jowj
/
matrix-docker-ansible-deploy
forked from mirrors/matrix-docker-ansible-deploy
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Merge remote-tracking branch 'upstream/master'

Browse Source
master
josiah 4 years ago
parent c292c56ab2 65e22a6888
commit c0bb6c260b
67 changed files with 1317 additions and 231 deletions
Show Stats Download Patch File Download Diff File

1
.gitignore vendored
Unescape View File

@ -3,3 +3,4 @@
!/inventory/host_vars/.gitkeep
!/inventory/scripts
/roles/*/files/scratchpad
.DS_Store

20
CHANGELOG.md
Unescape View File

@ -1,3 +1,21 @@
# 2020-09-01
## matrix-registration support
The playbook can now help you set up [matrix-registration](https://github.com/ZerataX/matrix-registration) - an application that lets you keep your Matrix server's registration private, but still allow certain users (those having a unique registration link) to register by themselves.
See our [Setting up matrix-registration](docs/configuring-playbook-matrix-registration.md) documentation page to get started.
# 2020-08-21
## rust-synapse-compress-state support
The playbook can now help you use [rust-synapse-compress-state](https://github.com/matrix-org/rust-synapse-compress-state) to compress the state groups in your Synapse database.
See our [Compressing state with rust-synapse-compress-state](docs/maintenance-synapse.md#compressing-state-with-rust-synapse-compress-state) documentation page to get started.
# 2020-07-22
## Synapse Admin support
@ -78,7 +96,7 @@ To reuse your existing rooms, invite `@smsbot:yourServer` to the room or write a
Thanks to [benkuly](https://github.com/benkuly)'s efforts, the playbook now supports bridging to SMS (with one telephone number only) via [matrix-sms-bridge](https://github.com/benkuly/matrix-sms-bridge).
See our [Setting up Matrix SMS bridging](docs/configuring-playbook-matrix-bridge-sms.md) documentation page for getting started.
See our [Setting up Matrix SMS bridging](docs/configuring-playbook-bridge-matrix-bridge-sms.md) documentation page for getting started.
# 2020-05-19

26
README.md
Unescape View File

@ -56,21 +56,23 @@ Using this playbook, you can get the following services configured on your serve
- (optional) the [mx-puppet-twitter](https://github.com/Sorunome/mx-puppet-twitter) bridge for Twitter-DMs ([Twitter](https://twitter.com/) - see [docs/configuring-playbook-bridge-mx-puppet-twitter.md](docs/configuring-playbook-bridge-mx-puppet-twitter.md) for setup documentation
- (optional) the [mx-puppet-discord](https://github.com/Sorunome/mx-puppet-discord) bridge for [Discord](https://discordapp.com/)) - see [docs/configuring-playbook-bridge-mx-puppet-discord.md](docs/configuring-playbook-bridge-mx-puppet-discord.md) for setup documentation
- (optional) the [mx-puppet-discord](https://github.com/matrix-discord/mx-puppet-discord) bridge for [Discord](https://discordapp.com/)) - see [docs/configuring-playbook-bridge-mx-puppet-discord.md](docs/configuring-playbook-bridge-mx-puppet-discord.md) for setup documentation
- (optional) the [mx-puppet-steam](https://github.com/icewind1991/mx-puppet-steam) bridge for [Steam](https://steamapp.com/)) - see [docs/configuring-playbook-bridge-mx-puppet-steam.md](docs/configuring-playbook-bridge-mx-puppet-steam.md) for setup documentation
- (optional) the [matrix-sms-bridge](https://github.com/benkuly/matrix-sms-bridge) for bridging your Matrix server to SMS
- (optional) the [matrix-sms-bridge](https://github.com/benkuly/matrix-sms-bridge) for bridging your Matrix server to SMS - see [docs/configuring-playbook-bridge-matrix-bridge-sms.md](docs/configuring-playbook-bridge-matrix-bridge-sms.md) for setup documentation
- (optional) [Email2Matrix](https://github.com/devture/email2matrix) for relaying email messages to Matrix rooms
- (optional) [Email2Matrix](https://github.com/devture/email2matrix) for relaying email messages to Matrix rooms - see [docs/configuring-playbook-email2matrix.md](docs/configuring-playbook-email2matrix.md) for setup documentation
- (optional) [Dimension](https://github.com/turt2live/matrix-dimension), an open source integrations manager for matrix clients
- (optional) [Dimension](https://github.com/turt2live/matrix-dimension), an open source integrations manager for matrix clients - see [docs/configuring-playbook-dimension.md](docs/configuring-playbook-dimension.md) for setup documentation
- (optional) [Jitsi](https://jitsi.org/), an open source video-conferencing platform
- (optional) [Jitsi](https://jitsi.org/), an open source video-conferencing platform - see [docs/configuring-playbook-jitsi.md](docs/configuring-playbook-jitsi.md) for setup documentation
- (optional) [matrix-reminder-bot](https://github.com/anoadragon453/matrix-reminder-bot) for scheduling one-off & recurring reminders and alarms
- (optional) [matrix-reminder-bot](https://github.com/anoadragon453/matrix-reminder-bot) for scheduling one-off & recurring reminders and alarms - see [docs/configuring-playbook-bot-matrix-reminder-bot.md](docs/configuring-playbook-bot-matrix-reminder-bot.md) for setup documentation
- (optional) [synapse-admin](https://github.com/Awesome-Technologies/synapse-admin), a web UI tool for administrating users and rooms on your Matrix server
- (optional) [synapse-admin](https://github.com/Awesome-Technologies/synapse-admin), a web UI tool for administrating users and rooms on your Matrix server - see [docs/configuring-playbook-synapse-admin.md](docs/configuring-playbook-synapse-admin.md) for setup documentation
- (optional) [matrix-registration](https://github.com/ZerataX/matrix-registration), a simple python application to have a token based matrix registration - see [docs/configuring-playbook-matrix-registration.md](docs/configuring-playbook-matrix-registration.md) for setup documentation
Basically, this playbook aims to get you up-and-running with all the basic necessities around Matrix, without you having to do anything else.
@ -87,7 +89,7 @@ This is similar to the [EMnify/matrix-synapse-auto-deploy](https://github.com/EM
- this one installs and hooks together **a lot more Matrix-related services** for you (see above)
- this one **can be re-ran many times** without causing trouble
- this one **can be executed more than once** without causing trouble
- works on various distros: **CentOS** (7.0+), Debian-based distributions (**Debian** 9/Stretch+, **Ubuntu** 16.04+), **Archlinux**
@ -140,6 +142,8 @@ This playbook sets up your server using the following Docker images:
- [devture/matrix-corporal](https://hub.docker.com/r/devture/matrix-corporal/) - [Matrix Corporal](https://github.com/devture/matrix-corporal): reconciliator and gateway for a managed Matrix server (optional)
- [devture/zeratax-matrix-registration](https://hub.docker.com/r/devture/zeratax-matrix-registration/) - [matrix-registration](https://github.com/ZerataX/matrix-registration): a simple python application to have a token based matrix registration (optional)
- [nginx](https://hub.docker.com/_/nginx/) - the [nginx](http://nginx.org/) web server (optional)
- [certbot/certbot](https://hub.docker.com/r/certbot/certbot/) - the [certbot](https://certbot.eff.org/) tool for obtaining SSL certificates from [Let's Encrypt](https://letsencrypt.org/) (optional)
@ -162,15 +166,15 @@ This playbook sets up your server using the following Docker images:
- [folivonet/matrix-sms-bridge](https://hub.docker.com/repository/docker/folivonet/matrix-sms-bridge) - the [matrix-sms-brdige](https://github.com/benkuly/matrix-sms-bridge) (optional)
- [sorunome/mx-puppet-skype](https://hub.docker.com/r/sorunome/mx-puppet-skype) - the [mx-puppet-skype](https://github.com/Sorunome/mx-puppet-skype) bridge to [Skype](https:/www.skype.com) (optional)
- [sorunome/mx-puppet-skype](https://hub.docker.com/r/sorunome/mx-puppet-skype) - the [mx-puppet-skype](https://github.com/Sorunome/mx-puppet-skype) bridge to [Skype](https://www.skype.com) (optional)
- [sorunome/mx-puppet-slack](https://hub.docker.com/r/sorunome/mx-puppet-slack) - the [mx-puppet-slack](https://github.com/Sorunome/mx-puppet-slack) bridge to [Slack](https:/slack.com) (optional)
- [sorunome/mx-puppet-slack](https://hub.docker.com/r/sorunome/mx-puppet-slack) - the [mx-puppet-slack](https://github.com/Sorunome/mx-puppet-slack) bridge to [Slack](https://slack.com) (optional)
- [sorunome/mx-puppet-instagram](https://hub.docker.com/r/sorunome/mx-puppet-instagram) - the [mx-puppet-instagram](https://github.com/Sorunome/mx-puppet-instagram) bridge to [Instagram](https://www.instagram.com) (optional)
- [sorunome/mx-puppet-twitter](https://hub.docker.com/r/sorunome/mx-puppet-twitter) - the [mx-puppet-twitter](https://github.com/Sorunome/mx-puppet-twitter) bridge to [Twitter](https://twitter.com) (optional)
- [sorunome/mx-puppet-discord](https://hub.docker.com/r/sorunome/mx-puppet-discord) - the [mx-puppet-discord](https://github.com/matrix-discord/mx-puppet-discord) bridge to [Discord](https:/discordapp.com) (optional)
- [sorunome/mx-puppet-discord](https://hub.docker.com/r/sorunome/mx-puppet-discord) - the [mx-puppet-discord](https://github.com/matrix-discord/mx-puppet-discord) bridge to [Discord](https://discordapp.com) (optional)
- [icewind1991/mx-puppet-steam](https://hub.docker.com/r/icewind1991/mx-puppet-steam) - the [mx-puppet-steam](https://github.com/icewind1991/mx-puppet-steam) bridge to [Steam](https://steampowered.com) (optional)

2
docs/configuring-playbook-bridge-appservice-discord.md
Unescape View File

@ -23,7 +23,7 @@ matrix_appservice_discord_bot_token: "YOUR DISCORD APP BOT TOKEN"
```
4. If you've already installed Matrix services using the playbook before, you'll need to re-run it (`--tags=setup-all,start`). If not, proceed with [configuring other playbook services](configuring-playbook.md) and then with [Installing](installing.md). Get back to this guide once ready.
5. Retrieve Discord invite link from the `{{ matrix_appservice_discord_config_path }}/invite_link` file on the server (this defaults to `/matrix/appservice-discord/config/invite_link`)
5. Retrieve Discord invite link from the `{{ matrix_appservice_discord_config_path }}/invite_link` file on the server (this defaults to `/matrix/appservice-discord/config/invite_link`). You need to peek at the file on the server via SSH, etc., because it's not available via HTTP(S).
6. Invite the Bot to Discord servers you wish to bridge. Administrator permission is recommended.
7. Room addresses follow this syntax: `#_discord_guildid_channelid`. You can easily find the guild and channel ids by logging into Discord in a browser and opening the desired channel. The URL will have this format: `discordapp.com/channels/guild_id/channel_id`. Once you have figured out the appropriate room addrss, you can join by doing `/join #_discord_guildid_channelid` in your Matrix client.

0
docs/configuring-playbook-matrix-bridge-sms.md → docs/configuring-playbook-bridge-matrix-bridge-sms.md
Unescape View File

2
docs/configuring-playbook-client-element.md
Unescape View File

@ -6,7 +6,7 @@ If that's okay, you can skip this document.
## Disabling Element
If you'd like for the playbook to not install (or to uninstall the previously installed Element), you can disable it in your configuration file (`inventory/host_vars/matrix.<your-domain>/vars.yml`):
If you'd like for the playbook to not install Element (or to uninstall it if it was previously installed), you can disable it in your configuration file (`inventory/host_vars/matrix.<your-domain>/vars.yml`):
```yaml
matrix_client_element_enabled: false

15
docs/configuring-playbook-dimension.md
Unescape View File

@ -37,7 +37,9 @@ We recommend that you create a dedicated Matrix user for Dimension (`dimension`
Follow our [Registering users](registering-users.md) guide to learn how to register **a regular (non-admin) user**.
You are required to specify an access token (belonging to this new user) for Dimension to work.
To get an access token for the Dimension user, follow these steps:
To get an access token for the Dimension user, you can follow one of two options:
*Through an interactive login*:
1. In a private browsing session (incognito window), open Element.
2. Log in with the `dimension` user and its password.
@ -46,6 +48,17 @@ To get an access token for the Dimension user, follow these steps:
3. Copy the highlighted text to your configuration.
4. Close the private browsing session. **Do not log out**. Logging out will invalidate the token, making it not work.
*With CURL*
```
curl -X POST --header 'Content-Type: application/json' -d '{
"identifier": { "type": "m.id.user", "user": "YourDimensionUsername" },
"password": "YourDimensionPassword",
"type": "m.login.password"
}' 'https://matrix.YOURDOMAIN/_matrix/client/r0/login'
```
*Change the "YourDimensionUser/Pass" URL accordigly*
**Access tokens are sensitive information. Do not include them in any bug reports, messages, or logs. Do not share the access token with anyone.**
Add access token to your configuration file (`inventory/host_vars/matrix.<your-domain>/vars.yml`):

18
docs/configuring-playbook-jitsi.md
Unescape View File

@ -56,11 +56,19 @@ The default authentication mode of Jitsi is `internal`, however LDAP is also sup
```yaml
matrix_jitsi_enable_auth: true
matrix_jitsi_auth_type: ldap
matrix_jitsi_ldap_url: ldap://ldap.DOMAIN # or ldaps:// if using tls
matrix_jitsi_ldap_base: "OU=People,DC=DOMAIN"
matrix_jitsi_ldap_filter: "(&(uid=%u)(employeeType=active))"
matrix_jitsi_ldap_use_tls: false
matrix_jitsi_ldap_start_tls: true
matrix_jitsi_ldap_url: "ldap://ldap.DOMAIN"
matrix_jitsi_ldap_base: "OU=People,DC=DOMAIN
#matrix_jitsi_ldap_binddn: ""
#matrix_jitsi_ldap_bindpw: ""
matrix_jitsi_ldap_filter: "uid=%u"
matrix_jitsi_ldap_auth_method: "bind"
matrix_jitsi_ldap_version: "3"
matrix_jitsi_ldap_use_tls: true
matrix_jitsi_ldap_tls_ciphers: ""
matrix_jitsi_ldap_tls_check_peer: true
matrix_jitsi_ldap_tls_cacert_file: "/etc/ssl/certs/ca-certificates.crt"
matrix_jitsi_ldap_tls_cacert_dir: "/etc/ssl/certs"
matrix_jitsi_ldap_start_tls: false
```
For more information refer to the [docker-jitsi-meet](https://github.com/jitsi/docker-jitsi-meet#authentication-using-ldap) and the [saslauthd `LDAP_SASLAUTHD`](https://github.com/winlibs/cyrus-sasl/blob/master/saslauthd/LDAP_SASLAUTHD) documentation.

11
docs/configuring-playbook-ma1sd.md
Unescape View File

@ -6,6 +6,17 @@ This server is private by default, potentially at the expense of user discoverab
ma1sd is a fork of [mxisd](https://github.com/kamax-io/mxisd) which was pronounced end of life 2019-06-21.
## Disabling ma1sd
ma1sd, being an Identity Server, is not strictly needed. It is only used for 3PIDs (3rd party identifiers like E-mail and phone numbers) and some [enhanced features](https://github.com/ma1uta/ma1sd/#features).
If you'd like for the playbook to not install ma1sd (or to uninstall it if it was previously installed), you can disable it in your configuration file (`inventory/host_vars/matrix.<your-domain>/vars.yml`):
```yaml
matrix_ma1sd_enabled: false
```
## Matrix.org lookup forwarding
To ensure maximum discovery, you can make your identity server also forward lookups to the central matrix.org Identity server (at the cost of potentially leaking all your contacts information).

6
docs/configuring-playbook-matrix-corporal.md
Unescape View File

@ -15,9 +15,15 @@ If you decide that you'd like to let this playbook install it for you, you'd nee
## Playbook configuration
You would then need some configuration like this:
```yaml
# The Shared Secret Auth password provider module is required for Corporal to work.
# See configuring-playbook-shared-secret-auth.md
matrix_synapse_ext_password_provider_shared_secret_auth_enabled: true
matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret: YOUR_SHARED_SECRET_GOES_HERE
matrix_corporal_enabled: true
matrix_corporal_policy_provider_config: |

53
docs/configuring-playbook-matrix-registration.md
Unescape View File

@ -0,0 +1,53 @@
# Setting up matrix-registration (optional)
The playbook can install and configure [matrix-registration](https://github.com/ZerataX/matrix-registration) for you.
> matrix-registration is a simple python application to have a token based matrix registration.
Use matrix-registration to **create unique registration links**, which people can use to register on your Matrix server. It allows you to **keep your server's registration closed (private)**, but still allow certain people (these having a special link) to register a user account.
**matrix-registration** provides 2 things:
- **an API for creating registration tokens** (unique registration links). This API can be used via `curl` or via the playbook (see [Usage](#usage) below)
- **a user registration page**, where people can use these registration tokens. By default, exposed at `https:///matrix.DOMAIN/matrix-registration`
## Installing
Adjust your playbook configuration (your `inventory/host_vars/matrix.DOMAIN/vars.yml` file):
```yaml
matrix_registration_enabled: true
# Generate a strong secret using: `pwgen -s 64 1`.
matrix_registration_admin_secret: "ENTER_SOME_SECRET_HERE"
```
Then, run the [installation](installing.md) command again:
```
ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start
```
## Usage
**matrix-registration** gets exposed at `https:///matrix.DOMAIN/matrix-registration`
It provides various [APIs](https://github.com/ZerataX/matrix-registration/wiki/api) - for creating registration tokens, listing tokens, disabling tokens, etc. To make use of all of its capabilities, consider using `curl`.
We make the most common API (the one for creating unique registration tokens) easy to use via the playbook.
**To create a new user registration token (link)**, use this command:
```
ansible-playbook -i inventory/hosts setup.yml \
--tags=generate-matrix-registration-token \
--extra-vars="one_time=yes ex_date=2021-12-31"
```
The above command creates and returns a **one-time use** token, which **expires** on the 31st of December 2021.
Adjust the `one_time` and `ex_date` variables as you see fit.
Share the unique registration link (generated by the command above) with users to let them register on your Matrix server.

6
docs/configuring-playbook-ssl-certificates.md
Unescape View File

@ -3,7 +3,7 @@
By default, this playbook retrieves and auto-renews free SSL certificates from [Let's Encrypt](https://letsencrypt.org/) for the domains it needs (`matrix.<your-domain>` and possibly `element.<your-domain>`)
Those certificates are used when configuring the nginx reverse proxy installed by this playbook.
They can also be used for configuring [your own webserver](docs/configuring-playbook-own-webserver.md), in case you're not using the integrated nginx server provided by the playbook.
They can also be used for configuring [your own webserver](configuring-playbook-own-webserver.md), in case you're not using the integrated nginx server provided by the playbook.
If you need to retrieve certificates for other domains (e.g. your base domain) or more control over certificate retrieval, read below.
@ -13,7 +13,7 @@ Things discussed in this document:
- [Using your own SSL certificates](#using-your-own-ssl-certificates), if you don't want to or can't use Let's Encrypt certificates, but are still interested in using the integrated nginx reverse proxy server
- [Not bothering with SSL certificates](#not-bothering-with-ssl-certificates), if you're using [your own webserver](docs/configuring-playbook-own-webserver.md) and would rather this playbook leaves SSL certificate management to you
- [Not bothering with SSL certificates](#not-bothering-with-ssl-certificates), if you're using [your own webserver](configuring-playbook-own-webserver.md) and would rather this playbook leaves SSL certificate management to you
- [Obtaining SSL certificates for additional domains](#obtaining-ssl-certificates-for-additional-domains), if you'd like to host additional domains on the Matrix server and would like the playbook to help you obtain and renew certificates for those domains automatically
@ -28,6 +28,8 @@ If self-signed certificates are alright with you, you can ask the playbook to ge
matrix_ssl_retrieval_method: self-signed
```
If you get a `Cannot reach homeserver` error in Element, you will have to visit `https://matrix.<your-domain>` in your browser and agree to the certificate exception before you can login.
## Using your own SSL certificates

2
docs/configuring-playbook-telemetry.md
Unescape View File

@ -10,7 +10,7 @@ growth of the Matrix community, and helps to make Matrix a success.
## Enabling Telemetry
If you'd like to **help by enabling submission of anonymized usage statistics** for your homeserver, add this to your configuration file (`inventory/host_vars/matrix.<your-domain>/vars.yml`):
If you'd like to **help by enabling submission of general usage statistics** for your homeserver, add this to your configuration file (`inventory/host_vars/matrix.<your-domain>/vars.yml`):
```yaml
matrix_synapse_report_stats: true

4
docs/configuring-playbook.md
Unescape View File

@ -70,6 +70,8 @@ When you're done with all the configuration you'd like to do, continue with [Ins
- [Setting up Synapse Admin](configuring-playbook-synapse-admin.md) (optional)
- [Setting up matrix-registration](configuring-playbook-matrix-registration.md) (optional)
- [Setting up the REST authentication password provider module](configuring-playbook-rest-auth.md) (optional, advanced)
- [Setting up the Shared Secret Auth password provider module](configuring-playbook-shared-secret-auth.md) (optional, advanced)
@ -113,7 +115,7 @@ When you're done with all the configuration you'd like to do, continue with [Ins
- [Setting up Email2Matrix](configuring-playbook-email2matrix.md) (optional)
- [Setting up Matrix SMS bridging](configuring-playbook-matrix-bridge-sms.md) (optional)
- [Setting up Matrix SMS bridging](configuring-playbook-bridge-matrix-bridge-sms.md) (optional)
### Bots

5
docs/maintenance-postgres.md
Unescape View File

@ -22,6 +22,8 @@ If you are using an [external Postgres server](configuring-playbook-external-pos
## Vacuuming PostgreSQL
Deleting lots data from Postgres does not make it release disk space, until you perform a `VACUUM` operation.
To perform a `FULL` Postgres [VACUUM](https://www.postgresql.org/docs/current/sql-vacuum.html), run the playbook with `--tags=run-postgres-vacuum`.
Example:
@ -40,9 +42,10 @@ To make a back up of the current PostgreSQL database, make sure it's running and
```bash
docker run \
--rm \
--log-driver=none \
--network=matrix \
--env-file=/matrix/postgres/env-postgres-psql \
postgres:12.1-alpine \
postgres:12.4-alpine \
pg_dumpall -h matrix-postgres \
| gzip -c \
> /postgres.sql.gz

73
docs/maintenance-synapse.md
Unescape View File

@ -9,75 +9,74 @@ Table of contents:
- [Purging old data with the Purge History API](#purging-old-data-with-the-purge-history-api), for when you wish to delete in-use (but old) data from the Synapse database
- [Synapse maintenance](#synapse-maintenance)
- [Purging unused data with synapse-janitor](#purging-unused-data-with-synapse-janitor)
- [Vacuuming Postgres](#vacuuming-postgres)
- [Purging old data with the Purge History API](#purging-old-data-with-the-purge-history-api)
- [Compressing state with rust-synapse-compress-state](#compressing-state-with-rust-synapse-compress-state)
- [Purging unused data with synapse-janitor](#purging-unused-data-with-synapse-janitor)
- [Browse and manipulate the database](#browse-and-manipulate-the-database)
- [Browse and manipulate the database](#browse-and-manipulate-the-database), for when you really need to take matters into your own hands
## Purging unused data with synapse-janitor
**NOTE**: There are [reports](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/465) that **synapse-janitor is dangerous to use and causes database corruption**. You may wish to refrain from using it.
## Purging old data with the Purge History API
When you **leave** and **forget** a room, Synapse can clean up its data, but currently doesn't.
This **unused and unreachable data** remains in your database forever.
You can use the **Purge History API** to delete in-use (but old) data.
There are external tools (like [synapse-janitor](https://github.com/xwiki-labs/synapse_scripts)), which are meant to solve this problem.
**This is destructive** (especially for non-federated rooms), because it means **people will no longer have access to history past a certain point**.
To ask the playbook to run synapse-janitor, execute:
Synapse's [Purge History API](https://github.com/matrix-org/synapse/blob/master/docs/admin_api/purge_history_api.rst) can be used to purge on a per-room basis.
```bash
ansible-playbook -i inventory/hosts setup.yml --tags=run-postgres-synapse-janitor,start
```
To make use of this API, **you'll need an admin access token** first. You can find your access token in the setting of some clients (like Element).
Alternatively, you can log in and obtain a new access token like this:
**Note**: this will automatically stop Synapse temporarily and restart it later.
```
curl \
--data '{"identifier": {"type": "m.id.user", "user": "YOUR_MATRIX_USERNAME" }, "password": "YOUR_MATRIX_PASSWORD", "type": "m.login.password", "device_id": "Synapse-Purge-History-API"}' \
https://matrix.DOMAIN/_matrix/client/r0/login
```
Follow the [Purge History API](https://github.com/matrix-org/synapse/blob/master/docs/admin_api/purge_history_api.rst) documentation page for the actual purging instructions.
### Vacuuming Postgres
After deleting data, you may wish to run a [`FULL` Postgres `VACUUM`](./maintenance-postgres.md#vacuuming-postgresql).
Running synapse-janitor potentially deletes a lot of data from the Postgres database.
However, disk space only ever gets released after a [`FULL` Postgres `VACUUM`](./maintenance-postgres.md#vacuuming-postgresql).
It's easiest if you ask the playbook to run both synapse-janitor and a `VACUUM FULL` in one call:
## Compressing state with rust-synapse-compress-state
```bash
ansible-playbook -i inventory/hosts setup.yml --tags=run-postgres-synapse-janitor,run-postgres-vacuum,start
```
[rust-synapse-compress-state](https://github.com/matrix-org/rust-synapse-compress-state) can be used to optimize some `_state` tables used by Synapse.
**Note**: this will automatically stop Synapse temporarily and restart it later. You'll also need plenty of available disk space in your Postgres data directory (usually `/matrix/postgres/data`).
This tool should be safe to use (even when Synapse is running), but it's always a good idea to [make Postgres backups](./maintenance-postgres.md#backing-up-postgresql) first.
To ask the playbook to run rust-synapse-compress-state, execute:
## Purging old data with the Purge History API
```
ansible-playbook -i inventory/hosts setup.yml --tags=rust-synapse-compress-state
```
If [purging unused and unreachable data](#purging-unused-data-with-synapse-janitor) is not enough for you, you can start deleting in-use (but old) data.
By default, all rooms with more than `100000` state group rows will be compressed.
If you need to adjust this, pass: `--extra-vars='matrix_synapse_rust_synapse_compress_state_min_state_groups_required=SOME_NUMBER_HERE'` to the command above.
**This is destructive** (especially for non-federated rooms), because it means **people will no longer have access to history past a certain point**.
After state compression, you may wish to run a [`FULL` Postgres `VACUUM`](./maintenance-postgres.md#vacuuming-postgresql).
Synapse provides a [Purge History API](https://github.com/matrix-org/synapse/blob/master/docs/admin_api/purge_history_api.rst) that you can use to purge on a per-room basis.
To make use of this API, **you'll need an admin access token** first. You can find your access token in the setting of some clients (like Element).
Alternatively, you can log in and obtain a new access token like this:
## Purging unused data with synapse-janitor
```
curl \
--data '{"identifier": {"type": "m.id.user", "user": "YOUR_MATRIX_USERNAME" }, "password": "YOUR_MATRIX_PASSWORD", "type": "m.login.password", "device_id": "Synapse-Purge-History-API"}' \
https://matrix.DOMAIN/_matrix/client/r0/login
```
**NOTE**: There are [reports](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/465) that **synapse-janitor is dangerous to use and causes database corruption**. You may wish to refrain from using it.
Follow the [Purge History API](https://github.com/matrix-org/synapse/blob/master/docs/admin_api/purge_history_api.rst) documentation page for the actual purging instructions.
When you **leave** and **forget** a room, Synapse can clean up its data, but currently doesn't.
This **unused and unreachable data** remains in your database forever.
Don't forget that disk space only ever gets released after a [`FULL` Postgres `VACUUM`](./maintenance-postgres.md#vacuuming-postgresql) - something the playbook can help you with.
There are external tools (like [synapse-janitor](https://github.com/xwiki-labs/synapse_scripts)), which are meant to solve this problem.
To ask the playbook to run synapse-janitor, execute:
## Compressing state with rust-synapse-compress-state
```bash
ansible-playbook -i inventory/hosts setup.yml --tags=run-postgres-synapse-janitor,start
```
[rust-synapse-compress-state](https://github.com/matrix-org/rust-synapse-compress-state) can be used to optimize some `_state` tables used by Synapse.
**Note**: this will automatically stop Synapse temporarily and restart it later.
Unfortunately, at this time the playbook can't help you run this **experimental tool**.
Running synapse-janitor potentially deletes a lot of data from the Postgres database.
You may wish to run a [`FULL` Postgres `VACUUM`](./maintenance-postgres.md#vacuuming-postgresql) after that.
Since it's also experimental, you may wish to stay away from it, or at least [make Postgres backups](./maintenance-postgres.md#backing-up-postgresql) first.
## Browse and manipulate the database

44
docs/registering-users.md
Unescape View File

@ -1,6 +1,18 @@
# Registering users
Run this to create a new user account on your Matrix server.
This documentation page tells you how to create user account on your Matrix server.
Table of contents:
- [Registering users](#registering-users)
- [Registering users manually](#registering-users-manually)
- [Managing users via a Web UI](#managing-users-via-a-web-ui)
- [Letting certain users register on your private server](#letting-certain-users-register-on-your-private-server)
- [Enabling public user registration](#enabling-public-user-registration)
- [Adding/Removing Administrator privileges to an existing user](#addingremoving-administrator-privileges-to-an-existing-user)
## Registering users manually
You can do it via this Ansible playbook (make sure to edit the `<your-username>` and `<your-password>` part below):
@ -22,10 +34,31 @@ ansible-playbook -i inventory/hosts setup.yml --extra-vars='username=<your-usern
If you've just installed Matrix, **to finalize the installation process**, it's best if you proceed to [Configuring service discovery via .well-known](configuring-well-known.md)
-----
## Managing users via a Web UI
To manage users more easily (via a web user-interace), you can install [Synapse Admin](configuring-playbook-synapse-admin.md).
## Letting certain users register on your private server
If you'd rather **keep your server private** (public registration closed, as is the default), and **let certain people create accounts by themselves** (instead of creating user accounts manually like this), consider installing and making use of [matrix-registration](configuring-playbook-matrix-registration.md).
## Adding/Removing Administrator privileges to an existing user.
## Enabling public user registration
To **open up user registration publicly** (usually **not recommended**), consider using the following configuration:
```yaml
matrix_synapse_enable_registration: true
```
and running the [installation](installing.md) procedure once again.
If you're opening up registrations publicly like this, you might also wish to [configure CAPTCHA protection](configuring-captcha.md).
## Adding/Removing Administrator privileges to an existing user
The script `/usr/local/bin/matrix-change-user-admin-status` may be used to change a user's admin privileges.
@ -35,8 +68,3 @@ The script `/usr/local/bin/matrix-change-user-admin-status` may be used to chang
```
/usr/local/bin/matrix-change-user-admin-status <username> <0/1>
```
## Managing users via a Web UI
To manage users more easily (via a web user-interace), you can install [Synapse Admin](configuring-playbook-synapse-admin.md).

2
docs/self-building.md
Unescape View File

@ -11,7 +11,9 @@ To make use of self-building, you don't need to do anything besides change your
Note that **not all components support self-building yet**.
List of roles where self-building the Docker image is currently possible:
- `matrix-synapse`
- `matrix-synapse-admin`
- `matrix-client-element`
- `matrix-registration`
- `matrix-coturn`
- `matrix-ma1sd`
- `matrix-mailer`

156
examples/caddy2/Caddyfile
Unescape View File

@ -0,0 +1,156 @@
matrix.DOMAIN.tld {
tls {$CADDY_TLS}
@identity {
path /_matrix/identity/*
}
@noidentity {
not path /_matrix/identity/*
}
@search {
path /_matrix/client/r0/user_directory/search/*
}
@nosearch {
not path /_matrix/client/r0/user_directory/search/*
}
@static {
path /matrix/static-files/*
}
@nostatic {
not path /matrix/static-files/*
}
header {
# Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS
Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
# Enable cross-site filter (XSS) and tell browser to block detected attacks
X-XSS-Protection "1; mode=block"
# Prevent some browsers from MIME-sniffing a response away from the declared Content-Type
X-Content-Type-Options "nosniff"
# Disallow the site to be rendered within a frame (clickjacking protection)
X-Frame-Options "DENY"
# X-Robots-Tag
X-Robots-Tag "noindex, noarchive, nofollow"
167,9 79%
}
# Cache
header @static {
# Cache
Cache-Control "public, max-age=31536000"
defer
}
# identity
handle @identity {
reverse_proxy localhost:8090 {
header_up X-Forwarded-Port {http.request.port}
header_up X-Forwarded-Proto {http.request.scheme}
header_up X-Forwarded-TlsProto {tls_protocol}
header_up X-Forwarded-TlsCipher {tls_cipher}
header_up X-Forwarded-HttpsProto {proto}
}
}
# search
handle @search {
reverse_proxy localhost:8090 {
header_up X-Forwarded-Port {http.request.port}
header_up X-Forwarded-Proto {http.request.scheme}
header_up X-Forwarded-TlsProto {tls_protocol}
header_up X-Forwarded-TlsCipher {tls_cipher}
header_up X-Forwarded-HttpsProto {proto}
}
}
handle {
encode zstd gzip
reverse_proxy localhost:8008 {
header_up X-Forwarded-Port {http.request.port}
header_up X-Forwarded-Proto {http.request.scheme}
header_up X-Forwarded-TlsProto {tls_protocol}
header_up X-Forwarded-TlsCipher {tls_cipher}
header_up X-Forwarded-HttpsProto {proto}
}
}
}
matrix.DOMAIN.tld:8448 {
handle {
encode zstd gzip
reverse_proxy 127.0.0.1:8048 {
header_up X-Forwarded-Port {http.request.port}
header_up X-Forwarded-Proto {http.request.scheme}
header_up X-Forwarded-TlsProto {tls_protocol}
header_up X-Forwarded-TlsCipher {tls_cipher}
header_up X-Forwarded-HttpsProto {proto}
}
}
}
dimension.DOMAIN.tld {
tls {$CADDY_TLS}
header {
# Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS
Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
# Enable cross-site filter (XSS) and tell browser to block detected attacks
X-XSS-Protection "1; mode=block"
# Prevent some browsers from MIME-sniffing a response away from the declared Content-Type
X-Content-Type-Options "nosniff"
# Disallow the site to be rendered within a frame (clickjacking protection)
X-Frame-Options "DENY"
# X-Robots-Tag
X-Robots-Tag "noindex, noarchive, nofollow"
}
handle {
encode zstd gzip
reverse_proxy localhost:8184 {
header_up X-Forwarded-Port {http.request.port}
header_up X-Forwarded-Proto {http.request.scheme}
header_up X-Forwarded-TlsProto {tls_protocol}
header_up X-Forwarded-TlsCipher {tls_cipher}
header_up X-Forwarded-HttpsProto {proto}
}
}
}
element.DOMAIN.tld {
tls {$CADDY_TLS}
header {
# Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS
Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
# Enable cross-site filter (XSS) and tell browser to block detected attacks
X-XSS-Protection "1; mode=block"
# Prevent some browsers from MIME-sniffing a response away from the declared Content-Type
X-Content-Type-Options "nosniff"
# Disallow the site to be rendered within a frame (clickjacking protection)
X-Frame-Options "DENY"
# X-Robots-Tag
X-Robots-Tag "noindex, noarchive, nofollow"
}
handle {
encode zstd gzip
reverse_proxy localhost:8765 {
header_up X-Forwarded-Port {http.request.port}
header_up X-Forwarded-Proto {http.request.scheme}
header_up X-Forwarded-TlsProto {tls_protocol}
header_up X-Forwarded-TlsCipher {tls_cipher}
header_up X-Forwarded-HttpsProto {proto}
}
}

3
examples/host-vars.yml
Unescape View File

@ -4,6 +4,9 @@
# Note: this playbook does not touch the server referenced here.
# Installation happens on another server ("matrix.<matrix-domain>").
#
# If you've deployed using the wrong domain, you'll have to run the Uninstalling step,
# because you can't change the Domain after deployment.
#
# Example value: example.com
matrix_domain: YOUR_BARE_DOMAIN_NAME_HERE

44
group_vars/matrix_servers
Unescape View File

@ -16,7 +16,7 @@
#
######################################################################
matrix_identity_server_url: "{{ 'https://' + matrix_synapse_trusted_third_party_id_servers[0] if matrix_synapse_trusted_third_party_id_servers|length > 0 else None }}"
matrix_identity_server_url: "{{ ('https://' + matrix_server_fqn_matrix) if matrix_ma1sd_enabled else None }}"
matrix_riot_jitsi_preferredDomain: "{{ matrix_server_fqn_jitsi if matrix_jitsi_enabled else '' }}"
@ -737,7 +737,7 @@ matrix_ma1sd_threepid_medium_email_connectors_smtp_host: "matrix-mailer"
matrix_ma1sd_threepid_medium_email_connectors_smtp_port: 8025
matrix_ma1sd_threepid_medium_email_connectors_smtp_tls: 0
matrix_ma1sd_self_check_validate_certificates: "{{ false if matrix_ssl_retrieval_method == 'self-signed' else false }}"
matrix_ma1sd_self_check_validate_certificates: "{{ false if matrix_ssl_retrieval_method == 'self-signed' else true }}"
matrix_ma1sd_systemd_wanted_services_list: |
{{
@ -799,7 +799,7 @@ matrix_nginx_proxy_proxy_matrix_user_directory_search_enabled: "{{ matrix_ma1sd_
matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_with_container: "{{ matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container }}"
matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_sans_container: "{{ matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container }}"
matrix_nginx_proxy_self_check_validate_certificates: "{{ false if matrix_ssl_retrieval_method == 'self-signed' else false }}"
matrix_nginx_proxy_self_check_validate_certificates: "{{ false if matrix_ssl_retrieval_method == 'self-signed' else true }}"
matrix_nginx_proxy_systemd_wanted_services_list: |
{{
@ -890,7 +890,7 @@ matrix_client_element_integrations_rest_url: "{{ matrix_dimension_integrations_r
matrix_client_element_integrations_widgets_urls: "{{ matrix_dimension_integrations_widgets_urls if matrix_dimension_enabled else ['https://scalar.vector.im/api'] }}"
matrix_client_element_integrations_jitsi_widget_url: "{{ matrix_dimension_integrations_jitsi_widget_url if matrix_dimension_enabled else 'https://scalar.vector.im/api/widgets/jitsi.html' }}"
matrix_client_element_self_check_validate_certificates: "{{ false if matrix_ssl_retrieval_method == 'self-signed' else false }}"
matrix_client_element_self_check_validate_certificates: "{{ false if matrix_ssl_retrieval_method == 'self-signed' else true }}"
matrix_client_element_registration_enabled: "{{ matrix_synapse_enable_registration }}"
@ -921,9 +921,6 @@ matrix_client_element_jitsi_preferredDomain: "{{ matrix_server_fqn_jitsi if matr
matrix_synapse_container_image_self_build: "{{ matrix_architecture != 'amd64'}}"
# When ma1sd is enabled, we can use it instead of the default public Identity servers.
matrix_synapse_trusted_third_party_id_servers: "{{ [matrix_server_fqn_matrix] if matrix_ma1sd_enabled else matrix_synapse_id_servers_public }}"
# When ma1sd is enabled, we can use it to validate email addresses and phone numbers.
# Synapse can validate email addresses by itself as well, but it's probably not what we want by default when we have an identity server.
matrix_synapse_account_threepid_delegates_email: "{{ 'http://matrix-ma1sd:8090' if matrix_ma1sd_enabled else '' }}"
@ -988,7 +985,7 @@ matrix_synapse_turn_uris: |
matrix_synapse_turn_shared_secret: "{{ matrix_coturn_turn_static_auth_secret if matrix_coturn_enabled else '' }}"
matrix_synapse_self_check_validate_certificates: "{{ false if matrix_ssl_retrieval_method == 'self-signed' else false }}"
matrix_synapse_self_check_validate_certificates: "{{ false if matrix_ssl_retrieval_method == 'self-signed' else true }}"
matrix_synapse_systemd_required_services_list: |
{{
@ -1032,3 +1029,34 @@ matrix_synapse_admin_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy
# /matrix-synapse-admin
#
######################################################################
######################################################################
#
# matrix-registration
#
######################################################################
matrix_registration_enabled: false
# Normally, matrix-nginx-proxy is enabled and nginx can reach matrix-registration over the container network.
# If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose
# matrix-registration's HTTP port to the local host.
matrix_registration_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:8767' }}"
matrix_registration_riot_instance: "{{ ('https://' + matrix_server_fqn_element) if matrix_client_element_enabled else 'https://riot.im/app/' }}"
matrix_registration_shared_secret: "{{ matrix_synapse_registration_shared_secret if matrix_synapse_enabled else '' }}"
matrix_registration_server_location: "{{ 'http://matrix-synapse:8008' if matrix_synapse_enabled else '' }}"
matrix_registration_api_validate_certs: "{{ false if matrix_ssl_retrieval_method == 'self-signed' else true }}"
matrix_registration_container_image_self_build: "{{ matrix_architecture != 'amd64' }}"
######################################################################
#
# /matrix-registration
#
######################################################################

3
roles/matrix-base/defaults/main.yml
Unescape View File

@ -85,7 +85,7 @@ matrix_vars_yml_snapshotting_src: "{{ inventory_dir }}/host_vars/{{ inventory_ho
matrix_well_known_matrix_server_enabled: true
# Controls whether Docker is automatically installed.
# If you change this to false you must install and update Docker manually.
# If you change this to false you must install and update Docker manually. You also need to install the docker (https://pypi.org/project/docker/) Python package.
matrix_docker_installation_enabled: true
# Controls the Docker package that is installed.
@ -101,6 +101,7 @@ run_postgres_vacuum: true
run_synapse_register_user: true
run_synapse_update_user_password: true
run_synapse_import_media_store: true
run_synapse_rust_synapse_compress_state: true
run_setup: true
run_self_check: true
run_start: true

23
roles/matrix-base/tasks/server_base/setup.yml
Unescape View File

@ -3,11 +3,26 @@
- include_tasks: "{{ role_path }}/tasks/server_base/setup_centos.yml"
when: ansible_distribution == 'CentOS'
- include_tasks: "{{ role_path }}/tasks/server_base/setup_debian.yml"
when: (ansible_os_family == 'Debian') and (ansible_lsb.id != 'Raspbian')
- block:
# ansible_lsb is only available if lsb-release is installed.
- name: Ensure lsb-release installed
apt:
name:
- lsb-release
state: present
update_cache: yes
register: lsb_release_installation_result
- include_tasks: "{{ role_path }}/tasks/server_base/setup_raspbian.yml"
when: (ansible_os_family == 'Debian') and (ansible_lsb.id == 'Raspbian')
- name: Reread ansible_lsb facts if lsb-release got installed
setup: filter=ansible_lsb*
when: lsb_release_installation_result.changed
- include_tasks: "{{ role_path }}/tasks/server_base/setup_debian.yml"
when: (ansible_os_family == 'Debian') and (ansible_lsb.id != 'Raspbian')
- include_tasks: "{{ role_path }}/tasks/server_base/setup_raspbian.yml"
when: (ansible_os_family == 'Debian') and (ansible_lsb.id == 'Raspbian')
when: ansible_os_family == 'Debian'
- include_tasks: "{{ role_path }}/tasks/server_base/setup_archlinux.yml"
when: ansible_distribution == 'Archlinux'

2
roles/matrix-base/tasks/server_base/setup_debian.yml
Unescape View File

@ -5,7 +5,7 @@
name:
- apt-transport-https
- ca-certificates
- gpg
- gnupg
state: present
update_cache: yes

2
roles/matrix-bot-matrix-reminder-bot/defaults/main.yml
Unescape View File

@ -3,7 +3,7 @@
matrix_bot_matrix_reminder_bot_enabled: true
matrix_bot_matrix_reminder_bot_docker_image: "anoa/matrix-reminder-bot:release-0.1.0"
matrix_bot_matrix_reminder_bot_docker_image: "anoa/matrix-reminder-bot:release-v0.2.0"
matrix_bot_matrix_reminder_bot_docker_image_force_pull: "{{ matrix_bot_matrix_reminder_bot_docker_image.endswith(':latest') }}"
matrix_bot_matrix_reminder_bot_base_path: "{{ matrix_base_data_path }}/matrix-reminder-bot"

2
roles/matrix-bridge-appservice-slack/defaults/main.yml
Unescape View File

@ -3,7 +3,7 @@
matrix_appservice_slack_enabled: true
matrix_appservice_slack_docker_image: "cadair/matrix-appservice-slack:cadair"
matrix_appservice_slack_docker_image: "matrixdotorg/matrix-appservice-slack:release-1.5.0"
matrix_appservice_slack_docker_image_force_pull: "{{ matrix_appservice_slack_docker_image.endswith(':latest') }}"
matrix_appservice_slack_base_path: "{{ matrix_base_data_path }}/appservice-slack"

2
roles/matrix-bridge-mautrix-telegram/defaults/main.yml
Unescape View File

@ -4,7 +4,7 @@
matrix_mautrix_telegram_enabled: true
# See: https://mau.dev/tulir/mautrix-telegram/container_registry
matrix_mautrix_telegram_docker_image: "dock.mau.dev/tulir/mautrix-telegram:v0.8.1"
matrix_mautrix_telegram_docker_image: "dock.mau.dev/tulir/mautrix-telegram:v0.8.2"
matrix_mautrix_telegram_docker_image_force_pull: "{{ matrix_mautrix_telegram_docker_image.endswith(':latest') }}"
matrix_mautrix_telegram_base_path: "{{ matrix_base_data_path }}/mautrix-telegram"

2
roles/matrix-bridge-mx-puppet-instagram/templates/systemd/matrix-mx-puppet-instagram.service.j2
Unescape View File

@ -1,6 +1,6 @@
#jinja2: lstrip_blocks: "True"
[Unit]
Description=Matrix mx-puppet-instagram bridge
Description=Matrix Mx Puppet Instagram server
{% for service in matrix_mx_puppet_instagram_systemd_required_services_list %}
Requires={{ service }}
After={{ service }}

4
roles/matrix-bridge-sms/defaults/main.yml
Unescape View File

@ -3,7 +3,7 @@
matrix_sms_bridge_enabled: true
matrix_sms_bridge_docker_image: "folivonet/matrix-sms-bridge:0.3.1.RELEASE"
matrix_sms_bridge_docker_image: "folivonet/matrix-sms-bridge:0.3.2.RELEASE"
matrix_sms_bridge_database_docker_image: "neo4j:latest"
matrix_sms_bridge_database_docker_image_force_pull: "{{ matrix_sms_bridge_docker_image.endswith(':latest') }}"
@ -149,4 +149,4 @@ matrix_sms_bridge_registration_yaml: |
sender_localpart: smsbot
rate_limited: false
matrix_sms_bridge_registration: "{{ matrix_sms_bridge_registration_yaml|from_yaml }}"
matrix_sms_bridge_registration: "{{ matrix_sms_bridge_registration_yaml|from_yaml }}"

2
roles/matrix-client-element/defaults/main.yml
Unescape View File

@ -2,7 +2,7 @@ matrix_client_element_enabled: true
matrix_client_element_container_image_self_build: false
matrix_client_element_docker_image: "vectorim/riot-web:v1.7.1"
matrix_client_element_docker_image: "vectorim/riot-web:v1.7.7"
matrix_client_element_docker_image_force_pull: "{{ matrix_client_element_docker_image.endswith(':latest') }}"
matrix_client_element_data_path: "{{ matrix_base_data_path }}/client-element"

6
roles/matrix-common-after/tasks/dump_runtime_results.yml
Unescape View File

@ -0,0 +1,6 @@
# Ansible outputs the message in the `item=` field.
# It's unnecessary to output it again in the actual message, so we don't.
- debug:
msg: ""
with_items: "{{ matrix_playbook_runtime_results }}"
when: "matrix_playbook_runtime_results is defined and matrix_playbook_runtime_results|length > 0"

4
roles/matrix-common-after/tasks/main.yml
Unescape View File

@ -7,3 +7,7 @@
when: run_stop|bool
tags:
- stop
- import_tasks: "{{ role_path }}/tasks/dump_runtime_results.yml"
tags:
- always

8
roles/matrix-common-after/tasks/start.yml
Unescape View File

@ -1,21 +1,23 @@
---
- name: Ensure systemd reloaded
- name: Ensure systemd is reloaded
service:
daemon_reload: yes
- name: Ensure Matrix services stopped
- name: Ensure Matrix services are stopped
service:
name: "{{ item }}"
state: stopped
with_items: "{{ matrix_systemd_services_list }}"
when: not ansible_check_mode
- name: Ensure Matrix services started
- name: Ensure Matrix services are started
service:
name: "{{ item }}"
enabled: yes
state: started
with_items: "{{ matrix_systemd_services_list }}"
when: not ansible_check_mode
# If we check service state immediately, we may succeed,
# because it takes some time for the service to attempt to start and actually fail.

18
roles/matrix-coturn/tasks/setup_coturn.yml
Unescape View File

@ -91,15 +91,10 @@
# We optimize for the common use-case though (short-lived Let's Encrypt certificates).
# Reloading doesn't hurt anyway, so there's no need to make this more flexible.
- name: Ensure periodic reloading of matrix-coturn is configured for SSL renewal (matrix-coturn-reload)
cron:
user: root
cron_file: matrix-coturn-ssl-reload
name: matrix-coturn-ssl-reload
state: present
hour: "4"
minute: "20"
day: "*/5"
job: "{{ matrix_host_command_systemctl }} reload matrix-coturn.service"
template:
src: "{{ role_path }}/templates/cron.d/matrix-coturn-ssl-reload.j2"
dest: /etc/cron.d/matrix-coturn-ssl-reload
mode: 0644
when: "matrix_coturn_enabled|bool and matrix_coturn_tls_enabled|bool"
@ -108,9 +103,8 @@
#
- name: Ensure matrix-coturn-ssl-reload cronjob removed
cron:
user: root
cron_file: matrix-coturn-ssl-reload
file:
path: /etc/cron.d/matrix-coturn-ssl-reload
state: absent
when: "not matrix_coturn_enabled|bool or not matrix_coturn_tls_enabled|bool"

1
roles/matrix-coturn/templates/cron.d/matrix-coturn-ssl-reload.j2
Unescape View File

@ -0,0 +1 @@
20 4 */5 * * root {{ matrix_host_command_systemctl }} reload matrix-coturn.service

2
roles/matrix-dimension/defaults/main.yml
Unescape View File

@ -27,7 +27,7 @@ matrix_dimension_container_http_host_bind_port: ''
# A list of extra arguments to pass to the container
matrix_dimension_container_extra_arguments: []
matrix_dimension_integrations_ui_url: "https://{{ matrix_server_fqn_dimension }}/riot"
matrix_dimension_integrations_ui_url: "https://{{ matrix_server_fqn_dimension }}/element"
matrix_dimension_integrations_rest_url: "https://{{ matrix_server_fqn_dimension }}/api/v1/scalar"
matrix_dimension_integrations_widgets_urls: ["https://{{ matrix_server_fqn_dimension }}/widgets"]
matrix_dimension_integrations_jitsi_widget_url: "https://{{ matrix_server_fqn_dimension }}/widgets/jitsi"

2
roles/matrix-jitsi/defaults/main.yml
Unescape View File

@ -49,6 +49,8 @@ matrix_jitsi_jibri_xmpp_password: ''
matrix_jitsi_jibri_recorder_user: recorder
matrix_jitsi_jibri_recorder_password: ''
matrix_jitsi_enable_lobby: false
matrix_jitsi_container_image_tag: "stable-4857"
matrix_jitsi_web_docker_image: "jitsi/web:{{ matrix_jitsi_container_image_tag }}"

2
roles/matrix-jitsi/templates/prosody/env.j2
Unescape View File

@ -42,4 +42,6 @@ JIBRI_XMPP_PASSWORD={{ matrix_jitsi_jibri_xmpp_password }}
JIBRI_RECORDER_USER={{ matrix_jitsi_jibri_recorder_user }}
JIBRI_RECORDER_PASSWORD={{ matrix_jitsi_jibri_recorder_password }}
ENABLE_LOBBY={{ 1 if matrix_jitsi_enable_lobby else 0 }}
TZ={{ matrix_jitsi_timezone }}

3
roles/matrix-ma1sd/defaults/main.yml
Unescape View File

@ -83,6 +83,9 @@ matrix_ma1sd_verbose_logging: false
matrix_ma1sd_v1_enabled: true
matrix_ma1sd_v2_enabled: true
# Fix for missing 3PIDS bug
matrix_ma1sd_hashing_enabled: true
# Default ma1sd configuration template which covers the generic use case.
# You can customize it by controlling the various variables inside it.
#

13
roles/matrix-ma1sd/templates/ma1sd.yaml.j2
Unescape View File

@ -63,6 +63,19 @@ threepid:
{% endif %}
{% endif %}
{% if matrix_ma1sd_hashing_enabled %}
hashing:
enabled: true # enable or disable the hash lookup MSC2140 (default is false)
pepperLength: 20 # length of the pepper value (default is 20)
rotationPolicy: per_requests # or `per_seconds` how often the hashes will be updating
hashStorageType: sql # or `in_memory` where the hashes will be stored
algorithms:
- none # the same as v1 bulk lookup
- sha256 # hash the 3PID and pepper.
delay: 2m # how often hashes will be updated if rotation policy = per_seconds (default is 10s)
requests: 10
{% endif %}
synapseSql:
enabled: {{ matrix_ma1sd_synapsesql_enabled }}
type: {{ matrix_ma1sd_synapsesql_type }}

4
roles/matrix-nginx-proxy/defaults/main.yml
Unescape View File

@ -3,7 +3,7 @@ matrix_nginx_proxy_enabled: true
# We use an official nginx image, which we fix-up to run unprivileged.
# An alternative would be an `nginxinc/nginx-unprivileged` image, but
# that is frequently out of date.
matrix_nginx_proxy_docker_image: "nginx:1.19.1-alpine"
matrix_nginx_proxy_docker_image: "nginx:1.19.2-alpine"
matrix_nginx_proxy_docker_image_force_pull: "{{ matrix_nginx_proxy_docker_image.endswith(':latest') }}"
matrix_nginx_proxy_base_path: "{{ matrix_base_data_path }}/nginx-proxy"
@ -227,7 +227,7 @@ matrix_ssl_domains_to_obtain_certificates_for: []
# Controls whether to obtain production or staging certificates from Let's Encrypt.
matrix_ssl_lets_encrypt_staging: false
matrix_ssl_lets_encrypt_certbot_docker_image: "certbot/certbot:{{ matrix_ssl_architecture }}-v1.6.0"
matrix_ssl_lets_encrypt_certbot_docker_image: "certbot/certbot:{{ matrix_ssl_architecture }}-v1.7.0"
matrix_ssl_lets_encrypt_certbot_docker_image_force_pull: "{{ matrix_ssl_lets_encrypt_certbot_docker_image.endswith(':latest') }}"
matrix_ssl_lets_encrypt_certbot_standalone_http_port: 2402
matrix_ssl_lets_encrypt_support_email: ~

52
roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt.yml
Unescape View File

@ -55,37 +55,11 @@
mode: 0750
when: "matrix_ssl_retrieval_method == 'lets-encrypt'"
- block:
- name: Ensure periodic SSL renewal cronjob configured (MAILTO)
cron:
user: root
cron_file: matrix-ssl-lets-encrypt
env: yes
name: MAILTO
value: "{{ matrix_ssl_lets_encrypt_support_email }}"
- name: Ensure periodic SSL renewal cronjob configured (matrix-ssl-lets-encrypt-certificates-renew)
cron:
user: root
cron_file: matrix-ssl-lets-encrypt
name: matrix-ssl-lets-encrypt-certificates-renew
state: present
hour: "4"
minute: "15"
day: "*"
job: "{{ matrix_local_bin_path }}/matrix-ssl-lets-encrypt-certificates-renew"
- name: Ensure periodic reloading of matrix-nginx-proxy is configured for SSL renewal (matrix-nginx-proxy-reload)
cron:
user: root
cron_file: matrix-ssl-lets-encrypt
name: matrix-nginx-proxy-reload
state: present
hour: "5"
minute: "20"
day: "*"
job: "{{ matrix_host_command_systemctl }} reload matrix-nginx-proxy.service"
when: matrix_nginx_proxy_enabled|bool
- name: Ensure periodic SSL renewal cronjob configured
template:
src: "{{ role_path }}/templates/cron.d/matrix-ssl-lets-encrypt.j2"
dest: /etc/cron.d/matrix-ssl-lets-encrypt
mode: 0644
when: "matrix_ssl_retrieval_method == 'lets-encrypt'"
@ -93,21 +67,9 @@
# Tasks related to getting rid of Let's Encrypt's management of certificates
#
# When nginx-proxy is disabled, make sure its reloading cronjob is gone.
# Other cronjobs can potentially remain there (see below).
- name: Ensure matrix-nginx-proxy-reload cronjob removed
cron:
user: root
cron_file: matrix-ssl-lets-encrypt
name: matrix-nginx-proxy-reload
state: absent
when: "not matrix_nginx_proxy_enabled|bool"
- name: Ensure matrix-ssl-lets-encrypt-renew cronjob removed
cron:
user: root
cron_file: matrix-ssl-lets-encrypt
name: matrix-ssl-lets-encrypt-certificates-renew
file:
path: /etc/cron.d/matrix-ssl-lets-encrypt
state: absent
when: "matrix_ssl_retrieval_method != 'lets-encrypt'"

5
roles/matrix-nginx-proxy/templates/cron.d/matrix-ssl-lets-encrypt.j2
Unescape View File

@ -0,0 +1,5 @@
MAILTO="{{ matrix_ssl_lets_encrypt_support_email }}"
15 4 * * * root {{ matrix_local_bin_path }}/matrix-ssl-lets-encrypt-certificates-renew
{% if matrix_nginx_proxy_enabled %}
20 5 * * * root {{ matrix_host_command_systemctl }} reload matrix-nginx-proxy.service
{% endif %}

1
roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2
Unescape View File

@ -5,7 +5,6 @@
gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Content-Type-Options nosniff;
add_header X-Frame-Options SAMEORIGIN;
{% for configuration_block in matrix_nginx_proxy_proxy_jitsi_additional_server_configuration_blocks %}
{{- configuration_block }}
{% endfor %}

8
roles/matrix-postgres/defaults/main.yml
Unescape View File

@ -8,10 +8,10 @@ matrix_postgres_db_name: ""
matrix_postgres_base_path: "{{ matrix_base_data_path }}/postgres"
matrix_postgres_data_path: "{{ matrix_postgres_base_path }}/data"
matrix_postgres_docker_image_v9: "postgres:9.6.18-alpine"
matrix_postgres_docker_image_v10: "postgres:10.13-alpine"
matrix_postgres_docker_image_v11: "postgres:11.8-alpine"
matrix_postgres_docker_image_v12: "postgres:12.3-alpine"
matrix_postgres_docker_image_v9: "postgres:9.6.19-alpine"
matrix_postgres_docker_image_v10: "postgres:10.14-alpine"
matrix_postgres_docker_image_v11: "postgres:11.9-alpine"
matrix_postgres_docker_image_v12: "postgres:12.4-alpine"
matrix_postgres_docker_image_latest: "{{ matrix_postgres_docker_image_v12 }}"
# This variable is assigned at runtime. Overriding its value has no effect.

1
roles/matrix-postgres/tasks/import_postgres.yml
Unescape View File

@ -64,6 +64,7 @@
set_fact:
matrix_postgres_import_command: >-
{{ matrix_host_command_docker }} run --rm --name matrix-postgres-import
--log-driver=none
--user={{ matrix_user_uid }}:{{ matrix_user_gid }}
--cap-drop=ALL
--network={{ matrix_docker_network }}

1
roles/matrix-postgres/tasks/import_sqlite_db.yml
Unescape View File

@ -74,6 +74,7 @@
docker run
--rm
--name=matrix-synapse-migrate
--log-driver=none
--user={{ matrix_user_uid }}:{{ matrix_user_gid }}
--cap-drop=ALL
--network={{ matrix_docker_network }}

13
roles/matrix-postgres/tasks/setup_postgres.yml
Unescape View File

@ -18,9 +18,16 @@
matrix_postgres_docker_image_to_use: "{{ matrix_postgres_docker_image_latest if matrix_postgres_detected_version_corresponding_docker_image == '' else matrix_postgres_detected_version_corresponding_docker_image }}"
when: matrix_postgres_enabled|bool
- name: Warn if on an old version of Postgres
debug:
msg: "NOTE: Your setup is on an old Postgres version ({{ matrix_postgres_docker_image_to_use }}), while {{ matrix_postgres_docker_image_latest }} is supported. You can upgrade using --tags=upgrade-postgres"
- name: Inject warning if on an old version of Postgres
set_fact:
matrix_playbook_runtime_results: |
{{
matrix_playbook_runtime_results|default([])
+
[
"NOTE: Your setup is on an old Postgres version ({{ matrix_postgres_docker_image_to_use }}), while {{ matrix_postgres_docker_image_latest }} is supported. You can upgrade using --tags=upgrade-postgres"
]
}}
when: "matrix_postgres_enabled|bool and matrix_postgres_docker_image_to_use != matrix_postgres_docker_image_latest"
# Even if we don't run the internal server, we still need this for running the CLI

2
roles/matrix-postgres/tasks/upgrade_postgres.yml
Unescape View File

@ -80,6 +80,7 @@
- name: Perform Postgres database dump
command: >-
{{ matrix_host_command_docker }} run --rm --name matrix-postgres-dump
--log-driver=none
--user={{ matrix_user_uid }}:{{ matrix_user_gid }}
--network={{ matrix_docker_network }}
--env-file={{ matrix_postgres_base_path }}/env-postgres-psql
@ -124,6 +125,7 @@
set_fact:
matrix_postgres_import_command: >-
{{ matrix_host_command_docker }} run --rm --name matrix-postgres-import
--log-driver=none
--user={{ matrix_user_uid }}:{{ matrix_user_gid }}
--cap-drop=ALL
--network={{ matrix_docker_network }}

83
roles/matrix-registration/defaults/main.yml
Unescape View File

@ -0,0 +1,83 @@
# matrix-registration is a simple python application to have a token based matrix registration
# See: https://zeratax.github.io/matrix-registration/
matrix_registration_enabled: true
matrix_registration_container_image_self_build: false
matrix_registration_base_path: "{{ matrix_base_data_path }}/matrix-registration"
matrix_registration_config_path: "{{ matrix_registration_base_path }}/config"
matrix_registration_data_path: "{{ matrix_registration_base_path }}/data"
matrix_registration_docker_src_files_path: "{{ matrix_registration_base_path }}/docker-src"
matrix_registration_version: "v0.7.0"
matrix_registration_docker_image: "devture/zeratax-matrix-registration:{{ matrix_registration_version }}"
matrix_registration_docker_image_force_pull: "{{ matrix_registration_docker_image.endswith(':latest') }}"
matrix_registration_docker_repo: "https://github.com/ZerataX/matrix-registration"
# A list of extra arguments to pass to the container
matrix_registration_container_extra_arguments: []
# List of systemd services that matrix-registration.service depends on
matrix_registration_systemd_required_services_list: ['docker.service']
# List of systemd services that matrix-registration.service wants
matrix_registration_systemd_wanted_services_list: []
# Controls whether the matrix-registration container exposes its HTTP port (tcp/5000 in the container).
#
# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:8767"), or empty string to not expose.
matrix_registration_container_http_host_bind_port: ''
# The path at which Matrix Registration will be exposed on `matrix.DOMAIN`
# (only applies when matrix-nginx-proxy is used).
matrix_registration_public_endpoint: /matrix-registration
matrix_registration_api_register_endpoint: "{{ matrix_homeserver_url }}{{ matrix_registration_public_endpoint }}/register"
matrix_registration_api_token_endpoint: "{{ matrix_homeserver_url }}{{ matrix_registration_public_endpoint }}/token"
matrix_registration_api_validate_certs: true
# The URL to your homeserver (e.g.: `https://matrix.DOMAIN`).
# A local (in-container address) is preferable.
matrix_registration_server_location: ""
matrix_registration_server_name: "{{ matrix_domain }}"
# matrix_registration_shared_secret needs to match the homeserver's registration secret.
# For Synapse, that's the `registration_shared_secret` setting.
matrix_registration_shared_secret: ""
# matrix_registration_admin_secret is your own admin secret for using matrix-registration (creating new tokens, etc.)
matrix_registration_admin_secret: ""
matrix_registration_riot_instance: "https://riot.im/app/"
# Default matrix-registration configuration template which covers the generic use case.
# You can customize it by controlling the various variables inside it.
#
# For a more advanced customization, you can extend the default (see `matrix_registration_configuration_extension_yaml`)
# or completely replace this variable with your own template.
matrix_registration_configuration_yaml: "{{ lookup('template', 'templates/config.yaml.j2') }}"
matrix_registration_configuration_extension_yaml: |
# Your custom YAML configuration for registration goes here.
# This configuration extends the default starting configuration (`matrix_registration_configuration_yaml`).
#
# You can override individual variables from the default configuration, or introduce new ones.
#
# If you need something more special, you can take full control by
# completely redefining `matrix_registration_configuration_yaml`.
#
# Example configuration extension follows:
#
# password:
# min_length: 12
matrix_registration_configuration_extension: "{{ matrix_registration_configuration_extension_yaml|from_yaml if matrix_registration_configuration_extension_yaml|from_yaml is mapping else {} }}"
# Holds the final matrix-registration configuration (a combination of the default and its extension).
# You most likely don't need to touch this variable. Instead, see `matrix_registration_configuration_yaml`.
matrix_registration_configuration: "{{ matrix_registration_configuration_yaml|from_yaml|combine(matrix_registration_configuration_extension, recursive=True) }}"

50
roles/matrix-registration/tasks/generate_token.yml
Unescape View File

@ -0,0 +1,50 @@
- name: Fail if playbook called incorrectly
fail:
msg: "The `one_time` variable needs to be provided to this playbook, via --extra-vars"
when: "one_time is not defined or one_time not in ['yes', 'no']"
- name: Fail if playbook called incorrectly
fail:
msg: "The `ex_date` variable (expiration date) needs to be provided to this playbook, via --extra-vars"
when: "ex_date is not defined or ex_date == '<date>'"
- name: Call matrix-registration token creation API
uri:
url: "{{ matrix_registration_api_token_endpoint }}"
follow_redirects: none
validate_certs: "{{ matrix_registration_api_validate_certs }}"
headers:
Content-Type: application/json
Authorization: "SharedSecret {{ matrix_registration_admin_secret }}"
method: POST
body_format: json
body: |
{
"one_time": {{ 'true' if one_time == 'yes' else 'false' }},
"ex_date": {{ ex_date|to_json }}
}
check_mode: no
register: matrix_registration_api_result
- set_fact:
matrix_registration_api_result_message: >-
matrix-registration result:
Direct registration link (with the token prefilled):
{{ matrix_registration_api_register_endpoint }}?token={{ matrix_registration_api_result.json.name }}
Full token details are:
{{ matrix_registration_api_result.json }}
check_mode: no
- name: Inject result message into matrix_playbook_runtime_results
set_fact:
matrix_playbook_runtime_results: |
{{
matrix_playbook_runtime_results|default([])
+
[matrix_registration_api_result_message]
}}
check_mode: no

64
roles/matrix-registration/tasks/init.yml
Unescape View File

@ -0,0 +1,64 @@
- set_fact:
matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-registration'] }}"
when: matrix_registration_enabled|bool
- block:
- name: Fail if matrix-nginx-proxy role already executed
fail:
msg: >-
Trying to append matrix-registration's reverse-proxying configuration to matrix-nginx-proxy,
but it's pointless since the matrix-nginx-proxy role had already executed.
To fix this, please change the order of roles in your plabook,
so that the matrix-nginx-proxy role would run after the matrix-registration role.
when: matrix_nginx_proxy_role_executed|default(False)|bool
- name: Generate matrix-registration proxying configuration for matrix-nginx-proxy
set_fact:
matrix_registration_matrix_nginx_proxy_configuration: |
rewrite ^{{ matrix_registration_public_endpoint }}$ $scheme://$server_name{{ matrix_registration_public_endpoint }}/ permanent;
rewrite ^{{ matrix_registration_public_endpoint }}/$ $scheme://$server_name{{ matrix_registration_public_endpoint }}/register redirect;
location ~ ^{{ matrix_registration_public_endpoint }}/(.*) {
{% if matrix_nginx_proxy_enabled|default(False) %}
{# Use the embedded DNS resolver in Docker containers to discover the service #}
resolver 127.0.0.11 valid=5s;
set $backend "matrix-registration:5000";
proxy_pass http://$backend/$1;
{% else %}
{# Generic configuration for use outside of our container setup #}
proxy_pass http://127.0.0.1:8767/$1;
{% endif %}
{#
Workaround matrix-registration serving static files at /static
(see https://github.com/ZerataX/matrix-registration/issues/29)
Also fixing the form, which goes to /register.
#}
sub_filter_once off;
sub_filter_types text/html text/css;
sub_filter "/static/" "{{ matrix_registration_public_endpoint }}/static/";
sub_filter "/register" "{{ matrix_registration_public_endpoint }}/register";
}
- name: Register matrix-registration proxying configuration with matrix-nginx-proxy
set_fact:
matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks: |
{{
matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks|default([])
+
[matrix_registration_matrix_nginx_proxy_configuration]
}}
tags:
- always
when: matrix_registration_enabled|bool
- name: Warn about reverse-proxying if matrix-nginx-proxy not used
debug:
msg: >-
NOTE: You've enabled the matrix-registration tool but are not using the matrix-nginx-proxy
reverse proxy.
Please make sure that you're proxying the `{{ matrix_registration_public_endpoint }}`
URL endpoint to the matrix-registration container.
You can expose the container's port using the `matrix_registration_container_http_host_bind_port` variable.
when: "matrix_registration_enabled|bool and matrix_nginx_proxy_enabled is not defined"

19
roles/matrix-registration/tasks/main.yml
Unescape View File

@ -0,0 +1,19 @@
- import_tasks: "{{ role_path }}/tasks/init.yml"
tags:
- always
- import_tasks: "{{ role_path }}/tasks/validate_config.yml"
when: "run_setup|bool and matrix_registration_enabled|bool"
tags:
- setup-all
- setup-matrix-registration
- import_tasks: "{{ role_path }}/tasks/setup.yml"
tags:
- setup-all
- setup-matrix-registration
- import_tasks: "{{ role_path }}/tasks/generate_token.yml"
when: "run_setup|bool and matrix_registration_enabled|bool"
tags:
- generate-matrix-registration-token

103
roles/matrix-registration/tasks/setup.yml
Unescape View File

@ -0,0 +1,103 @@
---
#
# Tasks related to setting up matrix-registration
#
- name: Ensure matrix-registration paths exist
file:
path: "{{ item.path }}"
state: directory
mode: 0750
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
with_items:
- { path: "{{ matrix_registration_base_path }}", when: true }
- { path: "{{ matrix_registration_config_path }}", when: true }
- { path: "{{ matrix_registration_data_path }}", when: true }
- { path: "{{ matrix_registration_docker_src_files_path }}", when: "{{ matrix_registration_container_image_self_build }}"}
when: matrix_registration_enabled|bool and item.when
- name: Ensure matrix-registration image is pulled
docker_image:
name: "{{ matrix_registration_docker_image }}"
source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
force_source: "{{ matrix_registration_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_registration_docker_image_force_pull }}"
when: "matrix_registration_enabled|bool and not matrix_registration_container_image_self_build|bool"
- name: Ensure matrix-registration repository is present when self-building
git:
repo: "{{ matrix_registration_docker_repo }}"
dest: "{{ matrix_registration_docker_src_files_path }}"
version: "{{ matrix_registration_version }}"
force: "yes"
register: matrix_registration_git_pull_results
when: "matrix_registration_enabled|bool and matrix_registration_container_image_self_build|bool"
- name: Ensure matrix-registration Docker image is built
docker_image:
name: "{{ matrix_registration_docker_image }}"
source: build
force_source: yes
build:
dockerfile: Dockerfile
path: "{{ matrix_registration_docker_src_files_path }}"
pull: yes
when: "matrix_registration_enabled|bool and matrix_registration_container_image_self_build|bool and matrix_registration_git_pull_results.changed"
- name: Ensure matrix-registration config installed
copy:
content: "{{ matrix_registration_configuration|to_nice_yaml }}"
dest: "{{ matrix_registration_config_path }}/config.yaml"
mode: 0644
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
when: matrix_registration_enabled|bool
- name: Ensure matrix-registration.service installed
template:
src: "{{ role_path }}/templates/systemd/matrix-registration.service.j2"
dest: "{{ matrix_systemd_path }}/matrix-registration.service"
mode: 0644
register: matrix_registration_systemd_service_result
when: matrix_registration_enabled|bool
- name: Ensure systemd reloaded after matrix-registration.service installation
service:
daemon_reload: yes
when: "matrix_registration_enabled|bool and matrix_registration_systemd_service_result.changed"
#
# Tasks related to getting rid of matrix-registration (if it was previously enabled)
#
- name: Check existence of matrix-registration service
stat:
path: "{{ matrix_systemd_path }}/matrix-registration.service"
register: matrix_registration_service_stat
- name: Ensure matrix-registration is stopped
service:
name: matrix-registration
state: stopped
daemon_reload: yes
register: stopping_result
when: "not matrix_registration_enabled|bool and matrix_registration_service_stat.stat.exists"
- name: Ensure matrix-registration.service doesn't exist
file:
path: "{{ matrix_systemd_path }}/matrix-registration.service"
state: absent
when: "not matrix_registration_enabled|bool and matrix_registration_service_stat.stat.exists"
- name: Ensure systemd reloaded after matrix-registration.service removal
service:
daemon_reload: yes
when: "not matrix_registration_enabled|bool and matrix_registration_service_stat.stat.exists"
- name: Ensure matrix-registration Docker image doesn't exist
docker_image:
name: "{{ matrix_registration_docker_image }}"
state: absent
when: "not matrix_registration_enabled|bool"

11
roles/matrix-registration/tasks/validate_config.yml
Unescape View File

@ -0,0 +1,11 @@
---
- name: Fail if required matrix-registration settings not defined
fail:
msg: >
You need to define a required configuration setting (`{{ item }}`) for using matrix-registration.
when: "vars[item] == ''"
with_items:
- "matrix_registration_shared_secret"
- "matrix_registration_admin_secret"
- "matrix_registration_server_location"

30
roles/matrix-registration/templates/config.yaml.j2
Unescape View File

@ -0,0 +1,30 @@
server_location: {{ matrix_registration_server_location|to_json }}
server_name: {{ matrix_registration_server_name|to_json }}
shared_secret: {{ matrix_registration_shared_secret|to_json }}
admin_secret: {{ matrix_registration_admin_secret|to_json }}
riot_instance: {{ matrix_registration_riot_instance|to_json }}
db: 'sqlite:////data/db.sqlite3'
host: '0.0.0.0'
port: 5000
rate_limit: ["100 per day", "10 per minute"]
allow_cors: false
logging:
disable_existing_loggers: False
version: 1
root:
level: DEBUG
handlers: [console]
formatters:
brief:
format: '%(name)s - %(levelname)s - %(message)s'
precise:
format: '%(asctime)s - %(name)s - %(levelname)s - %(message)s'
handlers:
console:
class: logging.StreamHandler
level: INFO
formatter: brief
stream: ext://sys.stdout
# password requirements
password:
min_length: 8

40
roles/matrix-registration/templates/systemd/matrix-registration.service.j2
Unescape View File

@ -0,0 +1,40 @@
#jinja2: lstrip_blocks: "True"
[Unit]
Description=matrix-registration
{% for service in matrix_registration_systemd_required_services_list %}
Requires={{ service }}
After={{ service }}
{% endfor %}
{% for service in matrix_registration_systemd_wanted_services_list %}
Wants={{ service }}
{% endfor %}
[Service]
Type=simple
ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-registration
ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-registration
ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-registration \
--log-driver=none \
--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
--cap-drop=ALL \
--network={{ matrix_docker_network }} \
{% if matrix_registration_container_http_host_bind_port %}
-p {{ matrix_registration_container_http_host_bind_port }}:5000 \
{% endif %}
-v {{ matrix_registration_config_path }}:/config:ro \
-v {{ matrix_registration_data_path }}:/data \
{% for arg in matrix_registration_container_extra_arguments %}
{{ arg }} \
{% endfor %}
{{ matrix_registration_docker_image }} \
serve
ExecStop=-{{ matrix_host_command_docker }} kill matrix-registration
ExecStop=-{{ matrix_host_command_docker }} rm matrix-registration
Restart=always
RestartSec=30
SyslogIdentifier=matrix-registration
[Install]
WantedBy=multi-user.target

4
roles/matrix-synapse-admin/defaults/main.yml
Unescape View File

@ -3,6 +3,10 @@
matrix_synapse_admin_enabled: true
matrix_synapse_admin_container_self_build: false
matrix_synapse_admin_docker_repo: "https://github.com/Awesome-Technologies/synapse-admin.git"
matrix_synapse_admin_docker_src_files_path: "{{ matrix_base_data_path }}/synapse-admin/docker-src"
matrix_synapse_admin_docker_image: "awesometechnologies/synapse-admin:0.4.1"
matrix_synapse_admin_docker_image_force_pull: "{{ matrix_synapse_admin_docker_image.endswith(':latest') }}"

21
roles/matrix-synapse-admin/tasks/setup.yml
Unescape View File

@ -10,7 +10,26 @@
source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
force_source: "{{ matrix_synapse_admin_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_synapse_admin_docker_image_force_pull }}"
when: matrix_synapse_admin_enabled|bool
when: "matrix_synapse_admin_enabled|bool and not matrix_synapse_admin_container_self_build|bool"
- name: Ensure matrix-synapse-admin repository is present when self-building
git:
repo: "{{ matrix_synapse_admin_docker_repo }}"
dest: "{{ matrix_synapse_admin_docker_src_files_path }}"
force: "yes"
register: matrix_synapse_admin_git_pull_results
when: "matrix_synapse_admin_enabled|bool and matrix_synapse_admin_container_self_build|bool"
- name: Ensure matrix-synapse-admin Docker image is built
docker_image:
name: "{{ matrix_synapse_admin_docker_image }}"
source: build
force_source: yes
build:
dockerfile: Dockerfile
path: "{{ matrix_synapse_admin_docker_src_files_path }}"
pull: yes
when: "matrix_synapse_admin_enabled|bool and matrix_synapse_admin_container_self_build|bool and matrix_synapse_admin_git_pull_results.changed"
- name: Ensure matrix-synapse-admin.service installed
template:

16
roles/matrix-synapse/defaults/main.yml
Unescape View File

@ -5,7 +5,7 @@ matrix_synapse_enabled: true
matrix_synapse_container_image_self_build: false
matrix_synapse_docker_image: "matrixdotorg/synapse:v1.17.0"
matrix_synapse_docker_image: "matrixdotorg/synapse:v1.19.3"
matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}"
matrix_synapse_base_path: "{{ matrix_base_data_path }}/synapse"
@ -73,13 +73,6 @@ matrix_synapse_registration_shared_secret: "{{ matrix_synapse_macaroon_secret_ke
matrix_synapse_allow_guest_access: false
matrix_synapse_form_secret: "{{ matrix_synapse_macaroon_secret_key }}"
matrix_synapse_id_servers_public: ['matrix.org', 'vector.im']
# The list of identity servers to use for Synapse.
# We assume this role runs standalone without a local Identity server, so we point Synapse to public ones.
# This most likely gets overwritten later, so that a local Identity server is used.
matrix_synapse_trusted_third_party_id_servers: "{{ matrix_synapse_id_servers_public }}"
matrix_synapse_max_upload_size_mb: 10
# The tmpfs at /tmp needs to be large enough to handle multiple concurrent file uploads.
@ -371,6 +364,13 @@ matrix_synapse_redaction_retention_period: 7d
matrix_synapse_user_ips_max_age: 28d
matrix_synapse_rust_synapse_compress_state_docker_image: "devture/rust-synapse-compress-state:v0.1.0"
matrix_synapse_rust_synapse_compress_state_docker_image_force_pull: "{{ matrix_synapse_rust_synapse_compress_state_docker_image.endswith(':latest') }}"
matrix_synapse_rust_synapse_compress_state_base_path: "{{ matrix_base_data_path }}/rust-synapse-compress-state"
# Default Synapse configuration template which covers the generic use case.
# You can customize it by controlling the various variables inside it.
#

5
roles/matrix-synapse/tasks/main.yml
Unescape View File

@ -43,6 +43,11 @@
tags:
- update-user-password
- import_tasks: "{{ role_path }}/tasks/rust-synapse-compress-state/main.yml"
when: run_synapse_rust_synapse_compress_state|bool
tags:
- rust-synapse-compress-state
- name: Mark matrix-synapse role as executed
set_fact:
matrix_synapse_role_executed: true

48
roles/matrix-synapse/tasks/rust-synapse-compress-state/compress_room.yml
Unescape View File

@ -0,0 +1,48 @@
- debug:
msg: "Compressing room `{{ room_details.room_id }}` having {{ room_details.count }} state group rows"
- name: Generate rust-synapse-compress-state room compression command
set_fact:
matrix_synapse_rust_synapse_compress_state_compress_room_command: >-
{{ matrix_host_command_docker }} run --rm --name matrix-rust-synapse-compress-state-compress-room
--user={{ matrix_user_uid }}:{{ matrix_user_gid }}
--cap-drop=ALL
--network={{ matrix_docker_network }}
-v {{ matrix_synapse_rust_synapse_compress_state_base_path }}:/work
{{ matrix_synapse_rust_synapse_compress_state_docker_image }}
/synapse-compress-state -t -o /work/state-compressor.sql
-p "host={{ matrix_synapse_database_host }} user={{ matrix_synapse_database_user }} password={{ matrix_synapse_database_password }} dbname={{ matrix_synapse_database_database }}"
-r '{{ room_details.room_id }}'
- name: Run rust-synapse-compress-state room compression command (SQL generation)
command: "{{ matrix_synapse_rust_synapse_compress_state_compress_room_command }}"
async: "{{ matrix_synapse_rust_synapse_compress_state_compress_room_time }}"
poll: 10
register: matrix_synapse_rust_synapse_compress_state_compress_room_command_result
- debug: var="matrix_synapse_rust_synapse_compress_state_compress_room_command_result"
- name: Generate Postgres compression SQL import command
set_fact:
matrix_synapse_rust_synapse_compress_state_psql_import_command: >-
{{ matrix_host_command_docker }} run --rm --name matrix-rust-synapse-compress-state-psql-import
--user={{ matrix_user_uid }}:{{ matrix_user_gid }}
--cap-drop=ALL
--network={{ matrix_docker_network }}
--env-file={{ matrix_postgres_base_path }}/env-postgres-psql
-v {{ matrix_synapse_rust_synapse_compress_state_base_path }}:/work:ro
--entrypoint=/bin/sh
{{ matrix_postgres_docker_image_latest }}
-c "cat /work/state-compressor.sql |
psql -v ON_ERROR_STOP=1 -h matrix-postgres"
- name: Import compression SQL into Postgres
command: "{{ matrix_synapse_rust_synapse_compress_state_psql_import_command }}"
async: "{{ matrix_synapse_rust_synapse_compress_state_psql_import_time }}"
poll: 10
register: matrix_synapse_rust_synapse_compress_state_psql_import_command_result
- name: Clean up
file:
path: "{{ matrix_synapse_rust_synapse_compress_state_base_path }}/state-compressor.sql"
state: absent

118
roles/matrix-synapse/tasks/rust-synapse-compress-state/main.yml
Unescape View File

@ -0,0 +1,118 @@
# Pre-checks
- name: Fail if Postgres not enabled
fail:
msg: "Postgres via the matrix-postgres role is not enabled (`matrix_postgres_enabled`). Cannot use rust-synapse-compress-state."
when: "not matrix_postgres_enabled|bool"
# Defaults
- name: Set matrix_synapse_rust_synapse_compress_state_find_rooms_command_wait_time, if not provided
set_fact:
matrix_synapse_rust_synapse_compress_state_find_rooms_command_wait_time: 15
when: "matrix_synapse_rust_synapse_compress_state_find_rooms_command_wait_time|default('') == ''"
- name: Set matrix_synapse_rust_synapse_compress_state_compress_room_time, if not provided
set_fact:
matrix_synapse_rust_synapse_compress_state_compress_room_time: 1800
when: "matrix_synapse_rust_synapse_compress_state_compress_room_time|default('') == ''"
- name: Set matrix_synapse_rust_synapse_compress_state_psql_import_time, if not provided
set_fact:
matrix_synapse_rust_synapse_compress_state_psql_import_time: 1800
when: "matrix_synapse_rust_synapse_compress_state_psql_import_time|default('') == ''"
- name: Set matrix_synapse_rust_synapse_compress_state_min_state_groups_required, if not provided
set_fact:
# The minimum number of state groups we're looking for before we consider a room eligible for compression.
# Rooms with a smaller state groups count will not be compressed.
matrix_synapse_rust_synapse_compress_state_min_state_groups_required: 100000
when: "matrix_synapse_rust_synapse_compress_state_min_state_groups_required|default('') == ''"
# Actual compression work
- name: Ensure rust-synapse-compress-state paths exist
file:
path: "{{ matrix_synapse_rust_synapse_compress_state_base_path }}"
state: directory
mode: 0750
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
- name: Ensure rust-synapse-compress-state image is pulled
docker_image:
name: "{{ matrix_synapse_rust_synapse_compress_state_docker_image }}"
source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
force_source: "{{ matrix_synapse_rust_synapse_compress_state_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_synapse_rust_synapse_compress_state_docker_image_force_pull }}"
- name: Generate rust-synapse-compress-state room find command
set_fact:
matrix_synapse_rust_synapse_compress_state_find_rooms_command: >-
{{ matrix_host_command_docker }} run --rm --name matrix-rust-synapse-compress-state-find-rooms
--user={{ matrix_user_uid }}:{{ matrix_user_gid }}
--cap-drop=ALL
--network={{ matrix_docker_network }}
--env-file={{ matrix_postgres_base_path }}/env-postgres-psql
{{ matrix_postgres_docker_image_latest }}
psql -v ON_ERROR_STOP=1 -h matrix-postgres {{ matrix_synapse_database_database }} -c
'SELECT array_to_json(array_agg(row_to_json (r))) FROM (SELECT room_id, count(*) AS count FROM state_groups_state GROUP BY room_id HAVING count(*) > {{ matrix_synapse_rust_synapse_compress_state_min_state_groups_required }} ORDER BY count DESC) r;'
- name: Find rooms eligible for compression with rust-synapse-compress-state
command: "{{ matrix_synapse_rust_synapse_compress_state_find_rooms_command }}"
async: "{{ matrix_synapse_rust_synapse_compress_state_find_rooms_command_wait_time }}"
poll: 10
register: matrix_synapse_rust_synapse_compress_state_find_rooms_command_result
# We expect the output to be like this:
#
# "stdout_lines": [
# " array_to_json ",
# "----------------------------------------------------------------------------------------------------------------------------",
# " [{\"room_id\":\"!some-id\",\"count\":2461329},{\"room_id\":\"!another-id\",\"count\":512017}]",
# "(1 row)"
# ]
#
# Row 3 (out of 4) contains the actual result.
#
# Row 3 contains a space when there's no result.
- block:
- debug: var="matrix_synapse_rust_synapse_compress_state_find_rooms_command_result"
- name: Fail if room find result is not what we expect
fail:
msg: >-
Expecting 4 lines in the "find rooms" result.
when: "matrix_synapse_rust_synapse_compress_state_find_rooms_command_result.failed or matrix_synapse_rust_synapse_compress_state_find_rooms_command_result.stdout_lines|length != 4"
- block:
# matrix_synapse_rust_synapse_compress_state_eligible_rooms is a list
# of dictionaries like this: {'room_id': '!some-id', 'count': 2461329}
- set_fact:
matrix_synapse_rust_synapse_compress_state_eligible_rooms: "{{ matrix_synapse_rust_synapse_compress_state_find_rooms_command_result.stdout_lines[2] | from_json }}"
- name: Display rooms that will be compressed
debug:
msg: >-
The following rooms contain more than {{ matrix_synapse_rust_synapse_compress_state_min_state_groups_required }} state group rows
(configurable via `matrix_synapse_rust_synapse_compress_state_min_state_groups_required`)
and will be compressed:
{{ matrix_synapse_rust_synapse_compress_state_eligible_rooms }}
- name: Compress room state
include_tasks: "{{ role_path }}/tasks/rust-synapse-compress-state/compress_room.yml"
with_items: "{{ matrix_synapse_rust_synapse_compress_state_eligible_rooms }}"
loop_control:
loop_var: room_details
when: "matrix_synapse_rust_synapse_compress_state_find_rooms_command_result.stdout_lines[2] != ' '"
- name: Show notice about lack of rooms to compress
debug:
msg: >-
No rooms were found to contain more than {{ matrix_synapse_rust_synapse_compress_state_min_state_groups_required }} state group rows
(configurable via `matrix_synapse_rust_synapse_compress_state_min_state_groups_required`),
so there's nothing to compress.
when: "matrix_synapse_rust_synapse_compress_state_find_rooms_command_result.stdout_lines[2] == ' '"

1
roles/matrix-synapse/tasks/validate_config.yml
Unescape View File

@ -32,3 +32,4 @@
- {'old': 'matrix_synapse_container_expose_federation_api_port', 'new': '<superseded by matrix_synapse_container_federation_api_plain_host_bind_port>'}
- {'old': 'matrix_synapse_container_expose_metrics_port', 'new': '<superseded by matrix_synapse_container_metrics_api_host_bind_port>'}
- {'old': 'matrix_synapse_cache_factor', 'new': 'matrix_synapse_caches_global_factor'}
- {'old': 'matrix_synapse_trusted_third_party_id_servers', 'new': '<deprecated in Synapse v0.99.4 and removed in Synapse v1.19.0>'}

251
roles/matrix-synapse/templates/synapse/homeserver.yaml.j2
Unescape View File

@ -89,7 +89,9 @@ default_room_version: {{ matrix_synapse_default_room_version|to_json }}
#gc_thresholds: [700, 10, 10]
# Set the limit on the returned events in the timeline in the get
# and sync operations. The default value is -1, means no upper limit.
# and sync operations. The default value is 100. -1 means no upper limit.
#
# Uncomment the following to increase the limit to 5000.
#
#filter_timeline_limit: 5000
@ -105,41 +107,6 @@ default_room_version: {{ matrix_synapse_default_room_version|to_json }}
#
#enable_search: false
# Restrict federation to the following whitelist of domains.
# N.B. we recommend also firewalling your federation listener to limit
# inbound federation traffic as early as possible, rather than relying
# purely on this application-layer restriction. If not specified, the
# default is to whitelist everything.
#
#federation_domain_whitelist:
# - lon.example.com
# - nyc.example.com
# - syd.example.com
{% if matrix_synapse_federation_domain_whitelist is not none %}
{# Cannot use `|to_nice_yaml` here, as an empty list does not get serialized properly by it. #}
federation_domain_whitelist: {{ matrix_synapse_federation_domain_whitelist|to_json }}
{% endif %}
# Prevent federation requests from being sent to the following
# blacklist IP address CIDR ranges. If this option is not specified, or
# specified with an empty list, no ip range blacklist will be enforced.
#
# As of Synapse v1.4.0 this option also affects any outbound requests to identity
# servers provided by user input.
#
# (0.0.0.0 and :: are always blacklisted, whether or not they are explicitly
# listed here, since they correspond to unroutable addresses.)
#
federation_ip_range_blacklist:
- '127.0.0.0/8'
- '10.0.0.0/8'
- '172.16.0.0/12'
- '192.168.0.0/16'
- '100.64.0.0/10'
- '169.254.0.0/16'
- '::1/128'
- 'fe80::/64'
- 'fc00::/7'
# List of ports that Synapse should listen on, their purpose and their
# configuration.
@ -169,7 +136,7 @@ federation_ip_range_blacklist:
# names: a list of names of HTTP resources. See below for a list of
# valid resource names.
#
# compress: set to true to enable HTTP comression for this resource.
# compress: set to true to enable HTTP compression for this resource.
#
# additional_resources: Only valid for an 'http' listener. A map of
# additional endpoints which should be loaded via dynamic modules.
@ -342,6 +309,10 @@ limit_remote_rooms:
#
#complexity_error: "This room is too complex."
# allow server admins to join complex rooms. Default is false.
#
#admins_can_join: true
# Whether to require a user to be in the room to add an alias to it.
# Defaults to 'true'.
#
@ -610,6 +581,43 @@ acme:
# Restrict federation to the following whitelist of domains.
# N.B. we recommend also firewalling your federation listener to limit
# inbound federation traffic as early as possible, rather than relying
# purely on this application-layer restriction. If not specified, the
# default is to whitelist everything.
#
#federation_domain_whitelist:
# - lon.example.com
# - nyc.example.com
# - syd.example.com
{% if matrix_synapse_federation_domain_whitelist is not none %}
{# Cannot use `|to_nice_yaml` here, as an empty list does not get serialized properly by it. #}
federation_domain_whitelist: {{ matrix_synapse_federation_domain_whitelist|to_json }}
{% endif %}
# Prevent federation requests from being sent to the following
# blacklist IP address CIDR ranges. If this option is not specified, or
# specified with an empty list, no ip range blacklist will be enforced.
#
# As of Synapse v1.4.0 this option also affects any outbound requests to identity
# servers provided by user input.
#
# (0.0.0.0 and :: are always blacklisted, whether or not they are explicitly
# listed here, since they correspond to unroutable addresses.)
#
federation_ip_range_blacklist:
- '127.0.0.0/8'
- '10.0.0.0/8'
- '172.16.0.0/12'
- '192.168.0.0/16'
- '100.64.0.0/10'
- '169.254.0.0/16'
- '::1/128'
- 'fe80::/64'
- 'fc00::/7'
## Caching ##
# Caching can be configured through the following options.
@ -699,6 +707,10 @@ log_config: "/data/{{ matrix_server_fqn_matrix }}.log.config"
# - one for ratelimiting redactions by room admins. If this is not explicitly
# set then it uses the same ratelimiting as per rc_message. This is useful
# to allow room admins to deal with abuse quickly.
# - two for ratelimiting number of rooms a user can join, "local" for when
# users are joining rooms the server is already in (this is cheap) vs
# "remote" for when users are trying to join rooms not on the server (which
# can be more expensive)
#
# The defaults are as shown below.
#
@ -727,6 +739,14 @@ rc_login: {{ matrix_synapse_rc_login|to_json }}
#rc_admin_redaction:
# per_second: 1
# burst_count: 50
#
#rc_joins:
# local:
# per_second: 0.1
# burst_count: 3
# remote:
# per_second: 0.01
# burst_count: 3
# Ratelimiting settings for incoming federation
@ -1113,25 +1133,6 @@ allow_guest_access: {{ matrix_synapse_allow_guest_access|to_json }}
#
#default_identity_server: https://matrix.org
# The list of identity servers trusted to verify third party
# identifiers by this server.
#
# Also defines the ID server which will be called when an account is
# deactivated (one will be picked arbitrarily).
#
# Note: This option is deprecated. Since v0.99.4, Synapse has tracked which identity
# server a 3PID has been bound to. For 3PIDs bound before then, Synapse runs a
# background migration script, informing itself that the identity server all of its
# 3PIDs have been bound to is likely one of the below.
#
# As of Synapse v1.4.0, all other functionality of this option has been deprecated, and
# it is now solely used for the purposes of the background migration script, and can be
# removed once it has run.
{% if matrix_synapse_trusted_third_party_id_servers|length > 0 %}
trusted_third_party_id_servers:
{{ matrix_synapse_trusted_third_party_id_servers|to_nice_yaml }}
{% endif %}
# Handle threepid (email/phone etc) registration and password resets through a set of
# *trusted* identity servers. Note that this allows the configured identity server to
# reset passwords for accounts!
@ -1542,6 +1543,17 @@ saml2_config:
#
#grandfathered_mxid_source_attribute: upn
# It is possible to configure Synapse to only allow logins if SAML attributes
# match particular values. The requirements can be listed under
# `attribute_requirements` as shown below. All of the listed attributes must
# match for the login to be permitted.
#
#attribute_requirements:
# - attribute: userGroup
# value: "staff"
# - attribute: department
# value: "sales"
# Directory in which Synapse will try to find the template files below.
# If not set, default templates from within the Synapse package will be used.
#
@ -1788,6 +1800,9 @@ sso:
# Each JSON Web Token needs to contain a "sub" (subject) claim, which is
# used as the localpart of the mxid.
#
# Additionally, the expiration time ("exp"), not before time ("nbf"),
# and issued at ("iat") claims are validated if present.
#
# Note that this is a non-standard login type and client support is
# expected to be non-existant.
#
@ -1879,8 +1894,8 @@ email:
#notif_from: "Your Friendly %(app)s homeserver <noreply@example.com>"
notif_from: {{ matrix_synapse_email_notif_from|string|to_json }}
# app_name defines the default value for '%(app)s' in notif_from. It
# defaults to 'Matrix'.
# app_name defines the default value for '%(app)s' in notif_from and email
# subjects. It defaults to 'Matrix'.
#
#app_name: my_branded_matrix_server
app_name: Matrix
@ -1946,6 +1961,73 @@ email:
# https://github.com/matrix-org/synapse/tree/master/synapse/res/templates
#
#template_dir: "res/templates"
# Subjects to use when sending emails from Synapse.
#
# The placeholder '%(app)s' will be replaced with the value of the 'app_name'
# setting above, or by a value dictated by the Matrix client application.
#
# If a subject isn't overridden in this configuration file, the value used as
# its example will be used.
#
#subjects:
# Subjects for notification emails.
#
# On top of the '%(app)s' placeholder, these can use the following
# placeholders:
#
# * '%(person)s', which will be replaced by the display name of the user(s)
# that sent the message(s), e.g. "Alice and Bob".
# * '%(room)s', which will be replaced by the name of the room the
# message(s) have been sent to, e.g. "My super room".
#
# See the example provided for each setting to see which placeholder can be
# used and how to use them.
#
# Subject to use to notify about one message from one or more user(s) in a
# room which has a name.
#message_from_person_in_room: "[%(app)s] You have a message on %(app)s from %(person)s in the %(room)s room..."
#
# Subject to use to notify about one message from one or more user(s) in a
# room which doesn't have a name.
#message_from_person: "[%(app)s] You have a message on %(app)s from %(person)s..."
#
# Subject to use to notify about multiple messages from one or more users in
# a room which doesn't have a name.
#messages_from_person: "[%(app)s] You have messages on %(app)s from %(person)s..."
#
# Subject to use to notify about multiple messages in a room which has a
# name.
#messages_in_room: "[%(app)s] You have messages on %(app)s in the %(room)s room..."
#
# Subject to use to notify about multiple messages in multiple rooms.
#messages_in_room_and_others: "[%(app)s] You have messages on %(app)s in the %(room)s room and others..."
#
# Subject to use to notify about multiple messages from multiple persons in
# multiple rooms. This is similar to the setting above except it's used when
# the room in which the notification was triggered has no name.
#messages_from_person_and_others: "[%(app)s] You have messages on %(app)s from %(person)s and others..."
#
# Subject to use to notify about an invite to a room which has a name.
#invite_from_person_to_room: "[%(app)s] %(person)s has invited you to join the %(room)s room on %(app)s..."
#
# Subject to use to notify about an invite to a room which doesn't have a
# name.
#invite_from_person: "[%(app)s] %(person)s has invited you to chat on %(app)s..."
# Subject for emails related to account administration.
#
# On top of the '%(app)s' placeholder, these one can use the
# '%(server_name)s' placeholder, which will be replaced by the value of the
# 'server_name' setting in your Synapse configuration.
#
# Subject to use when sending a password reset email.
#password_reset: "[%(server_name)s] Password reset"
#
# Subject to use when sending a verification email to assert an address's
# ownership.
#email_validation: "[%(server_name)s] Validate your email"
{% endif %}
# Password providers allow homeserver administrators to integrate
@ -2303,4 +2385,57 @@ opentracing:
# false
## Workers ##
# Disables sending of outbound federation transactions on the main process.
# Uncomment if using a federation sender worker.
#
#send_federation: false
# It is possible to run multiple federation sender workers, in which case the
# work is balanced across them.
#
# This configuration must be shared between all federation sender workers, and if
# changed all federation sender workers must be stopped at the same time and then
# started, to ensure that all instances are running with the same config (otherwise
# events may be dropped).
#
#federation_sender_instances:
# - federation_sender1
# When using workers this should be a map from `worker_name` to the
# HTTP replication listener of the worker, if configured.
#
#instance_map:
# worker1:
# host: localhost
# port: 8034
# Experimental: When using workers you can define which workers should
# handle event persistence and typing notifications. Any worker
# specified here must also be in the `instance_map`.
#
#stream_writers:
# events: worker1
# typing: worker1
# Configuration for Redis when using workers. This *must* be enabled when
# using workers (unless using old style direct TCP configuration).
#
redis:
# Uncomment the below to enable Redis support.
#
#enabled: true
# Optional host and port to use to connect to redis. Defaults to
# localhost and 6379
#
#host: localhost
#port: 6379
# Optional password if configured on the Redis instance
#
#password: <secret_password>
# vim:ft=yaml

2
roles/matrix-synapse/vars/main.yml
Unescape View File

@ -1,7 +1,5 @@
---
matrix_synapse_id_servers_public: ['vector.im', 'matrix.org']
matrix_synapse_client_api_url_endpoint_public: "https://{{ matrix_server_fqn_matrix }}/_matrix/client/versions"
matrix_synapse_federation_api_url_endpoint_public: "https://{{ matrix_server_fqn_matrix }}:{{ matrix_federation_public_port }}/_matrix/federation/v1/version"

1
setup.yml
Unescape View File

@ -26,6 +26,7 @@
- matrix-bot-matrix-reminder-bot
- matrix-synapse
- matrix-synapse-admin
- matrix-registration
- matrix-client-element
- matrix-jitsi
- matrix-ma1sd

Write Preview
Loading…
Cancel
Save