diff --git a/CHANGELOG.md b/CHANGELOG.md index 9c48f483..c706b4a6 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,14 @@ +# 2021-10-23 + +## Hangouts bridge no longer updated, superseded by a Googlechat bridge + +The mautrix-hangouts bridge is no longer receiving updates upstream and is likely to stop working in the future. +We still retain support for this bridge in the playbook, but you're encouraged to switch away from it. + +There's a new [mautrix-googlechat](https://github.com/mautrix/googlechat) bridge that you can [install using the playbook](docs/configuring-playbook-bridge-mautrix-googlechat.md). +Your **Hangouts bridge data will not be migrated**, however. You need to start fresh with the new bridge. + + # 2021-08-23 ## LinkedIn bridging support via beeper-linkedin diff --git a/README.md b/README.md index edda6f99..6e1b5c14 100644 --- a/README.md +++ b/README.md @@ -53,6 +53,8 @@ Using this playbook, you can get the following services configured on your serve - (optional) the [mautrix-hangouts](https://github.com/mautrix/hangouts) bridge for bridging your Matrix server to [Google Hangouts](https://en.wikipedia.org/wiki/Google_Hangouts) +- (optional) the [mautrix-googlechat](https://github.com/mautrix/googlechat) bridge for bridging your Matrix server to [Google Chat](https://en.wikipedia.org/wiki/Google_Chat) + - (optional) the [mautrix-instagram](https://github.com/mautrix/instagram) bridge for bridging your Matrix server to [Instagram](https://instagram.com/) - (optional) the [mautrix-signal](https://github.com/mautrix/signal) bridge for bridging your Matrix server to [Signal](https://www.signal.org/) diff --git a/docs/configuring-awx-system.md b/docs/configuring-awx-system.md index 87ea228a..f455f058 100644 --- a/docs/configuring-awx-system.md +++ b/docs/configuring-awx-system.md @@ -26,7 +26,7 @@ The following repositories allow you to copy and use this setup: Updates to this section are trailed here: -[GoMatrixHosting Matrix Docker Ansible Deploy](https://gitlab.com/GoMatrixHosting/gomatrixhosting-matrix-docker-ansible-deploy) +[GoMatrixHosting Matrix Docker Ansible Deploy](https://gitlab.com/GoMatrixHosting/matrix-docker-ansible-deploy) ## Does I need an AWX setup to use this? How do I configure it? diff --git a/docs/configuring-playbook-bridge-mautrix-googlechat.md b/docs/configuring-playbook-bridge-mautrix-googlechat.md new file mode 100644 index 00000000..381d1f29 --- /dev/null +++ b/docs/configuring-playbook-bridge-mautrix-googlechat.md @@ -0,0 +1,58 @@ +# Setting up Mautrix Google Chat (optional) + +The playbook can install and configure [mautrix-googlechat](https://github.com/mautrix/googlechat) for you. + +See the project's [documentation](https://docs.mau.fi/bridges/python/googlechat/index.html) to learn what it does and why it might be useful to you. + +To enable the [Google Chat](https://chat.google.com/) bridge just use the following playbook configuration: + + +```yaml +matrix_mautrix_googlechat_enabled: true +``` + + +## Set up Double Puppeting + +If you'd like to use [Double Puppeting](https://docs.mau.fi/bridges/general/double-puppeting.html) (hint: you most likely do), you have 2 ways of going about it. + +### Method 1: automatically, by enabling Shared Secret Auth + +The bridge will automatically perform Double Puppeting if you enable [Shared Secret Auth](configuring-playbook-shared-secret-auth.md) for this playbook. + +This is the recommended way of setting up Double Puppeting, as it's easier to accomplish, works for all your users automatically, and has less of a chance of breaking in the future. + + +### Method 2: manually, by asking each user to provide a working access token + +**Note**: This method for enabling Double Puppeting can be configured only after you've already set up bridging (see [Usage](#usage)). + +When using this method, **each user** that wishes to enable Double Puppeting needs to follow the following steps: + +- retrieve a Matrix access token for yourself. You can use the following command: + +``` +curl \ +--data '{"identifier": {"type": "m.id.user", "user": "YOUR_MATRIX_USERNAME" }, "password": "YOUR_MATRIX_PASSWORD", "type": "m.login.password", "device_id": "Mautrix-googlechat", "initial_device_display_name": "Mautrix-googlechat"}' \ +https://matrix.DOMAIN/_matrix/client/r0/login +``` + +- send the access token to the bot. Example: `login-matrix MATRIX_ACCESS_TOKEN_HERE` + +- make sure you don't log out the `Mautrix-googlechat` device some time in the future, as that would break the Double Puppeting feature + + +## Usage + +Once the bot is enabled you need to start a chat with `googlechat bridge bot` with handle `@googlechatbot:YOUR_DOMAIN` (where `YOUR_DOMAIN` is your base domain, not the `matrix.` domain). + +Send `login` to the bridge bot to receive a link to the portal from which you can enable the bridging. Open the link sent by the bot and follow the instructions. + +Automatic login may not work. If it does not, reload the page and select the "Manual login" checkbox before starting. Manual login involves logging into your Google account normally and then manually getting the OAuth token from browser cookies with developer tools. + +Once logged in, recent chats should show up as new conversations automatically. Other chats will get portals as you receive messages. + +You can learn more about authentication from the bridge's [official documentation on Authentication](https://docs.mau.fi/bridges/python/googlechat/authentication.html). + +After successfully enabling bridging, you may wish to [set up Double Puppeting](#set-up-double-puppeting), if you haven't already done so. + diff --git a/docs/configuring-playbook-bridge-mautrix-hangouts.md b/docs/configuring-playbook-bridge-mautrix-hangouts.md index 1b31e75a..f6129777 100644 --- a/docs/configuring-playbook-bridge-mautrix-hangouts.md +++ b/docs/configuring-playbook-bridge-mautrix-hangouts.md @@ -1,3 +1,5 @@ +# The [Mautrix Hangouts Bridge](https://mau.dev/mautrix/hangouts) is no longer maintained. It has changed to a [Google Chat Bridge](https://github.com/mautrix/googlechat). Setup instructions for the Google Chat Bridge can be [found here](configuring-playbook-bridge-mautrix-googlechat.md). + # Setting up Mautrix Hangouts (optional) The playbook can install and configure [mautrix-hangouts](https://github.com/mautrix/hangouts) for you. diff --git a/docs/configuring-playbook-dimension.md b/docs/configuring-playbook-dimension.md index 0cd15bbf..69ed7aa7 100644 --- a/docs/configuring-playbook-dimension.md +++ b/docs/configuring-playbook-dimension.md @@ -3,14 +3,12 @@ **[Dimension](https://dimension.t2bot.io) can only be installed after Matrix services are installed and running.** If you're just installing Matrix services for the first time, please continue with the [Configuration](configuring-playbook.md) / [Installation](installing.md) flow and come back here later. -**Note**: enabling Dimension, means that the `openid` API endpoints will be exposed on the Matrix Federation port (usually `8448`), even if [federation](configuring-playbook-federation.md) is disabled. It's something to be aware of, especially in terms of firewall whitelisting (make sure port `8448` is accessible). +**Note**: This playbook now supports running [Dimension](https://dimension.t2bot.io) in both a federated and [unfederated](https://github.com/turt2live/matrix-dimension/blob/master/docs/unfederated.md) environments. This is handled automatically based on the value of `matrix_synapse_federation_enabled`. Enabling Dimension, means that the `openid` API endpoints will be exposed on the Matrix Federation port (usually `8448`), even if [federation](configuring-playbook-federation.md) is disabled. It's something to be aware of, especially in terms of firewall whitelisting (make sure port `8448` is accessible). ## Prerequisites -This playbook now supports running [Dimension](https://dimension.t2bot.io) in both a federated and an [unfederated](https://github.com/turt2live/matrix-dimension/blob/master/docs/unfederated.md) environment. This is handled automatically based on the value of `matrix_synapse_federation_enabled`. - -Other important prerequisite is the `dimension.` DNS record being set up correctly. See [Configuring your DNS server](configuring-dns.md) on how to set up DNS record correctly. +The `dimension.` DNS record must be created. See [Configuring your DNS server](configuring-dns.md) on how to set up DNS record correctly. ## Enable @@ -45,11 +43,11 @@ To get an access token for the Dimension user, you can follow one of two options *Through an interactive login*: 1. In a private browsing session (incognito window), open Element. -2. Log in with the `dimension` user and its password. +1. Log in with the `dimension` user and its password. 1. Set the display name and avatar, if required. -2. In the settings page choose "Help & About", scroll down to the bottom and click `Access Token: `. -3. Copy the highlighted text to your configuration. -4. Close the private browsing session. **Do not log out**. Logging out will invalidate the token, making it not work. +1. In the settings page choose "Help & About", scroll down to the bottom and expand the `Access Token` section. +1. Copy the access token to your configuration. +1. Close the private browsing session. **Do not log out**. Logging out will invalidate the token, making it not work. *With CURL* @@ -81,6 +79,8 @@ After these variables have been set, please run the following command to re-run ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start ``` +After Dimension has been installed you may need to log out and log back in for it to pick up the new integrations manager. Then you can access integrations in Element by opening a room, clicking the Room info button (`i`) button in the top right corner of the screen, and then clicking Add widgets, bridges & bots. + ## Jitsi domain diff --git a/docs/configuring-playbook-own-webserver.md b/docs/configuring-playbook-own-webserver.md index 8a827d0d..9a27e0b7 100644 --- a/docs/configuring-playbook-own-webserver.md +++ b/docs/configuring-playbook-own-webserver.md @@ -108,6 +108,9 @@ matrix_nginx_proxy_container_federation_host_bind_port: '127.0.0.1:8449' # Since we don't obtain any certificates (`matrix_ssl_retrieval_method: none` above), it won't work by default. # An alternative is to tweak some of: `matrix_coturn_tls_enabled`, `matrix_coturn_tls_cert_path` and `matrix_coturn_tls_key_path`. matrix_coturn_enabled: false + +# Trust the reverse proxy to send the correct `X-Forwarded-Proto` header as it is handling the SSL connection. +matrix_nginx_proxy_trust_forwarded_proto: true ``` With this, nginx would still be in use, but it would not bother with anything SSL related or with taking up public ports. diff --git a/docs/configuring-playbook-prometheus-grafana.md b/docs/configuring-playbook-prometheus-grafana.md index dc1b7b4c..b7f3caae 100644 --- a/docs/configuring-playbook-prometheus-grafana.md +++ b/docs/configuring-playbook-prometheus-grafana.md @@ -56,8 +56,40 @@ Name | Description `matrix_nginx_proxy_proxy_synapse_metrics`|Set this to `true` to make matrix-nginx-proxy expose the Synapse metrics at `https://matrix.DOMAIN/_synapse/metrics` `matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_enabled`|Set this to `true` to password-protect (using HTTP Basic Auth) `https://matrix.DOMAIN/_synapse/metrics` (the username is always `prometheus`, the password is defined in `matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_key`) `matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_key`|Set this to a password to use for HTTP Basic Auth for protecting `https://matrix.DOMAIN/_synapse/metrics` (the username is always `prometheus` - it's not configurable) -`matrix_server_fqn_grafana`|Use this variable to override the domain at which the Grafana web user-interface is at (defaults to `stats.DOMAIN`). +`matrix_server_fqn_grafana`|Use this variable to override the domain at which the Grafana web user-interface is at (defaults to `stats.DOMAIN`) +### Collecting system and Postgres metrics to an external Prometheus server (advanced) + +When you normally enable the Prometheus and Grafana via the playbook, it will also show general system (via node-exporter) and Postgres (via postgres-exporter) stats. If you are instead collecting your metrics to an external Prometheus server, you can follow this advanced configuration example to also export these stats. + +It would be possible to use `matrix_prometheus_node_exporter_container_http_host_bind_port` etc., but that is not always the best choice, for example because your server is on a public network. + +Use the following variables in addition to the ones mentioned above: + +Name | Description +-----|---------- +`matrix_nginx_proxy_proxy_grafana_enabled`|Set this to `true` to make the stats subdomain (`matrix_server_fqn_grafana`) available via the Nginx proxy +`matrix_ssl_additional_domains_to_obtain_certificates_for`|Add `"{{ matrix_server_fqn_grafana }}"` to this list to have letsencrypt fetch a certificate for the stats subdomain +`matrix_prometheus_node_exporter_enabled`|Set this to `true` to enable the node (general system stats) exporter +`matrix_prometheus_postgres_exporter_enabled`|Set this to `true` to enable the Postgres exporter +`matrix_nginx_proxy_proxy_grafana_additional_server_configuration_blocks`|Add locations to this list depending on which of the above exporters you enabled (see below) + +```nginx +matrix_nginx_proxy_proxy_grafana_additional_server_configuration_blocks: + - 'location /node-exporter/ { + resolver 127.0.0.11 valid=5s; + proxy_pass http://matrix-prometheus-node-exporter:9100/; + auth_basic "protected"; + auth_basic_user_file /nginx-data/matrix-synapse-metrics-htpasswd; + }' + - 'location /postgres-exporter/ { + resolver 127.0.0.11 valid=5s; + proxy_pass http://matrix-prometheus-postgres-exporter:9187/; + auth_basic "protected"; + auth_basic_user_file /nginx-data/matrix-synapse-metrics-htpasswd; + }' +``` +You can customize the `location`s to your liking, just point your Prometheus to there later (e.g. `stats.DOMAIN/node-exporter/metrics`). Nginx is very picky about the `proxy_pass`syntax: take care to follow the example closely and note the trailing slash as well as absent use of variables. postgres-exporter uses the nonstandard port 9187. ## More information diff --git a/docs/configuring-playbook.md b/docs/configuring-playbook.md index 60c7a4bf..243440dd 100644 --- a/docs/configuring-playbook.md +++ b/docs/configuring-playbook.md @@ -98,6 +98,8 @@ When you're done with all the configuration you'd like to do, continue with [Ins - [Setting up Mautrix Hangouts bridging](configuring-playbook-bridge-mautrix-hangouts.md) (optional) +- [Setting up Mautrix Google Chat bridging](configuring-playbook-bridge-mautrix-googlechat.md) (optional) + - [Setting up Mautrix Instagram bridging](configuring-playbook-bridge-mautrix-instagram.md) (optional) - [Setting up Mautrix Signal bridging](configuring-playbook-bridge-mautrix-signal.md) (optional) diff --git a/docs/container-images.md b/docs/container-images.md index 21f055b8..6fbb9205 100644 --- a/docs/container-images.md +++ b/docs/container-images.md @@ -48,6 +48,8 @@ These services are not part of our default installation, but can be enabled by [ - [mautrix/hangouts](https://mau.dev/mautrix/hangouts/container_registry) - the [mautrix-hangouts](https://github.com/mautrix/hangouts) bridge to [Google Hangouts](https://en.wikipedia.org/wiki/Google_Hangouts) (optional) +- [mautrix/googlechat](https://mau.dev/mautrix/googlechat/container_registry) - the [mautrix-googlechat](https://github.com/mautrix/googlechat) bridge to [Google Chat](https://en.wikipedia.org/wiki/Google_Chat) (optional) + - [mautrix/instagram](https://mau.dev/mautrix/instagram/container_registry) - the [mautrix-instagram](https://github.com/mautrix/instagram) bridge to [Instagram](https://instagram.com/) (optional) - [mautrix/signal](https://mau.dev/mautrix/signal/container_registry) - the [mautrix-signal](https://github.com/mautrix/signal) bridge to [Signal](https://www.signal.org/) (optional) diff --git a/docs/faq.md b/docs/faq.md index 6c9eedc2..5181c6ea 100644 --- a/docs/faq.md +++ b/docs/faq.md @@ -121,7 +121,7 @@ This is similar to the [EMnify/matrix-synapse-auto-deploy](https://github.com/EM - this one **can be executed more than once** without causing trouble -- works on various distros: **CentOS** (7.0+), Debian-based distributions (**Debian** 9/Stretch+, **Ubuntu** 16.04+), **Archlinux** +- works on various distros: **CentOS** (7.0+), Debian-based distributions (**Debian** 10/Buster+, **Ubuntu** 18.04+), **Archlinux** - this one installs everything in a single directory (`/matrix` by default) and **doesn't "contaminate" your server** with files all over the place diff --git a/docs/importing-postgres.md b/docs/importing-postgres.md index d27375bb..925ed14d 100644 --- a/docs/importing-postgres.md +++ b/docs/importing-postgres.md @@ -60,7 +60,7 @@ ALTER TABLE public.application_services_state OWNER TO synapse_user; It can be worked around by changing the username to `synapse`, for example by using `sed`: ```Shell -$ sed -i "s/synapse_user/synapse/g" homeserver.sql" +$ sed -i "s/synapse_user/synapse/g" homeserver.sql ``` This uses sed to perform an 'in-place' (`-i`) replacement globally (`/g`), searching for `synapse user` and replacing with `synapse` (`s/synapse_user/synapse`). If your database username was different, change `synapse_user` to that username instead. diff --git a/docs/prerequisites.md b/docs/prerequisites.md index 39b42ef1..0da1c715 100644 --- a/docs/prerequisites.md +++ b/docs/prerequisites.md @@ -4,8 +4,8 @@ To install Matrix services using this Ansible playbook, you need: - (Recommended) An **x86** server ([What kind of server specs do I need?](faq.md#what-kind-of-server-specs-do-i-need)) running one of these operating systems: - **CentOS** (7 only for now; [8 is not yet supported](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/300)) - - **Debian** (9/Stretch or newer) - - **Ubuntu** (16.04 or newer, although [20.04 may be problematic](ansible.md#supported-ansible-versions)) + - **Debian** (10/Buster or newer) + - **Ubuntu** (18.04 or newer, although [20.04 may be problematic](ansible.md#supported-ansible-versions)) - **Archlinux** Generally, newer is better. We only strive to support released stable versions of distributions, not betas or pre-releases. This playbook can take over your whole server or co-exist with other services that you have there. diff --git a/docs/self-building.md b/docs/self-building.md index 61f05c48..82726bb7 100644 --- a/docs/self-building.md +++ b/docs/self-building.md @@ -22,10 +22,13 @@ List of roles where self-building the Docker image is currently possible: - `matrix-mailer` - `matrix-bridge-appservice-irc` - `matrix-bridge-appservice-slack` +- `matrix-bridge-appservice-webhooks` - `matrix-bridge-mautrix-facebook` - `matrix-bridge-mautrix-hangouts` +- `matrix-bridge-mautrix-googlechat` - `matrix-bridge-mautrix-telegram` - `matrix-bridge-mautrix-signal` +- `matrix-bridge-mautrix-whatsapp` - `matrix-bridge-mx-puppet-skype` - `matrix-bot-mjolnir` - `matrix-bot-matrix-reminder-bot` diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index e2db0885..4905a222 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -104,6 +104,8 @@ matrix_appservice_discord_database_password: "{{ matrix_synapse_macaroon_secret_ # We don't enable bridges by default. matrix_appservice_webhooks_enabled: false +matrix_appservice_webhooks_container_image_self_build: "{{ matrix_architecture != 'amd64' }}" + # Normally, matrix-nginx-proxy is enabled and nginx can reach matrix-appservice-webhooks over the container network. # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose # matrix-appservice-webhooks' client-server port to the local host. @@ -335,6 +337,47 @@ matrix_mautrix_hangouts_database_password: "{{ matrix_synapse_macaroon_secret_ke ###################################################################### +###################################################################### +# +# matrix-bridge-mautrix-googlechat +# +###################################################################### + +# We don't enable bridges by default. +matrix_mautrix_googlechat_enabled: false + +matrix_mautrix_googlechat_container_image_self_build: "{{ matrix_architecture not in ['amd64', 'arm64'] }}" + +matrix_mautrix_googlechat_systemd_required_services_list: | + {{ + ['docker.service'] + + + (['matrix-synapse.service'] if matrix_synapse_enabled else []) + + + (['matrix-postgres.service'] if matrix_postgres_enabled else []) + + + (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) + }} + +matrix_mautrix_googlechat_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'gc.as.token') | to_uuid }}" + +matrix_mautrix_googlechat_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'gc.hs.token') | to_uuid }}" + +matrix_mautrix_googlechat_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:9007' }}" + +matrix_mautrix_googlechat_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" + +# Postgres is the default, except if not using `matrix_postgres` (internal postgres) +matrix_mautrix_googlechat_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" +matrix_mautrix_googlechat_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mau.gc.db') | to_uuid }}" + +###################################################################### +# +# /matrix-bridge-mautrix-googlechat +# +###################################################################### + + ###################################################################### # # matrix-bridge-mautrix-instagram @@ -475,6 +518,8 @@ matrix_mautrix_telegram_database_password: "{{ matrix_synapse_macaroon_secret_ke # We don't enable bridges by default. matrix_mautrix_whatsapp_enabled: false +matrix_mautrix_whatsapp_container_image_self_build: "{{ matrix_architecture not in ['arm64', 'amd64'] }}" + matrix_mautrix_whatsapp_systemd_required_services_list: | {{ ['docker.service'] @@ -1426,6 +1471,12 @@ matrix_postgres_additional_databases: | 'password': matrix_mautrix_hangouts_database_password, }] if (matrix_mautrix_hangouts_enabled and matrix_mautrix_hangouts_database_engine == 'postgres' and matrix_mautrix_hangouts_database_hostname == 'matrix-postgres') else []) + + ([{ + 'name': matrix_mautrix_googlechat_database_name, + 'username': matrix_mautrix_googlechat_database_username, + 'password': matrix_mautrix_googlechat_database_password, + }] if (matrix_mautrix_googlechat_enabled and matrix_mautrix_googlechat_database_engine == 'postgres' and matrix_mautrix_googlechat_database_hostname == 'matrix-postgres') else []) + + ([{ 'name': matrix_mautrix_instagram_database_name, 'username': matrix_mautrix_instagram_database_username, diff --git a/roles/matrix-awx/surveys/access_export.json.j2 b/roles/matrix-awx/surveys/access_export.json.j2 index c20a9749..d5e1f945 100644 --- a/roles/matrix-awx/surveys/access_export.json.j2 +++ b/roles/matrix-awx/surveys/access_export.json.j2 @@ -8,10 +8,10 @@ "required": true, "min": null, "max": null, - "default": "{{ sftp_auth_method | string }}", + "default": "{{ awx_sftp_auth_method | string }}", "choices": "Disabled\nPassword\nSSH Key", "new_question": true, - "variable": "sftp_auth_method", + "variable": "awx_sftp_auth_method", "type": "multiplechoice" }, { @@ -20,10 +20,10 @@ "required": false, "min": 0, "max": 64, - "default": "{{ sftp_password }}", + "default": "{{ awx_sftp_password }}", "choices": "", "new_question": true, - "variable": "sftp_password", + "variable": "awx_sftp_password", "type": "password" }, { @@ -32,10 +32,10 @@ "required": false, "min": 0, "max": 16384, - "default": "{{ sftp_public_key }}", + "default": "{{ awx_sftp_public_key }}", "choices": "", "new_question": true, - "variable": "sftp_public_key", + "variable": "awx_sftp_public_key", "type": "text" } ] diff --git a/roles/matrix-awx/surveys/backup_server.json.j2 b/roles/matrix-awx/surveys/backup_server.json.j2 index acb6e356..559daade 100644 --- a/roles/matrix-awx/surveys/backup_server.json.j2 +++ b/roles/matrix-awx/surveys/backup_server.json.j2 @@ -8,10 +8,10 @@ "required": false, "min": null, "max": null, - "default": "{{ matrix_awx_backup_enabled | string | lower }}", + "default": "{{ awx_backup_enabled | string | lower }}", "choices": "true\nfalse", "new_question": true, - "variable": "matrix_awx_backup_enabled", + "variable": "awx_backup_enabled", "type": "multiplechoice" } ] diff --git a/roles/matrix-awx/surveys/configure_corporal.json.j2 b/roles/matrix-awx/surveys/configure_corporal.json.j2 index 14e417ce..7b782fd0 100755 --- a/roles/matrix-awx/surveys/configure_corporal.json.j2 +++ b/roles/matrix-awx/surveys/configure_corporal.json.j2 @@ -20,10 +20,10 @@ "required": true, "min": null, "max": null, - "default": "{{ matrix_corporal_policy_provider_mode }}", + "default": "{{ awx_corporal_policy_provider_mode }}", "choices": "Simple Static File\nHTTP Pull Mode (API Enabled)\nHTTP Push Mode (API Enabled)", "new_question": true, - "variable": "matrix_corporal_policy_provider_mode", + "variable": "awx_corporal_policy_provider_mode", "type": "multiplechoice" }, { @@ -34,7 +34,7 @@ "max": 65536, "default": "", "new_question": true, - "variable": "matrix_corporal_simple_static_config", + "variable": "awx_corporal_simple_static_config", "type": "textarea" }, { @@ -43,9 +43,9 @@ "required": false, "min": 0, "max": 4096, - "default": "{{ matrix_corporal_pull_mode_uri }}", + "default": "{{ awx_corporal_pull_mode_uri }}", "new_question": true, - "variable": "matrix_corporal_pull_mode_uri", + "variable": "awx_corporal_pull_mode_uri", "type": "text" }, { @@ -54,10 +54,10 @@ "required": false, "min": 0, "max": 256, - "default": "{{ matrix_corporal_pull_mode_token }}", + "default": "{{ awx_corporal_pull_mode_token }}", "choices": "", "new_question": true, - "variable": "matrix_corporal_pull_mode_token", + "variable": "awx_corporal_pull_mode_token", "type": "password" }, { @@ -66,10 +66,10 @@ "required": false, "min": 0, "max": 256, - "default": "{{ matrix_corporal_http_api_auth_token }}", + "default": "{{ awx_corporal_http_api_auth_token }}", "choices": "", "new_question": true, - "variable": "matrix_corporal_http_api_auth_token", + "variable": "awx_corporal_http_api_auth_token", "type": "password" }, { @@ -78,7 +78,7 @@ "required": false, "min": null, "max": null, - "default": "{{ matrix_corporal_raise_ratelimits }}", + "default": "{{ awx_corporal_raise_ratelimits }}", "choices": "Normal\nRaised", "new_question": true, "variable": "matrix_corporal_raise_ratelimits", diff --git a/roles/matrix-awx/surveys/configure_dimension.json.j2 b/roles/matrix-awx/surveys/configure_dimension.json.j2 index 2f39e80e..5f79cfd0 100644 --- a/roles/matrix-awx/surveys/configure_dimension.json.j2 +++ b/roles/matrix-awx/surveys/configure_dimension.json.j2 @@ -20,10 +20,10 @@ "required": false, "min": 0, "max": 65536, - "default": {{ ext_dimension_users_raw_final | to_json }}, + "default": {{ awx_dimension_users_final | to_json }}, "choices": "", "new_question": true, - "variable": "ext_dimension_users_raw", + "variable": "awx_dimension_users", "type": "textarea" } ] diff --git a/roles/matrix-awx/surveys/configure_element.json.j2 b/roles/matrix-awx/surveys/configure_element.json.j2 index d85a0ee5..b4021732 100755 --- a/roles/matrix-awx/surveys/configure_element.json.j2 +++ b/roles/matrix-awx/surveys/configure_element.json.j2 @@ -14,18 +14,6 @@ "variable": "matrix_client_element_enabled", "type": "multiplechoice" }, - { - "question_name": "Set Branding for Web Client", - "question_description": "Sets the 'branding' seen in the tab and on the welcome page to a custom value.", - "required": false, - "min": 0, - "max": 256, - "default": "{{ matrix_client_element_brand }}", - "choices": "", - "new_question": true, - "variable": "matrix_client_element_brand", - "type": "text" - }, { "question_name": "Set Theme for Web Client", "question_description": "Sets the default theme for the web client, can be changed later by individual users.", @@ -38,18 +26,78 @@ "variable": "matrix_client_element_default_theme", "type": "multiplechoice" }, + { + "question_name": "Set Branding for Web Client", + "question_description": "Sets the 'branding' seen in the tab and on the welcome page to a custom value.Leaving this field blank will cause the default branding will be used: 'Element'", + "required": false, + "min": 0, + "max": 256, + "default": "{{ matrix_client_element_brand | trim }}", + "choices": "", + "new_question": true, + "variable": "matrix_client_element_brand", + "type": "text" + }, { "question_name": "Set Welcome Page Background", - "question_description": "URL to Wallpaper, shown in background of the welcome page. Must be a 'https' link, otherwise it won't be set.", + "question_description": "Sets the background image on the welcome page, you should enter a URL to the image you want to use. Must be a 'https' link, otherwise it won't be set. Leaving this field blank will cause the default background to be used.", "required": false, "min": 0, "max": 1024, - "default": "{{ matrix_client_element_branding_welcomeBackgroundUrl }}", + "default": "{{ matrix_client_element_branding_welcomeBackgroundUrl | trim }}", "choices": "", "new_question": true, "variable": "matrix_client_element_branding_welcomeBackgroundUrl", "type": "text" }, + { + "question_name": "Set Welcome Page Logo", + "question_description": "Sets the logo found on the welcome and login page, must be a valid https link to your logo, the logo itself should be a square vector image (SVG). Leaving this field blank will cause the default Element logo to be used.", + "required": false, + "min": 0, + "max": 1024, + "default": "{{ matrix_client_element_welcome_logo | trim }}", + "choices": "", + "new_question": true, + "variable": "matrix_client_element_welcome_logo", + "type": "text" + }, + { + "question_name": "Set Welcome Page Logo URL", + "question_description": "Sets the URL link the welcome page logo leads to, must be a valid https link. Leaving this field blank will cause this default link to be used: 'https://element.io'", + "required": false, + "min": 0, + "max": 1024, + "default": "{{ matrix_client_element_welcome_logo_link | trim }}", + "choices": "", + "new_question": true, + "variable": "matrix_client_element_welcome_logo_link", + "type": "text" + }, + { + "question_name": "Set Welcome Page Headline", + "question_description": "Sets the headline seen on the welcome page. Leaving this field blank will cause this default headline to be used: 'Welcome to Element!'", + "required": false, + "min": 0, + "max": 512, + "default": "{{ awx_matrix_client_element_welcome_headline | trim }}", + "choices": "", + "new_question": true, + "variable": "awx_matrix_client_element_welcome_headline", + "type": "text" + }, + { + "question_name": "Set Welcome Page Text", + "question_description": "Sets the text seen on the welcome page. Leaving this field blank will cause this default headline to be used: 'Decentralised, encrypted chat & collaboration powered by [Matrix]'", + "required": false, + "min": 0, + "max": 2048, + "default": "{{ awx_matrix_client_element_welcome_text | trim }}", + "choices": "", + "new_question": true, + "variable": "awx_matrix_client_element_welcome_text", + "type": "text" + }, { "question_name": "Show Registration Button", "question_description": "If you show the registration button on the welcome page.", diff --git a/roles/matrix-awx/surveys/configure_element_subdomain.json.j2 b/roles/matrix-awx/surveys/configure_element_subdomain.json.j2 index a355af23..8e6aaf28 100644 --- a/roles/matrix-awx/surveys/configure_element_subdomain.json.j2 +++ b/roles/matrix-awx/surveys/configure_element_subdomain.json.j2 @@ -8,10 +8,10 @@ "required": false, "min": 0, "max": 2048, - "default": "{{ element_subdomain }}", + "default": "{{ awx_element_subdomain }}", "choices": "", "new_question": true, - "variable": "element_subdomain", + "variable": "awx_element_subdomain", "type": "text" } ] diff --git a/roles/matrix-awx/surveys/configure_ma1sd.json.j2 b/roles/matrix-awx/surveys/configure_ma1sd.json.j2 index 67c2c88d..055e817c 100644 --- a/roles/matrix-awx/surveys/configure_ma1sd.json.j2 +++ b/roles/matrix-awx/surveys/configure_ma1sd.json.j2 @@ -20,10 +20,10 @@ "required": false, "min": null, "max": null, - "default": "{{ ext_matrix_ma1sd_auth_store }}", + "default": "{{ awx_matrix_ma1sd_auth_store }}", "choices": "Synapse Internal\nLDAP/AD", "new_question": true, - "variable": "ext_matrix_ma1sd_auth_store", + "variable": "awx_matrix_ma1sd_auth_store", "type": "multiplechoice" }, { @@ -32,9 +32,9 @@ "required": false, "min": 0, "max": 65536, - "default": {{ ext_matrix_ma1sd_configuration_extension_yaml | to_json }}, + "default": {{ awx_matrix_ma1sd_configuration_extension_yaml | to_json }}, "new_question": true, - "variable": "ext_matrix_ma1sd_configuration_extension_yaml", + "variable": "awx_matrix_ma1sd_configuration_extension_yaml", "type": "textarea" } ] diff --git a/roles/matrix-awx/surveys/configure_synapse.json.j2 b/roles/matrix-awx/surveys/configure_synapse.json.j2 index 7089f7b3..7a4e711d 100755 --- a/roles/matrix-awx/surveys/configure_synapse.json.j2 +++ b/roles/matrix-awx/surveys/configure_synapse.json.j2 @@ -92,10 +92,10 @@ "required": false, "min": null, "max": null, - "default": "{{ ext_registrations_require_3pid | string | lower }}", + "default": "{{ awx_registrations_require_3pid | string | lower }}", "choices": "true\nfalse", "new_question": true, - "variable": "ext_registrations_require_3pid", + "variable": "awx_registrations_require_3pid", "type": "multiplechoice" }, { @@ -107,7 +107,7 @@ "default": "", "choices": "", "new_question": true, - "variable": "ext_matrix_synapse_registration_shared_secret", + "variable": "awx_matrix_synapse_registration_shared_secret", "type": "password" }, { @@ -119,7 +119,7 @@ "default": "{{ matrix_synapse_max_upload_size_mb }}", "choices": "", "new_question": true, - "variable": "matrix_synapse_max_upload_size_mb_raw", + "variable": "awx_synapse_max_upload_size_mb", "type": "text" }, { @@ -128,10 +128,10 @@ "required": false, "min": 0, "max": 65536, - "default": {{ ext_url_preview_accept_language_default | to_json }}, + "default": {{ awx_url_preview_accept_language_default | to_json }}, "choices": "", "new_question": true, - "variable": "ext_url_preview_accept_language_raw", + "variable": "awx_url_preview_accept_language", "type": "textarea" }, { @@ -140,10 +140,10 @@ "required": false, "min": 0, "max": 65536, - "default": {{ ext_federation_whitelist_raw | to_json }}, + "default": {{ awx_federation_whitelist | to_json }}, "choices": "", "new_question": true, - "variable": "ext_federation_whitelist_raw", + "variable": "awx_federation_whitelist", "type": "textarea" }, { @@ -152,10 +152,10 @@ "required": false, "min": 0, "max": 65536, - "default": {{ matrix_synapse_auto_join_rooms_raw | to_json }}, + "default": {{ awx_synapse_auto_join_rooms | to_json }}, "choices": "", "new_question": true, - "variable": "matrix_synapse_auto_join_rooms_raw", + "variable": "awx_synapse_auto_join_rooms", "type": "textarea" }, { @@ -164,10 +164,10 @@ "required": false, "min": null, "max": null, - "default": "{{ ext_enable_registration_captcha | string | lower }}", + "default": "{{ awx_enable_registration_captcha | string | lower }}", "choices": "true\nfalse", "new_question": true, - "variable": "ext_enable_registration_captcha", + "variable": "awx_enable_registration_captcha", "type": "multiplechoice" }, { @@ -176,10 +176,10 @@ "required": false, "min": 0, "max": 40, - "default": "{{ ext_recaptcha_public_key }}", + "default": "{{ awx_recaptcha_public_key }}", "choices": "", "new_question": true, - "variable": "ext_recaptcha_public_key", + "variable": "awx_recaptcha_public_key", "type": "text" }, { @@ -188,10 +188,10 @@ "required": false, "min": 0, "max": 40, - "default": "{{ ext_recaptcha_private_key }}", + "default": "{{ awx_recaptcha_private_key }}", "choices": "", "new_question": true, - "variable": "ext_recaptcha_private_key", + "variable": "awx_recaptcha_private_key", "type": "text" } ] diff --git a/roles/matrix-awx/surveys/configure_website_access_export.json.j2 b/roles/matrix-awx/surveys/configure_website_access_export.json.j2 index 2b3e1637..d35fb839 100755 --- a/roles/matrix-awx/surveys/configure_website_access_export.json.j2 +++ b/roles/matrix-awx/surveys/configure_website_access_export.json.j2 @@ -8,10 +8,10 @@ "required": true, "min": null, "max": null, - "default": "{{ customise_base_domain_website | string | lower }}", + "default": "{{ awx_customise_base_domain_website | string | lower }}", "choices": "true\nfalse", "new_question": true, - "variable": "customise_base_domain_website", + "variable": "awx_customise_base_domain_website", "type": "multiplechoice" }, { @@ -20,10 +20,10 @@ "required": true, "min": null, "max": null, - "default": "{{ sftp_auth_method | string }}", + "default": "{{ awx_sftp_auth_method | string }}", "choices": "Disabled\nPassword\nSSH Key", "new_question": true, - "variable": "sftp_auth_method", + "variable": "awx_sftp_auth_method", "type": "multiplechoice" }, { @@ -32,10 +32,10 @@ "required": false, "min": 0, "max": 64, - "default": "{{ sftp_password }}", + "default": "{{ awx_sftp_password }}", "choices": "", "new_question": true, - "variable": "sftp_password", + "variable": "awx_sftp_password", "type": "password" }, { @@ -44,10 +44,10 @@ "required": false, "min": 0, "max": 16384, - "default": "{{ sftp_public_key }}", + "default": "{{ awx_sftp_public_key }}", "choices": "", "new_question": true, - "variable": "sftp_public_key", + "variable": "awx_sftp_public_key", "type": "text" } ] diff --git a/roles/matrix-awx/tasks/backup_server.yml b/roles/matrix-awx/tasks/backup_server.yml index b7a82b96..d33f0f70 100644 --- a/roles/matrix-awx/tasks/backup_server.yml +++ b/roles/matrix-awx/tasks/backup_server.yml @@ -7,7 +7,7 @@ line: "{{ item.key }}: {{ item.value }}" insertafter: '# AWX Settings Start' with_dict: - 'matrix_awx_backup_enabled': '{{ matrix_awx_backup_enabled }}' + 'awx_backup_enabled': '{{ awx_backup_enabled }}' tags: use-survey - name: Save new 'Backup Server' survey.json to the AWX tower, template @@ -24,14 +24,6 @@ mode: '0660' tags: use-survey -- name: Collect AWX admin token the hard way! - delegate_to: 127.0.0.1 - shell: | - curl -sku {{ tower_username }}:{{ tower_password }} -H "Content-Type: application/json" -X POST -d '{"description":"Tower CLI", "application":null, "scope":"write"}' https://{{ tower_host }}/api/v2/users/1/personal_tokens/ | jq '.token' | sed -r 's/\"//g' - register: tower_token - no_log: True - tags: use-survey - - name: Recreate 'Backup Server' job template delegate_to: 127.0.0.1 awx.awx.tower_job_template: @@ -49,8 +41,8 @@ become_enabled: yes state: present verbosity: 1 - tower_host: "https://{{ tower_host }}" - tower_oauthtoken: "{{ tower_token.stdout }}" + tower_host: "https://{{ awx_host }}" + tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}" validate_certs: yes tags: use-survey @@ -74,7 +66,7 @@ register: _create_instances async: 3600 # Maximum runtime in seconds. poll: 0 # Fire and continue (never poll) - when: matrix_awx_backup_enabled|bool + when: awx_backup_enabled|bool - name: Wait for both of these jobs to finish async_status: @@ -84,16 +76,25 @@ delay: 5 # Check every 5 seconds. retries: 720 # Retry for a full hour. with_items: "{{ _create_instances.results }}" - when: matrix_awx_backup_enabled|bool + when: awx_backup_enabled|bool - name: Perform borg backup of postgres dump command: borgmatic -c /root/.config/borgmatic/config_2.yaml - when: matrix_awx_backup_enabled|bool + when: awx_backup_enabled|bool + +- name: Delete the AWX session token for executing modules + awx.awx.tower_token: + description: 'AWX Session Token' + scope: "write" + state: absent + existing_token_id: "{{ awx_session_token.ansible_facts.tower_token.id }}" + tower_host: "https://{{ awx_host }}" + tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}" - name: Set boolean value to exit playbook set_fact: - end_playbook: true + awx_end_playbook: true - name: End playbook if this task list is called. meta: end_play - when: end_playbook is defined and end_playbook|bool + when: awx_end_playbook is defined and awx_end_playbook|bool diff --git a/roles/matrix-awx/tasks/create_session_token.yml b/roles/matrix-awx/tasks/create_session_token.yml new file mode 100644 index 00000000..9f22a37e --- /dev/null +++ b/roles/matrix-awx/tasks/create_session_token.yml @@ -0,0 +1,10 @@ + +- name: Create a AWX session token for executing modules + awx.awx.tower_token: + description: 'AWX Session Token' + scope: "write" + state: present + tower_host: "https://{{ awx_host }}" + tower_oauthtoken: "{{ awx_master_token }}" + register: awx_session_token + no_log: True diff --git a/roles/matrix-awx/tasks/create_user.yml b/roles/matrix-awx/tasks/create_user.yml index 13a30596..fefec426 100755 --- a/roles/matrix-awx/tasks/create_user.yml +++ b/roles/matrix-awx/tasks/create_user.yml @@ -6,26 +6,35 @@ - name: Set admin bool to zero set_fact: - admin_bool: 0 - when: admin_access == 'false' + awx_admin_bool: 0 + when: awx_admin_access == 'false' - name: Examine if server admin set set_fact: - admin_bool: 1 - when: admin_access == 'true' - -- name: Set boolean value to exit playbook - set_fact: - end_playbook: true + awx_admin_bool: 1 + when: awx_admin_access == 'true' - name: Create user account command: | - /usr/local/bin/matrix-synapse-register-user {{ new_username | quote }} {{ new_password | quote }} {{ admin_bool }} - register: cmd + /usr/local/bin/matrix-synapse-register-user {{ awx_new_username | quote }} {{ awx_new_password | quote }} {{ awx_admin_bool }} + register: awx_cmd_output + +- name: Delete the AWX session token for executing modules + awx.awx.tower_token: + description: 'AWX Session Token' + scope: "write" + state: absent + existing_token_id: "{{ awx_session_token.ansible_facts.tower_token.id }}" + tower_host: "https://{{ awx_host }}" + tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}" + +- name: Set boolean value to exit playbook + set_fact: + awx_end_playbook: true - name: Result - debug: msg="{{ cmd.stdout }}" + debug: msg="{{ awx_cmd_output.stdout }}" - name: End playbook if this task list is called. meta: end_play - when: end_playbook is defined and end_playbook|bool + when: awx_end_playbook is defined and awx_end_playbook|bool diff --git a/roles/matrix-awx/tasks/customise_website_access_export.yml b/roles/matrix-awx/tasks/customise_website_access_export.yml index d4f48f42..c9b96026 100755 --- a/roles/matrix-awx/tasks/customise_website_access_export.yml +++ b/roles/matrix-awx/tasks/customise_website_access_export.yml @@ -1,3 +1,4 @@ +--- - name: Enable index.html creation if user doesn't wish to customise base domain delegate_to: 127.0.0.1 @@ -8,7 +9,7 @@ insertafter: '# Base Domain Settings Start' with_dict: 'matrix_nginx_proxy_base_domain_homepage_enabled': 'true' - when: (customise_base_domain_website is defined) and not customise_base_domain_website|bool + when: (awx_customise_base_domain_website is defined) and not awx_customise_base_domain_website|bool - name: Disable index.html creation to allow multi-file site if user does wish to customise base domain delegate_to: 127.0.0.1 @@ -19,7 +20,7 @@ insertafter: '# Base Domain Settings Start' with_dict: 'matrix_nginx_proxy_base_domain_homepage_enabled': 'false' - when: (customise_base_domain_website is defined) and customise_base_domain_website|bool + when: (awx_customise_base_domain_website is defined) and awx_customise_base_domain_website|bool - name: Record custom 'Customise Website + Access Export' variables locally on AWX delegate_to: 127.0.0.1 @@ -29,9 +30,9 @@ line: "{{ item.key }}: {{ item.value }}" insertafter: '# Custom Settings Start' with_dict: - 'sftp_auth_method': '"{{ sftp_auth_method }}"' - 'sftp_password': '"{{ sftp_password }}"' - 'sftp_public_key': '"{{ sftp_public_key }}"' + 'awx_sftp_auth_method': '"{{ awx_sftp_auth_method }}"' + 'awx_sftp_password': '"{{ awx_sftp_password }}"' + 'awx_sftp_public_key': '"{{ awx_sftp_public_key }}"' - name: Record custom 'Customise Website + Access Export' variables locally on AWX delegate_to: 127.0.0.1 @@ -41,8 +42,8 @@ line: "{{ item.key }}: {{ item.value }}" insertafter: '# Custom Settings Start' with_dict: - 'customise_base_domain_website': '{{ customise_base_domain_website }}' - when: customise_base_domain_website is defined + 'awx_customise_base_domain_website': '{{ awx_customise_base_domain_website }}' + when: awx_customise_base_domain_website is defined - name: Reload vars in matrix_vars.yml include_vars: @@ -54,35 +55,28 @@ template: src: './roles/matrix-awx/surveys/configure_website_access_export.json.j2' dest: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_website_access_export.json' - when: customise_base_domain_website is defined + when: awx_customise_base_domain_website is defined - name: Copy new 'Customise Website + Access Export' survey.json to target machine copy: src: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_website_access_export.json' dest: '/matrix/awx/configure_website_access_export.json' mode: '0660' - when: customise_base_domain_website is defined + when: awx_customise_base_domain_website is defined - name: Save new 'Customise Website + Access Export' survey.json to the AWX tower, template delegate_to: 127.0.0.1 template: src: './roles/matrix-awx/surveys/access_export.json.j2' dest: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/access_export.json' - when: customise_base_domain_website is undefined + when: awx_customise_base_domain_website is undefined - name: Copy new 'Customise Website + Access Export' survey.json to target machine copy: src: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/access_export.json' dest: '/matrix/awx/access_export.json' mode: '0660' - when: customise_base_domain_website is undefined - -- name: Collect AWX admin token the hard way! - delegate_to: 127.0.0.1 - shell: | - curl -sku {{ tower_username }}:{{ tower_password }} -H "Content-Type: application/json" -X POST -d '{"description":"Tower CLI", "application":null, "scope":"write"}' https://{{ tower_host }}/api/v2/users/1/personal_tokens/ | jq '.token' | sed -r 's/\"//g' - register: tower_token - no_log: True + when: awx_customise_base_domain_website is undefined - name: Recreate 'Configure Website + Access Export' job template delegate_to: 127.0.0.1 @@ -101,10 +95,10 @@ become_enabled: yes state: present verbosity: 1 - tower_host: "https://{{ tower_host }}" - tower_oauthtoken: "{{ tower_token.stdout }}" + tower_host: "https://{{ awx_host }}" + tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}" validate_certs: yes - when: customise_base_domain_website is defined + when: awx_customise_base_domain_website is defined - name: Recreate 'Access Export' job template delegate_to: 127.0.0.1 @@ -123,12 +117,12 @@ become_enabled: yes state: present verbosity: 1 - tower_host: "https://{{ tower_host }}" - tower_oauthtoken: "{{ tower_token.stdout }}" + tower_host: "https://{{ awx_host }}" + tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}" validate_certs: yes - when: customise_base_domain_website is undefined + when: awx_customise_base_domain_website is undefined -- name: If user doesn't define a sftp_password, create a disabled 'sftp' account +- name: If user doesn't define a awx_sftp_password, create a disabled 'sftp' account user: name: sftp comment: SFTP user to set custom web files and access servers export @@ -137,18 +131,18 @@ group: matrix password: '*' update_password: always - when: sftp_password|length == 0 + when: awx_sftp_password|length == 0 -- name: If user defines sftp_password, enable account and set password on 'stfp' account +- name: If user defines awx_sftp_password, enable account and set password on 'stfp' account user: name: sftp comment: SFTP user to set custom web files and access servers export shell: /bin/false home: /home/sftp group: matrix - password: "{{ sftp_password | password_hash('sha512') }}" + password: "{{ awx_sftp_password | password_hash('sha512') }}" update_password: always - when: sftp_password|length > 0 + when: awx_sftp_password|length > 0 - name: Ensure group "sftp" exists group: @@ -160,7 +154,7 @@ name: sftp groups: sftp append: yes - when: customise_base_domain_website is defined + when: awx_customise_base_domain_website is defined - name: Create the ro /chroot directory with sticky bit if it doesn't exist. (/chroot/website has matrix:matrix permissions and is mounted to nginx container) file: @@ -177,7 +171,7 @@ owner: matrix group: matrix mode: '0770' - when: customise_base_domain_website is defined + when: awx_customise_base_domain_website is defined - name: Ensure /chroot/export location exists file: @@ -209,11 +203,11 @@ - name: Insert public SSH key into authorized_keys file lineinfile: path: /home/sftp/.ssh/authorized_keys - line: "{{ sftp_public_key }}" + line: "{{ awx_sftp_public_key }}" owner: sftp group: sftp mode: '0644' - when: (sftp_public_key | length > 0) and (sftp_auth_method == "SSH Key") + when: (awx_sftp_public_key | length > 0) and (awx_sftp_auth_method == "SSH Key") - name: Remove any existing Subsystem lines lineinfile: @@ -239,7 +233,7 @@ AllowTcpForwarding no PasswordAuthentication yes AuthorizedKeysFile /home/sftp/.ssh/authorized_keys - when: sftp_auth_method == "Disabled" + when: awx_sftp_auth_method == "Disabled" - name: Add SSH Match User section for password auth blockinfile: @@ -252,7 +246,7 @@ X11Forwarding no AllowTcpForwarding no PasswordAuthentication yes - when: sftp_auth_method == "Password" + when: awx_sftp_auth_method == "Password" - name: Add SSH Match User section for publickey auth blockinfile: @@ -265,7 +259,7 @@ X11Forwarding no AllowTcpForwarding no AuthorizedKeysFile /home/sftp/.ssh/authorized_keys - when: sftp_auth_method == "SSH Key" + when: awx_sftp_auth_method == "SSH Key" - name: Restart service ssh.service service: diff --git a/roles/matrix-awx/tasks/delete_session_token.yml b/roles/matrix-awx/tasks/delete_session_token.yml new file mode 100644 index 00000000..a6a52e48 --- /dev/null +++ b/roles/matrix-awx/tasks/delete_session_token.yml @@ -0,0 +1,10 @@ +--- + +- name: Delete the AWX session token for executing modules + awx.awx.tower_token: + description: 'AWX Session Token' + scope: "write" + state: absent + existing_token_id: "{{ awx_session_token.ansible_facts.tower_token.id }}" + tower_host: "https://{{ awx_host }}" + tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}" diff --git a/roles/matrix-awx/tasks/export_server.yml b/roles/matrix-awx/tasks/export_server.yml index c70b0beb..d779028e 100644 --- a/roles/matrix-awx/tasks/export_server.yml +++ b/roles/matrix-awx/tasks/export_server.yml @@ -1,21 +1,22 @@ +--- - name: Run export of /matrix/ and snapshot the database simultaneously command: "{{ item }}" with_items: - /bin/sh /usr/local/bin/awx-export-service.sh 1 0 - /bin/sh /usr/local/bin/awx-export-service.sh 0 1 - register: _create_instances + register: awx_create_instances async: 3600 # Maximum runtime in seconds. poll: 0 # Fire and continue (never poll) - name: Wait for both of these jobs to finish async_status: jid: "{{ item.ansible_job_id }}" - register: _jobs - until: _jobs.finished + register: awx_jobs + until: awx_jobs.finished delay: 5 # Check every 5 seconds. retries: 720 # Retry for a full hour. - with_items: "{{ _create_instances.results }}" + with_items: "{{ awx_create_instances.results }}" - name: Schedule deletion of the export in 24 hours at: @@ -24,10 +25,19 @@ units: days unique: yes +- name: Delete the AWX session token for executing modules + awx.awx.tower_token: + description: 'AWX Session Token' + scope: "write" + state: absent + existing_token_id: "{{ awx_session_token.ansible_facts.tower_token.id }}" + tower_host: "https://{{ awx_host }}" + tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}" + - name: Set boolean value to exit playbook set_fact: - end_playbook: true + awx_end_playbook: true - name: End playbook if this task list is called. meta: end_play - when: end_playbook is defined and end_playbook|bool + when: awx_end_playbook is defined and awx_end_playbook|bool diff --git a/roles/matrix-awx/tasks/import_awx.yml b/roles/matrix-awx/tasks/import_awx.yml index d9c3ca6f..b2154c7a 100644 --- a/roles/matrix-awx/tasks/import_awx.yml +++ b/roles/matrix-awx/tasks/import_awx.yml @@ -1,7 +1,7 @@ +--- - name: Ensure correct ownership of /matrix/awx shell: chown -R matrix:matrix /matrix/awx - name: Ensure correct ownership of /matrix/synapse shell: chown -R matrix:matrix /matrix/synapse - diff --git a/roles/matrix-awx/tasks/load_hosting_and_org_variables.yml b/roles/matrix-awx/tasks/load_hosting_and_org_variables.yml index ea866254..69b2aac8 100644 --- a/roles/matrix-awx/tasks/load_hosting_and_org_variables.yml +++ b/roles/matrix-awx/tasks/load_hosting_and_org_variables.yml @@ -1,3 +1,4 @@ +--- - name: Include vars in organisation.yml include_vars: @@ -9,3 +10,7 @@ file: '/var/lib/awx/projects/hosting/hosting_vars.yml' no_log: True +- name: Include AWX master token from awx_tokens.yml + include_vars: + file: /var/lib/awx/projects/hosting/awx_tokens.yml + no_log: True diff --git a/roles/matrix-awx/tasks/load_matrix_variables.yml b/roles/matrix-awx/tasks/load_matrix_variables.yml index 2a9f9a0d..34754efb 100755 --- a/roles/matrix-awx/tasks/load_matrix_variables.yml +++ b/roles/matrix-awx/tasks/load_matrix_variables.yml @@ -1,3 +1,4 @@ +--- - name: Include new vars in matrix_vars.yml include_vars: diff --git a/roles/matrix-awx/tasks/main.yml b/roles/matrix-awx/tasks/main.yml index 6e192ce0..ceb697ec 100755 --- a/roles/matrix-awx/tasks/main.yml +++ b/roles/matrix-awx/tasks/main.yml @@ -17,6 +17,15 @@ tags: - always +# Create AWX session token +- include_tasks: + file: "create_session_token.yml" + apply: + tags: always + when: run_setup|bool and matrix_awx_enabled|bool + tags: + - always + # Perform a backup of the server - include_tasks: file: "backup_server.yml" @@ -25,7 +34,7 @@ when: run_setup|bool and matrix_awx_enabled|bool tags: - backup-server - + # Perform a export of the server - include_tasks: file: "export_server.yml" @@ -62,6 +71,15 @@ tags: - purge-database +# Rotate SSH key if called +- include_tasks: + file: "rotate_ssh.yml" + apply: + tags: rotate-ssh + when: run_setup|bool and matrix_awx_enabled|bool + tags: + - rotate-ssh + # Import configs, media repo from /chroot/backup import - include_tasks: file: "import_awx.yml" @@ -179,6 +197,15 @@ tags: - setup-synapse-admin +# Delete AWX session token +- include_tasks: + file: "delete_session_token.yml" + apply: + tags: always + when: run_setup|bool and matrix_awx_enabled|bool + tags: + - always + # Load newly formed matrix variables from AWX volume - include_tasks: file: "load_matrix_variables.yml" diff --git a/roles/matrix-awx/tasks/purge_database_build_list.yml b/roles/matrix-awx/tasks/purge_database_build_list.yml index 1ea05b7f..5ca57d22 100644 --- a/roles/matrix-awx/tasks/purge_database_build_list.yml +++ b/roles/matrix-awx/tasks/purge_database_build_list.yml @@ -1,10 +1,11 @@ +--- - name: Collect entire room list into stdout shell: | curl -X GET --header "Authorization: Bearer {{ janitors_token.stdout[1:-1] }}" '{{ synapse_container_ip.stdout }}:8008/_synapse/admin/v1/rooms?from={{ item }}' - register: rooms_output + register: awx_rooms_output - name: Print stdout to file delegate_to: 127.0.0.1 shell: | - echo '{{ rooms_output.stdout }}' >> /tmp/{{ subscription_id }}_room_list_complete.json + echo '{{ awx_rooms_output.stdout }}' >> /tmp/{{ subscription_id }}_room_list_complete.json diff --git a/roles/matrix-awx/tasks/purge_database_events.yml b/roles/matrix-awx/tasks/purge_database_events.yml index 9e2ef9c2..aaef3cba 100644 --- a/roles/matrix-awx/tasks/purge_database_events.yml +++ b/roles/matrix-awx/tasks/purge_database_events.yml @@ -1,12 +1,13 @@ +--- - name: Purge all rooms with more then N events shell: | - curl --header "Authorization: Bearer {{ janitors_token.stdout[1:-1] }}" -X POST -H "Content-Type: application/json" -d '{ "delete_local_events": false, "purge_up_to_ts": {{ purge_epoche_time.stdout }}000 }' "{{ synapse_container_ip.stdout }}:8008/_synapse/admin/v1/purge_history/{{ item[1:-1] }}" - register: purge_command + curl --header "Authorization: Bearer {{ awx_janitors_token.stdout[1:-1] }}" -X POST -H "Content-Type: application/json" -d '{ "delete_local_events": false, "purge_up_to_ts": {{ awx_purge_epoche_time.stdout }}000 }' "{{ awx_synapse_container_ip.stdout }}:8008/_synapse/admin/v1/purge_history/{{ item[1:-1] }}" + register: awx_purge_command - name: Print output of purge command debug: - msg: "{{ purge_command.stdout }}" + msg: "{{ awx_purge_command.stdout }}" - name: Pause for 5 seconds to let Synapse breathe pause: diff --git a/roles/matrix-awx/tasks/purge_database_main.yml b/roles/matrix-awx/tasks/purge_database_main.yml index 76a437e1..c64a54dd 100644 --- a/roles/matrix-awx/tasks/purge_database_main.yml +++ b/roles/matrix-awx/tasks/purge_database_main.yml @@ -1,3 +1,4 @@ +--- - name: Ensure dateutils and curl is installed in AWX delegate_to: 127.0.0.1 @@ -5,34 +6,34 @@ name: dateutils state: latest -- name: Ensure dateutils, curl and jq intalled on target machine +- name: Include vars in matrix_vars.yml + include_vars: + file: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + no_log: True + +- name: Ensure curl and jq intalled on target machine apt: pkg: - curl - jq state: present -- name: Include vars in matrix_vars.yml - include_vars: - file: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' - no_log: True - - name: Collect before shrink size of Synapse database shell: du -sh /matrix/postgres/data - register: db_size_before_stat - when: (purge_mode.find("Perform final shrink") != -1) + register: awx_db_size_before_stat + when: (awx_purge_mode.find("Perform final shrink") != -1) no_log: True - name: Collect the internal IP of the matrix-synapse container shell: "/usr/bin/docker inspect --format '{''{range.NetworkSettings.Networks}''}{''{.IPAddress}''}{''{end}''}' matrix-synapse" - when: (purge_mode.find("No local users [recommended]") != -1) or (purge_mode.find("Number of users [slower]") != -1) or (purge_mode.find("Number of events [slower]") != -1) - register: synapse_container_ip + when: (awx_purge_mode.find("No local users [recommended]") != -1) or (awx_purge_mode.find("Number of users [slower]") != -1) or (awx_purge_mode.find("Number of events [slower]") != -1) + register: awx_synapse_container_ip - name: Collect access token for janitor user shell: | - curl -X POST -d '{"type":"m.login.password", "user":"janitor", "password":"{{ matrix_awx_janitor_user_password }}"}' "{{ synapse_container_ip.stdout }}:8008/_matrix/client/r0/login" | jq '.access_token' - when: (purge_mode.find("No local users [recommended]") != -1) or (purge_mode.find("Number of users [slower]") != -1) or (purge_mode.find("Number of events [slower]") != -1) - register: janitors_token + curl -X POST -d '{"type":"m.login.password", "user":"janitor", "password":"{{ awx_janitor_user_password }}"}' "{{ awx_synapse_container_ip.stdout }}:8008/_matrix/client/r0/login" | jq '.access_token' + when: (awx_purge_mode.find("No local users [recommended]") != -1) or (awx_purge_mode.find("Number of users [slower]") != -1) or (awx_purge_mode.find("Number of events [slower]") != -1) + register: awx_janitors_token no_log: True - name: Copy build_room_list.py script to target machine @@ -42,114 +43,107 @@ owner: matrix group: matrix mode: '0755' - when: (purge_mode.find("No local users [recommended]") != -1) or (purge_mode.find("Number of users [slower]") != -1) or (purge_mode.find("Number of events [slower]") != -1) + when: (awx_purge_mode.find("No local users [recommended]") != -1) or (awx_purge_mode.find("Number of users [slower]") != -1) or (awx_purge_mode.find("Number of events [slower]") != -1) - name: Run build_room_list.py script shell: | - runuser -u matrix -- python3 /usr/local/bin/matrix_build_room_list.py {{ janitors_token.stdout[1:-1] }} {{ synapse_container_ip.stdout }} - register: rooms_total - when: (purge_mode.find("No local users [recommended]") != -1) or (purge_mode.find("Number of users [slower]") != -1) or (purge_mode.find("Number of events [slower]") != -1) + runuser -u matrix -- python3 /usr/local/bin/matrix_build_room_list.py {{ awx_janitors_token.stdout[1:-1] }} {{ awx_synapse_container_ip.stdout }} + register: awx_rooms_total + when: (awx_purge_mode.find("No local users [recommended]") != -1) or (awx_purge_mode.find("Number of users [slower]") != -1) or (awx_purge_mode.find("Number of events [slower]") != -1) - name: Fetch complete room list from target machine fetch: src: /tmp/room_list_complete.json dest: "/tmp/{{ subscription_id }}_room_list_complete.json" flat: yes - when: (purge_mode.find("No local users [recommended]") != -1) or (purge_mode.find("Number of users [slower]") != -1) or (purge_mode.find("Number of events [slower]") != -1) + when: (awx_purge_mode.find("No local users [recommended]") != -1) or (awx_purge_mode.find("Number of users [slower]") != -1) or (awx_purge_mode.find("Number of events [slower]") != -1) - name: Remove complete room list from target machine file: path: /tmp/room_list_complete.json state: absent - when: (purge_mode.find("No local users [recommended]") != -1) or (purge_mode.find("Number of users [slower]") != -1) or (purge_mode.find("Number of events [slower]") != -1) + when: (awx_purge_mode.find("No local users [recommended]") != -1) or (awx_purge_mode.find("Number of users [slower]") != -1) or (awx_purge_mode.find("Number of events [slower]") != -1) - name: Generate list of rooms with no local users delegate_to: 127.0.0.1 shell: | jq 'try .rooms[] | select(.joined_local_members == 0) | .room_id' < /tmp/{{ subscription_id }}_room_list_complete.json > /tmp/{{ subscription_id }}_room_list_no_local_users.txt - when: (purge_mode.find("No local users [recommended]") != -1) or (purge_mode.find("Number of users [slower]") != -1) or (purge_mode.find("Number of events [slower]") != -1) + when: (awx_purge_mode.find("No local users [recommended]") != -1) or (awx_purge_mode.find("Number of users [slower]") != -1) or (awx_purge_mode.find("Number of events [slower]") != -1) - name: Count number of rooms with no local users delegate_to: 127.0.0.1 shell: | wc -l /tmp/{{ subscription_id }}_room_list_no_local_users.txt | awk '{ print $1 }' - register: rooms_no_local_total - when: (purge_mode.find("No local users [recommended]") != -1) or (purge_mode.find("Number of users [slower]") != -1) or (purge_mode.find("Number of events [slower]") != -1) + register: awx_rooms_no_local_total + when: (awx_purge_mode.find("No local users [recommended]") != -1) or (awx_purge_mode.find("Number of users [slower]") != -1) or (awx_purge_mode.find("Number of events [slower]") != -1) -- name: Setting host fact room_list_no_local_users +- name: Setting host fact awx_room_list_no_local_users set_fact: - room_list_no_local_users: "{{ lookup('file', '/tmp/{{ subscription_id }}_room_list_no_local_users.txt') }}" + awx_room_list_no_local_users: "{{ lookup('file', '/tmp/{{ subscription_id }}_room_list_no_local_users.txt') }}" no_log: True - when: (purge_mode.find("No local users [recommended]") != -1) or (purge_mode.find("Number of users [slower]") != -1) or (purge_mode.find("Number of events [slower]") != -1) + when: (awx_purge_mode.find("No local users [recommended]") != -1) or (awx_purge_mode.find("Number of users [slower]") != -1) or (awx_purge_mode.find("Number of events [slower]") != -1) - name: Purge all rooms with no local users - include_tasks: purge_database_no_local.yml - loop: "{{ room_list_no_local_users.splitlines() | flatten(levels=1) }}" - when: (purge_mode.find("No local users [recommended]") != -1) or (purge_mode.find("Number of users [slower]") != -1) or (purge_mode.find("Number of events [slower]") != -1) + include_tasks: awx_purge_database_no_local.yml + loop: "{{ awx_room_list_no_local_users.splitlines() | flatten(levels=1) }}" + when: (awx_purge_mode.find("No local users [recommended]") != -1) or (awx_purge_mode.find("Number of users [slower]") != -1) or (awx_purge_mode.find("Number of events [slower]") != -1) - name: Collect epoche time from date delegate_to: 127.0.0.1 shell: | - date -d '{{ purge_date }}' +"%s" - when: (purge_mode.find("Number of users [slower]") != -1) or (purge_mode.find("Number of events [slower]") != -1) - register: purge_epoche_time + date -d '{{ awx_purge_date }}' +"%s" + when: (awx_purge_mode.find("Number of users [slower]") != -1) or (awx_purge_mode.find("Number of events [slower]") != -1) + register: awx_purge_epoche_time - name: Generate list of rooms with more then N users delegate_to: 127.0.0.1 shell: | - jq 'try .rooms[] | select(.joined_members > {{ purge_metric_value }}) | .room_id' < /tmp/{{ subscription_id }}_room_list_complete.json > /tmp/{{ subscription_id }}_room_list_joined_members.txt - when: purge_mode.find("Number of users [slower]") != -1 + jq 'try .rooms[] | select(.joined_members > {{ awx_purge_metric_value }}) | .room_id' < /tmp/{{ subscription_id }}_room_list_complete.json > /tmp/{{ subscription_id }}_room_list_joined_members.txt + when: awx_purge_mode.find("Number of users [slower]") != -1 - name: Count number of rooms with more then N users delegate_to: 127.0.0.1 shell: | wc -l /tmp/{{ subscription_id }}_room_list_joined_members.txt | awk '{ print $1 }' - register: rooms_join_members_total - when: purge_mode.find("Number of users [slower]") != -1 + register: awx_rooms_join_members_total + when: awx_purge_mode.find("Number of users [slower]") != -1 -- name: Setting host fact room_list_joined_members +- name: Setting host fact awx_room_list_joined_members delegate_to: 127.0.0.1 set_fact: - room_list_joined_members: "{{ lookup('file', '/tmp/{{ subscription_id }}_room_list_joined_members.txt') }}" - when: purge_mode.find("Number of users [slower]") != -1 + awx_room_list_joined_members: "{{ lookup('file', '/tmp/{{ subscription_id }}_room_list_joined_members.txt') }}" + when: awx_purge_mode.find("Number of users [slower]") != -1 no_log: True - name: Purge all rooms with more then N users - include_tasks: purge_database_users.yml - loop: "{{ room_list_joined_members.splitlines() | flatten(levels=1) }}" - when: purge_mode.find("Number of users [slower]") != -1 + include_tasks: awx_purge_database_users.yml + loop: "{{ awx_room_list_joined_members.splitlines() | flatten(levels=1) }}" + when: awx_purge_mode.find("Number of users [slower]") != -1 - name: Generate list of rooms with more then N events delegate_to: 127.0.0.1 shell: | - jq 'try .rooms[] | select(.state_events > {{ purge_metric_value }}) | .room_id' < /tmp/{{ subscription_id }}_room_list_complete.json > /tmp/{{ subscription_id }}_room_list_state_events.txt - when: purge_mode.find("Number of events [slower]") != -1 + jq 'try .rooms[] | select(.state_events > {{ awx_purge_metric_value }}) | .room_id' < /tmp/{{ subscription_id }}_room_list_complete.json > /tmp/{{ subscription_id }}_room_list_state_events.txt + when: awx_purge_mode.find("Number of events [slower]") != -1 - name: Count number of rooms with more then N events delegate_to: 127.0.0.1 shell: | wc -l /tmp/{{ subscription_id }}_room_list_state_events.txt | awk '{ print $1 }' - register: rooms_state_events_total - when: purge_mode.find("Number of events [slower]") != -1 + register: awx_rooms_state_events_total + when: awx_purge_mode.find("Number of events [slower]") != -1 -- name: Setting host fact room_list_state_events +- name: Setting host fact awx_room_list_state_events delegate_to: 127.0.0.1 set_fact: - room_list_state_events: "{{ lookup('file', '/tmp/{{ subscription_id }}_room_list_state_events.txt') }}" - when: purge_mode.find("Number of events [slower]") != -1 + awx_room_list_state_events: "{{ lookup('file', '/tmp/{{ subscription_id }}_room_list_state_events.txt') }}" + when: awx_purge_mode.find("Number of events [slower]") != -1 no_log: True - name: Purge all rooms with more then N events - include_tasks: purge_database_events.yml - loop: "{{ room_list_state_events.splitlines() | flatten(levels=1) }}" - when: purge_mode.find("Number of events [slower]") != -1 - -- name: Collect AWX admin token the hard way! - delegate_to: 127.0.0.1 - shell: | - curl -sku {{ tower_username }}:{{ tower_password }} -H "Content-Type: application/json" -X POST -d '{"description":"Tower CLI", "application":null, "scope":"write"}' https://{{ tower_host }}/api/v2/users/1/personal_tokens/ | jq '.token' | sed -r 's/\"//g' - register: tower_token - no_log: True + include_tasks: awx_purge_database_events.yml + loop: "{{ awx_room_list_state_events.splitlines() | flatten(levels=1) }}" + when: awx_purge_mode.find("Number of events [slower]") != -1 - name: Adjust 'Deploy/Update a Server' job template delegate_to: 127.0.0.1 @@ -165,20 +159,20 @@ credential: "{{ member_id }} - AWX SSH Key" state: present verbosity: 1 - tower_host: "https://{{ tower_host }}" - tower_oauthtoken: "{{ tower_token.stdout }}" + tower_host: "https://{{ awx_host }}" + tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}" validate_certs: yes - when: (purge_mode.find("No local users [recommended]") != -1) or (purge_mode.find("Number of users [slower]") != -1) or (purge_mode.find("Number of events [slower]") != -1) or (purge_mode.find("Skip purging rooms [faster]") != -1) + when: (awx_purge_mode.find("No local users [recommended]") != -1) or (awx_purge_mode.find("Number of users [slower]") != -1) or (awx_purge_mode.find("Number of events [slower]") != -1) or (awx_purge_mode.find("Skip purging rooms [faster]") != -1) - name: Execute rust-synapse-compress-state job template delegate_to: 127.0.0.1 awx.awx.tower_job_launch: job_template: "{{ matrix_domain }} - 0 - Deploy/Update a Server" wait: yes - tower_host: "https://{{ tower_host }}" - tower_oauthtoken: "{{ tower_token.stdout }}" + tower_host: "https://{{ awx_host }}" + tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}" validate_certs: yes - when: (purge_mode.find("No local users [recommended]") != -1) or (purge_mode.find("Number of users [slower]") != -1) or (purge_mode.find("Number of events [slower]") != -1) or (purge_mode.find("Skip purging rooms [faster]") != -1) + when: (awx_purge_mode.find("No local users [recommended]") != -1) or (awx_purge_mode.find("Number of users [slower]") != -1) or (awx_purge_mode.find("Number of events [slower]") != -1) or (awx_purge_mode.find("Skip purging rooms [faster]") != -1) - name: Revert 'Deploy/Update a Server' job template delegate_to: 127.0.0.1 @@ -194,28 +188,28 @@ credential: "{{ member_id }} - AWX SSH Key" state: present verbosity: 1 - tower_host: "https://{{ tower_host }}" - tower_oauthtoken: "{{ tower_token.stdout }}" + tower_host: "https://{{ awx_host }}" + tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}" validate_certs: yes - when: (purge_mode.find("No local users [recommended]") != -1) or (purge_mode.find("Number of users [slower]") != -1) or (purge_mode.find("Number of events [slower]") != -1) or (purge_mode.find("Skip purging rooms [faster]") != -1) + when: (awx_purge_mode.find("No local users [recommended]") != -1) or (awx_purge_mode.find("Number of users [slower]") != -1) or (awx_purge_mode.find("Number of events [slower]") != -1) or (awx_purge_mode.find("Skip purging rooms [faster]") != -1) - name: Ensure matrix-synapse is stopped service: name: matrix-synapse state: stopped daemon_reload: yes - when: (purge_mode.find("Perform final shrink") != -1) + when: (awx_purge_mode.find("Perform final shrink") != -1) - name: Re-index Synapse database shell: docker exec -i matrix-postgres psql "host=127.0.0.1 port=5432 dbname=synapse user=synapse password={{ matrix_synapse_connection_password }}" -c 'REINDEX (VERBOSE) DATABASE synapse' - when: (purge_mode.find("Perform final shrink") != -1) + when: (awx_purge_mode.find("Perform final shrink") != -1) - name: Ensure matrix-synapse is started service: name: matrix-synapse state: started daemon_reload: yes - when: (purge_mode.find("Perform final shrink") != -1) + when: (awx_purge_mode.find("Perform final shrink") != -1) - name: Adjust 'Deploy/Update a Server' job template delegate_to: 127.0.0.1 @@ -231,20 +225,20 @@ credential: "{{ member_id }} - AWX SSH Key" state: present verbosity: 1 - tower_host: "https://{{ tower_host }}" - tower_oauthtoken: "{{ tower_token.stdout }}" + tower_host: "https://{{ awx_host }}" + tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}" validate_certs: yes - when: (purge_mode.find("Perform final shrink") != -1) + when: (awx_purge_mode.find("Perform final shrink") != -1) - name: Execute run-postgres-vacuum job template delegate_to: 127.0.0.1 awx.awx.tower_job_launch: job_template: "{{ matrix_domain }} - 0 - Deploy/Update a Server" wait: yes - tower_host: "https://{{ tower_host }}" - tower_oauthtoken: "{{ tower_token.stdout }}" + tower_host: "https://{{ awx_host }}" + tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}" validate_certs: yes - when: (purge_mode.find("Perform final shrink") != -1) + when: (awx_purge_mode.find("Perform final shrink") != -1) - name: Revert 'Deploy/Update a Server' job template delegate_to: 127.0.0.1 @@ -260,58 +254,67 @@ credential: "{{ member_id }} - AWX SSH Key" state: present verbosity: 1 - tower_host: "https://{{ tower_host }}" - tower_oauthtoken: "{{ tower_token.stdout }}" + tower_host: "https://{{ awx_host }}" + tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}" validate_certs: yes - when: (purge_mode.find("Perform final shrink") != -1) + when: (awx_purge_mode.find("Perform final shrink") != -1) - name: Cleanup room_list files delegate_to: 127.0.0.1 shell: | rm /tmp/{{ subscription_id }}_room_list* - when: (purge_mode.find("No local users [recommended]") != -1) or (purge_mode.find("Number of users [slower]") != -1) or (purge_mode.find("Number of events [slower]") != -1) + when: (awx_purge_mode.find("No local users [recommended]") != -1) or (awx_purge_mode.find("Number of users [slower]") != -1) or (awx_purge_mode.find("Number of events [slower]") != -1) ignore_errors: yes - name: Collect after shrink size of Synapse database shell: du -sh /matrix/postgres/data - register: db_size_after_stat - when: (purge_mode.find("Perform final shrink") != -1) + register: awx_db_size_after_stat + when: (awx_purge_mode.find("Perform final shrink") != -1) no_log: True - name: Print total number of rooms processed debug: - msg: '{{ rooms_total.stdout }}' - when: (purge_mode.find("No local users [recommended]") != -1) or (purge_mode.find("Number of users [slower]") != -1) or (purge_mode.find("Number of events [slower]") != -1) + msg: '{{ awx_rooms_total.stdout }}' + when: (awx_purge_mode.find("No local users [recommended]") != -1) or (awx_purge_mode.find("Number of users [slower]") != -1) or (awx_purge_mode.find("Number of events [slower]") != -1) - name: Print the number of rooms purged with no local users debug: - msg: '{{ rooms_no_local_total.stdout }}' - when: (purge_mode.find("No local users [recommended]") != -1) or (purge_mode.find("Number of users [slower]") != -1) or (purge_mode.find("Number of events [slower]") != -1) + msg: '{{ awx_rooms_no_local_total.stdout }}' + when: (awx_purge_mode.find("No local users [recommended]") != -1) or (awx_purge_mode.find("Number of users [slower]") != -1) or (awx_purge_mode.find("Number of events [slower]") != -1) - name: Print the number of rooms purged with more then N users debug: - msg: '{{ rooms_join_members_total.stdout }}' - when: purge_mode.find("Number of users") != -1 + msg: '{{ awx_rooms_join_members_total.stdout }}' + when: awx_purge_mode.find("Number of users") != -1 - name: Print the number of rooms purged with more then N events debug: - msg: '{{ rooms_state_events_total.stdout }}' - when: purge_mode.find("Number of events") != -1 + msg: '{{ awx_rooms_state_events_total.stdout }}' + when: awx_purge_mode.find("Number of events") != -1 - name: Print before purge size of Synapse database debug: - msg: "{{ db_size_before_stat.stdout.split('\n') }}" - when: (db_size_before_stat is defined) and (purge_mode.find("Perform final shrink") != -1) + msg: "{{ awx_db_size_before_stat.stdout.split('\n') }}" + when: ( awx_db_size_before_stat is defined ) and ( awx_purge_mode.find("Perform final shrink" ) != -1 ) - name: Print after purge size of Synapse database debug: - msg: "{{ db_size_after_stat.stdout.split('\n') }}" - when: (db_size_after_stat is defined) and (purge_mode.find("Perform final shrink") != -1) + msg: "{{ awx_db_size_after_stat.stdout.split('\n') }}" + when: (awx_db_size_after_stat is defined) and (awx_purge_mode.find("Perform final shrink") != -1) + +- name: Delete the AWX session token for executing modules + awx.awx.tower_token: + description: 'AWX Session Token' + scope: "write" + state: absent + existing_token_id: "{{ awx_session_token.ansible_facts.tower_token.id }}" + tower_host: "https://{{ awx_host }}" + tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}" - name: Set boolean value to exit playbook set_fact: - end_playbook: true + awx_end_playbook: true - name: End playbook early if this task is called. meta: end_play - when: end_playbook is defined and end_playbook|bool + when: awx_end_playbook is defined and awx_end_playbook|bool diff --git a/roles/matrix-awx/tasks/purge_database_no_local.yml b/roles/matrix-awx/tasks/purge_database_no_local.yml index d94fd007..33f99c49 100644 --- a/roles/matrix-awx/tasks/purge_database_no_local.yml +++ b/roles/matrix-awx/tasks/purge_database_no_local.yml @@ -1,12 +1,13 @@ +--- - name: Purge all rooms with no local users shell: | - curl --header "Authorization: Bearer {{ janitors_token.stdout[1:-1] }}" -X POST -H "Content-Type: application/json" -d '{ "room_id": {{ item }} }' '{{ synapse_container_ip.stdout }}:8008/_synapse/admin/v1/purge_room' - register: purge_command + curl --header "Authorization: Bearer {{ awx_janitors_token.stdout[1:-1] }}" -X POST -H "Content-Type: application/json" -d '{ "room_id": {{ item }} }' '{{ awx_synapse_container_ip.stdout }}:8008/_synapse/admin/v1/purge_room' + register: awx_purge_command - name: Print output of purge command debug: - msg: "{{ purge_command.stdout }}" + msg: "{{ awx_purge_command.stdout }}" - name: Pause for 5 seconds to let Synapse breathe pause: diff --git a/roles/matrix-awx/tasks/purge_database_users.yml b/roles/matrix-awx/tasks/purge_database_users.yml index 302dffd8..1c8da14d 100644 --- a/roles/matrix-awx/tasks/purge_database_users.yml +++ b/roles/matrix-awx/tasks/purge_database_users.yml @@ -1,12 +1,13 @@ +--- - name: Purge all rooms with more then N users shell: | - curl --header "Authorization: Bearer {{ janitors_token.stdout[1:-1] }}" -X POST -H "Content-Type: application/json" -d '{ "delete_local_events": false, "purge_up_to_ts": {{ purge_epoche_time.stdout }}000 }' "{{ synapse_container_ip.stdout }}:8008/_synapse/admin/v1/purge_history/{{ item[1:-1] }}" - register: purge_command + curl --header "Authorization: Bearer {{ awx_janitors_token.stdout[1:-1] }}" -X POST -H "Content-Type: application/json" -d '{ "delete_local_events": false, "purge_up_to_ts": {{ awx_purge_epoche_time.stdout }}000 }' "{{ awx_synapse_container_ip.stdout }}:8008/_synapse/admin/v1/purge_history/{{ item[1:-1] }}" + register: awx_purge_command - name: Print output of purge command debug: - msg: "{{ purge_command.stdout }}" + msg: "{{ awx_purge_command.stdout }}" - name: Pause for 5 seconds to let Synapse breathe pause: diff --git a/roles/matrix-awx/tasks/purge_media_local.yml b/roles/matrix-awx/tasks/purge_media_local.yml index b07c32ea..2074d5d8 100644 --- a/roles/matrix-awx/tasks/purge_media_local.yml +++ b/roles/matrix-awx/tasks/purge_media_local.yml @@ -1,17 +1,18 @@ +--- - name: Collect epoche time from date shell: | date -d '{{ item }}' +"%s" - register: epoche_time + register: awx_epoche_time - name: Purge local media to specific date shell: | - curl -X POST --header "Authorization: Bearer {{ janitors_token.stdout[1:-1] }}" '{{ synapse_container_ip.stdout }}:8008/_synapse/admin/v1/media/matrix.{{ matrix_domain }}/delete?before_ts={{ epoche_time.stdout }}000' - register: purge_command + curl -X POST --header "Authorization: Bearer {{ awx_janitors_token.stdout[1:-1] }}" '{{ awx_synapse_container_ip.stdout }}:8008/_synapse/admin/v1/media/matrix.{{ matrix_domain }}/delete?before_ts={{ awx_epoche_time.stdout }}000' + register: awx_purge_command - name: Print output of purge command debug: - msg: "{{ purge_command.stdout }}" + msg: "{{ awx_purge_command.stdout }}" - name: Pause for 5 seconds to let Synapse breathe pause: diff --git a/roles/matrix-awx/tasks/purge_media_main.yml b/roles/matrix-awx/tasks/purge_media_main.yml index 84e73a8b..9c5f6bfb 100644 --- a/roles/matrix-awx/tasks/purge_media_main.yml +++ b/roles/matrix-awx/tasks/purge_media_main.yml @@ -1,5 +1,5 @@ -- name: Ensure dateutils and curl is installed in AWX +- name: Ensure dateutils is installed in AWX delegate_to: 127.0.0.1 yum: name: dateutils @@ -19,81 +19,90 @@ - name: Collect the internal IP of the matrix-synapse container shell: "/usr/bin/docker inspect --format '{''{range.NetworkSettings.Networks}''}{''{.IPAddress}''}{''{end}''}' matrix-synapse" - register: synapse_container_ip + register: awx_synapse_container_ip - name: Collect access token for janitor user shell: | - curl -XPOST -d '{"type":"m.login.password", "user":"janitor", "password":"{{ matrix_awx_janitor_user_password }}"}' "{{ synapse_container_ip.stdout }}:8008/_matrix/client/r0/login" | jq '.access_token' - register: janitors_token + curl -XPOST -d '{"type":"m.login.password", "user":"janitor", "password":"{{ awx_janitor_user_password }}"}' "{{ awx_synapse_container_ip.stdout }}:8008/_matrix/client/r0/login" | jq '.access_token' + register: awx_janitors_token no_log: True - name: Generate list of dates to purge to delegate_to: 127.0.0.1 shell: "dateseq {{ matrix_purge_from_date }} {{ matrix_purge_to_date }}" - register: purge_dates + register: awx_purge_dates - name: Calculate initial size of local media repository shell: du -sh /matrix/synapse/storage/media-store/local* - register: local_media_size_before - when: matrix_purge_media_type == "Local Media" + register: awx_local_media_size_before + when: awx_purge_media_type == "Local Media" ignore_errors: yes no_log: True - name: Calculate initial size of remote media repository shell: du -sh /matrix/synapse/storage/media-store/remote* - register: remote_media_size_before - when: matrix_purge_media_type == "Remote Media" + register: awx_remote_media_size_before + when: awx_purge_media_type == "Remote Media" ignore_errors: yes no_log: True - name: Purge local media with loop include_tasks: purge_media_local.yml - loop: "{{ purge_dates.stdout_lines | flatten(levels=1) }}" - when: matrix_purge_media_type == "Local Media" + loop: "{{ awx_purge_dates.stdout_lines | flatten(levels=1) }}" + when: awx_purge_media_type == "Local Media" - name: Purge remote media with loop include_tasks: purge_media_remote.yml - loop: "{{ purge_dates.stdout_lines | flatten(levels=1) }}" - when: matrix_purge_media_type == "Remote Media" + loop: "{{ awx_purge_dates.stdout_lines | flatten(levels=1) }}" + when: awx_purge_media_type == "Remote Media" - name: Calculate final size of local media repository shell: du -sh /matrix/synapse/storage/media-store/local* - register: local_media_size_after - when: matrix_purge_media_type == "Local Media" + register: awx_local_media_size_after + when: awx_purge_media_type == "Local Media" ignore_errors: yes no_log: True - name: Calculate final size of remote media repository shell: du -sh /matrix/synapse/storage/media-store/remote* - register: remote_media_size_after - when: matrix_purge_media_type == "Remote Media" + register: awx_remote_media_size_after + when: awx_purge_media_type == "Remote Media" ignore_errors: yes no_log: True - name: Print size of local media repository before purge debug: - msg: "{{ local_media_size_before.stdout.split('\n') }}" - when: matrix_purge_media_type == "Local Media" + msg: "{{ awx_local_media_size_before.stdout.split('\n') }}" + when: awx_purge_media_type == "Local Media" - name: Print size of local media repository after purge debug: - msg: "{{ local_media_size_after.stdout.split('\n') }}" - when: matrix_purge_media_type == "Local Media" + msg: "{{ awx_local_media_size_after.stdout.split('\n') }}" + when: awx_purge_media_type == "Local Media" - name: Print size of remote media repository before purge debug: - msg: "{{ remote_media_size_before.stdout.split('\n') }}" - when: matrix_purge_media_type == "Remote Media" + msg: "{{ awx_remote_media_size_before.stdout.split('\n') }}" + when: awx_purge_media_type == "Remote Media" - name: Print size of remote media repository after purge debug: - msg: "{{ remote_media_size_after.stdout.split('\n') }}" - when: matrix_purge_media_type == "Remote Media" + msg: "{{ awx_remote_media_size_after.stdout.split('\n') }}" + when: awx_purge_media_type == "Remote Media" + +- name: Delete the AWX session token for executing modules + awx.awx.tower_token: + description: 'AWX Session Token' + scope: "write" + state: absent + existing_token_id: "{{ awx_session_token.ansible_facts.tower_token.id }}" + tower_host: "https://{{ awx_host }}" + tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}" - name: Set boolean value to exit playbook set_fact: - end_playbook: true + awx_end_playbook: true - name: End playbook early if this task is called. meta: end_play - when: end_playbook is defined and end_playbook|bool + when: awx_end_playbook is defined and awx_end_playbook|bool diff --git a/roles/matrix-awx/tasks/purge_media_remote.yml b/roles/matrix-awx/tasks/purge_media_remote.yml index c2f75c81..1418d9a6 100644 --- a/roles/matrix-awx/tasks/purge_media_remote.yml +++ b/roles/matrix-awx/tasks/purge_media_remote.yml @@ -1,17 +1,18 @@ +--- - name: Collect epoche time from date shell: | date -d '{{ item }}' +"%s" - register: epoche_time + register: awx_epoche_time - name: Purge remote media to specific date shell: | - curl -X POST --header "Authorization: Bearer {{ janitors_token.stdout[1:-1] }}" '{{ synapse_container_ip.stdout }}:8008/_synapse/admin/v1/purge_media_cache?before_ts={{ epoche_time.stdout }}000' - register: purge_command + curl -X POST --header "Authorization: Bearer {{ awx_janitors_token.stdout[1:-1] }}" '{{ awx_synapse_container_ip.stdout }}:8008/_synapse/admin/v1/purge_media_cache?before_ts={{ awx_epoche_time.stdout }}000' + register: awx_purge_command - name: Print output of purge command debug: - msg: "{{ purge_command.stdout }}" + msg: "{{ awx_purge_command.stdout }}" - name: Pause for 5 seconds to let Synapse breathe pause: diff --git a/roles/matrix-awx/tasks/rename_variables.yml b/roles/matrix-awx/tasks/rename_variables.yml index e8992bd8..e664325f 100644 --- a/roles/matrix-awx/tasks/rename_variables.yml +++ b/roles/matrix-awx/tasks/rename_variables.yml @@ -1,3 +1,4 @@ +--- - name: Rename synapse presence variable delegate_to: 127.0.0.1 @@ -5,4 +6,3 @@ path: "/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml" regexp: 'matrix_synapse_use_presence' replace: 'matrix_synapse_presence_enabled' - diff --git a/roles/matrix-awx/tasks/rotate_ssh.yml b/roles/matrix-awx/tasks/rotate_ssh.yml new file mode 100644 index 00000000..9596f504 --- /dev/null +++ b/roles/matrix-awx/tasks/rotate_ssh.yml @@ -0,0 +1,25 @@ +--- + +- name: Set the new authorized key taken from file + authorized_key: + user: root + state: present + exclusive: yes + key: "{{ lookup('file', '/var/lib/awx/projects/hosting/client_public.key') }}" + +- name: Delete the AWX session token for executing modules + awx.awx.tower_token: + description: 'AWX Session Token' + scope: "write" + state: absent + existing_token_id: "{{ awx_session_token.ansible_facts.tower_token.id }}" + tower_host: "https://{{ awx_host }}" + tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}" + +- name: Set boolean value to exit playbook + set_fact: + end_playbook: true + +- name: End playbook if this task list is called. + meta: end_play + when: end_playbook is defined and end_playbook|bool diff --git a/roles/matrix-awx/tasks/self_check.yml b/roles/matrix-awx/tasks/self_check.yml index edf6b8b3..510b9f9e 100644 --- a/roles/matrix-awx/tasks/self_check.yml +++ b/roles/matrix-awx/tasks/self_check.yml @@ -1,3 +1,4 @@ +--- - name: Install prerequisite apt packages on target apt: @@ -23,83 +24,83 @@ - name: Calculate MAU value shell: | curl -s localhost:9000 | grep "^synapse_admin_mau_current " - register: mau_stat + register: awx_mau_stat no_log: True -- name: Print MAU value - debug: - msg: "{{ mau_stat.stdout.split('\n') }}" - when: mau_stat is defined - - name: Calculate CPU usage statistics shell: iostat -c - register: cpu_usage_stat + register: awx_cpu_usage_stat no_log: True -- name: Print CPU usage statistics - debug: - msg: "{{ cpu_usage_stat.stdout.split('\n') }}" - when: cpu_usage_stat is defined - - name: Calculate RAM usage statistics shell: free -mh - register: ram_usage_stat + register: awx_ram_usage_stat no_log: True -- name: Print RAM usage statistics - debug: - msg: "{{ ram_usage_stat.stdout.split('\n') }}" - when: ram_usage_stat is defined - - name: Calculate free disk space shell: df -h - register: disk_space_stat + register: awx_disk_space_stat no_log: True -- name: Print free disk space - debug: - msg: "{{ disk_space_stat.stdout.split('\n') }}" - when: disk_space_stat is defined - - name: Calculate size of Synapse database shell: du -sh /matrix/postgres/data - register: db_size_stat + register: awx_db_size_stat no_log: True -- name: Print size of Synapse database - debug: - msg: "{{ db_size_stat.stdout.split('\n') }}" - when: db_size_stat is defined - - name: Calculate size of local media repository shell: du -sh /matrix/synapse/storage/media-store/local* - register: local_media_size_stat + register: awx_local_media_size_stat ignore_errors: yes no_log: True -- name: Print size of local media repository - debug: - msg: "{{ local_media_size_stat.stdout.split('\n') }}" - when: local_media_size_stat is defined - - name: Calculate size of remote media repository shell: du -sh /matrix/synapse/storage/media-store/remote* - register: remote_media_size_stat + register: awx_remote_media_size_stat ignore_errors: yes no_log: True -- name: Print size of remote media repository - debug: - msg: "{{ remote_media_size_stat.stdout.split('\n') }}" - when: remote_media_size_stat is defined - - name: Calculate docker container statistics shell: docker stats --all --no-stream - register: docker_stats + register: awx_docker_stats ignore_errors: yes no_log: True +- name: Print size of remote media repository + debug: + msg: "{{ awx_remote_media_size_stat.stdout.split('\n') }}" + when: awx_remote_media_size_stat is defined + +- name: Print size of local media repository + debug: + msg: "{{ awx_local_media_size_stat.stdout.split('\n') }}" + when: awx_local_media_size_stat is defined + +- name: Print size of Synapse database + debug: + msg: "{{ awx_db_size_stat.stdout.split('\n') }}" + when: awx_db_size_stat is defined + +- name: Print free disk space + debug: + msg: "{{ awx_disk_space_stat.stdout.split('\n') }}" + when: awx_disk_space_stat is defined + +- name: Print RAM usage statistics + debug: + msg: "{{ awx_ram_usage_stat.stdout.split('\n') }}" + when: awx_ram_usage_stat is defined + +- name: Print CPU usage statistics + debug: + msg: "{{ awx_cpu_usage_stat.stdout.split('\n') }}" + when: awx_cpu_usage_stat is defined + +- name: Print MAU value + debug: + msg: "{{ awx_mau_stat.stdout.split('\n') }}" + when: awx_mau_stat is defined + - name: Print docker container statistics debug: - msg: "{{ docker_stats.stdout.split('\n') }}" - when: docker_stats is defined + msg: "{{ awx_docker_stats.stdout.split('\n') }}" + when: awx_docker_stats is defined diff --git a/roles/matrix-awx/tasks/set_variables_corporal.yml b/roles/matrix-awx/tasks/set_variables_corporal.yml index 6ae187c7..3558f717 100755 --- a/roles/matrix-awx/tasks/set_variables_corporal.yml +++ b/roles/matrix-awx/tasks/set_variables_corporal.yml @@ -1,3 +1,4 @@ +--- - name: Record Corporal Enabled/Disabled variable delegate_to: 127.0.0.1 @@ -62,7 +63,7 @@ insertafter: '# Corporal Settings Start' with_dict: 'matrix_corporal_http_api_enabled': 'false' - when: (matrix_corporal_policy_provider_mode == "Simple Static File") or (not matrix_corporal_enabled|bool) + when: (awx_corporal_policy_provider_mode == "Simple Static File") or (not matrix_corporal_enabled|bool) - name: Enable Corporal API if Push/Pull mode delected delegate_to: 127.0.0.1 @@ -73,7 +74,7 @@ insertafter: '# Corporal Settings Start' with_dict: 'matrix_corporal_http_api_enabled': 'true' - when: (matrix_corporal_policy_provider_mode != "Simple Static File") and (matrix_corporal_enabled|bool) + when: (awx_corporal_policy_provider_mode != "Simple Static File") and (matrix_corporal_enabled|bool) - name: Record Corporal API Access Token if it's defined delegate_to: 127.0.0.1 @@ -83,8 +84,8 @@ line: "{{ item.key }}: {{ item.value }}" insertafter: '# Corporal Settings Start' with_dict: - 'matrix_corporal_http_api_auth_token': '{{ matrix_corporal_http_api_auth_token }}' - when: matrix_corporal_http_api_auth_token|length > 0 + 'awx_corporal_http_api_auth_token': '{{ awx_corporal_http_api_auth_token }}' + when: awx_corporal_http_api_auth_token|length > 0 - name: Record 'Simple Static File' configuration variables in matrix_vars.yml delegate_to: 127.0.0.1 @@ -97,7 +98,7 @@ "Type": "static_file", "Path": "/etc/matrix-corporal/corporal-policy.json" } - when: matrix_corporal_policy_provider_mode == "Simple Static File" + when: awx_corporal_policy_provider_mode == "Simple Static File" - name: Touch the /matrix/corporal/ directory file: @@ -141,12 +142,12 @@ - name: Record 'Simple Static File' configuration content in corporal-policy.json copy: - content: "{{ matrix_corporal_simple_static_config | string }}" + content: "{{ awx_corporal_simple_static_config | string }}" dest: "/matrix/corporal/config/corporal-policy.json" owner: matrix group: matrix mode: '660' - when: (matrix_corporal_policy_provider_mode == "Simple Static File") and (matrix_corporal_simple_static_config|length > 0) + when: (awx_corporal_policy_provider_mode == "Simple Static File") and (awx_corporal_simple_static_config|length > 0) - name: Record 'HTTP Pull Mode' configuration variables in matrix_vars.yml delegate_to: 127.0.0.1 @@ -157,13 +158,13 @@ matrix_corporal_policy_provider_config: | { "Type": "http", - "Uri": "{{ matrix_corporal_pull_mode_uri }}", - "AuthorizationBearerToken": "{{ matrix_corporal_pull_mode_token }}", + "Uri": "{{ awx_corporal_pull_mode_uri }}", + "AuthorizationBearerToken": "{{ awx_corporal_pull_mode_token }}", "CachePath": "/var/cache/matrix-corporal/last-policy.json", "ReloadIntervalSeconds": 1800, "TimeoutMilliseconds": 30000 } - when: (matrix_corporal_policy_provider_mode == "HTTP Pull Mode (API Enabled)") and (matrix_corporal_pull_mode_uri|length > 0) and (matrix_corporal_pull_mode_token|length > 0) + when: (awx_corporal_policy_provider_mode == "HTTP Pull Mode (API Enabled)") and (matrix_corporal_pull_mode_uri|length > 0) and (awx_corporal_pull_mode_token|length > 0) - name: Record 'HTTP Push Mode' configuration variables in matrix_vars.yml delegate_to: 127.0.0.1 @@ -176,7 +177,7 @@ "Type": "last_seen_store_policy", "CachePath": "/var/cache/matrix-corporal/last-policy.json" } - when: (matrix_corporal_policy_provider_mode == "HTTP Push Mode (API Enabled)") + when: (awx_corporal_policy_provider_mode == "HTTP Push Mode (API Enabled)") - name: Lower RateLimit if set to 'Normal' delegate_to: 127.0.0.1 @@ -184,7 +185,7 @@ path: '{{ awx_cached_matrix_vars }}' regexp: ' address:\n per_second: 50\n burst_count: 300\n account:\n per_second: 0.17\n burst_count: 300' replace: ' address:\n per_second: 0.17\n burst_count: 3\n account:\n per_second: 0.17\n burst_count: 3' - when: matrix_corporal_raise_ratelimits == "Normal" + when: awx_corporal_raise_ratelimits == "Normal" - name: Raise RateLimit if set to 'Raised' delegate_to: 127.0.0.1 @@ -192,7 +193,7 @@ path: '{{ awx_cached_matrix_vars }}' regexp: ' address:\n per_second: 0.17\n burst_count: 3\n account:\n per_second: 0.17\n burst_count: 3' replace: ' address:\n per_second: 50\n burst_count: 300\n account:\n per_second: 0.17\n burst_count: 300' - when: matrix_corporal_raise_ratelimits == "Raised" + when: awx_corporal_raise_ratelimits == "Raised" - name: Save new 'Configure Corporal' survey.json to the AWX tower delegate_to: 127.0.0.1 @@ -218,13 +219,6 @@ - debug: msg: "matrix_corporal_matrix_registration_shared_secret: {{ matrix_corporal_matrix_registration_shared_secret }}" -- name: Collect AWX admin token the hard way! - delegate_to: 127.0.0.1 - shell: | - curl -sku {{ tower_username }}:{{ tower_password }} -H "Content-Type: application/json" -X POST -d '{"description":"Tower CLI", "application":null, "scope":"write"}' https://{{ tower_host }}/api/v2/users/1/personal_tokens/ | jq '.token' | sed -r 's/\"//g' - register: tower_token - no_log: True - - name: Recreate 'Configure Corporal (Advanced)' job template delegate_to: 127.0.0.1 awx.awx.tower_job_template: @@ -242,6 +236,6 @@ become_enabled: yes state: present verbosity: 1 - tower_host: "https://{{ tower_host }}" - tower_oauthtoken: "{{ tower_token.stdout }}" + tower_host: "https://{{ awx_host }}" + tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}" validate_certs: yes diff --git a/roles/matrix-awx/tasks/set_variables_dimension.yml b/roles/matrix-awx/tasks/set_variables_dimension.yml index 53a4dbfc..d5e51c6b 100644 --- a/roles/matrix-awx/tasks/set_variables_dimension.yml +++ b/roles/matrix-awx/tasks/set_variables_dimension.yml @@ -1,3 +1,4 @@ +--- - name: Include vars in matrix_vars.yml include_vars: @@ -13,8 +14,8 @@ - name: Collect access token of Dimension user shell: | - curl -X POST --header 'Content-Type: application/json' -d '{ "identifier": { "type": "m.id.user","user": "dimension" }, "password": "{{ matrix_awx_dimension_user_password }}", "type": "m.login.password"}' 'https://matrix.{{ matrix_domain }}/_matrix/client/r0/login' | jq -c '. | {access_token}' | sed 's/.*\":\"//' | sed 's/\"}//' - register: dimension_user_access_token + curl -X POST --header 'Content-Type: application/json' -d '{ "identifier": { "type": "m.id.user","user": "dimension" }, "password": "{{ awx_dimension_user_password }}", "type": "m.login.password"}' 'https://matrix.{{ matrix_domain }}/_matrix/client/r0/login' | jq -c '. | {access_token}' | sed 's/.*\":\"//' | sed 's/\"}//' + register: awx_dimension_user_access_token - name: Record Synapse variables locally on AWX delegate_to: 127.0.0.1 @@ -25,17 +26,17 @@ insertafter: '# Dimension Settings Start' with_dict: 'matrix_dimension_enabled': '{{ matrix_dimension_enabled }}' - 'matrix_dimension_access_token': '"{{ dimension_user_access_token.stdout }}"' + 'matrix_dimension_access_token': '"{{ awx_dimension_user_access_token.stdout }}"' - name: Set final users list if users are defined set_fact: - ext_dimension_users_raw_final: "{{ ext_dimension_users_raw }}" - when: ext_dimension_users_raw|length > 0 + awx_dimension_users_final: "{{ awx_dimension_users }}" + when: awx_dimension_users | length > 0 - name: Set final users list if no users are defined set_fact: - ext_dimension_users_raw_final: '@dimension:{{ matrix_domain }}' - when: ext_dimension_users_raw|length == 0 + awx_dimension_users_final: '@dimension:{{ matrix_domain }}' + when: awx_dimension_users | length == 0 - name: Remove Dimension Users delegate_to: 127.0.0.1 @@ -58,7 +59,7 @@ path: '{{ awx_cached_matrix_vars }}' insertafter: '^matrix_dimension_admins:' line: ' - "{{ item }}"' - with_items: "{{ ext_dimension_users_raw_final.splitlines() }}" + with_items: "{{ awx_dimension_users_final.splitlines() }}" - name: Record Dimension Custom variables locally on AWX delegate_to: 127.0.0.1 @@ -66,9 +67,9 @@ path: '{{ awx_cached_matrix_vars }}' regexp: "^#? *{{ item.key | regex_escape() }}:" line: "{{ item.key }}: {{ item.value }}" - insertafter: '# Custom Settings Start' + insertbefore: '# Dimension Settings End' with_dict: - 'ext_dimension_users_raw': '{{ ext_dimension_users_raw.splitlines() | to_json }}' + 'awx_dimension_users': '{{ awx_dimension_users.splitlines() | to_json }}' - name: Save new 'Configure Dimension' survey.json to the AWX tower, template delegate_to: 127.0.0.1 @@ -82,13 +83,6 @@ dest: '/matrix/awx/configure_dimension.json' mode: '0660' -- name: Collect AWX admin token the hard way! - delegate_to: 127.0.0.1 - shell: | - curl -sku {{ tower_username }}:{{ tower_password }} -H "Content-Type: application/json" -X POST -d '{"description":"Tower CLI", "application":null, "scope":"write"}' https://{{ tower_host }}/api/v2/users/1/personal_tokens/ | jq '.token' | sed -r 's/\"//g' - register: tower_token - no_log: True - - name: Recreate 'Configure Dimension' job template delegate_to: 127.0.0.1 awx.awx.tower_job_template: @@ -106,6 +100,6 @@ become_enabled: yes state: present verbosity: 1 - tower_host: "https://{{ tower_host }}" - tower_oauthtoken: "{{ tower_token.stdout }}" + tower_host: "https://{{ awx_host }}" + tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}" validate_certs: yes diff --git a/roles/matrix-awx/tasks/set_variables_element.yml b/roles/matrix-awx/tasks/set_variables_element.yml index 29aac37f..491c91b3 100755 --- a/roles/matrix-awx/tasks/set_variables_element.yml +++ b/roles/matrix-awx/tasks/set_variables_element.yml @@ -1,3 +1,4 @@ +--- - name: Record Element-Web variables locally on AWX delegate_to: 127.0.0.1 @@ -8,25 +9,142 @@ insertafter: '# Element Settings Start' with_dict: 'matrix_client_element_enabled': '{{ matrix_client_element_enabled }}' - 'matrix_client_element_jitsi_preferredDomain': '{{ matrix_client_element_jitsi_preferredDomain }}' - 'matrix_client_element_brand': '{{ matrix_client_element_brand }}' + 'matrix_client_element_jitsi_preferredDomain': 'jitsi.{{ matrix_domain }}' 'matrix_client_element_default_theme': '{{ matrix_client_element_default_theme }}' 'matrix_client_element_registration_enabled': '{{ matrix_client_element_registration_enabled }}' + 'matrix_client_element_brand': '{{ matrix_client_element_brand | trim }}' + 'matrix_client_element_branding_welcomeBackgroundUrl': '{{ matrix_client_element_branding_welcomeBackgroundUrl | trim }}' + 'matrix_client_element_welcome_logo': '{{ matrix_client_element_welcome_logo | trim }}' + 'matrix_client_element_welcome_logo_link': '{{ matrix_client_element_welcome_logo_link | trim }}' + +- name: Record Element-Web custom variables locally on AWX + delegate_to: 127.0.0.1 + lineinfile: + path: '{{ awx_cached_matrix_vars }}' + regexp: "^#? *{{ item.key | regex_escape() }}:" + line: "{{ item.key }}: '{{ item.value }}'" + insertbefore: '# Element Settings End' + with_dict: + 'awx_matrix_client_element_welcome_headline': '{{ awx_matrix_client_element_welcome_headline | trim }}' + 'awx_matrix_client_element_welcome_text': '{{ awx_matrix_client_element_welcome_text | trim }}' + +- name: Set Element-Web custom branding locally on AWX + delegate_to: 127.0.0.1 + lineinfile: + path: '{{ awx_cached_matrix_vars }}' + regexp: "^#? *{{ item.key | regex_escape() }}:" + line: "{{ item.key }}: '{{ item.value }}'" + insertafter: '# Element Settings Start' + with_dict: + 'matrix_client_element_brand': "{{ matrix_client_element_brand }}" + when: matrix_client_element_brand | trim | length > 0 + +- name: Remove Element-Web custom branding locally on AWX if not defined + delegate_to: 127.0.0.1 + lineinfile: + path: '{{ awx_cached_matrix_vars }}' + regexp: "^matrix_client_element_brand: " + state: absent + when: matrix_client_element_brand | trim | length == 0 - name: Set fact for 'https' string set_fact: awx_https_string: "https" -- name: Record Element-Web Background variable locally on AWX +- name: Set Element-Web custom logo locally on AWX if defined delegate_to: 127.0.0.1 lineinfile: path: '{{ awx_cached_matrix_vars }}' regexp: "^#? *{{ item.key | regex_escape() }}:" - line: "{{ item.key }}: {{ item.value }}" + line: "{{ item.key }}: '{{ item.value }}'" + insertafter: '# Element Settings Start' + with_dict: + 'matrix_client_element_welcome_logo': '{{ matrix_client_element_welcome_logo }}' + when: ( awx_https_string in matrix_client_element_welcome_logo ) and ( matrix_client_element_welcome_logo | trim | length > 0 ) + +- name: Remove Element-Web custom logo locally on AWX if not defined + delegate_to: 127.0.0.1 + lineinfile: + path: '{{ awx_cached_matrix_vars }}' + regexp: "^matrix_client_element_welcome_logo: " + state: absent + when: matrix_client_element_welcome_logo | trim | length == 0 + +- name: Set Element-Web custom logo link locally on AWX if defined + delegate_to: 127.0.0.1 + lineinfile: + path: '{{ awx_cached_matrix_vars }}' + regexp: "^#? *{{ item.key | regex_escape() }}:" + line: "{{ item.key }}: '{{ item.value }}'" + insertafter: '# Element Settings Start' + with_dict: + 'matrix_client_element_welcome_logo_link': '{{ matrix_client_element_welcome_logo_link }}' + when: ( awx_https_string in matrix_client_element_welcome_logo_link ) and ( matrix_client_element_welcome_logo_link | trim | length > 0 ) + +- name: Remove Element-Web custom logo link locally on AWX if not defined + delegate_to: 127.0.0.1 + lineinfile: + path: '{{ awx_cached_matrix_vars }}' + regexp: "^matrix_client_element_welcome_logo_link: " + state: absent + when: matrix_client_element_welcome_logo_link | trim | length == 0 + +- name: Set Element-Web custom headline locally on AWX if defined + delegate_to: 127.0.0.1 + lineinfile: + path: '{{ awx_cached_matrix_vars }}' + regexp: "^#? *{{ item.key | regex_escape() }}:" + line: "{{ item.key }}: '{{ item.value }}'" + insertafter: '# Element Settings Start' + with_dict: + 'matrix_client_element_welcome_headline': '{{ awx_matrix_client_element_welcome_headline }}' + when: awx_matrix_client_element_welcome_headline | trim | length > 0 + +- name: Remove Element-Web custom headline locally on AWX if not defined + delegate_to: 127.0.0.1 + lineinfile: + path: '{{ awx_cached_matrix_vars }}' + regexp: "^matrix_client_element_welcome_headline: " + state: absent + when: awx_matrix_client_element_welcome_headline | trim | length == 0 + +- name: Set Element-Web custom text locally on AWX if defined + delegate_to: 127.0.0.1 + lineinfile: + path: '{{ awx_cached_matrix_vars }}' + regexp: "^#? *{{ item.key | regex_escape() }}:" + line: "{{ item.key }}: '{{ item.value }}'" + insertafter: '# Element Settings Start' + with_dict: + 'matrix_client_element_welcome_text': '{{ awx_matrix_client_element_welcome_text }}' + when: awx_matrix_client_element_welcome_text | trim | length > 0 + +- name: Remove Element-Web custom text locally on AWX if not defined + delegate_to: 127.0.0.1 + lineinfile: + path: '{{ awx_cached_matrix_vars }}' + regexp: "^matrix_client_element_welcome_text: " + state: absent + when: awx_matrix_client_element_welcome_text | trim | length == 0 + +- name: Set Element-Web background locally on AWX if defined + delegate_to: 127.0.0.1 + lineinfile: + path: '{{ awx_cached_matrix_vars }}' + regexp: "^#? *{{ item.key | regex_escape() }}:" + line: "{{ item.key }}: '{{ item.value }}'" insertafter: '# Element Settings Start' with_dict: 'matrix_client_element_branding_welcomeBackgroundUrl': '{{ matrix_client_element_branding_welcomeBackgroundUrl }}' - when: (awx_https_string in matrix_client_element_branding_welcomeBackgroundUrl) and ( matrix_client_element_branding_welcomeBackgroundUrl|length > 0 ) + when: matrix_client_element_branding_welcomeBackgroundUrl | trim | length > 0 + +- name: Remove Element-Web background locally on AWX if not defined + delegate_to: 127.0.0.1 + lineinfile: + path: '{{ awx_cached_matrix_vars }}' + regexp: "^matrix_client_element_branding_welcomeBackgroundUrl: " + state: absent + when: matrix_client_element_branding_welcomeBackgroundUrl | trim | length == 0 - name: Save new 'Configure Element' survey.json to the AWX tower, template delegate_to: 127.0.0.1 @@ -40,13 +158,6 @@ dest: '/matrix/awx/configure_element.json' mode: '0660' -- name: Collect AWX admin token the hard way! - delegate_to: 127.0.0.1 - shell: | - curl -sku {{ tower_username }}:{{ tower_password }} -H "Content-Type: application/json" -X POST -d '{"description":"Tower CLI", "application":null, "scope":"write"}' https://{{ tower_host }}/api/v2/users/1/personal_tokens/ | jq '.token' | sed -r 's/\"//g' - register: tower_token - no_log: True - - name: Recreate 'Configure Element' job template delegate_to: 127.0.0.1 awx.awx.tower_job_template: @@ -64,6 +175,6 @@ become_enabled: yes state: present verbosity: 1 - tower_host: "https://{{ tower_host }}" - tower_oauthtoken: "{{ tower_token.stdout }}" + tower_host: "https://{{ awx_host }}" + tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}" validate_certs: yes diff --git a/roles/matrix-awx/tasks/set_variables_element_subdomain.yml b/roles/matrix-awx/tasks/set_variables_element_subdomain.yml index 87259d0f..9e47be16 100644 --- a/roles/matrix-awx/tasks/set_variables_element_subdomain.yml +++ b/roles/matrix-awx/tasks/set_variables_element_subdomain.yml @@ -1,3 +1,4 @@ +--- - name: Record Element-Web variables locally on AWX delegate_to: 127.0.0.1 @@ -7,7 +8,7 @@ line: "{{ item.key }}: {{ item.value }}" insertafter: '# Element Settings Start' with_dict: - 'matrix_server_fqn_element': "{{ element_subdomain }}.{{ matrix_domain }}" + 'matrix_server_fqn_element': "{{ awx_element_subdomain | trim }}.{{ matrix_domain }}" - name: Save new 'Configure Element Subdomain' survey.json to the AWX tower, template delegate_to: 127.0.0.1 @@ -21,13 +22,6 @@ dest: '/matrix/awx/configure_element_subdomain.json' mode: '0660' -- name: Collect AWX admin token the hard way! - delegate_to: 127.0.0.1 - shell: | - curl -sku {{ tower_username }}:{{ tower_password }} -H "Content-Type: application/json" -X POST -d '{"description":"Tower CLI", "application":null, "scope":"write"}' https://{{ tower_host }}/api/v2/users/1/personal_tokens/ | jq '.token' | sed -r 's/\"//g' - register: tower_token - no_log: True - - name: Recreate 'Configure Element Subdomain' job template delegate_to: 127.0.0.1 awx.awx.tower_job_template: @@ -44,6 +38,6 @@ survey_spec: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_element_subdomain.json') }}" state: present verbosity: 1 - tower_host: "https://{{ tower_host }}" - tower_oauthtoken: "{{ tower_token.stdout }}" + tower_host: "https://{{ awx_host }}" + tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}" validate_certs: yes diff --git a/roles/matrix-awx/tasks/set_variables_jitsi.yml b/roles/matrix-awx/tasks/set_variables_jitsi.yml index 9c610685..2e8f1f8e 100755 --- a/roles/matrix-awx/tasks/set_variables_jitsi.yml +++ b/roles/matrix-awx/tasks/set_variables_jitsi.yml @@ -1,3 +1,4 @@ +--- - name: Record Jitsi variables locally on AWX delegate_to: 127.0.0.1 @@ -8,7 +9,7 @@ insertafter: '# Jitsi Settings Start' with_dict: 'matrix_jitsi_enabled': '{{ matrix_jitsi_enabled }}' - 'matrix_jitsi_web_config_defaultLanguage': '{{ matrix_jitsi_web_config_defaultLanguage }}' + 'matrix_jitsi_web_config_defaultLanguage': '{{ matrix_jitsi_web_config_defaultLanguage | trim }}' - name: Save new 'Configure Jitsi' survey.json to the AWX tower, template delegate_to: 127.0.0.1 @@ -22,13 +23,6 @@ dest: '/matrix/awx/configure_jitsi.json' mode: '0660' -- name: Collect AWX admin token the hard way! - delegate_to: 127.0.0.1 - shell: | - curl -sku {{ tower_username }}:{{ tower_password }} -H "Content-Type: application/json" -X POST -d '{"description":"Tower CLI", "application":null, "scope":"write"}' https://{{ tower_host }}/api/v2/users/1/personal_tokens/ | jq '.token' | sed -r 's/\"//g' - register: tower_token - no_log: True - - name: Recreate 'Configure Jitsi' job template delegate_to: 127.0.0.1 awx.awx.tower_job_template: @@ -46,6 +40,6 @@ become_enabled: yes state: present verbosity: 1 - tower_host: "https://{{ tower_host }}" - tower_oauthtoken: "{{ tower_token.stdout }}" + tower_host: "https://{{ awx_host }}" + tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}" validate_certs: yes diff --git a/roles/matrix-awx/tasks/set_variables_ma1sd.yml b/roles/matrix-awx/tasks/set_variables_ma1sd.yml index 50aea14c..0f4234f1 100755 --- a/roles/matrix-awx/tasks/set_variables_ma1sd.yml +++ b/roles/matrix-awx/tasks/set_variables_ma1sd.yml @@ -1,3 +1,4 @@ +--- - name: Record ma1sd variables locally on AWX delegate_to: 127.0.0.1 @@ -17,8 +18,8 @@ line: "{{ item.key }}: {{ item.value }}" insertafter: '# Synapse Extension Start' with_dict: - 'matrix_synapse_ext_password_provider_rest_auth_enabled': 'false' - when: ext_matrix_ma1sd_auth_store == 'Synapse Internal' + 'matrix_synapse_awx_password_provider_rest_auth_enabled': 'false' + when: awx_matrix_ma1sd_auth_store == 'Synapse Internal' - name: Enable REST auth if using external LDAP/AD with ma1sd delegate_to: 127.0.0.1 @@ -28,9 +29,9 @@ line: "{{ item.key }}: {{ item.value }}" insertafter: '# Synapse Extension Start' with_dict: - 'matrix_synapse_ext_password_provider_rest_auth_enabled': 'true' - 'matrix_synapse_ext_password_provider_rest_auth_endpoint': '"http://matrix-ma1sd:8090"' - when: ext_matrix_ma1sd_auth_store == 'LDAP/AD' + 'matrix_synapse_awx_password_provider_rest_auth_enabled': 'true' + 'matrix_synapse_awx_password_provider_rest_auth_endpoint': '"http://matrix-ma1sd:8090"' + when: awx_matrix_ma1sd_auth_store == 'LDAP/AD' - name: Remove entire ma1sd configuration extension delegate_to: 127.0.0.1 @@ -53,7 +54,7 @@ path: '{{ awx_cached_matrix_vars }}' marker: "# {mark} ma1sd ANSIBLE MANAGED BLOCK" insertafter: '# Start ma1sd Extension' - block: '{{ ext_matrix_ma1sd_configuration_extension_yaml }}' + block: '{{ awx_matrix_ma1sd_configuration_extension_yaml }}' - name: Record ma1sd Custom variables locally on AWX delegate_to: 127.0.0.1 @@ -61,10 +62,10 @@ path: '{{ awx_cached_matrix_vars }}' regexp: "^#? *{{ item.key | regex_escape() }}:" line: "{{ item.key }}: {{ item.value }}" - insertbefore: '# Custom Settings Start' + insertbefore: '# ma1sd Settings End' with_dict: - 'ext_matrix_ma1sd_auth_store': '{{ ext_matrix_ma1sd_auth_store }}' - 'ext_matrix_ma1sd_configuration_extension_yaml': '{{ ext_matrix_ma1sd_configuration_extension_yaml.splitlines() | to_json }}' + 'awx_matrix_ma1sd_auth_store': '{{ awx_matrix_ma1sd_auth_store }}' + 'awx_matrix_ma1sd_configuration_extension_yaml': '{{ awx_matrix_ma1sd_configuration_extension_yaml.splitlines() | to_json }}' no_log: True - name: Save new 'Configure ma1sd' survey.json to the AWX tower, template @@ -79,13 +80,6 @@ dest: '/matrix/awx/configure_ma1sd.json' mode: '0660' -- name: Collect AWX admin token the hard way! - delegate_to: 127.0.0.1 - shell: | - curl -sku {{ tower_username }}:{{ tower_password }} -H "Content-Type: application/json" -X POST -d '{"description":"Tower CLI", "application":null, "scope":"write"}' https://{{ tower_host }}/api/v2/users/1/personal_tokens/ | jq '.token' | sed -r 's/\"//g' - register: tower_token - no_log: True - - name: Recreate 'Configure ma1sd (Advanced)' job template delegate_to: 127.0.0.1 awx.awx.tower_job_template: @@ -103,7 +97,7 @@ become_enabled: yes state: present verbosity: 1 - tower_host: "https://{{ tower_host }}" - tower_oauthtoken: "{{ tower_token.stdout }}" + tower_host: "https://{{ awx_host }}" + tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}" validate_certs: yes diff --git a/roles/matrix-awx/tasks/set_variables_mailer.yml b/roles/matrix-awx/tasks/set_variables_mailer.yml index 924454d6..2ae2d513 100644 --- a/roles/matrix-awx/tasks/set_variables_mailer.yml +++ b/roles/matrix-awx/tasks/set_variables_mailer.yml @@ -1,3 +1,4 @@ +--- - name: Record Mailer variables locally on AWX delegate_to: 127.0.0.1 @@ -21,13 +22,6 @@ dest: '/matrix/awx/configure_email_relay.json' mode: '0660' -- name: Collect AWX admin token the hard way! - delegate_to: 127.0.0.1 - shell: | - curl -sku {{ tower_username }}:{{ tower_password }} -H "Content-Type: application/json" -X POST -d '{"description":"Tower CLI", "application":null, "scope":"write"}' https://{{ tower_host }}/api/v2/users/1/personal_tokens/ | jq '.token' | sed -r 's/\"//g' - register: tower_token - no_log: True - - name: Recreate 'Configure Email Relay' job template delegate_to: 127.0.0.1 awx.awx.tower_job_template: @@ -45,6 +39,6 @@ become_enabled: yes state: present verbosity: 1 - tower_host: "https://{{ tower_host }}" - tower_oauthtoken: "{{ tower_token.stdout }}" + tower_host: "https://{{ awx_host }}" + tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}" validate_certs: yes diff --git a/roles/matrix-awx/tasks/set_variables_synapse.yml b/roles/matrix-awx/tasks/set_variables_synapse.yml index 53d78081..df6b2798 100755 --- a/roles/matrix-awx/tasks/set_variables_synapse.yml +++ b/roles/matrix-awx/tasks/set_variables_synapse.yml @@ -2,12 +2,12 @@ - name: Limit max upload size to 200MB part 1 set_fact: matrix_synapse_max_upload_size_mb: "200" - when: matrix_synapse_max_upload_size_mb_raw|int >= 200 + when: awx_synapse_max_upload_size_mb | int >= 200 - name: Limit max upload size to 200MB part 2 set_fact: - matrix_synapse_max_upload_size_mb: "{{ matrix_synapse_max_upload_size_mb_raw }}" - when: matrix_synapse_max_upload_size_mb_raw|int < 200 + matrix_synapse_max_upload_size_mb: "{{ awx_synapse_max_upload_size_mb }}" + when: awx_synapse_max_upload_size_mb | int < 200 - name: Record Synapse variables locally on AWX delegate_to: 127.0.0.1 @@ -32,13 +32,13 @@ path: '{{ awx_cached_matrix_vars }}' regexp: "^matrix_synapse_auto_join_rooms: .*$" replace: "matrix_synapse_auto_join_rooms: []" - when: matrix_synapse_auto_join_rooms_raw|length == 0 + when: awx_synapse_auto_join_rooms | length == 0 - name: If the raw inputs is not empty start constructing parsed auto_join_rooms list set_fact: - matrix_synapse_auto_join_rooms_array: |- - {{ matrix_synapse_auto_join_rooms_raw.splitlines() | to_json }} - when: matrix_synapse_auto_join_rooms_raw|length > 0 + awx_synapse_auto_join_rooms_array: |- + {{ awx_synapse_auto_join_rooms.splitlines() | to_json }} + when: awx_synapse_auto_join_rooms|length > 0 - name: Record Synapse variable 'matrix_synapse_auto_join_rooms' locally on AWX, if it's not blank delegate_to: 127.0.0.1 @@ -48,8 +48,8 @@ line: "{{ item.key }}: {{ item.value }}" insertafter: '# Synapse Settings Start' with_dict: - "matrix_synapse_auto_join_rooms": "{{ matrix_synapse_auto_join_rooms_array }}" - when: matrix_synapse_auto_join_rooms_raw|length > 0 + "matrix_synapse_auto_join_rooms": "{{ awx_synapse_auto_join_rooms_array }}" + when: awx_synapse_auto_join_rooms|length > 0 - name: Record Synapse Shared Secret if it's defined delegate_to: 127.0.0.1 @@ -59,8 +59,8 @@ line: "{{ item.key }}: {{ item.value }}" insertafter: '# Synapse Settings Start' with_dict: - 'matrix_synapse_registration_shared_secret': '{{ ext_matrix_synapse_registration_shared_secret }}' - when: ext_matrix_synapse_registration_shared_secret|length > 0 + 'matrix_synapse_registration_shared_secret': '{{ awx_matrix_synapse_registration_shared_secret }}' + when: awx_matrix_synapse_registration_shared_secret | length > 0 - name: Record registations_require_3pid extra variable if true delegate_to: 127.0.0.1 @@ -72,7 +72,7 @@ with_items: - " registrations_require_3pid:" - " - email" - when: ext_registrations_require_3pid|bool + when: awx_registrations_require_3pid | bool - name: Remove registrations_require_3pid extra variable if false delegate_to: 127.0.0.1 @@ -85,7 +85,7 @@ with_items: - " registrations_require_3pid:" - " - email" - when: not ext_registrations_require_3pid|bool + when: not awx_registrations_require_3pid | bool - name: Remove URL Languages delegate_to: 127.0.0.1 @@ -97,21 +97,21 @@ - name: Set URL languages default if raw inputs empty set_fact: - ext_url_preview_accept_language_default: 'en' - when: ext_url_preview_accept_language_raw|length == 0 + awx_url_preview_accept_language_default: 'en' + when: awx_url_preview_accept_language | length == 0 - name: Set URL languages default if raw inputs not empty set_fact: - ext_url_preview_accept_language_default: "{{ ext_url_preview_accept_language_raw }}" - when: ext_url_preview_accept_language_raw|length > 0 + awx_url_preview_accept_language_default: "{{ awx_url_preview_accept_language }}" + when: awx_url_preview_accept_language|length > 0 - name: Set URL languages if raw inputs empty delegate_to: 127.0.0.1 lineinfile: path: '{{ awx_cached_matrix_vars }}' insertafter: '^ url_preview_accept_language:' - line: " - {{ ext_url_preview_accept_language_default }}" - when: ext_url_preview_accept_language_raw|length == 0 + line: " - {{ awx_url_preview_accept_language_default }}" + when: awx_url_preview_accept_language|length == 0 - name: Set URL languages if raw inputs not empty delegate_to: 127.0.0.1 @@ -119,8 +119,8 @@ path: '{{ awx_cached_matrix_vars }}' insertafter: '^ url_preview_accept_language:' line: " - {{ item }}" - with_items: "{{ ext_url_preview_accept_language_raw.splitlines() }}" - when: ext_url_preview_accept_language_raw|length > 0 + with_items: "{{ awx_url_preview_accept_language.splitlines() }}" + when: awx_url_preview_accept_language | length > 0 - name: Remove Federation Whitelisting 1 delegate_to: 127.0.0.1 @@ -143,7 +143,7 @@ path: '{{ awx_cached_matrix_vars }}' insertafter: '^matrix_synapse_configuration_extension_yaml: \|' line: " federation_domain_whitelist:" - when: ext_federation_whitelist_raw|length > 0 + when: awx_federation_whitelist | length > 0 - name: Set Federation Whitelisting 2 delegate_to: 127.0.0.1 @@ -151,16 +151,16 @@ path: '{{ awx_cached_matrix_vars }}' insertafter: '^ federation_domain_whitelist:' line: " - {{ item }}" - with_items: "{{ ext_federation_whitelist_raw.splitlines() }}" - when: ext_federation_whitelist_raw|length > 0 + with_items: "{{ awx_federation_whitelist.splitlines() }}" + when: awx_federation_whitelist | length > 0 -- name: Set ext_recaptcha_public_key to a 'public-key' if undefined - set_fact: ext_recaptcha_public_key="public-key" - when: (ext_recaptcha_public_key is not defined) or (ext_recaptcha_public_key|length == 0) +- name: Set awx_recaptcha_public_key to a 'public-key' if undefined + set_fact: awx_recaptcha_public_key="public-key" + when: (awx_recaptcha_public_key is not defined) or (awx_recaptcha_public_key|length == 0) -- name: Set ext_recaptcha_private_key to a 'private-key' if undefined - set_fact: ext_recaptcha_private_key="private-key" - when: (ext_recaptcha_private_key is not defined) or (ext_recaptcha_private_key|length == 0) +- name: Set awx_recaptcha_private_key to a 'private-key' if undefined + set_fact: awx_recaptcha_private_key="private-key" + when: (awx_recaptcha_private_key is not defined) or (awx_recaptcha_private_key|length == 0) - name: Record Synapse Extension variables locally on AWX delegate_to: 127.0.0.1 @@ -170,9 +170,9 @@ line: "{{ item.key }}: {{ item.value }}" insertbefore: '# Synapse Extension End' with_dict: - ' enable_registration_captcha': '{{ ext_enable_registration_captcha }}' - ' recaptcha_public_key': '{{ ext_recaptcha_public_key }}' - ' recaptcha_private_key': '{{ ext_recaptcha_private_key }}' + ' enable_registration_captcha': '{{ awx_enable_registration_captcha }}' + ' recaptcha_public_key': '{{ awx_recaptcha_public_key }}' + ' recaptcha_private_key': '{{ awx_recaptcha_private_key }}' - name: Record Synapse Custom variables locally on AWX delegate_to: 127.0.0.1 @@ -180,13 +180,13 @@ path: '{{ awx_cached_matrix_vars }}' regexp: "^#? *{{ item.key | regex_escape() }}:" line: "{{ item.key }}: {{ item.value }}" - insertafter: '# Custom Settings Start' + insertbefore: '# Synapse Settings End' with_dict: - 'ext_federation_whitelist_raw': '{{ ext_federation_whitelist_raw.splitlines() | to_json }}' - 'ext_url_preview_accept_language_default': '{{ ext_url_preview_accept_language_default.splitlines() | to_json }}' - 'ext_enable_registration_captcha': '{{ ext_enable_registration_captcha }}' - 'ext_recaptcha_public_key': '"{{ ext_recaptcha_public_key }}"' - 'ext_recaptcha_private_key': '"{{ ext_recaptcha_private_key }}"' + 'awx_federation_whitelist': '{{ awx_federation_whitelist.splitlines() | to_json }}' + 'awx_url_preview_accept_language_default': '{{ awx_url_preview_accept_language_default.splitlines() | to_json }}' + 'awx_enable_registration_captcha': '{{ awx_enable_registration_captcha }}' + 'awx_recaptcha_public_key': '"{{ awx_recaptcha_public_key }}"' + 'awx_recaptcha_private_key': '"{{ awx_recaptcha_private_key }}"' - name: Save new 'Configure Synapse' survey.json to the AWX tower, template delegate_to: 127.0.0.1 @@ -200,13 +200,6 @@ dest: '/matrix/awx/configure_synapse.json' mode: '0660' -- name: Collect AWX admin token the hard way! - delegate_to: 127.0.0.1 - shell: | - curl -sku {{ tower_username }}:{{ tower_password }} -H "Content-Type: application/json" -X POST -d '{"description":"Tower CLI", "application":null, "scope":"write"}' https://{{ tower_host }}/api/v2/users/1/personal_tokens/ | jq '.token' | sed -r 's/\"//g' - register: tower_token - no_log: True - - name: Recreate 'Configure Synapse' job template delegate_to: 127.0.0.1 awx.awx.tower_job_template: @@ -224,6 +217,6 @@ become_enabled: yes state: present verbosity: 1 - tower_host: "https://{{ tower_host }}" - tower_oauthtoken: "{{ tower_token.stdout }}" + tower_host: "https://{{ awx_host }}" + tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}" validate_certs: yes diff --git a/roles/matrix-awx/tasks/set_variables_synapse_admin.yml b/roles/matrix-awx/tasks/set_variables_synapse_admin.yml index fa922de4..635befb5 100644 --- a/roles/matrix-awx/tasks/set_variables_synapse_admin.yml +++ b/roles/matrix-awx/tasks/set_variables_synapse_admin.yml @@ -1,3 +1,4 @@ +--- - name: Record Synapse Admin variables locally on AWX delegate_to: 127.0.0.1 @@ -21,13 +22,6 @@ dest: '/matrix/awx/configure_synapse_admin.json' mode: '0660' -- name: Collect AWX admin token the hard way! - delegate_to: 127.0.0.1 - shell: | - curl -sku {{ tower_username }}:{{ tower_password }} -H "Content-Type: application/json" -X POST -d '{"description":"Tower CLI", "application":null, "scope":"write"}' https://{{ tower_host }}/api/v2/users/1/personal_tokens/ | jq '.token' | sed -r 's/\"//g' - register: tower_token - no_log: True - - name: Recreate 'Configure Synapse Admin' job template delegate_to: 127.0.0.1 awx.awx.tower_job_template: @@ -45,6 +39,6 @@ become_enabled: yes state: present verbosity: 1 - tower_host: "https://{{ tower_host }}" - tower_oauthtoken: "{{ tower_token.stdout }}" + tower_host: "https://{{ awx_host }}" + tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}" validate_certs: yes diff --git a/roles/matrix-base/defaults/main.yml b/roles/matrix-base/defaults/main.yml index 31bff105..4ce06433 100644 --- a/roles/matrix-base/defaults/main.yml +++ b/roles/matrix-base/defaults/main.yml @@ -83,8 +83,8 @@ matrix_host_command_openssl: "/usr/bin/env openssl" matrix_host_command_systemctl: "/usr/bin/env systemctl" matrix_host_command_sh: "/usr/bin/env sh" -matrix_ntpd_package: "{{ 'systemd-timesyncd' if ansible_distribution == 'CentOS' and ansible_distribution_major_version > '7' else 'ntp' }}" -matrix_ntpd_service: "{{ 'systemd-timesyncd' if ansible_distribution == 'CentOS' and ansible_distribution_major_version > '7' else ('ntpd' if ansible_os_family == 'RedHat' or ansible_distribution == 'Archlinux' else 'ntp') }}" +matrix_ntpd_package: "{{ 'systemd-timesyncd' if (ansible_distribution == 'CentOS' and ansible_distribution_major_version > '7') or (ansible_distribution == 'Ubuntu' and ansible_distribution_major_version > '18') else 'ntp' }}" +matrix_ntpd_service: "{{ 'systemd-timesyncd' if (ansible_distribution == 'CentOS' and ansible_distribution_major_version > '7') or (ansible_distribution == 'Ubuntu' and ansible_distribution_major_version > '18') or ansible_distribution == 'Archlinux' else ('ntpd' if ansible_os_family == 'RedHat' else 'ntp') }}" matrix_homeserver_url: "https://{{ matrix_server_fqn_matrix }}" diff --git a/roles/matrix-base/tasks/server_base/setup_archlinux.yml b/roles/matrix-base/tasks/server_base/setup_archlinux.yml index 3814305d..d08cafc0 100644 --- a/roles/matrix-base/tasks/server_base/setup_archlinux.yml +++ b/roles/matrix-base/tasks/server_base/setup_archlinux.yml @@ -4,7 +4,6 @@ pacman: name: - python-docker - - "{{ matrix_ntpd_package }}" # TODO This needs to be verified. Which version do we need? - fuse3 - python-dnspython diff --git a/roles/matrix-bot-mjolnir/defaults/main.yml b/roles/matrix-bot-mjolnir/defaults/main.yml index 1d1038af..6e7331c4 100644 --- a/roles/matrix-bot-mjolnir/defaults/main.yml +++ b/roles/matrix-bot-mjolnir/defaults/main.yml @@ -3,7 +3,7 @@ matrix_bot_mjolnir_enabled: true -matrix_bot_mjolnir_version: "v0.1.19" +matrix_bot_mjolnir_version: "v1.1.20" matrix_bot_mjolnir_container_image_self_build: false matrix_bot_mjolnir_container_image_self_build_repo: "https://github.com/matrix-org/mjolnir.git" diff --git a/roles/matrix-bridge-appservice-irc/defaults/main.yml b/roles/matrix-bridge-appservice-irc/defaults/main.yml index 0cfe56a4..35432aa0 100644 --- a/roles/matrix-bridge-appservice-irc/defaults/main.yml +++ b/roles/matrix-bridge-appservice-irc/defaults/main.yml @@ -7,7 +7,7 @@ matrix_appservice_irc_container_self_build: false matrix_appservice_irc_docker_repo: "https://github.com/matrix-org/matrix-appservice-irc.git" matrix_appservice_irc_docker_src_files_path: "{{ matrix_base_data_path }}/appservice-irc/docker-src" -matrix_appservice_irc_version: release-0.30.0 +matrix_appservice_irc_version: release-0.31.0 matrix_appservice_irc_docker_image: "{{ matrix_container_global_registry_prefix }}matrixdotorg/matrix-appservice-irc:{{ matrix_appservice_irc_version }}" matrix_appservice_irc_docker_image_force_pull: "{{ matrix_appservice_irc_docker_image.endswith(':latest') }}" diff --git a/roles/matrix-bridge-appservice-slack/defaults/main.yml b/roles/matrix-bridge-appservice-slack/defaults/main.yml index bb801273..10b3d7b4 100644 --- a/roles/matrix-bridge-appservice-slack/defaults/main.yml +++ b/roles/matrix-bridge-appservice-slack/defaults/main.yml @@ -7,7 +7,7 @@ matrix_appservice_slack_container_self_build: false matrix_appservice_slack_docker_repo: "https://github.com/matrix-org/matrix-appservice-slack.git" matrix_appservice_slack_docker_src_files_path: "{{ matrix_base_data_path }}/appservice-slack/docker-src" -matrix_appservice_slack_version: release-1.5.0 +matrix_appservice_slack_version: release-1.8.0 matrix_appservice_slack_docker_image: "{{ matrix_container_global_registry_prefix }}matrixdotorg/matrix-appservice-slack:{{ matrix_appservice_slack_version }}" matrix_appservice_slack_docker_image_force_pull: "{{ matrix_appservice_slack_docker_image.endswith(':latest') }}" diff --git a/roles/matrix-bridge-appservice-webhooks/defaults/main.yml b/roles/matrix-bridge-appservice-webhooks/defaults/main.yml index 7f26ea58..2b9fe310 100644 --- a/roles/matrix-bridge-appservice-webhooks/defaults/main.yml +++ b/roles/matrix-bridge-appservice-webhooks/defaults/main.yml @@ -3,13 +3,20 @@ matrix_appservice_webhooks_enabled: true +matrix_appservice_webhooks_container_image_self_build: false +matrix_appservice_webhooks_container_image_self_build_repo: "https://github.com/turt2live/matrix-appservice-webhooks" +matrix_appservice_webhooks_container_image_self_build_repo_version: "{{ 'master' if matrix_appservice_webhooks_version == 'latest' else matrix_appservice_webhooks_version }}" +matrix_appservice_webhooks_container_image_self_build_repo_dockerfile_path: "Dockerfile" + matrix_appservice_webhooks_version: latest -matrix_appservice_webhooks_docker_image: "{{ matrix_container_global_registry_prefix }}turt2live/matrix-appservice-webhooks:{{ matrix_appservice_webhooks_version }}" +matrix_appservice_webhooks_docker_image: "{{ matrix_appservice_webhooks_docker_image_name_prefix }}turt2live/matrix-appservice-webhooks:{{ matrix_appservice_webhooks_version }}" +matrix_appservice_webhooks_docker_image_name_prefix: "{{ 'localhost/' if matrix_appservice_webhooks_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_appservice_webhooks_docker_image_force_pull: "{{ matrix_appservice_webhooks_docker_image.endswith(':latest') }}" matrix_appservice_webhooks_base_path: "{{ matrix_base_data_path }}/appservice-webhooks" matrix_appservice_webhooks_config_path: "{{ matrix_appservice_webhooks_base_path }}/config" matrix_appservice_webhooks_data_path: "{{ matrix_appservice_webhooks_base_path }}/data" +matrix_appservice_webhooks_docker_src_files_path: "{{ matrix_appservice_webhooks_base_path }}/docker-src" # If nginx-proxy is disabled, the bridge itself expects its endpoint to be on its own domain (e.g. "localhost:6789") matrix_appservice_webhooks_public_endpoint: /appservice-webhooks diff --git a/roles/matrix-bridge-appservice-webhooks/tasks/setup_install.yml b/roles/matrix-bridge-appservice-webhooks/tasks/setup_install.yml index 9ddc121a..1b276efc 100644 --- a/roles/matrix-bridge-appservice-webhooks/tasks/setup_install.yml +++ b/roles/matrix-bridge-appservice-webhooks/tasks/setup_install.yml @@ -1,23 +1,47 @@ --- -- name: Ensure Appservice webhooks image is pulled - docker_image: - name: "{{ matrix_appservice_webhooks_docker_image }}" - source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" - force_source: "{{ matrix_appservice_webhooks_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" - force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_appservice_webhooks_docker_image_force_pull }}" - - name: Ensure AppService webhooks paths exist file: - path: "{{ item }}" + path: "{{ item.path }}" state: directory mode: 0750 owner: "{{ matrix_user_username }}" group: "{{ matrix_user_groupname }}" with_items: - - "{{ matrix_appservice_webhooks_base_path }}" - - "{{ matrix_appservice_webhooks_config_path }}" - - "{{ matrix_appservice_webhooks_data_path }}" + - { path: "{{ matrix_appservice_webhooks_base_path }}", when: true } + - { path: "{{ matrix_appservice_webhooks_config_path }}", when: true } + - { path: "{{ matrix_appservice_webhooks_data_path }}", when: true } + - { path: "{{ matrix_appservice_webhooks_docker_src_files_path }}", when: "{{ matrix_appservice_webhooks_container_image_self_build }}"} + when: "item.when|bool" + +- name: Ensure Appservice webhooks image is pulled + docker_image: + name: "{{ matrix_appservice_webhooks_docker_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_appservice_webhooks_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_appservice_webhooks_docker_image_force_pull }}" + when: "not matrix_appservice_webhooks_container_image_self_build|bool" + +- block: + - name: Ensure Appservice webhooks repository is present on self-build + git: + repo: "{{ matrix_appservice_webhooks_container_image_self_build_repo }}" + dest: "{{ matrix_appservice_webhooks_docker_src_files_path }}" + version: "{{ matrix_appservice_webhooks_container_image_self_build_repo_version }}" + force: "yes" + register: matrix_appservice_webhooks_git_pull_results + + - name: Ensure Appservice webhooks Docker image is built + docker_image: + name: "{{ matrix_appservice_webhooks_docker_image }}" + source: build + force_source: "{{ matrix_appservice_webhooks_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_appservice_webhooks_git_pull_results.changed }}" + build: + dockerfile: "{{ matrix_appservice_webhooks_container_image_self_build_repo_dockerfile_path }}" + path: "{{ matrix_appservice_webhooks_docker_src_files_path }}" + pull: yes + when: "matrix_appservice_webhooks_container_image_self_build|bool" - name: Ensure Matrix Appservice webhooks config is installed copy: diff --git a/roles/matrix-bridge-beeper-linkedin/defaults/main.yml b/roles/matrix-bridge-beeper-linkedin/defaults/main.yml index ff3243cd..8df6c38f 100644 --- a/roles/matrix-bridge-beeper-linkedin/defaults/main.yml +++ b/roles/matrix-bridge-beeper-linkedin/defaults/main.yml @@ -3,7 +3,7 @@ matrix_beeper_linkedin_enabled: true -matrix_beeper_linkedin_version: v0.5.0 +matrix_beeper_linkedin_version: v0.5.1 # See: https://gitlab.com/beeper/linkedin/container_registry matrix_beeper_linkedin_docker_image: "registry.gitlab.com/beeper/linkedin:{{ matrix_beeper_linkedin_version }}-amd64" matrix_beeper_linkedin_docker_image_force_pull: "{{ matrix_beeper_linkedin_docker_image.endswith(':latest-amd64') }}" diff --git a/roles/matrix-bridge-heisenbridge/defaults/main.yml b/roles/matrix-bridge-heisenbridge/defaults/main.yml index 275a4ffb..2f9380df 100644 --- a/roles/matrix-bridge-heisenbridge/defaults/main.yml +++ b/roles/matrix-bridge-heisenbridge/defaults/main.yml @@ -3,7 +3,7 @@ matrix_heisenbridge_enabled: true -matrix_heisenbridge_version: 1.1.0 +matrix_heisenbridge_version: 1.2.1 matrix_heisenbridge_docker_image: "{{ matrix_container_global_registry_prefix }}hif1/heisenbridge:{{ matrix_heisenbridge_version }}" matrix_heisenbridge_docker_image_force_pull: "{{ matrix_heisenbridge_docker_image.endswith(':latest') }}" diff --git a/roles/matrix-bridge-mautrix-googlechat/defaults/main.yml b/roles/matrix-bridge-mautrix-googlechat/defaults/main.yml new file mode 100644 index 00000000..22f863ff --- /dev/null +++ b/roles/matrix-bridge-mautrix-googlechat/defaults/main.yml @@ -0,0 +1,115 @@ +# mautrix-googlechat is a Matrix <-> googlechat bridge +# See: https://github.com/mautrix/googlechat + +matrix_mautrix_googlechat_enabled: true + +matrix_mautrix_googlechat_container_image_self_build: false +matrix_mautrix_googlechat_container_image_self_build_repo: "https://github.com/mautrix/googlechat.git" + +matrix_mautrix_googlechat_version: latest +# See: https://mau.dev/mautrix/googlechat/container_registry +matrix_mautrix_googlechat_docker_image: "{{ matrix_mautrix_googlechat_docker_image_name_prefix }}mautrix/googlechat:{{ matrix_mautrix_googlechat_version }}" +matrix_mautrix_googlechat_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_googlechat_container_image_self_build else 'dock.mau.dev/' }}" +matrix_mautrix_googlechat_docker_image_force_pull: "{{ matrix_mautrix_googlechat_docker_image.endswith(':latest') }}" + +matrix_mautrix_googlechat_base_path: "{{ matrix_base_data_path }}/mautrix-googlechat" +matrix_mautrix_googlechat_config_path: "{{ matrix_mautrix_googlechat_base_path }}/config" +matrix_mautrix_googlechat_data_path: "{{ matrix_mautrix_googlechat_base_path }}/data" +matrix_mautrix_googlechat_docker_src_files_path: "{{ matrix_mautrix_googlechat_base_path }}/docker-src" + +matrix_mautrix_googlechat_public_endpoint: '/mautrix-googlechat' + +matrix_mautrix_googlechat_homeserver_address: "{{ matrix_homeserver_container_url }}" +matrix_mautrix_googlechat_homeserver_domain: '{{ matrix_domain }}' +matrix_mautrix_googlechat_appservice_address: 'http://matrix-mautrix-googlechat:8080' + +# Controls whether the matrix-mautrix-googlechat container exposes its HTTP port (tcp/8080 in the container). +# +# Takes an ":" or "" value (e.g. "127.0.0.1:9007"), or empty string to not expose. +matrix_mautrix_googlechat_container_http_host_bind_port: '' + +# A list of extra arguments to pass to the container +matrix_mautrix_googlechat_container_extra_arguments: [] + +# List of systemd services that matrix-mautrix-googlechat.service depends on. +matrix_mautrix_googlechat_systemd_required_services_list: ['docker.service'] + +# List of systemd services that matrix-mautrix-googlechat.service wants +matrix_mautrix_googlechat_systemd_wanted_services_list: [] + +matrix_mautrix_googlechat_appservice_token: '' +matrix_mautrix_googlechat_homeserver_token: '' + + +# Database-related configuration fields. +# +# To use SQLite, stick to these defaults. +# +# To use Postgres: +# - change the engine (`matrix_mautrix_googlechat_database_engine: 'postgres'`) +# - adjust your database credentials via the `matrix_mautrix_googlechat_postgres_*` variables +matrix_mautrix_googlechat_database_engine: 'sqlite' + +matrix_mautrix_googlechat_sqlite_database_path_local: "{{ matrix_mautrix_googlechat_data_path }}/mautrix-googlechat.db" +matrix_mautrix_googlechat_sqlite_database_path_in_container: "/data/mautrix-googlechat.db" + +matrix_mautrix_googlechat_database_username: 'matrix_mautrix_googlechat' +matrix_mautrix_googlechat_database_password: 'some-password' +matrix_mautrix_googlechat_database_hostname: 'matrix-postgres' +matrix_mautrix_googlechat_database_port: 5432 +matrix_mautrix_googlechat_database_name: 'matrix_mautrix_googlechat' + +matrix_mautrix_googlechat_database_connection_string: 'postgres://{{ matrix_mautrix_googlechat_database_username }}:{{ matrix_mautrix_googlechat_database_password }}@{{ matrix_mautrix_googlechat_database_hostname }}:{{ matrix_mautrix_googlechat_database_port }}/{{ matrix_mautrix_googlechat_database_name }}' + +matrix_mautrix_googlechat_appservice_database: "{{ + { + 'sqlite': ('sqlite:///' + matrix_mautrix_googlechat_sqlite_database_path_in_container), + 'postgres': matrix_mautrix_googlechat_database_connection_string, + }[matrix_mautrix_googlechat_database_engine] +}}" + + +# Can be set to enable automatic double-puppeting via Shared Secret Auth (https://github.com/devture/matrix-synapse-shared-secret-auth). +matrix_mautrix_googlechat_login_shared_secret: '' + +matrix_mautrix_googlechat_appservice_bot_username: googlechatbot + +# Default configuration template which covers the generic use case. +# You can customize it by controlling the various variables inside it. +# +# For a more advanced customization, you can extend the default (see `matrix_mautrix_googlechat_configuration_extension_yaml`) +# or completely replace this variable with your own template. +matrix_mautrix_googlechat_configuration_yaml: "{{ lookup('template', 'templates/config.yaml.j2') }}" + +matrix_mautrix_googlechat_configuration_extension_yaml: | + # Your custom YAML configuration goes here. + # This configuration extends the default starting configuration (`matrix_mautrix_googlechat_configuration_yaml`). + # + # You can override individual variables from the default configuration, or introduce new ones. + # + # If you need something more special, you can take full control by + # completely redefining `matrix_mautrix_googlechat_configuration_yaml`. + +matrix_mautrix_googlechat_configuration_extension: "{{ matrix_mautrix_googlechat_configuration_extension_yaml|from_yaml if matrix_mautrix_googlechat_configuration_extension_yaml|from_yaml is mapping else {} }}" + +# Holds the final configuration (a combination of the default and its extension). +# You most likely don't need to touch this variable. Instead, see `matrix_mautrix_googlechat_configuration_yaml`. +matrix_mautrix_googlechat_configuration: "{{ matrix_mautrix_googlechat_configuration_yaml|from_yaml|combine(matrix_mautrix_googlechat_configuration_extension, recursive=True) }}" + +matrix_mautrix_googlechat_registration_yaml: | + id: googlechat + as_token: "{{ matrix_mautrix_googlechat_appservice_token }}" + hs_token: "{{ matrix_mautrix_googlechat_homeserver_token }}" + namespaces: + users: + - exclusive: true + regex: '^@googlechat_.+:{{ matrix_mautrix_googlechat_homeserver_domain|regex_escape }}$' + - exclusive: true + regex: '^@{{ matrix_mautrix_googlechat_appservice_bot_username|regex_escape }}:{{ matrix_mautrix_googlechat_homeserver_domain|regex_escape }}$' + url: {{ matrix_mautrix_googlechat_appservice_address }} + # See https://github.com/mautrix/signal/issues/43 + sender_localpart: _bot_{{ matrix_mautrix_googlechat_appservice_bot_username }} + rate_limited: false + de.sorunome.msc2409.push_ephemeral: true + +matrix_mautrix_googlechat_registration: "{{ matrix_mautrix_googlechat_registration_yaml|from_yaml }}" diff --git a/roles/matrix-bridge-mautrix-googlechat/tasks/init.yml b/roles/matrix-bridge-mautrix-googlechat/tasks/init.yml new file mode 100644 index 00000000..c12fcd3c --- /dev/null +++ b/roles/matrix-bridge-mautrix-googlechat/tasks/init.yml @@ -0,0 +1,69 @@ +# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 +# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 +- name: Fail if trying to self-build on Ansible < 2.8 + fail: + msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mautrix_googlechat_container_image_self_build and matrix_mautrix_googlechat_enabled" + +- set_fact: + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mautrix-googlechat.service'] }}" + when: matrix_mautrix_googlechat_enabled|bool + +# If the matrix-synapse role is not used, these variables may not exist. +- set_fact: + matrix_synapse_container_extra_arguments: > + {{ matrix_synapse_container_extra_arguments|default([]) }} + + + ["--mount type=bind,src={{ matrix_mautrix_googlechat_config_path }}/registration.yaml,dst=/matrix-mautrix-googlechat-registration.yaml,ro"] + + matrix_synapse_app_service_config_files: > + {{ matrix_synapse_app_service_config_files|default([]) }} + + + {{ ["/matrix-mautrix-googlechat-registration.yaml"] }} + when: matrix_mautrix_googlechat_enabled|bool + +- block: + - name: Fail if matrix-nginx-proxy role already executed + fail: + msg: >- + Trying to append Mautrix googlechat's reverse-proxying configuration to matrix-nginx-proxy, + but it's pointless since the matrix-nginx-proxy role had already executed. + To fix this, please change the order of roles in your plabook, + so that the matrix-nginx-proxy role would run after the matrix-bridge-mautrix-googlechat role. + when: matrix_nginx_proxy_role_executed|default(False)|bool + + - name: Generate Mautrix googlechat proxying configuration for matrix-nginx-proxy + set_fact: + matrix_mautrix_googlechat_matrix_nginx_proxy_configuration: | + location {{ matrix_mautrix_googlechat_public_endpoint }} { + {% if matrix_nginx_proxy_enabled|default(False) %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver 127.0.0.11 valid=5s; + set $backend "matrix-mautrix-googlechat:8080"; + proxy_pass http://$backend; + {% else %} + {# Generic configuration for use outside of our container setup #} + proxy_pass http://127.0.0.1:9007; + {% endif %} + } + - name: Register Mautrix googlechat proxying configuration with matrix-nginx-proxy + set_fact: + matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks: | + {{ + matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks|default([]) + + + [matrix_mautrix_googlechat_matrix_nginx_proxy_configuration] + }} + tags: + - always + when: matrix_mautrix_googlechat_enabled|bool + +- name: Warn about reverse-proxying if matrix-nginx-proxy not used + debug: + msg: >- + NOTE: You've enabled the Mautrix googlechat bridge but are not using the matrix-nginx-proxy + reverse proxy. + Please make sure that you're proxying the `{{ matrix_mautrix_googlechat_public_endpoint }}` + URL endpoint to the matrix-mautrix-googlechat container. + You can expose the container's port using the `matrix_mautrix_googlechat_container_http_host_bind_port` variable. + when: "matrix_mautrix_googlechat_enabled|bool and (matrix_nginx_proxy_enabled is not defined or matrix_nginx_proxy_enabled|bool == false)" diff --git a/roles/matrix-bridge-mautrix-googlechat/tasks/main.yml b/roles/matrix-bridge-mautrix-googlechat/tasks/main.yml new file mode 100644 index 00000000..defcd58a --- /dev/null +++ b/roles/matrix-bridge-mautrix-googlechat/tasks/main.yml @@ -0,0 +1,21 @@ +- import_tasks: "{{ role_path }}/tasks/init.yml" + tags: + - always + +- import_tasks: "{{ role_path }}/tasks/validate_config.yml" + when: "run_setup|bool and matrix_mautrix_googlechat_enabled|bool" + tags: + - setup-all + - setup-mautrix-googlechat + +- import_tasks: "{{ role_path }}/tasks/setup_install.yml" + when: "run_setup|bool and matrix_mautrix_googlechat_enabled|bool" + tags: + - setup-all + - setup-mautrix-googlechat + +- import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" + when: "run_setup|bool and not matrix_mautrix_googlechat_enabled|bool" + tags: + - setup-all + - setup-mautrix-googlechat diff --git a/roles/matrix-bridge-mautrix-googlechat/tasks/setup_install.yml b/roles/matrix-bridge-mautrix-googlechat/tasks/setup_install.yml new file mode 100644 index 00000000..f68ee505 --- /dev/null +++ b/roles/matrix-bridge-mautrix-googlechat/tasks/setup_install.yml @@ -0,0 +1,128 @@ +--- + +# If the matrix-synapse role is not used, `matrix_synapse_role_executed` won't exist. +# We don't want to fail in such cases. +- name: Fail if matrix-synapse role already executed + fail: + msg: >- + The matrix-bridge-mautrix-googlechat role needs to execute before the matrix-synapse role. + when: "matrix_synapse_role_executed|default(False)" + +- set_fact: + matrix_mautrix_googlechat_requires_restart: false + +- block: + - name: Check if an SQLite database already exists + stat: + path: "{{ matrix_mautrix_googlechat_sqlite_database_path_local }}" + register: matrix_mautrix_googlechat_sqlite_database_path_local_stat_result + + - block: + - set_fact: + matrix_postgres_db_migration_request: + src: "{{ matrix_mautrix_googlechat_sqlite_database_path_local }}" + dst: "{{ matrix_mautrix_googlechat_database_connection_string }}" + caller: "{{ role_path|basename }}" + engine_variable_name: 'matrix_mautrix_googlechat_database_engine' + engine_old: 'sqlite' + systemd_services_to_stop: ['matrix-mautrix-googlechat.service'] + + - import_tasks: "{{ role_path }}/../matrix-postgres/tasks/util/migrate_db_to_postgres.yml" + + - set_fact: + matrix_mautrix_googlechat_requires_restart: true + when: "matrix_mautrix_googlechat_sqlite_database_path_local_stat_result.stat.exists|bool" + when: "matrix_mautrix_googlechat_database_engine == 'postgres'" + +- name: Ensure Mautrix googlechat image is pulled + docker_image: + name: "{{ matrix_mautrix_googlechat_docker_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_mautrix_googlechat_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mautrix_googlechat_docker_image_force_pull }}" + when: not matrix_mautrix_googlechat_container_image_self_build + +- name: Ensure Mautrix googlechat paths exist + file: + path: "{{ item.path }}" + state: directory + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: + - { path: "{{ matrix_mautrix_googlechat_base_path }}", when: true } + - { path: "{{ matrix_mautrix_googlechat_config_path }}", when: true } + - { path: "{{ matrix_mautrix_googlechat_data_path }}", when: true } + - { path: "{{ matrix_mautrix_googlechat_docker_src_files_path }}", when: "{{ matrix_mautrix_googlechat_container_image_self_build }}" } + when: "item.when|bool" + +- name: Ensure Mautrix Hangots repository is present on self build + git: + repo: "{{ matrix_mautrix_googlechat_container_image_self_build_repo }}" + dest: "{{ matrix_mautrix_googlechat_docker_src_files_path }}" + force: "yes" + register: matrix_mautrix_googlechat_git_pull_results + when: "matrix_mautrix_googlechat_container_image_self_build|bool" + +- name: Ensure Mautrix googlechat Docker image is built + docker_image: + name: "{{ matrix_mautrix_googlechat_docker_image }}" + source: build + force_source: "{{ matrix_mautrix_googlechat_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mautrix_googlechat_git_pull_results.changed }}" + build: + dockerfile: Dockerfile + path: "{{ matrix_mautrix_googlechat_docker_src_files_path }}" + pull: yes + when: "matrix_mautrix_googlechat_container_image_self_build|bool" + +- name: Check if an old database file already exists + stat: + path: "{{ matrix_mautrix_googlechat_base_path }}/mautrix-googlechat.db" + register: matrix_mautrix_googlechat_stat_database + +- name: (Data relocation) Ensure matrix-mautrix-googlechat.service is stopped + service: + name: matrix-mautrix-googlechat + state: stopped + daemon_reload: yes + failed_when: false + when: "matrix_mautrix_googlechat_stat_database.stat.exists" + +- name: (Data relocation) Move mautrix-googlechat database file to ./data directory + command: "mv {{ matrix_mautrix_googlechat_base_path }}/mautrix-googlechat.db {{ matrix_mautrix_googlechat_data_path }}/mautrix-googlechat.db" + when: "matrix_mautrix_googlechat_stat_database.stat.exists" + +- name: Ensure mautrix-googlechat config.yaml installed + copy: + content: "{{ matrix_mautrix_googlechat_configuration|to_nice_yaml }}" + dest: "{{ matrix_mautrix_googlechat_config_path }}/config.yaml" + mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + +- name: Ensure mautrix-googlechat registration.yaml installed + copy: + content: "{{ matrix_mautrix_googlechat_registration|to_nice_yaml }}" + dest: "{{ matrix_mautrix_googlechat_config_path }}/registration.yaml" + mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + +- name: Ensure matrix-mautrix-googlechat.service installed + template: + src: "{{ role_path }}/templates/systemd/matrix-mautrix-googlechat.service.j2" + dest: "{{ matrix_systemd_path }}/matrix-mautrix-googlechat.service" + mode: 0644 + register: matrix_mautrix_googlechat_systemd_service_result + +- name: Ensure systemd reloaded after matrix-mautrix-googlechat.service installation + service: + daemon_reload: yes + when: "matrix_mautrix_googlechat_systemd_service_result.changed" + +- name: Ensure matrix-mautrix-googlechat.service restarted, if necessary + service: + name: "matrix-mautrix-googlechat.service" + state: restarted + when: "matrix_mautrix_googlechat_requires_restart|bool" diff --git a/roles/matrix-bridge-mautrix-googlechat/tasks/setup_uninstall.yml b/roles/matrix-bridge-mautrix-googlechat/tasks/setup_uninstall.yml new file mode 100644 index 00000000..d3adb7e2 --- /dev/null +++ b/roles/matrix-bridge-mautrix-googlechat/tasks/setup_uninstall.yml @@ -0,0 +1,24 @@ +--- + +- name: Check existence of matrix-mautrix-googlechat service + stat: + path: "{{ matrix_systemd_path }}/matrix-mautrix-googlechat.service" + register: matrix_mautrix_googlechat_service_stat + +- name: Ensure matrix-mautrix-googlechat is stopped + service: + name: matrix-mautrix-googlechat + state: stopped + daemon_reload: yes + when: "matrix_mautrix_googlechat_service_stat.stat.exists" + +- name: Ensure matrix-mautrix-googlechat.service doesn't exist + file: + path: "{{ matrix_systemd_path }}/matrix-mautrix-googlechat.service" + state: absent + when: "matrix_mautrix_googlechat_service_stat.stat.exists" + +- name: Ensure systemd reloaded after matrix-mautrix-googlechat.service removal + service: + daemon_reload: yes + when: "matrix_mautrix_googlechat_service_stat.stat.exists" diff --git a/roles/matrix-bridge-mautrix-googlechat/tasks/validate_config.yml b/roles/matrix-bridge-mautrix-googlechat/tasks/validate_config.yml new file mode 100644 index 00000000..7aa42870 --- /dev/null +++ b/roles/matrix-bridge-mautrix-googlechat/tasks/validate_config.yml @@ -0,0 +1,14 @@ +--- + +- name: Fail if required settings not defined + fail: + msg: >- + You need to define a required configuration setting (`{{ item }}`). + when: "vars[item] == ''" + with_items: + - "matrix_mautrix_googlechat_public_endpoint" + - "matrix_mautrix_googlechat_appservice_token" + - "matrix_mautrix_googlechat_homeserver_token" +- debug: + msg: + - '`matrix_mautrix_googlechat_homeserver_domain` == {{ matrix_mautrix_googlechat_homeserver_domain }}' diff --git a/roles/matrix-bridge-mautrix-googlechat/templates/config.yaml.j2 b/roles/matrix-bridge-mautrix-googlechat/templates/config.yaml.j2 new file mode 100644 index 00000000..c54ffac2 --- /dev/null +++ b/roles/matrix-bridge-mautrix-googlechat/templates/config.yaml.j2 @@ -0,0 +1,145 @@ +#jinja2: lstrip_blocks: "True" +# Homeserver details +homeserver: + # The address that this appservice can use to connect to the homeserver. + address: {{ matrix_mautrix_googlechat_homeserver_address }} + # The domain of the homeserver (for MXIDs, etc). + domain: {{ matrix_mautrix_googlechat_homeserver_domain }} + # Whether or not to verify the SSL certificate of the homeserver. + # Only applies if address starts with https:// + verify_ssl: true + +# Application service host/registration related details +# Changing these values requires regeneration of the registration. +appservice: + # The address that the homeserver can use to connect to this appservice. + address: {{ matrix_mautrix_googlechat_appservice_address }} + + # The hostname and port where this appservice should listen. + hostname: 0.0.0.0 + port: 8080 + # The maximum body size of appservice API requests (from the homeserver) in mebibytes + # Usually 1 is enough, but on high-traffic bridges you might need to increase this to avoid 413s + max_body_size: 1 + + # The full URI to the database. SQLite and Postgres are fully supported. + # Other DBMSes supported by SQLAlchemy may or may not work. + # Format examples: + # SQLite: sqlite:///filename.db + # Postgres: postgres://username:password@hostname/dbname + database: {{ matrix_mautrix_googlechat_appservice_database|to_json }} + + # The unique ID of this appservice. + id: googlechat + # Username of the appservice bot. + bot_username: {{ matrix_mautrix_googlechat_appservice_bot_username|to_json }} + # Display name and avatar for bot. Set to "remove" to remove display name/avatar, leave empty + # to leave display name/avatar as-is. + bot_displayname: googlechat bridge bot + bot_avatar: mxc://maunium.net/FBXZnpfORkBEruORbikmleAy + + # Authentication tokens for AS <-> HS communication. + as_token: "{{ matrix_mautrix_googlechat_appservice_token }}" + hs_token: "{{ matrix_mautrix_googlechat_homeserver_token }}" + +# Bridge config +bridge: + # Localpart template of MXIDs for googlechat users. + # {userid} is replaced with the user ID of the googlechat user. + username_template: "googlechat_{userid}" + # Displayname template for googlechat users. + # {displayname} is replaced with the display name of the googlechat user + # as defined below in displayname_preference. + # Keys available for displayname_preference are also available here. + displayname_template: '{full_name} (googlechat)' + # Available keys: + # "name" (full name) + # "first_name" + # "last_name" + # "nickname" + # "own_nickname" (user-specific!) + displayname_preference: + - name + + # The prefix for commands. Only required in non-management rooms. + command_prefix: "!HO" + + # Number of chats to sync (and create portals for) on startup/login. + # Maximum 20, set 0 to disable automatic syncing. + initial_chat_sync: 20 + # Whether or not the googlechat users of logged in Matrix users should be + # invited to private chats when the user sends a message from another client. + invite_own_puppet_to_pm: false + # Whether or not to use /sync to get presence, read receipts and typing notifications when using + # your own Matrix account as the Matrix puppet for your googlechat account. + sync_with_custom_puppets: true + # Shared secret for https://github.com/devture/matrix-synapse-shared-secret-auth + # + # If set, custom puppets will be enabled automatically for local users + # instead of users having to find an access token and run `login-matrix` + # manually. + login_shared_secret: {{ matrix_mautrix_googlechat_login_shared_secret|to_json }} + # Whether or not to update avatars when syncing all contacts at startup. + update_avatar_initial_sync: true + # End-to-bridge encryption support options. These require matrix-nio to be installed with pip + # and login_shared_secret to be configured in order to get a device for the bridge bot. + # + # Additionally, https://github.com/matrix-org/synapse/pull/5758 is required if using a normal + # application service. + encryption: + # Allow encryption, work in group chat rooms with e2ee enabled + allow: false + # Default to encryption, force-enable encryption in all portals the bridge creates + # This will cause the bridge bot to be in private chats for the encryption to work properly. + default: false + + # Public website and API configs + web: + # Auth server config + auth: + # Publicly accessible base URL for the login endpoints. + # The prefix below is not implicitly added. This URL and all subpaths should be proxied + # or otherwise pointed to the appservice's webserver to the path specified below (prefix). + # This path should usually include a trailing slash. + # Internal prefix in the appservice web server for the login endpoints. + public: "{{ matrix_homeserver_url }}{{ matrix_mautrix_googlechat_public_endpoint }}/login" + prefix: "{{ matrix_mautrix_googlechat_public_endpoint }}/login" + + + # Permissions for using the bridge. + # Permitted values: + # user - Use the bridge with puppeting. + # admin - Use and administrate the bridge. + # Permitted keys: + # * - All Matrix users + # domain - All users on that homeserver + # mxid - Specific user + permissions: + '{{ matrix_mautrix_googlechat_homeserver_domain }}': user + +# Python logging configuration. +# +# See section 16.7.2 of the Python documentation for more info: +# https://docs.python.org/3.6/library/logging.config.html#configuration-dictionary-schema +logging: + version: 1 + formatters: + colored: + (): mautrix_googlechat.util.ColorFormatter + format: "[%(asctime)s] [%(levelname)s@%(name)s] %(message)s" + normal: + format: "[%(asctime)s] [%(levelname)s@%(name)s] %(message)s" + handlers: + console: + class: logging.StreamHandler + formatter: colored + loggers: + mau: + level: DEBUG + hangups: + level: DEBUG + aiohttp: + level: INFO + root: + level: DEBUG + handlers: [console] diff --git a/roles/matrix-bridge-mautrix-googlechat/templates/systemd/matrix-mautrix-googlechat.service.j2 b/roles/matrix-bridge-mautrix-googlechat/templates/systemd/matrix-mautrix-googlechat.service.j2 new file mode 100644 index 00000000..c56473be --- /dev/null +++ b/roles/matrix-bridge-mautrix-googlechat/templates/systemd/matrix-mautrix-googlechat.service.j2 @@ -0,0 +1,43 @@ +#jinja2: lstrip_blocks: "True" +[Unit] +Description=Matrix Mautrix googlechat bridge +{% for service in matrix_mautrix_googlechat_systemd_required_services_list %} +Requires={{ service }} +After={{ service }} +{% endfor %} +{% for service in matrix_mautrix_googlechat_systemd_wanted_services_list %} +Wants={{ service }} +{% endfor %} +DefaultDependencies=no + +[Service] +Type=simple +Environment="HOME={{ matrix_systemd_unit_home_path }}" + +# Intentional delay, so that the homeserver (we likely depend on) can manage to start. +ExecStartPre={{ matrix_host_command_sleep }} 5 + +ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-mautrix-googlechat \ + --log-driver=none \ + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + --cap-drop=ALL \ + --network={{ matrix_docker_network }} \ + {% if matrix_mautrix_googlechat_container_http_host_bind_port %} + -p {{ matrix_mautrix_googlechat_container_http_host_bind_port }}:8080 \ + {% endif %} + -v {{ matrix_mautrix_googlechat_config_path }}:/config:z \ + -v {{ matrix_mautrix_googlechat_data_path }}:/data:z \ + {% for arg in matrix_mautrix_googlechat_container_extra_arguments %} + {{ arg }} \ + {% endfor %} + {{ matrix_mautrix_googlechat_docker_image }} \ + python3 -m mautrix_googlechat -c /config/config.yaml --no-update + +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mautrix-googlechat 2>/dev/null' +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mautrix-googlechat 2>/dev/null' +Restart=always +RestartSec=30 +SyslogIdentifier=matrix-mautrix-googlechat + +[Install] +WantedBy=multi-user.target diff --git a/roles/matrix-bridge-mautrix-whatsapp/defaults/main.yml b/roles/matrix-bridge-mautrix-whatsapp/defaults/main.yml index 87a24bf6..7409fb4d 100644 --- a/roles/matrix-bridge-mautrix-whatsapp/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-whatsapp/defaults/main.yml @@ -3,14 +3,20 @@ matrix_mautrix_whatsapp_enabled: true +matrix_mautrix_whatsapp_container_image_self_build: false +matrix_mautrix_whatsapp_container_image_self_build_repo: "https://mau.dev/mautrix/whatsapp.git" +matrix_mautrix_whatsapp_container_image_self_build_branch: "{{ 'master' if matrix_mautrix_whatsapp_version == 'latest' else matrix_mautrix_whatsapp_version }}" + matrix_mautrix_whatsapp_version: latest # See: https://mau.dev/mautrix/whatsapp/container_registry -matrix_mautrix_whatsapp_docker_image: "dock.mau.dev/mautrix/whatsapp:{{ matrix_mautrix_whatsapp_version }}" +matrix_mautrix_whatsapp_docker_image: "{{ matrix_mautrix_whatsapp_docker_image_name_prefix }}mautrix/whatsapp:{{ matrix_mautrix_whatsapp_version }}" +matrix_mautrix_whatsapp_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_whatsapp_container_image_self_build else 'dock.mau.dev/' }}" matrix_mautrix_whatsapp_docker_image_force_pull: "{{ matrix_mautrix_whatsapp_docker_image.endswith(':latest') }}" matrix_mautrix_whatsapp_base_path: "{{ matrix_base_data_path }}/mautrix-whatsapp" matrix_mautrix_whatsapp_config_path: "{{ matrix_mautrix_whatsapp_base_path }}/config" matrix_mautrix_whatsapp_data_path: "{{ matrix_mautrix_whatsapp_base_path }}/data" +matrix_mautrix_whatsapp_docker_src_files_path: "{{ matrix_mautrix_whatsapp_base_path }}/docker-src" matrix_mautrix_whatsapp_homeserver_address: "{{ matrix_homeserver_container_url }}" matrix_mautrix_whatsapp_homeserver_domain: "{{ matrix_domain }}" diff --git a/roles/matrix-bridge-mautrix-whatsapp/tasks/setup_install.yml b/roles/matrix-bridge-mautrix-whatsapp/tasks/setup_install.yml index 9691a58f..f3dd0570 100644 --- a/roles/matrix-bridge-mautrix-whatsapp/tasks/setup_install.yml +++ b/roles/matrix-bridge-mautrix-whatsapp/tasks/setup_install.yml @@ -35,24 +35,49 @@ when: "matrix_mautrix_whatsapp_sqlite_database_path_local_stat_result.stat.exists|bool" when: "matrix_mautrix_whatsapp_database_engine == 'postgres'" -- name: Ensure Mautrix Whatsapp image is pulled - docker_image: - name: "{{ matrix_mautrix_whatsapp_docker_image }}" - source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" - force_source: "{{ matrix_mautrix_whatsapp_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" - force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mautrix_whatsapp_docker_image_force_pull }}" - name: Ensure Mautrix Whatsapp paths exists file: - path: "{{ item }}" + path: "{{ item.path }}" state: directory mode: 0750 owner: "{{ matrix_user_username }}" group: "{{ matrix_user_groupname }}" with_items: - - "{{ matrix_mautrix_whatsapp_base_path }}" - - "{{ matrix_mautrix_whatsapp_config_path }}" - - "{{ matrix_mautrix_whatsapp_data_path }}" + - { path: "{{ matrix_mautrix_whatsapp_base_path }}", when: true } + - { path: "{{ matrix_mautrix_whatsapp_config_path }}", when: true } + - { path: "{{ matrix_mautrix_whatsapp_data_path }}", when: true } + - { path: "{{ matrix_mautrix_whatsapp_docker_src_files_path }}", when: "{{ matrix_mautrix_whatsapp_container_image_self_build }}" } + when: item.when|bool + +- name: Ensure Mautrix Whatsapp image is pulled + docker_image: + name: "{{ matrix_mautrix_whatsapp_docker_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_mautrix_whatsapp_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mautrix_whatsapp_docker_image_force_pull }}" + when: not matrix_mautrix_whatsapp_container_image_self_build + +- name: Ensure Mautrix Whatsapp repository is present on self-build + git: + repo: "{{ matrix_mautrix_whatsapp_container_image_self_build_repo }}" + dest: "{{ matrix_mautrix_whatsapp_docker_src_files_path }}" + version: "{{ matrix_mautrix_whatsapp_container_image_self_build_branch }}" + force: "yes" + register: matrix_mautrix_whatsapp_git_pull_results + when: "matrix_mautrix_whatsapp_container_image_self_build|bool" + +- name: Ensure Mautrix Whatsapp Docker image is built + docker_image: + name: "{{ matrix_mautrix_whatsapp_docker_image }}" + source: build + force_source: "{{ matrix_mautrix_whatsapp_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mautrix_whatsapp_git_pull_results.changed }}" + build: + dockerfile: Dockerfile + path: "{{ matrix_mautrix_whatsapp_docker_src_files_path }}" + pull: yes + when: "matrix_mautrix_whatsapp_container_image_self_build|bool" - name: Check if an old database file exists stat: diff --git a/roles/matrix-client-element/defaults/main.yml b/roles/matrix-client-element/defaults/main.yml index 62bb47db..e2540315 100644 --- a/roles/matrix-client-element/defaults/main.yml +++ b/roles/matrix-client-element/defaults/main.yml @@ -3,7 +3,7 @@ matrix_client_element_enabled: true matrix_client_element_container_image_self_build: false matrix_client_element_container_image_self_build_repo: "https://github.com/vector-im/riot-web.git" -matrix_client_element_version: v1.8.5 +matrix_client_element_version: v1.9.0 matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:{{ matrix_client_element_version }}" matrix_client_element_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_client_element_docker_image_force_pull: "{{ matrix_client_element_docker_image.endswith(':latest') }}" diff --git a/roles/matrix-common-after/tasks/awx_post.yml b/roles/matrix-common-after/tasks/awx_post.yml index b934104b..8175267d 100644 --- a/roles/matrix-common-after/tasks/awx_post.yml +++ b/roles/matrix-common-after/tasks/awx_post.yml @@ -2,9 +2,9 @@ - name: Create user account @janitor command: | - /usr/local/bin/matrix-synapse-register-user janitor {{ matrix_awx_janitor_user_password | quote }} 1 + /usr/local/bin/matrix-synapse-register-user janitor {{ awx_janitor_user_password | quote }} 1 register: cmd - when: not matrix_awx_janitor_user_created|bool + when: not awx_janitor_user_created|bool no_log: True - name: Update AWX janitor user created variable @@ -15,14 +15,14 @@ line: "{{ item.key }}: {{ item.value }}" insertafter: 'AWX Settings' with_dict: - 'matrix_awx_janitor_user_created': 'true' - when: not matrix_awx_janitor_user_created|bool + 'awx_janitor_user_created': 'true' + when: not awx_janitor_user_created|bool - name: Create user account @dimension command: | - /usr/local/bin/matrix-synapse-register-user dimension {{ matrix_awx_dimension_user_password | quote }} 0 + /usr/local/bin/matrix-synapse-register-user dimension {{ awx_dimension_user_password | quote }} 0 register: cmd - when: not matrix_awx_dimension_user_created|bool + when: not awx_dimension_user_created|bool no_log: True - name: Update AWX dimension user created variable @@ -33,14 +33,14 @@ line: "{{ item.key }}: {{ item.value }}" insertafter: 'AWX Settings' with_dict: - 'matrix_awx_dimension_user_created': 'true' - when: not matrix_awx_dimension_user_created|bool + 'awx_dimension_user_created': 'true' + when: not awx_dimension_user_created|bool - name: Create user account @mjolnir command: | - /usr/local/bin/matrix-synapse-register-user mjolnir {{ matrix_awx_mjolnir_user_password | quote }} 0 + /usr/local/bin/matrix-synapse-register-user mjolnir {{ awx_mjolnir_user_password | quote }} 0 register: cmd - when: not matrix_awx_mjolnir_user_created|bool + when: not awx_mjolnir_user_created|bool no_log: True - name: Update AWX dimension user created variable @@ -51,8 +51,8 @@ line: "{{ item.key }}: {{ item.value }}" insertafter: 'AWX Settings' with_dict: - 'matrix_awx_mjolnir_user_created': 'true' - when: not matrix_awx_mjolnir_user_created|bool + 'awx_mjolnir_user_created': 'true' + when: not awx_mjolnir_user_created|bool - name: Ensure /chroot/website location has correct permissions file: @@ -61,4 +61,4 @@ owner: matrix group: matrix mode: '0770' - when: customise_base_domain_website is defined + when: awx_customise_base_domain_website is defined diff --git a/roles/matrix-etherpad/tasks/init.yml b/roles/matrix-etherpad/tasks/init.yml index 081d4c23..5b8f5ef6 100644 --- a/roles/matrix-etherpad/tasks/init.yml +++ b/roles/matrix-etherpad/tasks/init.yml @@ -15,7 +15,7 @@ - name: Generate Etherpad proxying configuration for matrix-nginx-proxy set_fact: matrix_etherpad_matrix_nginx_proxy_configuration: | - rewrite ^{{ matrix_etherpad_public_endpoint }}$ $scheme://$server_name{{ matrix_etherpad_public_endpoint }}/ permanent; + rewrite ^{{ matrix_etherpad_public_endpoint }}$ {{ matrix_nginx_proxy_x_forwarded_proto_value }}://$server_name{{ matrix_etherpad_public_endpoint }}/ permanent; location {{ matrix_etherpad_public_endpoint }}/ { {% if matrix_nginx_proxy_enabled|default(False) %} @@ -27,7 +27,7 @@ proxy_http_version 1.1; # recommended with keepalive connections proxy_pass_header Server; proxy_set_header Host $host; - proxy_set_header X-Forwarded-Proto $scheme; # for EP to set secure cookie flag when https is used + proxy_set_header X-Forwarded-Proto {{ matrix_nginx_proxy_x_forwarded_proto_value }}; # for EP to set secure cookie flag when https is used # WebSocket proxying - from http://nginx.org/en/docs/http/websocket.html proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $connection_upgrade; diff --git a/roles/matrix-grafana/defaults/main.yml b/roles/matrix-grafana/defaults/main.yml index b8909e24..8df73e2d 100644 --- a/roles/matrix-grafana/defaults/main.yml +++ b/roles/matrix-grafana/defaults/main.yml @@ -3,7 +3,7 @@ matrix_grafana_enabled: false -matrix_grafana_version: 8.1.3 +matrix_grafana_version: 8.1.4 matrix_grafana_docker_image: "{{ matrix_container_global_registry_prefix }}grafana/grafana:{{ matrix_grafana_version }}" matrix_grafana_docker_image_force_pull: "{{ matrix_grafana_docker_image.endswith(':latest') }}" diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index 5d9db145..88ebd7cd 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -40,6 +40,12 @@ matrix_nginx_proxy_container_extra_arguments: [] # - services are served directly from the HTTP vhost matrix_nginx_proxy_https_enabled: true +# Controls whether matrix-nginx-proxy trusts an upstream server's X-Forwarded-Proto header +# +# Required if you disable HTTPS for the container (see `matrix_nginx_proxy_https_enabled`) and have an upstream server handle it instead. +matrix_nginx_proxy_trust_forwarded_proto: false +matrix_nginx_proxy_x_forwarded_proto_value: "{{ '$http_x_forwarded_proto' if matrix_nginx_proxy_trust_forwarded_proto else '$scheme' }}" + # Controls whether the matrix-nginx-proxy container exposes its HTTP port (tcp/8080 in the container). # # Takes an ":" or "" value (e.g. "127.0.0.1:80"), or empty string to not expose. @@ -177,6 +183,10 @@ matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container: "127.0.0.1:809 # Controls whether proxying for metrics (`/_synapse/metrics`) should be done (on the matrix domain) matrix_nginx_proxy_proxy_synapse_metrics: false matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_enabled: false +# The following value will be written verbatim to the htpasswd file that stores the password for nginx to check against and needs to be encoded appropriately. +# Read the manpage at `man 1 htpasswd` to learn more, then encrypt your password, and paste the encrypted value here. +# e.g. `htpasswd -c mypass.htpasswd prometheus` and enter `mysecurepw` when prompted yields `prometheus:$apr1$wZhqsn.U$7LC3kMmjUbjNAZjyMyvYv/` +# The part after `prometheus:` is needed here. matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_key: "$apr1$wZhqsn.U$7LC3kMmjUbjNAZjyMyvYv/" matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_key: "" # The addresses where the Matrix Client API is. @@ -426,7 +436,7 @@ matrix_ssl_additional_domains_to_obtain_certificates_for: [] # Controls whether to obtain production or staging certificates from Let's Encrypt. matrix_ssl_lets_encrypt_staging: false -matrix_ssl_lets_encrypt_certbot_docker_image: "{{ matrix_container_global_registry_prefix }}certbot/certbot:{{ matrix_ssl_architecture }}-v1.19.0" +matrix_ssl_lets_encrypt_certbot_docker_image: "{{ matrix_container_global_registry_prefix }}certbot/certbot:{{ matrix_ssl_architecture }}-v1.20.0" matrix_ssl_lets_encrypt_certbot_docker_image_force_pull: "{{ matrix_ssl_lets_encrypt_certbot_docker_image.endswith(':latest') }}" matrix_ssl_lets_encrypt_certbot_standalone_http_port: 2402 matrix_ssl_lets_encrypt_support_email: ~ diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-hydrogen.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-hydrogen.conf.j2 index d9a05926..1ea4a344 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-hydrogen.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-hydrogen.conf.j2 @@ -88,7 +88,7 @@ server { {% if matrix_nginx_proxy_ocsp_stapling_enabled %} ssl_stapling on; ssl_stapling_verify on; - ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_element_hostname }}/chain.pem; + ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_hydrogen_hostname }}/chain.pem; {% endif %} {% if matrix_nginx_proxy_ssl_session_tickets_off %} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 index 04a77269..b6506b43 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 @@ -20,13 +20,13 @@ {% if matrix_nginx_proxy_floc_optout_enabled %} add_header Permissions-Policy interest-cohort=() always; {% endif %} - + {% if matrix_nginx_proxy_hsts_preload_enabled %} add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; {% else %} add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; {% endif %} - + add_header X-XSS-Protection "{{ matrix_nginx_proxy_xss_protection }}"; location /.well-known/matrix { @@ -59,7 +59,7 @@ proxy_set_header Host $host; proxy_set_header X-Forwarded-For $remote_addr; - proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-Proto {{ matrix_nginx_proxy_x_forwarded_proto_value }}; } {% endif %} @@ -77,7 +77,7 @@ proxy_set_header Host $host; proxy_set_header X-Forwarded-For $remote_addr; - proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-Proto {{ matrix_nginx_proxy_x_forwarded_proto_value }}; } {% endif %} @@ -112,7 +112,7 @@ proxy_set_header Host $host; proxy_set_header X-Forwarded-For $remote_addr; - proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-Proto {{ matrix_nginx_proxy_x_forwarded_proto_value }}; } {% endif %} @@ -137,7 +137,7 @@ proxy_set_header Host $host; proxy_set_header X-Forwarded-For $remote_addr; - proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-Proto {{ matrix_nginx_proxy_x_forwarded_proto_value }}; client_body_buffer_size 25M; client_max_body_size {{ matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb }}M; @@ -152,7 +152,7 @@ #} location ~* ^/$ { {% if matrix_nginx_proxy_proxy_matrix_client_redirect_root_uri_to_domain %} - return 302 $scheme://{{ matrix_nginx_proxy_proxy_matrix_client_redirect_root_uri_to_domain }}$request_uri; + return 302 {{ matrix_nginx_proxy_x_forwarded_proto_value }}://{{ matrix_nginx_proxy_proxy_matrix_client_redirect_root_uri_to_domain }}$request_uri; {% else %} rewrite ^/$ /_matrix/static/ last; {% endif %} @@ -215,12 +215,12 @@ server { ssl_stapling_verify on; ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/chain.pem; {% endif %} - + {% if matrix_nginx_proxy_ssl_session_tickets_off %} ssl_session_tickets off; {% endif %} ssl_session_cache {{ matrix_nginx_proxy_ssl_session_cache }}; - ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }}; + ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }}; {{ render_vhost_directives() }} } @@ -262,7 +262,7 @@ server { ssl_stapling_verify on; ssl_trusted_certificate {{ matrix_nginx_proxy_proxy_matrix_federation_api_ssl_trusted_certificate }}; {% endif %} - + {% if matrix_nginx_proxy_ssl_session_tickets_off %} ssl_session_tickets off; {% endif %} @@ -283,7 +283,7 @@ server { proxy_set_header Host $host; proxy_set_header X-Forwarded-For $remote_addr; - proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-Proto {{ matrix_nginx_proxy_x_forwarded_proto_value }}; client_body_buffer_size 25M; client_max_body_size {{ matrix_nginx_proxy_proxy_matrix_federation_api_client_max_body_size_mb }}M; diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 index 0ccda7d3..86d95453 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 @@ -71,7 +71,7 @@ proxy_set_header Connection "upgrade"; proxy_set_header Upgrade $http_upgrade; proxy_set_header X-Forwarded-For $remote_addr; - proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-Proto {{ matrix_nginx_proxy_x_forwarded_proto_value }}; tcp_nodelay on; } {% endmacro %} @@ -128,7 +128,7 @@ server { ssl_stapling_verify on; ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_jitsi_hostname }}/chain.pem; {% endif %} - + {% if matrix_nginx_proxy_ssl_session_tickets_off %} ssl_session_tickets off; {% endif %} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-sygnal.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-sygnal.conf.j2 index d5760434..9c4af1d9 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-sygnal.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-sygnal.conf.j2 @@ -29,7 +29,7 @@ proxy_set_header Host $host; proxy_set_header X-Forwarded-For $remote_addr; - proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-Proto {{ matrix_nginx_proxy_x_forwarded_proto_value }}; } {% endmacro %} @@ -85,7 +85,7 @@ server { ssl_stapling_verify on; ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_sygnal_hostname }}/chain.pem; {% endif %} - + {% if matrix_nginx_proxy_ssl_session_tickets_off %} ssl_session_tickets off; {% endif %} diff --git a/roles/matrix-postgres/defaults/main.yml b/roles/matrix-postgres/defaults/main.yml index 8439241a..53b1c0f4 100644 --- a/roles/matrix-postgres/defaults/main.yml +++ b/roles/matrix-postgres/defaults/main.yml @@ -22,7 +22,8 @@ matrix_postgres_docker_image_v10: "{{ matrix_container_global_registry_prefix }} matrix_postgres_docker_image_v11: "{{ matrix_container_global_registry_prefix }}postgres:11.13{{ matrix_postgres_docker_image_suffix }}" matrix_postgres_docker_image_v12: "{{ matrix_container_global_registry_prefix }}postgres:12.8{{ matrix_postgres_docker_image_suffix }}" matrix_postgres_docker_image_v13: "{{ matrix_container_global_registry_prefix }}postgres:13.4{{ matrix_postgres_docker_image_suffix }}" -matrix_postgres_docker_image_latest: "{{ matrix_postgres_docker_image_v13 }}" +matrix_postgres_docker_image_v14: "{{ matrix_container_global_registry_prefix }}postgres:14.0{{ matrix_postgres_docker_image_suffix }}" +matrix_postgres_docker_image_latest: "{{ matrix_postgres_docker_image_v14 }}" # This variable is assigned at runtime. Overriding its value has no effect. matrix_postgres_docker_image_to_use: '{{ matrix_postgres_docker_image_latest }}' diff --git a/roles/matrix-postgres/tasks/util/detect_existing_postgres_version.yml b/roles/matrix-postgres/tasks/util/detect_existing_postgres_version.yml index 9032c15e..a7e94a0c 100644 --- a/roles/matrix-postgres/tasks/util/detect_existing_postgres_version.yml +++ b/roles/matrix-postgres/tasks/util/detect_existing_postgres_version.yml @@ -54,3 +54,8 @@ set_fact: matrix_postgres_detected_version_corresponding_docker_image: "{{ matrix_postgres_docker_image_v12 }}" when: "matrix_postgres_detected_version == '12' or matrix_postgres_detected_version.startswith('12.')" + +- name: Determine corresponding Docker image to detected version (use 13.x, if detected) + set_fact: + matrix_postgres_detected_version_corresponding_docker_image: "{{ matrix_postgres_docker_image_v13 }}" + when: "matrix_postgres_detected_version == '13' or matrix_postgres_detected_version.startswith('13.')" diff --git a/roles/matrix-registration/tasks/init.yml b/roles/matrix-registration/tasks/init.yml index 32a35c7d..5ab93910 100644 --- a/roles/matrix-registration/tasks/init.yml +++ b/roles/matrix-registration/tasks/init.yml @@ -22,8 +22,8 @@ - name: Generate matrix-registration proxying configuration for matrix-nginx-proxy set_fact: matrix_registration_matrix_nginx_proxy_configuration: | - rewrite ^{{ matrix_registration_public_endpoint }}$ $scheme://$server_name{{ matrix_registration_public_endpoint }}/ permanent; - rewrite ^{{ matrix_registration_public_endpoint }}/$ $scheme://$server_name{{ matrix_registration_public_endpoint }}/register redirect; + rewrite ^{{ matrix_registration_public_endpoint }}$ {{ matrix_nginx_proxy_x_forwarded_proto_value }}://$server_name{{ matrix_registration_public_endpoint }}/ permanent; + rewrite ^{{ matrix_registration_public_endpoint }}/$ {{ matrix_nginx_proxy_x_forwarded_proto_value }}://$server_name{{ matrix_registration_public_endpoint }}/register redirect; location ~ ^{{ matrix_registration_public_endpoint }}/(.*) { {% if matrix_nginx_proxy_enabled|default(False) %} diff --git a/roles/matrix-synapse-admin/tasks/init.yml b/roles/matrix-synapse-admin/tasks/init.yml index 9e171015..e1912871 100644 --- a/roles/matrix-synapse-admin/tasks/init.yml +++ b/roles/matrix-synapse-admin/tasks/init.yml @@ -22,7 +22,7 @@ - name: Generate Synapse Admin proxying configuration for matrix-nginx-proxy set_fact: matrix_synapse_admin_matrix_nginx_proxy_configuration: | - rewrite ^{{ matrix_synapse_admin_public_endpoint }}$ $scheme://$server_name{{ matrix_synapse_admin_public_endpoint }}/ permanent; + rewrite ^{{ matrix_synapse_admin_public_endpoint }}$ {{ matrix_nginx_proxy_x_forwarded_proto_value }}://$server_name{{ matrix_synapse_admin_public_endpoint }}/ permanent; location ~ ^{{ matrix_synapse_admin_public_endpoint }}/(.*) { {% if matrix_nginx_proxy_enabled|default(False) %} diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index 5adc779d..460483e0 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -15,8 +15,8 @@ matrix_synapse_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_cont # amd64 gets released first. # arm32 relies on self-building, so the same version can be built immediately. # arm64 users need to wait for a prebuilt image to become available. -matrix_synapse_version: v1.42.0 -matrix_synapse_version_arm64: v1.42.0 +matrix_synapse_version: v1.44.0 +matrix_synapse_version_arm64: v1.44.0 matrix_synapse_docker_image_tag: "{{ matrix_synapse_version if matrix_architecture in ['arm32', 'amd64'] else matrix_synapse_version_arm64 }}" matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}" diff --git a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 index 3fb6b9e8..0f5a19a1 100644 --- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 @@ -357,6 +357,24 @@ update_user_directory: false daemonize: false {% endif %} +# Connection settings for the manhole +# +manhole_settings: + # The username for the manhole. This defaults to 'matrix'. + # + #username: manhole + + # The password for the manhole. This defaults to 'rabbithole'. + # + #password: mypassword + + # The private and public SSH key pair used to encrypt the manhole traffic. + # If these are left unset, then hardcoded and non-secret keys are used, + # which could allow traffic to be intercepted if sent over a public network. + # + #ssh_priv_key_path: /data/id_rsa + #ssh_pub_key_path: /data/id_rsa.pub + # Forward extremities can build up in a room due to networking delays between # homeservers. Once this happens in a large room, calculation of the state of # that room can become quite expensive. To mitigate this, once the number of @@ -2258,7 +2276,7 @@ password_config: # #require_lowercase: true - # Whether a password must contain at least one lowercase letter. + # Whether a password must contain at least one uppercase letter. # Defaults to 'false'. # #require_uppercase: true @@ -2594,12 +2612,16 @@ user_directory: #enabled: false # Defines whether to search all users visible to your HS when searching - # the user directory, rather than limiting to users visible in public - # rooms. Defaults to false. - # - # If you set it true, you'll have to rebuild the user_directory search - # indexes, see: - # https://github.com/matrix-org/synapse/blob/master/docs/user_directory.md + # the user directory. If false, search results will only contain users + # visible in public rooms and users sharing a room with the requester. + # Defaults to false. + # + # NB. If you set this to true, and the last time the user_directory search + # indexes were (re)built was before Synapse 1.44, you'll have to + # rebuild the indexes in order to search through all known users. + # These indexes are built the first time Synapse starts; admins can + # manually trigger a rebuild following the instructions at + # https://matrix-org.github.io/synapse/latest/user_directory.html # # Uncomment to return search results containing all known users, even if that # user does not share a room with the requester. diff --git a/roles/matrix-synapse/vars/workers.yml b/roles/matrix-synapse/vars/workers.yml index 8153372a..049ae9b5 100644 --- a/roles/matrix-synapse/vars/workers.yml +++ b/roles/matrix-synapse/vars/workers.yml @@ -32,6 +32,8 @@ matrix_synapse_workers_generic_worker_endpoints: - ^/_matrix/federation/v1/user/devices/ - ^/_matrix/federation/v1/get_groups_publicised$ - ^/_matrix/key/v2/query + - ^/_matrix/federation/unstable/org.matrix.msc2946/spaces/ + - ^/_matrix/federation/unstable/org.matrix.msc2946/hierarchy/ # Inbound federation transaction request - ^/_matrix/federation/v1/send/ @@ -43,6 +45,9 @@ matrix_synapse_workers_generic_worker_endpoints: - ^/_matrix/client/(api/v1|r0|unstable)/rooms/.*/context/.*$ - ^/_matrix/client/(api/v1|r0|unstable)/rooms/.*/members$ - ^/_matrix/client/(api/v1|r0|unstable)/rooms/.*/state$ + - ^/_matrix/client/unstable/org.matrix.msc2946/rooms/.*/spaces$ + - ^/_matrix/client/unstable/org.matrix.msc2946/rooms/.*/hierarchy$ + - ^/_matrix/client/unstable/im.nheko.summary/rooms/.*/summary$ - ^/_matrix/client/(api/v1|r0|unstable)/account/3pid$ - ^/_matrix/client/(api/v1|r0|unstable)/devices$ - ^/_matrix/client/(api/v1|r0|unstable)/keys/query$ diff --git a/setup.yml b/setup.yml index 21d67f1a..42613d96 100755 --- a/setup.yml +++ b/setup.yml @@ -21,6 +21,7 @@ - matrix-bridge-beeper-linkedin - matrix-bridge-mautrix-facebook - matrix-bridge-mautrix-hangouts + - matrix-bridge-mautrix-googlechat - matrix-bridge-mautrix-instagram - matrix-bridge-mautrix-signal - matrix-bridge-mautrix-telegram @@ -56,4 +57,4 @@ - matrix-aux - matrix-postgres-backup - matrix-prometheus-postgres-exporter - - matrix-common-after \ No newline at end of file + - matrix-common-after