|'
line: " federation_domain_whitelist:"
when: awx_federation_whitelist | length > 0
- name: Set Federation Whitelisting 2
delegate_to: 127.0.0.1
lineinfile:
path: '{{ awx_cached_matrix_vars }}'
insertafter: '^ federation_domain_whitelist:'
line: " - {{ item }}"
with_items: "{{ awx_federation_whitelist.splitlines() }}"
when: awx_federation_whitelist | length > 0
- name: Set awx_recaptcha_public_key to a 'public-key' if undefined
set_fact: awx_recaptcha_public_key="public-key"
when: (awx_recaptcha_public_key is not defined) or (awx_recaptcha_public_key|length == 0)
- name: Set awx_recaptcha_private_key to a 'private-key' if undefined
set_fact: awx_recaptcha_private_key="private-key"
when: (awx_recaptcha_private_key is not defined) or (awx_recaptcha_private_key|length == 0)
- name: Record Synapse Extension variables locally on AWX
delegate_to: 127.0.0.1
lineinfile:
path: '{{ awx_cached_matrix_vars }}'
regexp: "^#? *{{ item.key | regex_escape() }}:"
line: "{{ item.key }}: {{ item.value }}"
insertbefore: '# Synapse Extension End'
with_dict:
' enable_registration_captcha': '{{ awx_enable_registration_captcha }}'
' recaptcha_public_key': '{{ awx_recaptcha_public_key }}'
' recaptcha_private_key': '{{ awx_recaptcha_private_key }}'
- name: Record Synapse Custom variables locally on AWX
delegate_to: 127.0.0.1
lineinfile:
path: '{{ awx_cached_matrix_vars }}'
regexp: "^#? *{{ item.key | regex_escape() }}:"
line: "{{ item.key }}: {{ item.value }}"
insertbefore: '# Synapse Settings End'
with_dict:
'awx_federation_whitelist': '{{ awx_federation_whitelist.splitlines() | to_json }}'
'awx_url_preview_accept_language_default': '{{ awx_url_preview_accept_language_default.splitlines() | to_json }}'
'awx_enable_registration_captcha': '{{ awx_enable_registration_captcha }}'
'awx_recaptcha_public_key': '"{{ awx_recaptcha_public_key }}"'
'awx_recaptcha_private_key': '"{{ awx_recaptcha_private_key }}"'
- name: Save new 'Configure Synapse' survey.json to the AWX tower, template
delegate_to: 127.0.0.1
template:
src: 'roles/matrix-awx/surveys/configure_synapse.json.j2'
dest: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}//configure_synapse.json'
- name: Copy new 'Configure Synapse' survey.json to target machine
copy:
src: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_synapse.json'
dest: '/matrix/awx/configure_synapse.json'
mode: '0660'
- name: Recreate 'Configure Synapse' job template
delegate_to: 127.0.0.1
awx.awx.tower_job_template:
name: "{{ matrix_domain }} - 1 - Configure Synapse"
description: "Configure Synapse (homeserver) settings."
extra_vars: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/extra_vars.json') }}"
job_type: run
job_tags: "start,setup-synapse"
inventory: "{{ member_id }}"
project: "{{ member_id }} - Matrix Docker Ansible Deploy"
playbook: setup.yml
credential: "{{ member_id }} - AWX SSH Key"
survey_enabled: true
survey_spec: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_synapse.json') }}"
become_enabled: yes
state: present
verbosity: 1
tower_host: "https://{{ awx_host }}"
tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}"
validate_certs: yes

44
roles/matrix-awx/tasks/set_variables_synapse_admin.yml
Unescape View File

@ -1,44 +0,0 @@
---
- name: Record Synapse Admin variables locally on AWX
delegate_to: 127.0.0.1
lineinfile:
path: '{{ awx_cached_matrix_vars }}'
regexp: "^#? *{{ item.key | regex_escape() }}:"
line: "{{ item.key }}: {{ item.value }}"
insertafter: '# Synapse Admin Settings Start'
with_dict:
'matrix_synapse_admin_enabled': '{{ matrix_synapse_admin_enabled }}'
- name: Save new 'Configure Synapse Admin' survey.json to the AWX tower, template
delegate_to: 127.0.0.1
template:
src: 'roles/matrix-awx/surveys/configure_synapse_admin.json.j2'
dest: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_synapse_admin.json'
- name: Copy new 'Configure Synapse Admin' survey.json to target machine
copy:
src: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_synapse_admin.json'
dest: '/matrix/awx/configure_synapse_admin.json'
mode: '0660'
- name: Recreate 'Configure Synapse Admin' job template
delegate_to: 127.0.0.1
awx.awx.tower_job_template:
name: "{{ matrix_domain }} - 1 - Configure Synapse Admin"
description: "Configure 'Synapse Admin', a moderation tool to help you manage your server."
extra_vars: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/extra_vars.json') }}"
job_type: run
job_tags: "start,setup-all"
inventory: "{{ member_id }}"
project: "{{ member_id }} - Matrix Docker Ansible Deploy"
playbook: setup.yml
credential: "{{ member_id }} - AWX SSH Key"
survey_enabled: true
survey_spec: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_synapse_admin.json') }}"
become_enabled: yes
state: present
verbosity: 1
tower_host: "https://{{ awx_host }}"
tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}"
validate_certs: yes

26
roles/matrix-awx/tasks/update_variables.yml
Unescape View File

@ -1,26 +0,0 @@
---
- name: Rename synapse presence variable
delegate_to: 127.0.0.1
replace:
path: "/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml"
regexp: 'matrix_synapse_use_presence'
replace: 'matrix_synapse_presence_enabled'
- name: Generate matrix_homeserver_generic_secret_key variable
delegate_to: 127.0.0.1
command: |
openssl rand -hex 16
register: generic_secret
no_log: True
when: ( matrix_homeserver_generic_secret_key is undefined ) or ( matrix_homeserver_generic_secret_key | length == 0 )
- name: Add new matrix_homeserver_generic_secret_key variable
delegate_to: 127.0.0.1
lineinfile:
path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml'
line: "matrix_homeserver_generic_secret_key: {{ generic_secret.stdout }}"
insertbefore: '# Basic Settings End'
mode: '0600'
state: present
when: ( matrix_homeserver_generic_secret_key is undefined ) or ( matrix_homeserver_generic_secret_key | length == 0 )

98
roles/matrix-backup-borg/defaults/main.yml
Unescape View File

@ -0,0 +1,98 @@
---
matrix_backup_borg_enabled: true
matrix_backup_borg_base_path: "{{ matrix_base_data_path }}/backup-borg"
matrix_backup_borg_config_path: "{{ matrix_backup_borg_base_path }}/config"
matrix_backup_borg_container_image_self_build: false
matrix_backup_borg_docker_repo: "https://gitlab.com/etke.cc/borgmatic"
matrix_backup_borg_docker_src_files_path: "{{ matrix_backup_borg_base_path }}/docker-src"
# version determined automatically, based on postgres server version (if enabled), otherwise latest is used
matrix_backup_borg_version: ""
matrix_backup_borg_docker_image: "{{ matrix_backup_borg_docker_image_name_prefix }}etke.cc/borgmatic:{{ matrix_backup_borg_version }}"
matrix_backup_borg_docker_image_name_prefix: "{{ 'localhost/' if matrix_backup_borg_container_image_self_build else 'registry.gitlab.com/' }}"
matrix_backup_borg_docker_image_force_pull: "{{ matrix_backup_borg_docker_image.endswith(':latest') or matrix_backup_borg_version|default('') == '' }}"
# A list of extra arguments to pass to the container
matrix_backup_borg_container_extra_arguments: []
# List of systemd services that matrix-backup-borg.service depends on
matrix_backup_borg_systemd_required_services_list: ['docker.service']
# List of systemd services that matrix-backup-borg.service wants
matrix_backup_borg_systemd_wanted_services_list: []
# systemd calendar configuration for backup job
matrix_backup_borg_schedule: "*-*-* 04:00:00"
# what directories should be added to backup
matrix_backup_borg_location_source_directories: []
# postgres db backup
matrix_backup_borg_postgresql_enabled: true
matrix_backup_borg_supported_postgres_versions: ['12', '13', '14']
matrix_backup_borg_postgresql_databases: []
matrix_backup_borg_postgresql_databases_hostname: "matrix-postgres"
matrix_backup_borg_postgresql_databases_username: "matrix"
matrix_backup_borg_postgresql_databases_password: ""
matrix_backup_borg_postgresql_databases_port: 5432
# target repositories
matrix_backup_borg_location_repositories: []
# exclude following paths:
matrix_backup_borg_location_exclude_patterns: []
# borg encryption mode, only "repokey-*" and "none" are supported
matrix_backup_borg_encryption: repokey-blake2
# private ssh key used to connect to the borg repo
matrix_backup_borg_ssh_key_private: ""
# allow unencrypted repo access
matrix_backup_borg_unknown_unencrypted_repo_access_is_ok: "{{ matrix_backup_borg_encryption == 'none' }}"
# borg ssh command with ssh key
matrix_backup_borg_storage_ssh_command: ssh -o "StrictHostKeyChecking accept-new" -i /etc/borgmatic.d/sshkey
# compression algorithm
matrix_backup_borg_storage_compression: lz4
# archive name format
matrix_backup_borg_storage_archive_name_format: matrix-{now:%Y-%m-%d-%H%M%S}
# repository passphrase
matrix_backup_borg_storage_encryption_passphrase: ""
# retention configuration
matrix_backup_borg_retention_keep_hourly: 0
matrix_backup_borg_retention_keep_daily: 7
matrix_backup_borg_retention_keep_weekly: 4
matrix_backup_borg_retention_keep_monthly: 12
matrix_backup_borg_retention_keep_yearly: 2
# retention prefix
matrix_backup_borg_retention_prefix: matrix-
# Default borgmatic configuration template which covers the generic use case.
# You can customize it by controlling the various variables inside it.
#
# For a more advanced customization, you can extend the default (see `matrix_backup_borg_configuration_extension_yaml`)
# or completely replace this variable with your own template.
matrix_backup_borg_configuration_yaml: "{{ lookup('template', 'templates/config.yaml.j2') }}"
matrix_backup_borg_configuration_extension_yaml: |
# Your custom YAML configuration for borgmatic goes here.
# This configuration extends the default starting configuration (`matrix_borg_configuration_yaml`).
#
# You can override individual variables from the default configuration, or introduce new ones.
#
# If you need something more special, you can take full control by
# completely redefining `matrix_backup_borg_configuration_yaml`.
matrix_backup_borg_configuration_extension: "{{ matrix_backup_borg_configuration_extension_yaml|from_yaml if matrix_backup_borg_configuration_extension_yaml|from_yaml is mapping else {} }}"
# Holds the final borgmatic configuration (a combination of the default and its extension).
# You most likely don't need to touch this variable. Instead, see `matrix_backup_borg_configuration_yaml`.
matrix_backup_borg_configuration: "{{ matrix_backup_borg_configuration_yaml|from_yaml|combine(matrix_backup_borg_configuration_extension, recursive=True) }}"

4
roles/matrix-backup-borg/tasks/init.yml
Unescape View File

@ -0,0 +1,4 @@
---
- set_fact:
matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-backup-borg.timer'] }}"
when: matrix_backup_borg_enabled|bool

Some files were not shown because too many files have changed in this diff Show More

Write Preview
Loading…
Cancel
Save