diff --git a/.config/ansible-lint.yml b/.config/ansible-lint.yml
index 00d62f20..0ff5748c 100644
--- a/.config/ansible-lint.yml
+++ b/.config/ansible-lint.yml
@@ -9,6 +9,7 @@ skip_list:
 - schema
 - command-instead-of-shell
 - role-name
+ - var-naming[no-role-prefix]
 # We frequently load configuration from a template (into a variable), then merge that with another variable (configuration extension)
 # before finally dumping it to a file.
 - template-instead-of-copy
diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 00000000..6313b56c
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1 @@
+* text=auto eol=lf
diff --git a/.github/renovate.json b/.github/renovate.json
new file mode 100644
index 00000000..8cd189ae
--- /dev/null
+++ b/.github/renovate.json
@@ -0,0 +1,24 @@
+{
+ "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+ "extends": [
+ "config:base"
+ ],
+ "regexManagers": [
+ {
+ "fileMatch": ["defaults/main.yml$"],
+ "matchStrings": [
+ "# renovate: datasource=(?[a-z-.]+?) depName=(?[^\\s]+?)(?: (?:lookupName|packageName)=(?[^\\s]+?))?(?: versioning=(?[a-z-0-9]+?))?\\s+[A-Za-z0-9_]+?(?:_version|_tag)\\s*:\\s*[\"']?(?.+?)[\"']?\\s"
+ ]
+ }
+ ],
+ "packageRules": [
+ {
+ "matchSourceUrlPrefixes": [
+ "https://github.com/devture/com.devture.ansible.role",
+ "https://gitlab.com/etke.cc/roles",
+ "https://github.com/mother-of-all-self-hosting"
+ ],
+ "ignoreUnstable": false
+ }
+ ]
+}
diff --git a/.github/workflows/matrix.yml b/.github/workflows/matrix.yml
index 579ab719..8e7df118 100644
--- a/.github/workflows/matrix.yml
+++ b/.github/workflows/matrix.yml
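Review bot: The new `var-naming[no-role-prefix]` entry is added to `skip_list` without a reason, while the neighbouring `template-instead-of-copy` entry carries a two-line justification. A `skip_list` entry silences the check for every role that ansible-lint scans (the workflow points it at `roles/custom`), so the rationale belongs next to it, e.g. `# Role variables deliberately share the playbook-wide prefix instead of a per-role one` — adjust to the actual reason, which is presumably the shared variable prefix. If only a few roles trip the rule, `warn_list` would keep the signal visible for the rest instead of discarding it. The `skip_list` mapping starts outside the hunk.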
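Review bot: The capture groups in `matchStrings` appear here without names (`(?[a-z-.]+?)`, `(?[^\\s]+?)`, `(?.+?)`), and Renovate's regex manager only fills `datasource`, `depName`, `packageName`, `versioning` and `currentValue` from named groups, so as rendered the pattern would not compile, let alone match. If the `<name>` parts were stripped by this rendering there is nothing to fix; otherwise they need restoring as `(?<datasource>[a-z-.]+?)` and so on for the other groups. `"ignoreUnstable": false` for the three source prefixes means pre-release tags of those roles will be proposed as updates, which looks intentional but is undocumented. JSON allows no inline comment, so either record that reason in the PR description or use `renovate.json5`, where a `//` comment can sit beside the rule.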
@@ -11,16 +11,16 @@ jobs: runs-on: ubuntu-latest steps: - name: Check out - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Run yamllint - uses: frenck/action-yamllint@v1.4.1 + uses: frenck/action-yamllint@v1.4.2 ansible-lint: name: ansible-lint runs-on: ubuntu-latest steps: - name: Check out - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Run ansible-lint - uses: ansible-community/ansible-lint-action@v6.16.0 + uses: ansible-community/ansible-lint-action@v6.17.0 with: path: roles/custom diff --git a/.gitignore b/.gitignore index 42187739..6b56900a 100644 --- a/.gitignore +++ b/.gitignore @@ -5,6 +5,7 @@ /roles/**/files/scratchpad .DS_Store .python-version +.idea/ flake.lock # ignore roles pulled by ansible-galaxy diff --git a/CHANGELOG.md b/CHANGELOG.md index 70b17b00..9a787876 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,3 +1,94 @@
+# 2023-10-23
+
+## Enabling `allow_public_rooms_over_federation` by default for Synapse
+
+**TDLR**: if your Matrix server is federating (which it mostly likely is, unless you've [disabled federation](docs/configuring-playbook-federation.md#disabling-federation)), your public rooms will not only be joinable across federation (as they've always been), but from now on will be discoverable (made available as a list across federation). We're changing this by flipping the value for Synapse's `allow_public_rooms_over_federation` setting to `true`, going against the upstream default. Servers that disable federation are not affected. Servers that have public rooms which are not published to the room directory are also not affected.
+
+We generally try to stick to the default configuration for Synapse (and all other components), unless these defaults seem wrong or harmful. One such previous case from a few months ago was us [Enabling `forget_rooms_on_leave` by default for Synapse](#enabling-forget_rooms_on_leave-by-default-for-synapse) - the default value was making Synapse more wasteful of resources by default.
+
+Today, we're going against upstream defaults again and flipping the `allow_public_rooms_over_federation` configuration option to `true`.
+This way, public rooms on your server will be made discoverable by others via federation, using the [`GET /_matrix/federation/v1/publicRooms` of the Server-Server API](https://spec.matrix.org/v1.8/server-server-api/#get_matrixfederationv1publicrooms).
+
+The upstream Synapse default is `false` (disabled), so that public rooms are not exposed for other servers to discover (learn about their existence). Nevertheless, even if these rooms are not exposed (listed) for discovery, they are **still joinable** by anyone who knows their address or is invited to the room by an existing member.
+
+**We go against the upstream default** in an effort to make Matrix federation more useful - a public room should be globally public - not only joinable, but also discoverable across federation.
+
+The **historical reasoning** behind this change is as follows:
+
+- `allow_public_rooms_over_federation` seems to have been enabled by default for Synapse until v1.7.0 (~2019), just like we believe it should be for a globally-federating network - rooms should be joinable and discoverable across federation.
+
+- In Synapse v1.7.0 (~2019), `allow_public_rooms_over_federation` [got disabled](https://github.com/matrix-org/synapse/blob/e9069c9f919685606506f04527332e83fbfa44d9/docs/upgrade.md?plain=1#L1877-L1891) by default in a [security-by-obscurity](https://en.wikipedia.org/wiki/Security_through_obscurity) workaround for misconfigured servers. See the [Avoiding unwelcome visitors on private Matrix servers](https://matrix.org/blog/2019/11/09/avoiding-unwelcome-visitors-on-private-matrix-servers/) `matrix.org` blog article. We believe that people wishing for a truly private server, should [disable federation](docs/configuring-playbook-federation.md#disabling-federation), instead of having a fully-federating server and trying to hide its public rooms. We also provide other workarounds below. We (and the Synapse team, obviously) believe that Matrix should federate by default, so federating the public room list seems to make sense.
+
+- [etke.cc](https://etke.cc/) has been developing the free-software [Matrix Rooms Search](https://gitlab.com/etke.cc/mrs) project for a while now. One public (demo) instance of it is hosted at [matrixrooms.info](https://matrixrooms.info/). This search engine tries to go through the Matrix federation and discover & index public rooms to allow people to find them. We believe it's vital for Matrix (and any chat or social network for that matter) to be more discoverable, so that people can find communities and others to talk to.
Today (on 23rd of October 2023), `matrixrooms.info` is indexing `23066` Matrix servers. Of these, only `1567` servers (7%) are making their public rooms discoverable. Who knows what wonderful communities and rooms are available on these 93% other Matrix servers that are supposedly federating, but are still gate-keeping their public room list. Indubitably, many of these servers are hosted via matrix-docker-ansible-deploy, so we feel partially responsible for making Matrix federation less useful.
+
+Here are **actions you may wish to take** as a result of this change:
+
+- (recommended) embrace the new default. If your Matrix server is federating, your public rooms have always been joinable across federation anyway. Exposing the list of public rooms does no harm and more-so does good by contributing to the usefulness of the Matrix network by facilitating room discovery.
+
+- (switch to a better way of doings things on your semi-private server) The problem that the Synapse team appears to have solved by flipping the `allow_public_rooms_over_federation` default in Synapse v1.7.0 seems to for "mostly private" servers, which federate and have a bunch of rooms made public (and published in their room directory) in an effort to allow people on the same homeserver to easily find and join them (self-onboarding). With the introduction of Matrix Spaces, you can reorganize your flow around spaces - you can auto-join your users to a Matrix Space (via Synapse's `auto_join_rooms` setting - controlled by our `matrix_synapse_auto_join_rooms` variable), then add a bunch of rooms to the space and make them joinable by people belonging to the space. That is to say, do not make rooms public and do not publish them to the room directory unless they are really public. Instead, use other mechanisms for semi-public rooms or private rooms.
One alternative is to stick to what you're doing (public rooms published to your rooms directory) but having a `m.federate: true` flag set during creation (clients like Element have a nice UI checkbox for this) to explicitly disable federation for them.
+
+- (keeping the old behavior) if you wish to keep doing what you're doing (keeping your Matrix server federating, but hiding its public rooms list), add `matrix_synapse_allow_public_rooms_over_federation: false` to your `vars.yml` configuration. This restores the old behavior. You may also consider [disabling federation](docs/configuring-playbook-federation.md#disabling-federation) completely instead of relying on security-by-obscurity measures.
+
+
+# 2023-10-18
+
+## Postgres parameters are automatically tuned now
+
+The playbook has provided some hints about [Tuning PostgreSQL](docs/maintenance-postgres.md#tuning-postgresql) for quite a while now.
+
+From now on, the [Postgres Ansible role](https://github.com/devture/com.devture.ansible.role.postgres) automatically tunes your Postgres configuration with the same [calculation logic](https://github.com/le0pard/pgtune/blob/master/src/features/configuration/configurationSlice.js) that powers https://pgtune.leopard.in.ua/.
+
+Our [Tuning PostgreSQL](docs/maintenance-postgres.md#tuning-postgresql) documentation page has details about how you can turn auto-tuning off or adjust the automatically-determined Postgres configuration parameters manually.
+
+People who [enable load-balancing with Synapse workers](docs/configuring-playbook-synapse.md#load-balancing-with-workers) no longer need to increase the maximum number of Postgres connections manually (previously done via `devture_postgres_process_extra_arguments`). There's a new variable (`devture_postgres_max_connections`) for controlling this number and the playbook automatically raises its value from `200` to `500` for setups which enable workers.
+
+
+# 2023-08-31
+
+## SchildiChat support
+
+Thanks to [Aine](https://gitlab.com/etke.cc) of [etke.cc](https://etke.cc/), the playbook can now set up the [SchildiChat](https://github.com/SchildiChat/schildichat-desktop) client.
+
+See our [Configuring SchildiChat](docs/configuring-playbook-client-schildichat.md) documentation to get started.
+
+
+# 2023-08-23
+
+## mautrix-wsproxy support
+
+Thanks to [Johan Swetzén](https://github.com/jswetzen)'s efforts (who finished what was started by [James Reilly](https://github.com/hanthor) and [Shreyas Ajjarapu](https://github.com/shreyasajj)), the playbook now supports bridging to Android SMS and Apple iMessage via the [mautrix-wsproxy](https://github.com/mautrix/wsproxy) service (in combination with a [mautrix-imessage](https://github.com/mautrix/imessage) bridge running on your Mac or Android phone).
+
+See our [Setting up Mautrix wsproxy for bridging Android SMS or Apple iMessage](docs/configuring-playbook-bridge-mautrix-wsproxy.md) documentation page for getting started.
+
+
+# 2023-07-24
+
+## matrix-registration-bot usage changed
+
+[matrix-registration-bot](docs/configuring-playbook-bot-matrix-registration-bot.md) got some updates and now supports password-only-based login. Therefore the bot now doesn't need any manual configuration except setting a password in your `vars.yml`. The bot will be registered as admin and access tokens will be obtained automatically by the bot.
+
+**For existing users** You need to set `matrix_bot_matrix_registration_bot_bot_password` if you previously only used `matrix_bot_matrix_registration_bot_bot_access_token`.
Please also remove the following deprecated settings + +* `matrix_bot_matrix_registration_bot_bot_access_token` +* `matrix_bot_matrix_registration_bot_api_token` + + +# 2023-07-21 + +## mautrix-gmessages support + +Thanks to [Shreyas Ajjarapu](https://github.com/shreyasajj)'s efforts, the playbook now supports bridging to [Google Messages](https://messages.google.com/) via the [mautrix-gmessages](https://github.com/mautrix/gmessages) bridge. See our [Setting up Mautrix Google Messages bridging](docs/configuring-playbook-bridge-mautrix-gmessages.md) documentation page for getting started. + + +# 2023-07-17 + +## matrix-media-repo support + +Thanks to [Michael Hollister](https://github.com/Michael-Hollister) from [FUTO](https://www.futo.org/), the creators of the [Circles app](https://circu.li/), the playbook can now set up [matrix-media-repo](https://github.com/turt2live/matrix-media-repo) - an alternative way to store homeserver media files, powered by a homeserver-independent implementation which supports S3 storage, IPFS, deduplication and other advanced features. + +To learn more see our [Storing Matrix media files using matrix-media-repo](docs/configuring-playbook-matrix-media-repo.md) documentation page. + + # 2023-05-25 ## Enabling `forget_rooms_on_leave` by default for Synapse 
@@ -359,7 +450,7 @@ Additional details are available in the [Authenticate using Matrix OpenID (Auth- ## Draupnir moderation tool (bot) support -Thanks to [FSG-Cat](https://github.com/FSG-Cat), the playbook can now install and configure the [Draupnir](https://github.com/Gnuxie/Draupnir) moderation tool (bot). Draupnir is a fork of [Mjolnir](docs/configuring-playbook-bot-mjolnir.md) (which the playbook has supported for a long time) maintained by Mjolnir's former lead developer. +Thanks to [FSG-Cat](https://github.com/FSG-Cat), the playbook can now install and configure the [Draupnir](https://github.com/the-draupnir-project/Draupnir) moderation tool (bot). Draupnir is a fork of [Mjolnir](docs/configuring-playbook-bot-mjolnir.md) (which the playbook has supported for a long time) maintained by Mjolnir's former lead developer. Additional details are available in [Setting up Draupnir](docs/configuring-playbook-bot-draupnir.md). diff --git a/README.md b/README.md index 8b026509..82899a36 100644 --- a/README.md +++ b/README.md 
@@ -17,7 +17,7 @@ We run all services in [Docker](https://www.docker.com/) containers (see [the co This Ansible playbook tries to make self-hosting and maintaining a Matrix server fairly easy. Still, running any service smoothly requires knowledge, time and effort. -If you like the [FOSS](https://en.wikipedia.org/wiki/Free_and_open-source_software) spirit of this Ansible playbook, but prefer to put the responsibility on someone else, you can also [get a managed Matrix server from etke.cc](https://etke.cc/) - a service built on top of this Ansible playbook, which can help you run a Matrix server with ease. +If you like the [FOSS](https://en.wikipedia.org/wiki/Free_and_open-source_software) spirit of this Ansible playbook, but prefer to put the responsibility on someone else, you can also [get a managed Matrix server from etke.cc](https://etke.cc?utm_source=github&utm_medium=readme&utm_campaign=mdad) - a service built on top of this Ansible playbook, which can help you run a Matrix server with ease. If you like learning and experimentation, but would rather reduce future maintenance effort, you can even go for a hybrid approach - self-hosting manually using this Ansible playbook at first and then transferring server maintenance to etke.cc at a later time. 
@@ -47,9 +47,10 @@ Web clients for matrix that you can host on your own domains. | Name | Default? | Description | Documentation | | ---- | -------- | ----------- | ------------- | -[Element](https://app.element.io/) | ✓ | Web UI, which is configured to connect to your own Synapse server by default | [Link](docs/configuring-playbook-client-element.md) | -| [Hydrogen](https://github.com/vector-im/hydrogen-web) | x | Web client | [Link](docs/configuring-playbook-client-hydrogen.md) | -| [Cinny](https://github.com/ajbura/cinny) | x | Web client | [Link](docs/configuring-playbook-client-cinny.md) | +| [Element](https://app.element.io/) | ✓ | Web UI, which is configured to connect to your own Synapse server by default | [Link](docs/configuring-playbook-client-element.md) | +| [Hydrogen](https://github.com/vector-im/hydrogen-web) | x | Lightweight matrix client with legacy and mobile browser support | [Link](docs/configuring-playbook-client-hydrogen.md) | +| [Cinny](https://github.com/ajbura/cinny) | x | Simple, elegant and secure web client | [Link](docs/configuring-playbook-client-cinny.md) | +| [SchildiChat](https://schildi.chat/) | x | Based on Element, with a more traditional instant messaging experience | [Link](docs/configuring-playbook-client-schildichat.md) | 
@@ -92,6 +93,7 @@ Use alternative file storage to the default `media_store` folder. | ---- | -------- | ----------- | ------------- | | [Goofys](https://github.com/kahing/goofys) | x | [Amazon S3](https://aws.amazon.com/s3/) (or other S3-compatible object store) storage for Synapse's content repository (`media_store`) files | [Link](docs/configuring-playbook-s3-goofys.md) | | [synapse-s3-storage-provider](https://github.com/matrix-org/synapse-s3-storage-provider) | x | [Amazon S3](https://aws.amazon.com/s3/) (or other S3-compatible object store) storage for Synapse's content repository (`media_store`) files | [Link](docs/configuring-playbook-s3.md) | +| [matrix-media-repo](https://github.com/turt2live/matrix-media-repo) | x | matrix-media-repo is a highly customizable multi-domain media repository for Matrix. Intended for medium to large deployments, this media repo de-duplicates media while being fully compliant with the specification. | [Link](docs/configuring-playbook-matrix-media-repo.md) | ### Bridges 
@@ -99,32 +101,33 @@ Bridges can be used to connect your matrix installation with third-party communi | Name | Default? | Description | Documentation | | ---- | -------- | ----------- | ------------- | -| [mautrix-discord](https://github.com/mautrix/discord) | x | Bridge for bridging your Matrix server to [Discord](https://discord.com/) | [Link](docs/configuring-playbook-bridge-mautrix-discord.md) | -| [mautrix-slack](https://github.com/mautrix/slack) | x | Bridge for bridging your Matrix server to [Slack](https://slack.com/) | [Link](docs/configuring-playbook-bridge-mautrix-slack.md) | -| [mautrix-telegram](https://github.com/mautrix/telegram) | x | Bridge for bridging your Matrix server to [Telegram](https://telegram.org/) | [Link](docs/configuring-playbook-bridge-mautrix-telegram.md) | -| [mautrix-whatsapp](https://github.com/mautrix/whatsapp) | x | Bridge for bridging your Matrix server to [WhatsApp](https://www.whatsapp.com/) | [Link](docs/configuring-playbook-bridge-mautrix-whatsapp.md) | -| [mautrix-facebook](https://github.com/mautrix/facebook) | x | Bridge for bridging your Matrix server to [Facebook](https://facebook.com/) | [Link](docs/configuring-playbook-bridge-mautrix-facebook.md) | -| [mautrix-twitter](https://github.com/mautrix/twitter) | x | Bridge for bridging your Matrix server to [Twitter](https://twitter.com/) | [Link](docs/configuring-playbook-bridge-mautrix-twitter.md) | -| [mautrix-hangouts](https://github.com/mautrix/hangouts) | x | Bridge for bridging your Matrix server to [Google Hangouts](https://en.wikipedia.org/wiki/Google_Hangouts) | [Link](docs/configuring-playbook-bridge-mautrix-hangouts.md) | -| [mautrix-googlechat](https://github.com/mautrix/googlechat) | x | Bridge for bridging your Matrix server to [Google Chat](https://en.wikipedia.org/wiki/Google_Chat) | [Link](docs/configuring-playbook-bridge-mautrix-googlechat.md) | -| [mautrix-instagram](https://github.com/mautrix/instagram) | x | Bridge for bridging your Matrix server to 
[Instagram](https://instagram.com/) | [Link](docs/configuring-playbook-bridge-mautrix-instagram.md) |
-| [mautrix-signal](https://github.com/mautrix/signal) | x | Bridge for bridging your Matrix server to [Signal](https://www.signal.org/) | [Link](docs/configuring-playbook-bridge-mautrix-signal.md) |
-| [beeper-linkedin](https://github.com/beeper/linkedin) | x | Bridge for bridging your Matrix server to [LinkedIn](https://www.linkedin.com/) | [Link](docs/configuring-playbook-bridge-beeper-linkedin.md) |
-| [matrix-appservice-irc](https://github.com/matrix-org/matrix-appservice-irc) | x | Bridge for bridging your Matrix server to [IRC](https://wikipedia.org/wiki/Internet_Relay_Chat) | [Link](docs/configuring-playbook-bridge-appservice-irc.md) |
-| [matrix-appservice-discord](https://github.com/Half-Shot/matrix-appservice-discord) | x | Bridge for bridging your Matrix server to [Discord](https://discordapp.com/) | [Link](docs/configuring-playbook-bridge-appservice-discord.md) |
-| [matrix-appservice-slack](https://github.com/matrix-org/matrix-appservice-slack) | x | Bridge for bridging your Matrix server to [Slack](https://slack.com/) | [Link](docs/configuring-playbook-bridge-appservice-slack.md) |
+| [mautrix-discord](https://github.com/mautrix/discord) | x | Bridge to [Discord](https://discord.com/) | [Link](docs/configuring-playbook-bridge-mautrix-discord.md) |
+| [mautrix-slack](https://github.com/mautrix/slack) | x | Bridge to [Slack](https://slack.com/) | [Link](docs/configuring-playbook-bridge-mautrix-slack.md) |
+| [mautrix-telegram](https://github.com/mautrix/telegram) | x | Bridge to [Telegram](https://telegram.org/) | [Link](docs/configuring-playbook-bridge-mautrix-telegram.md) |
+| [mautrix-gmessages](https://github.com/mautrix/gmessages) | x | Bridge to [Google Messages](https://messages.google.com/) | [Link](docs/configuring-playbook-bridge-mautrix-gmessages.md) |
+| [mautrix-whatsapp](https://github.com/mautrix/whatsapp) | x | Bridge to
[WhatsApp](https://www.whatsapp.com/) | [Link](docs/configuring-playbook-bridge-mautrix-whatsapp.md) |
+| [mautrix-facebook](https://github.com/mautrix/facebook) | x | Bridge to [Facebook](https://facebook.com/) | [Link](docs/configuring-playbook-bridge-mautrix-facebook.md) |
+| [mautrix-twitter](https://github.com/mautrix/twitter) | x | Bridge to [Twitter](https://twitter.com/) | [Link](docs/configuring-playbook-bridge-mautrix-twitter.md) |
+| [mautrix-hangouts](https://github.com/mautrix/hangouts) | x | Bridge to [Google Hangouts](https://en.wikipedia.org/wiki/Google_Hangouts) | [Link](docs/configuring-playbook-bridge-mautrix-hangouts.md) |
+| [mautrix-googlechat](https://github.com/mautrix/googlechat) | x | Bridge to [Google Chat](https://en.wikipedia.org/wiki/Google_Chat) | [Link](docs/configuring-playbook-bridge-mautrix-googlechat.md) |
+| [mautrix-instagram](https://github.com/mautrix/instagram) | x | Bridge to [Instagram](https://instagram.com/) | [Link](docs/configuring-playbook-bridge-mautrix-instagram.md) |
+| [mautrix-signal](https://github.com/mautrix/signal) | x | Bridge to [Signal](https://www.signal.org/) | [Link](docs/configuring-playbook-bridge-mautrix-signal.md) |
+| [beeper-linkedin](https://github.com/beeper/linkedin) | x | Bridge to [LinkedIn](https://www.linkedin.com/) | [Link](docs/configuring-playbook-bridge-beeper-linkedin.md) |
+| [matrix-appservice-irc](https://github.com/matrix-org/matrix-appservice-irc) | x | Bridge to [IRC](https://wikipedia.org/wiki/Internet_Relay_Chat) | [Link](docs/configuring-playbook-bridge-appservice-irc.md) |
+| [matrix-appservice-discord](https://github.com/Half-Shot/matrix-appservice-discord) | x | Bridge to [Discord](https://discordapp.com/) | [Link](docs/configuring-playbook-bridge-appservice-discord.md) |
+| [matrix-appservice-slack](https://github.com/matrix-org/matrix-appservice-slack) | x | Bridge to [Slack](https://slack.com/) | [Link](docs/configuring-playbook-bridge-appservice-slack.md) |
 |
[matrix-appservice-webhooks](https://github.com/turt2live/matrix-appservice-webhooks) | x | Bridge for slack compatible webhooks ([ConcourseCI](https://concourse-ci.org/), [Slack](https://slack.com/) etc. pp.) | [Link](docs/configuring-playbook-bridge-appservice-webhooks.md) | -| [matrix-hookshot](https://github.com/Half-Shot/matrix-hookshot) | x | Bridge for bridging Matrix to generic webhooks and multiple project management services, such as GitHub, GitLab, Figma, and Jira in particular | [Link](docs/configuring-playbook-bridge-hookshot.md) | -| [matrix-sms-bridge](https://github.com/benkuly/matrix-sms-bridge) | x | Bridge for bridging your Matrix server to SMS | [Link](docs/configuring-playbook-bridge-matrix-bridge-sms.md) | -| [Heisenbridge](https://github.com/hifi/heisenbridge) | x | Bridge for bridging your Matrix server to IRC bouncer-style | [Link](docs/configuring-playbook-bridge-heisenbridge.md) | -| [go-skype-bridge](https://github.com/kelaresg/go-skype-bridge) | x | Bridge for bridging your Matrix server to [Skype](https://www.skype.com) | [Link](docs/configuring-playbook-bridge-go-skype-bridge.md) | -| [mx-puppet-slack](https://hub.docker.com/r/sorunome/mx-puppet-slack) | x | Bridge for bridging your Matrix server to [Slack](https://slack.com) | [Link](docs/configuring-playbook-bridge-mx-puppet-slack.md) | +| [matrix-hookshot](https://github.com/Half-Shot/matrix-hookshot) | x | Bridge for generic webhooks and multiple project management services, such as GitHub, GitLab, Figma, and Jira in particular | [Link](docs/configuring-playbook-bridge-hookshot.md) | +| [matrix-sms-bridge](https://github.com/benkuly/matrix-sms-bridge) | x | Bridge to SMS | [Link](docs/configuring-playbook-bridge-matrix-bridge-sms.md) | +| [Heisenbridge](https://github.com/hifi/heisenbridge) | x | Bouncer-style bridge to [IRC](https://wikipedia.org/wiki/Internet_Relay_Chat) | [Link](docs/configuring-playbook-bridge-heisenbridge.md) | +| 
[go-skype-bridge](https://github.com/kelaresg/go-skype-bridge) | x | Bridge to [Skype](https://www.skype.com) | [Link](docs/configuring-playbook-bridge-go-skype-bridge.md) |
+| [mx-puppet-slack](https://hub.docker.com/r/sorunome/mx-puppet-slack) | x | Bridge to [Slack](https://slack.com) | [Link](docs/configuring-playbook-bridge-mx-puppet-slack.md) |
 | [mx-puppet-instagram](https://github.com/Sorunome/mx-puppet-instagram) | x | Bridge for Instagram-DMs ([Instagram](https://www.instagram.com/)) | [Link](docs/configuring-playbook-bridge-mx-puppet-instagram.md) |
 | [mx-puppet-twitter](https://github.com/Sorunome/mx-puppet-twitter) | x | Bridge for Twitter-DMs ([Twitter](https://twitter.com/)) | [Link](docs/configuring-playbook-bridge-mx-puppet-twitter.md) |
-| [mx-puppet-discord](https://github.com/matrix-discord/mx-puppet-discord) | x | Bridge for [Discord](https://discordapp.com/) | [Link](docs/configuring-playbook-bridge-mx-puppet-discord.md) |
-| [mx-puppet-groupme](https://gitlab.com/xangelix-pub/matrix/mx-puppet-groupme) | x | Bridge for [GroupMe](https://groupme.com/) | [Link](docs/configuring-playbook-bridge-mx-puppet-groupme.md) |
-| [mx-puppet-steam](https://github.com/icewind1991/mx-puppet-steam) | x | Bridge for [Steam](https://steamapp.com/) | [Link](docs/configuring-playbook-bridge-mx-puppet-steam.md) |
-| [Email2Matrix](https://github.com/devture/email2matrix) | x | Bridge for relaying email messages to Matrix rooms | [Link](docs/configuring-playbook-email2matrix.md) |
+| [mx-puppet-discord](https://github.com/matrix-discord/mx-puppet-discord) | x | Bridge to [Discord](https://discordapp.com/) | [Link](docs/configuring-playbook-bridge-mx-puppet-discord.md) |
+| [mx-puppet-groupme](https://gitlab.com/xangelix-pub/matrix/mx-puppet-groupme) | x | Bridge to [GroupMe](https://groupme.com/) | [Link](docs/configuring-playbook-bridge-mx-puppet-groupme.md) |
+| [mx-puppet-steam](https://github.com/icewind1991/mx-puppet-steam) | x | Bridge to
[Steam](https://steamapp.com/) | [Link](docs/configuring-playbook-bridge-mx-puppet-steam.md) | +| [Email2Matrix](https://github.com/devture/email2matrix) | x | Bridge for relaying emails to Matrix rooms | [Link](docs/configuring-playbook-email2matrix.md) | ### Bots @@ -140,7 +143,7 @@ Bots provide various additional functionality to your installation. | [Postmoogle](https://gitlab.com/etke.cc/postmoogle) | x | Email to matrix bot | [Link](docs/configuring-playbook-bot-postmoogle.md) | | [Go-NEB](https://github.com/matrix-org/go-neb) | x | A multi functional bot written in Go | [Link](docs/configuring-playbook-bot-go-neb.md) | | [Mjolnir](https://github.com/matrix-org/mjolnir) | x | A moderation tool for Matrix | [Link](docs/configuring-playbook-bot-mjolnir.md) | -| [Draupnir](https://github.com/Gnuxie/Draupnir) | x | A moderation tool for Matrix (Fork of Mjolnir) | [Link](docs/configuring-playbook-bot-draupnir.md) | +| [Draupnir](https://github.com/the-draupnir-project/Draupnir) | x | A moderation tool for Matrix (Fork of Mjolnir) | [Link](docs/configuring-playbook-bot-draupnir.md) | | [Buscarron](https://gitlab.com/etke.cc/buscarron) | x | Web forms (HTTP POST) to matrix | [Link](docs/configuring-playbook-bot-buscarron.md) | | [matrix-chatgpt-bot](https://github.com/matrixgpt/matrix-chatgpt-bot) | x | ChatGPT from matrix | [Link](docs/configuring-playbook-bot-chatgpt.md) | diff --git a/docs/ansible.md b/docs/ansible.md index 6018860e..53e36cea 100644 --- a/docs/ansible.md +++ b/docs/ansible.md @@ -65,7 +65,7 @@ docker run -it --rm \ -w /work \ -v `pwd`:/work \ --entrypoint=/bin/sh \ -docker.io/devture/ansible:2.13.6-r0-3 +docker.io/devture/ansible:2.14.5-r0-0 ``` Once you execute the above command, you'll be dropped into a `/work` directory inside a Docker container. 
@@ -86,7 +86,7 @@ docker run -it --rm \ -v `pwd`:/work \ -v $HOME/.ssh/id_rsa:/root/.ssh/id_rsa:ro \ --entrypoint=/bin/sh \ -docker.io/devture/ansible:2.13.6-r0-3 +docker.io/devture/ansible:2.14.5-r0-0 ``` The above command tries to mount an SSH key (`$HOME/.ssh/id_rsa`) into the container (at `/root/.ssh/id_rsa`). diff --git a/docs/configuring-dns.md b/docs/configuring-dns.md index d7ccf17e..5b9464fe 100644 --- a/docs/configuring-dns.md +++ b/docs/configuring-dns.md @@ -42,6 +42,8 @@ When you're done configuring DNS, proceed to [Configuring the playbook](configur | [Etherpad](configuring-playbook-etherpad.md) collaborative text editor | CNAME | `etherpad` | - | - | - | `matrix.` | | [Hydrogen](configuring-playbook-client-hydrogen.md) web client | CNAME | `hydrogen` | - | - | - | `matrix.` | | [Cinny](configuring-playbook-client-cinny.md) web client | CNAME | `cinny` | - | - | - | `matrix.` | +| [SchildiChat](configuring-playbook-client-schildichat.md) web client | CNAME | `schildichat` | - | - | - | `matrix.` | +| [wsproxy](configuring-playbook-bridge-mautrix-wsproxy.md) sms bridge | CNAME | `wsproxy` | - | - | - | `matrix.` | | [Buscarron](configuring-playbook-bot-buscarron.md) helpdesk bot | CNAME | `buscarron` | - | - | - | `matrix.` | | [Postmoogle](configuring-playbook-bot-postmoogle.md)/[Email2Matrix](configuring-playbook-email2matrix.md) email bridges | MX | `matrix` | 10 | 0 | - | `matrix.` | | [Postmoogle](configuring-playbook-bot-postmoogle.md) email bridge | TXT | `matrix` | - | - | - | `v=spf1 ip4: -all` | 
@@ -75,6 +77,8 @@ The `hydrogen.` subdomain may be necessary, because this playbook c The `cinny.` subdomain may be necessary, because this playbook could install the [Cinny](https://github.com/ajbura/cinny) web client. The installation of cinny is disabled by default, it is not a core required component. To learn how to install it, see our [configuring cinny guide](configuring-playbook-client-cinny.md). If you do not wish to set up cinny, feel free to skip the `cinny.` DNS record. +The `wsproxy.` subdomain may be necessary, because this playbook could install the [wsproxy](https://github.com/mautrix/wsproxy) web client. The installation of wsproxy is disabled by default, it is not a core required component. To learn how to install it, see our [configuring wsproxy guide](configuring-playbook-bridge-mautrix-wsproxy.md). If you do not wish to set up wsproxy, feel free to skip the `wsproxy.` DNS record. + The `buscarron.` subdomain may be necessary, because this playbook could install the [buscarron](https://gitlab.com/etke.cc/buscarron) bot. The installation of buscarron is disabled by default, it is not a core required component. To learn how to install it, see our [configuring buscarron guide](configuring-playbook-bot-buscarron.md). If you do not wish to set up buscarron, feel free to skip the `buscarron.` DNS record. ## `_matrix-identity._tcp` SRV record setup diff --git a/docs/configuring-playbook-bot-chatgpt.md b/docs/configuring-playbook-bot-chatgpt.md index fa7972ca..72171f28 100644 --- a/docs/configuring-playbook-bot-chatgpt.md +++ b/docs/configuring-playbook-bot-chatgpt.md 
@@ -43,6 +43,11 @@ matrix_bot_chatgpt_openai_api_key: '' # Matrix access token (from bot user above) # see: https://webapps.stackexchange.com/questions/131056/how-to-get-an-access-token-for-element-riot-matrix matrix_bot_chatgpt_matrix_access_token: '' + +# Configuring the system promt used, needed if the bot is used for special tasks. +# More information: https://github.com/mustvlad/ChatGPT-System-Prompts +matrix_bot_chatgpt_matrix_bot_prompt_prefix: 'Instructions:\nYou are ChatGPT, a large language model trained by OpenAI.' + ``` You will need to get tokens for ChatGPT. diff --git a/docs/configuring-playbook-bot-draupnir.md b/docs/configuring-playbook-bot-draupnir.md index 23fa644f..a2cc9c09 100644 --- a/docs/configuring-playbook-bot-draupnir.md +++ b/docs/configuring-playbook-bot-draupnir.md @@ -1,8 +1,8 @@ # Setting up draupnir (optional) -The playbook can install and configure the [draupnir](https://github.com/Gnuxie/Draupnir) moderation bot for you. +The playbook can install and configure the [draupnir](https://github.com/the-draupnir-project/Draupnir) moderation bot for you. -See the project's [documentation](https://github.com/Gnuxie/Draupnir) to learn what it does and why it might be useful to you. +See the project's [documentation](https://github.com/the-draupnir-project/Draupnir) to learn what it does and why it might be useful to you. If your migrating from Mjolnir skip to step 5b. 
@@ -20,7 +20,7 @@ You can use the playbook to [register a new user](registering-users.md): ansible-playbook -i inventory/hosts setup.yml --extra-vars='username=bot.draupnir password=PASSWORD_FOR_THE_BOT admin=no' --tags=register-user ``` -If you would like draupnir to be able to deactivate users, move aliases, shutdown rooms, etc then it must be a server admin so you need to change `admin=no` to `admin=yes` in the command above. +If you would like draupnir to be able to deactivate users, move aliases, shutdown rooms, show abuse reports ([see below](#abuse-reports)), etc then it must be a server admin so you need to change `admin=no` to `admin=yes` in the command above. ## 2. Get an access token 
@@ -32,9 +32,9 @@ Refer to the documentation on [how to obtain an access token](obtaining-access-t You will need to prevent Synapse from rate limiting the bot's account. This is not an optional step. If you do not do this step draupnir will crash. This can be done using Synapse's [admin API](https://matrix-org.github.io/synapse/latest/admin_api/user_admin_api.html#override-ratelimiting-for-users). Please ask for help if you are uncomfortable with these steps or run into issues. -If your Synapse Admin API is exposed to the internet for some reason like running the Synapse Admin Role [Link](docs/configuring-playbook-synapse-admin.md) or running `matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_admin_api_enabled: true` in your playbook config. If your API is not externally exposed you should still be able to on the local host for your synapse run these commands. +If your Synapse Admin API is exposed to the internet for some reason like running the Synapse Admin Role [Link](/docs/configuring-playbook-synapse-admin.md) or running `matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_admin_api_enabled: true` in your playbook config. If your API is not externally exposed you should still be able to on the local host for your synapse run these commands. -The following command works on semi up to date Windows 10 installs and All Windows 11 installations and other systems that ship curl. `curl --header "Authorization: Bearer " -X DELETE https://matrix.example.com/_synapse/admin/v1/users/@example:example.com/override_ratelimit` Replace `@example:example.com` with the MXID of your Draupnir and example.com with your homeserver domain. You can easily obtain an access token for a homeserver admin account the same way you can obtain an access token for Draupnir it self. If you made Draupnir Admin you can just use the Draupnir token. 
+The following command works on semi up to date Windows 10 installs and All Windows 11 installations and other systems that ship curl. `curl --header "Authorization: Bearer " -X POST https://matrix.example.com/_synapse/admin/v1/users/@example:example.com/override_ratelimit` Replace `@example:example.com` with the MXID of your Draupnir and example.com with your homeserver domain. You can easily obtain an access token for a homeserver admin account the same way you can obtain an access token for Draupnir it self. If you made Draupnir Admin you can just use the Draupnir token. @@ -77,7 +77,7 @@ ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start ## Usage -You can refer to the upstream [documentation](https://github.com/Gnuxie/Draupnir) for additional ways to use and configure draupnir. Check out their [quickstart guide](https://github.com/matrix-org/draupnir/blob/main/docs/moderators.md#quick-usage) for some basic commands you can give to the bot. +You can refer to the upstream [documentation](https://github.com/the-draupnir-project/Draupnir) for additional ways to use and configure draupnir. Check out their [quickstart guide](https://github.com/the-draupnir-project/Draupnir/blob/main/docs/moderators.md#quick-usage) for some basic commands you can give to the bot. You can configure additional options by adding the `matrix_bot_draupnir_configuration_extension_yaml` variable to your `inventory/host_vars/matrix.DOMAIN/vars.yml` file. 
@@ -94,3 +94,17 @@ matrix_bot_draupnir_configuration_extension_yaml: | # completely redefining `matrix_bot_draupnir_configuration_yaml`. recordIgnoredInvites: true ``` + +## Abuse Reports + +Draupnir supports two methods to receive reports in the management room. + +The first method intercepts the report API endpoint of the client-server API, which requires integration with the reverse proxy in front of the homeserver. +While this playbook uses reverse proxies, it does not yet implement this. + +The other method polls an synapse admin API endpoint and is hence only available when using synapse and when the Draupnir user is an admin user (see step 1). +To enable it, set `pollReports: true` in Draupnir's config: +```yaml +matrix_bot_draupnir_configuration_extension_yaml: | + pollReports: true +``` diff --git a/docs/configuring-playbook-bot-matrix-registration-bot.md b/docs/configuring-playbook-bot-matrix-registration-bot.md index b1e3fdc6..66b3e576 100644 --- a/docs/configuring-playbook-bot-matrix-registration-bot.md +++ b/docs/configuring-playbook-bot-matrix-registration-bot.md 
@@ -2,40 +2,28 @@ The playbook can install and configure [matrix-registration-bot](https://github.com/moan0s/matrix-registration-bot) for you. -The bot allows you to easily **create and manage registration tokens**. It can be used for an invitation-based server, -where you invite someone by sending them a registration token. They can register as normal but have to provide a valid -registration token in a final step of the registration. +The bot allows you to easily **create and manage registration tokens** aka. invitation codes. +It can be used for an invitation-based server, +where you invite someone by sending them a registration token (loook like this: `rbalQ0zkaDSRQCOp`). They can register as normal but have to provide a valid registration token in a final step of the registration. See the project's [documentation](https://github.com/moan0s/matrix-registration-bot#supported-commands) to learn what it does and why it might be useful to you. -## Registering the bot user +## Configuration -By default, the playbook will set use the bot with a username like this: `@bot.matrix-registration-bot:DOMAIN`. - -(to use a different username, adjust the `matrix_bot_matrix_registration_bot_matrix_user_id_localpart` variable). - -For [other bots supported by the playbook](configuring-playbook.md#bots), Matrix bot user accounts are created and put to use automatically. For `matrix-registration-bot`, however, this is not the case - you **need to register the bot user manually** before setting up the bot. You can use the playbook to [register a new user](registering-users.md): - -``` -ansible-playbook -i inventory/hosts setup.yml --extra-vars='username=bot.matrix-registration-bot password=PASSWORD_FOR_THE_BOT admin=yes' --tags=register-user -``` - -Choose a strong password for the bot. You can generate a good password with a command like this: `pwgen -s 64 1`. 
- -## Obtaining an admin access token - -In order to use the bot you need to add an admin user's access token token to the configuration. Refer to the documentation on [how to obtain an access token](obtaining-access-tokens.md). - -## Adjusting the playbook configuration - -Add the following configuration to your `inventory/host_vars/matrix.DOMAIN/vars.yml` file: +To enable the bot, add the following configuration to your `inventory/host_vars/matrix.DOMAIN/vars.yml` file: ```yaml matrix_bot_matrix_registration_bot_enabled: true -# Token obtained via logging into the bot account (see above) -matrix_bot_matrix_registration_bot_bot_access_token: "syt_bW9hbm9z_XXXXXXXXXXXXXr_2kuzbE" + +#By default, the playbook will set use the bot with a username like +## this: `@bot.matrix-registration-bot:DOMAIN`. +# To use a different username, uncomment & adjust the variable. +# matrix_bot_matrix_registration_bot_matrix_user_id_localpart: bot.matrix-registration-bot + +# Generate a strong password here. Consider generating it with `pwgen -s 64 1` +matrix_bot_matrix_registration_bot_bot_password: PASSWORD_FOR_THE_BOT # Enables registration matrix_synapse_enable_registration: true @@ -44,6 +32,7 @@ matrix_synapse_enable_registration: true matrix_synapse_registration_requires_token: true ``` +The bot account will be automatically created. ## Installing 
@@ -56,10 +45,16 @@ ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start ## Usage -To use the bot, create a **non-encrypted** room and invite `@bot.matrix-registration-bot:DOMAIN` (where `DOMAIN` is your base domain, not the `matrix.` domain). +To use the bot, message `@bot.matrix-registration-bot:DOMAIN` (where `DOMAIN` is your base domain, not the `matrix.` domain). In this room send `help` and the bot will reply with all options. You can also refer to the upstream [Usage documentation](https://github.com/moan0s/matrix-registration-bot#supported-commands). If you have any questions, or if you need help setting it up, read the [troublshooting guide](https://github.com/moan0s/matrix-registration-bot/blob/main/docs/troubleshooting.md) or join [#matrix-registration-bot:hyteck.de](https://matrix.to/#/#matrix-registration-bot:hyteck.de). + +To clean the cache (session&encryption data) after you changed the bot's username, changed the login methon form access_token to password etc.. you can use + +```bash +just run-tags bot-matrix-registration-bot-clean-cache +``` diff --git a/docs/configuring-playbook-bot-mjolnir.md b/docs/configuring-playbook-bot-mjolnir.md index e69655aa..3d12cd6a 100644 --- a/docs/configuring-playbook-bot-mjolnir.md +++ b/docs/configuring-playbook-bot-mjolnir.md 
@@ -31,9 +31,9 @@ Refer to the documentation on [how to obtain an access token](obtaining-access-t You will need to prevent Synapse from rate limiting the bot's account. This is not an optional step. If you do not do this step Mjolnir will crash. This can be done using Synapse's [admin API](https://matrix-org.github.io/synapse/latest/admin_api/user_admin_api.html#override-ratelimiting-for-users). Please ask for help if you are uncomfortable with these steps or run into issues. -If your Synapse Admin API is exposed to the internet for some reason like running the Synapse Admin Role [Link](docs/configuring-playbook-synapse-admin.md) or running `matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_admin_api_enabled: true` in your playbook config. If your API is not externally exposed you should still be able to on the local host for your synapse run these commands. +If your Synapse Admin API is exposed to the internet for some reason like running the Synapse Admin Role [Link](/docs/configuring-playbook-synapse-admin.md) or running `matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_admin_api_enabled: true` in your playbook config. If your API is not externally exposed you should still be able to on the local host for your synapse run these commands. -The following command works on semi up to date Windows 10 installs and All Windows 11 installations and other systems that ship curl. `curl --header "Authorization: Bearer " -X DELETE https://matrix.example.com/_synapse/admin/v1/users/@example:example.com/override_ratelimit` Replace `@example:example.com` with the MXID of your Mjolnir and example.com with your homeserver domain. You can easily obtain an access token for a homeserver admin account the same way you can obtain an access token for Mjolnir it self. If you made Mjolnir Admin you can just use the Mjolnir token. 
+The following command works on semi up to date Windows 10 installs and All Windows 11 installations and other systems that ship curl. `curl --header "Authorization: Bearer " -X POST https://matrix.example.com/_synapse/admin/v1/users/@example:example.com/override_ratelimit` Replace `@example:example.com` with the MXID of your Mjolnir and example.com with your homeserver domain. You can easily obtain an access token for a homeserver admin account the same way you can obtain an access token for Mjolnir it self. If you made Mjolnir Admin you can just use the Mjolnir token. ## 4. Create a management room diff --git a/docs/configuring-playbook-bridge-appservice-discord.md b/docs/configuring-playbook-bridge-appservice-discord.md index d37724c0..bd30d5aa 100644 --- a/docs/configuring-playbook-bridge-appservice-discord.md +++ b/docs/configuring-playbook-bridge-appservice-discord.md 
@@ -1,7 +1,7 @@ # Setting up Appservice Discord (optional) -**Note**: bridging to [Discord](https://discordapp.com/) can also happen via the [mx-puppet-discord](configuring-playbook-bridge-mx-puppet-discord.md) and [mautrix-discord](configuring-playbook-bridge-mautrix-discord.md) bridges supported by the playbook. -- For using as a Bot we are recommend the Appservice Discord bridge (the one being discussed here), because it supports plumbing. +**Note**: bridging to [Discord](https://discordapp.com/) can also happen via the [mx-puppet-discord](configuring-playbook-bridge-mx-puppet-discord.md) and [mautrix-discord](configuring-playbook-bridge-mautrix-discord.md) bridges supported by the playbook. +- For using as a Bot we are recommend the Appservice Discord bridge (the one being discussed here), because it supports plumbing. - For personal use we recommend the [mautrix-discord](configuring-playbook-bridge-mautrix-discord.md) bridge, because it is the most fully-featured and stable of the 3 Discord bridges supported by the playbook. The playbook can install and configure [matrix-appservice-discord](https://github.com/Half-Shot/matrix-appservice-discord) for you. 
@@ -23,8 +23,14 @@ matrix_appservice_discord_enabled: true matrix_appservice_discord_client_id: "YOUR DISCORD APP CLIENT ID" matrix_appservice_discord_bot_token: "YOUR DISCORD APP BOT TOKEN" ``` +5. As of Synapse 1.90.0, you will need to add the following to `matrix_synapse_configuration_extension_yaml` to enable the [backwards compatibility](https://matrix-org.github.io/synapse/latest/upgrade#upgrading-to-v1900) that this bridge needs: +```yaml +matrix_synapse_configuration_extension_yaml: | + use_appservice_legacy_authorization: true +``` +*Note*: This deprecated method is considered insecure. -5. If you've already installed Matrix services using the playbook before, you'll need to re-run it (`--tags=setup-all,start`). If not, proceed with [configuring other playbook services](configuring-playbook.md) and then with [Installing](installing.md). Get back to this guide once ready. +6. If you've already installed Matrix services using the playbook before, you'll need to re-run it (`--tags=setup-all,start`). If not, proceed with [configuring other playbook services](configuring-playbook.md) and then with [Installing](installing.md). Get back to this guide once ready. Other configuration options are available via the `matrix_appservice_discord_configuration_extension_yaml` variable. diff --git a/docs/configuring-playbook-bridge-appservice-webhooks.md b/docs/configuring-playbook-bridge-appservice-webhooks.md index f4fbfbc0..3a4c7ea5 100644 --- a/docs/configuring-playbook-bridge-appservice-webhooks.md +++ b/docs/configuring-playbook-bridge-appservice-webhooks.md 
@@ -26,22 +26,29 @@ you can adjust this in `inventory/host_vars/matrix./vars.yml` as we matrix_appservice_webhooks_log_level: '' ``` -3. If you've already installed Matrix services using the playbook before, you'll need to re-run it (`--tags=setup-all,start`). If not, proceed with [configuring other playbook services](configuring-playbook.md) and then with [Installing](installing.md). Get back to this guide once ready. +3. As of Synapse 1.90.0, you will need to add the following to `matrix_synapse_configuration_extension_yaml` to enable the [backwards compatibility](https://matrix-org.github.io/synapse/latest/upgrade#upgrading-to-v1900) that this bridge needs: +```yaml +matrix_synapse_configuration_extension_yaml: | + use_appservice_legacy_authorization: true +``` +*Note*: This deprecated method is considered insecure. + +4. If you've already installed Matrix services using the playbook before, you'll need to re-run it (`--tags=setup-all,start`). If not, proceed with [configuring other playbook services](configuring-playbook.md) and then with [Installing](installing.md). Get back to this guide once ready. -4. If you're using the [Dimension Integration Manager](configuring-playbook-dimension.md), you can configure the Webhooks bridge by opening the Dimension integration manager -> Settings -> Bridges and selecting edit action for "Webhook Bridge". Press "Add self-hosted Bridge" button and populate "Provisioning URL" & "Shared Secret" values from `/matrix/appservice-webhooks/config/config.yaml` file's homeserver URL value and provisioning secret value, respectively. +5. If you're using the [Dimension Integration Manager](configuring-playbook-dimension.md), you can configure the Webhooks bridge by opening the Dimension integration manager -> Settings -> Bridges and selecting edit action for "Webhook Bridge". 
Press "Add self-hosted Bridge" button and populate "Provisioning URL" & "Shared Secret" values from `/matrix/appservice-webhooks/config/config.yaml` file's homeserver URL value and provisioning secret value, respectively. -5. Invite the bridge bot user to your room: +6. Invite the bridge bot user to your room: - either with `/invite @_webhook:` (*Note*: Make sure you have administration permissions in your room) - or simply add the bridge bot to a private channel (personal channels imply you being an administrator) -6. Send a message to the bridge bot in order to receive a private message including the webhook link. +7. Send a message to the bridge bot in order to receive a private message including the webhook link. ``` !webhook ``` -7. The JSON body for posting messages will have to look like this: +8. The JSON body for posting messages will have to look like this: ```json { "text": "Hello world!", diff --git a/docs/configuring-playbook-bridge-beeper-linkedin.md b/docs/configuring-playbook-bridge-beeper-linkedin.md index 6ec294fb..a51b2781 100644 --- a/docs/configuring-playbook-bridge-beeper-linkedin.md +++ b/docs/configuring-playbook-bridge-beeper-linkedin.md 
@@ -32,14 +32,10 @@ You may wish to look at `roles/custom/matrix-bridge-beeper-linkedin/templates/co ## Set up Double Puppeting -If you'd like to use [Double Puppeting](https://docs.mau.fi/bridges/general/double-puppeting.html) (hint: you most likely do), you have 2 ways of going about it. - -### Method 1: automatically, by enabling Shared Secret Auth +If you'd like to use [Double Puppeting](https://docs.mau.fi/bridges/general/double-puppeting.html) (hint: you most likely do), you have to enable Shared Secred Auth. The bridge will automatically perform Double Puppeting if you enable [Shared Secret Auth](configuring-playbook-shared-secret-auth.md) for this playbook. -This is the recommended way of setting up Double Puppeting, as it's easier to accomplish, works for all your users automatically, and has less of a chance of breaking in the future. - ## Usage diff --git a/docs/configuring-playbook-bridge-mautrix-gmessages.md b/docs/configuring-playbook-bridge-mautrix-gmessages.md new file mode 100644 index 00000000..10981bf1 --- /dev/null +++ b/docs/configuring-playbook-bridge-mautrix-gmessages.md 
@@ -0,0 +1,38 @@
+# Setting up Mautrix gmessages (optional)
+
+The playbook can install and configure [mautrix-gmessages](https://github.com/mautrix/gmessages) for you, for bridging to [Google Messages](https://messages.google.com/).
+
+See the project's [documentation](https://docs.mau.fi/bridges/go/gmessages/index.html) to learn what it does and why it might be useful to you.
+
+Use the following playbook configuration:
+
+```yaml
+matrix_mautrix_gmessages_enabled: true
+```
+
+## Set up Double Puppeting
+
+If you'd like to use [Double Puppeting](https://docs.mau.fi/bridges/general/double-puppeting.html) (hint: you most likely do), you have 2 ways of going about it.
+
+### Method 1: automatically, by enabling Shared Secret Auth
+
+The bridge will automatically perform Double Puppeting if you enable [Shared Secret Auth](configuring-playbook-shared-secret-auth.md) for this playbook.
+
+This is the recommended way of setting up Double Puppeting, as it's easier to accomplish, works for all your users automatically, and has less of a chance of breaking in the future.
+
+### Method 2: manually, by asking each user to provide a working access token
+
+**Note**: This method for enabling Double Puppeting can be configured only after you've already set up bridging (see [Usage](#usage)).
+
+When using this method, **each user** that wishes to enable Double Puppeting needs to follow the following steps:
+
+- retrieve a Matrix access token for yourself. Refer to the documentation on [how to do that](obtaining-access-tokens.md).
+
+- send the access token to the bot. Example: `login-matrix MATRIX_ACCESS_TOKEN_HERE`
+
+- make sure you don't log out the `Mautrix-gmessages` device some time in the future, as that would break the Double Puppeting feature
+
+
+## Usage
+
+You then need to start a chat with `@gmessagesbot:YOUR_DOMAIN` (where `YOUR_DOMAIN` is your base domain, not the `matrix.` domain).
diff --git a/docs/configuring-playbook-bridge-mautrix-whatsapp.md b/docs/configuring-playbook-bridge-mautrix-whatsapp.md index b08556fe..1794afbd 100644 --- a/docs/configuring-playbook-bridge-mautrix-whatsapp.md +++ b/docs/configuring-playbook-bridge-mautrix-whatsapp.md @@ -21,8 +21,8 @@ By default, only admins are allowed to set themselves as relay users. To allow a matrix_mautrix_whatsapp_bridge_relay_admin_only: false ``` -If you want to activate the relay bot in a room, use `!whatsapp set-relay`. -Use `!whatsapp unset-relay` to deactivate. +If you want to activate the relay bot in a room, use `!wa set-relay`. +Use `!wa unset-relay` to deactivate. ## Enable backfilling history This requires a server with MSC2716 support, which is currently an experimental feature in synapse. diff --git a/docs/configuring-playbook-bridge-mautrix-wsproxy.md b/docs/configuring-playbook-bridge-mautrix-wsproxy.md new file mode 100644 index 00000000..8e3bc2c4 --- /dev/null +++ b/docs/configuring-playbook-bridge-mautrix-wsproxy.md 
@@ -0,0 +1,33 @@
+# Setting up Mautrix wsproxy (optional)
+
+The playbook can install and configure [mautrix-wsproxy](https://github.com/mautrix/wsproxy) for you.
+
+See the project's [documentation](https://github.com/mautrix/wsproxy#readme) to learn what it does and why it might be useful to you.
+
+
+## DNS
+
+You need to create a `wsproxy.DOMAIN` DNS record pointing to your Matrix server (a `CNAME` pointing to `matrix.DOMAIN`) to use wsproxy.
+The hostname is configurable via a `matrix_mautrix_wsproxy_hostname` variable.
+
+
+## Configuration
+
+Use the following playbook configuration:
+
+```yaml
+matrix_mautrix_wsproxy_enabled: true
+
+matrix_mautrix_androidsms_appservice_token: 'secret token from bridge'
+matrix_mautrix_androidsms_homeserver_token: 'secret token from bridge'
+matrix_mautrix_imessage_appservice_token: 'secret token from bridge'
+matrix_mautrix_imessage_homeserver_token: 'secret token from bridge'
+matrix_mautrix_wsproxy_syncproxy_shared_secret: 'secret token from bridge'
+```
+
+Note that the tokens must match what is compiled into the [mautrix-imessage](https://github.com/mautrix/imessage) bridge running on your Mac or Android device.
+
+
+## Usage
+
+Follow the [matrix-imessage documenation](https://docs.mau.fi/bridges/go/imessage/index.html) for running `android-sms` and/or `matrix-imessage` on your device(s).
diff --git a/docs/configuring-playbook-client-element.md b/docs/configuring-playbook-client-element.md
index 1f90aca6..ec855601 100644
--- a/docs/configuring-playbook-client-element.md
+++ b/docs/configuring-playbook-client-element.md
@@ -32,7 +32,7 @@ Alternatively, **if there is no pre-defined variable** for an Element setting yo ## Themes -To change the look of Element, you can define your own themes manually by using the `matrix_client_element_settingDefaults_custom_themes` setting. +To change the look of Element, you can define your own themes manually by using the `matrix_client_element_setting_defaults_custom_themes` setting. Or better yet, you can automatically pull it all themes provided by the [aaronraimist/element-themes](https://github.com/aaronraimist/element-themes) project by simply flipping a flag (`matrix_client_element_themes_enabled: true`). diff --git a/docs/configuring-playbook-client-schildichat.md b/docs/configuring-playbook-client-schildichat.md new file mode 100644 index 00000000..eeab99a7 --- /dev/null +++ b/docs/configuring-playbook-client-schildichat.md 
@@ -0,0 +1,42 @@
+# Configuring SchildiChat (optional)
+
+By default, this playbook does not install the [SchildiChat](https://github.com/SchildiChat/schildichat-desktop) Matrix client web application.
+
+**WARNING**: SchildiChat is based on Element-web, but its releases are lagging behind. As an example (from 2023-08-31), SchildiChat is 10 releases behind (it being based on element-web `v1.11.30`, while element-web is now on `v1.11.40`). Element-web frequently suffers from security issues, so running something based on an ancient Element-web release is **dangerous**. Use SchildiChat at your own risk!
+
+
+## Enabling SchildiChat
+
+If you'd like for the playbook to install SchildiChat, you can enable it in your configuration file (`inventory/host_vars/matrix./vars.yml`):
+
+```yaml
+matrix_client_schildichat_enabled: true
+```
+
+
+## Configuring SchildiChat settings
+
+The playbook provides some customization variables you could use to change schildichat's settings.
+
+Their defaults are defined in [`roles/custom/matrix-client-schildichat/defaults/main.yml`](../roles/custom/matrix-client-schildichat/defaults/main.yml) and they ultimately end up in the generated `/matrix/schildichat/config.json` file (on the server). This file is generated from the [`roles/custom/matrix-client-schildichat/templates/config.json.j2`](../roles/custom/matrix-client-schildichat/templates/config.json.j2) template.
+
+**If there's an existing variable** which controls a setting you wish to change, you can simply define that variable in your configuration file (`inventory/host_vars/matrix./vars.yml`) and [re-run the playbook](installing.md) to apply the changes.
+
+Alternatively, **if there is no pre-defined variable** for an schildichat setting you wish to change:
+
+- you can either **request a variable to be created** (or you can submit such a contribution yourself).
Keep in mind that it's **probably not a good idea** to create variables for each one of schildichat's various settings that rarely get used.
+
+- or, you can **extend and override the default configuration** ([`config.json.j2`](../roles/custom/matrix-client-schildichat/templates/config.json.j2)) by making use of the `matrix_client_schildichat_configuration_extension_json_` variable. You can find information about this in [`roles/custom/matrix-client-schildichat/defaults/main.yml`](../roles/custom/matrix-client-schildichat/defaults/main.yml).
+
+- or, if extending the configuration is still not powerful enough for your needs, you can **override the configuration completely** using `matrix_client_schildichat_configuration_default` (or `matrix_client_schildichat_configuration`). You can find information about this in [`roles/custom/matrix-client-schildichat/defaults/main.yml`](../roles/custom/matrix-client-schildichat/defaults/main.yml).
+
+
+## Themes
+
+To change the look of schildichat, you can define your own themes manually by using the `matrix_client_schildichat_setting_defaults_custom_themes` setting.
+
+Or better yet, you can automatically pull it all themes provided by the [aaronraimist/element-themes](https://github.com/aaronraimist/element-themes) project by simply flipping a flag (`matrix_client_schildichat_themes_enabled: true`).
+
+If you make your own theme, we encourage you to submit it to the **aaronraimist/element-themes** project, so that the whole community could easily enjoy it.
+
+Note that for a custom theme to work well, all schildichat instances that you use must have the same theme installed.
diff --git a/docs/configuring-playbook-dimension.md b/docs/configuring-playbook-dimension.md
index 4472e103..cafe6f4d 100644
--- a/docs/configuring-playbook-dimension.md
+++ b/docs/configuring-playbook-dimension.md
@@ -3,6 +3,8 @@ **[Dimension](https://dimension.t2bot.io) can only be installed after Matrix services are installed and running.** If you're just installing Matrix services for the first time, please continue with the [Configuration](configuring-playbook.md) / [Installation](installing.md) flow and come back here later. +**Note**: Dimension is **[officially unmaintained](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/2806#issuecomment-1673559299)**. We recommend not bothering with installing it. + **Note**: This playbook now supports running [Dimension](https://dimension.t2bot.io) in both a federated and [unfederated](https://github.com/turt2live/matrix-dimension/blob/master/docs/unfederated.md) environments. This is handled automatically based on the value of `matrix_synapse_federation_enabled`. Enabling Dimension, means that the `openid` API endpoints will be exposed on the Matrix Federation port (usually `8448`), even if [federation](configuring-playbook-federation.md) is disabled. It's something to be aware of, especially in terms of firewall whitelisting (make sure port `8448` is accessible). diff --git a/docs/configuring-playbook-jitsi.md b/docs/configuring-playbook-jitsi.md index 1213f46a..53eb35de 100644 --- a/docs/configuring-playbook-jitsi.md +++ b/docs/configuring-playbook-jitsi.md 
@@ -218,20 +218,44 @@ jitsi_prosody_container_jvb_host_bind_port: 5222 (The default is empty; if it's set then docker forwards the port.) -The nginx configuration will also need to be updated in order to deal with the additional JVB servers. This is achieved via its own configuration variable -`matrix_nginx_proxy_proxy_jitsi_additional_jvbs`, which contains a dictionary of server ids to ip addresses. +Applied together this will allow you to provision extra JVB instances which will register themselves with the prosody service and be available for jicofo +to route conferences too. -For example, +To make Traefik reverse-proxy to these additional JVBs (living on other hosts), **you would need to add the following Traefik configuration extension**: -``` yaml -matrix_nginx_proxy_proxy_jitsi_additional_jvbs: - jvb-2: 192.168.0.2 - jvb-3: 192.168.0.3 -``` +```yaml +# Traefik proxying for additional JVBs. These can't be configured using Docker +# labels, like the first JVB is, because they run on different hosts, so we add +# the necessary configuration to the file provider. +devture_traefik_provider_configuration_extension_yaml: | + http: + routers: + {% for host in groups['jitsi_jvb_servers'] %} + additional-{{ hostvars[host]['jitsi_jvb_server_id'] }}-router: + entryPoints: + - "{{ devture_traefik_entrypoint_primary }}" + rule: "Host(`{{ jitsi_hostname }}`) && PathPrefix(`/colibri-ws/{{ hostvars[host]['jitsi_jvb_server_id'] }}/`)" + service: additional-{{ hostvars[host]['jitsi_jvb_server_id'] }}-service + {% if devture_traefik_entrypoint_primary != 'web' %} -Applied together this will allow you to provision extra JVB instances which will register themselves with the prosody service and be available for jicofo -to route conferences too. 
+ tls: + certResolver: "{{ devture_traefik_certResolver_primary }}" + + {% endif %} + + {% endfor %} + + services: + {% for host in groups['jitsi_jvb_servers'] %} + + additional-{{ hostvars[host]['jitsi_jvb_server_id'] }}-service: + loadBalancer: + servers: + - url: "http://{{ host }}:9090/" + + {% endfor %} +``` ## (Optional) Enable Gravatar diff --git a/docs/configuring-playbook-matrix-media-repo.md b/docs/configuring-playbook-matrix-media-repo.md new file mode 100644 index 00000000..d5d6eda3 --- /dev/null +++ b/docs/configuring-playbook-matrix-media-repo.md 
@@ -0,0 +1,106 @@ +# Setting up matrix-media-repo (optional) + +[matrix-media-repo](https://docs.t2bot.io/matrix-media-repo/) is a highly customizable multi-domain media repository for Matrix. Intended for medium to large environments consisting of several homeservers, this media repo de-duplicates media (including remote media) while being fully compliant with the specification. + +Smaller/individual homeservers can still make use of this project's features, though it may be difficult to set up or have higher than expected resource consumption. Please do your research before deploying this as this project may not be useful for your environment. + +For a simpler alternative (which allows you to offload your media repository storage to S3, etc.), you can [configure S3 storage](configuring-playbook-s3.md) instead of setting up matrix-media-repo. + +## Quickstart + +Add the following configuration to your `inventory/host_vars/matrix.DOMAIN/vars.yml` file: + +```yaml +matrix_media_repo_enabled: true + +# (optional) Turned off by default +# matrix_media_repo_metrics_enabled: true +``` + +The repo is pre-configured for integrating with the Postgres database, NGINX proxy and [Prometheus/Grafana](configuring-playbook-prometheus-grafana.md) (if metrics enabled) from this playbook for all the available homeserver roles. When the media repo is enabled, other media store roles should be disabled (if using Synapse with other media store roles). + +By default, the media-repo will use the local filesystem for data storage. Additional options include `s3` and `IPFS` (experimental). Access token caching is also enabled by default since the logout endpoints are proxied through the media repo. + +## Configuring the media-repo + +Additional common configuration options: +```yaml + +# The postgres database pooling options + +# The maximum number of connects to hold open. More of these allow for more concurrent +# processes to happen. 
+matrix_media_repo_database_max_connections: 25 + +# The maximum number of connects to leave idle. More of these reduces the time it takes +# to serve requests in low-traffic scenarios. +matrix_media_repo_database_max_idle_connections: 5 + +# These users have full access to the administrative functions of the media repository. +# See https://github.com/turt2live/matrix-media-repo/blob/release-v1.2.8/docs/admin.md for information on what these people can do. They must belong to one of the +# configured homeservers above. +matrix_media_repo_admins: + admins: [] +# admins: +# - "@your_username:example.org" + +# Datastores are places where media should be persisted. This isn't dedicated for just uploads: +# thumbnails and other misc data is also stored in these places. The media repo, when looking +# for a datastore to use, will always use the smallest datastore first. +matrix_media_repo_datastores: + datastores: + - type: file + enabled: true # Enable this to set up data storage. + # Datastores can be split into many areas when handling uploads. Media is still de-duplicated + # across all datastores (local content which duplicates remote content will re-use the remote + # content's location). This option is useful if your datastore is becoming very large, or if + # you want faster storage for a particular kind of media. + # + # The kinds available are: + # thumbnails - Used to store thumbnails of media (local and remote). + # remote_media - Original copies of remote media (servers not configured by this repo). + # local_media - Original uploads for local media. + # archives - Archives of content (GDPR and similar requests). 
+ forKinds: ["thumbnails", "remote_media", "local_media", "archives"] + opts: + path: /data/media + + - type: s3 + enabled: false # Enable this to set up s3 uploads + forKinds: ["thumbnails", "remote_media", "local_media", "archives"] + opts: + # The s3 uploader needs a temporary location to buffer files to reduce memory usage on + # small file uploads. If the file size is unknown, the file is written to this location + # before being uploaded to s3 (then the file is deleted). If you aren't concerned about + # memory usage, set this to an empty string. + tempPath: "/tmp/mediarepo_s3_upload" + endpoint: sfo2.digitaloceanspaces.com + accessKeyId: "" + accessSecret: "" + ssl: true + bucketName: "your-media-bucket" + # An optional region for where this S3 endpoint is located. Typically not needed, though + # some providers will need this (like Scaleway). Uncomment to use. + #region: "sfo2" + # An optional storage class for tuning how the media is stored at s3. + # See https://aws.amazon.com/s3/storage-classes/ for details; uncomment to use. + #storageClass: STANDARD + + # The media repo does support an IPFS datastore, but only if the IPFS feature is enabled. If + # the feature is not enabled, this will not work. Note that IPFS support is experimental at + # the moment and not recommended for general use. + # + # NOTE: Everything you upload to IPFS will be publicly accessible, even when the media repo + # puts authentication on the download endpoints. Only use this option for cases where you + # expect your media to be publicly accessible. + - type: ipfs + enabled: false # Enable this to use IPFS support + forKinds: ["local_media"] + # The IPFS datastore currently has no options. It will use the daemon or HTTP API configured + # in the IPFS section of your main config. + opts: {} + +``` + +Full list of configuration options with documentation can be found in `roles/custom/matrix-media-repo/templates/defaults/main.yml` + 
diff --git a/docs/configuring-playbook-mautrix-bridges.md b/docs/configuring-playbook-mautrix-bridges.md index 392be47d..c6e78d02 100644 --- a/docs/configuring-playbook-mautrix-bridges.md +++ b/docs/configuring-playbook-mautrix-bridges.md @@ -32,14 +32,18 @@ matrix_mautrix_SERVICENAME_configuration_extension_yaml: | '@YOUR_USERNAME:{{ matrix_domain }}': admin ``` +## encryption + Encryption support is off by default. If you would like to enable encryption, add the following to your `vars.yml` file: **for all bridges with encryption support**: + ```yaml matrix_bridges_encryption_enabled: true ``` **Alternatively**, for a specific bridge: + ```yaml matrix_mautrix_SERVICENAME_configuration_extension_yaml: | bridge: @@ -48,6 +52,24 @@ matrix_mautrix_SERVICENAME_configuration_extension_yaml: | default: true ``` +## relay mode + +Relay mode is off by default. If you would like to enable relay mode, add the following to your `vars.yml` file: + +**for all bridges with relay mode support**: + +```yaml +matrix_bridges_relay_enabled: true +``` + +**Alternatively**, for a specific bridge: + +```yaml +matrix_mautrix_SERVICENAME_configuration_extension_yaml: | + bridge: + relay: + enabled: true +``` You can only have one `matrix_mautrix_SERVICENAME_configuration_extension_yaml` definition in `vars.yml` per bridge, so if you need multiple pieces of configuration there, just merge them like this: diff --git a/docs/configuring-playbook-prometheus-grafana.md b/docs/configuring-playbook-prometheus-grafana.md index 7e4764c2..49a47f1a 100644 --- a/docs/configuring-playbook-prometheus-grafana.md +++ b/docs/configuring-playbook-prometheus-grafana.md 
@@ -83,6 +83,7 @@ Name | Description `matrix_bridge_hookshot_metrics_proxying_enabled`|Set this to `true` to expose the [Hookshot](configuring-playbook-bridge-hookshot.md) metrics on `https://matrix.DOMAIN/metrics/hookshot` (only takes effect if `matrix_nginx_proxy_proxy_matrix_metrics_enabled: true`) `matrix_SERVICE_metrics_proxying_enabled`|Various other services/roles may provide similar `_metrics_enabled` and `_metrics_proxying_enabled` variables for exposing their metrics. Refer to each role for details. Only takes effect if `matrix_nginx_proxy_proxy_matrix_metrics_enabled: true` `matrix_nginx_proxy_proxy_matrix_metrics_additional_user_location_configuration_blocks`|Add nginx `location` blocks to this list if you'd like to expose additional exporters manually (see below) +`matrix_media_repo_metrics_enabled`|Set this to `true` to make media-repo expose metrics (locally, on the container network) Example for how to make use of `matrix_nginx_proxy_proxy_matrix_metrics_additional_user_location_configuration_blocks` for exposing additional metrics locations: ```nginx diff --git a/docs/configuring-playbook-s3.md b/docs/configuring-playbook-s3.md index 539f96d3..f5a18284 100644 --- a/docs/configuring-playbook-s3.md +++ b/docs/configuring-playbook-s3.md 
@@ -5,11 +5,13 @@ If that's alright, you can skip this. As an alternative to storing media files on the local filesystem, you can store them on [Amazon S3](https://aws.amazon.com/s3/) or another S3-compatible object store. +You can do this either by sticking to Synapse's media repository and making that use S3 (read below for this method), or by switching to an external media storage implementation like [matrix-media-repo](configuring-playbook-matrix-media-repo.md). + First, [choose an Object Storage provider](#choosing-an-object-storage-provider). Then, [create the S3 bucket](#bucket-creation-and-security-configuration). -Finally, [set up S3 storage for Synapse](#setting-up) (with [Goofys](configuring-playbook-s3-goofys.md) or [synapse-s3-storage-provider](configuring-playbook-synapse-s3-storage-provider.md)). +Finally, [set up S3 storage for Synapse](#setting-up) (with [Goofys](configuring-playbook-s3-goofys.md), [synapse-s3-storage-provider](configuring-playbook-synapse-s3-storage-provider.md), or use s3 datastore with the [matrix-media-repo](https://docs.t2bot.io/matrix-media-repo/configuration/s3-datastore.html)). ## Choosing an Object Storage provider @@ -105,3 +107,4 @@ To set up Synapse to store files in S3, follow the instructions for the method o - using [synapse-s3-storage-provider](configuring-playbook-synapse-s3-storage-provider.md) (recommended) - using [Goofys to mount the S3 store to the local filesystem](configuring-playbook-s3-goofys.md) +- using [matrix-media-repo](https://docs.t2bot.io/matrix-media-repo/configuration/s3-datastore.html) diff --git a/docs/configuring-playbook-sliding-sync-proxy.md b/docs/configuring-playbook-sliding-sync-proxy.md index a0eb36ba..f5bc6f76 100644 --- a/docs/configuring-playbook-sliding-sync-proxy.md +++ b/docs/configuring-playbook-sliding-sync-proxy.md 
@@ -8,10 +8,11 @@ See the project's [documentation](https://github.com/matrix-org/sliding-sync) to Element X iOS is [available on TestFlight](https://testflight.apple.com/join/uZbeZCOi). -Element X Android requires manual compilation to get it working with a non-`matrix.org` homeseserver. It's also less feature-complete than the iOS version. +Element X Android is [available on the Github Releases page](https://github.com/vector-im/element-x-android/releases). **NOTE**: The Sliding Sync proxy **only works with the Traefik reverse-proxy**. If you have an old server installation (from the time `matrix-nginx-proxy` was our default reverse-proxy - `matrix_playbook_reverse_proxy_type: playbook-managed-nginx`), you won't be able to use Sliding Sync. +**NOTE**: The sliding-sync proxy is **not required** when using the **Conduit homeserver**. Starting from version `0.6.0` Conduit has native support for some sliding sync features. If there are issues with the native implementation, you might have a better experience when enabling the sliding-sync proxy anyway. ## Decide on a domain and path diff --git a/docs/configuring-playbook-ssl-certificates.md b/docs/configuring-playbook-ssl-certificates.md index 6a215973..596f9300 100644 --- a/docs/configuring-playbook-ssl-certificates.md +++ b/docs/configuring-playbook-ssl-certificates.md 
@@ -68,21 +68,21 @@ aux_file_definitions: # uploading a file from the computer where Ansible is running. - dest: "{{ devture_traefik_ssl_dir_path }}/privkey.pem" src: /path/on/your/Ansible/computer/to/privkey.pem - # Alternatively, comment out `src` above and uncomment the lines below to provide the certificate content inline. - # Note the indentation level. - # content: | - # FILE CONTENT - # HERE + # Alternatively, comment out `src` above and uncomment the lines below to provide the certificate content inline. + # Note the indentation level. + # content: | + # FILE CONTENT + # HERE # Create the cert.pem file on the server # uploading a file from the computer where Ansible is running. - dest: "{{ devture_traefik_ssl_dir_path }}/cert.pem" src: /path/on/your/Ansible/computer/to/cert.pem - # Alternatively, comment out `src` above and uncomment the lines below to provide the certificate content inline. - # Note the indentation level. - # content: | - # FILE CONTENT - # HERE + # Alternatively, comment out `src` above and uncomment the lines below to provide the certificate content inline. + # Note the indentation level. + # content: | + # FILE CONTENT + # HERE # Create the custom Traefik configuration. # The `/ssl/..` paths below are in-container paths, not paths on the host (/`matrix/traefik/ssl/..`). Do not change them! diff --git a/docs/configuring-playbook-synapse-admin.md b/docs/configuring-playbook-synapse-admin.md index 1099553b..fdd11f2e 100644 --- a/docs/configuring-playbook-synapse-admin.md +++ b/docs/configuring-playbook-synapse-admin.md 
@@ -15,7 +15,7 @@ Add the following configuration to your `inventory/host_vars/matrix.DOMAIN/vars. matrix_synapse_admin_enabled: true ``` -**Note**: Synapse Admin requires Synapse's [Admin APIs](https://github.com/matrix-org/synapse/tree/master/docs/admin_api) to function. Access to them is restricted with a valid access token, so exposing them publicly should not be a real security concern. Still, for additional security, we normally leave them unexposed, following [official Synapse reverse-proxying recommendations](https://github.com/matrix-org/synapse/blob/master/docs/reverse_proxy.md#synapse-administration-endpoints). Because Synapse Admin needs these APIs to function, when installing Synapse Admin, we **automatically** exposes them publicly for you (equivalent to `matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_admin_api_enabled: true`). +**Note**: Synapse Admin requires Synapse's [Admin APIs](https://matrix-org.github.io/synapse/latest/usage/administration/admin_api/index.html) to function. Access to them is restricted with a valid access token, so exposing them publicly should not be a real security concern. Still, for additional security, we normally leave them unexposed, following [official Synapse reverse-proxying recommendations](https://github.com/matrix-org/synapse/blob/master/docs/reverse_proxy.md#synapse-administration-endpoints). Because Synapse Admin needs these APIs to function, when installing Synapse Admin, we **automatically** exposes them publicly for you (equivalent to `matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_admin_api_enabled: true`). ## Installing diff --git a/docs/configuring-playbook-synapse.md b/docs/configuring-playbook-synapse.md index 4823c88d..50a048d5 100644 --- a/docs/configuring-playbook-synapse.md +++ b/docs/configuring-playbook-synapse.md 
@@ -34,13 +34,7 @@ We support a few configuration presets (`matrix_synapse_workers_preset: one-of-e If you'd like more customization power, you can start with one of the presets and tweak various `matrix_synapse_workers_*_count` variables manually. -If you increase worker counts too much, you may need to increase the maximum number of Postgres connections too (example): - -```yaml -devture_postgres_process_extra_arguments: [ - "-c 'max_connections=200'" -] -``` +When Synapse workers are enabled, the integrated [Postgres database is tuned](maintenance-postgres.md#tuning-postgresql), so that the maximum number of Postgres connections are increased from `200` to `500`. If you need to decrease or increase the number of maximum Postgres connections further, use the `devture_postgres_max_connections` variable. In case any problems occur, make sure to have a look at the [list of synapse issues about workers](https://github.com/matrix-org/synapse/issues?q=workers+in%3Atitle) and your `journalctl --unit 'matrix-*'`. diff --git a/docs/configuring-playbook-turn.md b/docs/configuring-playbook-turn.md index df5419bd..c7bf998f 100644 --- a/docs/configuring-playbook-turn.md +++ b/docs/configuring-playbook-turn.md 
@@ -15,6 +15,24 @@ matrix_coturn_enabled: false In that case, Synapse would not point to any Coturn servers and audio/video call functionality may fail. +## Manually defining your public IP + +In the `hosts` file we explicitly ask for your server's external IP address when defining `ansible_host`, because the same value is used for configuring Coturn. + +If you'd rather use a local IP for `ansible_host`, make sure to set up `matrix_coturn_turn_external_ip_address` replacing `YOUR_PUBLIC_IP` with the pubic IP used by the server. + +```yaml +matrix_coturn_turn_external_ip_address: "YOUR_PUBLIC_IP" +``` + +If you'd like to rely on external IP address auto-detection (not recommended unless you need it), set `matrix_coturn_turn_external_ip_address` to an empty value. The playbook will automatically contact an [EchoIP](https://github.com/mpolden/echoip)-compatible service (`https://ifconfig.co/json` by default) to determine your server's IP address. This API endpoint is configurable via the `matrix_coturn_turn_external_ip_address_auto_detection_echoip_service_url` variable. + +If your server has multiple external IP addresses, the Coturn role offers a different variable for specifying them: + +```yaml +# Note: matrix_coturn_turn_external_ip_addresses is different than matrix_coturn_turn_external_ip_address +matrix_coturn_turn_external_ip_addresses: ['1.2.3.4', '4.5.6.7'] +``` ## Using your own external Coturn server @@ -40,3 +58,6 @@ jitsi_web_stun_servers: - stun:HOSTNAME_OR_IP:PORT ``` You can put multiple host/port combinations if you like. + +## Further variables and configuration options +To see all the available configuration options, check roles/custom/matrix-coturn/defaults/main.yml diff --git a/docs/configuring-playbook.md b/docs/configuring-playbook.md index 31eea895..d4195c58 100644 --- a/docs/configuring-playbook.md +++ b/docs/configuring-playbook.md 
@@ -30,7 +30,7 @@ When you're done with all the configuration you'd like to do, continue with [Ins ### Additional useful services -- [Setting up the Dimension Integration Manager](configuring-playbook-dimension.md) (optional, but recommended; after [installing](installing.md)) +- [Setting up the Dimension Integration Manager](configuring-playbook-dimension.md) (optional; [unmaintained](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/2806#issuecomment-1673559299); after [installing](installing.md)) - [Setting up the Jitsi video-conferencing platform](configuring-playbook-jitsi.md) (optional) @@ -51,6 +51,8 @@ When you're done with all the configuration you'd like to do, continue with [Ins - [Configuring Element](configuring-playbook-client-element.md) (optional) +- [Storing Matrix media files using matrix-media-repo](configuring-playbook-matrix-media-repo.md) (optional) + - [Storing Matrix media files on Amazon S3](configuring-playbook-s3.md) (optional) - [Using an external PostgreSQL server](configuring-playbook-external-postgres.md) (optional) @@ -80,6 +82,8 @@ When you're done with all the configuration you'd like to do, continue with [Ins - [Setting up Cinny](configuring-playbook-client-cinny.md) - a web client focusing primarily on simple, elegant and secure interface (optional) +- [Setting up SchildiChat](configuring-playbook-client-schildichat.md) - a web client based on [Element](https://element.io/) with some extras and tweaks (optional) + ### Authentication and user-related 
@@ -112,6 +116,8 @@ When you're done with all the configuration you'd like to do, continue with [Ins - [Setting up Mautrix Slack bridging](configuring-playbook-bridge-mautrix-slack.md) (optional) +- [Setting up Mautrix Google Messages bridging](configuring-playbook-bridge-mautrix-gmessages.md) (optional) + - [Setting up Mautrix Whatsapp bridging](configuring-playbook-bridge-mautrix-whatsapp.md) (optional) - [Setting up Mautrix Facebook bridging](configuring-playbook-bridge-mautrix-facebook.md) (optional) @@ -126,6 +132,8 @@ When you're done with all the configuration you'd like to do, continue with [Ins - [Setting up Mautrix Signal bridging](configuring-playbook-bridge-mautrix-signal.md) (optional) +- [Setting up Mautrix wsproxy for bridging Android SMS or Apple iMessage](configuring-playbook-bridge-mautrix-wsproxy.md) (optional) + - [Setting up Appservice IRC bridging](configuring-playbook-bridge-appservice-irc.md) (optional) - [Setting up Appservice Discord bridging](configuring-playbook-bridge-appservice-discord.md) (optional) diff --git a/docs/container-images.md b/docs/container-images.md index 737a4457..e89161f7 100644 --- a/docs/container-images.md +++ b/docs/container-images.md 
@@ -46,6 +46,8 @@ These services are not part of our default installation, but can be enabled by [ - [mautrix/telegram](https://mau.dev/mautrix/telegram/container_registry) - the [mautrix-telegram](https://github.com/mautrix/telegram) bridge to [Telegram](https://telegram.org/) (optional) +- [mautrix/gmessages](https://mau.dev/mautrix/gmessages/container_registry) - the [mautrix-gmessages](https://github.com/mautrix/gmessages) bridge to [Google Messages](https://messages.google.com/) (optional) + - [mautrix/whatsapp](https://mau.dev/mautrix/whatsapp/container_registry) - the [mautrix-whatsapp](https://github.com/mautrix/whatsapp) bridge to [Whatsapp](https://www.whatsapp.com/) (optional) - [mautrix/facebook](https://mau.dev/mautrix/facebook/container_registry) - the [mautrix-facebook](https://github.com/mautrix/facebook) bridge to [Facebook](https://facebook.com/) (optional) diff --git a/docs/importing-postgres.md b/docs/importing-postgres.md index 3c693578..8b537cd3 100644 --- a/docs/importing-postgres.md +++ b/docs/importing-postgres.md @@ -32,7 +32,7 @@ just run-tags import-postgres \ - `SERVER_PATH_TO_POSTGRES_DUMP_FILE` must be a file path to a Postgres dump file on the server (not on your local machine!) - `postgres_default_import_database` defaults to `matrix`, which is useful for importing multiple databases (for dumps made with `pg_dumpall`). If you're importing a single database (e.g. `synapse`), consider changing `postgres_default_import_database` accordingly - +- after importing a large database, it's a good idea to run [an `ANALYZE` operation](https://www.postgresql.org/docs/current/sql-analyze.html) to make Postgres rebuild its database statistics and optimize its query planner. You can easily do this via the playbook by running `just run-tags run-postgres-vacuum -e postgres_vacuum_preset=analyze` (see [Vacuuming PostgreSQL](maintenance-postgres.md#vacuuming-postgresql) for more details). ## Troubleshooting 
diff --git a/docs/maintenance-migrating.md b/docs/maintenance-migrating.md index fd593691..4c1f7119 100644 --- a/docs/maintenance-migrating.md +++ b/docs/maintenance-migrating.md @@ -5,7 +5,7 @@ # Migrating to new server 1. Prepare by lowering DNS TTL for your domains (`matrix.DOMAIN`, etc.), so that DNS record changes (step 4 below) would happen faster, leading to less downtime -2. Stop all services on the old server and make sure they won't be starting again. Execute this on the old server: `systemctl disable --now matrix*` +2. Stop all services on the old server and make sure they won't be starting again. Execute this on the old server: `systemctl disable --now matrix*` (you might have to cd to /etc/systemd/system/ first) 3. Copy directory `/matrix` from the old server to the new server. Make sure to preserve ownership and permissions (use `cp -p` or `rsync -ar`)! 4. Make sure your DNS records are adjusted to point to the new server's IP address 5. Remove old server from the `inventory/hosts` file and add new server. diff --git a/docs/maintenance-postgres.md b/docs/maintenance-postgres.md index cc8898a2..74eed348 100644 --- a/docs/maintenance-postgres.md +++ b/docs/maintenance-postgres.md 
@@ -34,17 +34,22 @@ When in doubt, consider [making a backup](#backing-up-postgresql). ## Vacuuming PostgreSQL -Deleting lots data from Postgres does not make it release disk space, until you perform a `VACUUM` operation. +Deleting lots data from Postgres does not make it release disk space, until you perform a [`VACUUM` operation](https://www.postgresql.org/docs/current/sql-vacuum.html). -To perform a `FULL` Postgres [VACUUM](https://www.postgresql.org/docs/current/sql-vacuum.html), run the playbook with `--tags=run-postgres-vacuum`. +You can run different `VACUUM` operations via the playbook, with the default preset being `vacuum-complete`: -Example: +- (default) `vacuum-complete`: stops all services temporarily and runs `VACUUM FULL VERBOSE ANALYZE`. +- `vacuum-full`: stops all services temporarily and runs `VACUUM FULL VERBOSE` +- `vacuum`: runs `VACUUM VERBOSE` without stopping any services +- `vacuum-analyze` runs `VACUUM VERBOSE ANALYZE` without stopping any services +- `analyze` runs `ANALYZE VERBOSE` without stopping any services (this is just [ANALYZE](https://www.postgresql.org/docs/current/sql-analyze.html) without doing a vacuum, so it's faster) -```bash -just run-tags run-postgres-vacuum,start -``` +**Note**: for the `vacuum-complete` and `vacuum-full` presets, you'll need plenty of available disk space in your Postgres data directory (usually `/matrix/postgres/data`). These presets also stop all services (e.g. Synapse, etc.) while the vacuum operation is running. + +Example playbook invocations: -**Note**: this will automatically stop Synapse temporarily and restart it later. You'll also need plenty of available disk space in your Postgres data directory (usually `/matrix/postgres/data`). 
+- `just run-tags run-postgres-vacuum`: runs the default `vacuum-complete` preset and restarts all services +- `just run-tags run-postgres-vacuum -e postgres_vacuum_preset=analyze`: runs the `analyze` preset with all services remaining operational at all times ## Backing up PostgreSQL @@ -82,7 +87,7 @@ This playbook can upgrade your existing Postgres setup with the following comman just run-tags upgrade-postgres ``` -**Warning: If you're using Borg Backup keep in mind that there is no official Postgres 15 support yet.** +**Warning: If you're using Borg Backup keep in mind that there is no official Postgres 16 support yet.** **The old Postgres data directory is backed up** automatically, by renaming it to `/matrix/postgres/data-auto-upgrade-backup`. To rename to a different path, pass some extra flags to the command above, like this: `--extra-vars="postgres_auto_upgrade_backup_data_path=/another/disk/matrix-postgres-before-upgrade"` 
@@ -101,63 +106,15 @@ Example: `--extra-vars="postgres_dump_name=matrix-postgres-dump.sql"` ## Tuning PostgreSQL -PostgreSQL can be tuned to make it run faster. This is done by passing extra arguments to Postgres with the `devture_postgres_process_extra_arguments` variable. You should use a website like https://pgtune.leopard.in.ua/ or information from https://wiki.postgresql.org/wiki/Tuning_Your_PostgreSQL_Server to determine what Postgres settings you should change. +PostgreSQL can be [tuned](https://wiki.postgresql.org/wiki/Tuning_Your_PostgreSQL_Server) to make it run faster. This is done by passing extra arguments to the Postgres process. -**Note**: the configuration generator at https://pgtune.leopard.in.ua/ adds spaces around the `=` sign, which is invalid. You'll need to remove it manually (`max_connections = 300` -> `max_connections=300`) +The [Postgres Ansible role](https://github.com/devture/com.devture.ansible.role.postgres) **already does some tuning by default**, which matches the [tuning logic](https://github.com/le0pard/pgtune/blob/master/src/features/configuration/configurationSlice.js) done by websites like https://pgtune.leopard.in.ua/. +You can manually influence some of the tuning variables . These parameters (variables) are injected via the `devture_postgres_postgres_process_extra_arguments_auto` variable. -### Here are some examples: +Most users should be fine with the automatically-done tuning. However, you may wish to: -These are not recommended values and they may not work well for you. This is just to give you an idea of some of the options that can be set. If you are an experienced PostgreSQL admin feel free to update this documentation with better examples. 
- -Here is an example config for a small 2 core server with 4GB of RAM and SSD storage: -``` -devture_postgres_process_extra_arguments: [ - "-c shared_buffers=128MB", - "-c effective_cache_size=2304MB", - "-c effective_io_concurrency=100", - "-c random_page_cost=2.0", - "-c min_wal_size=500MB", -] -``` +- **adjust the automatically-deterimned tuning parameters manually**: change the values for the tuning variables defined in the Postgres role's [default configuration file](https://github.com/devture/com.devture.ansible.role.postgres/blob/main/defaults/main.yml) (see `devture_postgres_max_connections`, `devture_postgres_data_storage` etc). These variables are ultimately passed to Postgres via a `devture_postgres_postgres_process_extra_arguments_auto` variable -Here is an example config for a 4 core server with 8GB of RAM on a Virtual Private Server (VPS); the paramters have been configured using https://pgtune.leopard.in.ua with the following setup: PostgreSQL version 12, OS Type: Linux, DB Type: Mixed type of application, Data Storage: SSD storage: -``` -devture_postgres_process_extra_arguments: [ - "-c max_connections=100", - "-c shared_buffers=2GB", - "-c effective_cache_size=6GB", - "-c maintenance_work_mem=512MB", - "-c checkpoint_completion_target=0.9", - "-c wal_buffers=16MB", - "-c default_statistics_target=100", - "-c random_page_cost=1.1", - "-c effective_io_concurrency=200", - "-c work_mem=5242kB", - "-c min_wal_size=1GB", - "-c max_wal_size=4GB", - "-c max_worker_processes=4", - "-c max_parallel_workers_per_gather=2", - "-c max_parallel_workers=4", - "-c max_parallel_maintenance_workers=2", -] -``` +- **turn automatically-performed tuning off**: override it like this: `devture_postgres_postgres_process_extra_arguments_auto: []` -Here is an example config for a large 6 core server with 24GB of RAM: -``` -devture_postgres_process_extra_arguments: [ - "-c max_connections=40", - "-c shared_buffers=1536MB", - "-c checkpoint_completion_target=0.7", - "-c 
wal_buffers=16MB", - "-c default_statistics_target=100", - "-c random_page_cost=1.1", - "-c effective_io_concurrency=100", - "-c work_mem=2621kB", - "-c min_wal_size=1GB", - "-c max_wal_size=4GB", - "-c max_worker_processes=6", - "-c max_parallel_workers_per_gather=3", - "-c max_parallel_workers=6", - "-c max_parallel_maintenance_workers=3", -] -``` +- **add additional tuning parameters**: define your additional Postgres configuration parameters in `devture_postgres_postgres_process_extra_arguments_custom`. See `devture_postgres_postgres_process_extra_arguments_auto` defined in the Postgres role's [default configuration file](https://github.com/devture/com.devture.ansible.role.postgres/blob/main/defaults/main.yml) for inspiration diff --git a/docs/maintenance-synapse.md b/docs/maintenance-synapse.md index 7c3ecc1b..a2ee2a9a 100644 --- a/docs/maintenance-synapse.md +++ b/docs/maintenance-synapse.md 
@@ -72,8 +72,10 @@ You should then be able to browse the adminer database administration GUI at htt Synapse's presence feature which tracks which users are online and which are offline can use a lot of processing power. You can disable presence by adding `matrix_synapse_presence_enabled: false` to your `vars.yml` file. +If you have enough compute resources (CPU & RAM), you can make Synapse better use of them by [enabling load-balancing with workers](configuring-playbook-synapse.md#load-balancing-with-workers). + Tuning Synapse's cache factor can help reduce RAM usage. [See the upstream documentation](https://github.com/matrix-org/synapse#help-synapse-is-slow-and-eats-all-my-ram-cpu) for more information on what value to set the cache factor to. Use the variable `matrix_synapse_caches_global_factor` to set the cache factor. -Tuning your PostgreSQL database will also make Synapse run significantly faster. See [maintenance-postgres.md##tuning-postgresql](maintenance-postgres.md##tuning-postgresql). +[Tuning your PostgreSQL database](maintenance-postgres.md#tuning-postgresql) could also improve Synapse performance. The playbook tunes the integrated Postgres database automatically, but based on your needs you may wish to adjust tuning variables manually. If you're using an [external Postgres database](configuring-playbook-external-postgres.md), you will aslo need to tune Postgres manually. See also [How do I optimize this setup for a low-power server?](faq.md#how-do-i-optimize-this-setup-for-a-low-power-server). diff --git a/docs/self-building.md b/docs/self-building.md index ad29fc2d..3fe826da 100644 --- a/docs/self-building.md +++ b/docs/self-building.md 
@@ -32,6 +32,7 @@ Possibly outdated list of roles where self-building the Docker image is currentl - `matrix-bridge-mautrix-googlechat` - `matrix-bridge-mautrix-telegram` - `matrix-bridge-mautrix-signal` +- `matrix-bridge-mautrix-gmessages` - `matrix-bridge-mautrix-whatsapp` - `matrix-bridge-mx-puppet-steam` - `matrix-bot-mjolnir` diff --git a/examples/apache/matrix-synapse.conf b/examples/apache/matrix-synapse.conf index 2c7b3dde..17c6b6ea 100644 --- a/examples/apache/matrix-synapse.conf +++ b/examples/apache/matrix-synapse.conf @@ -37,6 +37,7 @@ # Keep some URIs free for different proxy/location ProxyPassMatch ^/.well-known/matrix/client ! ProxyPassMatch ^/.well-known/matrix/server ! + ProxyPassMatch ^/.well-known/matrix/support ! ProxyPassMatch ^/_matrix/identity ! ProxyPassMatch ^/_matrix/client/r0/user_directory/search ! @@ -46,11 +47,11 @@ ProxyPassReverse /_matrix http://127.0.0.1:8008/_matrix ProxyPass /_synapse/client http://127.0.0.1:8008/_synapse/client retry=0 nocanon ProxyPassReverse /_synapse/client http://127.0.0.1:8008/_synapse/client - + # Proxy Admin API (necessary for Synapse-Admin) # ProxyPass /_synapse/admin http://127.0.0.1:8008/_synapse/admin retry=0 nocanon # ProxyPassReverse /_synapse/admin http://127.0.0.1:8008/_synapse/admin - + # Proxy Synapse-Admin # ProxyPass /synapse-admin http://127.0.0.1:8766 retry=0 nocanon # ProxyPassReverse /synapse-admin http://127.0.0.1:8766 @@ -64,6 +65,7 @@ Header always set Content-Type "application/json" Header always set Access-Control-Allow-Origin "*" + # Map /.well-known/matrix/server for server discovery Alias /.well-known/matrix/server /matrix/static-files/.well-known/matrix/server 
@@ -72,6 +74,16 @@ Header always set Content-Type "application/json" + + # Map /.well-known/matrix/support for support discovery + Alias /.well-known/matrix/support /matrix/static-files/.well-known/matrix/support + + Require all granted + + + Header always set Content-Type "application/json" + + AllowOverride All # Apache 2.4: diff --git a/examples/vars.yml b/examples/vars.yml index 784bf061..dd9a97c4 100644 --- a/examples/vars.yml +++ b/examples/vars.yml @@ -41,3 +41,19 @@ devture_traefik_config_certificatesResolvers_acme_email: '' # The playbook creates additional Postgres users and databases (one for each enabled service) # using this superuser account. devture_postgres_connection_password: '' + +# By default, we configure Coturn's external IP address using the value specified for `ansible_host` in your `inventory/hosts` file. +# If this value is an external IP address, you can skip this section. +# +# If `ansible_host` is not the server's external IP address, you have 2 choices: +# 1. Uncomment the line below, to allow IP address auto-detection to happen (more on this below) +# 2. Uncomment and adjust the line below to specify an IP address manually +# +# By default, auto-detection will be attempted using the `https://ifconfig.co/json` API. +# Default values for this are specified in `matrix_coturn_turn_external_ip_address_auto_detection_*` variables in the Coturn role +# (see `roles/custom/matrix-coturn/defaults/main.yml`). +# +# If your server has multiple IP addresses, you may define them in another variable which allows a list of addresses. +# Example: `matrix_coturn_turn_external_ip_addresses: ['1.2.3.4', '4.5.6.7']` +# +# matrix_coturn_turn_external_ip_address: '' diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index d225cc30..e5ca46e0 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers 
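Review bot: The new `/.well-known/matrix/support` block sets only `Content-Type`, whereas the client well-known block earlier in this file (visible as context in the `@@ -64,6 +65,7 @@` hunk) also sends `Header always set Access-Control-Allow-Origin "*"`; if browser-based clients are expected to fetch the support document cross-origin, the same header is needed here, so please confirm against the specification text for this endpoint before merging. The container directives that wrap the new `Alias` (the opening and closing Location/Directory tags) appear to have been stripped in this rendering, so the scope of `Require all granted` could not be checked from the hunk itself. Suggested addition after the new block's `Header always set Content-Type "application/json"` line: `Header always set Access-Control-Allow-Origin "*"`.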
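Review bot: Both numbered choices in the new comment say "Uncomment the line below", but only one commented line exists (`# matrix_coturn_turn_external_ip_address: ''`), and the sentence "By default, auto-detection will be attempted" reads as if auto-detection were the playbook default, whereas the coturn hunk in `group_vars/matrix_servers` (`@@ -2133,6 +2245,9 @@`) keeps `{{ ansible_host }}` as the default and only auto-detects when the variable is set to an empty string. Suggested rewording of the two options: `# 1. Uncomment the line below, leaving the value empty, to allow IP address auto-detection to happen (more on this below)` and `# 2. Uncomment the line below and set it to your server's external IP address`, with the later sentence changed to `# When the value is empty, auto-detection will be attempted using the ...`. Because the auto-detected value comes from a third-party HTTPS service and is what Coturn then advertises to clients, a one-line hint to verify the detected address in the rendered Coturn configuration would be useful; the same remark applies to the comment added in the group_vars coturn hunk.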
@@ -101,8 +101,14 @@ matrix_homeserver_container_extra_arguments_auto: | + (['--mount type=bind,src=' + matrix_mautrix_twitter_config_path + '/registration.yaml,dst=/matrix-mautrix-twitter-registration.yaml,ro'] if matrix_mautrix_twitter_enabled else []) + + (['--mount type=bind,src=' + matrix_mautrix_gmessages_config_path + '/registration.yaml,dst=/matrix-mautrix-gmessages-registration.yaml,ro'] if matrix_mautrix_gmessages_enabled else []) + + (['--mount type=bind,src=' + matrix_mautrix_whatsapp_config_path + '/registration.yaml,dst=/matrix-mautrix-whatsapp-registration.yaml,ro'] if matrix_mautrix_whatsapp_enabled else []) + + (['--mount type=bind,src=' + matrix_mautrix_wsproxy_config_path + '/androidsms-registration.yaml,dst=/matrix-mautrix-androidsms-registration.yaml,ro'] if matrix_mautrix_wsproxy_enabled else []) + + + (['--mount type=bind,src=' + matrix_mautrix_wsproxy_config_path + '/imessage-registration.yaml,dst=/matrix-mautrix-imessage-registration.yaml,ro'] if matrix_mautrix_wsproxy_enabled else []) + + (['--mount type=bind,src=' + matrix_mx_puppet_discord_config_path + '/registration.yaml,dst=/matrix-mx-puppet-discord-registration.yaml,ro'] if matrix_mx_puppet_discord_enabled else []) + (['--mount type=bind,src=' + matrix_mx_puppet_groupme_config_path + '/registration.yaml,dst=/matrix-mx-puppet-groupme-registration.yaml,ro'] if matrix_mx_puppet_groupme_enabled else []) 
@@ -158,8 +164,14 @@ matrix_homeserver_app_service_config_files_auto: | + (['/matrix-mautrix-twitter-registration.yaml'] if matrix_mautrix_twitter_enabled else []) + + (['/matrix-mautrix-gmessages-registration.yaml'] if matrix_mautrix_gmessages_enabled else []) + + (['/matrix-mautrix-whatsapp-registration.yaml'] if matrix_mautrix_whatsapp_enabled else []) + + (['/matrix-mautrix-androidsms-registration.yaml'] if matrix_mautrix_wsproxy_enabled else []) + + + (['/matrix-mautrix-imessage-registration.yaml'] if matrix_mautrix_wsproxy_enabled else []) + + (['/matrix-mx-puppet-discord-registration.yaml'] if matrix_mx_puppet_discord_enabled else []) + (['/matrix-mx-puppet-groupme-registration.yaml'] if matrix_mx_puppet_groupme_enabled else []) 
@@ -270,8 +282,14 @@ devture_systemd_service_manager_services_list_auto: | + ([{'name': 'matrix-mautrix-twitter.service', 'priority': 2000, 'groups': ['matrix', 'bridges', 'mautrix-twitter']}] if matrix_mautrix_twitter_enabled else []) + + ([{'name': 'matrix-mautrix-gmessages.service', 'priority': 2000, 'groups': ['matrix', 'bridges', 'mautrix-gmessages']}] if matrix_mautrix_gmessages_enabled else []) + + ([{'name': 'matrix-mautrix-whatsapp.service', 'priority': 2000, 'groups': ['matrix', 'bridges', 'mautrix-whatsapp']}] if matrix_mautrix_whatsapp_enabled else []) + + ([{'name': 'matrix-mautrix-wsproxy.service', 'priority': 2000, 'groups': ['matrix', 'bridges', 'mautrix-wsproxy']}] if matrix_mautrix_wsproxy_enabled else []) + + + ([{'name': 'matrix-mautrix-wsproxy-syncproxy.service', 'priority': 2000, 'groups': ['matrix', 'bridges', 'mautrix-wsproxy-syncproxy']}] if matrix_mautrix_wsproxy_enabled else []) + + ([{'name': 'matrix-mx-puppet-discord.service', 'priority': 2000, 'groups': ['matrix', 'bridges', 'mx-puppet-discord']}] if matrix_mx_puppet_discord_enabled else []) + ([{'name': 'matrix-mx-puppet-groupme.service', 'priority': 2000, 'groups': ['matrix', 'bridges', 'mx-puppet-groupme']}] if matrix_mx_puppet_groupme_enabled else []) 
@@ -294,6 +312,8 @@ devture_systemd_service_manager_services_list_auto: | + ([{'name': 'matrix-client-hydrogen.service', 'priority': 2000, 'groups': ['matrix', 'clients', 'hydrogen', 'client-hydrogen']}] if matrix_client_hydrogen_enabled else []) + + ([{'name': 'matrix-client-schildichat.service', 'priority': 2000, 'groups': ['matrix', 'clients', 'schildichat', 'client-schildichat']}] if matrix_client_schildichat_enabled else []) + + ([{'name': ('matrix-' + matrix_homeserver_implementation + '.service'), 'priority': 1000, 'groups': ['matrix', 'homeservers', matrix_homeserver_implementation]}] if matrix_homeserver_enabled else []) + ([{'name': 'matrix-corporal.service', 'priority': 1500, 'groups': ['matrix', 'corporal']}] if matrix_corporal_enabled else []) @@ -326,6 +346,8 @@ devture_systemd_service_manager_services_list_auto: | + ([{'name': 'matrix-ma1sd.service', 'priority': 2000, 'groups': ['matrix', 'ma1sd']}] if matrix_ma1sd_enabled else []) + + ([{'name': (matrix_media_repo_identifier + '.service'), 'priority': 4000, 'groups': ['matrix', 'matrix-media-repo']}] if matrix_media_repo_enabled else []) + + ([{'name': 'matrix-mailer.service', 'priority': 2000, 'groups': ['matrix', 'mailer']}] if matrix_mailer_enabled else []) + ([{'name': 'matrix-nginx-proxy.service', 'priority': 3000, 'groups': ['matrix', 'nginx', 'reverse-proxies']}] if matrix_nginx_proxy_enabled else []) @@ -395,7 +417,6 @@ devture_systemd_service_manager_services_list_auto: | ######################################################################## - ###################################################################### # # com.devture.ansible.role.playbook_state_preserver @@ -418,7 +439,6 @@ devture_playbook_state_preserver_commit_hash_preservation_dst: "{{ matrix_base_d ###################################################################### - ###################################################################### # # matrix-base 
@@ -1153,6 +1173,98 @@ matrix_mautrix_twitter_database_password: "{{ '%s' | format(matrix_homeserver_ge # ###################################################################### +###################################################################### +# +# matrix-bridge-mautrix-gmessages +# +###################################################################### + +# We don't enable bridges by default. +matrix_mautrix_gmessages_enabled: false + +matrix_mautrix_gmessages_container_image_self_build: "{{ matrix_architecture not in ['arm64', 'amd64'] }}" + +matrix_mautrix_gmessages_systemd_required_services_list: | + {{ + ['docker.service'] + + + ['matrix-' + matrix_homeserver_implementation + '.service'] + + + ([devture_postgres_identifier ~ '.service'] if devture_postgres_enabled else []) + + + (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) + }} + +matrix_mautrix_gmessages_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'gmessa.as.token', rounds=655555) | to_uuid }}" + +matrix_mautrix_gmessages_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'gmessa.hs.token', rounds=655555) | to_uuid }}" + +matrix_mautrix_gmessages_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" + +# People using an external Prometheus server will need to toggle all of these to be able to consume metrics remotely: +# - `matrix_mautrix_gmessages_metrics_enabled` +# - `matrix_mautrix_gmessages_proxying_metrics_enabled` +# - `matrix_nginx_proxy_proxy_matrix_metrics_enabled` +matrix_mautrix_gmessages_metrics_enabled: "{{ prometheus_enabled }}" + +# Postgres is the default, except if not using internal Postgres server +matrix_mautrix_gmessages_database_engine: "{{ 'postgres' if devture_postgres_enabled else 'sqlite' }}" 
+matrix_mautrix_gmessages_database_hostname: "{{ devture_postgres_connection_hostname if devture_postgres_enabled else '' }}" +matrix_mautrix_gmessages_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'maugmessages.db', rounds=655555) | to_uuid }}" + +###################################################################### +# +# /matrix-bridge-mautrix-gmessages +# +###################################################################### + +###################################################################### +# +# matrix-bridge-mautrix-wsproxy +# +###################################################################### + +# We don't enable bridges by default. +matrix_mautrix_wsproxy_enabled: false + +matrix_mautrix_wsproxy_systemd_required_services_list: | + {{ + ['docker.service'] + + + ['matrix-' + matrix_homeserver_implementation + '.service'] + + + ([devture_postgres_identifier ~ '.service'] if devture_postgres_enabled else []) + + + (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) + }} + +matrix_mautrix_wsproxy_homeserver_domain: "{{ matrix_domain }}" + +matrix_mautrix_wsproxy_homeserver_address: "{{ matrix_homeserver_container_url }}" +matrix_mautrix_wsproxy_hostname: "wsproxy.{{ matrix_mautrix_wsproxy_homeserver_domain }}" + +matrix_mautrix_wsproxy_container_additional_networks: | + {{ + ( + ([matrix_playbook_reverse_proxyable_services_additional_network] if matrix_playbook_reverse_proxyable_services_additional_network else []) + + + ([matrix_nginx_proxy_container_network] if matrix_nginx_proxy_enabled and matrix_nginx_proxy_container_network != matrix_mautrix_wsproxy_container_network else []) + + + ([devture_postgres_container_network] if devture_postgres_enabled and devture_postgres_container_network != matrix_mautrix_wsproxy_container_network else []) + ) | unique + }} + +matrix_mautrix_wsproxy_container_labels_traefik_enabled: "{{ matrix_playbook_reverse_proxy_type in 
['playbook-managed-traefik', 'other-traefik-container'] }}" +matrix_mautrix_wsproxy_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}" +matrix_mautrix_wsproxy_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}" +matrix_mautrix_wsproxy_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}" + +###################################################################### +# +# /matrix-bridge-mautrix-wsproxy +# +###################################################################### + ###################################################################### # # matrix-bridge-mautrix-whatsapp @@ -1182,10 +1294,10 @@ matrix_mautrix_whatsapp_homeserver_token: "{{ '%s' | format(matrix_homeserver_ge matrix_mautrix_whatsapp_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" # People using an external Prometheus server will need to toggle all of these to be able to consume metrics remotely: -# - `matrix_mautrix_twitter_metrics_enabled` -# - `matrix_mautrix_twitter_proxying_metrics_enabled` +# - `matrix_mautrix_whatsapp_metrics_enabled` +# - `matrix_mautrix_whatsapp_proxying_metrics_enabled` # - `matrix_nginx_proxy_proxy_matrix_metrics_enabled` -matrix_mautrix_twitter_metrics_enabled: "{{ prometheus_enabled }}" +matrix_mautrix_whatsapp_metrics_enabled: "{{ prometheus_enabled }}" # Postgres is the default, except if not using internal Postgres server matrix_mautrix_whatsapp_database_engine: "{{ 'postgres' if devture_postgres_enabled else 'sqlite' }}" 
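Review bot: The new `matrix-bridge-mautrix-wsproxy` section defines no `matrix_mautrix_wsproxy_syncproxy_database_*` values, yet the `devture_postgres_managed_databases_auto` hunk (`@@ -2967,6 +3129,12 @@`) creates a database from `matrix_mautrix_wsproxy_syncproxy_database_name`, `_username` and `_password`; every other bridge section in this file, including the new gmessages one directly above, derives the database password from `matrix_homeserver_generic_secret_key` and the hostname from `devture_postgres_connection_hostname`. If the role's defaults for these are fixed values, every deployment would share the same syncproxy database credential and the managed-database condition would hinge on the role default matching the playbook's Postgres hostname, so please confirm what the role defaults are. Suggested additions to this section: `matrix_mautrix_wsproxy_syncproxy_database_hostname: "{{ devture_postgres_connection_hostname if devture_postgres_enabled else '' }}"` and `matrix_mautrix_wsproxy_syncproxy_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mausyncproxy.db', rounds=655555) | to_uuid }}"` (the salt string is a constructed example; any value unique within this file works).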
@@ -1949,7 +2061,7 @@ matrix_bot_mjolnir_systemd_required_services_list: | # We don't enable bots by default. matrix_bot_draupnir_enabled: false -matrix_bot_draupnir_container_image_self_build: "{{ matrix_architecture != 'amd64' }}" +matrix_bot_draupnir_container_image_self_build: "{{ matrix_architecture not in ['amd64', 'arm64'] }}" matrix_bot_draupnir_systemd_required_services_list: | {{ @@ -1989,7 +2101,7 @@ backup_borg_gid: "{{ matrix_user_gid }}" backup_borg_container_network: "{{ devture_postgres_container_network if devture_postgres_enabled else backup_borg_identifier }}" -backup_borg_postgresql_version_detection_devture_postgres_role_name: "{{ 'galaxy/com.devture.ansible.role.postgres' if devture_postgres_enabled else '' }}" +backup_borg_postgresql_version_detection_devture_postgres_role_name: "{{ 'galaxy/postgres' if devture_postgres_enabled else '' }}" backup_borg_container_image_self_build: "{{ matrix_architecture not in ['amd64', 'arm32', 'arm64'] }}" @@ -2133,6 +2245,9 @@ matrix_coturn_enabled: true matrix_coturn_container_image_self_build: "{{ matrix_architecture not in ['amd64', 'arm32', 'arm64'] }}" +# We make the assumption that `ansible_host` points to an external IP address, which may not always be the case. +# Users are free to set `matrix_coturn_turn_external_ip_address` to an empty string +# to allow auto-detection (via an EchoIP service) to happen at runtime. matrix_coturn_turn_external_ip_address: "{{ ansible_host }}" matrix_coturn_turn_static_auth_secret: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'coturn.sas', rounds=655555) | to_uuid }}" 
@@ -2376,6 +2491,8 @@ jitsi_base_path: "{{ matrix_base_data_path }}/jitsi" jitsi_uid: "{{ matrix_user_uid }}" jitsi_gid: "{{ matrix_user_gid }}" +jitsi_user_username: "{{ matrix_user_username }}" + # Normally, matrix-nginx-proxy is enabled and nginx can reach jitsi/web over the container network. # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose # the Jitsi HTTP port to the local host. @@ -2436,6 +2553,7 @@ jitsi_etherpad_enabled: "{{ etherpad_enabled }}" jitsi_etherpad_base: "{{ etherpad_base_url if etherpad_enabled else 'https://scalar.vector.im/etherpad' }}" # Allow verification using JWT and matrix-UVS +jitsi_prosody_auth_matrix_uvs_sync_power_levels: "{{ matrix_user_verification_service_enabled }}" jitsi_prosody_auth_matrix_uvs_auth_token: "{{ matrix_user_verification_service_uvs_auth_token }}" jitsi_prosody_auth_matrix_uvs_location: "{{ matrix_user_verification_service_container_url }}" 
@@ -2557,6 +2675,37 @@ matrix_ma1sd_database_password: "{{ '%s' | format(matrix_homeserver_generic_secr # ###################################################################### +###################################################################### +# +# matrix-media-repo +# +###################################################################### + +matrix_media_repo_enabled: false +matrix_media_repo_container_network: "{{ matrix_docker_network }}" + +matrix_media_repo_container_labels_traefik_enabled: false +matrix_media_repo_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}" +matrix_media_repo_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}" +matrix_media_repo_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}" + +matrix_media_repo_database_hostname: "{{ devture_postgres_connection_hostname if devture_postgres_enabled else '' }}" +matrix_media_repo_database_username: matrix_media_repo +matrix_media_repo_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mediarepo.db', rounds=655555) | to_uuid }}" +matrix_media_repo_database_name: matrix_media_repo + +matrix_media_repo_systemd_required_services_list: | + {{ + (['docker.service']) + + + ([devture_postgres_identifier ~ '.service'] if devture_postgres_enabled and matrix_media_repo_database_hostname == devture_postgres_connection_hostname else []) + }} + +###################################################################### +# +# /matrix-media-repo +# +###################################################################### ###################################################################### # 
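Review bot: `matrix_media_repo_container_labels_traefik_enabled: false` is hard-coded, while the other service sections added in this diff (wsproxy and schildichat) derive it from the reverse-proxy type, i.e. `matrix_media_repo_container_labels_traefik_enabled: "{{ matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] }}"`. With the value fixed to `false`, Traefik-based deployments get the remaining Traefik label variables populated but no routing, and the only proxy integration added for media-repo elsewhere in this diff is the nginx one (`matrix_nginx_proxy_proxy_media_repo_enabled`). If Traefik routing for media-repo is deliberately unsupported for now, a comment such as `# Traefik routing for matrix-media-repo is not wired up yet; only matrix-nginx-proxy is supported` would save the next reader the same question.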
@@ -2611,11 +2760,13 @@ matrix_nginx_proxy_proxy_matrix_enabled: true matrix_nginx_proxy_proxy_element_enabled: "{{ matrix_client_element_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] }}" matrix_nginx_proxy_proxy_hydrogen_enabled: "{{ matrix_client_hydrogen_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] }}" matrix_nginx_proxy_proxy_cinny_enabled: "{{ matrix_client_cinny_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] }}" +matrix_nginx_proxy_proxy_schildichat_enabled: "{{ matrix_client_schildichat_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] }}" matrix_nginx_proxy_proxy_buscarron_enabled: "{{ matrix_bot_buscarron_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] }}" matrix_nginx_proxy_proxy_dimension_enabled: "{{ matrix_dimension_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] }}" matrix_nginx_proxy_proxy_rageshake_enabled: "{{ matrix_rageshake_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] }}" matrix_nginx_proxy_proxy_etherpad_enabled: "{{ etherpad_enabled and not etherpad_nginx_proxy_dimension_integration_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] }}" matrix_nginx_proxy_proxy_bot_go_neb_enabled: "{{ matrix_bot_go_neb_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] }}" +matrix_nginx_proxy_proxy_mautrix_wsproxy_enabled: "{{ matrix_mautrix_wsproxy_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] }}" matrix_nginx_proxy_proxy_jitsi_enabled: "{{ jitsi_enabled and 
matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] }}" @@ -2638,6 +2789,10 @@ matrix_nginx_proxy_proxy_matrix_identity_api_enabled: "{{ matrix_ma1sd_enabled } matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container: "matrix-ma1sd:{{ matrix_ma1sd_container_port }}" matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container: "127.0.0.1:{{ matrix_ma1sd_container_port }}" +matrix_nginx_proxy_proxy_media_repo_enabled: "{{ matrix_media_repo_enabled }}" +matrix_nginx_proxy_proxy_media_repo_addr_with_container: "{{ matrix_media_repo_identifier }}:{{ matrix_media_repo_port }}" +matrix_nginx_proxy_proxy_media_repo_addr_sans_container: "127.0.0.1:{{ matrix_media_repo_port }}" + # By default, we do TLS termination for the Matrix Federation API (port 8448) at matrix-nginx-proxy. # Unless this is handled there OR Synapse's federation listener port is disabled, we'll reverse-proxy. matrix_nginx_proxy_proxy_matrix_federation_api_enabled: |- @@ -2696,6 +2851,8 @@ matrix_nginx_proxy_systemd_wanted_services_list: | + (['matrix-ma1sd.service'] if matrix_ma1sd_enabled else []) + + ([(matrix_media_repo_identifier + '.service')] if matrix_media_repo_enabled else []) + + (['matrix-client-cinny.service'] if matrix_client_cinny_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] else []) + (['matrix-bot-buscarron.service'] if matrix_bot_buscarron_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] else []) 
@@ -2704,6 +2861,8 @@ matrix_nginx_proxy_systemd_wanted_services_list: | + (['matrix-client-hydrogen.service'] if matrix_client_hydrogen_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] else []) + + (['matrix-client-schildichat.service'] if matrix_client_schildichat_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] else []) + + ([(grafana_identifier + '.service')] if grafana_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] else []) + (['matrix-dimension.service'] if matrix_dimension_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] else []) @@ -2735,6 +2894,8 @@ matrix_ssl_domains_to_obtain_certificates_for: | + ([matrix_server_fqn_cinny] if matrix_client_cinny_enabled else []) + + ([matrix_server_fqn_schildichat] if matrix_client_schildichat_enabled else []) + + ([matrix_server_fqn_buscarron] if matrix_bot_buscarron_enabled else []) + ([matrix_server_fqn_dimension] if matrix_dimension_enabled else []) @@ -2749,6 +2910,8 @@ matrix_ssl_domains_to_obtain_certificates_for: | + ([matrix_server_fqn_sygnal] if matrix_sygnal_enabled else []) + + ([matrix_server_fqn_mautrix_wsproxy] if matrix_mautrix_wsproxy_enabled else []) + + ([ntfy_hostname] if ntfy_enabled else []) + ([matrix_server_fqn_rageshake] if matrix_rageshake_enabled else []) 
@@ -2802,10 +2965,9 @@ devture_postgres_gid: "{{ matrix_user_gid }}" devture_postgres_connection_username: matrix devture_postgres_db_name: matrix -devture_postgres_systemd_services_to_stop_for_maintenance_list: | - {{ - ['matrix-' + matrix_homeserver_implementation + '.service'] - }} +devture_postgres_systemd_services_to_stop_for_maintenance_list_auto: "{{ devture_systemd_service_manager_services_list_auto | map(attribute='name') | reject('equalto', (devture_postgres_identifier + '.service')) }}" + +devture_postgres_max_connections: "{{ 500 if matrix_synapse_workers_enabled else 200 }}" devture_postgres_managed_databases_auto: | {{ @@ -2967,6 +3129,12 @@ devture_postgres_managed_databases_auto: | 'password': matrix_mautrix_signal_database_password, }] if (matrix_mautrix_signal_enabled and matrix_mautrix_signal_database_engine == 'postgres' and matrix_mautrix_signal_database_hostname == devture_postgres_connection_hostname) else []) + + ([{ + 'name': matrix_mautrix_wsproxy_syncproxy_database_name, + 'username': matrix_mautrix_wsproxy_syncproxy_database_username, + 'password': matrix_mautrix_wsproxy_syncproxy_database_password, + }] if (matrix_mautrix_wsproxy_enabled and matrix_mautrix_wsproxy_syncproxy_database_engine == 'postgres' and matrix_mautrix_wsproxy_syncproxy_database_hostname == 'matrix-postgres') else []) + + ([{ 'name': matrix_mautrix_telegram_database_name, 'username': matrix_mautrix_telegram_database_username, 
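Review bot: `devture_postgres_systemd_services_to_stop_for_maintenance_list_auto` ends in `map(attribute='name') | reject(...)`, which yields a generator rather than a list; Ansible normally unrolls this, but the other `_auto` lists in this file are built as explicit lists, so appending `| list` would make the type explicit: `... | reject('equalto', (devture_postgres_identifier + '.service')) | list }}"`. The new value also stops every service the service manager knows about rather than just the homeserver, including services that do not use Postgres such as reverse proxies and clients; if that is intended, a one-line comment like `# Stop everything except Postgres itself during maintenance, so no service keeps a connection open` would document the choice.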
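Review bot: The new wsproxy-syncproxy entry in `devture_postgres_managed_databases_auto` compares `matrix_mautrix_wsproxy_syncproxy_database_hostname` against the literal `'matrix-postgres'`, while every neighbouring entry (signal above it, telegram below it, and the gmessages and media-repo entries in the following hunks) compares against `devture_postgres_connection_hostname`. If the playbook's Postgres hostname is ever anything other than `matrix-postgres`, the syncproxy database is silently not created while all the other managed databases are. Suggested change to the condition line: `}] if (matrix_mautrix_wsproxy_enabled and matrix_mautrix_wsproxy_syncproxy_database_engine == 'postgres' and matrix_mautrix_wsproxy_syncproxy_database_hostname == devture_postgres_connection_hostname) else [])`.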
@@ -2979,6 +3147,12 @@ devture_postgres_managed_databases_auto: | 'password': matrix_mautrix_twitter_database_password, }] if (matrix_mautrix_twitter_enabled and matrix_mautrix_twitter_database_engine == 'postgres' and matrix_mautrix_twitter_database_hostname == devture_postgres_connection_hostname) else []) + + ([{ + 'name': matrix_mautrix_gmessages_database_name, + 'username': matrix_mautrix_gmessages_database_username, + 'password': matrix_mautrix_gmessages_database_password, + }] if (matrix_mautrix_gmessages_enabled and matrix_mautrix_gmessages_database_engine == 'postgres' and matrix_mautrix_gmessages_database_hostname == devture_postgres_connection_hostname) else []) + + ([{ 'name': matrix_mautrix_whatsapp_database_name, 'username': matrix_mautrix_whatsapp_database_username, @@ -3050,6 +3224,12 @@ devture_postgres_managed_databases_auto: | 'username': prometheus_postgres_exporter_database_username, 'password': prometheus_postgres_exporter_database_password, }] if (prometheus_postgres_exporter_enabled and prometheus_postgres_exporter_database_hostname == devture_postgres_connection_hostname) else []) + + + ([{ + 'name': matrix_media_repo_database_name, + 'username': matrix_media_repo_database_username, + 'password': matrix_media_repo_database_password, + }] if (matrix_media_repo_enabled and matrix_media_repo_database_hostname == devture_postgres_connection_hostname) else []) }} @@ -3092,6 +3272,7 @@ devture_postgres_backup_connection_username: "{{ devture_postgres_connection_use devture_postgres_backup_connection_password: "{{ devture_postgres_connection_password if devture_postgres_enabled else '' }}" devture_postgres_backup_postgres_data_path: "{{ devture_postgres_data_path if devture_postgres_enabled else '' }}" +devture_postgres_backup_postgres_role_include_name: galaxy/postgres devture_postgres_backup_databases: "{{ devture_postgres_managed_databases | map(attribute='name') if devture_postgres_enabled else [] }}" 
@@ -3241,7 +3422,7 @@ matrix_client_element_enable_presence_by_hs_url: | matrix_client_element_welcome_user_id: ~ -matrix_client_element_jitsi_preferredDomain: "{{ matrix_server_fqn_jitsi if jitsi_enabled else '' }}" +matrix_client_element_jitsi_preferred_domain: "{{ matrix_server_fqn_jitsi if jitsi_enabled else '' }}" ###################################################################### # 
@@ -3317,6 +3498,60 @@ matrix_client_cinny_self_check_validate_certificates: "{{ false if matrix_playbo # ###################################################################### +###################################################################### +# +# matrix-client-schildichat +# +###################################################################### + +matrix_client_schildichat_enabled: false + +matrix_client_schildichat_container_image_self_build: "{{ matrix_architecture not in ['arm64', 'amd64'] }}" + +# Normally, matrix-nginx-proxy is enabled and nginx can reach schildichat over the container network. +# If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose +# the schildichat HTTP port to the local host. +matrix_client_schildichat_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '8765') if matrix_playbook_service_host_bind_interface_prefix else '' }}" + +matrix_client_schildichat_container_network: "{{ matrix_nginx_proxy_container_network if matrix_playbook_reverse_proxy_type == 'playbook-managed-nginx' else 'matrix-client-schildichat' }}" + +matrix_client_schildichat_container_additional_networks: "{{ [matrix_playbook_reverse_proxyable_services_additional_network] if matrix_playbook_reverse_proxyable_services_additional_network else [] }}" + +matrix_client_schildichat_container_labels_traefik_enabled: "{{ matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] }}" +matrix_client_schildichat_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}" +matrix_client_schildichat_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}" +matrix_client_schildichat_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}" + +matrix_client_schildichat_default_hs_url: "{{ matrix_homeserver_url }}" +matrix_client_schildichat_default_is_url: "{{ 
matrix_identity_server_url }}" + +# Use Dimension if enabled, otherwise fall back to Scalar +matrix_client_schildichat_integrations_ui_url: "{{ matrix_dimension_integrations_ui_url if matrix_dimension_enabled else 'https://scalar.vector.im/' }}" +matrix_client_schildichat_integrations_rest_url: "{{ matrix_dimension_integrations_rest_url if matrix_dimension_enabled else 'https://scalar.vector.im/api' }}" +matrix_client_schildichat_integrations_widgets_urls: "{{ matrix_dimension_integrations_widgets_urls if matrix_dimension_enabled else ['https://scalar.vector.im/api'] }}" +matrix_client_schildichat_integrations_jitsi_widget_url: "{{ matrix_dimension_integrations_jitsi_widget_url if matrix_dimension_enabled else 'https://scalar.vector.im/api/widgets/jitsi.html' }}" + +matrix_client_schildichat_self_check_validate_certificates: "{{ false if matrix_playbook_ssl_retrieval_method == 'self-signed' else true }}" + +matrix_client_schildichat_registration_enabled: "{{ matrix_synapse_enable_registration }}" + +matrix_client_schildichat_enable_presence_by_hs_url: | + {{ + none + if matrix_synapse_presence_enabled + else {matrix_client_schildichat_default_hs_url: false} + }} + +matrix_client_schildichat_welcome_user_id: ~ + +matrix_client_schildichat_jitsi_preferred_domain: "{{ matrix_server_fqn_jitsi if jitsi_enabled else '' }}" + +###################################################################### +# +# /matrix-client-schildichat +# +###################################################################### + ###################################################################### # # matrix-synapse 
@@ -3424,6 +3659,9 @@ matrix_synapse_redis_password: "{{ redis_connection_password if redis_enabled el matrix_synapse_container_extra_arguments_auto: "{{ matrix_homeserver_container_extra_arguments_auto }}" matrix_synapse_app_service_config_files_auto: "{{ matrix_homeserver_app_service_config_files_auto }}" +# Disable creation of media repository Synapse worker when using media-repo +matrix_synapse_ext_media_repo_enabled: "{{ matrix_media_repo_enabled }}" + ###################################################################### # # /matrix-synapse @@ -3653,6 +3891,8 @@ prometheus_container_additional_networks: | ([matrix_hookshot_container_network] if matrix_prometheus_services_connect_scraper_hookshot_enabled and matrix_hookshot_container_network != prometheus_container_network else []) + ([matrix_prometheus_nginxlog_exporter_container_network] if matrix_prometheus_services_connect_scraper_nginxlog_enabled and matrix_prometheus_nginxlog_exporter_container_network != prometheus_container_network else []) + + + ([matrix_media_repo_container_network] if matrix_prometheus_services_connect_scraper_media_repo_enabled and matrix_media_repo_container_network != prometheus_container_network else []) ) | unique }} @@ -3678,6 +3918,8 @@ prometheus_config_scrape_configs_auto: | (matrix_prometheus_services_connect_scraper_hookshot_scrape_configs if matrix_prometheus_services_connect_scraper_hookshot_enabled else []) + (matrix_prometheus_services_connect_scraper_nginxlog_scrape_configs if matrix_prometheus_services_connect_scraper_nginxlog_enabled else []) + + + (matrix_prometheus_services_connect_scraper_media_repo_scrape_configs if matrix_prometheus_services_connect_scraper_media_repo_enabled else []) }} ###################################################################### 
@@ -3713,6 +3955,9 @@ matrix_prometheus_services_connect_scraper_hookshot_static_configs_target: "{{ m matrix_prometheus_services_connect_scraper_nginxlog_enabled: "{{ matrix_prometheus_nginxlog_exporter_enabled }}" matrix_prometheus_services_connect_scraper_nginxlog_static_configs_target: "{{ matrix_prometheus_nginxlog_exporter_container_hostname }}:{{ matrix_prometheus_nginxlog_exporter_container_metrics_port | string }}" +matrix_prometheus_services_connect_scraper_media_repo_enabled: "{{ matrix_media_repo_enabled and matrix_media_repo_metrics_enabled }}" +matrix_prometheus_services_connect_scraper_media_repo_static_configs_target: "{{ matrix_media_repo_identifier }}:{{ matrix_media_repo_metrics_port }}" + ###################################################################### # # /matrix-prometheus-services-connect @@ -3777,6 +4022,8 @@ grafana_dashboard_download_urls: | (prometheus_postgres_exporter_dashboard_urls if prometheus_postgres_exporter_enabled else []) + (matrix_prometheus_nginxlog_exporter_dashboard_urls if matrix_prometheus_nginxlog_exporter_enabled else []) + + + (matrix_media_repo_dashboard_urls if matrix_media_repo_metrics_enabled else []) }} grafana_provisioning_dashboard_template_files: | @@ -3785,6 +4032,11 @@ grafana_provisioning_dashboard_template_files: | 'path': 'roles/custom/matrix-prometheus-nginxlog-exporter/templates/grafana/nginx-proxy.json', 'name': 'nginx-proxy.json', }] if matrix_prometheus_nginxlog_exporter_enabled else []) + + + ([{ + 'path': 'roles/custom/matrix-media-repo/templates/grafana/media-repo.json', + 'name': 'media-repo.json', + }] if matrix_media_repo_metrics_enabled else []) }} grafana_default_home_dashboard_path: |- @@ -3803,7 +4055,6 @@ grafana_default_home_dashboard_path: |- ###################################################################### - ###################################################################### # # matrix-registration 
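Review bot: In the `grafana_dashboard_download_urls` and `grafana_provisioning_dashboard_template_files` hunks the media-repo entries are gated on `matrix_media_repo_metrics_enabled` alone, whereas the scraper target in the `@@ -3713` hunk is gated on `matrix_media_repo_enabled and matrix_media_repo_metrics_enabled`. If the role's default for `matrix_media_repo_metrics_enabled` is true (not visible here), a host that never enables media-repo still downloads and provisions the media-repo dashboard. Use the same condition in both Grafana entries, `(matrix_media_repo_dashboard_urls if (matrix_media_repo_enabled and matrix_media_repo_metrics_enabled) else [])`, so the dashboard and the scrape target cannot diverge.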
@@ -3853,7 +4104,6 @@ matrix_registration_database_password: "{{ '%s' | format(matrix_homeserver_gener ###################################################################### - ###################################################################### # # matrix-sliding-sync @@ -3869,7 +4119,7 @@ matrix_sliding_sync_hostname: "{{ matrix_server_fqn_matrix }}" matrix_sliding_sync_path_prefix: /sliding-sync -matrix_sliding_sync_container_image_self_build: "{{ matrix_architecture not in ['amd64'] }}" +matrix_sliding_sync_container_image_self_build: "{{ matrix_architecture not in ['amd64', 'arm64'] }}" matrix_sliding_sync_container_additional_networks: | {{ @@ -3903,6 +4153,9 @@ matrix_sliding_sync_environment_variable_syncv3_secret: "{{ '%s' | format(matrix matrix_sliding_sync_database_hostname: "{{ devture_postgres_connection_hostname if devture_postgres_enabled else '' }}" matrix_sliding_sync_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'ss.db', rounds=655555) | to_uuid }}" +# Starting from version `0.6.0` conduit natively supports some sync v3 (sliding-sync) features. +matrix_homeserver_sliding_sync_url: "{{ matrix_sliding_sync_base_url if matrix_sliding_sync_enabled else matrix_homeserver_url if matrix_conduit_enabled else '' }}" + ###################################################################### # # /matrix-sliding-sync @@ -3992,7 +4245,6 @@ matrix_conduit_systemd_required_services_list: | (['docker.service']) }} - ###################################################################### # # /matrix-conduit 
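Review bot: `matrix_homeserver_sliding_sync_url` in the `@@ -3903` hunk advertises `matrix_homeserver_url` as the MSC3575 proxy for every Conduit installation, yet the comment above it ties that support to Conduit `0.6.0` and the expression does not check which Conduit version is deployed; an inventory pinned to an older Conduit would publish a sliding-sync endpoint in `.well-known` that does not work. If the Conduit version is pinned elsewhere (not visible here), gate on it; otherwise extend the comment, e.g. `# The playbook assumes Conduit >= 0.6.0; set matrix_homeserver_sliding_sync_url to '' when running an older release.`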
@@ -4008,6 +4260,12 @@ matrix_conduit_systemd_required_services_list: | matrix_user_creator_users_auto: | {{ + ([{ + 'username': matrix_bot_matrix_registration_bot_matrix_user_id_localpart, + 'initial_password': matrix_bot_matrix_registration_bot_bot_password, + 'initial_type': 'admin', + }] if matrix_bot_matrix_registration_bot_enabled else []) + + ([{ 'username': matrix_bot_matrix_reminder_bot_matrix_user_id_localpart, 'initial_password': matrix_bot_matrix_reminder_bot_matrix_user_password, @@ -4046,18 +4304,22 @@ matrix_user_creator_users_auto: | # ###################################################################### -## FIXME: Needs to be updated when there is a proper release by upstream. -matrix_user_verification_service_docker_image: "{{ matrix_user_verification_service_docker_image_name_prefix }}matrixdotorg/matrix-user-verification-service@sha256:d2aabc984dd69d258c91900c36928972d7aaef19d776caa3cd6a0fbc0e307270" - matrix_user_verification_service_enabled: false matrix_user_verification_service_systemd_required_services_list: | - {{ - ['docker.service'] - + - (['matrix-synapse.service'] if matrix_synapse_enabled else []) - + - ([devture_postgres_identifier ~ '.service'] if devture_postgres_enabled else []) - }} + {{ + ['docker.service'] + + + (['matrix-' + matrix_homeserver_implementation + '.service']) + }} + +matrix_user_verification_service_container_additional_networks: | + {{ + ( + ([matrix_playbook_reverse_proxyable_services_additional_network] if matrix_playbook_reverse_proxyable_services_additional_network else []) + + + ([matrix_homeserver_container_network] if matrix_homeserver_container_network != matrix_user_verification_service_container_network else []) + ) | unique + }} # If Jitsi is managed by this playbook we can use the docker network - no need to expose a port. # If Jitsi is not managed by this playbook, or you otherwise have a need for it, you can expose diff --git a/requirements.yml b/requirements.yml index da29a379..e4c8e062 100644 
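Review bot: The new `matrix_user_creator_users_auto` entry creates the registration bot account with `'initial_type': 'admin'`, which is a full homeserver admin whose credential is the plain `matrix_bot_matrix_registration_bot_bot_password`; that is presumably deliberate (the bot creates registration tokens), but the entry carries no comment and the other bot entries in the list do not use `admin`. Add a one-line comment above it, e.g. `# The registration bot needs the Synapse admin API to manage registration tokens, so its account is created as a server admin.` It would also help to state that a compromise of the bot's config therefore equals a compromise of an admin account.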
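Review bot: The `@@ -4046` hunk drops the `matrix_user_verification_service_docker_image` override that pinned the image to an immutable `@sha256:` digest, so the reference now comes from the role default, which this diff does not show; if that default is a mutable tag, the deployment silently moves from digest pinning to a reference that can change underneath it. The removed line carried a FIXME about an upstream release, so a comment in this section should record what replaced it, e.g. `# The image is now pinned in the matrix-user-verification-service role defaults; override matrix_user_verification_service_docker_image here to pin a digest.` The dependency rewrite to `'matrix-' + matrix_homeserver_implementation + '.service'` also drops the Postgres unit from `Requires=`, which looks intentional but is worth a word in the changelog.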
--- a/requirements.yml +++ b/requirements.yml 
@@ -1,53 +1,71 @@ --- - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-aux.git - version: v1.0.0-1 + version: v1.0.0-3 name: auxiliary - src: git+https://gitlab.com/etke.cc/roles/backup_borg.git - version: v1.2.4-1.7.15-0 + version: v1.2.7-1.8.5-0 + name: backup_borg - src: git+https://github.com/devture/com.devture.ansible.role.container_socket_proxy.git version: v0.1.1-2 + name: container_socket_proxy +- src: git+https://github.com/geerlingguy/ansible-role-docker + version: 7.0.2 + name: docker - src: git+https://github.com/devture/com.devture.ansible.role.docker_sdk_for_python.git version: 129c8590e106b83e6f4c259649a613c6279e937a + name: docker_sdk_for_python +- src: git+https://gitlab.com/etke.cc/roles/etherpad.git + version: v1.9.3-0 + name: etherpad +- src: git+https://gitlab.com/etke.cc/roles/grafana.git + version: v10.2.2-0 + name: grafana +- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-jitsi.git + version: v9111-0 + name: jitsi +- src: git+https://gitlab.com/etke.cc/roles/ntfy.git + version: v2.8.0-0 + name: ntfy - src: git+https://github.com/devture/com.devture.ansible.role.playbook_help.git version: c1f40e82b4d6b072b6f0e885239322bdaaaf554f + name: playbook_help - src: git+https://github.com/devture/com.devture.ansible.role.playbook_runtime_messages.git version: 9b4b088c62b528b73a9a7c93d3109b091dd42ec6 + name: playbook_runtime_messages - src: git+https://github.com/devture/com.devture.ansible.role.playbook_state_preserver.git version: ff2fd42e1c1a9e28e3312bbd725395f9c2fc7f16 + name: playbook_state_preserver - src: git+https://github.com/devture/com.devture.ansible.role.postgres.git - version: v15.3-0 + version: v16.1-0 + name: postgres - src: git+https://github.com/devture/com.devture.ansible.role.postgres_backup.git - version: 8e9ec48a09284c84704d7a2dce17da35f181574d + version: 5dd334c0b7f0a2795023ec9ece747c3ea3da06f2 + name: postgres_backup +- src: 
git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus.git + version: v2.48.0-0 + name: prometheus +- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus-node-exporter.git + version: v1.7.0-0 + name: prometheus_node_exporter +- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus-postgres-exporter.git + version: v0.14.0-0 + name: prometheus_postgres_exporter +- src: git+https://gitlab.com/etke.cc/roles/redis.git + version: v7.2.0-0 + name: redis - src: git+https://github.com/devture/com.devture.ansible.role.systemd_docker_base.git version: v1.0.0-0 + name: systemd_docker_base - src: git+https://github.com/devture/com.devture.ansible.role.systemd_service_manager.git - version: v1.0.0-1 + version: v1.0.0-3 + name: systemd_service_manager - src: git+https://github.com/devture/com.devture.ansible.role.timesync.git version: v1.0.0-0 + name: timesync - src: git+https://github.com/devture/com.devture.ansible.role.traefik.git - version: v2.10.3-0 + version: v2.10.6-0 + name: traefik - src: git+https://github.com/devture/com.devture.ansible.role.traefik_certs_dumper.git version: v2.8.1-0 -- src: git+https://gitlab.com/etke.cc/roles/etherpad.git - version: v1.9.0-0 -- src: git+https://github.com/geerlingguy/ansible-role-docker - version: 6.1.0 - name: geerlingguy.docker -- src: git+https://gitlab.com/etke.cc/roles/grafana.git - version: v10.0.1-1 -- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-jitsi.git - version: v8615-0 - name: jitsi -- src: git+https://gitlab.com/etke.cc/roles/ntfy.git - version: v2.6.2-0 -- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus.git - version: v2.45.0-0 - name: prometheus -- src: git+https://gitlab.com/etke.cc/roles/prometheus_node_exporter.git - version: v1.6.0-0 -- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus-postgres-exporter.git - version: v0.13.1-0 - name: 
prometheus_postgres_exporter -- src: git+https://gitlab.com/etke.cc/roles/redis.git - version: v7.0.10-0 + name: traefik_certs_dumper diff --git a/roles/custom/matrix-base/defaults/main.yml b/roles/custom/matrix-base/defaults/main.yml index 35974bba..6ea4e230 100644 --- a/roles/custom/matrix-base/defaults/main.yml +++ b/roles/custom/matrix-base/defaults/main.yml @@ -16,6 +16,9 @@ matrix_admin: '' # Global var to enable/disable encryption across all bridges with encryption support matrix_bridges_encryption_enabled: false +# Global var to enable/disable relay mode across all bridges with relay mode support +matrix_bridges_relay_enabled: false + # matrix_homeserver_enabled controls whether to enable the homeserver systemd service, etc. # # Unless you're wrapping this playbook in another one @@ -69,6 +72,9 @@ matrix_server_fqn_hydrogen: "hydrogen.{{ matrix_domain }}" # This is where you access the Cinny web client from (if enabled via matrix_client_cinny_enabled; disabled by default). matrix_server_fqn_cinny: "cinny.{{ matrix_domain }}" +# This is where you access the schildichat web client from (if enabled via matrix_client_schildichat_enabled; disabled by default). +matrix_server_fqn_schildichat: "schildichat.{{ matrix_domain }}" + # This is where you access the buscarron bot from (if enabled via matrix_bot_buscarron_enabled; disabled by default). matrix_server_fqn_buscarron: "buscarron.{{ matrix_domain }}" @@ -90,6 +96,9 @@ matrix_server_fqn_grafana: "stats.{{ matrix_domain }}" # This is where you access the Sygnal push gateway. matrix_server_fqn_sygnal: "sygnal.{{ matrix_domain }}" +# This is where you access the mautrix wsproxy push gateway. +matrix_server_fqn_mautrix_wsproxy: "wsproxy.{{ matrix_domain }}" + # This is where you access the ntfy push notification service. matrix_server_fqn_ntfy: "ntfy.{{ matrix_domain }}" 
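Review bot: Most entries in requirements.yml are pinned to git tags (`v1.0.0-3`, `7.0.2`, `v16.1-0`, `v2.48.0-0`, …) while `docker_sdk_for_python`, `playbook_help`, `playbook_runtime_messages`, `playbook_state_preserver` and `postgres_backup` are pinned to full commit SHAs; tags on GitHub and GitLab are mutable, so whoever can push to those role repositories can change what `ansible-galaxy install` fetches and what the playbook then executes with elevated privileges on every managed host. Pinning every `version:` to a commit hash, as the five SHA entries already do, would make the role set reproducible and tamper-evident. The `prometheus_node_exporter` source also moves from `gitlab.com/etke.cc/roles` to `github.com/mother-of-all-self-hosting`, which deserves a note in the commit or changelog that the new origin was verified.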
@@ -147,6 +156,12 @@ matrix_homeserver_container_url: "" # This likely gets overriden elsewhere. matrix_homeserver_container_federation_url: "" +# Specifies the public url of the Sync v3 (sliding-sync) API. +# This will be used to set the `org.matrix.msc3575.proxy` property in `/.well-known/matrix/client`. +# Once the API is stabilized, this will no longer be required. +# See MSC3575: https://github.com/matrix-org/matrix-spec-proposals/blob/kegan/sync-v3/proposals/3575-sync.md +matrix_homeserver_sliding_sync_url: "" + matrix_identity_server_url: ~ matrix_integration_manager_rest_url: ~ @@ -155,7 +170,7 @@ matrix_integration_manager_ui_url: ~ # The domain name where a Jitsi server is self-hosted. # If set, `/.well-known/matrix/client` will suggest Element clients to use that Jitsi server. # See: https://github.com/vector-im/element-web/blob/develop/docs/jitsi.md#configuring-element-to-use-your-self-hosted-jitsi-server -matrix_client_element_jitsi_preferredDomain: '' # noqa var-naming +matrix_client_element_jitsi_preferred_domain: '' # noqa var-naming # Controls whether Element should use End-to-End Encryption by default. # Setting this to false will update `/.well-known/matrix/client` and tell Element clients to avoid E2EE. diff --git a/roles/custom/matrix-base/templates/static-files/well-known/matrix-client.j2 b/roles/custom/matrix-base/templates/static-files/well-known/matrix-client.j2 index 45c3ea2a..96c301a8 100644 --- a/roles/custom/matrix-base/templates/static-files/well-known/matrix-client.j2 +++ b/roles/custom/matrix-base/templates/static-files/well-known/matrix-client.j2 
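Review bot: The rename `matrix_client_element_jitsi_preferredDomain` → `matrix_client_element_jitsi_preferred_domain` in the `@@ -155` hunk silently drops the Jitsi `preferredDomain` from `.well-known/matrix/client` for any inventory that still sets the old name, because nothing in this diff fails on the old variable. Unless a validate_config task outside this view already covers it, add the playbook's usual guard: `- name: Fail if deprecated matrix_client_element_jitsi_preferredDomain is set` / `ansible.builtin.fail: msg: "Use matrix_client_element_jitsi_preferred_domain"` / `when: "'matrix_client_element_jitsi_preferredDomain' in vars"`. The trailing `# noqa var-naming` now looks stale for a snake_case name, though it may still be needed for the role-prefix rule.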
@@ -18,17 +18,17 @@ ] } {% endif %} - {% if matrix_client_element_jitsi_preferredDomain %}, + {% if matrix_client_element_jitsi_preferred_domain %}, "io.element.jitsi": { - "preferredDomain": {{ matrix_client_element_jitsi_preferredDomain|to_json }} + "preferredDomain": {{ matrix_client_element_jitsi_preferred_domain|to_json }} }, "im.vector.riot.jitsi": { - "preferredDomain": {{ matrix_client_element_jitsi_preferredDomain|to_json }} + "preferredDomain": {{ matrix_client_element_jitsi_preferred_domain|to_json }} } {% endif %} - {% if matrix_sliding_sync_enabled %}, + {% if matrix_homeserver_sliding_sync_url %}, "org.matrix.msc3575.proxy": { - "url": "{{ matrix_sliding_sync_base_url }}" + "url": "{{ matrix_homeserver_sliding_sync_url }}" } {% endif %} {% if matrix_client_element_location_sharing_enabled %}, diff --git a/roles/custom/matrix-base/templates/static-files/well-known/matrix-support.j2 b/roles/custom/matrix-base/templates/static-files/well-known/matrix-support.j2 index 97e76012..fab05fba 100644 --- a/roles/custom/matrix-base/templates/static-files/well-known/matrix-support.j2 +++ b/roles/custom/matrix-base/templates/static-files/well-known/matrix-support.j2 @@ -1,6 +1,6 @@ #jinja2: lstrip_blocks: "True" { - "admins": {{ matrix_homeserver_admin_contacts|to_json }} + "contacts": {{ matrix_homeserver_admin_contacts|to_json }} {% if matrix_homeserver_support_url %}, "support_page": {{ matrix_homeserver_support_url|to_json }} {% endif %} diff --git a/roles/custom/matrix-bot-buscarron/defaults/main.yml b/roles/custom/matrix-bot-buscarron/defaults/main.yml index 7a31514b..d4844a8e 100644 --- a/roles/custom/matrix-bot-buscarron/defaults/main.yml +++ b/roles/custom/matrix-bot-buscarron/defaults/main.yml @@ -5,6 +5,7 @@ matrix_bot_buscarron_enabled: true +# renovate: datasource=docker depName=registry.gitlab.com/etke.cc/buscarron matrix_bot_buscarron_version: v1.3.1 # The hostname at which Buscarron is served. 
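Review bot: `"url": "{{ matrix_homeserver_sliding_sync_url }}"` in the `@@ -18,17` hunk interpolates the value into JSON by hand, while every other value in this template (`preferredDomain` twice in the same hunk) goes through `|to_json`; a URL containing a quote or backslash would render an invalid `.well-known/matrix/client` document that every client then rejects. Use the same filter: `"url": {{ matrix_homeserver_sliding_sync_url|to_json }}`. The condition switch from `matrix_sliding_sync_enabled` to the non-empty URL is fine and matches the new group_vars derivation.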
@@ -40,14 +41,13 @@ matrix_bot_buscarron_container_network: matrix-bot-buscarron # Use this to expose this container to another reverse proxy, which runs in a different container network. matrix_bot_buscarron_container_additional_networks: [] -# enable basic auth for metrics -matrix_bot_buscarron_basicauth_enabled: false -# temporary file name on the host that runs ansible -matrix_bot_buscarron_basicauth_file: "/tmp/matrix_bot_buscarron_htpasswd" -# username -matrix_bot_buscarron_basicauth_user: '' -# password -matrix_bot_buscarron_basicauth_password: '' +# /metrics login +matrix_bot_buscarron_metrics_login: '' +# /metrics password +matrix_bot_buscarron_metrics_password: '' +# /metrics allowed ips +matrix_bot_buscarron_metrics_ips: [] + # matrix_bot_buscarron_container_labels_traefik_enabled controls whether labels to assist a Traefik reverse-proxy will be attached to the container. # See `../templates/labels.j2` for details. @@ -108,8 +108,9 @@ matrix_bot_buscarron_database_password: 'some-password' matrix_bot_buscarron_database_hostname: '' matrix_bot_buscarron_database_port: 5432 matrix_bot_buscarron_database_name: 'buscarron' +matrix_bot_buscarron_database_sslmode: disable -matrix_bot_buscarron_database_connection_string: 'postgres://{{ matrix_bot_buscarron_database_username }}:{{ matrix_bot_buscarron_database_password }}@{{ matrix_bot_buscarron_database_hostname }}:{{ matrix_bot_buscarron_database_port }}/{{ matrix_bot_buscarron_database_name }}?sslmode=disable' +matrix_bot_buscarron_database_connection_string: 'postgres://{{ matrix_bot_buscarron_database_username }}:{{ matrix_bot_buscarron_database_password }}@{{ matrix_bot_buscarron_database_hostname }}:{{ matrix_bot_buscarron_database_port }}/{{ matrix_bot_buscarron_database_name }}?sslmode={{ matrix_bot_buscarron_database_sslmode }}' matrix_bot_buscarron_storage_database: "{{ { 
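Review bot: The `@@ -40,14` hunk replaces the Traefik basic-auth router for `/metrics` with `matrix_bot_buscarron_metrics_login`, `_password` and `_ips`, all empty by default, and the comments do not say what buscarron does with empty values; whether `/metrics` is then publicly readable on the main router (the labels still publish port 8080 unconditionally) or disabled is application behaviour this diff does not show. Extend the comments, e.g. `# /metrics login and password (empty = <document buscarron's behaviour here>); the password is written in clear text to the env file` and `# /metrics allowed ips (empty = no IP restriction)`. If `/metrics` stays reachable with empty values, derive a default password from `matrix_homeserver_generic_secret_key` as the playbook does for other secrets, or default `matrix_bot_buscarron_metrics_ips` to the Prometheus container network.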
diff --git a/roles/custom/matrix-bot-buscarron/tasks/setup_install.yml b/roles/custom/matrix-bot-buscarron/tasks/setup_install.yml index 0559efec..1c2c62e1 100644 --- a/roles/custom/matrix-bot-buscarron/tasks/setup_install.yml +++ b/roles/custom/matrix-bot-buscarron/tasks/setup_install.yml @@ -40,21 +40,6 @@ - {path: "{{ matrix_bot_buscarron_docker_src_files_path }}", when: true} when: "item.when | bool" -- name: Determine basicauth filename - ansible.builtin.set_fact: - matrix_bot_buscarron_basicauth_file_tmp: "{{ matrix_bot_buscarron_basicauth_file }}_{{ inventory_hostname }}" - when: matrix_bot_buscarron_basicauth_enabled | bool - -- name: Generate basic auth file - community.general.htpasswd: - path: "{{ matrix_bot_buscarron_basicauth_file }}" - name: "{{ matrix_bot_buscarron_basicauth_user }}" - password: "{{ matrix_bot_buscarron_basicauth_password }}" - mode: 0640 - become: false - delegate_to: 127.0.0.1 - when: matrix_bot_buscarron_basicauth_enabled | bool - - name: Ensure buscarron support files installed ansible.builtin.template: src: "{{ role_path }}/templates/{{ item }}.j2" @@ -66,14 +51,6 @@ - env - labels -- name: Ensure temporary basic auth file is removed - ansible.builtin.file: - path: "{{ matrix_bot_buscarron_basicauth_file }}" - state: absent - become: false - delegate_to: 127.0.0.1 - when: matrix_bot_buscarron_basicauth_enabled | bool - - name: Ensure buscarron image is pulled community.docker.docker_image: name: "{{ matrix_bot_buscarron_docker_image }}" diff --git a/roles/custom/matrix-bot-buscarron/templates/env.j2 b/roles/custom/matrix-bot-buscarron/templates/env.j2 index 80ddd38c..1f71802a 100644 --- a/roles/custom/matrix-bot-buscarron/templates/env.j2 +++ b/roles/custom/matrix-bot-buscarron/templates/env.j2 
@@ -17,6 +17,9 @@ BUSCARRON_PM_REPLYTO={{ matrix_bot_buscarron_pm_replyto }} BUSCARRON_SMTP_FROM={{ matrix_bot_buscarron_smtp_from }} BUSCARRON_SMTP_VALIDATION={{ matrix_bot_buscarron_smtp_validation }} BUSCARRON_NOENCRYPTION={{ matrix_bot_buscarron_noencryption }} +BUSCARRON_METRICS_LOGIN={{ matrix_bot_buscarron_metrics_login }} +BUSCARRON_METRICS_PASSWORD={{ matrix_bot_buscarron_metrics_password }} +BUSCARRON_METRICS_IPS={{ matrix_bot_buscarron_metrics_ips|default([])|join(" ") }} {% set forms = [] %} {% for form in matrix_bot_buscarron_forms -%}{{- forms.append(form.name) -}} BUSCARRON_{{ form.name|upper }}_ROOM={{ form.room|default('') }} diff --git a/roles/custom/matrix-bot-buscarron/templates/labels.j2 b/roles/custom/matrix-bot-buscarron/templates/labels.j2 index 6a1ead33..9150a44b 100644 --- a/roles/custom/matrix-bot-buscarron/templates/labels.j2 +++ b/roles/custom/matrix-bot-buscarron/templates/labels.j2 @@ -19,11 +19,6 @@ traefik.http.middlewares.matrix-bot-buscarron-strip-prefix.stripprefix.prefixes= {% set middlewares = middlewares + ['matrix-bot-buscarron-strip-prefix'] %} {% endif %} -{% if matrix_bot_buscarron_basicauth_enabled %} -traefik.http.middlewares.matrix-bot-buscarron-auth.basicauth.users={{ lookup('ansible.builtin.file', matrix_bot_buscarron_basicauth_file) }} -{% set middlewares_metrics = middlewares + ['matrix-bot-buscarron-auth'] %} -{% endif %} - {% if matrix_bot_buscarron_container_labels_traefik_additional_response_headers.keys() | length > 0 %} {% for name, value in matrix_bot_buscarron_container_labels_traefik_additional_response_headers.items() %} traefik.http.middlewares.matrix-bot-buscarron-add-headers.headers.customresponseheaders.{{ name }}={{ value }} 
@@ -46,21 +41,6 @@ traefik.http.routers.matrix-bot-buscarron.tls.certResolver={{ matrix_bot_buscarr {% endif %} traefik.http.services.matrix-bot-buscarron.loadbalancer.server.port=8080 -{% if middlewares_metrics | length > 0 %} -traefik.http.routers.matrix-bot-buscarron-metrics.rule={{ matrix_bot_buscarron_container_labels_traefik_metrics_rule }} -{% if matrix_bot_buscarron_container_labels_traefik_priority | int > 0 %} -traefik.http.routers.matrix-bot-buscarron-metrics.priority={{ matrix_bot_buscarron_container_labels_traefik_priority }} -{% endif %} -traefik.http.routers.matrix-bot-buscarron-metrics.service=matrix-bot-buscarron -traefik.http.routers.matrix-bot-buscarron-metrics.middlewares={{ middlewares_metrics | join(',') }} -traefik.http.routers.matrix-bot-buscarron-metrics.entrypoints={{ matrix_bot_buscarron_container_labels_traefik_entrypoints }} -traefik.http.routers.matrix-bot-buscarron-metrics.tls={{ matrix_bot_buscarron_container_labels_traefik_tls | to_json }} -{% if matrix_bot_buscarron_container_labels_traefik_tls %} -traefik.http.routers.matrix-bot-buscarron-metrics.tls.certResolver={{ matrix_bot_buscarron_container_labels_traefik_tls_certResolver }} -{% endif %} -traefik.http.services.matrix-bot-buscarron-metrics.loadbalancer.server.port=8080 -{% endif %} - {% endif %} {{ matrix_bot_buscarron_container_labels_additional_labels }} diff --git a/roles/custom/matrix-bot-chatgpt/defaults/main.yml b/roles/custom/matrix-bot-chatgpt/defaults/main.yml index 00eae167..4e8f709f 100644 --- a/roles/custom/matrix-bot-chatgpt/defaults/main.yml +++ b/roles/custom/matrix-bot-chatgpt/defaults/main.yml @@ -4,7 +4,8 @@ matrix_bot_chatgpt_enabled: true -matrix_bot_chatgpt_version: 3.1.2 +# renovate: datasource=docker depName=ghcr.io/matrixgpt/matrix-chatgpt-bot +matrix_bot_chatgpt_version: 3.1.4 matrix_bot_chatgpt_container_image_self_build: false matrix_bot_chatgpt_container_image_self_build_repo: "https://github.com/matrixgpt/matrix-chatgpt-bot" 
@@ -88,3 +89,5 @@ matrix_bot_chatgpt_matrix_rich_text: true # MATRIX_RICH_TEXT=true # matrix_bot_chatgpt_environment_variables_extension: | # chatgpt_TEXT_DONE=Done matrix_bot_chatgpt_environment_variables_extension: '' + +matrix_bot_chatgpt_matrix_bot_prompt_prefix: 'Instructions:\nYou are ChatGPT, a large language model trained by OpenAI.' diff --git a/roles/custom/matrix-bot-chatgpt/templates/env.j2 b/roles/custom/matrix-bot-chatgpt/templates/env.j2 index bc8c3866..d9ca2d50 100644 --- a/roles/custom/matrix-bot-chatgpt/templates/env.j2 +++ b/roles/custom/matrix-bot-chatgpt/templates/env.j2 @@ -25,6 +25,8 @@ MATRIX_ENCRYPTION={{ matrix_bot_chatgpt_matrix_encryption|lower }} MATRIX_THREADS={{ matrix_bot_chatgpt_matrix_threads|lower }} MATRIX_RICH_TEXT={{ matrix_bot_chatgpt_matrix_rich_text|lower }} +CHATGPT_PROMPT_PREFIX={{ matrix_bot_chatgpt_matrix_bot_prompt_prefix }} + DATA_PATH=/data/ {{ matrix_bot_chatgpt_environment_variables_extension }} diff --git a/roles/custom/matrix-bot-draupnir/defaults/main.yml b/roles/custom/matrix-bot-draupnir/defaults/main.yml index bd0e2def..f63c36f2 100644 --- a/roles/custom/matrix-bot-draupnir/defaults/main.yml +++ b/roles/custom/matrix-bot-draupnir/defaults/main.yml 
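Review bot: `matrix_bot_chatgpt_matrix_bot_prompt_prefix: 'Instructions:\nYou are ChatGPT, a large language model trained by OpenAI.'` is single-quoted, so YAML keeps `\n` as two literal characters, and `CHATGPT_PROMPT_PREFIX={{ ... }}` in env.j2 then writes that backslash-n into a single env line; whether the bot turns it back into a newline depends on its dotenv handling, which is not visible here. If a literal `\n` is what the bot expects, say so next to the default, `# literal \n is intended: the env file cannot carry a real newline`; if a real newline is meant, the env file cannot carry it and another mechanism is needed. The doubled `matrix_bot_` in the name reads like a typo for `matrix_bot_chatgpt_prompt_prefix`; renaming before release is cheaper than after.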
@@ -1,13 +1,14 @@ --- # A moderation tool for Matrix -# Project source code URL: https://github.com/Gnuxie/Draupnir +# Project source code URL: https://github.com/the-draupnir-project/Draupnir matrix_bot_draupnir_enabled: true -matrix_bot_draupnir_version: "v1.83.0" +# renovate: datasource=docker depName=gnuxie/draupnir +matrix_bot_draupnir_version: "v1.85.1" matrix_bot_draupnir_container_image_self_build: false -matrix_bot_draupnir_container_image_self_build_repo: "https://github.com/Gnuxie/Draupnir.git" +matrix_bot_draupnir_container_image_self_build_repo: "https://github.com/the-draupnir-project/Draupnir.git" matrix_bot_draupnir_docker_image: "{{ matrix_bot_draupnir_docker_image_name_prefix }}gnuxie/draupnir:{{ matrix_bot_draupnir_version }}" matrix_bot_draupnir_docker_image_name_prefix: "{{ 'localhost/' if matrix_bot_draupnir_container_image_self_build else matrix_container_global_registry_prefix }}" @@ -36,6 +37,16 @@ matrix_bot_draupnir_access_token: "" # Note: draupnir is fairly verbose - expect a lot of messages from it. matrix_bot_draupnir_management_room: "" +# Disable Server ACL is used if you want to not give the bot the right to apply Server ACLs in rooms without complaints from the bot. +# This setting is described the following way in the Configuration. +# +# Whether or not Draupnir should apply `m.room.server_acl` events. +# DO NOT change this to `true` unless you are very confident that you know what you are doing. +# +# Please follow the advice of upstream and only change this value if you know what your doing. +# Its Exposed here because its common enough to be valid to expose. +matrix_bot_draupnir_disable_server_acl: "false" + # Default configuration template which covers the generic use case. # You can customize it by controlling the various variables inside it. # diff --git a/roles/custom/matrix-bot-draupnir/templates/production.yaml.j2 b/roles/custom/matrix-bot-draupnir/templates/production.yaml.j2 index 95acbd35..36488a11 100644 
--- a/roles/custom/matrix-bot-draupnir/templates/production.yaml.j2 +++ b/roles/custom/matrix-bot-draupnir/templates/production.yaml.j2 @@ -51,9 +51,11 @@ recordIgnoredInvites: false # (see verboseLogging to adjust this a bit.) managementRoom: "{{ matrix_bot_draupnir_management_room }}" +# Deprecated and will be removed in a future version. +# Running with verboseLogging is unsupported. # Whether Draupnir should log a lot more messages in the room, -# mainly involves "all-OK" messages, and debugging messages for when Draupnir checks bans in a room. -verboseLogging: false +# mainly involves "all-OK" messages, and debugging messages for when draupnir checks bans in a room. +#verboseLogging: false # The log level of terminal (or container) output, # can be one of DEBUG, INFO, WARN and ERROR, in increasing order of importance and severity. @@ -73,6 +75,10 @@ verifyPermissionsOnStartup: true # turn on to trial some untrusted configuration or lists. noop: false +# Whether or not Draupnir should apply `m.room.server_acl` events. +# DO NOT change this to `true` unless you are very confident that you know what you are doing. +disableServerACL: "{{ matrix_bot_draupnir_disable_server_acl }}" + # Whether Draupnir should check member lists quicker (by using a different endpoint), # keep in mind that enabling this will miss invited (but not joined) users. # diff --git a/roles/custom/matrix-bot-draupnir/templates/systemd/matrix-bot-draupnir.service.j2 b/roles/custom/matrix-bot-draupnir/templates/systemd/matrix-bot-draupnir.service.j2 index 6995bcc3..d36aebdd 100644 --- a/roles/custom/matrix-bot-draupnir/templates/systemd/matrix-bot-draupnir.service.j2 +++ b/roles/custom/matrix-bot-draupnir/templates/systemd/matrix-bot-draupnir.service.j2 
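Review bot: `disableServerACL: "{{ matrix_bot_draupnir_disable_server_acl }}"` renders a quoted YAML string (with the default from defaults/main.yml, the string `"false"`), not a boolean; unless Draupnir's config loader coerces strings, a truthiness check on `"false"` in JavaScript would disable Server ACL application, which is the opposite of the documented default for a setting the comment itself marks as dangerous. Make it a real boolean end to end: `matrix_bot_draupnir_disable_server_acl: false` in defaults and `disableServerACL: {{ matrix_bot_draupnir_disable_server_acl | to_json }}` in the template, matching how `noop: false` and `verifyPermissionsOnStartup: true` appear as bare booleans in this file. A `validate_config` assertion that the value is a boolean would catch inventories that set the old string form.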
@@ -1,7 +1,7 @@ #jinja2: lstrip_blocks: "True" [Unit] Description=Matrix Draupnir bot -{% for service in matrix_bot_draupnir_systemd_required_services_list %} +{% for service in matrix_bot_draupnir_systemd_wanted_services_list %} Requires={{ service }} After={{ service }} {% endfor %} diff --git a/roles/custom/matrix-bot-go-neb/defaults/main.yml b/roles/custom/matrix-bot-go-neb/defaults/main.yml index 39b97b08..aa32eb16 100644 --- a/roles/custom/matrix-bot-go-neb/defaults/main.yml +++ b/roles/custom/matrix-bot-go-neb/defaults/main.yml @@ -5,6 +5,7 @@ matrix_bot_go_neb_enabled: true +# renovate: datasource=docker depName=matrixdotorg/go-neb matrix_bot_go_neb_version: latest matrix_bot_go_neb_scheme: https diff --git a/roles/custom/matrix-bot-honoroit/defaults/main.yml b/roles/custom/matrix-bot-honoroit/defaults/main.yml index 90ffa0c6..794cf841 100644 --- a/roles/custom/matrix-bot-honoroit/defaults/main.yml +++ b/roles/custom/matrix-bot-honoroit/defaults/main.yml @@ -20,7 +20,8 @@ matrix_bot_honoroit_docker_repo: "https://gitlab.com/etke.cc/honoroit.git" matrix_bot_honoroit_docker_repo_version: "{{ matrix_bot_honoroit_version }}" matrix_bot_honoroit_docker_src_files_path: "{{ matrix_base_data_path }}/honoroit/docker-src" -matrix_bot_honoroit_version: v0.9.17 +# renovate: datasource=docker depName=registry.gitlab.com/etke.cc/honoroit +matrix_bot_honoroit_version: v0.9.19 matrix_bot_honoroit_docker_image: "{{ matrix_bot_honoroit_docker_image_name_prefix }}etke.cc/honoroit:{{ matrix_bot_honoroit_version }}" matrix_bot_honoroit_docker_image_name_prefix: "{{ 'localhost/' if matrix_bot_honoroit_container_image_self_build else 'registry.gitlab.com/' }}" matrix_bot_honoroit_docker_image_force_pull: "{{ matrix_bot_honoroit_docker_image.endswith(':latest') }}" 
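Review bot: The loop now iterates `matrix_bot_draupnir_systemd_wanted_services_list` but the body still emits `Requires={{ service }}` and `After={{ service }}`, so a list whose name promises "wanted" semantics is wired as hard dependencies (systemd stops the bot whenever any of them stops or fails). Either this is a plain rename and the variable should keep its `_required_` name, or the directive should become `Wants={{ service }}`; the two must agree. I cannot see where `matrix_bot_draupnir_systemd_wanted_services_list` is defined, so also confirm the role's defaults declare it — an undefined variable here fails the template on every deploy.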
@@ -105,8 +106,9 @@ matrix_bot_honoroit_database_password: 'some-password' matrix_bot_honoroit_database_hostname: '' matrix_bot_honoroit_database_port: 5432 matrix_bot_honoroit_database_name: 'honoroit' +matrix_bot_honoroit_database_sslmode: disable -matrix_bot_honoroit_database_connection_string: 'postgres://{{ matrix_bot_honoroit_database_username }}:{{ matrix_bot_honoroit_database_password }}@{{ matrix_bot_honoroit_database_hostname }}:{{ matrix_bot_honoroit_database_port }}/{{ matrix_bot_honoroit_database_name }}?sslmode=disable' +matrix_bot_honoroit_database_connection_string: 'postgres://{{ matrix_bot_honoroit_database_username }}:{{ matrix_bot_honoroit_database_password }}@{{ matrix_bot_honoroit_database_hostname }}:{{ matrix_bot_honoroit_database_port }}/{{ matrix_bot_honoroit_database_name }}?sslmode={{ matrix_bot_honoroit_database_sslmode }}' matrix_bot_honoroit_storage_database: "{{ { diff --git a/roles/custom/matrix-bot-matrix-registration-bot/defaults/main.yml b/roles/custom/matrix-bot-matrix-registration-bot/defaults/main.yml index d8e52b71..512306e9 100644 --- a/roles/custom/matrix-bot-matrix-registration-bot/defaults/main.yml +++ b/roles/custom/matrix-bot-matrix-registration-bot/defaults/main.yml 
@@ -5,11 +5,14 @@ matrix_bot_matrix_registration_bot_enabled: true matrix_bot_matrix_registration_bot_container_image_self_build: false matrix_bot_matrix_registration_bot_docker_repo: "https://github.com/moan0s/matrix-registration-bot.git" -matrix_bot_matrix_registration_bot_docker_repo_version: "{{ matrix_bot_matrix_registration_bot_version if matrix_bot_matrix_registration_bot_version != 'latest' else 'main' }}" +matrix_bot_matrix_registration_bot_docker_repo_version: "{{ 'main' if matrix_bot_matrix_registration_bot_version == 'latest' else ('v' + matrix_bot_matrix_registration_bot_version) }}" matrix_bot_matrix_registration_bot_docker_src_files_path: "{{ matrix_bot_matrix_registration_bot_base_path }}/docker-src" -matrix_bot_matrix_registration_bot_version: latest -matrix_bot_matrix_registration_bot_docker_image: "{{ matrix_container_global_registry_prefix }}moanos/matrix-registration-bot:{{ matrix_bot_matrix_registration_bot_version }}" +# renovate: datasource=docker depName=moanos/matrix-registration-bot +matrix_bot_matrix_registration_bot_version: 1.3.0 +matrix_bot_matrix_registration_bot_docker_iteration: 0 +matrix_bot_matrix_registration_bot_docker_tag: "{{ matrix_bot_matrix_registration_bot_version }}-{{ matrix_bot_matrix_registration_bot_docker_iteration}}" +matrix_bot_matrix_registration_bot_docker_image: "{{ matrix_container_global_registry_prefix }}moanos/matrix-registration-bot:{{ matrix_bot_matrix_registration_bot_docker_tag }}" matrix_bot_matrix_registration_bot_docker_image_force_pull: "{{ matrix_bot_matrix_registration_bot_docker_image.endswith(':latest') }}" matrix_bot_matrix_registration_bot_base_path: "{{ matrix_base_data_path }}/matrix-registration-bot" 
@@ -19,15 +22,15 @@ matrix_bot_matrix_registration_bot_data_path: "{{ matrix_bot_matrix_registration matrix_bot_matrix_registration_bot_bot_server: "https://{{ matrix_server_fqn_matrix }}" matrix_bot_matrix_registration_bot_api_base_url: "https://{{ matrix_server_fqn_matrix }}" -# The access token that the bot uses to communicate in Matrix chats -# This does not necessarily need to be a privileged (admin) access token. -matrix_bot_matrix_registration_bot_bot_access_token: '' -# The access token that the bot uses to call the Matrix API for creating registration tokens. -# This needs to be a privileged (admin) access token. -# By default, we assume `matrix_bot_matrix_registration_bot_bot_access_token` is such a privileged token and we use it as is. -# If necessary, you can define your own other access token here, which might even be for a different Matrix user. -matrix_bot_matrix_registration_bot_api_token: "{{ matrix_bot_matrix_registration_bot_bot_access_token }}" +# The bot's password (can also be used to login via a client like element) +matrix_bot_matrix_registration_bot_bot_password: '' + +# Optional variable that only needs to be set if the bot account is not admin +# Needs to be a valid access token of an admin account +matrix_bot_matrix_registration_bot_api_token: '' + +matrix_bot_matrix_registration_bot_device_id: "matrix-docker-ansible-deploy" matrix_bot_matrix_registration_bot_logging_level: info matrix_bot_matrix_registration_environment_variables_extension: '' diff --git a/roles/custom/matrix-bot-matrix-registration-bot/tasks/clean_cache.yml b/roles/custom/matrix-bot-matrix-registration-bot/tasks/clean_cache.yml new file mode 100644 index 00000000..ae4433b8 --- /dev/null +++ b/roles/custom/matrix-bot-matrix-registration-bot/tasks/clean_cache.yml 
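Review bot: The comment on `matrix_bot_matrix_registration_bot_bot_password` does not say the value is mandatory, yet the validate_config hunk in this same commit fails the play when it is empty; the comment on `matrix_bot_matrix_registration_bot_api_token` has the opposite problem, since the variable used to default to the bot's own token and now silently defaults to `''`. Suggested wording: `# The bot's password (required; the play fails if left empty). It can also be used to log in via a client like Element.` and, for the token, `# Optional. Only set this when the bot account itself is not a server admin; it must then be a valid access token of an admin account.`.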
@@ -0,0 +1,12 @@ +--- + +- name: Delete cache files + ansible.builtin.file: + state: "{{ item }}" + path: "{{ matrix_bot_matrix_registration_bot_data_path }}" + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: + - absent + - directory diff --git a/roles/custom/matrix-bot-matrix-registration-bot/tasks/main.yml b/roles/custom/matrix-bot-matrix-registration-bot/tasks/main.yml index 83291fb6..cd11c1d5 100644 --- a/roles/custom/matrix-bot-matrix-registration-bot/tasks/main.yml +++ b/roles/custom/matrix-bot-matrix-registration-bot/tasks/main.yml @@ -18,3 +18,9 @@ block: - when: not matrix_bot_matrix_registration_bot_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" + +- tags: + - bot-matrix-registration-bot-clean-cache + block: + - when: matrix_bot_matrix_registration_bot_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/clean_cache.yml" diff --git a/roles/custom/matrix-bot-matrix-registration-bot/tasks/setup_install.yml b/roles/custom/matrix-bot-matrix-registration-bot/tasks/setup_install.yml index 515cd997..655f3d27 100644 --- a/roles/custom/matrix-bot-matrix-registration-bot/tasks/setup_install.yml +++ b/roles/custom/matrix-bot-matrix-registration-bot/tasks/setup_install.yml @@ -9,7 +9,7 @@ group: "{{ matrix_user_groupname }}" with_items: - {path: "{{ matrix_bot_matrix_registration_bot_config_path }}", when: true} - - - {path: "{{ matrix_bot_matrix_registration_bot_data_path }}", when: true} + - {path: "{{ matrix_bot_matrix_registration_bot_data_path }}", when: true} - {path: "{{ matrix_bot_matrix_registration_bot_docker_src_files_path }}", when: true} when: "item.when | bool" diff --git a/roles/custom/matrix-bot-matrix-registration-bot/tasks/validate_config.yml b/roles/custom/matrix-bot-matrix-registration-bot/tasks/validate_config.yml index 39e97cde..b7a47563 100644 --- a/roles/custom/matrix-bot-matrix-registration-bot/tasks/validate_config.yml 
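Review bot: `mode: 0750` in the new clean_cache.yml is an unquoted octal literal, which the repository's ansible-lint run (see the workflow in this diff) reports as risky-octal and which YAML 1.1 parsers read as the integer 488; write it as `mode: "0750"` to match the string form Ansible documents. The task also applies `owner`/`group`/`mode` while `state` is `absent`, where they are ignored; harmless, but worth a one-line comment such as `# First item removes the directory, second recreates it empty` so the intent of the two-item loop is clear.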
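Review bot: The new block in tasks/main.yml carries only the `bot-matrix-registration-bot-clean-cache` tag, and Ansible runs every task that is not tagged `never` when the playbook is invoked without `--tags` (or with `--tags=all`); in that case the included clean_cache.yml deletes and recreates `matrix_bot_matrix_registration_bot_data_path` on every run. Adding `- never` to the block's tag list keeps the task reachable via its explicit tag while excluding it from untagged runs. This assumes nothing earlier in main.yml (outside the hunk) already guards it.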
+++ b/roles/custom/matrix-bot-matrix-registration-bot/tasks/validate_config.yml @@ -5,6 +5,13 @@ msg: >- You need to define a required configuration setting (`{{ item }}`). when: "vars[item] == ''" + with_items: + - "matrix_bot_matrix_registration_bot_bot_password" + +- name: (Deprecation) Catch and report old settings + ansible.builtin.fail: + msg: >- + Your configuration contains a variable, which is deprecated - Please check the documentation on how to configure the matrix-registration-bot. + when: "item in vars" with_items: - "matrix_bot_matrix_registration_bot_bot_access_token" - - "matrix_bot_matrix_registration_bot_api_token" diff --git a/roles/custom/matrix-bot-matrix-registration-bot/templates/config/config.yml.j2 b/roles/custom/matrix-bot-matrix-registration-bot/templates/config/config.yml.j2 index 756efb01..4a2242aa 100644 --- a/roles/custom/matrix-bot-matrix-registration-bot/templates/config/config.yml.j2 +++ b/roles/custom/matrix-bot-matrix-registration-bot/templates/config/config.yml.j2 @@ -1,12 +1,16 @@ bot: server: {{ matrix_bot_matrix_registration_bot_bot_server|to_json }} username: {{ matrix_bot_matrix_registration_bot_matrix_user_id_localpart|to_json }} - access_token: {{ matrix_bot_matrix_registration_bot_bot_access_token|to_json }} + password: {{ matrix_bot_matrix_registration_bot_bot_password|to_json }} + api: # API endpoint of the registration tokens base_url: {{ matrix_bot_matrix_registration_bot_api_base_url|to_json }} # Access token of an administrator on the server +{% if matrix_bot_matrix_registration_bot_api_token | length > 0 %} token: {{ matrix_bot_matrix_registration_bot_api_token|to_json }} +{% endif %} + logging: level: {{ matrix_bot_matrix_registration_bot_logging_level|to_json }} diff --git a/roles/custom/matrix-bot-matrix-reminder-bot/defaults/main.yml b/roles/custom/matrix-bot-matrix-reminder-bot/defaults/main.yml index 03f11767..2f43024a 100644 --- a/roles/custom/matrix-bot-matrix-reminder-bot/defaults/main.yml 
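Review bot: The new deprecation failure message does not name the offending variable, even though the loop has it in `item` and the required-setting task directly above uses exactly that pattern; an operator with several bot roles would have to guess which setting tripped the check. Suggested message line: `Your configuration contains a deprecated variable (`{{ item }}`). Please check the documentation on how to configure the matrix-registration-bot.`. The collapsed layout does not show whether `when: "item in vars"` sits at task level or under `ansible.builtin.fail:`; if it is the latter, the module would reject it, so please confirm the indentation.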
+++ b/roles/custom/matrix-bot-matrix-reminder-bot/defaults/main.yml @@ -9,6 +9,7 @@ matrix_bot_matrix_reminder_bot_docker_repo: "https://github.com/anoadragon453/ma matrix_bot_matrix_reminder_bot_docker_repo_version: "{{ matrix_bot_matrix_reminder_bot_version }}" matrix_bot_matrix_reminder_bot_docker_src_files_path: "{{ matrix_base_data_path }}/matrix-reminder-bot/docker-src" +# renovate: datasource=docker depName=anoa/matrix-reminder-bot matrix_bot_matrix_reminder_bot_version: release-v0.2.1 matrix_bot_matrix_reminder_bot_docker_image: "{{ matrix_container_global_registry_prefix }}anoa/matrix-reminder-bot:{{ matrix_bot_matrix_reminder_bot_version }}" matrix_bot_matrix_reminder_bot_docker_image_force_pull: "{{ matrix_bot_matrix_reminder_bot_docker_image.endswith(':latest') }}" diff --git a/roles/custom/matrix-bot-maubot/defaults/main.yml b/roles/custom/matrix-bot-maubot/defaults/main.yml index a31d8191..3c93b8ab 100644 --- a/roles/custom/matrix-bot-maubot/defaults/main.yml +++ b/roles/custom/matrix-bot-maubot/defaults/main.yml @@ -10,7 +10,8 @@ matrix_bot_maubot_docker_src_files_path: "{{ matrix_bot_maubot_base_path }}/dock matrix_bot_maubot_docker_repo_version: "{{ 'master' if matrix_bot_maubot_version == 'latest' else matrix_bot_maubot_version }}" -matrix_bot_maubot_version: v0.4.1 +# renovate: datasource=docker depName=dock.mau.dev/maubot/maubot +matrix_bot_maubot_version: v0.4.2 matrix_bot_maubot_docker_image: "{{ matrix_bot_maubot_docker_image_name_prefix }}maubot/maubot:{{ matrix_bot_maubot_version }}" matrix_bot_maubot_docker_image_name_prefix: "{{ 'localhost/' if matrix_bot_maubot_container_image_self_build else 'dock.mau.dev/' }}" matrix_bot_maubot_docker_image_force_pull: "{{ matrix_bot_maubot_docker_image.endswith(':latest') }}" 
@@ -31,8 +32,9 @@ matrix_bot_maubot_database_password: ~ matrix_bot_maubot_database_hostname: '' matrix_bot_maubot_database_port: 5432 matrix_bot_maubot_database_name: matrix_bot_maubot +matrix_bot_maubot_database_sslmode: disable -matrix_bot_maubot_database_connection_string: postgres://{{ matrix_bot_maubot_database_username }}:{{ matrix_bot_maubot_database_password }}@{{ matrix_bot_maubot_database_hostname }}:{{ matrix_bot_maubot_database_port }}/{{ matrix_bot_maubot_database_name }}?sslmode=disable +matrix_bot_maubot_database_connection_string: postgres://{{ matrix_bot_maubot_database_username }}:{{ matrix_bot_maubot_database_password }}@{{ matrix_bot_maubot_database_hostname }}:{{ matrix_bot_maubot_database_port }}/{{ matrix_bot_maubot_database_name }}?sslmode={{ matrix_bot_maubot_database_sslmode }} matrix_bot_maubot_database_uri: "{{ { diff --git a/roles/custom/matrix-bot-maubot/templates/config/config.yaml.j2 b/roles/custom/matrix-bot-maubot/templates/config/config.yaml.j2 index 49bbcb87..7750ec9a 100644 --- a/roles/custom/matrix-bot-maubot/templates/config/config.yaml.j2 +++ b/roles/custom/matrix-bot-maubot/templates/config/config.yaml.j2 @@ -60,7 +60,7 @@ server: homeservers: {{ matrix_domain }}: # Client-server API URL - url: "https://{{ matrix_server_fqn_matrix }}" + url: {{ matrix_homeserver_container_url | to_json }} # registration_shared_secret from synapse config # You can leave this empty if you don't have access to the homeserver. # When this is empty, `mbc auth --register` won't work, but `mbc auth` (login) will. diff --git a/roles/custom/matrix-bot-mjolnir/defaults/main.yml b/roles/custom/matrix-bot-mjolnir/defaults/main.yml index ecbbdb88..1c174477 100644 --- a/roles/custom/matrix-bot-mjolnir/defaults/main.yml +++ b/roles/custom/matrix-bot-mjolnir/defaults/main.yml 
@@ -4,7 +4,8 @@ matrix_bot_mjolnir_enabled: true -matrix_bot_mjolnir_version: "v1.6.4" +# renovate: datasource=docker depName=matrixdotorg/mjolnir +matrix_bot_mjolnir_version: "v1.6.5" matrix_bot_mjolnir_container_image_self_build: false matrix_bot_mjolnir_container_image_self_build_repo: "https://github.com/matrix-org/mjolnir.git" diff --git a/roles/custom/matrix-bot-mjolnir/templates/systemd/matrix-bot-mjolnir.service.j2 b/roles/custom/matrix-bot-mjolnir/templates/systemd/matrix-bot-mjolnir.service.j2 index 8ac872b7..23561c3c 100644 --- a/roles/custom/matrix-bot-mjolnir/templates/systemd/matrix-bot-mjolnir.service.j2 +++ b/roles/custom/matrix-bot-mjolnir/templates/systemd/matrix-bot-mjolnir.service.j2 @@ -1,7 +1,7 @@ #jinja2: lstrip_blocks: "True" [Unit] Description=Matrix Mjolnir bot -{% for service in matrix_bot_mjolnir_systemd_required_services_list %} +{% for service in matrix_bot_mjolnir_systemd_wanted_services_list %} Requires={{ service }} After={{ service }} {% endfor %} diff --git a/roles/custom/matrix-bot-postmoogle/defaults/main.yml b/roles/custom/matrix-bot-postmoogle/defaults/main.yml index 0c9db2d7..580dcfed 100644 --- a/roles/custom/matrix-bot-postmoogle/defaults/main.yml +++ b/roles/custom/matrix-bot-postmoogle/defaults/main.yml 
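Review bot: The systemd template now iterates `matrix_bot_mjolnir_systemd_wanted_services_list` but still emits `Requires={{ service }}`, so a service the new name says is merely wanted will still take the bot down when it stops or fails. If the rename is meant to change the dependency strength, the directive should change with it: `Wants={{ service }}`. If a hard dependency is intended, the variable name is misleading and a comment in the template should say why.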
@@ -9,7 +9,8 @@ matrix_bot_postmoogle_docker_repo: "https://gitlab.com/etke.cc/postmoogle.git" matrix_bot_postmoogle_docker_repo_version: "{{ 'main' if matrix_bot_postmoogle_version == 'latest' else matrix_bot_postmoogle_version }}" matrix_bot_postmoogle_docker_src_files_path: "{{ matrix_base_data_path }}/postmoogle/docker-src" -matrix_bot_postmoogle_version: v0.9.14 +# renovate: datasource=docker depName=registry.gitlab.com/etke.cc/postmoogle +matrix_bot_postmoogle_version: v0.9.16 matrix_bot_postmoogle_docker_image: "{{ matrix_bot_postmoogle_docker_image_name_prefix }}etke.cc/postmoogle:{{ matrix_bot_postmoogle_version }}" matrix_bot_postmoogle_docker_image_name_prefix: "{{ 'localhost/' if matrix_bot_postmoogle_container_image_self_build else 'registry.gitlab.com/' }}" matrix_bot_postmoogle_docker_image_force_pull: "{{ matrix_bot_postmoogle_docker_image.endswith(':latest') }}" @@ -45,8 +46,9 @@ matrix_bot_postmoogle_database_password: 'some-password' matrix_bot_postmoogle_database_hostname: '' matrix_bot_postmoogle_database_port: 5432 matrix_bot_postmoogle_database_name: 'postmoogle' +matrix_bot_postmoogle_database_sslmode: disable -matrix_bot_postmoogle_database_connection_string: 'postgres://{{ matrix_bot_postmoogle_database_username }}:{{ matrix_bot_postmoogle_database_password }}@{{ matrix_bot_postmoogle_database_hostname }}:{{ matrix_bot_postmoogle_database_port }}/{{ matrix_bot_postmoogle_database_name }}?sslmode=disable' +matrix_bot_postmoogle_database_connection_string: 'postgres://{{ matrix_bot_postmoogle_database_username }}:{{ matrix_bot_postmoogle_database_password }}@{{ matrix_bot_postmoogle_database_hostname }}:{{ matrix_bot_postmoogle_database_port }}/{{ matrix_bot_postmoogle_database_name }}?sslmode={{ matrix_bot_postmoogle_database_sslmode }}' matrix_bot_postmoogle_storage_database: "{{ { 
@@ -64,12 +66,15 @@ matrix_bot_postmoogle_database_dialect: "{{ # The bot's username. This user needs to be created manually beforehand. -# Also see `matrix_bot_postmoogle_password`. +# Also see `matrix_bot_postmoogle_password` or `matrix_bot_postmoogle_sharedsecret` matrix_bot_postmoogle_login: "postmoogle" # The password that the bot uses to authenticate. matrix_bot_postmoogle_password: '' +# Alternative to password - shared secret requires matrix_bot_postmoogle_login to be MXID +matrix_bot_postmoogle_sharedsecret: '' + matrix_bot_postmoogle_homeserver: "{{ matrix_homeserver_container_url }}" # Command prefix @@ -78,6 +83,12 @@ matrix_bot_postmoogle_prefix: '!pm' # Max email size in megabytes, including attachments matrix_bot_postmoogle_maxsize: '1024' +# Optional SMTP relay mode +matrix_bot_postmoogle_relay_host: '' +matrix_bot_postmoogle_relay_port: '' +matrix_bot_postmoogle_relay_username: '' +matrix_bot_postmoogle_relay_password: '' + # A list of admins # Example set of rules: # matrix_bot_postmoogle_admins: @@ -101,9 +112,6 @@ matrix_bot_postmoogle_monitoring_healthchecks_duration: 60 # Log level matrix_bot_postmoogle_loglevel: 'INFO' -# Disable encryption -matrix_bot_postmoogle_noencryption: false - # deprecated, use matrix_bot_postmoogle_domains matrix_bot_postmoogle_domain: "{{ matrix_server_fqn_matrix }}" @@ -146,6 +154,9 @@ matrix_bot_postmoogle_tls_required: false # trusted proxies matrix_bot_postmoogle_proxies: [] +# known forwarders +matrix_bot_postmoogle_mailboxes_forwarded: [] + # reserved mailboxes matrix_bot_postmoogle_mailboxes_reserved: [] diff --git a/roles/custom/matrix-bot-postmoogle/templates/env.j2 b/roles/custom/matrix-bot-postmoogle/templates/env.j2 index 072d12da..8a3eb71b 100644 --- a/roles/custom/matrix-bot-postmoogle/templates/env.j2 +++ b/roles/custom/matrix-bot-postmoogle/templates/env.j2 
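Review bot: `matrix_bot_postmoogle_noencryption` is removed from the defaults (and from env.j2 in the next hunks) without any check that reports it, so an operator who still sets it gets no error and the setting is silently dropped; the registration-bot hunk in this same commit adds a "(Deprecation) Catch and report old settings" task for exactly this situation, and postmoogle's validate_config would benefit from the same task with this variable in its list. Separately, the comment on `matrix_bot_postmoogle_sharedsecret` should say that it is an alternative to the password rather than an addition, since both are rendered into env.j2 unconditionally: `# Alternative to matrix_bot_postmoogle_password; when set, matrix_bot_postmoogle_login must be a full MXID.`. The postmoogle validate_config file is not in this diff, so the absence of a check there is inferred.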
@@ -1,5 +1,6 @@ POSTMOOGLE_LOGIN={{ matrix_bot_postmoogle_login }} POSTMOOGLE_PASSWORD={{ matrix_bot_postmoogle_password }} +POSTMOOGLE_SHAREDSECRET={{ matrix_bot_postmoogle_sharedsecret }} POSTMOOGLE_HOMESERVER={{ matrix_bot_postmoogle_homeserver }} POSTMOOGLE_DOMAINS={{ matrix_bot_postmoogle_domains | join(' ') }} POSTMOOGLE_PORT={{ matrix_bot_postmoogle_port }} @@ -8,7 +9,6 @@ POSTMOOGLE_DB_DIALECT={{ matrix_bot_postmoogle_database_dialect }} POSTMOOGLE_PREFIX={{ matrix_bot_postmoogle_prefix }} POSTMOOGLE_MAXSIZE={{ matrix_bot_postmoogle_maxsize }} POSTMOOGLE_LOGLEVEL={{ matrix_bot_postmoogle_loglevel }} -POSTMOOGLE_NOENCRYPTION={{ matrix_bot_postmoogle_noencryption }} POSTMOOGLE_ADMINS={{ matrix_bot_postmoogle_admins | join(' ') }} POSTMOOGLE_TLS_PORT={{ matrix_bot_postmoogle_tls_port }} POSTMOOGLE_TLS_CERT={{ matrix_bot_postmoogle_tls_cert }} 
@@ -16,10 +16,15 @@ POSTMOOGLE_TLS_KEY={{ matrix_bot_postmoogle_tls_key }} POSTMOOGLE_TLS_REQUIRED={{ matrix_bot_postmoogle_tls_required }} POSTMOOGLE_DATA_SECRET={{ matrix_bot_postmoogle_data_secret }} POSTMOOGLE_PROXIES={{ matrix_bot_postmoogle_proxies | join(' ') }} +POSTMOOGLE_RELAY_HOST={{ matrix_bot_postmoogle_relay_host }} +POSTMOOGLE_RELAY_PORT={{ matrix_bot_postmoogle_relay_port }} +POSTMOOGLE_RELAY_USERNAME={{ matrix_bot_postmoogle_relay_username }} +POSTMOOGLE_RELAY_PASSWORD={{ matrix_bot_postmoogle_relay_password }} POSTMOOGLE_MONITORING_SENTRY_DSN={{ matrix_bot_postmoogle_monitoring_sentry_dsn }} POSTMOOGLE_MONITORING_SENTRY_RATE={{ matrix_bot_postmoogle_monitoring_sentry_rate }} POSTMOOGLE_MONITORING_HEALTHCHECKS_UUID={{ matrix_bot_postmoogle_monitoring_healthchecks_uuid }} POSTMOOGLE_MONITORING_HEALTHCHECKS_DURATION={{ matrix_bot_postmoogle_monitoring_healthchecks_duration }} +POSTMOOGLE_MAILBOXES_FORWARDED={{ matrix_bot_postmoogle_mailboxes_forwarded | join(' ') }} POSTMOOGLE_MAILBOXES_RESERVED={{ matrix_bot_postmoogle_mailboxes_reserved | join(' ') }} POSTMOOGLE_MAILBOXES_ACTIVATION={{ matrix_bot_postmoogle_mailboxes_activation }} diff --git a/roles/custom/matrix-bridge-appservice-discord/defaults/main.yml b/roles/custom/matrix-bridge-appservice-discord/defaults/main.yml index ec194855..a0dfc9f1 100644 --- a/roles/custom/matrix-bridge-appservice-discord/defaults/main.yml +++ b/roles/custom/matrix-bridge-appservice-discord/defaults/main.yml 
@@ -5,7 +5,8 @@ matrix_appservice_discord_enabled: false matrix_appservice_discord_container_image_self_build: false -matrix_appservice_discord_version: v3.1.0 +# renovate: datasource=docker depName=ghcr.io/matrix-org/matrix-appservice-discord +matrix_appservice_discord_version: v4.0.0 matrix_appservice_discord_docker_image: "{{ matrix_appservice_discord_docker_image_name_prefix }}matrix-org/matrix-appservice-discord:{{ matrix_appservice_discord_version }}" matrix_appservice_discord_docker_image_name_prefix: "{{ 'localhost/' if matrix_appservice_discord_container_image_self_build else 'ghcr.io/' }}" matrix_appservice_discord_docker_image_force_pull: "{{ matrix_appservice_discord_docker_image.endswith(':latest') }}" diff --git a/roles/custom/matrix-bridge-appservice-irc/defaults/main.yml b/roles/custom/matrix-bridge-appservice-irc/defaults/main.yml index b6e6f119..3dda9b75 100644 --- a/roles/custom/matrix-bridge-appservice-irc/defaults/main.yml +++ b/roles/custom/matrix-bridge-appservice-irc/defaults/main.yml @@ -11,7 +11,8 @@ matrix_appservice_irc_docker_src_files_path: "{{ matrix_base_data_path }}/appser # matrix_appservice_irc_version used to contain the full Docker image tag (e.g. `release-X.X.X`). # It's a bare version number now. We try to somewhat retain compatibility below. -matrix_appservice_irc_version: 0.38.0 +# renovate: datasource=docker depName=docker.io/matrixdotorg/matrix-appservice-irc +matrix_appservice_irc_version: 1.0.1 matrix_appservice_irc_docker_image: "{{ matrix_container_global_registry_prefix }}matrixdotorg/matrix-appservice-irc:{{ matrix_appservice_irc_docker_image_tag }}" matrix_appservice_irc_docker_image_tag: "{{ 'latest' if matrix_appservice_irc_version == 'latest' else ('release-' + matrix_appservice_irc_version) }}" matrix_appservice_irc_docker_image_force_pull: "{{ matrix_appservice_irc_docker_image.endswith(':latest') }}" 
@@ -33,10 +34,11 @@ matrix_appservice_irc_database_password: 'some-password' matrix_appservice_irc_database_hostname: '' matrix_appservice_irc_database_port: 5432 matrix_appservice_irc_database_name: matrix_appservice_irc +matrix_appservice_irc_database_sslmode: disable # This is just the Postgres connection string, if Postgres is used. # Naming clashes with `matrix_appservice_irc_database_connectionString` somewhat. -matrix_appservice_irc_database_connection_string: 'postgresql://{{ matrix_appservice_irc_database_username }}:{{ matrix_appservice_irc_database_password }}@{{ matrix_appservice_irc_database_hostname }}:{{ matrix_appservice_irc_database_port }}/{{ matrix_appservice_irc_database_name }}?sslmode=disable' +matrix_appservice_irc_database_connection_string: 'postgresql://{{ matrix_appservice_irc_database_username }}:{{ matrix_appservice_irc_database_password }}@{{ matrix_appservice_irc_database_hostname }}:{{ matrix_appservice_irc_database_port }}/{{ matrix_appservice_irc_database_name }}?sslmode={{ matrix_appservice_irc_database_sslmode }}' # This is what actually goes into `database.connectionString` for the bridge. matrix_appservice_irc_database_connectionString: |- # noqa var-naming diff --git a/roles/custom/matrix-bridge-appservice-kakaotalk/defaults/main.yml b/roles/custom/matrix-bridge-appservice-kakaotalk/defaults/main.yml index 86c3366c..9f86be5f 100644 --- a/roles/custom/matrix-bridge-appservice-kakaotalk/defaults/main.yml +++ b/roles/custom/matrix-bridge-appservice-kakaotalk/defaults/main.yml 
@@ -110,6 +110,8 @@ matrix_appservice_kakaotalk_login_shared_secret: '' matrix_appservice_kakaotalk_bridge_login_shared_secret_map: "{{ {matrix_appservice_kakaotalk_homeserver_domain: matrix_appservice_kakaotalk_login_shared_secret} if matrix_appservice_kakaotalk_login_shared_secret else {} }}" +matrix_appservice_kakaotalk_bridge_relay_enabled: "{{ matrix_bridges_relay_enabled }}" + matrix_appservice_kakaotalk_bridge_permissions: | {{ {matrix_appservice_kakaotalk_homeserver_domain: 'user'} diff --git a/roles/custom/matrix-bridge-appservice-kakaotalk/templates/config.yaml.j2 b/roles/custom/matrix-bridge-appservice-kakaotalk/templates/config.yaml.j2 index 803d443f..cf3644a9 100644 --- a/roles/custom/matrix-bridge-appservice-kakaotalk/templates/config.yaml.j2 +++ b/roles/custom/matrix-bridge-appservice-kakaotalk/templates/config.yaml.j2 @@ -220,7 +220,7 @@ bridge: relay: # Whether relay mode should be allowed. If allowed, `!kt set-relay` can be used to turn any # authenticated user into a relaybot for that chat. - enabled: false + enabled: {{ matrix_appservice_kakaotalk_bridge_relay_enabled }} # The formats to use when sending messages to KakaoTalk via a relay user. # # Available variables: diff --git a/roles/custom/matrix-bridge-appservice-slack/defaults/main.yml b/roles/custom/matrix-bridge-appservice-slack/defaults/main.yml index 6fb6d7e7..a803dbe9 100644 --- a/roles/custom/matrix-bridge-appservice-slack/defaults/main.yml +++ b/roles/custom/matrix-bridge-appservice-slack/defaults/main.yml 
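Review bot: In config.yaml.j2 the new `enabled: {{ matrix_appservice_kakaotalk_bridge_relay_enabled }}` renders the variable without a filter, and since the defaults hunk defines it as the templated string `"{{ matrix_bridges_relay_enabled }}"`, what lands in the file depends on how Ansible stringifies the boolean rather than on YAML rules; the other templates in this commit pass values through `to_json` for that reason. Use `enabled: {{ matrix_appservice_kakaotalk_bridge_relay_enabled | bool | to_json }}` so the bridge always reads a YAML boolean. The new default also relies on `matrix_bridges_relay_enabled` being defined elsewhere, which is not visible in this diff.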
@@ -11,7 +11,8 @@ matrix_appservice_slack_docker_src_files_path: "{{ matrix_base_data_path }}/apps # matrix_appservice_slack_version used to contain the full Docker image tag (e.g. `release-X.X.X`). # It's a bare version number now. We try to somewhat retain compatibility below. -matrix_appservice_slack_version: 2.0.2 +# renovate: datasource=docker depName=docker.io/matrixdotorg/matrix-appservice-slack +matrix_appservice_slack_version: 2.1.2 matrix_appservice_slack_docker_image: "{{ matrix_container_global_registry_prefix }}matrixdotorg/matrix-appservice-slack:{{ matrix_appservice_slack_docker_image_tag }}" matrix_appservice_slack_docker_image_tag: "{{ 'latest' if matrix_appservice_slack_version == 'latest' else ('release-' + matrix_appservice_slack_version) }}" matrix_appservice_slack_docker_image_force_pull: "{{ matrix_appservice_slack_docker_image.endswith(':latest') }}" 
@@ -61,10 +62,11 @@ matrix_appservice_slack_database_password: 'some-passsword' matrix_appservice_slack_database_hostname: '' matrix_appservice_slack_database_port: 5432 matrix_appservice_slack_database_name: matrix_appservice_slack +matrix_appservice_slack_database_sslmode: disable # This is just the Postgres connection string, if Postgres is used. # Naming clashes with `matrix_appservice_slack_database_connectionString` somewhat. -matrix_appservice_slack_database_connection_string: 'postgresql://{{ matrix_appservice_slack_database_username }}:{{ matrix_appservice_slack_database_password }}@{{ matrix_appservice_slack_database_hostname }}:{{ matrix_appservice_slack_database_port }}/{{ matrix_appservice_slack_database_name }}?sslmode=disable' +matrix_appservice_slack_database_connection_string: 'postgresql://{{ matrix_appservice_slack_database_username }}:{{ matrix_appservice_slack_database_password }}@{{ matrix_appservice_slack_database_hostname }}:{{ matrix_appservice_slack_database_port }}/{{ matrix_appservice_slack_database_name }}?sslmode={{ matrix_appservice_slack_database_sslmode }}' # This is what actually goes into `database.connectionString` for the bridge. matrix_appservice_slack_database_connectionString: |- # noqa var-naming diff --git a/roles/custom/matrix-bridge-beeper-linkedin/defaults/main.yml b/roles/custom/matrix-bridge-beeper-linkedin/defaults/main.yml index 75e9de55..ea24593a 100644 --- a/roles/custom/matrix-bridge-beeper-linkedin/defaults/main.yml +++ b/roles/custom/matrix-bridge-beeper-linkedin/defaults/main.yml @@ -4,7 +4,8 @@ matrix_beeper_linkedin_enabled: true -matrix_beeper_linkedin_version: v0.5.4 +# renovate: datasource=docker depName=ghcr.io/beeper/linkedin +matrix_beeper_linkedin_version: latest # See: https://github.com/beeper/linkedin/pkgs/container/linkedin matrix_beeper_linkedin_docker_image: "{{ matrix_beeper_linkedin_docker_image_name_prefix }}beeper/linkedin:{{ matrix_beeper_linkedin_docker_image_tag }}" 
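Review bot: Moving `matrix_beeper_linkedin_version` from the pinned `v0.5.4` to the mutable `latest` tag makes every deployment pull whatever the registry currently serves, so two runs of the same playbook can install different code and a compromised or broken upstream push is picked up automatically; it also makes the `renovate:` marker added on the line above ineffective, because there is no concrete version for Renovate to bump. Pin a specific tag, or if `latest` is unavoidable (for example no tagged release yet for the needed fix), say so in a comment such as `# Pinned to latest because upstream has not tagged a release containing ...` so a later maintainer knows when to re-pin.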
@@ -14,7 +15,7 @@ matrix_beeper_linkedin_docker_image_tag: "{{ 'latest' if matrix_beeper_linkedin_ matrix_beeper_linkedin_container_image_self_build: false matrix_beeper_linkedin_container_image_self_build_repo: "https://github.com/beeper/linkedin" -matrix_beeper_linkedin_container_image_self_build_branch: "{{ matrix_beeper_linkedin_version }}" +matrix_beeper_linkedin_container_image_self_build_branch: "{{ 'master' if matrix_beeper_linkedin_version == 'latest' else matrix_beeper_linkedin_version }}" matrix_beeper_linkedin_base_path: "{{ matrix_base_data_path }}/beeper-linkedin" matrix_beeper_linkedin_config_path: "{{ matrix_beeper_linkedin_base_path }}/config" @@ -61,8 +62,9 @@ matrix_beeper_linkedin_database_password: 'some-password' matrix_beeper_linkedin_database_hostname: '' matrix_beeper_linkedin_database_port: 5432 matrix_beeper_linkedin_database_name: 'matrix_beeper_linkedin' +matrix_beeper_linkedin_database_sslmode: disable -matrix_beeper_linkedin_database_connection_string: 'postgresql://{{ matrix_beeper_linkedin_database_username }}:{{ matrix_beeper_linkedin_database_password }}@{{ matrix_beeper_linkedin_database_hostname }}:{{ matrix_beeper_linkedin_database_port }}/{{ matrix_beeper_linkedin_database_name }}?sslmode=disable' +matrix_beeper_linkedin_database_connection_string: 'postgresql://{{ matrix_beeper_linkedin_database_username }}:{{ matrix_beeper_linkedin_database_password }}@{{ matrix_beeper_linkedin_database_hostname }}:{{ matrix_beeper_linkedin_database_port }}/{{ matrix_beeper_linkedin_database_name }}?sslmode={{ matrix_beeper_linkedin_database_sslmode }}' matrix_beeper_linkedin_appservice_database_type: "{{ { diff --git a/roles/custom/matrix-bridge-go-skype-bridge/defaults/main.yml b/roles/custom/matrix-bridge-go-skype-bridge/defaults/main.yml index 477f2127..7b77e3fb 100644 --- a/roles/custom/matrix-bridge-go-skype-bridge/defaults/main.yml +++ b/roles/custom/matrix-bridge-go-skype-bridge/defaults/main.yml 
@@ -8,6 +8,7 @@ matrix_go_skype_bridge_container_image_self_build: false matrix_go_skype_bridge_container_image_self_build_repo: "https://github.com/kelaresg/go-skype-bridge.git" matrix_go_skype_bridge_container_image_self_build_branch: "{{ 'master' if matrix_go_skype_bridge_version == 'latest' else matrix_go_skype_bridge_version }}" +# renovate: datasource=docker depName=nodefyme/go-skype-bridge matrix_go_skype_bridge_version: latest matrix_go_skype_bridge_docker_image: "{{ matrix_go_skype_bridge_docker_image_name_prefix }}nodefyme/go-skype-bridge:{{ matrix_go_skype_bridge_version }}" matrix_go_skype_bridge_docker_image_name_prefix: "{{ 'localhost/' if matrix_go_skype_bridge_container_image_self_build else matrix_container_global_registry_prefix }}" @@ -59,8 +60,9 @@ matrix_go_skype_bridge_database_password: 'some-password' matrix_go_skype_bridge_database_hostname: '' matrix_go_skype_bridge_database_port: 5432 matrix_go_skype_bridge_database_name: 'matrix_go_skype_bridge' +matrix_go_skype_bridge_database_sslmode: disable -matrix_go_skype_bridge_database_connection_string: 'postgresql://{{ matrix_go_skype_bridge_database_username }}:{{ matrix_go_skype_bridge_database_password }}@{{ matrix_go_skype_bridge_database_hostname }}:{{ matrix_go_skype_bridge_database_port }}/{{ matrix_go_skype_bridge_database_name }}?sslmode=disable' +matrix_go_skype_bridge_database_connection_string: 'postgresql://{{ matrix_go_skype_bridge_database_username }}:{{ matrix_go_skype_bridge_database_password }}@{{ matrix_go_skype_bridge_database_hostname }}:{{ matrix_go_skype_bridge_database_port }}/{{ matrix_go_skype_bridge_database_name }}?sslmode={{ matrix_go_skype_bridge_database_sslmode }}' matrix_go_skype_bridge_appservice_database_type: "{{ { diff --git a/roles/custom/matrix-bridge-heisenbridge/defaults/main.yml b/roles/custom/matrix-bridge-heisenbridge/defaults/main.yml index ba5471cc..c8d1bf94 100644 --- a/roles/custom/matrix-bridge-heisenbridge/defaults/main.yml 
+++ b/roles/custom/matrix-bridge-heisenbridge/defaults/main.yml @@ -4,7 +4,8 @@ matrix_heisenbridge_enabled: true -matrix_heisenbridge_version: 1.14.2 +# renovate: datasource=docker depName=hif1/heisenbridge +matrix_heisenbridge_version: 1.14.6 matrix_heisenbridge_docker_image: "{{ matrix_container_global_registry_prefix }}hif1/heisenbridge:{{ matrix_heisenbridge_version }}" matrix_heisenbridge_docker_image_force_pull: "{{ matrix_heisenbridge_docker_image.endswith(':latest') }}" @@ -30,7 +31,15 @@ matrix_heisenbridge_homeserver_url: "{{ matrix_homeserver_container_url }}" matrix_heisenbridge_appservice_token: '' matrix_heisenbridge_homeserver_token: '' -# Default registration file +matrix_heisenbridge_config_media_url: "{{ matrix_homeserver_url }}" +matrix_heisenbridge_config_displayname: "Heisenbridge" + +matrix_heisenbridge_registration_yaml_heisenbridge: + media_url: "{{ matrix_heisenbridge_config_media_url }}" + displayname: "{{ matrix_heisenbridge_config_displayname }}" + +# Default registration file consumed by both the homeserver and Heisenbridge. +# Besides registration information, it contains configuration (see the heisenbridge key). matrix_heisenbridge_registration_yaml: id: heisenbridge url: http://matrix-heisenbridge:9898 @@ -44,5 +53,6 @@ matrix_heisenbridge_registration_yaml: exclusive: true aliases: [] rooms: [] + heisenbridge: "{{ matrix_heisenbridge_registration_yaml_heisenbridge }}" matrix_heisenbridge_registration: "{{ matrix_heisenbridge_registration_yaml | from_yaml }}" diff --git a/roles/custom/matrix-bridge-hookshot/defaults/main.yml b/roles/custom/matrix-bridge-hookshot/defaults/main.yml index 3c1ba519..60807aa2 100644 --- a/roles/custom/matrix-bridge-hookshot/defaults/main.yml +++ b/roles/custom/matrix-bridge-hookshot/defaults/main.yml 
@@ -10,7 +10,8 @@ matrix_hookshot_container_image_self_build: false matrix_hookshot_container_image_self_build_repo: "https://github.com/matrix-org/matrix-hookshot.git" matrix_hookshot_container_image_self_build_branch: "{{ 'main' if matrix_hookshot_version == 'latest' else matrix_hookshot_version }}" -matrix_hookshot_version: 4.4.0 +# renovate: datasource=docker depName=halfshot/matrix-hookshot +matrix_hookshot_version: 4.6.0 matrix_hookshot_docker_image: "{{ matrix_hookshot_docker_image_name_prefix }}halfshot/matrix-hookshot:{{ matrix_hookshot_version }}" matrix_hookshot_docker_image_name_prefix: "{{ 'localhost/' if matrix_hookshot_container_image_self_build else matrix_container_global_registry_prefix }}" diff --git a/roles/custom/matrix-bridge-mautrix-discord/defaults/main.yml b/roles/custom/matrix-bridge-mautrix-discord/defaults/main.yml index dbb73aa4..af12acac 100644 --- a/roles/custom/matrix-bridge-mautrix-discord/defaults/main.yml +++ b/roles/custom/matrix-bridge-mautrix-discord/defaults/main.yml @@ -8,7 +8,9 @@ matrix_mautrix_discord_container_image_self_build: false matrix_mautrix_discord_container_image_self_build_repo: "https://mau.dev/mautrix/discord.git" matrix_mautrix_discord_container_image_self_build_branch: "{{ 'main' if matrix_mautrix_discord_version == 'latest' else matrix_mautrix_discord_version }}" -matrix_mautrix_discord_version: v0.5.0 +# renovate: datasource=docker depName=dock.mau.dev/mautrix/discord +matrix_mautrix_discord_version: v0.6.4 + # See: https://mau.dev/mautrix/discord/container_registry matrix_mautrix_discord_docker_image: "{{ matrix_mautrix_discord_docker_image_name_prefix }}mautrix/discord:{{ matrix_mautrix_discord_version }}" matrix_mautrix_discord_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_discord_container_image_self_build else 'dock.mau.dev/' }}" 
@@ -27,7 +29,7 @@ matrix_mautrix_discord_command_prefix: "!discord" matrix_mautrix_discord_bridge_permissions: | {{ - {matrix_mautrix_discord_homeserver_domain: 'user'} + {'*': 'relay', matrix_mautrix_discord_homeserver_domain: 'user'} | combine({matrix_admin: 'admin'} if matrix_admin else {}) }}
@@ -70,8 +72,9 @@ matrix_mautrix_discord_database_password: 'some-password' matrix_mautrix_discord_database_hostname: '' matrix_mautrix_discord_database_port: 5432 matrix_mautrix_discord_database_name: 'matrix_mautrix_discord' +matrix_mautrix_discord_database_sslmode: disable -matrix_mautrix_discord_database_connection_string: 'postgresql://{{ matrix_mautrix_discord_database_username }}:{{ matrix_mautrix_discord_database_password }}@{{ matrix_mautrix_discord_database_hostname }}:{{ matrix_mautrix_discord_database_port }}/{{ matrix_mautrix_discord_database_name }}?sslmode=disable' +matrix_mautrix_discord_database_connection_string: 'postgresql://{{ matrix_mautrix_discord_database_username }}:{{ matrix_mautrix_discord_database_password }}@{{ matrix_mautrix_discord_database_hostname }}:{{ matrix_mautrix_discord_database_port }}/{{ matrix_mautrix_discord_database_name }}?sslmode={{ matrix_mautrix_discord_database_sslmode }}' matrix_mautrix_discord_appservice_database_type: "{{ {
diff --git a/roles/custom/matrix-bridge-mautrix-facebook/defaults/main.yml b/roles/custom/matrix-bridge-mautrix-facebook/defaults/main.yml
index dcd9fdfa..9d9439b3 100644
--- a/roles/custom/matrix-bridge-mautrix-facebook/defaults/main.yml
+++ b/roles/custom/matrix-bridge-mautrix-facebook/defaults/main.yml
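Review bot: The permission map in the `@@ -27,7 +29,7 @@` hunk now carries `'*': 'relay'`, a wildcard entry that presumably matches any user on any homeserver, and the hunk gives no comment on why the default was widened; the facebook defaults (`@@ -58,7 +59,7 @@`) and the new mautrix-gmessages defaults make the same change. Nothing in this hunk ties the entry to a relay toggle, so its effect depends on the `bridge.relay.enabled` value in the rendered discord config, which this commit does not touch for discord. I would add `# '*': 'relay' grants the lowest level to every user, federated ones included; it only matters once relay mode is enabled. Narrow this map if that is not wanted.` above `matrix_mautrix_discord_bridge_permissions`, and call the changed default out in CHANGELOG.md if that is not already done.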
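Review bot: `matrix_mautrix_discord_database_sslmode: disable` in the `@@ -70,8 +72,9 @@` hunk is introduced without saying which values are accepted or when an operator should change it, and the default keeps TLS off for the Postgres connection; the new mautrix-gmessages defaults introduce the same variable in the same way. I would put `# libpq sslmode for the Postgres connection (disable, require, verify-ca, verify-full); use require or stronger whenever matrix_mautrix_discord_database_hostname is not a local container` above it. The rewritten connection string also still interpolates the password raw into a URI, so a password containing `@`, `/`, `?`, `#` or `%` changes how the URL is parsed; `{{ matrix_mautrix_discord_database_password | urlencode }}` would make that robust.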
@@ -7,7 +7,8 @@ matrix_mautrix_facebook_enabled: true matrix_mautrix_facebook_container_image_self_build: false matrix_mautrix_facebook_container_image_self_build_repo: "https://mau.dev/mautrix/facebook.git" -matrix_mautrix_facebook_version: v0.5.0 +# renovate: datasource=docker depName=dock.mau.dev/mautrix/facebook +matrix_mautrix_facebook_version: v0.5.1 matrix_mautrix_facebook_docker_image: "{{ matrix_mautrix_facebook_docker_image_name_prefix }}mautrix/facebook:{{ matrix_mautrix_facebook_version }}" matrix_mautrix_facebook_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_facebook_container_image_self_build else 'dock.mau.dev/' }}" matrix_mautrix_facebook_docker_image_force_pull: "{{ matrix_mautrix_facebook_docker_image.endswith(':latest') }}"
@@ -58,7 +59,7 @@ matrix_mautrix_facebook_metrics_proxying_enabled: false matrix_mautrix_facebook_bridge_permissions: | {{ - {matrix_mautrix_facebook_homeserver_domain: 'user'} + {'*': 'relay', matrix_mautrix_facebook_homeserver_domain: 'user'} | combine({matrix_admin: 'admin'} if matrix_admin else {}) }}
@@ -103,6 +104,9 @@ matrix_mautrix_facebook_login_shared_secret: '' matrix_mautrix_facebook_bridge_login_shared_secret_map: "{{ {matrix_mautrix_facebook_homeserver_domain: matrix_mautrix_facebook_login_shared_secret} if matrix_mautrix_facebook_login_shared_secret else {} }}" +# Enable bridge relay bot functionality +matrix_mautrix_facebook_relay_enabled: "{{ matrix_bridges_relay_enabled }}" + matrix_mautrix_facebook_appservice_bot_username: facebookbot matrix_mautrix_facebook_bridge_presence: true
diff --git a/roles/custom/matrix-bridge-mautrix-facebook/templates/config.yaml.j2 b/roles/custom/matrix-bridge-mautrix-facebook/templates/config.yaml.j2
index 636b442b..7ec9342a 100644
--- a/roles/custom/matrix-bridge-mautrix-facebook/templates/config.yaml.j2
+++ b/roles/custom/matrix-bridge-mautrix-facebook/templates/config.yaml.j2
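Review bot: `matrix_mautrix_facebook_relay_enabled` in the `@@ -103,6 +104,9 @@` hunk is defaulted from `matrix_bridges_relay_enabled`, which does not appear anywhere in the visible defaults of this role, so using the role outside the playbook fails at template time on an undefined variable; the encryption defaults of the sibling roles follow the same pattern, so this is probably intentional, but the one-line comment does not say so. I would extend it to `# Enable bridge relay bot functionality. Defaults to the playbook-wide matrix_bridges_relay_enabled; define that variable (or override this one) when using the role standalone.`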
@@ -206,7 +206,7 @@ bridge: relay: # Whether relay mode should be allowed. If allowed, `!fb set-relay` can be used to turn any # authenticated user into a relaybot for that chat. - enabled: false + enabled: {{ matrix_mautrix_facebook_relay_enabled }} # The formats to use when sending messages to Messenger via a relay user. # # Available variables:
diff --git a/roles/custom/matrix-bridge-mautrix-gmessages/defaults/main.yml b/roles/custom/matrix-bridge-mautrix-gmessages/defaults/main.yml
new file mode 100644
index 00000000..9bf55e17
--- /dev/null
+++ b/roles/custom/matrix-bridge-mautrix-gmessages/defaults/main.yml
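Review bot: `enabled: {{ matrix_mautrix_facebook_relay_enabled }}` renders the value unquoted, so a boolean comes out as `True`/`False` and an empty or string-typed override becomes whatever the YAML loader makes of it (an empty value parses as null). The gmessages template added in this commit passes its templated scalars through `to_json`; `enabled: {{ matrix_mautrix_facebook_relay_enabled | to_json }}` would guarantee a proper YAML boolean here as well. The enclosing `bridge.relay` section continues outside the hunk.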
@@ -0,0 +1,154 @@ +--- +# mautrix-gmessages is a Matrix <-> gmessages bridge +# Project source code URL: https://github.com/mautrix/gmessages + +matrix_mautrix_gmessages_enabled: true + +matrix_mautrix_gmessages_container_image_self_build: false +matrix_mautrix_gmessages_container_image_self_build_repo: "https://github.com/mautrix/gmessages.git" +matrix_mautrix_gmessages_container_image_self_build_branch: "{{ 'main' if matrix_mautrix_gmessages_version == 'latest' else matrix_mautrix_gmessages_version }}" + +# renovate: datasource=docker depName=dock.mau.dev/mautrix/gmessages +matrix_mautrix_gmessages_version: v0.2.2 + +# See: https://mau.dev/mautrix/gmessages/container_registry +matrix_mautrix_gmessages_docker_image: "{{ matrix_mautrix_gmessages_docker_image_name_prefix }}mautrix/gmessages:{{ matrix_mautrix_gmessages_version }}" +matrix_mautrix_gmessages_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_gmessages_container_image_self_build else 'dock.mau.dev/' }}" +matrix_mautrix_gmessages_docker_image_force_pull: "{{ matrix_mautrix_gmessages_docker_image.endswith(':latest') }}" + +matrix_mautrix_gmessages_base_path: "{{ matrix_base_data_path }}/mautrix-gmessages" +matrix_mautrix_gmessages_config_path: "{{ matrix_mautrix_gmessages_base_path }}/config" +matrix_mautrix_gmessages_data_path: "{{ matrix_mautrix_gmessages_base_path }}/data" +matrix_mautrix_gmessages_docker_src_files_path: "{{ matrix_mautrix_gmessages_base_path }}/docker-src" + +matrix_mautrix_gmessages_homeserver_address: "{{ matrix_homeserver_container_url }}" +matrix_mautrix_gmessages_homeserver_domain: "{{ matrix_domain }}" +matrix_mautrix_gmessages_appservice_address: "http://matrix-mautrix-gmessages:8080" + +matrix_mautrix_gmessages_command_prefix: "!gm" + +# A list of extra arguments to pass to the container +matrix_mautrix_gmessages_container_extra_arguments: [] + +# List of systemd services that matrix-mautrix-gmessages.service depends on. 
+matrix_mautrix_gmessages_systemd_required_services_list: ['docker.service'] + +# List of systemd services that matrix-mautrix-gmessages.service wants +matrix_mautrix_gmessages_systemd_wanted_services_list: [] + +matrix_mautrix_gmessages_appservice_token: '' +matrix_mautrix_gmessages_homeserver_token: '' + +matrix_mautrix_gmessages_appservice_bot_username: gmessagesbot + +# Minimum severity of journal log messages. +# Options: debug, info, warn, error, fatal +matrix_mautrix_gmessages_logging_level: 'warn' + +# Whether or not created rooms should have federation enabled. +# If false, created portal rooms will never be federated. +matrix_mautrix_gmessages_federate_rooms: true + +# Whether or not metrics endpoint should be enabled. +# Enabling them is usually enough for a local (in-container) Prometheus to consume them. +# If metrics need to be consumed by another (external) Prometheus server, consider exposing them via `matrix_mautrix_gmessages_metrics_proxying_enabled`. +matrix_mautrix_gmessages_metrics_enabled: false + +# Controls whether metrics should be proxied (exposed) on `matrix.DOMAIN/metrics/mautrix-gmessages`. +# This will only work take effect if `matrix_nginx_proxy_proxy_matrix_metrics_enabled: true`. +# See the `matrix-nginx-proxy` role for details about enabling `matrix_nginx_proxy_proxy_matrix_metrics_enabled`. +matrix_mautrix_gmessages_metrics_proxying_enabled: false + +# Database-related configuration fields. +# +# To use SQLite, stick to these defaults. 
+# +# To use Postgres: +# - change the engine (`matrix_mautrix_gmessages_database_engine: 'postgres'`) +# - adjust your database credentials via the `matrix_mautrix_gmessages_database_*` variables +matrix_mautrix_gmessages_database_engine: 'sqlite' + +matrix_mautrix_gmessages_sqlite_database_path_local: "{{ matrix_mautrix_gmessages_data_path }}/mautrix-gmessages.db" +matrix_mautrix_gmessages_sqlite_database_path_in_container: "/data/mautrix-gmessages.db" + +matrix_mautrix_gmessages_database_username: 'matrix_mautrix_gmessages' +matrix_mautrix_gmessages_database_password: 'some-password' +matrix_mautrix_gmessages_database_hostname: '' +matrix_mautrix_gmessages_database_port: 5432 +matrix_mautrix_gmessages_database_name: 'matrix_mautrix_gmessages' +matrix_mautrix_gmessages_database_sslmode: disable + +matrix_mautrix_gmessages_database_connection_string: 'postgresql://{{ matrix_mautrix_gmessages_database_username }}:{{ matrix_mautrix_gmessages_database_password }}@{{ matrix_mautrix_gmessages_database_hostname }}:{{ matrix_mautrix_gmessages_database_port }}/{{ matrix_mautrix_gmessages_database_name }}?sslmode={{ matrix_mautrix_gmessages_database_sslmode }}' + +matrix_mautrix_gmessages_appservice_database_type: "{{ + { + 'sqlite': 'sqlite3', + 'postgres':'postgres', + }[matrix_mautrix_gmessages_database_engine] +}}" + +matrix_mautrix_gmessages_appservice_database_uri: "{{ + { + 'sqlite': matrix_mautrix_gmessages_sqlite_database_path_in_container, + 'postgres': matrix_mautrix_gmessages_database_connection_string, + }[matrix_mautrix_gmessages_database_engine] +}}" + +# Can be set to enable automatic double-puppeting via Shared Secret Auth (https://github.com/devture/matrix-synapse-shared-secret-auth). 
+matrix_mautrix_gmessages_login_shared_secret: '' +matrix_mautrix_gmessages_bridge_login_shared_secret_map: + "{{ {matrix_mautrix_gmessages_homeserver_domain: matrix_mautrix_gmessages_login_shared_secret} if matrix_mautrix_gmessages_login_shared_secret else {} }}" + +# Enable End-to-bridge encryption +matrix_mautrix_gmessages_bridge_encryption_allow: "{{ matrix_bridges_encryption_enabled }}" +matrix_mautrix_gmessages_bridge_encryption_default: "{{ matrix_mautrix_gmessages_bridge_encryption_allow }}" +matrix_mautrix_gmessages_bridge_encryption_key_sharing_allow: "{{ matrix_mautrix_gmessages_bridge_encryption_allow }}" + +matrix_mautrix_gmessages_bridge_personal_filtering_spaces: true +matrix_mautrix_gmessages_bridge_mute_bridging: true + +matrix_mautrix_gmessages_bridge_permissions: | + {{ + {'*': 'relay', matrix_mautrix_gmessages_homeserver_domain: 'user'} + | combine({matrix_admin: 'admin'} if matrix_admin else {}) + }} + +# Default mautrix-gmessages configuration template which covers the generic use case. +# You can customize it by controlling the various variables inside it. +# +# For a more advanced customization, you can extend the default (see `matrix_mautrix_gmessages_configuration_extension_yaml`) +# or completely replace this variable with your own template. +matrix_mautrix_gmessages_configuration_yaml: "{{ lookup('template', 'templates/config.yaml.j2') }}" + +matrix_mautrix_gmessages_configuration_extension_yaml: | + # Your custom YAML configuration goes here. + # This configuration extends the default starting configuration (`matrix_mautrix_gmessages_configuration_yaml`). + # + # You can override individual variables from the default configuration, or introduce new ones. + # + # If you need something more special, you can take full control by + # completely redefining `matrix_mautrix_gmessages_configuration_yaml`. 
+ +matrix_mautrix_gmessages_configuration_extension: "{{ matrix_mautrix_gmessages_configuration_extension_yaml | from_yaml if matrix_mautrix_gmessages_configuration_extension_yaml | from_yaml is mapping else {} }}" + +# Holds the final configuration (a combination of the default and its extension). +# You most likely don't need to touch this variable. Instead, see `matrix_mautrix_gmessages_configuration_yaml`. +matrix_mautrix_gmessages_configuration: "{{ matrix_mautrix_gmessages_configuration_yaml | from_yaml | combine(matrix_mautrix_gmessages_configuration_extension, recursive=True) }}" + +matrix_mautrix_gmessages_registration_yaml: | + id: gmessages + url: {{ matrix_mautrix_gmessages_appservice_address }} + as_token: "{{ matrix_mautrix_gmessages_appservice_token }}" + hs_token: "{{ matrix_mautrix_gmessages_homeserver_token }}" + # See https://github.com/mautrix/signal/issues/43 + sender_localpart: _bot_{{ matrix_mautrix_gmessages_appservice_bot_username }} + rate_limited: false + namespaces: + users: + - regex: '^@gmessages_.+:{{ matrix_mautrix_gmessages_homeserver_domain | regex_escape }}$' + exclusive: true + - exclusive: true + regex: '^@{{ matrix_mautrix_gmessages_appservice_bot_username | regex_escape }}:{{ matrix_mautrix_gmessages_homeserver_domain | regex_escape }}$' + de.sorunome.msc2409.push_ephemeral: true + +matrix_mautrix_gmessages_registration: "{{ matrix_mautrix_gmessages_registration_yaml | from_yaml }}"
diff --git a/roles/custom/matrix-bridge-mautrix-gmessages/tasks/inject_into_nginx_proxy.yml b/roles/custom/matrix-bridge-mautrix-gmessages/tasks/inject_into_nginx_proxy.yml
new file mode 100644
index 00000000..c5cb1ba8
--- /dev/null
+++ b/roles/custom/matrix-bridge-mautrix-gmessages/tasks/inject_into_nginx_proxy.yml
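Review bot: Two wording/style issues in the new defaults file: the metrics comment reads `This will only work take effect if` (carried over from the sibling roles) and should be `This will only take effect if`, and the Jinja dict in `matrix_mautrix_gmessages_appservice_database_type` has `'postgres':'postgres',` with no space after the colon while the `'sqlite'` entry above it and the `_appservice_database_uri` dict both have one. Neither changes behaviour, but a new file is the cheapest place to get them right.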
@@ -0,0 +1,35 @@ +--- + +- name: Fail if matrix-nginx-proxy role already executed + ansible.builtin.fail: + msg: >- + Trying to append mautrix-gmessages-metrics's reverse-proxying configuration to matrix-nginx-proxy, + but it's pointless since the matrix-nginx-proxy role had already executed. + To fix this, please change the order of roles in your playbook, + so that the matrix-nginx-proxy role would run after the matrix-bridge-mautrix-gmessages role. + when: matrix_nginx_proxy_role_executed | default(False) | bool + +- when: matrix_mautrix_gmessages_metrics_proxying_enabled | bool + block: + - name: Generate mautrix-gmessages metrics proxying configuration for matrix-nginx-proxy (matrix.DOMAIN/metrics/mautrix-gmessages) + ansible.builtin.set_fact: + matrix_mautrix_gmessages_nginx_metrics_configuration_block: | + location /metrics/mautrix-gmessages { + {% if matrix_nginx_proxy_enabled | default(False) %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver 127.0.0.11 valid=5s; + set $backend "matrix-mautrix-gmessages:8001"; + proxy_pass http://$backend/metrics; + {% else %} + return 404 "matrix-nginx-proxy is disabled and no host port was bound to the container, so metrics are unavailable"; + {% endif %} + } + + - name: Register mautrix-gmessages metrics proxying configuration with matrix-nginx-proxy (matrix.DOMAIN/metrics/mautrix-gmessages) + ansible.builtin.set_fact: + matrix_nginx_proxy_proxy_matrix_metrics_additional_system_location_configuration_blocks: | + {{ + matrix_nginx_proxy_proxy_matrix_metrics_additional_system_location_configuration_blocks | default([]) + + + [matrix_mautrix_gmessages_nginx_metrics_configuration_block] + }}
diff --git a/roles/custom/matrix-bridge-mautrix-gmessages/tasks/main.yml b/roles/custom/matrix-bridge-mautrix-gmessages/tasks/main.yml
new file mode 100644
index 00000000..45da31da
--- /dev/null
+++ b/roles/custom/matrix-bridge-mautrix-gmessages/tasks/main.yml
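Review bot: `set $backend "matrix-mautrix-gmessages:8001";` hard-codes the metrics port with nothing in this file saying what it must agree with; presumably it has to match the metrics listen address rendered by `templates/config.yaml.j2`, which is not visible in this hunk, and a future change to one side will silently break the other. I would add `{# Must match the metrics listen port rendered in config.yaml.j2 #}` above the `set $backend` line, or derive both from a single variable. Whether the resulting `/metrics/mautrix-gmessages` location is shielded from anonymous access depends on how the matrix-nginx-proxy role treats `matrix_nginx_proxy_proxy_matrix_metrics_enabled`, which this role cannot see, so the comment on `matrix_mautrix_gmessages_metrics_proxying_enabled` in the defaults should point operators at that role's access controls.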
@@ -0,0 +1,29 @@ +--- + +- tags: + - setup-all + - setup-nginx-proxy + - install-all + - install-nginx-proxy + block: + - when: matrix_mautrix_gmessages_enabled | bool and matrix_mautrix_gmessages_metrics_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" + +- tags: + - setup-all + - setup-mautrix-gmessages + - install-all + - install-mautrix-gmessages + block: + - when: matrix_mautrix_gmessages_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" + + - when: matrix_mautrix_gmessages_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" + +- tags: + - setup-all + - setup-mautrix-gmessages + block: + - when: not matrix_mautrix_gmessages_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml"
diff --git a/roles/custom/matrix-bridge-mautrix-gmessages/tasks/setup_install.yml b/roles/custom/matrix-bridge-mautrix-gmessages/tasks/setup_install.yml
new file mode 100644
index 00000000..73038c4c
--- /dev/null
+++ b/roles/custom/matrix-bridge-mautrix-gmessages/tasks/setup_install.yml
@@ -0,0 +1,140 @@ +--- + +- ansible.builtin.set_fact: + matrix_mautrix_gmessages_requires_restart: false + +- when: "matrix_mautrix_gmessages_database_engine == 'postgres'" + block: + - name: Check if an SQLite database already exists + ansible.builtin.stat: + path: "{{ matrix_mautrix_gmessages_sqlite_database_path_local }}" + register: matrix_mautrix_gmessages_sqlite_database_path_local_stat_result + + - when: "matrix_mautrix_gmessages_sqlite_database_path_local_stat_result.stat.exists | bool" + block: + - ansible.builtin.include_role: + name: galaxy/com.devture.ansible.role.postgres + tasks_from: migrate_db_to_postgres + vars: + devture_postgres_db_migration_request: + src: "{{ matrix_mautrix_gmessages_sqlite_database_path_local }}" + dst: "{{ matrix_mautrix_gmessages_database_connection_string }}" + caller: "{{ role_path | basename }}" + engine_variable_name: 'matrix_mautrix_gmessages_database_engine' + engine_old: 'sqlite' + systemd_services_to_stop: ['matrix-mautrix-gmessages.service'] + pgloader_options: ['--with "quote identifiers"'] + + - ansible.builtin.set_fact: + matrix_mautrix_gmessages_requires_restart: true + +- name: Ensure Mautrix gmessages paths exists + ansible.builtin.file: + path: "{{ item.path }}" + state: directory + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: + - {path: "{{ matrix_mautrix_gmessages_base_path }}", when: true} + - {path: "{{ matrix_mautrix_gmessages_config_path }}", when: true} + - {path: "{{ matrix_mautrix_gmessages_data_path }}", when: true} + - {path: "{{ matrix_mautrix_gmessages_docker_src_files_path }}", when: "{{ matrix_mautrix_gmessages_container_image_self_build }}"} + when: item.when | bool + +- name: Ensure Mautrix gmessages image is pulled + community.docker.docker_image: + name: "{{ matrix_mautrix_gmessages_docker_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ 
matrix_mautrix_gmessages_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mautrix_gmessages_docker_image_force_pull }}" + when: not matrix_mautrix_gmessages_container_image_self_build + register: result + retries: "{{ devture_playbook_help_container_retries_count }}" + delay: "{{ devture_playbook_help_container_retries_delay }}" + until: result is not failed + +- name: Ensure Mautrix gmessages repository is present on self-build + ansible.builtin.git: + repo: "{{ matrix_mautrix_gmessages_container_image_self_build_repo }}" + dest: "{{ matrix_mautrix_gmessages_docker_src_files_path }}" + version: "{{ matrix_mautrix_gmessages_container_image_self_build_branch }}" + force: "yes" + become: true + become_user: "{{ matrix_user_username }}" + register: matrix_mautrix_gmessages_git_pull_results + when: "matrix_mautrix_gmessages_container_image_self_build | bool" + +- name: Ensure Mautrix gmessages Docker image is built + community.docker.docker_image: + name: "{{ matrix_mautrix_gmessages_docker_image }}" + source: build + force_source: "{{ matrix_mautrix_gmessages_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mautrix_gmessages_git_pull_results.changed }}" + build: + dockerfile: Dockerfile + path: "{{ matrix_mautrix_gmessages_docker_src_files_path }}" + pull: true + when: "matrix_mautrix_gmessages_container_image_self_build | bool" + +- name: Check if an old database file exists + ansible.builtin.stat: + path: "{{ matrix_mautrix_gmessages_base_path }}/mautrix-gmessages.db" + register: matrix_mautrix_gmessages_stat_database + +- name: Check if an old matrix state file exists + ansible.builtin.stat: + path: "{{ matrix_mautrix_gmessages_base_path }}/mx-state.json" + register: 
matrix_mautrix_gmessages_stat_mx_state + +- name: (Data relocation) Ensure matrix-mautrix-gmessages.service is stopped + ansible.builtin.service: + name: matrix-mautrix-gmessages + state: stopped + enabled: false + daemon_reload: true + failed_when: false + when: "matrix_mautrix_gmessages_stat_database.stat.exists" + +- name: (Data relocation) Move mautrix-gmessages database file to ./data directory + ansible.builtin.command: + cmd: "mv {{ matrix_mautrix_gmessages_base_path }}/mautrix-gmessages.db {{ matrix_mautrix_gmessages_data_path }}/mautrix-gmessages.db" + creates: "{{ matrix_mautrix_gmessages_data_path }}/mautrix-gmessages.db" + removes: "{{ matrix_mautrix_gmessages_base_path }}/mautrix-gmessages.db" + when: "matrix_mautrix_gmessages_stat_database.stat.exists" + +- name: (Data relocation) Move mautrix-gmessages mx-state file to ./data directory + ansible.builtin.command: + cmd: "mv {{ matrix_mautrix_gmessages_base_path }}/mx-state.json {{ matrix_mautrix_gmessages_data_path }}/mx-state.json" + creates: "{{ matrix_mautrix_gmessages_data_path }}/mx-state.json" + removes: "{{ matrix_mautrix_gmessages_base_path }}/mx-state.json" + when: "matrix_mautrix_gmessages_stat_mx_state.stat.exists" + +- name: Ensure mautrix-gmessages config.yaml installed + ansible.builtin.copy: + content: "{{ matrix_mautrix_gmessages_configuration | to_nice_yaml(indent=2, width=999999) }}" + dest: "{{ matrix_mautrix_gmessages_config_path }}/config.yaml" + mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + +- name: Ensure mautrix-gmessages registration.yaml installed + ansible.builtin.copy: + content: "{{ matrix_mautrix_gmessages_registration | to_nice_yaml(indent=2, width=999999) }}" + dest: "{{ matrix_mautrix_gmessages_config_path }}/registration.yaml" + mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + +- name: Ensure matrix-mautrix-gmessages.service installed + ansible.builtin.template: + src: "{{ role_path 
}}/templates/systemd/matrix-mautrix-gmessages.service.j2" + dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-mautrix-gmessages.service" + mode: 0644 + +- name: Ensure matrix-mautrix-gmessages.service restarted, if necessary + ansible.builtin.service: + name: "matrix-mautrix-gmessages.service" + state: restarted + daemon_reload: true + when: "matrix_mautrix_gmessages_requires_restart | bool"
diff --git a/roles/custom/matrix-bridge-mautrix-gmessages/tasks/setup_uninstall.yml b/roles/custom/matrix-bridge-mautrix-gmessages/tasks/setup_uninstall.yml
new file mode 100644
index 00000000..e324a523
--- /dev/null
+++ b/roles/custom/matrix-bridge-mautrix-gmessages/tasks/setup_uninstall.yml
@@ -0,0 +1,20 @@ +--- + +- name: Check existence of matrix-mautrix-gmessages service + ansible.builtin.stat: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-mautrix-gmessages.service" + register: matrix_mautrix_gmessages_service_stat + +- when: matrix_mautrix_gmessages_service_stat.stat.exists | bool + block: + - name: Ensure matrix-mautrix-gmessages is stopped + ansible.builtin.service: + name: matrix-mautrix-gmessages + state: stopped + enabled: false + daemon_reload: true + + - name: Ensure matrix-mautrix-gmessages.service doesn't exist + ansible.builtin.file: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-mautrix-gmessages.service" + state: absent
diff --git a/roles/custom/matrix-bridge-mautrix-gmessages/tasks/validate_config.yml b/roles/custom/matrix-bridge-mautrix-gmessages/tasks/validate_config.yml
new file mode 100644
index 00000000..acfffa75
--- /dev/null
+++ b/roles/custom/matrix-bridge-mautrix-gmessages/tasks/validate_config.yml
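Review bot: `config.yaml` and `registration.yaml` are installed with `mode: 0644` in the two `ansible.builtin.copy` tasks of setup_install.yml, yet both files carry `as_token` and `hs_token`, and for the Postgres engine the rendered config also embeds the database password inside the connection string; only the `0750` on the parent directories created earlier in the same file keeps other local accounts away from them. `mode: "0640"` on both copy tasks keeps the files readable by the owner and `matrix_user_groupname` alone, which is all the container and the operator need. The systemd unit written in the last template task uses the same `0644`; whether that unit holds anything sensitive is not visible here, so I would leave it unless the template turns out to inline a secret.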
@@ -0,0 +1,20 @@ +--- + +- name: Fail if required mautrix-gmessages settings not defined + ansible.builtin.fail: + msg: >- + You need to define a required configuration setting (`{{ item.name }}`). + when: "item.when | bool and vars[item.name] == ''" + with_items: + - {'name': 'matrix_mautrix_gmessages_appservice_token', when: true} + - {'name': 'matrix_mautrix_gmessages_homeserver_token', when: true} + - {'name': 'matrix_mautrix_gmessages_database_hostname', when: "{{ matrix_mautrix_gmessages_database_engine == 'postgres' }}"} + +- name: (Deprecation) Catch and report renamed settings + ansible.builtin.fail: + msg: >- + Your configuration contains a variable, which now has a different name. + Please change your configuration to rename the variable (`{{ item.old }}` -> `{{ item.new }}`). + when: "item.old in vars" + with_items: + - {'old': 'matrix_mautrix_gmessages_log_level', 'new': 'matrix_mautrix_gmessages_logging_level'}
diff --git a/roles/custom/matrix-bridge-mautrix-gmessages/templates/config.yaml.j2 b/roles/custom/matrix-bridge-mautrix-gmessages/templates/config.yaml.j2
new file mode 100644
index 00000000..6dc136bb
--- /dev/null
+++ b/roles/custom/matrix-bridge-mautrix-gmessages/templates/config.yaml.j2
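Review bot: The Postgres branch of the first task validates only `matrix_mautrix_gmessages_database_hostname`, so a deployment that sets the engine to `postgres` and never overrides `matrix_mautrix_gmessages_database_password` connects with the `'some-password'` placeholder from the defaults file unless the playbook's group vars replace it, which this role cannot check on its own. The existing `vars[item.name] == ''` comparison would not catch the placeholder even if the password were added to the list, so a separate fail task is needed, e.g. `when: matrix_mautrix_gmessages_database_engine == 'postgres' and matrix_mautrix_gmessages_database_password in ['', 'some-password']`. As a style point, the item dicts quote `'name'` but leave `when` bare; pick one form for all keys.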
@@ -0,0 +1,292 @@
+#jinja2: lstrip_blocks: "True"
+# Homeserver details.
+homeserver:
+ # The address that this appservice can use to connect to the homeserver.
+ address: {{ matrix_mautrix_gmessages_homeserver_address }}
+ # The domain of the homeserver (also known as server_name, used for MXIDs, etc).
+ domain: {{ matrix_mautrix_gmessages_homeserver_domain }}
+
+ # What software is the homeserver running?
+ # Standard Matrix homeservers like Synapse, Dendrite and Conduit should just use "standard" here.
+ software: standard
+ # The URL to push real-time bridge status to.
+ # If set, the bridge will make POST requests to this URL whenever a user's google messages connection state changes.
+ # The bridge will use the appservice as_token to authorize requests.
+ status_endpoint: null
+ # Endpoint for reporting per-message status.
+ message_send_checkpoint_endpoint: null
+ # Does the homeserver support https://github.com/matrix-org/matrix-spec-proposals/pull/2246?
+ async_media: false
+
+ # Should the bridge use a websocket for connecting to the homeserver?
+ # The server side is currently not documented anywhere and is only implemented by mautrix-wsproxy,
+ # mautrix-asmux (deprecated), and hungryserv (proprietary).
+ websocket: false
+ # How often should the websocket be pinged? Pinging will be disabled if this is zero.
+ ping_interval_seconds: 0
+
+# Application service host/registration related details.
+# Changing these values requires regeneration of the registration.
+appservice:
+ # The address that the homeserver can use to connect to this appservice.
+ address: {{ matrix_mautrix_gmessages_appservice_address }}
+
+ # The hostname and port where this appservice should listen.
+ hostname: 0.0.0.0
+ port: 8080
+
+ # Database config.
+ database:
+ # The database type. "sqlite3-fk-wal" and "postgres" are supported.
+ type: postgres
+ # The database URI.
+ # SQLite: A raw file path is supported, but `file:?_txlock=immediate` is recommended.
+ # https://github.com/mattn/go-sqlite3#connection-string
+ # Postgres: Connection string. For example, postgres://user:password@host/database?sslmode=disable
+ # To connect via Unix socket, use something like postgres:///dbname?host=/var/run/postgresql
+ uri: {{ matrix_mautrix_gmessages_appservice_database_uri|to_json }}
+ # Maximum number of connections. Mostly relevant for Postgres.
+ max_open_conns: 20
+ max_idle_conns: 2
+ # Maximum connection idle time and lifetime before they're closed. Disabled if null.
+ # Parsed with https://pkg.go.dev/time#ParseDuration
+ max_conn_idle_time: null
+ max_conn_lifetime: null
+
+ # The unique ID of this appservice.
+ id: gmessages
+ # Appservice bot details.
+ bot:
+ # Username of the appservice bot.
+ username: {{ matrix_mautrix_gmessages_appservice_bot_username|to_json }}
+ # Display name and avatar for bot. Set to "remove" to remove display name/avatar, leave empty
+ # to leave display name/avatar as-is.
+ displayname: Google Messages bridge bot
+ avatar: mxc://maunium.net/yGOdcrJcwqARZqdzbfuxfhzb
+
+ # Whether or not to receive ephemeral events via appservice transactions.
+ # Requires MSC2409 support (i.e. Synapse 1.22+).
+ ephemeral_events: true
+
+ # Should incoming events be handled asynchronously?
+ # This may be necessary for large public instances with lots of messages going through.
+ # However, messages will not be guaranteed to be bridged in the same order they were sent in.
+ async_transactions: false
+
+ # Authentication tokens for AS <-> HS communication. Autogenerated; do not modify.
+ as_token: "{{ matrix_mautrix_gmessages_appservice_token }}"
+ hs_token: "{{ matrix_mautrix_gmessages_homeserver_token }}"
+
+# Segment API key to track some events, like provisioning API login and encryption errors.
+segment_key: null
+# Optional user_id to use when sending Segment events. If null, defaults to using mxID.
+segment_user_id: null
+
+# Prometheus config.
+metrics:
+ # Enable prometheus metrics?
+ enabled: {{ matrix_mautrix_gmessages_metrics_enabled | to_json }}
+ # IP and port where the metrics listener should be. The path is always /metrics
+ listen: 127.0.0.1:8001
+
+google_messages:
+ # OS name to tell the phone. This is the name that shows up in the paired devices list.
+ os: mautrix-gmessages
+ # Browser type to tell the phone. This decides which icon is shown.
+ # Valid types: OTHER, CHROME, FIREFOX, SAFARI, OPERA, IE, EDGE
+ browser: OTHER
+
+ # Should the bridge aggressively set itself as the active device if the user opens Google Messages in a browser?
+ # If this is disabled, the user must manually use the `reconnect` command to reactivate the bridge.
+ aggressive_reconnect: false
+
+# Bridge config
+bridge:
+ # Localpart template of MXIDs for SMS users.
+ # {{ '{{.}}' }} is replaced with an identifier of the recipient.
+ username_template: "{{ 'gmessages_{{.}}' }}"
+ # Displayname template for SMS users.
+ # {{ '{{.FullName}}' }} - Full name provided by the phone
+ # {{ '{{.FirstName}}' }} - First name provided by the phone
+ # {{ '{{.PhoneNumber}}' }} - Formatted phone number provided by the phone
+ displayname_template: "{{ '{{or .FullName .PhoneNumber}}' }}"
+ # Should the bridge create a space for each logged-in user and add bridged rooms to it?
+ personal_filtering_spaces: {{ matrix_mautrix_gmessages_bridge_personal_filtering_spaces | to_json }}
+ # Should the bridge send a read receipt from the bridge bot when a message has been sent to the phone?
+ delivery_receipts: false
+ # Whether the bridge should send the message status as a custom com.beeper.message_send_status event.
+ message_status_events: false
+ # Whether the bridge should send error notices via m.notice events when a message fails to bridge.
+ message_error_notices: true
+
+ portal_message_buffer: 128
+
+ # Should the bridge update the m.direct account data event when double puppeting is enabled.
+ # Note that updating the m.direct event is not atomic (except with mautrix-asmux)
+ # and is therefore prone to race conditions.
+ sync_direct_chat_list: false
+ # Number of chats to sync when connecting to Google Messages.
+ initial_chat_sync_count: 25
+ # Backfill settings
+ backfill:
+ # Number of messages to backfill in new chats.
+ initial_limit: 50
+ # Number of messages to backfill on startup if the last message ID in the chat sync doesn't match the last bridged message.
+ missed_limit: 100
+
+ # Servers to always allow double puppeting from
+ double_puppet_server_map:
+ "{{ matrix_mautrix_gmessages_homeserver_domain }}": {{ matrix_mautrix_gmessages_homeserver_address }}
+ # Allow using double puppeting from any server with a valid client .well-known file.
+ double_puppet_allow_discovery: false
+ # Shared secrets for https://github.com/devture/matrix-synapse-shared-secret-auth
+ #
+ # If set, double puppeting will be enabled automatically for local users
+ # instead of users having to find an access token and run `login-matrix`
+ # manually.
+ login_shared_secret_map: {{ matrix_mautrix_gmessages_bridge_login_shared_secret_map|to_json }}
+
+ # Whether to explicitly set the avatar and room name for private chat portal rooms.
+ # If set to `default`, this will be enabled in encrypted rooms and disabled in unencrypted rooms.
+ # If set to `always`, all DM rooms will have explicit names and avatars set.
+ # If set to `never`, DM rooms will never have names and avatars set.
+ private_chat_portal_meta: default
+ # Should Matrix m.notice-type messages be bridged?
+ bridge_notices: true
+ # Set this to true to tell the bridge to re-send m.bridge events to all rooms on the next run.
+ # This field will automatically be changed back to false after it, except if the config file is not writable.
+ resend_bridge_info: false
+ # When using double puppeting, should muted chats be muted in Matrix?
+ mute_bridging: {{ matrix_mautrix_gmessages_bridge_mute_bridging | to_json }}
+ # When using double puppeting, should archived chats be moved to a specific tag in Matrix?
+ # This can be set to a tag (e.g. m.lowpriority), or null to disable.
+ archive_tag: null
+ # Same as above, but for pinned chats. The favorite tag is called m.favourite
+ pinned_tag: null
+ # Should mute status and tags only be bridged when the portal room is created?
+ tag_only_on_create: true
+ # Whether or not created rooms should have federation enabled.
+ # If false, created portal rooms will never be federated.
+ federate_rooms: {{ matrix_mautrix_gmessages_federate_rooms|to_json }}
+ # Should the bridge never send alerts to the bridge management room?
+ # These are mostly things like the user being logged out.
+ disable_bridge_alerts: false
+ # Send captions in the same message as images. This will send data compatible with both MSC2530 and MSC3552.
+ # This is currently not supported in most clients.
+ caption_in_message: false
+
+ # The prefix for commands. Only required in non-management rooms.
+ command_prefix: "!gm"
+
+ # Messages sent upon joining a management room.
+ # Markdown is supported. The defaults are listed below.
+ management_room_text:
+ # Sent when joining a room.
+ welcome: "Hello, I'm a Google Messages bridge bot."
+ # Sent when joining a management room and the user is already logged in.
+ welcome_connected: "Use `help` for help."
+ # Sent when joining a management room and the user is not logged in.
+ welcome_unconnected: "Use `help` for help or `login` to log in."
+ # Optional extra text sent when joining a management room.
+ additional_help: ""
+
+ # End-to-bridge encryption support options.
+ #
+ # See https://docs.mau.fi/bridges/general/end-to-bridge-encryption.html for more info.
+ encryption:
+ # Allow encryption, work in group chat rooms with e2ee enabled
+ allow: {{ matrix_mautrix_gmessages_bridge_encryption_allow|to_json }}
+ # Default to encryption, force-enable encryption in all portals the bridge creates
+ # This will cause the bridge bot to be in private chats for the encryption to work properly.
+ default: {{ matrix_mautrix_gmessages_bridge_encryption_default|to_json }}
+ # Whether to use MSC2409/MSC3202 instead of /sync long polling for receiving encryption-related data.
+ appservice: false
+ # Require encryption, drop any unencrypted messages.
+ require: false
+ # Enable key sharing? If enabled, key requests for rooms where users are in will be fulfilled.
+ # You must use a client that supports requesting keys from other users to use this feature.
+ allow_key_sharing: {{ matrix_mautrix_gmessages_bridge_encryption_key_sharing_allow|to_json }}
+ # Options for deleting megolm sessions from the bridge.
+ delete_keys:
+ # Beeper-specific: delete outbound sessions when hungryserv confirms
+ # that the user has uploaded the key to key backup.
+ delete_outbound_on_ack: false
+ # Don't store outbound sessions in the inbound table.
+ dont_store_outbound: false
+ # Ratchet megolm sessions forward after decrypting messages.
+ ratchet_on_decrypt: false
+ # Delete fully used keys (index >= max_messages) after decrypting messages.
+ delete_fully_used_on_decrypt: false
+ # Delete previous megolm sessions from same device when receiving a new one.
+ delete_prev_on_new_session: false
+ # Delete megolm sessions received from a device when the device is deleted.
+ delete_on_device_delete: false
+ # Periodically delete megolm sessions when 2x max_age has passed since receiving the session.
+ periodically_delete_expired: false
+ # Delete inbound megolm sessions that don't have the received_at field used for
+ # automatic ratcheting and expired session deletion. This is meant as a migration
+ # to delete old keys prior to the bridge update.
+ delete_outdated_inbound: false
+ # What level of device verification should be required from users?
+ #
+ # Valid levels:
+ # unverified - Send keys to all device in the room.
+ # cross-signed-untrusted - Require valid cross-signing, but trust all cross-signing keys.
+ # cross-signed-tofu - Require valid cross-signing, trust cross-signing keys on first use (and reject changes).
+ # cross-signed-verified - Require valid cross-signing, plus a valid user signature from the bridge bot.
+ # Note that creating user signatures from the bridge bot is not currently possible.
+ # verified - Require manual per-device verification
+ # (currently only possible by modifying the `trust` column in the `crypto_device` database table).
+ verification_levels:
+ # Minimum level for which the bridge should send keys to when bridging messages from SMS to Matrix.
+ receive: unverified
+ # Minimum level that the bridge should accept for incoming Matrix messages.
+ send: unverified
+ # Minimum level that the bridge should require for accepting key requests.
+ share: cross-signed-tofu
+ # Options for Megolm room key rotation. These options allow you to
+ # configure the m.room.encryption event content. See:
+ # https://spec.matrix.org/v1.3/client-server-api/#mroomencryption for
+ # more information about that event.
+ rotation:
+ # Enable custom Megolm room key rotation settings. Note that these
+ # settings will only apply to rooms created after this option is
+ # set.
+ enable_custom: false
+ # The maximum number of milliseconds a session should be used
+ # before changing it. The Matrix spec recommends 604800000 (a week)
+ # as the default.
+ milliseconds: 604800000
+ # The maximum number of messages that should be sent with a given a
+ # session before changing it. The Matrix spec recommends 100 as the
+ # default.
+ messages: 100
+
+ # Disable rotating keys when a user's devices change?
+ # You should not enable this option unless you understand all the implications.
+ disable_device_change_key_rotation: false
+
+ # Settings for provisioning API
+ provisioning:
+ # Prefix for the provisioning API paths.
+ prefix: /_matrix/provision
+ # Shared secret for authentication. If set to "generate", a random secret will be generated,
+ # or if set to "disable", the provisioning API will be disabled.
+ shared_secret: generate
+
+ # Permissions for using the bridge.
+ # Permitted values:
+ # user - Access to use the bridge to link their own Google Messages on android.
+ # admin - User level and some additional administration tools
+ # Permitted keys:
+ # * - All Matrix users
+ # domain - All users on that homeserver
+ # mxid - Specific user
+ permissions: {{ matrix_mautrix_gmessages_bridge_permissions|to_json }}
+
+# Logging config. See https://github.com/tulir/zeroconfig for details.
+logging:
+ min_level: {{ matrix_mautrix_gmessages_logging_level }}
+ writers:
+ - type: stdout
+ format: pretty-colored
diff --git a/roles/custom/matrix-bridge-mautrix-gmessages/templates/systemd/matrix-mautrix-gmessages.service.j2 b/roles/custom/matrix-bridge-mautrix-gmessages/templates/systemd/matrix-mautrix-gmessages.service.j2
new file mode 100644
index 00000000..fb34e95b
--- /dev/null
+++ b/roles/custom/matrix-bridge-mautrix-gmessages/templates/systemd/matrix-mautrix-gmessages.service.j2
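Review bot: `homeserver.address`, `homeserver.domain`, the value in `double_puppet_server_map` and `logging.min_level` are interpolated as bare scalars, while every other templated value in this file is passed through `|to_json`; a value containing `: `, ` #` or a leading YAML indicator would render an invalid or mis-typed config, and the inconsistency makes the template harder to audit. Use `address: {{ matrix_mautrix_gmessages_homeserver_address | to_json }}` and the same filter for `domain`, the server-map value and `min_level`. The rendered file also carries `as_token`, `hs_token`, a database URI that may include credentials, and `login_shared_secret_map`, so the task that writes it (outside this hunk) should use a more restrictive mode than the `0644` applied to the unit file earlier in this diff.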
@@ -0,0 +1,43 @@
+#jinja2: lstrip_blocks: "True"
+[Unit]
+Description=Matrix Mautrix gmessages bridge
+{% for service in matrix_mautrix_gmessages_systemd_required_services_list %}
+Requires={{ service }}
+After={{ service }}
+{% endfor %}
+{% for service in matrix_mautrix_gmessages_systemd_wanted_services_list %}
+Wants={{ service }}
+{% endfor %}
+DefaultDependencies=no
+
+[Service]
+Type=simple
+Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}"
+ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-mautrix-gmessages 2>/dev/null || true'
+ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-mautrix-gmessages 2>/dev/null || true'
+
+# Intentional delay, so that the homeserver (we likely depend on) can manage to start.
+ExecStartPre={{ matrix_host_command_sleep }} 5
+
+ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name matrix-mautrix-gmessages \
+ --log-driver=none \
+ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
+ --cap-drop=ALL \
+ --network={{ matrix_docker_network }} \
+ -v {{ matrix_mautrix_gmessages_config_path }}:/config:z \
+ -v {{ matrix_mautrix_gmessages_data_path }}:/data:z \
+ --workdir=/data \
+ {% for arg in matrix_mautrix_gmessages_container_extra_arguments %}
+ {{ arg }} \
+ {% endfor %}
+ {{ matrix_mautrix_gmessages_docker_image }} \
+ /usr/bin/mautrix-gmessages -c /config/config.yaml -r /config/registration.yaml
+
+ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-mautrix-gmessages 2>/dev/null || true'
+ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-mautrix-gmessages 2>/dev/null || true'
+Restart=always
+RestartSec=30
+SyslogIdentifier=matrix-mautrix-gmessages
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/custom/matrix-bridge-mautrix-googlechat/defaults/main.yml b/roles/custom/matrix-bridge-mautrix-googlechat/defaults/main.yml
index de012304..1dc78778 100644
--- a/roles/custom/matrix-bridge-mautrix-googlechat/defaults/main.yml
+++ b/roles/custom/matrix-bridge-mautrix-googlechat/defaults/main.yml
@@ -8,7 +8,8 @@ matrix_mautrix_googlechat_container_image_self_build: false
 matrix_mautrix_googlechat_container_image_self_build_repo: "https://github.com/mautrix/googlechat.git"
 matrix_mautrix_googlechat_container_image_self_build_repo_version: "{{ 'master' if matrix_mautrix_googlechat_version == 'latest' else matrix_mautrix_googlechat_version }}"
-matrix_mautrix_googlechat_version: v0.5.0
+# renovate: datasource=docker depName=dock.mau.dev/mautrix/googlechat
+matrix_mautrix_googlechat_version: v0.5.1
 # See: https://mau.dev/mautrix/googlechat/container_registry
 matrix_mautrix_googlechat_docker_image: "{{ matrix_mautrix_googlechat_docker_image_name_prefix }}mautrix/googlechat:{{ matrix_mautrix_googlechat_version }}"
 matrix_mautrix_googlechat_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_googlechat_container_image_self_build else 'dock.mau.dev/' }}"
diff --git a/roles/custom/matrix-bridge-mautrix-hangouts/defaults/main.yml b/roles/custom/matrix-bridge-mautrix-hangouts/defaults/main.yml
index 65b4a6ff..dfc6187a 100644
--- a/roles/custom/matrix-bridge-mautrix-hangouts/defaults/main.yml
+++ b/roles/custom/matrix-bridge-mautrix-hangouts/defaults/main.yml
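Review bot: The `docker run` line drops all capabilities and runs as `matrix_user_uid`, but sets neither `--read-only` nor `--security-opt no-new-privileges`, and mounts `/config` read-write even though the bridge is only handed `-c /config/config.yaml -r /config/registration.yaml` from it and keeps its working state under `/data`. If the bridge tolerates a read-only config directory (the `resend_bridge_info` comment in config.yaml.j2 earlier in this diff implies it handles a non-writable config), `-v {{ matrix_mautrix_gmessages_config_path }}:/config:ro,z \` limits what a compromised bridge process can alter. Whether sibling roles in this repository already apply those flags is not visible here, so follow the repository convention if one exists.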
@@ -8,6 +8,7 @@ matrix_mautrix_hangouts_container_image_self_build: false
 matrix_mautrix_hangouts_container_image_self_build_repo: "https://github.com/mautrix/hangouts.git"
 matrix_mautrix_hangouts_container_image_self_build_repo_version: "{{ 'master' if matrix_mautrix_hangouts_version == 'latest' else matrix_mautrix_googlechat_version }}"
+# renovate: datasource=docker depName=dock.mau.dev/mautrix/hangouts
 matrix_mautrix_hangouts_version: latest
 # See: https://mau.dev/mautrix/hangouts/container_registry
 matrix_mautrix_hangouts_docker_image: "{{ matrix_mautrix_hangouts_docker_image_name_prefix }}mautrix/hangouts:{{ matrix_mautrix_hangouts_version }}"
diff --git a/roles/custom/matrix-bridge-mautrix-instagram/defaults/main.yml b/roles/custom/matrix-bridge-mautrix-instagram/defaults/main.yml
index 2288fb77..36d7a702 100644
--- a/roles/custom/matrix-bridge-mautrix-instagram/defaults/main.yml
+++ b/roles/custom/matrix-bridge-mautrix-instagram/defaults/main.yml
@@ -8,7 +8,8 @@ matrix_mautrix_instagram_container_image_self_build: false
 matrix_mautrix_instagram_container_image_self_build_repo: "https://github.com/mautrix/instagram.git"
 matrix_mautrix_instagram_container_image_self_build_repo_version: "{{ 'master' if matrix_mautrix_instagram_version == 'latest' else matrix_mautrix_instagram_version }}"
-matrix_mautrix_instagram_version: v0.3.0
+# renovate: datasource=docker depName=dock.mau.dev/mautrix/instagram
+matrix_mautrix_instagram_version: v0.3.1
 # See: https://mau.dev/tulir/mautrix-instagram/container_registry
 matrix_mautrix_instagram_docker_image: "{{ matrix_mautrix_instagram_docker_image_name_prefix }}mautrix/instagram:{{ matrix_mautrix_instagram_version }}"
 matrix_mautrix_instagram_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_instagram_container_image_self_build else 'dock.mau.dev/' }}"
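Review bot: `matrix_mautrix_hangouts_container_image_self_build_repo_version`, the context line directly above the added renovate marker, falls back to `matrix_mautrix_googlechat_version` instead of `matrix_mautrix_hangouts_version`, so a self-build checks out the googlechat role's version; this looks like a copy-paste from the googlechat role. The commit does not touch that line, but once renovate starts bumping `matrix_mautrix_hangouts_version` the self-build branch will silently diverge from the image tag. Suggested value: `"{{ 'master' if matrix_mautrix_hangouts_version == 'latest' else matrix_mautrix_hangouts_version }}"`.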
@@ -27,7 +28,7 @@ matrix_mautrix_instagram_command_prefix: "!ig"
 matrix_mautrix_instagram_bridge_permissions: |
 {{
- {matrix_mautrix_instagram_homeserver_domain: 'user'}
+ {'*': 'relay', matrix_mautrix_instagram_homeserver_domain: 'user'}
 | combine({matrix_admin: 'admin'} if matrix_admin else {})
 }}
@@ -83,6 +84,9 @@ matrix_mautrix_instagram_login_shared_secret: ''
 matrix_mautrix_instagram_bridge_login_shared_secret_map: "{{ {matrix_mautrix_instagram_homeserver_domain: matrix_mautrix_instagram_login_shared_secret} if matrix_mautrix_instagram_login_shared_secret else {} }}"
+# Enable bridge relay bot functionality
+matrix_mautrix_instagram_relay_enabled: "{{ matrix_bridges_relay_enabled }}"
+
 matrix_mautrix_instagram_appservice_bot_username: instagrambot
 matrix_mautrix_instagram_bridge_presence: true
diff --git a/roles/custom/matrix-bridge-mautrix-instagram/templates/config.yaml.j2 b/roles/custom/matrix-bridge-mautrix-instagram/templates/config.yaml.j2
index 1949a253..e3d4be52 100644
--- a/roles/custom/matrix-bridge-mautrix-instagram/templates/config.yaml.j2
+++ b/roles/custom/matrix-bridge-mautrix-instagram/templates/config.yaml.j2
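Review bot: `'*': 'relay'` grants the relay permission level to every Matrix user on every federated homeserver by default, not only to local users; it has no effect while relay mode is off, but the moment `matrix_bridges_relay_enabled` is switched on the exposure changes for all bridges that use this pattern at once. The same unconditional grant is added for slack, telegram (as `relaybot`) and whatsapp later in this diff, and signal already carried it, so a comment above `matrix_mautrix_instagram_bridge_permissions` such as `# '*': 'relay' lets users from any homeserver use this bridge's relay mode once matrix_mautrix_instagram_relay_enabled is true` would spell the trade-off out for operators. `matrix_bridges_relay_enabled` is not defined in any hunk visible here; presumably it lives in a shared defaults file, and a clear validate_config failure when it is undefined would help anyone using this role standalone.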
@@ -196,6 +196,23 @@ bridge:
 # The shared secret to authorize users of the API.
 # Set to "generate" to generate and save a new token.
 shared_secret: generate
+ relay:
+ # Whether relay mode should be allowed. If allowed, `!ig set-relay` can be used to turn any
+ # authenticated user into a relaybot for that chat.
+ enabled: {{ matrix_mautrix_instagram_relay_enabled }}
+ # The formats to use when sending messages to Instagram via a relay user.
+ #
+ # Available variables:
+ # $sender_displayname - The display name of the sender (e.g. Example User)
+ # $sender_username - The username (Matrix ID localpart) of the sender (e.g. exampleuser)
+ # $sender_mxid - The Matrix ID of the sender (e.g. @exampleuser:example.com)
+ # $message - The message content
+ #
+ # Note that Instagram doesn't support captions for images, so images won't include any indication of being relayed.
+ message_formats:
+ m.text: '$sender_displayname: $message'
+ m.notice: '$sender_displayname: $message'
+ m.emote: '* $sender_displayname $message'
 # Python logging configuration.
 #
diff --git a/roles/custom/matrix-bridge-mautrix-signal/defaults/main.yml b/roles/custom/matrix-bridge-mautrix-signal/defaults/main.yml
index ca9bab54..b26c1e7c 100644
--- a/roles/custom/matrix-bridge-mautrix-signal/defaults/main.yml
+++ b/roles/custom/matrix-bridge-mautrix-signal/defaults/main.yml
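Review bot: `enabled: {{ matrix_mautrix_instagram_relay_enabled }}` interpolates the variable as a bare scalar; the variable is now a template of a boolean, and Jinja renders a Python boolean as `True`/`False` rather than the canonical `true`/`false`, while a string value would be written unquoted and silently coerced by the YAML loader. The gmessages template in this same diff applies `| to_json` to every boolean it interpolates; `enabled: {{ matrix_mautrix_instagram_relay_enabled | to_json }}` gives this file the same guarantee that a boolean always lands as `true`/`false` and a string stays a visibly quoted string.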
@@ -9,7 +9,9 @@ matrix_mautrix_signal_docker_repo: "https://mau.dev/mautrix/signal.git"
 matrix_mautrix_signal_docker_repo_version: "{{ 'master' if matrix_mautrix_signal_version == 'latest' else matrix_mautrix_signal_version }}"
 matrix_mautrix_signal_docker_src_files_path: "{{ matrix_base_data_path }}/mautrix-signal/docker-src"
+# renovate: datasource=docker depName=dock.mau.dev/mautrix/signal
 matrix_mautrix_signal_version: v0.4.3
+# renovate: datasource=docker depName=signald/signald
 matrix_mautrix_signal_daemon_version: 0.23.2
 # See: https://mau.dev/mautrix/signal/container_registry
 matrix_mautrix_signal_docker_image: "{{ matrix_mautrix_signal_docker_image_name_prefix }}mautrix/signal:{{ matrix_mautrix_signal_version }}"
@@ -104,7 +106,7 @@ matrix_mautrix_signal_appservice_database: "{{
 matrix_mautrix_signal_login_shared_secret: ''
 # Enable bridge relay bot functionality
-matrix_mautrix_signal_relaybot_enabled: false
+matrix_mautrix_signal_relaybot_enabled: "{{ matrix_bridges_relay_enabled }}"
 # Permissions for using the bridge.
 # Permitted values:
@@ -119,8 +121,7 @@ matrix_mautrix_signal_relaybot_enabled: false
 # This variable used to contain a YAML string, but now needs to contain a hashmap/dictionary.
 matrix_mautrix_signal_bridge_permissions: |
 {{
- {'*': 'relay'}
- | combine({matrix_mautrix_signal_homeserver_domain: 'user'})
+ {'*': 'relay', matrix_mautrix_signal_homeserver_domain: 'user'}
 | combine({matrix_admin: 'admin'} if matrix_admin else {})
 }}
diff --git a/roles/custom/matrix-bridge-mautrix-slack/defaults/main.yml b/roles/custom/matrix-bridge-mautrix-slack/defaults/main.yml
index 2b6c7752..1f5e46c5 100644
--- a/roles/custom/matrix-bridge-mautrix-slack/defaults/main.yml
+++ b/roles/custom/matrix-bridge-mautrix-slack/defaults/main.yml
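Review bot: `matrix_mautrix_signal_relaybot_enabled` changes from a literal `false` to `"{{ matrix_bridges_relay_enabled }}"`, so the effective default for existing signal deployments now depends on a variable whose default is not visible in this diff; if that shared default is `true`, operators who relied on the relaybot being off get it enabled on the next run without changing anything in their own vars. The whatsapp role later in this diff makes the same switch. A comment on this line naming the inherited variable and its default, e.g. `# Inherits matrix_bridges_relay_enabled (see the shared bridge defaults); set explicitly to keep the previous behaviour`, plus a changelog entry, would make the behavioural change discoverable.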
@@ -8,6 +8,7 @@ matrix_mautrix_slack_container_image_self_build: false
 matrix_mautrix_slack_container_image_self_build_repo: "https://mau.dev/mautrix/slack.git"
 matrix_mautrix_slack_container_image_self_build_branch: "{{ 'main' if matrix_mautrix_slack_version == 'latest' else matrix_mautrix_slack_version }}"
+# renovate: datasource=docker depName=dock.mau.dev/mautrix/slack
 matrix_mautrix_slack_version: latest
 # See: https://mau.dev/mautrix/slack/container_registry
 matrix_mautrix_slack_docker_image: "{{ matrix_mautrix_slack_docker_image_name_prefix }}mautrix/slack:{{ matrix_mautrix_slack_version }}"
@@ -27,7 +28,7 @@ matrix_mautrix_slack_command_prefix: "!slack"
 matrix_mautrix_slack_bridge_permissions: |
 {{
- {matrix_mautrix_slack_homeserver_domain: 'user'}
+ {'*': 'relay', matrix_mautrix_slack_homeserver_domain: 'user'}
 | combine({matrix_admin: 'admin'} if matrix_admin else {})
 }}
@@ -66,8 +67,9 @@ matrix_mautrix_slack_database_password: 'some-password'
 matrix_mautrix_slack_database_hostname: ''
 matrix_mautrix_slack_database_port: 5432
 matrix_mautrix_slack_database_name: 'matrix_mautrix_slack'
+matrix_mautrix_slack_database_sslmode: disable
-matrix_mautrix_slack_database_connection_string: 'postgresql://{{ matrix_mautrix_slack_database_username }}:{{ matrix_mautrix_slack_database_password }}@{{ matrix_mautrix_slack_database_hostname }}:{{ matrix_mautrix_slack_database_port }}/{{ matrix_mautrix_slack_database_name }}?sslmode=disable'
+matrix_mautrix_slack_database_connection_string: 'postgresql://{{ matrix_mautrix_slack_database_username }}:{{ matrix_mautrix_slack_database_password }}@{{ matrix_mautrix_slack_database_hostname }}:{{ matrix_mautrix_slack_database_port }}/{{ matrix_mautrix_slack_database_name }}?sslmode={{ matrix_mautrix_slack_database_sslmode }}'
 matrix_mautrix_slack_appservice_database_type: "{{ {
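Review bot: `matrix_mautrix_slack_database_sslmode: disable` is introduced without a comment on the accepted values or on when `disable` is acceptable, and the connection string it feeds embeds `matrix_mautrix_slack_database_password`, so with `disable` both the credential and the bridge's data travel in cleartext whenever the database is not reached over the internal container network. Suggested comment above the new variable: `# libpq sslmode for the bridge's Postgres connection (disable, require, verify-ca, verify-full); 'disable' is only appropriate when the database is reached over the internal container network.` The whatsapp defaults later in this diff add the identical variable and would benefit from the same comment.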
diff --git a/roles/custom/matrix-bridge-mautrix-telegram/defaults/main.yml b/roles/custom/matrix-bridge-mautrix-telegram/defaults/main.yml
index 79f83593..51e19d51 100644
--- a/roles/custom/matrix-bridge-mautrix-telegram/defaults/main.yml
+++ b/roles/custom/matrix-bridge-mautrix-telegram/defaults/main.yml
@@ -17,7 +17,8 @@ matrix_mautrix_telegram_docker_repo: "https://mau.dev/mautrix/telegram.git"
 matrix_mautrix_telegram_docker_repo_version: "{{ 'master' if matrix_mautrix_telegram_version == 'latest' else matrix_mautrix_telegram_version }}"
 matrix_mautrix_telegram_docker_src_files_path: "{{ matrix_base_data_path }}/mautrix-telegram/docker-src"
-matrix_mautrix_telegram_version: v0.14.1
+# renovate: datasource=docker depName=dock.mau.dev/mautrix/telegram
+matrix_mautrix_telegram_version: v0.15.0
 # See: https://mau.dev/mautrix/telegram/container_registry
 matrix_mautrix_telegram_docker_image: "{{ matrix_mautrix_telegram_docker_image_name_prefix }}mautrix/telegram:{{ matrix_mautrix_telegram_version }}"
 matrix_mautrix_telegram_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_telegram_container_image_self_build else 'dock.mau.dev/' }}"
@@ -31,7 +32,7 @@ matrix_mautrix_telegram_command_prefix: "!tg"
 matrix_mautrix_telegram_bridge_permissions: |
 {{
- {matrix_mautrix_telegram_homeserver_domain: 'full'}
+ {'*': 'relaybot', matrix_mautrix_telegram_homeserver_domain: 'full'}
 | combine({matrix_admin: 'admin'} if matrix_admin else {})
 }}
diff --git a/roles/custom/matrix-bridge-mautrix-twitter/defaults/main.yml b/roles/custom/matrix-bridge-mautrix-twitter/defaults/main.yml
index 55e8411b..6b2d8bc8 100644
--- a/roles/custom/matrix-bridge-mautrix-twitter/defaults/main.yml
+++ b/roles/custom/matrix-bridge-mautrix-twitter/defaults/main.yml
@@ -8,7 +8,8 @@ matrix_mautrix_twitter_container_image_self_build: false
 matrix_mautrix_twitter_container_image_self_build_repo: "https://github.com/mautrix/twitter.git"
 matrix_mautrix_twitter_container_image_self_build_repo_version: "{{ 'master' if matrix_mautrix_twitter_version == 'latest' else matrix_mautrix_twitter_version }}"
-matrix_mautrix_twitter_version: v0.1.6
+# renovate: datasource=docker depName=dock.mau.dev/mautrix/twitter
+matrix_mautrix_twitter_version: v0.1.7
 # See: https://mau.dev/tulir/mautrix-twitter/container_registry
 matrix_mautrix_twitter_docker_image: "{{ matrix_mautrix_twitter_docker_image_name_prefix }}mautrix/twitter:{{ matrix_mautrix_twitter_version }}"
 matrix_mautrix_twitter_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_twitter_container_image_self_build else 'dock.mau.dev/' }}"
diff --git a/roles/custom/matrix-bridge-mautrix-whatsapp/defaults/main.yml b/roles/custom/matrix-bridge-mautrix-whatsapp/defaults/main.yml
index 9ee461b5..7756cb67 100644
--- a/roles/custom/matrix-bridge-mautrix-whatsapp/defaults/main.yml
+++ b/roles/custom/matrix-bridge-mautrix-whatsapp/defaults/main.yml
@@ -8,7 +8,9 @@ matrix_mautrix_whatsapp_container_image_self_build: false
 matrix_mautrix_whatsapp_container_image_self_build_repo: "https://mau.dev/mautrix/whatsapp.git"
 matrix_mautrix_whatsapp_container_image_self_build_branch: "{{ 'master' if matrix_mautrix_whatsapp_version == 'latest' else matrix_mautrix_whatsapp_version }}"
-matrix_mautrix_whatsapp_version: v0.8.6
+# renovate: datasource=docker depName=dock.mau.dev/mautrix/whatsapp
+matrix_mautrix_whatsapp_version: v0.10.4
+
 # See: https://mau.dev/mautrix/whatsapp/container_registry
 matrix_mautrix_whatsapp_docker_image: "{{ matrix_mautrix_whatsapp_docker_image_name_prefix }}mautrix/whatsapp:{{ matrix_mautrix_whatsapp_version }}"
 matrix_mautrix_whatsapp_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_whatsapp_container_image_self_build else 'dock.mau.dev/' }}"
@@ -74,8 +76,9 @@ matrix_mautrix_whatsapp_database_password: 'some-password'
 matrix_mautrix_whatsapp_database_hostname: ''
 matrix_mautrix_whatsapp_database_port: 5432
 matrix_mautrix_whatsapp_database_name: 'matrix_mautrix_whatsapp'
+matrix_mautrix_whatsapp_database_sslmode: disable
-matrix_mautrix_whatsapp_database_connection_string: 'postgresql://{{ matrix_mautrix_whatsapp_database_username }}:{{ matrix_mautrix_whatsapp_database_password }}@{{ matrix_mautrix_whatsapp_database_hostname }}:{{ matrix_mautrix_whatsapp_database_port }}/{{ matrix_mautrix_whatsapp_database_name }}?sslmode=disable'
+matrix_mautrix_whatsapp_database_connection_string: 'postgresql://{{ matrix_mautrix_whatsapp_database_username }}:{{ matrix_mautrix_whatsapp_database_password }}@{{ matrix_mautrix_whatsapp_database_hostname }}:{{ matrix_mautrix_whatsapp_database_port }}/{{ matrix_mautrix_whatsapp_database_name }}?sslmode={{ matrix_mautrix_whatsapp_database_sslmode }}'
 matrix_mautrix_whatsapp_appservice_database_type: "{{ {
@@ -108,12 +111,12 @@ matrix_mautrix_whatsapp_bridge_allow_user_invite: true
 matrix_mautrix_whatsapp_bridge_permissions: |
 {{
- {matrix_mautrix_whatsapp_homeserver_domain: 'user'}
+ {'*': 'relay', matrix_mautrix_whatsapp_homeserver_domain: 'user'}
 | combine({matrix_admin: 'admin'} if matrix_admin else {})
 }}
 # Enable bridge relay functionality
-matrix_mautrix_whatsapp_bridge_relay_enabled: false
+matrix_mautrix_whatsapp_bridge_relay_enabled: "{{ matrix_bridges_relay_enabled }}"
 # Only allow admins on this home server to set themselves as a relay user
 matrix_mautrix_whatsapp_bridge_relay_admin_only: true
diff --git a/roles/custom/matrix-bridge-mautrix-wsproxy/defaults/main.yml b/roles/custom/matrix-bridge-mautrix-wsproxy/defaults/main.yml
new file mode 100644
index 00000000..95ae71ab
--- /dev/null
+++ b/roles/custom/matrix-bridge-mautrix-wsproxy/defaults/main.yml
@@ -0,0 +1,156 @@ +--- +# mautrix-wsproxy is a Matrix <-> websocket bridge +# See: https://github.com/mautrix/wsproxy + +matrix_mautrix_wsproxy_enabled: true + +matrix_mautrix_wsproxy_version: latest +# See: https://mau.dev/mautrix/wsproxy/container_registry +matrix_mautrix_wsproxy_docker_image: "dock.mau.dev/mautrix/wsproxy:{{ matrix_mautrix_wsproxy_version }}" +matrix_mautrix_wsproxy_docker_image_force_pull: "{{ matrix_mautrix_wsproxy_docker_image.endswith(':latest') }}" + +matrix_mautrix_wsproxy_base_path: "{{ matrix_base_data_path }}/wsproxy" +matrix_mautrix_wsproxy_config_path: "{{ matrix_mautrix_wsproxy_base_path }}/config" + +matrix_mautrix_wsproxy_homeserver_address: "{{ matrix_homeserver_container_url }}" +matrix_mautrix_wsproxy_homeserver_domain: "{{ matrix_domain }}" + +matrix_mautrix_wsproxy_bind_port: false +matrix_mautrix_wsproxy_port: 29331 + +matrix_mautrix_wsproxy_appservice_address: "http://matrix-mautrix-wsproxy:{{ matrix_mautrix_wsproxy_port }}" + +matrix_mautrix_wsproxy_hostname: "" + +# The base container network. It will be auto-created by this role if it doesn't exist already. +matrix_mautrix_wsproxy_container_network: matrix-mautrix-wsproxy + +# matrix_mautrix_wsproxy_container_labels_traefik_enabled controls whether labels to assist a Traefik reverse-proxy will be attached to the container. +# See `../templates/labels.j2` for details. +# +# To inject your own other container labels, see `matrix_mautrix_wsproxy_container_labels_additional_labels`. +matrix_mautrix_wsproxy_container_labels_traefik_enabled: true +matrix_mautrix_wsproxy_container_labels_traefik_docker_network: "{{ matrix_mautrix_wsproxy_container_network }}" +matrix_mautrix_wsproxy_container_labels_traefik_hostname: "{{ matrix_mautrix_wsproxy_hostname }}" +# The path prefix must either be `/` or not end with a slash (e.g. `/wsproxy`). 
+matrix_mautrix_wsproxy_container_labels_traefik_rule: "Host(`{{ matrix_mautrix_wsproxy_container_labels_traefik_hostname }}`)" +matrix_mautrix_wsproxy_container_labels_traefik_priority: 0 +matrix_mautrix_wsproxy_container_labels_traefik_entrypoints: web-secure +matrix_mautrix_wsproxy_container_labels_traefik_tls: "{{ matrix_mautrix_wsproxy_container_labels_traefik_entrypoints != 'web' }}" +matrix_mautrix_wsproxy_container_labels_traefik_tls_certResolver: default # noqa var-naming + +# Controls which additional headers to attach to all HTTP responses. +# To add your own headers, use `matrix_mautrix_wsproxy_container_labels_traefik_additional_response_headers_custom` +matrix_mautrix_wsproxy_container_labels_traefik_additional_response_headers_auto: {} +matrix_mautrix_wsproxy_container_labels_traefik_additional_response_headers_custom: {} +matrix_mautrix_wsproxy_container_labels_traefik_additional_response_headers: "{{ matrix_mautrix_wsproxy_container_labels_traefik_additional_response_headers_auto | combine(matrix_mautrix_wsproxy_container_labels_traefik_additional_response_headers_custom) }}" + +# matrix_mautrix_wsproxy_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file. +# See `../templates/labels.j2` for details. +# +# Example: +# matrix_mautrix_wsproxy_container_labels_additional_labels: | +# my.label=1 +# another.label="here" +matrix_mautrix_wsproxy_container_labels_additional_labels: '' + +# A list of extra arguments to pass to the container +matrix_mautrix_wsproxy_container_extra_arguments: [] + +# List of systemd services that matrix-mautrix-wsproxy.service depends on. 
+matrix_mautrix_wsproxy_systemd_required_services_list: ['docker.service'] + +# List of systemd services that matrix-mautrix-wsproxy.service wants +matrix_mautrix_wsproxy_systemd_wanted_services_list: [] + +matrix_mautrix_androidsms_appservice_token: '' +matrix_mautrix_androidsms_homeserver_token: '' + +matrix_mautrix_imessage_appservice_token: '' +matrix_mautrix_imessage_homeserver_token: '' + +matrix_mautrix_androidsms_appservice_bot_username: androidsmsbot +matrix_mautrix_imessage_appservice_bot_username: imessagebot + +# Default mautrix-wsproxy configuration template which covers the generic use case. +# You can customize it by controlling the various variables inside it. +# +# For a more advanced customization, you can extend the default (see `matrix_mautrix_wsproxy_configuration_extension_yaml`) +# or completely replace this variable with your own template. +matrix_mautrix_wsproxy_configuration_yaml: "{{ lookup('template', 'templates/config.yaml.j2') }}" + +matrix_mautrix_wsproxy_configuration_extension_yaml: | + # Your custom YAML configuration goes here. + # This configuration extends the default starting configuration (`matrix_mautrix_wsproxy_configuration_yaml`). + # + # You can override individual variables from the default configuration, or introduce new ones. + # + # If you need something more special, you can take full control by + # completely redefining `matrix_mautrix_wsproxy_configuration_yaml`. + +matrix_mautrix_wsproxy_configuration_extension: "{{ matrix_mautrix_wsproxy_configuration_extension_yaml|from_yaml if matrix_mautrix_wsproxy_configuration_extension_yaml|from_yaml is mapping else {} }}" + +# Holds the final configuration (a combination of the default and its extension). +# You most likely don't need to touch this variable. Instead, see `matrix_mautrix_wsproxy_configuration_yaml`. 
+matrix_mautrix_wsproxy_configuration: "{{ matrix_mautrix_wsproxy_configuration_yaml|from_yaml|combine(matrix_mautrix_wsproxy_configuration_extension, recursive=True) }}" + +matrix_mautrix_androidsms_registration_yaml: | + id: androidsms + url: {{ matrix_mautrix_wsproxy_appservice_address }} + as_token: "{{ matrix_mautrix_androidsms_appservice_token }}" + hs_token: "{{ matrix_mautrix_androidsms_homeserver_token }}" + sender_localpart: _bot_{{ matrix_mautrix_androidsms_appservice_bot_username }} + rate_limited: false + namespaces: + users: + - regex: '@androidsms_.+:{{ matrix_mautrix_wsproxy_homeserver_domain|regex_escape }}$' + exclusive: true + - exclusive: true + regex: '^@{{ matrix_mautrix_androidsms_appservice_bot_username|regex_escape }}:{{ matrix_mautrix_wsproxy_homeserver_domain|regex_escape }}$' + +matrix_mautrix_androidsms_registration: "{{ matrix_mautrix_androidsms_registration_yaml|from_yaml }}" + +matrix_mautrix_imessage_registration_yaml: | + id: imessage + url: {{ matrix_mautrix_wsproxy_appservice_address }} + as_token: "{{ matrix_mautrix_imessage_appservice_token }}" + hs_token: "{{ matrix_mautrix_imessage_homeserver_token }}" + sender_localpart: _bot_{{ matrix_mautrix_imessage_appservice_bot_username }} + rate_limited: false + namespaces: + users: + - regex: '@imessage_.+:{{ matrix_mautrix_wsproxy_homeserver_domain|regex_escape }}$' + exclusive: true + - exclusive: true + regex: '^@{{ matrix_mautrix_imessage_appservice_bot_username|regex_escape }}:{{ matrix_mautrix_wsproxy_homeserver_domain|regex_escape }}$' + +matrix_mautrix_imessage_registration: "{{ matrix_mautrix_imessage_registration_yaml|from_yaml }}" + +# Syncproxy-related configuration fields +# renovate: datasource=docker depName=dock.mau.dev/mautrix/syncproxy +matrix_mautrix_wsproxy_syncproxy_version: latest +# See: https://mau.dev/mautrix/wsproxy/container_registry +matrix_mautrix_wsproxy_syncproxy_docker_image: "dock.mau.dev/mautrix/syncproxy:{{ matrix_mautrix_wsproxy_syncproxy_version 
}}" +matrix_mautrix_wsproxy_syncproxy_docker_image_force_pull: "{{ matrix_mautrix_wsproxy_syncproxy_docker_image.endswith(':latest') }}" +matrix_mautrix_wsproxy_syncproxy_container_extra_arguments: [] + +matrix_mautrix_wsproxy_syncproxy_systemd_required_services_list: ['docker.service', 'matrix-mautrix-wsproxy.service'] +matrix_mautrix_wsproxy_syncproxy_systemd_wanted_services_list: [] + +matrix_mautrix_wsproxy_syncproxy_shared_secret: '' +matrix_mautrix_wsproxy_syncproxy_port: 29332 +matrix_mautrix_wsproxy_syncproxy_appservice_address: "http://matrix-mautrix-wsproxy-syncproxy:{{ matrix_mautrix_wsproxy_syncproxy_port }}" + +# Database-related configuration fields +# +# This bridge supports Postgres and SQLite. +# +matrix_mautrix_wsproxy_syncproxy_database_engine: 'postgres' + +matrix_mautrix_wsproxy_syncproxy_database_username: 'matrix_mautrix_wsproxy_syncproxy' +matrix_mautrix_wsproxy_syncproxy_database_password: 'some-password' +matrix_mautrix_wsproxy_syncproxy_database_hostname: 'matrix-postgres' +matrix_mautrix_wsproxy_syncproxy_database_port: 5432 +matrix_mautrix_wsproxy_syncproxy_database_name: 'matrix_mautrix_wsproxy_syncproxy' + +matrix_mautrix_signal_wsproxy_syncproxy_connection_string: 'postgres://{{ matrix_mautrix_wsproxy_syncproxy_database_username }}:{{ matrix_mautrix_wsproxy_syncproxy_database_password }}@{{ matrix_mautrix_wsproxy_syncproxy_database_hostname }}:{{ matrix_mautrix_wsproxy_syncproxy_database_port }}/{{ matrix_mautrix_wsproxy_syncproxy_database_name }}' diff --git a/roles/custom/matrix-bridge-mautrix-wsproxy/tasks/inject_into_nginx_proxy.yml b/roles/custom/matrix-bridge-mautrix-wsproxy/tasks/inject_into_nginx_proxy.yml new file mode 100644 index 00000000..9e30d707 --- /dev/null +++ b/roles/custom/matrix-bridge-mautrix-wsproxy/tasks/inject_into_nginx_proxy.yml 
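Review bot: `matrix_mautrix_wsproxy_container_labels_traefik_docker_network` defaults to the `matrix-mautrix-wsproxy` network, but the systemd unit added in this commit starts the container with `--network={{ matrix_docker_network }}` and never attaches it to `matrix_mautrix_wsproxy_container_network`, so Traefik will look for the container on a network it is not on and the route will not resolve; either connect the container to that network in the unit or default the label to `"{{ matrix_docker_network }}"`. Both images default to `latest` with force-pull, which makes deployments non-reproducible and lets a registry-side change land without a review step; the `# renovate:` marker on the syncproxy image cannot pin a `latest` tag, so a concrete version like the other bridge roles carry would be preferable. `matrix_mautrix_signal_wsproxy_syncproxy_connection_string` looks like a copy-paste from the signal role and embeds the database password; rename it to `matrix_mautrix_wsproxy_syncproxy_database_connection_string` (and in the env template that reads it) before other files start depending on the misspelling, and consider appending `?sslmode={{ ... }}` as the other roles in this commit now do.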
@@ -0,0 +1,48 @@ +--- + +- name: Fail if matrix-nginx-proxy role already executed + ansible.builtin.fail: + msg: >- + Trying to append Mautrix Wsproxy reverse-proxying configuration to matrix-nginx-proxy, + but it's pointless since the matrix-nginx-proxy role had already executed. + To fix this, please change the order of roles in your playbook, + so that the matrix-nginx-proxy role would run after the matrix-bridge-mautrix-wsproxy role. + when: matrix_nginx_proxy_role_executed | default(False) | bool + +- tags: + - always + when: matrix_mautrix_wsproxy_enabled|bool + block: + - name: Generate Mautrix Wsproxy proxying configuration for matrix-nginx-proxy + ansible.builtin.set_fact: + matrix_mautrix_wsproxy_matrix_nginx_proxy_configuration: | + location ~ ^/(_matrix/wsproxy/.*) { + {% if matrix_nginx_proxy_enabled|default(False) %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver 127.0.0.11 valid=5s; + set $backend "matrix-mautrix-wsproxy:29331"; + proxy_pass http://$backend; + {% else %} + {# Generic configuration for use outside of our container setup #} + proxy_pass http://127.0.0.1:29331; + {% endif %} + } + + - name: Register Mautrix Wsproxy proxying configuration with matrix-nginx-proxy + ansible.builtin.set_fact: + matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks: | + {{ + matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks|default([]) + + + [matrix_mautrix_wsproxy_matrix_nginx_proxy_configuration] + }} + +- name: Warn about reverse-proxying if matrix-nginx-proxy not used + ansible.builtin.debug: + msg: >- + NOTE: You've enabled the Mautrix wsproxy bridge but are not using the matrix-nginx-proxy + reverse proxy. + Please make sure that you're proxying the `{{ matrix_mautrix_wsproxy_public_endpoint }}` + URL endpoint to the matrix-mautrix-wsproxy container. + You can expose the container's port using the `matrix_mautrix_wsproxy_container_http_host_bind_port` variable. 
+ when: "matrix_mautrix_wsproxy_enabled|bool and matrix_nginx_proxy_enabled is not defined" diff --git a/roles/custom/matrix-bridge-mautrix-wsproxy/tasks/main.yml b/roles/custom/matrix-bridge-mautrix-wsproxy/tasks/main.yml new file mode 100644 index 00000000..e41d555a --- /dev/null +++ b/roles/custom/matrix-bridge-mautrix-wsproxy/tasks/main.yml @@ -0,0 +1,29 @@ +--- + +- tags: + - setup-all + - setup-nginx-proxy + - install-all + - install-nginx-proxy + block: + - when: matrix_mautrix_wsproxy_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" + +- tags: + - setup-all + - setup-mautrix-wsproxy + - install-all + - install-mautrix-wsproxy + block: + - when: matrix_mautrix_wsproxy_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" + + - when: matrix_mautrix_wsproxy_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" + +- tags: + - setup-all + - setup-mautrix-wsproxy + block: + - when: not matrix_mautrix_wsproxy_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" diff --git a/roles/custom/matrix-bridge-mautrix-wsproxy/tasks/setup_install.yml b/roles/custom/matrix-bridge-mautrix-wsproxy/tasks/setup_install.yml new file mode 100644 index 00000000..725296e6 --- /dev/null +++ b/roles/custom/matrix-bridge-mautrix-wsproxy/tasks/setup_install.yml 
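Review bot: The warning task references `matrix_mautrix_wsproxy_public_endpoint` and `matrix_mautrix_wsproxy_container_http_host_bind_port`, neither of which this role's defaults define (they define `matrix_mautrix_wsproxy_bind_port` and `matrix_mautrix_wsproxy_port`), so on a host without matrix-nginx-proxy the debug task fails on an undefined variable instead of printing the hint. The generated `location` block also hard-codes `29331` twice where `matrix_mautrix_wsproxy_port` is available. wsproxy is a WebSocket service and the block sets no upgrade headers; unless the enclosing server block already does, the handshake will not pass through nginx, so add `proxy_http_version 1.1;`, `proxy_set_header Upgrade $http_upgrade;` and `proxy_set_header Connection "upgrade";` inside the location.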
@@ -0,0 +1,133 @@ +--- + +# If the matrix-synapse role is not used, `matrix_synapse_role_executed` won't exist. +# We don't want to fail in such cases. +- name: Fail if matrix-synapse role already executed + ansible.builtin.fail: + msg: >- + The matrix-bridge-mautrix-wsproxy role needs to execute before the matrix-synapse role. + when: "matrix_synapse_role_executed|default(False)" + +- ansible.builtin.set_fact: + matrix_mautrix_wsproxy_requires_restart: false + +- ansible.builtin.set_fact: + matrix_mautrix_wsproxy_syncproxy_requires_restart: false + +- name: Ensure Mautrix wsproxy paths exist + ansible.builtin.file: + path: "{{ item.path }}" + state: directory + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: + - path: "{{ matrix_mautrix_wsproxy_base_path }}" + when: true + when: item.when | bool + +- name: Ensure Mautrix wsproxy support files installed + ansible.builtin.template: + src: "{{ role_path }}/templates/{{ item }}.j2" + dest: "{{ matrix_mautrix_wsproxy_base_path }}/{{ item }}" + mode: 0640 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: + - syncproxy-env + - wsproxy-labels + +- name: Ensure Mautrix wsproxy image is pulled + community.docker.docker_image: + name: "{{ matrix_mautrix_wsproxy_docker_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_mautrix_wsproxy_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mautrix_wsproxy_docker_image_force_pull }}" + +- name: Ensure Mautrix syncproxy image is pulled + community.docker.docker_image: + name: "{{ matrix_mautrix_wsproxy_syncproxy_docker_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ 
matrix_mautrix_wsproxy_syncproxy_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mautrix_wsproxy_syncproxy_docker_image_force_pull }}" + +- name: Ensure Mautrix wsproxy paths exists + ansible.builtin.file: + path: "{{ item }}" + state: directory + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: + - "{{ matrix_mautrix_wsproxy_base_path }}" + - "{{ matrix_mautrix_wsproxy_config_path }}" + +- name: Check if an old matrix state file exists + ansible.builtin.stat: + path: "{{ matrix_mautrix_wsproxy_base_path }}/mx-state.json" + register: matrix_mautrix_wsproxy_stat_mx_state + +- name: Ensure mautrix-wsproxy config.yaml installed + ansible.builtin.copy: + content: "{{ matrix_mautrix_wsproxy_configuration|to_nice_yaml }}" + dest: "{{ matrix_mautrix_wsproxy_config_path }}/config.yaml" + mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + +- name: Ensure mautrix-androidsms registration.yaml installed + ansible.builtin.copy: + content: "{{ matrix_mautrix_androidsms_registration|to_nice_yaml }}" + dest: "{{ matrix_mautrix_wsproxy_config_path }}/androidsms-registration.yaml" + mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + +- name: Ensure mautrix-imessage registration.yaml installed + ansible.builtin.copy: + content: "{{ matrix_mautrix_imessage_registration|to_nice_yaml }}" + dest: "{{ matrix_mautrix_wsproxy_config_path }}/imessage-registration.yaml" + mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + +- name: Ensure mautrix-wsproxy container network is created + community.general.docker_network: + name: "{{ matrix_mautrix_wsproxy_container_network }}" + driver: bridge + +- name: Ensure matrix-mautrix-wsproxy.service installed + ansible.builtin.template: + src: "{{ 
role_path }}/templates/systemd/matrix-mautrix-wsproxy.service.j2" + dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-mautrix-wsproxy.service" + mode: 0644 + register: matrix_mautrix_wsproxy_systemd_service_result + +- name: Ensure systemd reloaded after matrix-mautrix-wsproxy.service installation + ansible.builtin.service: + daemon_reload: true + when: "matrix_mautrix_wsproxy_systemd_service_result.changed" + +- name: Ensure matrix-mautrix-wsproxy.service restarted, if necessary + ansible.builtin.service: + name: "matrix-mautrix-wsproxy.service" + state: restarted + when: "matrix_mautrix_wsproxy_requires_restart|bool" + +- name: Ensure matrix-mautrix-wsproxy-syncproxy.service installed + ansible.builtin.template: + src: "{{ role_path }}/templates/systemd/matrix-mautrix-wsproxy-syncproxy.service.j2" + dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-mautrix-wsproxy-syncproxy.service" + mode: 0644 + register: matrix_mautrix_wsproxy_syncproxy_systemd_service_result + +- name: Ensure systemd reloaded after matrix-mautrix-wsproxy-syncproxy.service installation + ansible.builtin.service: + daemon_reload: true + when: "matrix_mautrix_wsproxy_syncproxy_systemd_service_result.changed" + +- name: Ensure matrix-mautrix-wsproxy-syncproxy.service restarted, if necessary + ansible.builtin.service: + name: "matrix-mautrix-wsproxy-syncproxy.service" + state: restarted + when: "matrix_mautrix_wsproxy_syncproxy_requires_restart|bool" diff --git a/roles/custom/matrix-bridge-mautrix-wsproxy/tasks/setup_uninstall.yml b/roles/custom/matrix-bridge-mautrix-wsproxy/tasks/setup_uninstall.yml new file mode 100644 index 00000000..c39fd29f --- /dev/null +++ b/roles/custom/matrix-bridge-mautrix-wsproxy/tasks/setup_uninstall.yml 
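Review bot: `config.yaml`, `androidsms-registration.yaml` and `imessage-registration.yaml` are copied with `mode: 0644`, yet all three hold secrets — the appservice `as`/`hs` tokens and the syncproxy `shared_secret` — that let their holder act as the bridge towards the homeserver; the `0750` directory above them limits who can reach them today, but the file mode should not rely on that, and the `syncproxy-env` file written earlier in this same file already uses `0640`, so use `mode: 0640` for these three copies as well (the container runs as `matrix_user_uid` and still reads them). The first "Ensure Mautrix wsproxy paths exist" task is a subset of the later one and its `when: item.when | bool` / `when: true` pair is dead scaffolding; `matrix_mautrix_wsproxy_stat_mx_state` is registered but never read, and `matrix_mautrix_wsproxy_requires_restart` is set to false and never set to true, so a changed config.yaml never restarts the unit within this role. The network task uses `community.general.docker_network` while the image pulls above use `community.docker`; use `community.docker.docker_network` for consistency.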
@@ -0,0 +1,47 @@
+---
+
+- name: Check existence of matrix-mautrix-wsproxy service
+ ansible.builtin.stat:
+ path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-mautrix-wsproxy.service"
+ register: matrix_mautrix_wsproxy_service_stat
+
+- name: Ensure matrix-mautrix-wsproxy is stopped
+ ansible.builtin.service:
+ name: matrix-mautrix-wsproxy
+ state: stopped
+ daemon_reload: true
+ when: "matrix_mautrix_wsproxy_service_stat.stat.exists"
+
+- name: Ensure matrix-mautrix-wsproxy.service doesn't exist
+ ansible.builtin.file:
+ path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-mautrix-wsproxy.service"
+ state: absent
+ when: "matrix_mautrix_wsproxy_service_stat.stat.exists"
+
+- name: Ensure systemd reloaded after matrix-mautrix-wsproxy.service removal
+ ansible.builtin.service:
+ daemon_reload: true
+ when: "matrix_mautrix_wsproxy_service_stat.stat.exists"
+
+- name: Check existence of matrix-mautrix-wsproxy-syncproxy service
+ ansible.builtin.stat:
+ path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-mautrix-wsproxy-syncproxy.service"
+ register: matrix_mautrix_wsproxy_syncproxy_service_stat
+
+- name: Ensure matrix-mautrix-wsproxy-syncproxy is stopped
+ ansible.builtin.service:
+ name: matrix-mautrix-wsproxy-syncproxy
+ state: stopped
+ daemon_reload: true
+ when: "matrix_mautrix_wsproxy_syncproxy_service_stat.stat.exists"
+
+- name: Ensure matrix-mautrix-wsproxy-syncproxy.service doesn't exist
+ ansible.builtin.file:
+ path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-mautrix-wsproxy-syncproxy.service"
+ state: absent
+ when: "matrix_mautrix_wsproxy_syncproxy_service_stat.stat.exists"
+
+- name: Ensure systemd reloaded after matrix-mautrix-wsproxy-syncproxy.service removal
+ ansible.builtin.service:
+ daemon_reload: true
+ when: "matrix_mautrix_wsproxy_syncproxy_service_stat.stat.exists"
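Review bot: The uninstall path stops and removes both units but leaves behind the `matrix-mautrix-wsproxy` Docker network that setup_install creates, and leaves the config directory with the registration files and `syncproxy-env` (tokens, shared secret, database password) on disk. If keeping data is intentional, say so in a comment; the network is pure setup residue either way, so add `- name: Ensure matrix-mautrix-wsproxy network is removed` / `community.docker.docker_network:` / `name: "{{ matrix_mautrix_wsproxy_container_network }}"` with `state: absent`, and consider a debug message telling the operator which remaining files still hold secrets.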
diff --git a/roles/custom/matrix-bridge-mautrix-wsproxy/tasks/validate_config.yml b/roles/custom/matrix-bridge-mautrix-wsproxy/tasks/validate_config.yml
new file mode 100644
index 00000000..0db36f95
--- /dev/null
+++ b/roles/custom/matrix-bridge-mautrix-wsproxy/tasks/validate_config.yml
@@ -0,0 +1,13 @@
+---
+
+- name: Fail if required settings not defined
+ ansible.builtin.fail:
+ msg: >-
+ You need to define a required configuration setting (`{{ item }}`).
+ when: "vars[item] == ''"
+ with_items:
+ - "matrix_mautrix_androidsms_appservice_token"
+ - "matrix_mautrix_androidsms_homeserver_token"
+ - "matrix_mautrix_imessage_appservice_token"
+ - "matrix_mautrix_imessage_homeserver_token"
+ - "matrix_mautrix_wsproxy_syncproxy_shared_secret"
diff --git a/roles/custom/matrix-bridge-mautrix-wsproxy/templates/config.yaml.j2 b/roles/custom/matrix-bridge-mautrix-wsproxy/templates/config.yaml.j2
new file mode 100644
index 00000000..2c793261
--- /dev/null
+++ b/roles/custom/matrix-bridge-mautrix-wsproxy/templates/config.yaml.j2
@@ -0,0 +1,14 @@
+listen_address: 0.0.0.0:29331
+appservices:
+ - id: androidsms
+ as: {{ matrix_mautrix_androidsms_appservice_token | to_json }}
+ hs: {{ matrix_mautrix_androidsms_homeserver_token | to_json }}
+ - id: imessage
+ as: {{ matrix_mautrix_imessage_appservice_token | to_json }}
+ hs: {{ matrix_mautrix_imessage_homeserver_token | to_json }}
+sync_proxy:
+ # The URL that mautrix-wsproxy can use to reach mautrix-syncproxy
+ url: {{ matrix_mautrix_wsproxy_syncproxy_appservice_address | to_json }}
+ # The URL that mautrix-syncproxy can use to reach mautrix-wsproxy
+ wsproxy_url: {{ matrix_mautrix_wsproxy_appservice_address | to_json }}
+ shared_secret: {{ matrix_mautrix_wsproxy_syncproxy_shared_secret | to_json }}
diff --git a/roles/custom/matrix-bridge-mautrix-wsproxy/templates/syncproxy-env.j2 b/roles/custom/matrix-bridge-mautrix-wsproxy/templates/syncproxy-env.j2
new file mode 100644
index 00000000..bc23e54b
--- /dev/null
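Review bot: The required-settings list does not cover `matrix_mautrix_wsproxy_hostname`, which the defaults leave as `""` while `matrix_mautrix_wsproxy_container_labels_traefik_enabled` defaults to `true`; the label template then renders a `Host()` rule with an empty name, so the bridge deploys but is unreachable through Traefik. Add a guarded task: `- name: Fail if Traefik hostname not set` / `ansible.builtin.fail:` with `when: matrix_mautrix_wsproxy_container_labels_traefik_enabled | bool and matrix_mautrix_wsproxy_hostname == ''`. `vars[item] == ''` also only catches the empty string; since the homeserver identifies an appservice by its `as_token`, a token copied between the androidsms and imessage registrations is a plausible mistake that this check lets through, so consider failing when the two token pairs are equal.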
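Review bot: `listen_address: 0.0.0.0:29331` hard-codes the container port, while the Traefik `loadbalancer.server.port` label and `matrix_mautrix_wsproxy_appservice_address` derive it from `matrix_mautrix_wsproxy_port`; change that variable and both proxies point at a port nothing listens on. Use `listen_address: 0.0.0.0:{{ matrix_mautrix_wsproxy_port }}` here (the `-p ...:29331` mapping in the unit has the same hard-coded tail). Since `sync_proxy.shared_secret` and the `as`/`hs` tokens land in this file, a header comment such as `# Contains appservice tokens and the syncproxy shared secret; keep the on-disk mode group-readable at most.` would help whoever next touches the install task.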
+++ b/roles/custom/matrix-bridge-mautrix-wsproxy/templates/syncproxy-env.j2
@@ -0,0 +1,3 @@
+DATABASE_URL={{ matrix_mautrix_signal_wsproxy_syncproxy_connection_string }}
+HOMESERVER_URL={{ matrix_homeserver_container_url }}
+SHARED_SECRET={{ matrix_mautrix_wsproxy_syncproxy_shared_secret }}
\ No newline at end of file
diff --git a/roles/custom/matrix-bridge-mautrix-wsproxy/templates/systemd/matrix-mautrix-wsproxy-syncproxy.service.j2 b/roles/custom/matrix-bridge-mautrix-wsproxy/templates/systemd/matrix-mautrix-wsproxy-syncproxy.service.j2
new file mode 100644
index 00000000..4531e12e
--- /dev/null
+++ b/roles/custom/matrix-bridge-mautrix-wsproxy/templates/systemd/matrix-mautrix-wsproxy-syncproxy.service.j2
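Review bot: `DATABASE_URL` reads `matrix_mautrix_signal_wsproxy_syncproxy_connection_string`, a name that looks copied from the signal bridge role and only works because the defaults file carries the same misspelling; rename both ends to `matrix_mautrix_wsproxy_syncproxy_database_connection_string`. `HOMESERVER_URL` uses `matrix_homeserver_container_url` directly although the defaults define `matrix_mautrix_wsproxy_homeserver_address` for exactly that, leaving the variable dead; use `HOMESERVER_URL={{ matrix_mautrix_wsproxy_homeserver_address }}`. The file also lacks a trailing newline, and since it carries the database password and the shared secret it should keep the `0640` mode the install task gives it.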
@@ -0,0 +1,40 @@
+#jinja2: lstrip_blocks: "True"
+[Unit]
+Description=Matrix Mautrix wsproxy syncproxy
+{% for service in matrix_mautrix_wsproxy_syncproxy_systemd_required_services_list %}
+Requires={{ service }}
+After={{ service }}
+{% endfor %}
+{% for service in matrix_mautrix_wsproxy_syncproxy_systemd_wanted_services_list %}
+Wants={{ service }}
+{% endfor %}
+DefaultDependencies=no
+
+[Service]
+Type=simple
+Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}"
+ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-mautrix-wsproxy-syncproxy 2>/dev/null'
+ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-mautrix-wsproxy-syncproxy 2>/dev/null'
+
+# Intentional delay, so that the homeserver (we likely depend on) can manage to start.
+ExecStartPre={{ matrix_host_command_sleep }} 5
+
+ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name matrix-mautrix-wsproxy-syncproxy \
+ --log-driver=none \
+ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
+ --cap-drop=ALL \
+ --network={{ matrix_docker_network }} \
+ --env-file={{ matrix_mautrix_wsproxy_base_path }}/syncproxy-env \
+ {% for arg in matrix_mautrix_wsproxy_syncproxy_container_extra_arguments %}
+ {{ arg }} \
+ {% endfor %}
+ {{ matrix_mautrix_wsproxy_syncproxy_docker_image }}
+
+ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-mautrix-wsproxy-syncproxy 2>/dev/null'
+ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-mautrix-wsproxy-syncproxy 2>/dev/null'
+Restart=always
+RestartSec=30
+SyslogIdentifier=matrix-mautrix-wsproxy-syncproxy
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/custom/matrix-bridge-mautrix-wsproxy/templates/systemd/matrix-mautrix-wsproxy.service.j2 b/roles/custom/matrix-bridge-mautrix-wsproxy/templates/systemd/matrix-mautrix-wsproxy.service.j2
new file mode 100644
index 00000000..0965efa3
--- /dev/null
+++ b/roles/custom/matrix-bridge-mautrix-wsproxy/templates/systemd/matrix-mautrix-wsproxy.service.j2
@@ -0,0 +1,51 @@
+#jinja2: lstrip_blocks: "True"
+[Unit]
+Description=Matrix Mautrix wsproxy bridge
+{% for service in matrix_mautrix_wsproxy_systemd_required_services_list %}
+Requires={{ service }}
+After={{ service }}
+{% endfor %}
+{% for service in matrix_mautrix_wsproxy_systemd_wanted_services_list %}
+Wants={{ service }}
+{% endfor %}
+DefaultDependencies=no
+
+[Service]
+Type=simple
+Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}"
+ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-mautrix-wsproxy 2>/dev/null'
+ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-mautrix-wsproxy 2>/dev/null'
+
+# Intentional delay, so that the homeserver (we likely depend on) can manage to start.
+ExecStartPre={{ matrix_host_command_sleep }} 5
+
+ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create --rm --name matrix-mautrix-wsproxy \
+ --log-driver=none \
+ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
+ --cap-drop=ALL \
+ --network={{ matrix_docker_network }} \
+ {% if matrix_mautrix_wsproxy_bind_port %}
+ -p {{ matrix_mautrix_wsproxy_port }}:29331 \
+ {% endif %}
+ --mount type=bind,src={{ matrix_mautrix_wsproxy_config_path }},dst=/data \
+ --label-file={{ matrix_mautrix_wsproxy_base_path }}/wsproxy-labels \
+ {% for arg in matrix_mautrix_wsproxy_container_extra_arguments %}
+ {{ arg }} \
+ {% endfor %}
+ {{ matrix_mautrix_wsproxy_docker_image }} \
+ /usr/bin/mautrix-wsproxy -config /data/config.yaml
+
+{% for network in matrix_mautrix_wsproxy_container_additional_networks %}
+ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} matrix-mautrix-wsproxy
+{% endfor %}
+
+ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach matrix-mautrix-wsproxy
+
+ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-mautrix-wsproxy 2>/dev/null'
+ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-mautrix-wsproxy 2>/dev/null'
+Restart=always
+RestartSec=30
+SyslogIdentifier=matrix-mautrix-wsproxy
+
+[Install]
+WantedBy=multi-user.target
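Review bot: When `matrix_mautrix_wsproxy_bind_port` is true the unit publishes `-p {{ matrix_mautrix_wsproxy_port }}:29331`, which binds on every host interface and exposes the bridge's WebSocket endpoint outside the reverse proxy and its TLS; the mx-puppet roles touched in this same commit use a `container_http_host_bind_port` string (`127.0.0.1:8432`, or empty to not expose) precisely so operators can restrict the interface. Adopt the same shape here: `{% if matrix_mautrix_wsproxy_container_http_host_bind_port %}` / `-p {{ matrix_mautrix_wsproxy_container_http_host_bind_port }}:29331 \` / `{% endif %}`, with the variable defaulting to `''`. The template also loops over `matrix_mautrix_wsproxy_container_additional_networks`, which the role's defaults file in this commit does not define, so rendering fails with an undefined variable unless the playbook supplies it, and it joins `matrix_docker_network` rather than the `matrix_mautrix_wsproxy_container_network` the Traefik labels advertise.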
@@ -0,0 +1,34 @@
+{% if matrix_mautrix_wsproxy_container_labels_traefik_enabled %}
+traefik.enable=true
+
+{% if matrix_mautrix_wsproxy_container_labels_traefik_docker_network %}
+traefik.docker.network={{ matrix_mautrix_wsproxy_container_labels_traefik_docker_network }}
+{% endif %}
+
+{% set middlewares = [] %}
+
+{% if matrix_mautrix_wsproxy_container_labels_traefik_additional_response_headers.keys() | length > 0 %}
+{% for name, value in matrix_mautrix_wsproxy_container_labels_traefik_additional_response_headers.items() %}
+traefik.http.middlewares.matrix-mautrix-wsproxy-add-headers.headers.customresponseheaders.{{ name }}={{ value }}
+{% endfor %}
+{% set middlewares = middlewares + ['matrix-mautrix-wsproxy-add-headers'] %}
+{% endif %}
+
+traefik.http.routers.matrix-mautrix-wsproxy.rule={{ matrix_mautrix_wsproxy_container_labels_traefik_rule }}
+{% if matrix_mautrix_wsproxy_container_labels_traefik_priority | int > 0 %}
+traefik.http.routers.matrix-mautrix-wsproxy.priority={{ matrix_mautrix_wsproxy_container_labels_traefik_priority }}
+{% endif %}
+traefik.http.routers.matrix-mautrix-wsproxy.service=matrix-mautrix-wsproxy
+{% if middlewares | length > 0 %}
+traefik.http.routers.matrix-mautrix-wsproxy.middlewares={{ middlewares | join(',') }}
+{% endif %}
+traefik.http.routers.matrix-mautrix-wsproxy.entrypoints={{ matrix_mautrix_wsproxy_container_labels_traefik_entrypoints }}
+traefik.http.routers.matrix-mautrix-wsproxy.tls={{ matrix_mautrix_wsproxy_container_labels_traefik_tls | to_json }}
+{% if matrix_mautrix_wsproxy_container_labels_traefik_tls %}
+traefik.http.routers.matrix-mautrix-wsproxy.tls.certResolver={{ matrix_mautrix_wsproxy_container_labels_traefik_tls_certResolver }}
+{% endif %}
+
+traefik.http.services.matrix-mautrix-wsproxy.loadbalancer.server.port={{ matrix_mautrix_wsproxy_port }}
+{% endif %}
+
+{{ matrix_mautrix_wsproxy_container_labels_additional_labels }}
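Review bot: The router rule is a bare `Host(...)`, so Traefik forwards every path on that hostname to wsproxy, whereas the nginx injection in this same commit exposes only `^/(_matrix/wsproxy/.*)`; the defaults file even carries a comment about a path prefix ("must either be `/` or not end with a slash") for a variable that never materialised, which suggests the two proxies were meant to expose the same surface. If a dedicated hostname is the intent, say so in a comment above the rule line; otherwise add a `matrix_mautrix_wsproxy_container_labels_traefik_path_prefix` default and extend the rule with `&& PathPrefix(...)` the way the nginx block restricts it.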
diff --git a/roles/custom/matrix-bridge-mx-puppet-discord/defaults/main.yml b/roles/custom/matrix-bridge-mx-puppet-discord/defaults/main.yml index 246c1640..dff74f6c 100644 --- a/roles/custom/matrix-bridge-mx-puppet-discord/defaults/main.yml +++ b/roles/custom/matrix-bridge-mx-puppet-discord/defaults/main.yml @@ -14,6 +14,7 @@ matrix_mx_puppet_discord_container_image_self_build_dockerfile_path: "Dockerfile # Takes an ":" or "" value (e.g. "127.0.0.1:8432"), or empty string to not expose. matrix_mx_puppet_discord_container_http_host_bind_port: '' +# renovate: datasource=docker depName=registry.gitlab.com/mx-puppet/discord/mx-puppet-discord matrix_mx_puppet_discord_version: v0.1.1 matrix_mx_puppet_discord_docker_image: "{{ matrix_mx_puppet_discord_docker_image_name_prefix }}mx-puppet/discord/mx-puppet-discord:{{ matrix_mx_puppet_discord_version }}" matrix_mx_puppet_discord_docker_image_name_prefix: "{{ 'localhost/' if matrix_mx_puppet_discord_container_image_self_build else 'registry.gitlab.com/' }}" 
@@ -70,8 +71,9 @@ matrix_mx_puppet_discord_database_password: ~ matrix_mx_puppet_discord_database_hostname: '' matrix_mx_puppet_discord_database_port: 5432 matrix_mx_puppet_discord_database_name: matrix_mx_puppet_discord +matrix_mx_puppet_discord_database_sslmode: disable -matrix_mx_puppet_discord_database_connection_string: 'postgresql://{{ matrix_mx_puppet_discord_database_username }}:{{ matrix_mx_puppet_discord_database_password }}@{{ matrix_mx_puppet_discord_database_hostname }}:{{ matrix_mx_puppet_discord_database_port }}/{{ matrix_mx_puppet_discord_database_name }}?sslmode=disable' +matrix_mx_puppet_discord_database_connection_string: 'postgresql://{{ matrix_mx_puppet_discord_database_username }}:{{ matrix_mx_puppet_discord_database_password }}@{{ matrix_mx_puppet_discord_database_hostname }}:{{ matrix_mx_puppet_discord_database_port }}/{{ matrix_mx_puppet_discord_database_name }}?sslmode={{ matrix_mx_puppet_discord_database_sslmode }}' # Default configuration template which covers the generic use case. # You can customize it by controlling the various variables inside it. diff --git a/roles/custom/matrix-bridge-mx-puppet-groupme/defaults/main.yml b/roles/custom/matrix-bridge-mx-puppet-groupme/defaults/main.yml index ca9d7668..c176c6eb 100644 --- a/roles/custom/matrix-bridge-mx-puppet-groupme/defaults/main.yml +++ b/roles/custom/matrix-bridge-mx-puppet-groupme/defaults/main.yml 
@@ -65,8 +65,9 @@ matrix_mx_puppet_groupme_database_password: ~
 matrix_mx_puppet_groupme_database_hostname: ''
 matrix_mx_puppet_groupme_database_port: 5432
 matrix_mx_puppet_groupme_database_name: matrix_mx_puppet_groupme
+matrix_mx_puppet_groupme_database_sslmode: disable
 
-matrix_mx_puppet_groupme_database_connection_string: 'postgresql://{{ matrix_mx_puppet_groupme_database_username }}:{{ matrix_mx_puppet_groupme_database_password }}@{{ matrix_mx_puppet_groupme_database_hostname }}:{{ matrix_mx_puppet_groupme_database_port }}/{{ matrix_mx_puppet_groupme_database_name }}?sslmode=disable'
+matrix_mx_puppet_groupme_database_connection_string: 'postgresql://{{ matrix_mx_puppet_groupme_database_username }}:{{ matrix_mx_puppet_groupme_database_password }}@{{ matrix_mx_puppet_groupme_database_hostname }}:{{ matrix_mx_puppet_groupme_database_port }}/{{ matrix_mx_puppet_groupme_database_name }}?sslmode={{ matrix_mx_puppet_groupme_database_sslmode }}'
 
 # Default configuration template which covers the generic use case.
 # You can customize it by controlling the various variables inside it.
diff --git a/roles/custom/matrix-bridge-mx-puppet-instagram/defaults/main.yml b/roles/custom/matrix-bridge-mx-puppet-instagram/defaults/main.yml
index 0f6dd443..1c73e46c 100644
--- a/roles/custom/matrix-bridge-mx-puppet-instagram/defaults/main.yml
+++ b/roles/custom/matrix-bridge-mx-puppet-instagram/defaults/main.yml
@@ -8,6 +8,7 @@ matrix_mx_puppet_instagram_container_image_self_build: false matrix_mx_puppet_instagram_container_image_self_build_repo: "https://github.com/Sorunome/mx-puppet-instagram.git" matrix_mx_puppet_instagram_container_image_self_build_repo_version: "{{ 'master' if matrix_mx_puppet_instagram_version == 'latest' else matrix_mx_puppet_instagram_version }}" +# renovate: datasource=docker depName=sorunome/mx-puppet-instagram matrix_mx_puppet_instagram_version: latest matrix_mx_puppet_instagram_docker_image: "{{ matrix_mx_puppet_instagram_docker_image_name_prefix }}sorunome/mx-puppet-instagram:{{ matrix_mx_puppet_instagram_version }}" matrix_mx_puppet_instagram_docker_image_name_prefix: "{{ 'localhost/' if matrix_mx_puppet_instagram_container_image_self_build else matrix_container_global_registry_prefix }}" @@ -59,8 +60,9 @@ matrix_mx_puppet_instagram_database_password: ~ matrix_mx_puppet_instagram_database_hostname: '' matrix_mx_puppet_instagram_database_port: 5432 matrix_mx_puppet_instagram_database_name: matrix_mx_puppet_instagram +matrix_mx_puppet_instagram_database_sslmode: disable -matrix_mx_puppet_instagram_database_connection_string: 'postgresql://{{ matrix_mx_puppet_instagram_database_username }}:{{ matrix_mx_puppet_instagram_database_password }}@{{ matrix_mx_puppet_instagram_database_hostname }}:{{ matrix_mx_puppet_instagram_database_port }}/{{ matrix_mx_puppet_instagram_database_name }}?sslmode=disable' +matrix_mx_puppet_instagram_database_connection_string: 'postgresql://{{ matrix_mx_puppet_instagram_database_username }}:{{ matrix_mx_puppet_instagram_database_password }}@{{ matrix_mx_puppet_instagram_database_hostname }}:{{ matrix_mx_puppet_instagram_database_port }}/{{ matrix_mx_puppet_instagram_database_name }}?sslmode={{ matrix_mx_puppet_instagram_database_sslmode }}' # Default configuration template which covers the generic use case. # You can customize it by controlling the various variables inside it. 
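Review bot: The renovate annotation placed above `matrix_mx_puppet_instagram_version: latest` has nothing to act on as far as I can tell, because `latest` is not a version the docker datasource can compare against, so the marker suggests the image is tracked while it actually stays on a mutable tag whose contents can change underneath a deployment with no change in this repository. Either pin a tagged release here (if the upstream image publishes one) so the annotation does real work, or add a comment such as `# No tagged releases upstream; 'latest' is intentionally unpinned and not tracked by renovate` so the next reader does not assume otherwise. The steam and twitter hunks below carry the same annotation-over-`latest` combination.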
diff --git a/roles/custom/matrix-bridge-mx-puppet-slack/defaults/main.yml b/roles/custom/matrix-bridge-mx-puppet-slack/defaults/main.yml index b428c40b..40456b5e 100644 --- a/roles/custom/matrix-bridge-mx-puppet-slack/defaults/main.yml +++ b/roles/custom/matrix-bridge-mx-puppet-slack/defaults/main.yml @@ -17,6 +17,7 @@ matrix_mx_puppet_slack_container_image_self_build_dockerfile_path: "Dockerfile" # Takes an ":" or "" value (e.g. "127.0.0.1:8432"), or empty string to not expose. matrix_mx_puppet_slack_container_http_host_bind_port: '' +# renovate: datasource=docker depName=registry.gitlab.com/mx-puppet/slack/mx-puppet-slack matrix_mx_puppet_slack_version: v0.1.2 matrix_mx_puppet_slack_docker_image: "{{ matrix_mx_puppet_slack_docker_image_name_prefix }}mx-puppet/slack/mx-puppet-slack:{{ matrix_mx_puppet_slack_version }}" matrix_mx_puppet_slack_docker_image_name_prefix: "{{ 'localhost/' if matrix_mx_puppet_slack_container_image_self_build else 'registry.gitlab.com/' }}" 
@@ -73,8 +74,9 @@ matrix_mx_puppet_slack_database_password: ~
 matrix_mx_puppet_slack_database_hostname: ''
 matrix_mx_puppet_slack_database_port: 5432
 matrix_mx_puppet_slack_database_name: matrix_mx_puppet_slack
+matrix_mx_puppet_slack_database_sslmode: disable
 
-matrix_mx_puppet_slack_database_connection_string: 'postgresql://{{ matrix_mx_puppet_slack_database_username }}:{{ matrix_mx_puppet_slack_database_password }}@{{ matrix_mx_puppet_slack_database_hostname }}:{{ matrix_mx_puppet_slack_database_port }}/{{ matrix_mx_puppet_slack_database_name }}?sslmode=disable'
+matrix_mx_puppet_slack_database_connection_string: 'postgresql://{{ matrix_mx_puppet_slack_database_username }}:{{ matrix_mx_puppet_slack_database_password }}@{{ matrix_mx_puppet_slack_database_hostname }}:{{ matrix_mx_puppet_slack_database_port }}/{{ matrix_mx_puppet_slack_database_name }}?sslmode={{ matrix_mx_puppet_slack_database_sslmode }}'
 
 # Default configuration template which covers the generic use case.
 # You can customize it by controlling the various variables inside it.
diff --git a/roles/custom/matrix-bridge-mx-puppet-steam/defaults/main.yml b/roles/custom/matrix-bridge-mx-puppet-steam/defaults/main.yml
index 9efedb13..9503335a 100644
--- a/roles/custom/matrix-bridge-mx-puppet-steam/defaults/main.yml
+++ b/roles/custom/matrix-bridge-mx-puppet-steam/defaults/main.yml
@@ -13,6 +13,7 @@ matrix_mx_puppet_steam_container_image_self_build_repo_version: "{{ 'master' if # Takes an ":" or "" value (e.g. "127.0.0.1:8432"), or empty string to not expose. matrix_mx_puppet_steam_container_http_host_bind_port: '' +# renovate: datasource=docker depName=icewind1991/mx-puppet-steam matrix_mx_puppet_steam_version: latest matrix_mx_puppet_steam_docker_image: "{{ matrix_mx_puppet_steam_docker_image_name_prefix }}icewind1991/mx-puppet-steam:{{ matrix_mx_puppet_steam_version }}" matrix_mx_puppet_steam_docker_image_name_prefix: "{{ 'localhost/' if matrix_mx_puppet_steam_container_image_self_build else matrix_container_global_registry_prefix }}" @@ -65,8 +66,9 @@ matrix_mx_puppet_steam_database_password: ~ matrix_mx_puppet_steam_database_hostname: '' matrix_mx_puppet_steam_database_port: 5432 matrix_mx_puppet_steam_database_name: matrix_mx_puppet_steam +matrix_mx_puppet_steam_database_sslmode: disable -matrix_mx_puppet_steam_database_connection_string: 'postgresql://{{ matrix_mx_puppet_steam_database_username }}:{{ matrix_mx_puppet_steam_database_password }}@{{ matrix_mx_puppet_steam_database_hostname }}:{{ matrix_mx_puppet_steam_database_port }}/{{ matrix_mx_puppet_steam_database_name }}?sslmode=disable' +matrix_mx_puppet_steam_database_connection_string: 'postgresql://{{ matrix_mx_puppet_steam_database_username }}:{{ matrix_mx_puppet_steam_database_password }}@{{ matrix_mx_puppet_steam_database_hostname }}:{{ matrix_mx_puppet_steam_database_port }}/{{ matrix_mx_puppet_steam_database_name }}?sslmode={{ matrix_mx_puppet_steam_database_sslmode }}' # Default configuration template which covers the generic use case. # You can customize it by controlling the various variables inside it. diff --git a/roles/custom/matrix-bridge-mx-puppet-twitter/defaults/main.yml b/roles/custom/matrix-bridge-mx-puppet-twitter/defaults/main.yml index 8e5e82f0..b229b683 100644 --- a/roles/custom/matrix-bridge-mx-puppet-twitter/defaults/main.yml 
+++ b/roles/custom/matrix-bridge-mx-puppet-twitter/defaults/main.yml @@ -13,6 +13,7 @@ matrix_mx_puppet_twitter_container_image_self_build_repo: "https://github.com/So # Takes an ":" or "" value (e.g. "127.0.0.1:8432"), or empty string to not expose. matrix_mx_puppet_twitter_container_http_host_bind_port: '' +# renovate: datasource=docker depName=sorunome/mx-puppet-twitter matrix_mx_puppet_twitter_version: latest matrix_mx_puppet_twitter_docker_image: "{{ matrix_mx_puppet_twitter_docker_image_name_prefix }}sorunome/mx-puppet-twitter:{{ matrix_mx_puppet_twitter_version }}" matrix_mx_puppet_twitter_docker_image_name_prefix: "{{ 'localhost/' if matrix_mx_puppet_twitter_container_image_self_build else matrix_container_global_registry_prefix }}" @@ -74,8 +75,9 @@ matrix_mx_puppet_twitter_database_password: ~ matrix_mx_puppet_twitter_database_hostname: '' matrix_mx_puppet_twitter_database_port: 5432 matrix_mx_puppet_twitter_database_name: matrix_mx_puppet_twitter +matrix_mx_puppet_twitter_database_sslmode: disable -matrix_mx_puppet_twitter_database_connection_string: 'postgresql://{{ matrix_mx_puppet_twitter_database_username }}:{{ matrix_mx_puppet_twitter_database_password }}@{{ matrix_mx_puppet_twitter_database_hostname }}:{{ matrix_mx_puppet_twitter_database_port }}/{{ matrix_mx_puppet_twitter_database_name }}?sslmode=disable' +matrix_mx_puppet_twitter_database_connection_string: 'postgresql://{{ matrix_mx_puppet_twitter_database_username }}:{{ matrix_mx_puppet_twitter_database_password }}@{{ matrix_mx_puppet_twitter_database_hostname }}:{{ matrix_mx_puppet_twitter_database_port }}/{{ matrix_mx_puppet_twitter_database_name }}?sslmode={{ matrix_mx_puppet_twitter_database_sslmode }}' # Default configuration template which covers the generic use case. # You can customize it by controlling the various variables inside it. diff --git a/roles/custom/matrix-bridge-sms/defaults/main.yml b/roles/custom/matrix-bridge-sms/defaults/main.yml index b4755d71..376a4650 100644 
--- a/roles/custom/matrix-bridge-sms/defaults/main.yml +++ b/roles/custom/matrix-bridge-sms/defaults/main.yml @@ -4,7 +4,8 @@ matrix_sms_bridge_enabled: true -matrix_sms_bridge_version: 0.5.7 +# renovate: datasource=docker depName=folivonet/matrix-sms-bridge +matrix_sms_bridge_version: 0.5.8 matrix_sms_bridge_docker_image: "{{ matrix_container_global_registry_prefix }}folivonet/matrix-sms-bridge:{{ matrix_sms_bridge_version }}" matrix_sms_bridge_base_path: "{{ matrix_base_data_path }}/matrix-sms-bridge" diff --git a/roles/custom/matrix-cactus-comments/defaults/main.yml b/roles/custom/matrix-cactus-comments/defaults/main.yml index 80f8c15e..d2515222 100644 --- a/roles/custom/matrix-cactus-comments/defaults/main.yml +++ b/roles/custom/matrix-cactus-comments/defaults/main.yml @@ -27,6 +27,7 @@ matrix_cactus_comments_tmp_directory_size_mb: 1 matrix_cactus_comments_container_port: 5000 +# renovate: datasource=docker depName=cactuscomments/cactus-appservice matrix_cactus_comments_version: 0.9.0 matrix_cactus_comments_docker_image: "{{ matrix_container_global_registry_prefix }}cactuscomments/cactus-appservice:{{ matrix_cactus_comments_version }}" matrix_cactus_comments_docker_image_force_pull: "{{ matrix_cactus_comments_docker_image.endswith(':latest') }}" diff --git a/roles/custom/matrix-client-cinny/defaults/main.yml b/roles/custom/matrix-client-cinny/defaults/main.yml index 6b771fdc..5ab1bd38 100644 --- a/roles/custom/matrix-client-cinny/defaults/main.yml +++ b/roles/custom/matrix-client-cinny/defaults/main.yml 
@@ -6,7 +6,8 @@ matrix_client_cinny_enabled: true matrix_client_cinny_container_image_self_build: false matrix_client_cinny_container_image_self_build_repo: "https://github.com/ajbura/cinny.git" -matrix_client_cinny_version: v2.2.6 +# renovate: datasource=docker depName=ajbura/cinny +matrix_client_cinny_version: v3.2.0 matrix_client_cinny_docker_image: "{{ matrix_client_cinny_docker_image_name_prefix }}ajbura/cinny:{{ matrix_client_cinny_version }}" matrix_client_cinny_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_cinny_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_client_cinny_docker_image_force_pull: "{{ matrix_client_cinny_docker_image.endswith(':latest') }}" diff --git a/roles/custom/matrix-client-element/defaults/main.yml b/roles/custom/matrix-client-element/defaults/main.yml index 368639cb..c9726cc9 100644 --- a/roles/custom/matrix-client-element/defaults/main.yml +++ b/roles/custom/matrix-client-element/defaults/main.yml @@ -10,7 +10,9 @@ matrix_client_element_container_image_self_build_repo: "https://github.com/vecto # - https://github.com/vector-im/element-web/issues/19544 matrix_client_element_container_image_self_build_low_memory_system_patch_enabled: "{{ ansible_memtotal_mb < 4096 }}" -matrix_client_element_version: v1.11.35 +# renovate: datasource=docker depName=vectorim/element-web +matrix_client_element_version: v1.11.50 + matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:{{ matrix_client_element_version }}" matrix_client_element_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_client_element_docker_image_force_pull: "{{ matrix_client_element_docker_image.endswith(':latest') }}" 
@@ -149,17 +151,17 @@ matrix_client_element_integrations_ui_url: "https://scalar.vector.im/" matrix_client_element_integrations_rest_url: "https://scalar.vector.im/api" matrix_client_element_integrations_widgets_urls: ["https://scalar.vector.im/api"] matrix_client_element_integrations_jitsi_widget_url: "https://scalar.vector.im/api/widgets/jitsi.html" -matrix_client_element_permalinkPrefix: "https://matrix.to" # noqa var-naming +matrix_client_element_permalink_prefix: "https://matrix.to" # noqa var-naming matrix_client_element_bug_report_endpoint_url: "https://element.io/bugreports/submit" -matrix_client_element_showLabsSettings: true # noqa var-naming +matrix_client_element_show_lab_settings: true # noqa var-naming # Element public room directory server(s) -matrix_client_element_roomdir_servers: ['matrix.org'] +matrix_client_element_room_directory_servers: ['matrix.org'] matrix_client_element_welcome_user_id: ~ # Branding of Element matrix_client_element_brand: "Element" # URL to Logo on welcome page -matrix_client_element_welcome_logo: "welcome/images/logo.svg" +matrix_client_element_welcome_logo: "themes/element/img/logos/element-logo.svg" # URL of link on welcome image matrix_client_element_welcome_logo_link: "https://element.io" 
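Review bot: The `# noqa var-naming` suppressions are kept on the renamed `matrix_client_element_permalink_prefix` and `matrix_client_element_show_lab_settings` lines, but the whole point of the rename is that these names now satisfy var-naming, so the markers are dead and would hide a genuine violation on the same line later; the two hunks that follow carry the same leftover markers on every renamed variable. `matrix_client_element_show_lab_settings` also drops the "s" from the `show_labs_settings` key it feeds in config.json.j2, which makes the variable hard to find by searching for the key; `matrix_client_element_show_labs_settings` would line up with the template key and the deprecation entry in validate_config.yml. The `matrix_client_element_welcome_logo` default moves to a new path with no explanation; a one-line comment on why `welcome/images/logo.svg` stopped being the right path would help anyone who has overridden it.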
@@ -169,13 +171,13 @@ matrix_client_element_welcome_text: "_t('Decentralised, encrypted chat & col # Links, shown in footer of welcome page: # [{"text": "Link text", "url": "https://link.target"}, {"text": "Other link"}] -matrix_client_element_branding_authFooterLinks: ~ # noqa var-naming +matrix_client_element_branding_auth_footer_links: ~ # noqa var-naming # URL to image, shown during Login -matrix_client_element_branding_authHeaderLogoUrl: "{{ matrix_client_element_welcome_logo }}" # noqa var-naming +matrix_client_element_branding_auth_header_logo_url: "{{ matrix_client_element_welcome_logo }}" # noqa var-naming # URL to Wallpaper, shown in background of welcome page -matrix_client_element_branding_welcomeBackgroundUrl: ~ # noqa var-naming +matrix_client_element_branding_welcome_background_url: ~ # noqa var-naming matrix_client_element_page_template_welcome_path: "{{ role_path }}/templates/welcome.html.j2" @@ -183,7 +185,7 @@ matrix_client_element_page_template_welcome_path: "{{ role_path }}/templates/wel # point this to a `home.html` template file on your local filesystem. matrix_client_element_embedded_pages_home_path: ~ -matrix_client_element_jitsi_preferredDomain: '' # noqa var-naming +matrix_client_element_jitsi_preferred_domain: '' # noqa var-naming # Controls whether the self-check feature should validate SSL certificates. matrix_client_element_self_check_validate_certificates: true 
@@ -207,14 +209,14 @@ matrix_client_element_themes_repository_version: master # Controls the default theme matrix_client_element_default_theme: 'light' -# Controls the `settingsDefault.custom_themes` setting of the Element configuration. +# Controls the `setting_defaults.custom_themes` setting of the Element configuration. # You can use this setting to define custom themes. # # Also, look at `matrix_client_element_themes_enabled` for a way to pull in a bunch of custom themes automatically. # If you define your own themes here and set `matrix_client_element_themes_enabled: true`, your themes will be preserved as well. # # Note that for a custom theme to work well, all Element instances that you use must have the same theme installed. -matrix_client_element_settingDefaults_custom_themes: [] # noqa var-naming +matrix_client_element_setting_defaults_custom_themes: [] # noqa var-naming # Default Element configuration template which covers the generic use case. # You can customize it by controlling the various variables inside it. diff --git a/roles/custom/matrix-client-element/tasks/prepare_themes.yml b/roles/custom/matrix-client-element/tasks/prepare_themes.yml index 70646c94..194335b2 100644 --- a/roles/custom/matrix-client-element/tasks/prepare_themes.yml +++ b/roles/custom/matrix-client-element/tasks/prepare_themes.yml @@ -30,7 +30,7 @@ - name: Load Element theme ansible.builtin.set_fact: - matrix_client_element_settingDefaults_custom_themes: "{{ matrix_client_element_settingDefaults_custom_themes + [item['content'] | b64decode | from_json] }}" # noqa var-naming + matrix_client_element_setting_defaults_custom_themes: "{{ matrix_client_element_setting_defaults_custom_themes + [item['content'] | b64decode | from_json] }}" # noqa var-naming with_items: "{{ matrix_client_element_theme_file_contents.results }}" # 
diff --git a/roles/custom/matrix-client-element/tasks/validate_config.yml b/roles/custom/matrix-client-element/tasks/validate_config.yml index fdf42df7..dc6c9f5a 100644 --- a/roles/custom/matrix-client-element/tasks/validate_config.yml +++ b/roles/custom/matrix-client-element/tasks/validate_config.yml @@ -27,6 +27,22 @@ with_items: - {'old': 'matrix_riot_web_.*', 'new': 'matrix_client_element_.*'} +- name: (Deprecation) Catch and report renamed element-web settings + ansible.builtin.fail: + msg: >- + Your configuration contains a variable, which now has a different name. + Please change your configuration to rename the variable (`{{ item.old }}` -> `{{ item.new }}`). + when: "item.old in vars" + with_items: + - {'old': 'matrix_client_element_showLabsSettings', 'new': 'matrix_client_element_show_lab_settings'} + - {'old': 'matrix_client_element_permalinkPrefix', 'new': 'matrix_client_element_permalink_prefix'} + - {'old': 'matrix_client_element_roomdir_servers', 'new': 'matrix_client_element_room_directory_servers'} + - {'old': 'matrix_client_element_settingDefaults_custom_themes', 'new': 'matrix_client_element_setting_defaults_custom_themes'} + - {'old': 'matrix_client_element_branding_authFooterLinks', 'new': 'matrix_client_element_branding_auth_footer_links'} + - {'old': 'matrix_client_element_branding_authHeaderLogoUrl', 'new': 'matrix_client_element_branding_auth_header_logo_url'} + - {'old': 'matrix_client_element_branding_welcomeBackgroundUrl', 'new': 'matrix_client_element_branding_welcome_background_url'} + - {'old': 'matrix_client_element_jitsi_preferredDomain', 'new': 'matrix_client_element_jitsi_preferred_domain'} + - when: matrix_client_element_container_labels_traefik_enabled | bool block: - name: Fail if required matrix-client-element Traefik settings not defined diff --git a/roles/custom/matrix-client-element/templates/config.json.j2 b/roles/custom/matrix-client-element/templates/config.json.j2 index 6f2498fd..180a8f81 100644 
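Review bot: The new deprecation task fails on the first renamed variable it encounters, so an operator who set several of the old camelCase names (likely, since the branding knobs are usually configured together) discovers them one playbook run at a time. It mirrors the `matrix_riot_web_.*` task just above, so the shape is consistent, but collecting the offending entries first — filtering the list against `vars` into a fact and then failing once with every old→new pair in the message — would report all of them in a single run. The exact `when: "item.old in vars"` test is the right choice here, since each entry is a literal name rather than a pattern like the task above.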
--- a/roles/custom/matrix-client-element/templates/config.json.j2 +++ b/roles/custom/matrix-client-element/templates/config.json.j2 @@ -8,12 +8,12 @@ "base_url": {{ matrix_client_element_default_is_url | string | to_json }} } }, - "settingDefaults": { - "custom_themes": {{ matrix_client_element_settingDefaults_custom_themes | to_json }} + "setting_defaults": { + "custom_themes": {{ matrix_client_element_setting_defaults_custom_themes | to_json }} }, "default_theme": {{ matrix_client_element_default_theme | string | to_json }}, "default_country_code": {{ matrix_client_element_default_country_code | string | to_json }}, - "permalinkPrefix": {{ matrix_client_element_permalinkPrefix | string | to_json }}, + "permalink_prefix": {{ matrix_client_element_permalink_prefix | string | to_json }}, "disable_custom_urls": {{ matrix_client_element_disable_custom_urls | to_json }}, "disable_guests": {{ matrix_client_element_disable_guests | to_json }}, "brand": {{ matrix_client_element_brand | to_json }}, 
@@ -22,28 +22,28 @@ "integrations_widgets_urls": {{ matrix_client_element_integrations_widgets_urls | to_json }}, "integrations_jitsi_widget_url": {{ matrix_client_element_integrations_jitsi_widget_url | string | to_json }}, "bug_report_endpoint_url": {{ matrix_client_element_bug_report_endpoint_url | to_json }}, - "showLabsSettings": {{ matrix_client_element_showLabsSettings | to_json }}, - "roomDirectory": { - "servers": {{ matrix_client_element_roomdir_servers | to_json }} + "show_labs_settings": {{ matrix_client_element_show_lab_settings | to_json }}, + "room_directory": { + "servers": {{ matrix_client_element_room_directory_servers | to_json }} }, - "welcomeUserId": {{ matrix_client_element_welcome_user_id | to_json }}, + "welcome_user_id": {{ matrix_client_element_welcome_user_id | to_json }}, {% if matrix_client_element_enable_presence_by_hs_url is not none %} "enable_presence_by_hs_url": {{ matrix_client_element_enable_presence_by_hs_url | to_json }}, {% endif %} - "embeddedPages": { + "embedded_pages": { "homeUrl": {{ matrix_client_element_embedded_pages_home_url | string | to_json }} }, - {% if matrix_client_element_jitsi_preferredDomain %} + {% if matrix_client_element_jitsi_preferred_domain %} "jitsi": { - "preferredDomain": {{ matrix_client_element_jitsi_preferredDomain | to_json }} + "preferred_domain": {{ matrix_client_element_jitsi_preferred_domain | to_json }} }, {% endif %} {% if matrix_client_element_location_sharing_enabled %} "map_style_url": "https://{{ matrix_server_fqn_element }}/map_style.json", {% endif %} "branding": { - "authFooterLinks": {{ matrix_client_element_branding_authFooterLinks | to_json }}, - "authHeaderLogoUrl": {{ matrix_client_element_branding_authHeaderLogoUrl | to_json }}, - "welcomeBackgroundUrl": {{ matrix_client_element_branding_welcomeBackgroundUrl | to_json }} + "auth_footer_links": {{ matrix_client_element_branding_auth_footer_links | to_json }}, + "auth_header_logo_url": {{ 
matrix_client_element_branding_auth_header_logo_url | to_json }}, + "welcome_background_url": {{ matrix_client_element_branding_welcome_background_url | to_json }} } } diff --git a/roles/custom/matrix-client-hydrogen/defaults/main.yml b/roles/custom/matrix-client-hydrogen/defaults/main.yml index de16c8b6..04b335e3 100644 --- a/roles/custom/matrix-client-hydrogen/defaults/main.yml +++ b/roles/custom/matrix-client-hydrogen/defaults/main.yml @@ -6,7 +6,8 @@ matrix_client_hydrogen_enabled: true matrix_client_hydrogen_container_image_self_build: false matrix_client_hydrogen_container_image_self_build_repo: "https://github.com/vector-im/hydrogen-web.git" -matrix_client_hydrogen_version: v0.4.0 +# renovate: datasource=docker depName=ghcr.io/vector-im/hydrogen-web +matrix_client_hydrogen_version: v0.4.1 matrix_client_hydrogen_docker_image: "{{ matrix_client_hydrogen_docker_image_name_prefix }}vector-im/hydrogen-web:{{ matrix_client_hydrogen_version }}" matrix_client_hydrogen_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_hydrogen_container_image_self_build else 'ghcr.io/' }}" matrix_client_hydrogen_docker_image_force_pull: "{{ matrix_client_hydrogen_docker_image.endswith(':latest') }}" diff --git a/roles/custom/matrix-client-hydrogen/tasks/setup_install.yml b/roles/custom/matrix-client-hydrogen/tasks/setup_install.yml index 0e114804..5ca6cb73 100644 --- a/roles/custom/matrix-client-hydrogen/tasks/setup_install.yml +++ b/roles/custom/matrix-client-hydrogen/tasks/setup_install.yml 
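Review bot: `"homeUrl"` inside the now snake_case `"embedded_pages"` object is the one key in this hunk that was not migrated, while every sibling (`show_labs_settings`, `room_directory`, `welcome_user_id`, `preferred_domain`, the three `branding` keys) was. If element-web's current schema expects `home_url` under `embedded_pages` — which the pattern of the other renames suggests but I cannot confirm from the diff — the configured home page is silently ignored rather than rejected, so this is worth checking against the element-web config documentation for the v1.11.50 target and, if so, changing the line to `"home_url": {{ matrix_client_element_embedded_pages_home_url | string | to_json }}`. The JSON object closes inside the hunk, but the template's opening lines lie outside it.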
@@ -12,6 +12,39 @@ - {path: "{{ matrix_client_hydrogen_docker_src_files_path }}", when: "{{ matrix_client_hydrogen_container_image_self_build }}"} when: "item.when | bool" +- when: "matrix_client_hydrogen_container_image_self_build | bool" + block: + - name: Ensure Hydrogen repository is present on self-build + ansible.builtin.git: + repo: "{{ matrix_client_hydrogen_container_image_self_build_repo }}" + dest: "{{ matrix_client_hydrogen_docker_src_files_path }}" + version: "{{ matrix_client_hydrogen_docker_image.split(':')[1] }}" + force: "yes" + become: true + become_user: "{{ matrix_user_username }}" + register: matrix_client_hydrogen_git_pull_results + + - name: Check if Hydrogen Docker image exists + ansible.builtin.command: "{{ devture_systemd_docker_base_host_command_docker }} images --quiet --filter 'reference={{ matrix_client_hydrogen_docker_image }}'" + register: matrix_client_hydrogen_docker_image_check_result + changed_when: false + + # Invoking the `docker build` command here, instead of calling the `docker_image` Ansible module, + # because the latter does not support BuildKit. + # See: https://github.com/ansible-collections/community.general/issues/514 + - name: Ensure Hydrogen Docker image is built + ansible.builtin.shell: + chdir: "{{ matrix_client_hydrogen_docker_src_files_path }}" + cmd: | + {{ devture_systemd_docker_base_host_command_docker }} build \ + -t "{{ matrix_client_hydrogen_docker_image }}" \ + -f Dockerfile \ + . + environment: + DOCKER_BUILDKIT: 1 + changed_when: true + when: "matrix_client_hydrogen_git_pull_results.changed | bool or matrix_client_hydrogen_docker_image_check_result.stdout == ''" + - name: Ensure Hydrogen Docker image is pulled community.docker.docker_image: name: "{{ matrix_client_hydrogen_docker_image }}" 
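Review bot: The new `docker build` command drops the `pull: true` that the removed `community.docker.docker_image` build task (visible in the next hunk) had, so a rebuild triggered by a new upstream commit or a missing local image reuses whatever base image is already in the cache instead of fetching the current one; adding `--pull \` to the command keeps base-image fixes flowing into self-built images. `force: "yes"` on the git task and `DOCKER_BUILDKIT: 1` are carried over as a quoted boolean-looking string and a bare integer; `force: true` and `DOCKER_BUILDKIT: "1"` state the intended types directly (environment values end up as strings on the process side anyway, and yamllint's truthy rule flags the quoted form). The rebuild condition combines the git result with an empty `docker images --quiet` output, which reads correctly, though the comment above the task could say so in one line rather than leaving the reader to derive it.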
@@ -24,17 +57,6 @@ delay: "{{ devture_playbook_help_container_retries_delay }}" until: result is not failed -- name: Ensure Hydrogen repository is present on self-build - ansible.builtin.git: - repo: "{{ matrix_client_hydrogen_container_image_self_build_repo }}" - dest: "{{ matrix_client_hydrogen_docker_src_files_path }}" - version: "{{ matrix_client_hydrogen_docker_image.split(':')[1] }}" - force: "yes" - become: true - become_user: "{{ matrix_user_username }}" - register: matrix_client_hydrogen_git_pull_results - when: "matrix_client_hydrogen_container_image_self_build | bool" - - name: Ensure Hydrogen configuration installed ansible.builtin.copy: content: "{{ matrix_client_hydrogen_configuration | to_nice_json }}" @@ -54,17 +76,6 @@ - {src: "{{ role_path }}/templates/nginx.conf.j2", name: "nginx.conf"} - {src: "{{ role_path }}/templates/labels.j2", name: "labels"} -- name: Ensure Hydrogen Docker image is built - community.docker.docker_image: - name: "{{ matrix_client_hydrogen_docker_image }}" - source: build - force_source: "{{ matrix_client_hydrogen_git_pull_results.changed }}" - build: - dockerfile: Dockerfile - path: "{{ matrix_client_hydrogen_docker_src_files_path }}" - pull: true - when: "matrix_client_hydrogen_container_image_self_build | bool" - - name: Ensure Hydrogen container network is created community.general.docker_network: name: "{{ matrix_client_hydrogen_container_network }}" diff --git a/roles/custom/matrix-client-schildichat/defaults/main.yml b/roles/custom/matrix-client-schildichat/defaults/main.yml new file mode 100644 index 00000000..73d6227d --- /dev/null +++ b/roles/custom/matrix-client-schildichat/defaults/main.yml 
@@ -0,0 +1,313 @@ +--- +# Project source code URL: https://github.com/SchildiChat/schildichat-desktop + +matrix_client_schildichat_enabled: true + +matrix_client_schildichat_container_image_self_build: false + +# renovate: datasource=docker depName=registry.gitlab.com/etke.cc/schildichat-web +matrix_client_schildichat_version: v1.11.30-sc.2 +matrix_client_schildichat_docker_image: "{{ matrix_client_schildichat_docker_image_name_prefix }}etke.cc/schildichat-web:{{ matrix_client_schildichat_version }}" +matrix_client_schildichat_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_schildichat_container_image_self_build else 'registry.gitlab.com/' }}" +matrix_client_schildichat_docker_image_force_pull: "{{ matrix_client_schildichat_docker_image.endswith(':latest') }}" + +matrix_client_schildichat_data_path: "{{ matrix_base_data_path }}/client-schildichat" +matrix_client_schildichat_docker_src_files_path: "{{ matrix_client_schildichat_data_path }}/docker-src" + +# The base container network +matrix_client_schildichat_container_network: matrix-client-schildichat + +# A list of additional container networks that the container would be connected to. +# The role does not create these networks, so make sure they already exist. +# Use this to expose this container to a reverse proxy, which runs in a different container network. +matrix_client_schildichat_container_additional_networks: [] + +# Controls whether the matrix-client-schildichat container exposes its HTTP port (tcp/8080 in the container). +# +# Takes an ":" or "" value (e.g. "127.0.0.1:8765"), or empty string to not expose. +matrix_client_schildichat_container_http_host_bind_port: '' + +# matrix_client_schildichat_container_labels_traefik_enabled controls whether labels to assist a Traefik reverse-proxy will be attached to the container. +# See `../templates/labels.j2` for details. +# +# To inject your own other container labels, see `matrix_client_schildichat_container_labels_additional_labels`. 
+matrix_client_schildichat_container_labels_traefik_enabled: true +matrix_client_schildichat_container_labels_traefik_docker_network: "{{ matrix_client_schildichat_container_network }}" +matrix_client_schildichat_container_labels_traefik_hostname: "{{ matrix_client_schildichat_hostname }}" +# The path prefix must either be `/` or not end with a slash (e.g. `/schildichat`). +matrix_client_schildichat_container_labels_traefik_path_prefix: "{{ matrix_client_schildichat_path_prefix }}" +matrix_client_schildichat_container_labels_traefik_rule: "Host(`{{ matrix_client_schildichat_container_labels_traefik_hostname }}`){% if matrix_client_schildichat_container_labels_traefik_path_prefix != '/' %} && PathPrefix(`{{ matrix_client_schildichat_container_labels_traefik_path_prefix }}`){% endif %}" +matrix_client_schildichat_container_labels_traefik_priority: 0 +matrix_client_schildichat_container_labels_traefik_entrypoints: web-secure +matrix_client_schildichat_container_labels_traefik_tls: "{{ matrix_client_schildichat_container_labels_traefik_entrypoints != 'web' }}" +matrix_client_schildichat_container_labels_traefik_tls_certResolver: default # noqa var-naming + +# Controls which additional headers to attach to all HTTP responses. 
+# To add your own headers, use `matrix_client_schildichat_container_labels_traefik_additional_response_headers_custom` +matrix_client_schildichat_container_labels_traefik_additional_response_headers: "{{ matrix_client_schildichat_container_labels_traefik_additional_response_headers_auto | combine(matrix_client_schildichat_container_labels_traefik_additional_response_headers_custom) }}" +matrix_client_schildichat_container_labels_traefik_additional_response_headers_auto: | + {{ + {} + | combine ({'X-XSS-Protection': matrix_client_schildichat_http_header_xss_protection} if matrix_client_schildichat_http_header_xss_protection else {}) + | combine ({'X-Frame-Options': matrix_client_schildichat_http_header_frame_options} if matrix_client_schildichat_http_header_frame_options else {}) + | combine ({'X-Content-Type-Options': matrix_client_schildichat_http_header_content_type_options} if matrix_client_schildichat_http_header_content_type_options else {}) + | combine ({'Content-Security-Policy': matrix_client_schildichat_http_header_content_security_policy} if matrix_client_schildichat_http_header_content_security_policy else {}) + | combine ({'Permission-Policy': matrix_client_schildichat_http_header_content_permission_policy} if matrix_client_schildichat_http_header_content_permission_policy else {}) + | combine ({'Strict-Transport-Security': matrix_client_schildichat_http_header_strict_transport_security} if matrix_client_schildichat_http_header_strict_transport_security and matrix_client_schildichat_container_labels_traefik_tls else {}) + }} +matrix_client_schildichat_container_labels_traefik_additional_response_headers_custom: {} + +# matrix_client_schildichat_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file. +# See `../templates/labels.j2` for details. 
+# +# Example: +# matrix_client_schildichat_container_labels_additional_labels: | +# my.label=1 +# another.label="here" +matrix_client_schildichat_container_labels_additional_labels: '' + +# A list of extra arguments to pass to the container +matrix_client_schildichat_container_extra_arguments: [] + +# List of systemd services that matrix-client-schildichat.service depends on +matrix_client_schildichat_systemd_required_services_list: ['docker.service'] + +# Specifies the value of the `X-XSS-Protection` header +# Stops pages from loading when they detect reflected cross-site scripting (XSS) attacks. +# +# Learn more about it is here: +# - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection +# - https://portswigger.net/web-security/cross-site-scripting/reflected +matrix_client_schildichat_http_header_xss_protection: "1; mode=block" + +# Specifies the value of the `X-Frame-Options` header which controls whether framing can happen. +# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options +matrix_client_schildichat_http_header_frame_options: SAMEORIGIN + +# Specifies the value of the `X-Content-Type-Options` header. +# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options +matrix_client_schildichat_http_header_content_type_options: nosniff + +# Specifies the value of the `Content-Security-Policy` header. +# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy +matrix_client_schildichat_http_header_content_security_policy: frame-ancestors 'self' + +# Specifies the value of the `Permission-Policy` header. +# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permission-Policy +matrix_client_schildichat_http_header_content_permission_policy: "{{ 'interest-cohort=()' if matrix_client_schildichat_floc_optout_enabled else '' }}" + +# Specifies the value of the `Strict-Transport-Security` header. 
+# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security +matrix_client_schildichat_http_header_strict_transport_security: "max-age=31536000; includeSubDomains{{ '; preload' if matrix_client_schildichat_hsts_preload_enabled else '' }}" + +# Controls whether to send a "Permissions-Policy interest-cohort=();" header along with all responses +# +# Learn more about what it is here: +# - https://www.eff.org/deeplinks/2021/03/googles-floc-terrible-idea +# - https://paramdeo.com/blog/opting-your-website-out-of-googles-floc-network +# - https://amifloced.org/ +# +# Of course, a better solution is to just stop using browsers (like Chrome), which participate in such tracking practices. +# See: `matrix_client_schildichat_content_permission_policy` +matrix_client_schildichat_floc_optout_enabled: true + +# Controls if HSTS preloading is enabled +# +# In its strongest and recommended form, the [HSTS policy](https://www.chromium.org/hsts) includes all subdomains, and +# indicates a willingness to be "preloaded" into browsers: +# `Strict-Transport-Security: max-age=31536000; includeSubDomains; preload` +# For more information visit: +# - https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security +# - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security +# - https://hstspreload.org/#opt-in +# See: `matrix_client_schildichat_http_header_strict_transport_security` +matrix_client_schildichat_hsts_preload_enabled: false + +# The hostname at which schildichat is served. +# Only works with with Traefik reverse-proxying. +# For matrix-nginx-proxy, `matrix_server_fqn_schildichat` is used and this variable has no effect. +matrix_client_schildichat_hostname: "{{ matrix_server_fqn_schildichat }}" + +# The path at which schildichat is exposed. +# When matrix-nginx-proxy is used, setting this to values other than `/` will cause configuration mismatches and trouble. 
+# +# If Traefik is used, the hostname is also configurable - see `matrix_client_schildichat_container_labels_traefik_hostname`. +# This value must either be `/` or not end with a slash (e.g. `/schildichat`). +matrix_client_schildichat_path_prefix: / + +# schildichat config.json customizations +matrix_client_schildichat_default_server_name: "{{ matrix_domain }}" +matrix_client_schildichat_default_hs_url: "" +matrix_client_schildichat_default_is_url: ~ +matrix_client_schildichat_disable_custom_urls: true +matrix_client_schildichat_disable_guests: true +matrix_client_schildichat_integrations_ui_url: "https://scalar.vector.im/" +matrix_client_schildichat_integrations_rest_url: "https://scalar.vector.im/api" +matrix_client_schildichat_integrations_widgets_urls: ["https://scalar.vector.im/api"] +matrix_client_schildichat_integrations_jitsi_widget_url: "https://scalar.vector.im/api/widgets/jitsi.html" +matrix_client_schildichat_permalink_prefix: "https://matrix.to" # noqa var-naming +matrix_client_schildichat_bug_report_endpoint_url: "https://element.io/bugreports/submit" +matrix_client_schildichat_show_lab_settings: true # noqa var-naming +# schildichat public room directory server(s) +matrix_client_schildichat_room_directory_servers: ['matrix.org'] +matrix_client_schildichat_welcome_user_id: ~ +# Branding of schildichat +matrix_client_schildichat_brand: "schildichat" + +# URL to Logo on welcome page +matrix_client_schildichat_welcome_logo: "themes/element/img/logos/element-logo.svg" + +# URL of link on welcome image +matrix_client_schildichat_welcome_logo_link: "https://schildi.chat" + +matrix_client_schildichat_welcome_headline: "_t('Welcome to SchildiChat')" +matrix_client_schildichat_welcome_text: "_t('Decentralised, encrypted chat & collaboration powered by [matrix]')" + +# Links, shown in footer of welcome page: +# [{"text": "Link text", "url": "https://link.target"}, {"text": "Other link"}] +matrix_client_schildichat_branding_auth_footer_links: ~ # noqa 
var-naming + +# URL to image, shown during Login +matrix_client_schildichat_branding_auth_header_logo_url: "{{ matrix_client_schildichat_welcome_logo }}" # noqa var-naming + +# URL to Wallpaper, shown in background of welcome page +matrix_client_schildichat_branding_welcome_background_url: ~ # noqa var-naming + +matrix_client_schildichat_page_template_welcome_path: "{{ role_path }}/templates/welcome.html.j2" + +# By default, there's no schildichat homepage (when logged in). If you wish to have one, +# point this to a `home.html` template file on your local filesystem. +matrix_client_schildichat_embedded_pages_home_path: ~ + +matrix_client_schildichat_jitsi_preferred_domain: '' # noqa var-naming + +# Controls whether the self-check feature should validate SSL certificates. +matrix_client_schildichat_self_check_validate_certificates: true + +# don't show the registration button on welcome page +matrix_client_schildichat_registration_enabled: false + +# Default country code on welcome page when login by phone number +matrix_client_schildichat_default_country_code: "GB" + +# Controls whether presence will be enabled +matrix_client_schildichat_enable_presence_by_hs_url: ~ + +# Controls whether custom schildichat themes will be installed. +# When enabled, all themes found in the `matrix_client_schildichat_themes_repository_url` repository +# will be installed and enabled automatically. +matrix_client_schildichat_themes_enabled: false +matrix_client_schildichat_themes_repository_url: https://github.com/aaronraimist/element-themes +matrix_client_schildichat_themes_repository_version: master + +# Controls the default theme +matrix_client_schildichat_default_theme: 'light' + +# Controls the `setting_defaults.custom_themes` setting of the schildichat configuration. +# You can use this setting to define custom themes. +# +# Also, look at `matrix_client_schildichat_themes_enabled` for a way to pull in a bunch of custom themes automatically. 
+# If you define your own themes here and set `matrix_client_schildichat_themes_enabled: true`, your themes will be preserved as well. +# +# Note that for a custom theme to work well, all schildichat instances that you use must have the same theme installed. +matrix_client_schildichat_setting_defaults_custom_themes: [] # noqa var-naming + +# Default schildichat configuration template which covers the generic use case. +# You can customize it by controlling the various variables inside it. +# +# For a more advanced customization, you can extend the default (see `matrix_client_schildichat_configuration_extension_json`) +# or completely replace this variable with your own template. +# +# The side-effect of this lookup is that Ansible would even parse the JSON for us, returning a dict. +# This is unlike what it does when looking up YAML template files (no automatic parsing there). +matrix_client_schildichat_configuration_default: "{{ lookup('template', 'templates/config.json.j2') }}" + +# Your custom JSON configuration for schildichat should go to `matrix_client_schildichat_configuration_extension_json`. +# This configuration extends the default starting configuration (`matrix_client_schildichat_configuration_default`). +# +# You can override individual variables from the default configuration, or introduce new ones. +# +# If you need something more special, you can take full control by +# completely redefining `matrix_client_schildichat_configuration_default`. 
+# +# Example configuration extension follows: +# +# matrix_client_schildichat_configuration_extension_json: | +# { +# "disable_3pid_login": true, +# "disable_login_language_selector": true +# } +matrix_client_schildichat_configuration_extension_json: '{}' + +matrix_client_schildichat_configuration_extension: "{{ matrix_client_schildichat_configuration_extension_json | from_json if matrix_client_schildichat_configuration_extension_json | from_json is mapping else {} }}" + +# Holds the final schildichat configuration (a combination of the default and its extension). +# You most likely don't need to touch this variable. Instead, see `matrix_client_schildichat_configuration_default`. +matrix_client_schildichat_configuration: "{{ matrix_client_schildichat_configuration_default | combine(matrix_client_schildichat_configuration_extension, recursive=True) }}" + +# schildichat Location sharing functionality +# More info: https://element.io/blog/element-launches-e2ee-location-sharing/ +# How to host your own map tile server: https://matrix.org/docs/guides/map-tile-server +matrix_client_schildichat_location_sharing_enabled: false + +# Default schildichat location sharing map style configuration template which covers the generic use case. +# You can customize it by controlling the various variables inside it. +# +# For a more advanced customization, you can extend the default (see `matrix_client_schildichat_location_sharing_map_style_extension_json`) +# or completely replace this variable with your own template. +# +# The side-effect of this lookup is that Ansible would even parse the JSON for us, returning a dict. +# This is unlike what it does when looking up YAML template files (no automatic parsing there). 
+matrix_client_schildichat_location_sharing_map_style_default: "{{ lookup('template', 'templates/map_style.json.j2') }}" + +# Your custom JSON configuration for schildichat location sharing map style should go to `matrix_client_schildichat_location_sharing_map_style_extension_json`. +# This configuration extends the default starting configuration (`matrix_client_schildichat_location_sharing_map_style_default`). +# +# You can override individual variables from the default configuration, or introduce new ones. +# +# If you need something more special, you can take full control by +# completely redefining `matrix_client_schildichat_location_sharing_map_style_default`. +# +# Example configuration override follows: +# +# matrix_client_schildichat_location_sharing_map_style_extension_json: | +# { +# "sources": { +# "localsource": { +# "tileSize": 512 +# } +# } +# } +# +# Example configuration extension follows: +# +# matrix_client_schildichat_location_sharing_map_style_extension_json: | +# { +# "sources": { +# "anothersource": { +# "attribution": "", +# "tileSize": 256, +# "tiles": ["https://anothertile.example.com/{z}/{x}/{y}.png"], +# "type": "raster" +# } +# } +# } +matrix_client_schildichat_location_sharing_map_style_extension_json: '{}' + +matrix_client_schildichat_location_sharing_map_style_extension: "{{ matrix_client_schildichat_location_sharing_map_style_extension_json | from_json if matrix_client_schildichat_location_sharing_map_style_extension_json | from_json is mapping else {} }}" + +# Holds the final schildichat location sharing map style configuration (a combination of the default and its extension). +# You most likely don't need to touch this variable. Instead, see `matrix_client_schildichat_location_sharing_map_style_default`. 
+matrix_client_schildichat_location_sharing_map_style: "{{ matrix_client_schildichat_location_sharing_map_style_default | combine(matrix_client_schildichat_location_sharing_map_style_extension, recursive=True) }}" + +# Example tile servers configuration +# matrix_client_schildichat_location_sharing_map_style_content_sources_localsource_tiles: ["https://tile.example.com/{z}/{x}/{y}.png"] +# or +# matrix_client_schildichat_location_sharing_map_style_content_sources_localsource_tiles: ["https://s1.example.com/{z}/{x}/{y}.png", "https://s2.example.com/{z}/{x}/{y}.png", "https://s3.example.com/{z}/{x}/{y}.png"] +matrix_client_schildichat_location_sharing_map_style_content_sources_localsource_tiles: [] + +# Map attribution (optional): +# Attribution for OpenStreetMap would be like this: +# matrix_client_schildichat_location_sharing_map_style_content_sources_localsource_attribution: "© OpenStreetMap contributors" +# Leave blank, if map does not require attribution. +matrix_client_schildichat_location_sharing_map_style_content_sources_localsource_attribution: "" diff --git a/roles/custom/matrix-client-schildichat/tasks/main.yml b/roles/custom/matrix-client-schildichat/tasks/main.yml new file mode 100644 index 00000000..240dee1c --- /dev/null +++ b/roles/custom/matrix-client-schildichat/tasks/main.yml 
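Review bot: The header dict built in `matrix_client_schildichat_container_labels_traefik_additional_response_headers_auto` emits the header name `Permission-Policy`, but the header browsers recognise is `Permissions-Policy` (the comment on `matrix_client_schildichat_floc_optout_enabled` itself spells it that way), so the FLoC opt-out this role advertises is never actually applied; the fix is `| combine ({'Permissions-Policy': matrix_client_schildichat_http_header_content_permission_policy} if matrix_client_schildichat_http_header_content_permission_policy else {})`. That same comment block also points readers at `matrix_client_schildichat_content_permission_policy`, which is not a variable this file declares — the one it means is `matrix_client_schildichat_http_header_content_permission_policy`. Worth checking whether the role this file was derived from carries the same spelling.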
@@ -0,0 +1,29 @@ +--- + +- tags: + - setup-all + - setup-client-schildichat + - install-all + - install-client-schildichat + block: + - when: matrix_client_schildichat_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" + + - when: matrix_client_schildichat_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/prepare_themes.yml" + + - when: matrix_client_schildichat_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" + +- tags: + - setup-all + - setup-client-schildichat + block: + - when: not matrix_client_schildichat_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" + +- tags: + - self-check + block: + - when: matrix_client_schildichat_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/self_check.yml" diff --git a/roles/custom/matrix-client-schildichat/tasks/prepare_themes.yml b/roles/custom/matrix-client-schildichat/tasks/prepare_themes.yml new file mode 100644 index 00000000..9e29ef90 --- /dev/null +++ b/roles/custom/matrix-client-schildichat/tasks/prepare_themes.yml 
@@ -0,0 +1,47 @@ +--- + +# +# Tasks related to setting up schildichat themes +# + +- when: matrix_client_schildichat_themes_enabled | bool + run_once: true + delegate_to: 127.0.0.1 + become: false + block: + - name: Ensure schildichat themes repository is pulled + ansible.builtin.git: + repo: "{{ matrix_client_schildichat_themes_repository_url }}" + version: "{{ matrix_client_schildichat_themes_repository_version }}" + dest: "{{ role_path }}/files/scratchpad/themes" + + - name: Find all schildichat theme files + ansible.builtin.find: + paths: "{{ role_path }}/files/scratchpad/themes" + patterns: "*.json" + recurse: true + register: matrix_client_schildichat_theme_file_list + + - name: Read schildichat theme + ansible.builtin.slurp: + path: "{{ item.path }}" + register: "matrix_client_schildichat_theme_file_contents" + with_items: "{{ matrix_client_schildichat_theme_file_list.files }}" + + - name: Load schildichat theme + ansible.builtin.set_fact: + matrix_client_schildichat_setting_defaults_custom_themes: "{{ matrix_client_schildichat_setting_defaults_custom_themes + [item['content'] | b64decode | from_json] }}" # noqa var-naming + with_items: "{{ matrix_client_schildichat_theme_file_contents.results }}" + +# +# Tasks related to getting rid of schildichat themes (if it was previously enabled) +# + +- name: Ensure schildichat themes repository is removed + ansible.builtin.file: + path: "{{ role_path }}/files/scratchpad/themes" + state: absent + run_once: true + delegate_to: 127.0.0.1 + become: false + when: "not matrix_client_schildichat_themes_enabled | bool" diff --git a/roles/custom/matrix-client-schildichat/tasks/self_check.yml b/roles/custom/matrix-client-schildichat/tasks/self_check.yml new file mode 100644 index 00000000..2963e2ba --- /dev/null +++ b/roles/custom/matrix-client-schildichat/tasks/self_check.yml 
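Review bot: The themes block clones `matrix_client_schildichat_themes_repository_url` on the controller at `matrix_client_schildichat_themes_repository_version`, whose default in `defaults/main.yml` is the moving branch `master`, and then feeds every `*.json` file found in the checkout into `matrix_client_schildichat_setting_defaults_custom_themes`, i.e. into the `config.json` served to every user of the client. Since the git task appears to update the checkout on each run, whatever that branch contains at the time ends up in the served configuration with no pinning or integrity check; defaulting the version to a tag or commit hash, or at least stating in the defaults comment that the repository owner is being trusted, would make that explicit. A comment above the block along the lines of `# Theme JSON is taken verbatim from the checked-out repository; pin matrix_client_schildichat_themes_repository_version to a tag/commit for reproducible results` would also help the next maintainer.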
@@ -0,0 +1,24 @@ +--- + +- ansible.builtin.set_fact: + matrix_client_schildichat_url_endpoint_public: "https://{{ matrix_server_fqn_schildichat }}/config.json" + +- name: Check schildichat + ansible.builtin.uri: + url: "{{ matrix_client_schildichat_url_endpoint_public }}" + follow_redirects: none + validate_certs: "{{ matrix_client_schildichat_self_check_validate_certificates }}" + register: matrix_client_schildichat_self_check_result + check_mode: false + ignore_errors: true + delegate_to: 127.0.0.1 + become: false + +- name: Fail if schildichat not working + ansible.builtin.fail: + msg: "Failed checking schildichat is up at `{{ matrix_server_fqn_schildichat }}` (checked endpoint: `{{ matrix_client_schildichat_url_endpoint_public }}`). Is schildichat running? Is port 443 open in your firewall? Full error: {{ matrix_client_schildichat_self_check_result }}" + when: "matrix_client_schildichat_self_check_result.failed or 'json' not in matrix_client_schildichat_self_check_result" + +- name: Report working schildichat + ansible.builtin.debug: + msg: "schildichat at `{{ matrix_server_fqn_schildichat }}` is working (checked endpoint: `{{ matrix_client_schildichat_url_endpoint_public }}`)" diff --git a/roles/custom/matrix-client-schildichat/tasks/setup_install.yml b/roles/custom/matrix-client-schildichat/tasks/setup_install.yml new file mode 100644 index 00000000..c2c7b748 --- /dev/null +++ b/roles/custom/matrix-client-schildichat/tasks/setup_install.yml 
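Review bot: `matrix_client_schildichat_url_endpoint_public` is built from `matrix_server_fqn_schildichat` and a fixed `/config.json`, while `defaults/main.yml` states that under Traefik the served hostname is `matrix_client_schildichat_hostname` and the path is `matrix_client_schildichat_path_prefix`; with a customised hostname or a non-`/` prefix the self-check would probe a URL the client is not served at and report a false failure. Deriving the endpoint from those variables, e.g. `matrix_client_schildichat_url_endpoint_public: "https://{{ matrix_client_schildichat_hostname }}{{ '' if matrix_client_schildichat_path_prefix == '/' else matrix_client_schildichat_path_prefix }}/config.json"`, keeps it consistent with the labels. The `map_style_url` in `templates/config.json.j2` hard-codes `matrix_server_fqn_schildichat` in the same way. I can't tell from this diff whether the matrix-nginx-proxy path still requires the FQN, so the change may need to be conditional on the reverse-proxy in use.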
@@ -0,0 +1,109 @@ +--- + +- name: Ensure schildichat paths exists + ansible.builtin.file: + path: "{{ item.path }}" + state: directory + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: + - {path: "{{ matrix_client_schildichat_data_path }}", when: true} + - {path: "{{ matrix_client_schildichat_docker_src_files_path }}", when: "{{ matrix_client_schildichat_container_image_self_build }}"} + when: "item.when | bool" + +- name: Ensure schildichat Docker image is pulled + community.docker.docker_image: + name: "{{ matrix_client_schildichat_docker_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_client_schildichat_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_client_schildichat_docker_image_force_pull }}" + when: "not matrix_client_schildichat_container_image_self_build | bool" + register: result + retries: "{{ devture_playbook_help_container_retries_count }}" + delay: "{{ devture_playbook_help_container_retries_delay }}" + until: result is not failed + +- name: Ensure schildichat repository is present on self-build + ansible.builtin.git: + repo: "{{ matrix_client_schildichat_container_image_self_build_repo }}" + dest: "{{ matrix_client_schildichat_docker_src_files_path }}" + version: "{{ matrix_client_schildichat_docker_image.split(':')[1] }}" + force: "yes" + become: true + become_user: "{{ matrix_user_username }}" + register: matrix_client_schildichat_git_pull_results + when: "matrix_client_schildichat_container_image_self_build | bool" + +# See: +# - https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1357 +# - https://github.com/vector-im/schildichat-web/issues/19544 +- name: Patch webpack.config.js to support building on low-memory (<4G RAM) devices + ansible.builtin.lineinfile: + 
path: "{{ matrix_client_schildichat_docker_src_files_path }}/webpack.config.js" + regexp: '(\s+)splitChunks: \{' + line: '\1splitChunks: { maxSize: 100000,' + backrefs: true + owner: root + group: root + mode: '0644' + when: "matrix_client_schildichat_container_image_self_build | bool and matrix_client_schildichat_container_image_self_build_low_memory_system_patch_enabled | bool" + +- name: Ensure schildichat Docker image is built + ansible.builtin.command: + cmd: |- + {{ devture_systemd_docker_base_host_command_docker }} buildx build + --tag={{ matrix_client_schildichat_docker_image }} + --file={{ matrix_client_schildichat_docker_src_files_path }}/Dockerfile + {{ matrix_client_schildichat_docker_src_files_path }} + changed_when: true + when: matrix_client_schildichat_container_image_self_build | bool + +- name: Ensure schildichat configuration installed + ansible.builtin.copy: + content: "{{ matrix_client_schildichat_configuration | to_nice_json }}" + dest: "{{ matrix_client_schildichat_data_path }}/config.json" + mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + +- name: Ensure schildichat location sharing map style installed + when: matrix_client_schildichat_location_sharing_enabled | bool + ansible.builtin.copy: + content: "{{ matrix_client_schildichat_location_sharing_map_style | to_nice_json }}" + dest: "{{ matrix_client_schildichat_data_path }}/map_style.json" + mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + +- name: Ensure schildichat config files installed + ansible.builtin.template: + src: "{{ item.src }}" + dest: "{{ matrix_client_schildichat_data_path }}/{{ item.name }}" + mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: + - {src: "{{ role_path }}/templates/labels.j2", name: "labels"} + - {src: "{{ matrix_client_schildichat_page_template_welcome_path }}", name: "welcome.html"} + - {src: "{{ 
matrix_client_schildichat_embedded_pages_home_path }}", name: "home.html"} + when: "item.src is not none" + +- name: Ensure schildichat config files removed + ansible.builtin.file: + path: "{{ matrix_client_schildichat_data_path }}/{{ item.name }}" + state: absent + with_items: + - {src: "{{ matrix_client_schildichat_embedded_pages_home_path }}", name: "home.html"} + when: "item.src is none" + +- name: Ensure schildichat container network is created + community.general.docker_network: + name: "{{ matrix_client_schildichat_container_network }}" + driver: bridge + +- name: Ensure matrix-client-schildichat.service installed + ansible.builtin.template: + src: "{{ role_path }}/templates/systemd/matrix-client-schildichat.service.j2" + dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-client-schildichat.service" + mode: 0644 diff --git a/roles/custom/matrix-client-schildichat/tasks/setup_uninstall.yml b/roles/custom/matrix-client-schildichat/tasks/setup_uninstall.yml new file mode 100644 index 00000000..f752ba30 --- /dev/null +++ b/roles/custom/matrix-client-schildichat/tasks/setup_uninstall.yml @@ -0,0 +1,25 @@ +--- + +- name: Check existence of matrix-client-schildichat.service + ansible.builtin.stat: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-client-schildichat.service" + register: matrix_client_schildichat_service_stat + +- when: matrix_client_schildichat_service_stat.stat.exists | bool + block: + - name: Ensure matrix-client-schildichat is stopped + ansible.builtin.service: + name: matrix-client-schildichat + state: stopped + enabled: false + daemon_reload: true + + - name: Ensure matrix-client-schildichat.service doesn't exist + ansible.builtin.file: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-client-schildichat.service" + state: absent + + - name: Ensure schildichat path doesn't exist + ansible.builtin.file: + path: "{{ matrix_client_schildichat_data_path }}" + state: absent 
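Review bot: The self-build tasks reference `matrix_client_schildichat_container_image_self_build_repo` (the git `repo:`) and `matrix_client_schildichat_container_image_self_build_low_memory_system_patch_enabled` (the webpack patch `when:`), and neither is declared in the `defaults/main.yml` added by this commit as far as the diff shows, so enabling `matrix_client_schildichat_container_image_self_build` would stop on an undefined variable unless they are set elsewhere; declaring both in defaults (a repository URL and `false`) and having `tasks/validate_config.yml` reject an empty repo when self-build is on would close that. The comment above the webpack patch links to `vector-im/schildichat-web/issues/19544`, which looks like a search-and-replace artifact of the original Element issue reference and should be checked. Minor: `mode: 0750` and `mode: 0644` are unquoted octals here while the webpack task uses `'0644'`; quoting all of them avoids the YAML 1.1 integer interpretation that ansible-lint's `risky-octal` rule warns about.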
diff --git a/roles/custom/matrix-client-schildichat/tasks/validate_config.yml b/roles/custom/matrix-client-schildichat/tasks/validate_config.yml
new file mode 100644
index 00000000..f0162645
--- /dev/null
+++ b/roles/custom/matrix-client-schildichat/tasks/validate_config.yml
@@ -0,0 +1,37 @@ +--- + +- name: Fail if required schildichat settings not defined + ansible.builtin.fail: + msg: > + You need to define a required configuration setting (`{{ item }}`) for using schildichat. + when: "vars[item] == ''" + with_items: + - "matrix_client_schildichat_default_hs_url" + +- name: Fail if schildichat location sharing enabled, but no tile server defined + ansible.builtin.fail: + msg: >- + You need to define at least one map tile server in matrix_client_schildichat_location_sharing_map_style_content_sources_localsource_tiles list + when: + - matrix_client_schildichat_location_sharing_enabled | bool + - matrix_client_schildichat_location_sharing_map_style_content_sources_localsource_tiles | length == 0 + +- when: matrix_client_schildichat_container_labels_traefik_enabled | bool + block: + - name: Fail if required matrix-client-schildichat Traefik settings not defined + ansible.builtin.fail: + msg: >- + You need to define a required configuration setting (`{{ item }}`). + when: "vars[item] == ''" + with_items: + - matrix_client_schildichat_container_labels_traefik_hostname + - matrix_client_schildichat_container_labels_traefik_path_prefix + + # We ensure it doesn't end with a slash, because we handle both (slash and no-slash). + # Knowing that `matrix_client_schildichat_container_labels_traefik_path_prefix` does not end with a slash + # ensures we know how to set these routes up without having to do "does it end with a slash" checks elsewhere. + - name: Fail if matrix_client_schildichat_container_labels_traefik_path_prefix ends with a slash + ansible.builtin.fail: + msg: >- + matrix_client_schildichat_container_labels_traefik_path_prefix (`{{ matrix_client_schildichat_container_labels_traefik_path_prefix }}`) must either be `/` or not end with a slash (e.g. `/schildichat`). + when: "matrix_client_schildichat_container_labels_traefik_path_prefix != '/' and matrix_client_schildichat_container_labels_traefik_path_prefix[-1] == '/'" 
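Review bot: The first task's failure message uses `msg: >` (folded, trailing newline kept) while the other two tasks in this file use `msg: >-`, so one message ends in a newline and the others do not; using `msg: >-` on the first task as well keeps the output consistent. Separately, nothing here checks the self-build inputs: when `matrix_client_schildichat_container_image_self_build` is on, a task mirroring the Traefik block that fails on an empty `matrix_client_schildichat_container_image_self_build_repo` would surface misconfiguration before the git task runs.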
diff --git a/roles/custom/matrix-client-schildichat/templates/config.json.j2 b/roles/custom/matrix-client-schildichat/templates/config.json.j2
new file mode 100644
index 00000000..fcf60f5d
--- /dev/null
+++ b/roles/custom/matrix-client-schildichat/templates/config.json.j2
@@ -0,0 +1,49 @@ +{ + "default_server_config": { + "m.homeserver": { + "base_url": {{ matrix_client_schildichat_default_hs_url | string | to_json }}, + "server_name": {{ matrix_client_schildichat_default_server_name | string | to_json }} + }, + "m.identity_server": { + "base_url": {{ matrix_client_schildichat_default_is_url | string | to_json }} + } + }, + "setting_defaults": { + "custom_themes": {{ matrix_client_schildichat_setting_defaults_custom_themes | to_json }} + }, + "default_theme": {{ matrix_client_schildichat_default_theme | string | to_json }}, + "default_country_code": {{ matrix_client_schildichat_default_country_code | string | to_json }}, + "permalink_prefix": {{ matrix_client_schildichat_permalink_prefix | string | to_json }}, + "disable_custom_urls": {{ matrix_client_schildichat_disable_custom_urls | to_json }}, + "disable_guests": {{ matrix_client_schildichat_disable_guests | to_json }}, + "brand": {{ matrix_client_schildichat_brand | to_json }}, + "integrations_ui_url": {{ matrix_client_schildichat_integrations_ui_url | string | to_json }}, + "integrations_rest_url": {{ matrix_client_schildichat_integrations_rest_url | string | to_json }}, + "integrations_widgets_urls": {{ matrix_client_schildichat_integrations_widgets_urls | to_json }}, + "integrations_jitsi_widget_url": {{ matrix_client_schildichat_integrations_jitsi_widget_url | string | to_json }}, + "bug_report_endpoint_url": {{ matrix_client_schildichat_bug_report_endpoint_url | to_json }}, + "show_labs_settings": {{ matrix_client_schildichat_show_lab_settings | to_json }}, + "room_directory": { + "servers": {{ matrix_client_schildichat_room_directory_servers | to_json }} + }, + "welcome_user_id": {{ matrix_client_schildichat_welcome_user_id | to_json }}, + {% if matrix_client_schildichat_enable_presence_by_hs_url is not none %} + "enable_presence_by_hs_url": {{ matrix_client_schildichat_enable_presence_by_hs_url | to_json }}, + {% endif %} + "embedded_pages": { + "homeUrl": {{ 
matrix_client_schildichat_embedded_pages_home_url | string | to_json }} + }, + {% if matrix_client_schildichat_jitsi_preferred_domain %} + "jitsi": { + "preferred_domain": {{ matrix_client_schildichat_jitsi_preferred_domain | to_json }} + }, + {% endif %} + {% if matrix_client_schildichat_location_sharing_enabled %} + "map_style_url": "https://{{ matrix_server_fqn_schildichat }}/map_style.json", + {% endif %} + "branding": { + "auth_footer_links": {{ matrix_client_schildichat_branding_auth_footer_links | to_json }}, + "auth_header_logo_url": {{ matrix_client_schildichat_branding_auth_header_logo_url | to_json }}, + "welcome_background_url": {{ matrix_client_schildichat_branding_welcome_background_url | to_json }} + } +} diff --git a/roles/custom/matrix-client-schildichat/templates/labels.j2 b/roles/custom/matrix-client-schildichat/templates/labels.j2 new file mode 100644 index 00000000..85e27982 --- /dev/null +++ b/roles/custom/matrix-client-schildichat/templates/labels.j2 
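Review bot: `"map_style_url": "https://{{ matrix_server_fqn_schildichat }}/map_style.json"` is the only value in this template built by string concatenation rather than `| to_json`, and it does not take `matrix_client_schildichat_container_labels_traefik_path_prefix` into account, whereas every other URL is a variable the operator controls. If the client is served under a non-`/` prefix (the labels template strips that prefix before the request reaches nginx, so the public URL presumably needs it), the map style would be requested from the wrong path — please confirm. Consider defining the URL as a default variable (e.g. built from the FQN and path prefix) and emitting it here as `"map_style_url": {{ matrix_client_schildichat_location_sharing_map_style_url | string | to_json }},`, which also gives the operator a single override point. A smaller style point: the presence block tests `is not none` while the jitsi block tests truthiness; pick one convention for optional values.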
@@ -0,0 +1,45 @@ +{% if matrix_client_schildichat_container_labels_traefik_enabled %} +traefik.enable=true + +{% if matrix_client_schildichat_container_labels_traefik_docker_network %} +traefik.docker.network={{ matrix_client_schildichat_container_labels_traefik_docker_network }} +{% endif %} + +{% set middlewares = [] %} + +{% if matrix_client_schildichat_container_labels_traefik_path_prefix != '/' %} +traefik.http.middlewares.matrix-client-schildichat-slashless-redirect.redirectregex.regex=({{ matrix_client_schildichat_container_labels_traefik_path_prefix | quote }})$ +traefik.http.middlewares.matrix-client-schildichat-slashless-redirect.redirectregex.replacement=${1}/ +{% set middlewares = middlewares + ['matrix-client-schildichat-slashless-redirect'] %} +{% endif %} + +{% if matrix_client_schildichat_container_labels_traefik_path_prefix != '/' %} +traefik.http.middlewares.matrix-client-schildichat-strip-prefix.stripprefix.prefixes={{ matrix_client_schildichat_container_labels_traefik_path_prefix }} +{% set middlewares = middlewares + ['matrix-client-schildichat-strip-prefix'] %} +{% endif %} + +{% if matrix_client_schildichat_container_labels_traefik_additional_response_headers.keys() | length > 0 %} +{% for name, value in matrix_client_schildichat_container_labels_traefik_additional_response_headers.items() %} +traefik.http.middlewares.matrix-client-schildichat-add-headers.headers.customresponseheaders.{{ name }}={{ value }} +{% endfor %} +{% set middlewares = middlewares + ['matrix-client-schildichat-add-headers'] %} +{% endif %} + +traefik.http.routers.matrix-client-schildichat.rule={{ matrix_client_schildichat_container_labels_traefik_rule }} +{% if matrix_client_schildichat_container_labels_traefik_priority | int > 0 %} +traefik.http.routers.matrix-client-schildichat.priority={{ matrix_client_schildichat_container_labels_traefik_priority }} +{% endif %} +traefik.http.routers.matrix-client-schildichat.service=matrix-client-schildichat +{% if middlewares | 
length > 0 %} +traefik.http.routers.matrix-client-schildichat.middlewares={{ middlewares | join(',') }} +{% endif %} +traefik.http.routers.matrix-client-schildichat.entrypoints={{ matrix_client_schildichat_container_labels_traefik_entrypoints }} +traefik.http.routers.matrix-client-schildichat.tls={{ matrix_client_schildichat_container_labels_traefik_tls | to_json }} +{% if matrix_client_schildichat_container_labels_traefik_tls %} +traefik.http.routers.matrix-client-schildichat.tls.certResolver={{ matrix_client_schildichat_container_labels_traefik_tls_certResolver }} +{% endif %} + +traefik.http.services.matrix-client-schildichat.loadbalancer.server.port=8080 +{% endif %} + +{{ matrix_client_schildichat_container_labels_additional_labels }} diff --git a/roles/custom/matrix-client-schildichat/templates/map_style.json.j2 b/roles/custom/matrix-client-schildichat/templates/map_style.json.j2 new file mode 100644 index 00000000..5889e0eb --- /dev/null +++ b/roles/custom/matrix-client-schildichat/templates/map_style.json.j2 @@ -0,0 +1,18 @@ +{ + "layers": [ + { + "id": "locallayer", + "source": "localsource", + "type": "raster" + } + ], + "sources": { + "localsource": { + "attribution": {{ matrix_client_schildichat_location_sharing_map_style_content_sources_localsource_attribution|to_json }}, + "tileSize": 256, + "tiles": {{ matrix_client_schildichat_location_sharing_map_style_content_sources_localsource_tiles|to_json }}, + "type": "raster" + } + }, + "version": 8 +} diff --git a/roles/custom/matrix-client-schildichat/templates/systemd/matrix-client-schildichat.service.j2 b/roles/custom/matrix-client-schildichat/templates/systemd/matrix-client-schildichat.service.j2 new file mode 100644 index 00000000..8905f1ed --- /dev/null +++ b/roles/custom/matrix-client-schildichat/templates/systemd/matrix-client-schildichat.service.j2 
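Review bot: `redirectregex.regex=({{ matrix_client_schildichat_container_labels_traefik_path_prefix | quote }})$` uses the `quote` filter, which is Ansible's shell-quoting filter and does not escape regex metacharacters; for a plain prefix such as `/schildichat` it is a no-op, but a prefix containing `.` or `+` would be matched as a pattern, so `| regex_escape` is the filter that matches the intent (the `stripprefix.prefixes=` line below correctly emits the prefix unescaped). The `customresponseheaders.{{ name }}={{ value }}` lines are written verbatim into the label file, so a comment noting that header names/values must be single-line label-safe strings would help operators, e.g. `{# header names/values are emitted raw into the label file: one line each, no newlines #}`. Both points apply equally to the sibling role templates this file was evidently copied from.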
@@ -0,0 +1,57 @@ +#jinja2: lstrip_blocks: "True" +[Unit] +Description=Matrix schildichat server +{% for service in matrix_client_schildichat_systemd_required_services_list %} +Requires={{ service }} +After={{ service }} +{% endfor %} +DefaultDependencies=no + +[Service] +Type=simple +Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}" +ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-client-schildichat 2>/dev/null || true' +ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-client-schildichat 2>/dev/null || true' + +ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \ + --rm \ + --name=matrix-client-schildichat \ + --log-driver=none \ + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + --cap-drop=ALL \ + --read-only \ + --network={{ matrix_client_schildichat_container_network }} \ + {% if matrix_client_schildichat_container_http_host_bind_port %} + -p {{ matrix_client_schildichat_container_http_host_bind_port }}:8080 \ + {% endif %} + --label-file={{ matrix_client_schildichat_data_path }}/labels \ + --tmpfs=/tmp:rw,noexec,nosuid,size=10m \ + --mount type=bind,src={{ matrix_client_schildichat_data_path }}/config.json,dst=/usr/share/nginx/html/config.json,ro \ + --mount type=bind,src={{ matrix_client_schildichat_data_path }}/config.json,dst=/usr/share/nginx/html/config.{{ matrix_server_fqn_schildichat }}.json,ro \ + {% if matrix_client_schildichat_location_sharing_enabled %} + --mount type=bind,src={{ matrix_client_schildichat_data_path }}/map_style.json,dst=/usr/share/nginx/html/map_style.json,ro \ + {% endif %} + {% if matrix_client_schildichat_embedded_pages_home_path is not none %} + --mount type=bind,src={{ matrix_client_schildichat_data_path }}/home.html,dst=/usr/share/nginx/html/home.html,ro \ + {% endif %} + --mount type=bind,src={{ 
matrix_client_schildichat_data_path }}/welcome.html,dst=/usr/share/nginx/html/welcome.html,ro \ + {% for arg in matrix_client_schildichat_container_extra_arguments %} + {{ arg }} \ + {% endfor %} + {{ matrix_client_schildichat_docker_image }} + +{% for network in matrix_client_schildichat_container_additional_networks %} +ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} matrix-client-schildichat +{% endfor %} + +ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach matrix-client-schildichat + +ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-client-schildichat 2>/dev/null || true' +ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-client-schildichat 2>/dev/null || true' + +Restart=always +RestartSec=30 +SyslogIdentifier=matrix-client-schildichat + +[Install] +WantedBy=multi-user.target diff --git a/roles/custom/matrix-client-schildichat/templates/welcome.html.j2 b/roles/custom/matrix-client-schildichat/templates/welcome.html.j2 new file mode 100644 index 00000000..f5b22b64 --- /dev/null +++ b/roles/custom/matrix-client-schildichat/templates/welcome.html.j2 @@ -0,0 +1,205 @@ +#jinja2: lstrip_blocks: "True" + + +
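Review bot: `Description=Matrix schildichat server` describes a container that serves a web client, not a server; `Description=Matrix SchildiChat client` would be accurate in `systemctl status` output. The `--read-only` root with a single `--tmpfs=/tmp:rw,noexec,nosuid,size=10m` is a good hardening default, but it relies on the image's nginx not needing a writable cache/pid directory — worth a one-line comment above the `--tmpfs` argument saying which image layout this assumes, so a future image swap does not silently break startup.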
+ + + +

{{ matrix_client_schildichat_welcome_headline }}

+

{{ matrix_client_schildichat_welcome_text }}

+
+
+ +
_t("Sign In")
+
+{% if matrix_client_schildichat_registration_enabled %} + +
_t("Create Account")
+
+{% endif %} +
+{% if matrix_client_schildichat_disable_guests != true %} + + + + +{% endif %} +
+
diff --git a/roles/custom/matrix-client-schildichat/vars/main.yml b/roles/custom/matrix-client-schildichat/vars/main.yml new file mode 100644 index 00000000..bbd0d3dd --- /dev/null +++ b/roles/custom/matrix-client-schildichat/vars/main.yml @@ -0,0 +1,3 @@ +--- + +matrix_client_schildichat_embedded_pages_home_url: "{{ ('' if matrix_client_schildichat_embedded_pages_home_path is none else 'home.html') }}" diff --git a/roles/custom/matrix-conduit/defaults/main.yml b/roles/custom/matrix-conduit/defaults/main.yml index 7673a7d2..5259837e 100644 --- a/roles/custom/matrix-conduit/defaults/main.yml +++ b/roles/custom/matrix-conduit/defaults/main.yml @@ -6,7 +6,8 @@ matrix_conduit_enabled: true matrix_conduit_docker_image: "{{ matrix_conduit_docker_image_name_prefix }}matrixconduit/matrix-conduit:{{ matrix_conduit_docker_image_tag }}" matrix_conduit_docker_image_name_prefix: "docker.io/" -matrix_conduit_docker_image_tag: "v0.5.0" +# renovate: datasource=docker depName=matrixconduit/matrix-conduit +matrix_conduit_docker_image_tag: "v0.6.0" matrix_conduit_docker_image_force_pull: "{{ matrix_conduit_docker_image.endswith(':latest') }}" matrix_conduit_base_path: "{{ matrix_base_data_path }}/conduit" diff --git a/roles/custom/matrix-corporal/defaults/main.yml b/roles/custom/matrix-corporal/defaults/main.yml index 2b703bdd..43296b5f 100644 --- a/roles/custom/matrix-corporal/defaults/main.yml +++ b/roles/custom/matrix-corporal/defaults/main.yml 
@@ -23,7 +23,8 @@ matrix_corporal_container_extra_arguments: [] # List of systemd services that matrix-corporal.service depends on matrix_corporal_systemd_required_services_list: ['docker.service'] -matrix_corporal_version: 2.5.2 +# renovate: datasource=docker depName=devture/matrix-corporal +matrix_corporal_version: 2.6.0 matrix_corporal_docker_image: "{{ matrix_corporal_docker_image_name_prefix }}devture/matrix-corporal:{{ matrix_corporal_docker_image_tag }}" matrix_corporal_docker_image_name_prefix: "{{ 'localhost/' if matrix_corporal_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_corporal_docker_image_tag: "{{ matrix_corporal_version }}" # for backward-compatibility diff --git a/roles/custom/matrix-coturn/defaults/main.yml b/roles/custom/matrix-coturn/defaults/main.yml index dd25df70..3080bbd2 100644 --- a/roles/custom/matrix-coturn/defaults/main.yml +++ b/roles/custom/matrix-coturn/defaults/main.yml @@ -8,7 +8,8 @@ matrix_coturn_container_image_self_build_repo: "https://github.com/coturn/coturn matrix_coturn_container_image_self_build_repo_version: "docker/{{ matrix_coturn_version }}" matrix_coturn_container_image_self_build_repo_dockerfile_path: "docker/coturn/alpine/Dockerfile" -matrix_coturn_version: 4.6.2-r4 +# renovate: datasource=docker depName=coturn/coturn +matrix_coturn_version: 4.6.2-r5 matrix_coturn_docker_image: "{{ matrix_coturn_docker_image_name_prefix }}coturn/coturn:{{ matrix_coturn_version }}-alpine" matrix_coturn_docker_image_name_prefix: "{{ 'localhost/' if matrix_coturn_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_coturn_docker_image_force_pull: "{{ matrix_coturn_docker_image.endswith(':latest') }}" 
@@ -73,8 +74,25 @@ matrix_coturn_turn_udp_max_port: 49172 matrix_coturn_turn_static_auth_secret: "" # The external IP address of the machine where Coturn is. +# If do not define an IP address here or in `matrix_coturn_turn_external_ip_addresses`, auto-detection via an EchoIP service will be done. +# See `matrix_coturn_turn_external_ip_address_auto_detection_enabled` matrix_coturn_turn_external_ip_address: '' -matrix_coturn_turn_external_ip_addresses: ["{{ matrix_coturn_turn_external_ip_address }}"] +matrix_coturn_turn_external_ip_addresses: "{{ [matrix_coturn_turn_external_ip_address] if matrix_coturn_turn_external_ip_address != '' else [] }}" + +# Controls whether external IP address auto-detection should be attempted. +# We try to do this if there is no external IP address explicitly configured and if an EchoIP service URL is specified. +# See matrix_coturn_turn_external_ip_address_auto_detection_echoip_service_url +matrix_coturn_turn_external_ip_address_auto_detection_enabled: "{{ matrix_coturn_turn_external_ip_addresses | length == 0 and matrix_coturn_turn_external_ip_address_auto_detection_echoip_service_url != '' }}" + +# Specifies the address of the EchoIP service (https://github.com/mpolden/echoip) to use for detecting the external IP address. +# By default, we use the official public instance. +matrix_coturn_turn_external_ip_address_auto_detection_echoip_service_url: https://ifconfig.co/json + +# Controls whether SSL certificates will be validated when contacting the EchoIP service (matrix_coturn_turn_external_ip_address_auto_detection_echoip_service_url) +matrix_coturn_turn_external_ip_address_auto_detection_echoip_validate_certs: true + +matrix_coturn_turn_external_ip_address_auto_detection_echoip_service_retries_count: "{{ devture_playbook_help_geturl_retries_count }}" +matrix_coturn_turn_external_ip_address_auto_detection_echoip_service_retries_delay: "{{ devture_playbook_help_geturl_retries_delay }}" matrix_coturn_allowed_peer_ips: [] 
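Review bot: The new comment above `matrix_coturn_turn_external_ip_address` has a grammar slip ("If do not define") and, more importantly, understates what now happens by default: with no address configured, the playbook contacts the public third-party service at `https://ifconfig.co/json` during installation and writes whatever it returns into `turnserver.conf` as `external-ip`. Operators in restricted or air-gapped networks should be able to see that from the defaults file, so I would write `# If you do not define an IP address here or in `matrix_coturn_turn_external_ip_addresses`, auto-detection via an EchoIP service (an outbound HTTPS request to a third-party host) will be done.` and mention that setting `matrix_coturn_turn_external_ip_address_auto_detection_echoip_service_url: ""` disables it. Keeping `..._echoip_validate_certs: true` as the default is the right call; a comment noting that turning it off lets anyone on the network path choose the advertised TURN address would make the trade-off explicit.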
diff --git a/roles/custom/matrix-coturn/tasks/setup_install.yml b/roles/custom/matrix-coturn/tasks/setup_install.yml index 503ffae1..fbeba92d 100644 --- a/roles/custom/matrix-coturn/tasks/setup_install.yml +++ b/roles/custom/matrix-coturn/tasks/setup_install.yml 
@@ -1,5 +1,37 @@ --- +- when: matrix_coturn_turn_external_ip_address_auto_detection_enabled | bool + block: + - name: Fail if enabled, but EchoIP service URL unset + when: matrix_coturn_turn_external_ip_address_auto_detection_echoip_service_url == '' + ansible.builtin.fail: + msg: "To use the external IP address auto-detection feature, you need to set matrix_coturn_turn_external_ip_address_auto_detection_echoip_service_url" + + # NOTE: + # `ansible.builtin.uri` does not provide a way to configure whether IPv4 or IPv6 is used. + # Luckily, the default instance we use does not define AAAA records for now, so it's always IPv4. + - name: Fetch IP address information from EchoIP service + ansible.builtin.uri: + url: "{{ matrix_coturn_turn_external_ip_address_auto_detection_echoip_service_url }}" + headers: + Content-Type: application/json + follow_redirects: none + validate_certs: "{{ matrix_coturn_turn_external_ip_address_auto_detection_echoip_validate_certs }}" + register: result_matrix_coturn_turn_external_ip_address_auto_detection_echoip_response + ignore_errors: true + check_mode: false + retries: "{{ matrix_coturn_turn_external_ip_address_auto_detection_echoip_service_retries_count }}" + delay: "{{ matrix_coturn_turn_external_ip_address_auto_detection_echoip_service_retries_delay }}" + until: not result_matrix_coturn_turn_external_ip_address_auto_detection_echoip_response.failed + + - name: Fail if EchoIP service failed + when: "(result_matrix_coturn_turn_external_ip_address_auto_detection_echoip_response.failed or 'json' not in result_matrix_coturn_turn_external_ip_address_auto_detection_echoip_response)" + ansible.builtin.fail: + msg: "Failed contacting EchoIP service API at `{{ matrix_coturn_turn_external_ip_address_auto_detection_echoip_service_url }}` (controlled by `matrix_coturn_turn_external_ip_address_auto_detection_echoip_service_url`). 
Full error: {{ result_matrix_coturn_turn_external_ip_address_auto_detection_echoip_response }}" + + - ansible.builtin.set_fact: + matrix_coturn_turn_external_ip_address: "{{ result_matrix_coturn_turn_external_ip_address_auto_detection_echoip_response.json.ip }}" + - name: Ensure Matrix Coturn path exists ansible.builtin.file: path: "{{ item.path }}" diff --git a/roles/custom/matrix-coturn/templates/turnserver.conf.j2 b/roles/custom/matrix-coturn/templates/turnserver.conf.j2 index 3ed7b99f..b4688ff9 100644 --- a/roles/custom/matrix-coturn/templates/turnserver.conf.j2 +++ b/roles/custom/matrix-coturn/templates/turnserver.conf.j2 @@ -5,7 +5,7 @@ realm=turn.{{ matrix_server_fqn_matrix }} min-port={{ matrix_coturn_turn_udp_min_port }} max-port={{ matrix_coturn_turn_udp_max_port }} -{% for ip in matrix_coturn_turn_external_ip_addresses|select('ne', '') %} +{% for ip in matrix_coturn_turn_external_ip_addresses %} external-ip={{ ip }} {% endfor %} diff --git a/roles/custom/matrix-dendrite/defaults/main.yml b/roles/custom/matrix-dendrite/defaults/main.yml index 5cfbfe15..9830021b 100644 --- a/roles/custom/matrix-dendrite/defaults/main.yml +++ b/roles/custom/matrix-dendrite/defaults/main.yml 
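Review bot: The `set_fact` at the end of the block copies `...echoip_response.json.ip` straight into `matrix_coturn_turn_external_ip_address` (and from there into `turnserver.conf`) without checking that it is an IP address, so an unexpected or malformed response from the external service would be written into the TURN configuration and only fail at coturn startup, if at all. A shape check between the "Fail if EchoIP service failed" task and the `set_fact` catches that early; the `set_fact` task could also get a `name:` for readable play output. Separately, `Content-Type: application/json` is the wrong header for a GET — `Accept: application/json` is what content negotiation reads — though the `/json` path makes it harmless here. The `ansible.utils.ipaddr` filter would be the stricter check if that collection (and the `netaddr` library it needs) is available in this playbook; the regex below is a stdlib-only fallback.

```yaml
    # … unchanged: "Fail if EchoIP service failed" task …

    - name: Fail if EchoIP service returned something that is not an IP address
      # Loose shape check only; replace with `ansible.utils.ipaddr` if that collection is available.
      when: "not ((result_matrix_coturn_turn_external_ip_address_auto_detection_echoip_response.json.ip | default('') | string) is match('^[0-9A-Fa-f.:]+$'))"
      ansible.builtin.fail:
        msg: "EchoIP service at `{{ matrix_coturn_turn_external_ip_address_auto_detection_echoip_service_url }}` returned an unexpected `ip` value: `{{ result_matrix_coturn_turn_external_ip_address_auto_detection_echoip_response.json.ip | default('') }}`"

    - name: Set matrix_coturn_turn_external_ip_address from EchoIP response
      ansible.builtin.set_fact:
        matrix_coturn_turn_external_ip_address: "{{ result_matrix_coturn_turn_external_ip_address_auto_detection_echoip_response.json.ip }}"
```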
@@ -10,7 +10,8 @@ matrix_dendrite_container_image_self_build_repo: "https://github.com/matrix-org/ matrix_dendrite_docker_image_path: "matrixdotorg/dendrite-monolith" matrix_dendrite_docker_image: "{{ matrix_dendrite_docker_image_name_prefix }}{{ matrix_dendrite_docker_image_path }}:{{ matrix_dendrite_docker_image_tag }}" matrix_dendrite_docker_image_name_prefix: "{{ 'localhost/' if matrix_dendrite_container_image_self_build else matrix_container_global_registry_prefix }}" -matrix_dendrite_docker_image_tag: "v0.13.1" +# renovate: datasource=docker depName=matrixdotorg/dendrite-monolith +matrix_dendrite_docker_image_tag: "v0.13.4" matrix_dendrite_docker_image_force_pull: "{{ matrix_dendrite_docker_image.endswith(':latest') }}" matrix_dendrite_base_path: "{{ matrix_base_data_path }}/dendrite" @@ -156,6 +157,7 @@ matrix_dendrite_database_str: "postgresql://{{ matrix_dendrite_database_user }}: matrix_dendrite_database_hostname: "" matrix_dendrite_database_user: "dendrite" matrix_dendrite_database_password: "itsasecret" +matrix_dendrite_database_sslmode: disable matrix_dendrite_federation_api_database: "dendrite_federationapi" matrix_dendrite_key_server_database: "dendrite_keyserver" matrix_dendrite_media_api_database: "dendrite_mediaapi" diff --git a/roles/custom/matrix-dendrite/templates/dendrite/dendrite.yaml.j2 b/roles/custom/matrix-dendrite/templates/dendrite/dendrite.yaml.j2 index 3c1e56e5..2ca9b062 100644 --- a/roles/custom/matrix-dendrite/templates/dendrite/dendrite.yaml.j2 +++ b/roles/custom/matrix-dendrite/templates/dendrite/dendrite.yaml.j2 @@ -223,7 +223,7 @@ federation_api: external_api: listen: http://0.0.0.0:8072 database: - connection_string: {{ matrix_dendrite_database_str }}/{{ matrix_dendrite_federation_api_database }}?sslmode=disable + connection_string: {{ matrix_dendrite_database_str }}/{{ matrix_dendrite_federation_api_database }}?sslmode={{ matrix_dendrite_database_sslmode }} max_open_conns: 10 max_idle_conns: 2 conn_max_lifetime: -1 
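Review bot: `matrix_dendrite_database_sslmode: disable` is introduced without a comment, yet it is interpolated raw into every `connection_string` in `dendrite.yaml.j2` (the hunks that follow), so the reader has to know it must be a libpq `sslmode` keyword and that the default turns off TLS to Postgres. A short comment would capture both: `# libpq sslmode for all Dendrite database connections: disable, require, verify-ca or verify-full.` followed by `# "disable" is only appropriate for the playbook's own Postgres on the private container network; use verify-full for an external database.` The enclosing defaults file continues outside the hunk.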
@@ -266,7 +266,7 @@ key_server: listen: http://0.0.0.0:7779 connect: http://key_server:7779 database: - connection_string: {{ matrix_dendrite_database_str }}/{{ matrix_dendrite_key_server_database }}?sslmode=disable + connection_string: {{ matrix_dendrite_database_str }}/{{ matrix_dendrite_key_server_database }}?sslmode={{ matrix_dendrite_database_sslmode }} max_open_conns: 10 max_idle_conns: 2 conn_max_lifetime: -1 @@ -279,7 +279,7 @@ media_api: external_api: listen: http://0.0.0.0:8074 database: - connection_string: {{ matrix_dendrite_database_str }}/{{ matrix_dendrite_media_api_database }}?sslmode=disable + connection_string: {{ matrix_dendrite_database_str }}/{{ matrix_dendrite_media_api_database }}?sslmode={{ matrix_dendrite_database_sslmode }} max_open_conns: 10 max_idle_conns: 2 conn_max_lifetime: -1 @@ -318,7 +318,7 @@ mscs: # - msc2946 (Spaces Summary, see https://github.com/matrix-org/matrix-doc/pull/2946) mscs: [] database: - connection_string: {{ matrix_dendrite_database_str }}/{{ matrix_dendrite_mscs_database }}?sslmode=disable + connection_string: {{ matrix_dendrite_database_str }}/{{ matrix_dendrite_mscs_database }}?sslmode={{ matrix_dendrite_database_sslmode }} max_open_conns: 5 max_idle_conns: 2 conn_max_lifetime: -1 @@ -329,7 +329,7 @@ room_server: listen: http://0.0.0.0:7770 connect: http://room_server:7770 database: - connection_string: {{ matrix_dendrite_database_str }}/{{ matrix_dendrite_room_database }}?sslmode=disable + connection_string: {{ matrix_dendrite_database_str }}/{{ matrix_dendrite_room_database }}?sslmode={{ matrix_dendrite_database_sslmode }} max_open_conns: 10 max_idle_conns: 2 conn_max_lifetime: -1 
@@ -342,7 +342,7 @@ sync_api: external_api: listen: http://0.0.0.0:8073 database: - connection_string: {{ matrix_dendrite_database_str }}/{{ matrix_dendrite_sync_api_database }}?sslmode=disable + connection_string: {{ matrix_dendrite_database_str }}/{{ matrix_dendrite_sync_api_database }}?sslmode={{ matrix_dendrite_database_sslmode }} max_open_conns: 10 max_idle_conns: 2 conn_max_lifetime: -1 @@ -376,7 +376,7 @@ user_api: listen: http://0.0.0.0:7781 connect: http://user_api:7781 account_database: - connection_string: {{ matrix_dendrite_database_str }}/{{ matrix_dendrite_user_api_database }}?sslmode=disable + connection_string: {{ matrix_dendrite_database_str }}/{{ matrix_dendrite_user_api_database }}?sslmode={{ matrix_dendrite_database_sslmode }} max_open_conns: 10 max_idle_conns: 2 conn_max_lifetime: -1 @@ -394,7 +394,7 @@ push_server: listen: http://localhost:7782 connect: http://localhost:7782 database: - connection_string: {{ matrix_dendrite_database_str }}/{{ matrix_dendrite_push_server_database }}?sslmode=disable + connection_string: {{ matrix_dendrite_database_str }}/{{ matrix_dendrite_push_server_database }}?sslmode={{ matrix_dendrite_database_sslmode }} max_open_conns: 10 max_idle_conns: 2 conn_max_lifetime: -1 @@ -403,7 +403,7 @@ push_server: # relay_api: database: - connection_string: {{ matrix_dendrite_database_str }}/{{ matrix_dendrite_relay_api_database }}?sslmode=disable + connection_string: {{ matrix_dendrite_database_str }}/{{ matrix_dendrite_relay_api_database }}?sslmode={{ matrix_dendrite_database_sslmode }} # Configuration for Opentracing. # See https://github.com/matrix-org/dendrite/tree/master/docs/tracing for information on diff --git a/roles/custom/matrix-dimension/defaults/main.yml b/roles/custom/matrix-dimension/defaults/main.yml index e66f9009..718b5d86 100644 --- a/roles/custom/matrix-dimension/defaults/main.yml +++ b/roles/custom/matrix-dimension/defaults/main.yml 
@@ -29,6 +29,7 @@ matrix_dimension_container_image_self_build_branch: master matrix_dimension_base_path: "{{ matrix_base_data_path }}/dimension" matrix_dimension_docker_src_files_path: "{{ matrix_base_data_path }}/docker-src/dimension" +# renovate: datasource=docker depName=turt2live/matrix-dimension matrix_dimension_version: latest matrix_dimension_docker_image: "{{ matrix_dimension_docker_image_name_prefix }}turt2live/matrix-dimension:{{ matrix_dimension_version }}" matrix_dimension_docker_image_name_prefix: "{{ 'localhost/' if matrix_dimension_container_image_self_build else matrix_container_global_registry_prefix }}" diff --git a/roles/custom/matrix-dynamic-dns/defaults/main.yml b/roles/custom/matrix-dynamic-dns/defaults/main.yml index 6369f109..bdf100eb 100644 --- a/roles/custom/matrix-dynamic-dns/defaults/main.yml +++ b/roles/custom/matrix-dynamic-dns/defaults/main.yml @@ -7,7 +7,8 @@ matrix_dynamic_dns_enabled: true # The dynamic dns daemon interval matrix_dynamic_dns_daemon_interval: '300' -matrix_dynamic_dns_version: v3.10.0-ls126 +# renovate: datasource=docker depName=linuxserver/ddclient versioning=semver +matrix_dynamic_dns_version: 3.11.2 # The docker container to use when in mode matrix_dynamic_dns_docker_image: "{{ matrix_dynamic_dns_docker_image_name_prefix }}linuxserver/ddclient:{{ matrix_dynamic_dns_version }}" diff --git a/roles/custom/matrix-email2matrix/defaults/main.yml b/roles/custom/matrix-email2matrix/defaults/main.yml index b24cc76c..cdd287a8 100644 --- a/roles/custom/matrix-email2matrix/defaults/main.yml +++ b/roles/custom/matrix-email2matrix/defaults/main.yml 
@@ -11,6 +11,7 @@ matrix_email2matrix_container_image_self_build: false matrix_email2matrix_container_image_self_build_repo: "https://github.com/devture/email2matrix.git" matrix_email2matrix_container_image_self_build_branch: "{{ matrix_email2matrix_version }}" +# renovate: datasource=docker depName=devture/email2matrix matrix_email2matrix_version: 1.1.0 matrix_email2matrix_docker_image_prefix: "{{ 'localhost/' if matrix_email2matrix_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_email2matrix_docker_image: "{{ matrix_email2matrix_docker_image_prefix }}devture/email2matrix:{{ matrix_email2matrix_version }}" diff --git a/roles/custom/matrix-ldap-registration-proxy/tasks/setup_uninstall.yml b/roles/custom/matrix-ldap-registration-proxy/tasks/setup_uninstall.yml index 1d99b406..20e98a6e 100644 --- a/roles/custom/matrix-ldap-registration-proxy/tasks/setup_uninstall.yml +++ b/roles/custom/matrix-ldap-registration-proxy/tasks/setup_uninstall.yml @@ -9,7 +9,7 @@ block: - name: Ensure matrix-matrix_ldap_registration_proxy is stopped ansible.builtin.service: - name: matrix-matrix_ldap_registration_proxy + name: matrix-ldap-registration-proxy state: stopped enabled: false daemon_reload: true diff --git a/roles/custom/matrix-ma1sd/defaults/main.yml b/roles/custom/matrix-ma1sd/defaults/main.yml index 9dc32ce7..cbea37c4 100644 --- a/roles/custom/matrix-ma1sd/defaults/main.yml +++ b/roles/custom/matrix-ma1sd/defaults/main.yml @@ -8,6 +8,7 @@ matrix_ma1sd_container_image_self_build: false matrix_ma1sd_container_image_self_build_repo: "https://github.com/ma1uta/ma1sd.git" matrix_ma1sd_container_image_self_build_branch: "{{ matrix_ma1sd_version }}" +# renovate: datasource=docker depName=ma1uta/ma1sd matrix_ma1sd_version: "2.5.0" matrix_ma1sd_docker_image: "{{ matrix_ma1sd_docker_image_name_prefix }}ma1uta/ma1sd:{{ matrix_ma1sd_version }}" 
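Review bot: In the `matrix-ldap-registration-proxy` uninstall hunk the service `name:` is corrected, but the task's own `- name:` context line still reads `Ensure matrix-matrix_ldap_registration_proxy is stopped`, so play output keeps showing the old, wrong unit name; change it to `- name: Ensure matrix-ldap-registration-proxy is stopped`. The enclosing `block:` starts outside the hunk.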
diff --git a/roles/custom/matrix-mailer/defaults/main.yml b/roles/custom/matrix-mailer/defaults/main.yml index 71e87532..e901c4b0 100644 --- a/roles/custom/matrix-mailer/defaults/main.yml +++ b/roles/custom/matrix-mailer/defaults/main.yml @@ -10,7 +10,8 @@ matrix_mailer_container_image_self_build_repository_url: "https://github.com/dev matrix_mailer_container_image_self_build_src_files_path: "{{ matrix_mailer_base_path }}/docker-src" matrix_mailer_container_image_self_build_version: "{{ matrix_mailer_docker_image.split(':')[1] }}" -matrix_mailer_version: 4.96-r1-0 +# renovate: datasource=docker depName=devture/exim-relay versioning=semver +matrix_mailer_version: 4.96.2-r0-0 matrix_mailer_docker_image: "{{ matrix_mailer_docker_image_name_prefix }}devture/exim-relay:{{ matrix_mailer_version }}" matrix_mailer_docker_image_name_prefix: "{{ 'localhost/' if matrix_mailer_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_mailer_docker_image_force_pull: "{{ matrix_mailer_docker_image.endswith(':latest') }}" diff --git a/roles/custom/matrix-media-repo/defaults/main.yml b/roles/custom/matrix-media-repo/defaults/main.yml new file mode 100644 index 00000000..61c6f839 --- /dev/null +++ b/roles/custom/matrix-media-repo/defaults/main.yml 
@@ -0,0 +1,700 @@ +--- +# matrix-media-repo is a highly customizable multi-domain media repository for Matrix. +# Intended for medium to large environments consisting of several homeservers, this +# media repo de-duplicates media (including remote media) while being fully compliant +# with the specification. +# See: https://github.com/turt2live/matrix-media-repo + +matrix_media_repo_enabled: false + +# matrix_media_repo_identifier controls the identifier of this media-repo instance, which influences: +# - the default storage path +# - the names of systemd services +matrix_media_repo_identifier: matrix-media-repo + +matrix_media_repo_container_image_self_build: false +matrix_media_repo_container_image_self_build_repo: "https://github.com/turt2live/matrix-media-repo.git" + +matrix_media_repo_docker_image_path: "turt2live/matrix-media-repo" +matrix_media_repo_docker_image: "{{ matrix_media_repo_docker_image_name_prefix }}{{ matrix_media_repo_docker_image_path }}:{{ matrix_media_repo_docker_image_tag }}" +matrix_media_repo_docker_image_name_prefix: "{{ 'localhost/' if matrix_media_repo_container_image_self_build else matrix_container_global_registry_prefix }}" +# renovate: datasource=docker depName=turt2live/matrix-media-repo +matrix_media_repo_docker_image_tag: "v1.2.13" +matrix_media_repo_docker_image_force_pull: "{{ matrix_media_repo_docker_image.endswith(':latest') }}" + +matrix_media_repo_base_path: "{{ matrix_base_data_path }}/{{ matrix_media_repo_identifier }}" +matrix_media_repo_config_path: "{{ matrix_media_repo_base_path }}/config" +matrix_media_repo_data_path: "{{ matrix_media_repo_base_path }}/data" +matrix_media_repo_docker_src_files_path: "{{ matrix_media_repo_base_path }}/docker-src" + +# List of systemd services that matrix-conduit.service depends on +matrix_media_repo_systemd_required_services_list: ["docker.service"] + +# List of systemd services that matrix-conduit.service wants +matrix_media_repo_systemd_wanted_services_list: [] + +# The base 
container network. It will be auto-created by this role if it doesn't exist already. +matrix_media_repo_container_network: "{{ matrix_docker_network }}" + +# A list of additional container networks that the container would be connected to. +# The role does not create these networks, so make sure they already exist. +# Use this to expose this container to another reverse proxy, which runs in a different container network. +matrix_media_repo_container_additional_networks: [] + +# Controls whether the matrix-media-repo container exposes its HTTP port (tcp/8000 in the container). +# +# Takes an ":" or "" value (e.g. "127.0.0.1:8000"), or empty string to not expose. +matrix_media_repo_container_http_host_bind_port: "" + +# Controls whether the matrix-media-repo container exposes its metrics port (tcp/9000 in the container). +# +# Takes an ":" or "" value (e.g. "127.0.0.1:9000"), or empty string to not expose. +matrix_media_repo_container_metrics_host_bind_port: "" + +# Extra arguments for the Docker container +matrix_media_repo_container_extra_arguments: [] + +# matrix_media_repo_dashboard_urls contains a list of URLs with Grafana dashboard definitions. +# If the Grafana role is enabled, these dashboards will be downloaded. +matrix_media_repo_dashboard_urls: + - https://raw.githubusercontent.com/spantaleev/matrix-docker-ansible-deploy/master/roles/custom/matrix-media-repo/templates/grafana/media-repo.json + +# ***************************************************************************** +# Configuration File Settings +# ***************************************************************************** + +# General repo configuration +matrix_media_repo_bind_address: '0.0.0.0' +matrix_media_repo_port: 8000 + +# Where to store the logs, relative to where the repo is started from. Logs will be automatically +# rotated every day and held for 14 days. To disable the repo logging to files, set this to +# "-" (including quotation marks). 
+# +# Note: to change the log directory you'll have to restart the repository. This setting cannot be +# live reloaded. +matrix_media_repo_log_directory: "-" + +# Set to true to enable color coding in your logs. Note that this may cause escape sequences to +# appear in logs which render them unreadable, which is why colors are disabled by default. +matrix_media_repo_log_colors: false + +# Set to true to enable JSON logging for consumption by things like logstash. Note that this is +# incompatible with the log color option and will always render without colors. +matrix_media_repo_json_logs: false + +# The log level to log at. Note that this will need to be at least "info" to receive support. +# +# Values (in increasing spam): panic | fatal | error | warn | info | debug | trace +matrix_media_repo_log_level: "info" + +# If true, the media repo will accept any X-Forwarded-For header without validation. In most cases +# this option should be left as "false". Note that the media repo already expects an X-Forwarded-For +# header, but validates it to ensure the IP being given makes sense. +matrix_media_repo_trust_any_forwarded_address: false + +# If false, the media repo will not use the X-Forwarded-Host header commonly added by reverse proxies. +# Typically this should remain as true, though in some circumstances it may need to be disabled. +# See https://github.com/turt2live/matrix-media-repo/issues/202 for more information. +matrix_media_repo_use_forwarded_host: true + +# Options for dealing with federation + +# On a per-host basis, the number of consecutive failures in calling the host before the +# media repo will back off. This defaults to 20 if not given. Note that 404 errors from +# the remote server do not count towards this. +matrix_media_repo_federation_backoff_at: 20 + +# The database configuration for the media repository +# Do NOT put your homeserver's existing database credentials here. Create a new database and +# user instead. 
Using the same server is fine, just not the same username and database. +matrix_media_repo_database_username: "matrix_media_repo" +matrix_media_repo_database_password: "your_password" +matrix_media_repo_database_hostname: "{{ devture_postgres_identifier }}" +matrix_media_repo_database_port: 5432 +matrix_media_repo_database_name: "matrix_media_repo" +matrix_media_repo_database_sslmode: disable + +# Currently only "postgres" is supported. +matrix_media_repo_database_postgres: "postgres://{{ matrix_media_repo_database_username }}:{{ matrix_media_repo_database_password }}@{{ matrix_media_repo_database_hostname }}:{{ matrix_media_repo_database_port }}/{{ matrix_media_repo_database_name }}?sslmode={{ matrix_media_repo_database_sslmode }}" + +# The database pooling options + +# The maximum number of connects to hold open. More of these allow for more concurrent +# processes to happen. +matrix_media_repo_database_max_connections: 25 + +# The maximum number of connects to leave idle. More of these reduces the time it takes +# to serve requests in low-traffic scenarios. +matrix_media_repo_database_max_idle_connections: 5 + +# The configuration for the homeservers this media repository is known to control. Servers +# not listed here will not be able to upload media. +matrix_media_repo_homeservers: + homeservers: + # This should match the server_name of your homeserver, and the Host header + # provided to the media repo. + - name: "{{ matrix_server_fqn_matrix }}" + + # The base URL to where the homeserver can actually be reached + csApi: "http://{{ matrix_nginx_proxy_proxy_matrix_client_api_addr_with_container }}" + + # The number of consecutive failures in calling this homeserver before the + # media repository will start backing off. This defaults to 10 if not given. + backoffAt: 10 + + # The kind of admin API the homeserver supports. If set to "matrix", + # the media repo will use the Synapse-defined endpoints under the + # unstable client-server API. 
When this is "synapse", the new /_synapse + # endpoints will be used instead. Unknown values are treated as the + # default, "matrix". + adminApiKind: "{{ 'synapse' if matrix_homeserver_implementation == 'synapse' else 'matrix' }}" + +# Options for controlling how access tokens work with the media repo. It is recommended that if +# you are going to use these options that the `/logout` and `/logout/all` client-server endpoints +# be proxied through this process. They will also be called on the homeserver, and the response +# sent straight through the client - they are simply used to invalidate the cache faster for +# a particular user. Without these, the access tokens might still work for a short period of time +# after the user has already invalidated them. +# +# This will also cache errors from the homeserver. +# +# Note that when this config block is used outside of a per-domain config, all hosts will be +# subject to the same cache. This also means that application services on limited homeservers +# could be authorized on the wrong domain. +# +# *************************************************************************** +# * IT IS HIGHLY RECOMMENDED TO USE PER-DOMAIN CONFIGS WITH THIS FEATURE. * +# *************************************************************************** +matrix_media_repo_access_tokens: + accessTokens: + # The maximum time a cached access token will be considered valid. Set to zero (the default) + # to disable the cache and constantly hit the homeserver. This is recommended to be set to + # 43200 (12 hours) on servers with the logout endpoints proxied through the media repo, and + # zero for servers who do not proxy the endpoints through. + maxCacheTimeSeconds: 43200 + + # Whether or not to use the `appservices` config option below. If disabled (the default), + # the regular access token cache will be used for each user, potentially leading to high + # memory usage. 
+ useLocalAppserviceConfig: false + + # The application services (and their namespaces) registered on the homeserver. Only used + # if `useLocalAppserviceConfig` is enabled (recommended). + # + # Usually the appservice will provide you with these config details - they'll just need + # translating from the appservice registration to here. Note that this does not require + # all options from the registration, and only requires the bare minimum required to run + # the media repo. + # appservices: + # - id: Name_of_appservice_for_your_reference + # asToken: Secret_token_for_appservices_to_use + # senderUserId: "@_example_bridge:yourdomain.com" + # userNamespaces: + # - regex: "@_example_bridge_.+:yourdomain.com" + # # A note about regexes: it is best to suffix *all* namespaces with the homeserver + # # domain users are valid for, as otherwise the appservice can use any user with + # # any domain name it feels like, even if that domain is not configured with the + # # media repo. This will lead to inaccurate reporting in the case of the media + # # repo, and potentially leading to media being considered "remote". + +# These users have full access to the administrative functions of the media repository. +# See docs/admin.md for information on what these people can do. They must belong to one of the +# configured homeservers above. +matrix_media_repo_admins: + admins: [] +# admins: +# - "@your_username:example.org" + +# Shared secret auth is useful for applications building on top of the media repository, such +# as a management interface. The `token` provided here is treated as a repository administrator +# when shared secret auth is enabled: if the `token` is used in place of an access token, the' +# request will be authorized. This is not limited to any particular domain, giving applications +# the ability to use it on any configured hostname. +# Set this to true to enable shared secret auth. 
+matrix_media_repo_shared_secret_auth_enabled: false + +# Use a secure value here to prevent unauthorized access to the media repository. +matrix_media_repo_shared_secret_auth_token: "PutSomeRandomSecureValueHere" + +# Datastores are places where media should be persisted. This isn't dedicated for just uploads: +# thumbnails and other misc data is also stored in these places. The media repo, when looking +# for a datastore to use, will always use the smallest datastore first. +matrix_media_repo_datastores: + datastores: + - type: file + enabled: true # Enable this to set up data storage. + # Datastores can be split into many areas when handling uploads. Media is still de-duplicated + # across all datastores (local content which duplicates remote content will re-use the remote + # content's location). This option is useful if your datastore is becoming very large, or if + # you want faster storage for a particular kind of media. + # + # The kinds available are: + # thumbnails - Used to store thumbnails of media (local and remote). + # remote_media - Original copies of remote media (servers not configured by this repo). + # local_media - Original uploads for local media. + # archives - Archives of content (GDPR and similar requests). + forKinds: ["thumbnails", "remote_media", "local_media", "archives"] + opts: + path: /data/media + + - type: s3 + enabled: false # Enable this to set up s3 uploads + forKinds: ["thumbnails", "remote_media", "local_media", "archives"] + opts: + # The s3 uploader needs a temporary location to buffer files to reduce memory usage on + # small file uploads. If the file size is unknown, the file is written to this location + # before being uploaded to s3 (then the file is deleted). If you aren't concerned about + # memory usage, set this to an empty string. 
+ tempPath: "/tmp/mediarepo_s3_upload" + endpoint: sfo2.digitaloceanspaces.com + accessKeyId: "" + accessSecret: "" + ssl: true + bucketName: "your-media-bucket" + # An optional region for where this S3 endpoint is located. Typically not needed, though + # some providers will need this (like Scaleway). Uncomment to use. + # region: "sfo2" + # An optional storage class for tuning how the media is stored at s3. + # See https://aws.amazon.com/s3/storage-classes/ for details; uncomment to use. + # storageClass: STANDARD + + # The media repo does support an IPFS datastore, but only if the IPFS feature is enabled. If + # the feature is not enabled, this will not work. Note that IPFS support is experimental at + # the moment and not recommended for general use. + # + # NOTE: Everything you upload to IPFS will be publicly accessible, even when the media repo + # puts authentication on the download endpoints. Only use this option for cases where you + # expect your media to be publicly accessible. + - type: ipfs + enabled: false # Enable this to use IPFS support + forKinds: ["local_media"] + # The IPFS datastore currently has no options. It will use the daemon or HTTP API configured + # in the IPFS section of your main config. + opts: {} + +# Options for controlling archives. Archives are exports of a particular user's content for +# the purpose of GDPR or moving media to a different server. + +# Whether archiving is enabled or not. Default enabled. +matrix_media_repo_archiving_enabled: true +# If true, users can request a copy of their own data. By default, only repository administrators +# can request a copy. +# This includes the ability for homeserver admins to request a copy of their own server's +# data, as known to the repo. +matrix_media_repo_archiving_self_service: false +# The number of bytes to target per archive before breaking up the files. This is independent +# of any file upload limits and will require a similar amount of memory when performing an export. 
+# The file size is also a target, not a guarantee - it is possible to have files that are smaller +# or larger than the target. This is recommended to be approximately double the size of your +# file upload limit, provided there is enough memory available for the demand of exporting. +matrix_media_repo_archiving_target_bytes_per_part: 209715200 # 200mb default + +# The file upload settings for the media repository +matrix_media_repo_uploads: + uploads: + # The maximum individual file size a user can upload. + maxBytes: 104857600 # 100MB default, 0 to disable + + # The minimum number of bytes to let people upload. This is recommended to be non-zero to + # ensure that the "cost" of running the media repo is worthwhile - small file uploads tend + # to waste more CPU and database resources than small files, thus a default of 100 bytes + # is applied here as an approximate break-even point. + minBytes: 100 # 100 bytes by default + + # The number of bytes to claim as the maximum size for uploads for the limits API. If this + # is not provided then the maxBytes setting will be used instead. This is useful to provide + # if the media repo's settings and the reverse proxy do not match for maximum request size. + # This is purely for informational reasons and does not actually limit any functionality. + # Set this to -1 to indicate that there is no limit. Zero will force the use of maxBytes. + reportedMaxBytes: 0 + + # Options for limiting how much content a user can upload. Quotas are applied to content + # associated with a user regardless of de-duplication. Quotas which affect remote servers + # or users will not take effect. When a user exceeds their quota they will be unable to + # upload any more media. + quotas: + # Whether or not quotas are enabled/enforced. Note that even when disabled the media repo + # will track how much media a user has uploaded. This is disabled by default. + enabled: false + + # The quota rules that affect users. 
The first rule to match the uploader will take effect. + # An implied rule which matches all users and has no quota is always last in this list, + # meaning that if no rules are supplied then users will be able to upload anything. Similarly, + # if no rules match a user then the implied rule will match, allowing the user to have no + # quota. The quota will let the user upload to 1 media past their quota, meaning that from + # a statistics perspective the user might exceed their quota however only by a small amount. + users: + - glob: "@*:*" # Affect all users. Use asterisks (*) to match any character. + maxBytes: 53687063712 # 50GB default, 0 to disable + +# Settings related to downloading files from the media repository + +# The maximum number of bytes to download from other servers +matrix_media_repo_downloads_max_bytes: 104857600 # 100MB default, 0 to disable + +# The number of workers to use when downloading remote media. Raise this number if remote +# media is downloading slowly or timing out. +# +# Maximum memory usage = numWorkers multiplied by the maximum download size +# Average memory usage is dependent on how many concurrent downloads your users are doing. +matrix_media_repo_downloads_num_workers: 10 + +# How long, in minutes, to cache errors related to downloading remote media. Once this time +# has passed, the media is able to be re-requested. +matrix_media_repo_downloads_failure_cache_minutes: 5 + +# The cache control settings for downloads. This can help speed up downloads for users by +# keeping popular media in the cache. This cache is also used for thumbnails. +matrix_media_repo_downloads_cache_enabled: true + +# The maximum size of cache to have. Higher numbers are better. +matrix_media_repo_downloads_cache_max_size_bytes: 1048576000 # 1GB default + +# The maximum file size to cache. This should normally be the same size as your maximum +# upload size. 
+matrix_media_repo_downloads_cache_max_file_size_bytes: 104857600 # 100MB default + +# The number of minutes to track how many downloads a file gets +matrix_media_repo_downloads_cache_tracked_minutes: 30 + +# The number of downloads a file must receive in the window above (trackedMinutes) in +# order to be cached. +matrix_media_repo_downloads_cache_min_downloads: 5 + +# The minimum amount of time an item should remain in the cache. This prevents the cache +# from cycling out the file if it needs more room during this time. Note that the media +# repo regularly cleans out media which is past this point from the cache, so this number +# may need increasing depending on your use case. If the maxSizeBytes is reached for the +# media repo, and some cached items are still under this timer, new items will not be able +# to enter the cache. When this happens, consider raising maxSizeBytes or lowering this +# timer. +matrix_media_repo_downloads_cache_min_cache_time_seconds: 300 + +# The minimum amount of time an item should remain outside the cache once it is removed. +matrix_media_repo_downloads_cache_min_evicted_time_seconds: 60 + +# How many days after a piece of remote content is downloaded before it expires. It can be +# re-downloaded on demand, this just helps free up space in your datastore. Set to zero or +# negative to disable. Defaults to disabled. +matrix_media_repo_downloads_expire_after_days: 0 + +# URL Preview settings +matrix_media_repo_url_previews: + urlPreviews: + enabled: true # If enabled, the preview_url routes will be accessible + maxPageSizeBytes: 10485760 # 10MB default, 0 to disable + + # If true, the media repository will try to provide previews for URLs with invalid or unsafe + # certificates. If false (the default), the media repo will fail requests to said URLs. 
+ previewUnsafeCertificates: false + + # Note: URL previews are limited to a given number of words, which are then limited to a number + # of characters, taking off the last word if it needs to. This also applies for the title. + + numWords: 50 # The number of words to include in a preview (maximum) + maxLength: 200 # The maximum number of characters for a description + + numTitleWords: 30 # The maximum number of words to include in a preview's title + maxTitleLength: 150 # The maximum number of characters for a title + + # The mime types to preview when OpenGraph previews cannot be rendered. OpenGraph previews are + # calculated on anything matching "text/*". To have a thumbnail in the preview the URL must be + # an image and the image's type must be allowed by the thumbnailer. + filePreviewTypes: + - "image/*" + + # The number of workers to use when generating url previews. Raise this number if url + # previews are slow or timing out. + # + # Maximum memory usage = numWorkers multiplied by the maximum page size + # Average memory usage is dependent on how many concurrent urls your users are previewing. + numWorkers: 10 + + # Either allowedNetworks or disallowedNetworks must be provided. If both are provided, they + # will be merged. URL previews will be disabled if neither is supplied. Each entry must be + # a CIDR range. + disallowedNetworks: + - "127.0.0.1/8" + - "10.0.0.0/8" + - "172.16.0.0/12" + - "192.168.0.0/16" + - "100.64.0.0/10" + - "169.254.0.0/16" + - '::1/128' + - 'fe80::/64' + - 'fc00::/7' + allowedNetworks: + # "Everything". The blacklist will help limit this. + # This is the default value for this field. + - "0.0.0.0/0" + + # How many days after a preview is generated before it expires and is deleted. The preview + # can be regenerated safely - this just helps free up some space in your database. Set to + # zero or negative to disable. Defaults to disabled. 
+ expireAfterDays: 0 + + # The default Accept-Language header to supply when generating URL previews when one isn't + # supplied by the client. + # Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Accept-Language + defaultLanguage: "en-US,en" + + # When true, oEmbed previews will be enabled. Typically these kinds of previews are used for + # sites that do not support OpenGraph or page scraping, such as Twitter. For information on + # specifying providers for oEmbed, including your own, see the following documentation: + # https://docs.t2bot.io/matrix-media-repo/url-previews/oembed.html + # Defaults to disabled. + oEmbed: false + +# The thumbnail configuration for the media repository. +matrix_media_repo_thumbnails: + thumbnails: + # The maximum number of bytes an image can be before the thumbnailer refuses. + maxSourceBytes: 10485760 # 10MB default, 0 to disable + + # The maximum number of pixels an image can have before the thumbnailer refuses. Note that + # this only applies to image types: file types like audio and video are affected solely by + # the maxSourceBytes. + maxPixels: 32000000 # 32M default + + # The number of workers to use when generating thumbnails. Raise this number if thumbnails + # are slow to generate or timing out. + # + # Maximum memory usage = numWorkers multiplied by the maximum image source size + # Average memory usage is dependent on how many thumbnails are being generated by your users + numWorkers: 100 + + # All thumbnails are generated into one of the sizes listed here. The first size is used as + # the default for when no width or height is requested. The media repository will return + # either an exact match or the next largest size of thumbnail. + sizes: + - width: 32 + height: 32 + - width: 96 + height: 96 + - width: 320 + height: 240 + - width: 640 + height: 480 + - width: 768 # This size is primarily used for audio thumbnailing. 
+ height: 240 + - width: 800 + height: 600 + + # To allow for thumbnails to be any size, not just in the sizes specified above, set this to + # true (default false). When enabled, whatever size requested by the client will be generated + # up to a maximum of the largest possible dimensions in the `sizes` list. For best results, + # specify only one size in the `sizes` list when this option is enabled. + dynamicSizing: false + + # The content types to thumbnail when requested. Types that are not supported by the media repo + # will not be thumbnailed (adding application/json here won't work). Clients may still not request + # thumbnails for these types - this won't make clients automatically thumbnail these file types. + types: + - "image/jpeg" + - "image/jpg" + - "image/png" + - "image/apng" + - "image/gif" + - "image/heif" + - "image/webp" + # - "image/svg+xml" # Be sure to have ImageMagick installed to thumbnail SVG files + - "audio/mpeg" + - "audio/ogg" + - "audio/wav" + - "audio/flac" + # - "video/mp4" # Be sure to have ffmpeg installed to thumbnail video files + + # Animated thumbnails can be CPU intensive to generate. To disable the generation of animated + # thumbnails, set this to false. If disabled, regular thumbnails will be returned. + allowAnimated: true + + # Default to animated thumbnails, if available + defaultAnimated: false + + # The maximum file size to thumbnail when a capable animated thumbnail is requested. If the image + # is larger than this, the thumbnail will be generated as a static image. + maxAnimateSizeBytes: 10485760 # 10MB default, 0 to disable + + # On a scale of 0 (start of animation) to 1 (end of animation), where should the thumbnailer try + # and thumbnail animated content? Defaults to 0.5 (middle of animation). + stillFrame: 0.5 + + # How many days after a thumbnail is generated before it expires and is deleted. The thumbnail + # can be regenerated safely - this just helps free up some space in your datastores. 
Set to + # zero or negative to disable. Defaults to disabled. + expireAfterDays: 0 + +# Controls for the rate limit functionality + +# Set this to false if rate limiting is handled at a higher level or you don't want it enabled. +matrix_media_repo_rate_limit_enabled: true + +# The number of requests per second before an IP will be rate limited. Must be a whole number. +matrix_media_repo_rate_limit_requests_per_second: 1 + +# The number of requests an IP can send at once before the rate limit is actually considered. +matrix_media_repo_rate_limit_burst: 10 + +# Identicons are generated avatars for a given username. Some clients use these to give users a +# default avatar after signing up. Identicons are not part of the official matrix spec, therefore +# this feature is completely optional. +matrix_media_repo_identicons_enabled: true + +# The quarantine media settings. + +# If true, when a thumbnail of quarantined media is requested an image will be returned. If no +# image is given in the thumbnailPath below then a generated image will be provided. This does +# not affect regular downloads of files. +matrix_media_repo_quarantine_replace_thumbnails: true + +# If true, when media which has been quarantined is requested an image will be returned. If +# no image is given in the thumbnailPath below then a generated image will be provided. This +# will replace media which is not an image (ie: quarantining a PDF will replace the PDF with +# an image). +matrix_media_repo_quarantine_replace_downloads: false + +# If provided, the given image will be returned as a thumbnail for media that is quarantined. +matrix_media_repo_quarantine_thumbnail_path: "" + +# If true, administrators of the configured homeservers may quarantine media for their server +# only. Global administrators can quarantine any media (local or remote) regardless of this +# flag. +matrix_media_repo_quarantine_allow_local_admins: true + +# The various timeouts that the media repo will use. 
+ +# The maximum amount of time the media repo should spend trying to fetch a resource that is +# being previewed. +matrix_media_repo_timeouts_url_preview_timeout_seconds: 10 + +# The maximum amount of time the media repo will spend making remote requests to other repos +# or homeservers. This is primarily used to download media. +matrix_media_repo_timeouts_federation_timeout_seconds: 120 + +# The maximum amount of time the media repo will spend talking to your configured homeservers. +# This is usually used to verify a user's identity. +matrix_media_repo_timeouts_client_server_timeout_seconds: 30 + +# Prometheus metrics configuration +# For an example Grafana dashboard, import the following JSON: +# https://github.com/turt2live/matrix-media-repo/blob/master/docs/grafana.json + +# If true, the bindAddress and port below will serve GET /metrics for Prometheus to scrape. +matrix_media_repo_metrics_enabled: false + +# The address to listen on. Typically "127.0.0.1" or "0.0.0.0" for all interfaces. +matrix_media_repo_metrics_bind_address: "0.0.0.0" + +# The port to listen on. Cannot be the same as the general web server port. +matrix_media_repo_metrics_port: 9000 + +# Plugins are optional pieces of the media repo used to extend the functionality offered. +# Currently there are only antispam plugins, but in future there should be more options. +# Plugins are not supported on per-domain paths and are instead repo-wide. For more +# information on writing plugins, please visit #matrix-media-repo:t2bot.io on Matrix. +matrix_media_repo_plugins: + plugins: [] + + # An example OCR plugin to block images with certain text. Note that the Docker image + # for the media repo automatically ships this at /plugins/plugin_antispam_ocr +# - exec: /plugins/plugin_antispam_ocr +# config: +# # The URL to your OCR server (https://github.com/otiai10/ocrserver) +# ocrServer: "http://localhost:8080" +# # The keywords to scan for. 
The image must contain at least one of the keywords +# # from each list to qualify for spam. +# keywordGroups: +# - - elon +# - musk +# - elonmusk +# - - bitcoin +# # The minimum (and maximum) sizes of images to process. +# minSizeBytes: 20000 +# maxSizeBytes: 200000 +# # The types of files to process +# types: ["image/png", "image/jpeg", "image/jpg"] +# # The user ID regex to check against +# userIds: "@telegram_.*" +# # How much of the image's height, starting from the top, to consider before +# # discarding the rest. Set to 1.0 to consider the whole image. +# percentageOfHeight: 0.35 + +# Options for controlling various MSCs/unstable features of the media repo +# Sections of this config might disappear or be added over time. By default all +# features are disabled in here and must be explicitly enabled to be used. +matrix_media_repo_feature_support: + featureSupport: + # MSC2248 - Blurhash + MSC2448: + # Whether or not this MSC is enabled for use in the media repo + enabled: false + + # Maximum dimensions for converting a blurhash to an image. When no width and + # height options are supplied, the default will be half these values. + maxWidth: 1024 + maxHeight: 1024 + + # Thumbnail size in pixels to use to generate the blurhash string + thumbWidth: 64 + thumbHeight: 64 + + # The X and Y components to use. Higher numbers blur less, lower numbers blur more. + xComponents: 4 + yComponents: 3 + + # The amount of contrast to apply when converting a blurhash to an image. Lower values + # make the effect more subtle, larger values make it stronger. + punch: 1 + + # IPFS Support + # This is currently experimental and might not work at all. + IPFS: + # Whether or not IPFS support is enabled for use in the media repo. + enabled: false + + # Options for the built in IPFS daemon + builtInDaemon: + # Enable this to spawn an in-process IPFS node to use instead of a localhost + # HTTP agent. 
If this is disabled, the media repo will assume you have an HTTP + # IPFS agent running and accessible. Defaults to using a daemon (true). + enabled: true + + # If the Daemon is enabled, set this to the location where the IPFS files should + # be stored. If you're using Docker, this should be something like "/data/ipfs" + # so it can be mapped to a volume. + repoPath: "./ipfs" + + # Support for redis as a cache mechanism + # + # Note: Enabling Redis support will mean that the existing cache mechanism will do nothing. + # It can be safely disabled once Redis support is enabled. + # + # See docs/redis.md for more information on how this works and how to set it up. + redis: + # Whether or not use Redis instead of in-process caching. + enabled: false + + # The Redis shards that should be used by the media repo in the ring. The names of the + # shards are for your reference and have no bearing on the connection, but must be unique. + shards: + - name: "server1" + addr: ":7000" + - name: "server2" + addr: ":7001" + - name: "server3" + addr: ":7002" + +# Optional sentry (https://sentry.io/) configuration for the media repo + +# Whether or not to set up error reporting. Defaults to off. +matrix_media_repo_sentry_enabled: false + +# Get this value from the setup instructions in Sentry +matrix_media_repo_sentry_dsn: "https://examplePublicKey@ingest.sentry.io/0" + +# Optional environment flag. Defaults to an empty string. +matrix_media_repo_sentry_environment: "" + +# Whether or not to turn on sentry's built in debugging. This will increase log output. +matrix_media_repo_sentry_debug: false diff --git a/roles/custom/matrix-media-repo/tasks/main.yml b/roles/custom/matrix-media-repo/tasks/main.yml new file mode 100644 index 00000000..03c26ec5 --- /dev/null +++ b/roles/custom/matrix-media-repo/tasks/main.yml 
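Review bot: `matrix_media_repo_database_password: "your_password"` and `matrix_media_repo_shared_secret_auth_token: "PutSomeRandomSecureValueHere"` are working defaults rather than empty ones, so a deployment that forgets to override them gets a guessable database credential rendered straight into `media-repo.yaml` (the token is at least gated behind `matrix_media_repo_shared_secret_auth_enabled: false`), and the new `tasks/main.yml` in this commit includes `setup_install.yml` with no validation step in between. Other roles in this playbook appear to ship an empty default that a validation task rejects; I'd set `matrix_media_repo_database_password: ""` and fail early when it is unset while the role is enabled, in a validate_config.yml if the role does not have one yet. Two smaller points in the same hunk: the comments on `matrix_media_repo_systemd_required_services_list` and `_wanted_services_list` mention "matrix-conduit.service", which looks copied from the Conduit role, and should read `# List of systemd services that the matrix-media-repo service depends on`; and in `urlPreviews.disallowedNetworks`, `'fe80::/64'` covers only a slice of the IPv6 link-local range, so `'fe80::/10'` is the prefix that matches the intent of the surrounding private-range entries.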
@@ -0,0 +1,17 @@
+---
+
+- tags:
+    - setup-all
+    - setup-matrix-media-repo
+    - install-all
+    - install-matrix-media-repo
+  block:
+    - when: matrix_media_repo_enabled | bool
+      ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml"
+
+- tags:
+    - setup-all
+    - setup-matrix-media-repo
+  block:
+    - when: not matrix_media_repo_enabled | bool
+      ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml"
diff --git a/roles/custom/matrix-media-repo/tasks/setup_install.yml b/roles/custom/matrix-media-repo/tasks/setup_install.yml
new file mode 100644
index 00000000..3bcbed96
--- /dev/null
+++ b/roles/custom/matrix-media-repo/tasks/setup_install.yml
@@ -0,0 +1,88 @@
+---
+
+- name: Ensure media-repo paths exist
+  ansible.builtin.file:
+    path: "{{ item.path }}"
+    state: directory
+    mode: 0750
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
+  with_items:
+    - path: "{{ matrix_media_repo_base_path }}"
+      when: true
+    - path: "{{ matrix_media_repo_config_path }}"
+      when: true
+    - path: "{{ matrix_media_repo_data_path }}"
+      when: true
+    - path: "{{ matrix_media_repo_docker_src_files_path }}"
+      when: "{{ matrix_media_repo_container_image_self_build }}"
+  when: "item.when | bool"
+
+- name: Ensure media-repo support files installed
+  ansible.builtin.template:
+    src: "{{ role_path }}/templates/media-repo/{{ item }}.j2"
+    dest: "{{ matrix_media_repo_base_path }}/{{ item }}"
+    mode: 0640
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
+  with_items:
+    - env
+
+- name: Ensure media-repo configuration installed
+  ansible.builtin.template:
+    src: "{{ role_path }}/templates/media-repo/media-repo.yaml.j2"
+    dest: "{{ matrix_media_repo_config_path }}/media-repo.yaml"
+    mode: 0640
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
+
+- name: Ensure media-repo Docker image is pulled
+  community.docker.docker_image:
+    name: "{{ matrix_media_repo_docker_image }}"
+    source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
+    force_source: "{{ matrix_media_repo_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
+    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_media_repo_docker_image_force_pull }}"
+  when: "not matrix_media_repo_container_image_self_build | bool"
+  register: result
+  retries: "{{ devture_playbook_help_container_retries_count }}"
+  delay: "{{ devture_playbook_help_container_retries_delay }}"
+  until: result is not failed
+
+- when: "matrix_media_repo_container_image_self_build | bool"
+  block:
+    - name: Ensure media-repo repository is present on self-build
+      ansible.builtin.git:
+        repo: "{{ matrix_media_repo_container_image_self_build_repo }}"
+        dest: "{{ matrix_media_repo_docker_src_files_path }}"
+        version: "{{ matrix_media_repo_docker_image.split(':')[1] }}"
+        force: "yes"
+      become: true
+      become_user: "{{ matrix_user_username }}"
+      register: matrix_media_repo_git_pull_results
+
+    - name: Check if media-repo Docker image exists
+      ansible.builtin.command: "{{ devture_systemd_docker_base_host_command_docker }} images --quiet --filter 'reference={{ matrix_media_repo_docker_image }}'"
+      register: matrix_media_repo_docker_image_check_result
+      changed_when: false
+
+    # Invoking the `docker build` command here, instead of calling the `docker_image` Ansible module,
+    # because the latter does not support BuildKit.
+    # See: https://github.com/ansible-collections/community.general/issues/514
+    - name: Ensure media-repo Docker image is built
+      ansible.builtin.command:
+        cmd: "{{ devture_systemd_docker_base_host_command_docker }} build -t {{ matrix_media_repo_docker_image }} {{ matrix_media_repo_docker_src_files_path }}"
+      environment:
+        DOCKER_BUILDKIT: 1
+      changed_when: true
+      when: "matrix_media_repo_git_pull_results.changed | bool or matrix_media_repo_docker_image_check_result.stdout == ''"
+
+- name: Ensure media-repo container network is created
+  community.general.docker_network:
+    name: "{{ matrix_media_repo_container_network }}"
+    driver: bridge
+
+- name: Ensure media-repo service installed
+  ansible.builtin.template:
+    src: "{{ role_path }}/templates/media-repo/systemd/matrix-media-repo.service.j2"
+    dest: "{{ devture_systemd_docker_base_systemd_path }}/{{ matrix_media_repo_identifier }}.service"
+    mode: 0640
diff --git a/roles/custom/matrix-media-repo/tasks/setup_uninstall.yml b/roles/custom/matrix-media-repo/tasks/setup_uninstall.yml
new file mode 100644
index 00000000..449cd48b
--- /dev/null
+++ b/roles/custom/matrix-media-repo/tasks/setup_uninstall.yml
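Review bot: The network task near the end of the hunk uses `community.general.docker_network` while the image task above it uses `community.docker.docker_image`; the docker_* modules were relocated from community.general to community.docker, so on a current collection install this task likely fails to resolve, and `community.docker.docker_network:` is the consistent choice. The self-build path checks out `version: "{{ matrix_media_repo_docker_image.split(':')[1] }}"` with `force: "yes"`, i.e. whatever the upstream repository currently has at that mutable tag rather than a pinned commit, so the built image can change underneath the playbook with no diff here — a comment stating that trade-off (or a separate pinned-ref variable) would make the supply-chain assumption explicit. Minor: `mode: 0750`/`0640` are unquoted octals that Ansible accepts only because of the leading zero; `mode: "0750"` is the form that survives YAML re-typing and is what ansible-lint recommends.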
@@ -0,0 +1,19 @@
+---
+
+- name: Check existence of media-repo service
+  ansible.builtin.stat:
+    path: "{{ devture_systemd_docker_base_systemd_path }}/{{ matrix_media_repo_identifier }}.service"
+  register: matrix_media_repo_service_stat
+
+- when: matrix_media_repo_service_stat.stat.exists | bool
+  block:
+    - name: Ensure media-repo is stopped
+      ansible.builtin.systemd:
+        name: "{{ matrix_media_repo_identifier }}"
+        state: stopped
+        daemon_reload: true
+
+    - name: Ensure media-repo service doesn't exist
+      ansible.builtin.file:
+        path: "{{ devture_systemd_docker_base_systemd_path }}/{{ matrix_media_repo_identifier }}.service"
+        state: absent
diff --git a/roles/custom/matrix-media-repo/templates/grafana/media-repo.json b/roles/custom/matrix-media-repo/templates/grafana/media-repo.json
new file mode 100644
index 00000000..1fb68e0a
--- /dev/null
+++ b/roles/custom/matrix-media-repo/templates/grafana/media-repo.json
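Review bot: After the last task deletes the unit file, systemd still has the stale unit loaded, because the only `daemon_reload: true` runs in the stop task, before the file is removed; a follow-up `ansible.builtin.systemd: daemon_reload: true` after the `state: absent` task (or a notify to whatever reload handler the playbook already uses — I cannot see one from this hunk) would leave the host consistent. This uninstall also leaves `media-repo.yaml` in place, which per the template in this commit carries the shared-secret auth token and the Postgres connection string; if keeping config and data on uninstall is the playbook-wide convention, a one-line comment such as `# Configuration and data under the media-repo paths are intentionally left in place` would stop a reader from assuming those secrets were cleaned up.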
@@ -0,0 +1,991 @@ +{ + "__inputs": [ + { + "name": "DS_PROMETHEUS", + "label": "Prometheus", + "description": "", + "type": "datasource", + "pluginId": "prometheus", + "pluginName": "Prometheus" + } + ], + "__elements": {}, + "__requires": [ + { + "type": "grafana", + "id": "grafana", + "name": "Grafana", + "version": "9.3.1" + }, + { + "type": "datasource", + "id": "prometheus", + "name": "Prometheus", + "version": "1.0.0" + }, + { + "type": "panel", + "id": "timeseries", + "name": "Time series", + "version": "" + } + ], + "annotations": { + "list": [ + { + "builtIn": 1, + "datasource": { + "type": "grafana", + "uid": "-- Grafana --" + }, + "enable": true, + "hide": true, + "iconColor": "rgba(0, 211, 255, 1)", + "name": "Annotations & Alerts", + "target": { + "limit": 100, + "matchAny": false, + "tags": [], + "type": "dashboard" + }, + "type": "dashboard" + } + ] + }, + "description": "", + "editable": true, + "fiscalYearStartMonth": 0, + "graphTooltip": 0, + "id": 9, + "links": [], + "liveNow": false, + "panels": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 10, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "never", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "links": [], + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green" + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "hertz" + }, + "overrides": [] + }, + "gridPos": { + "h": 9, + "w": 12, + "x": 0, + 
"y": 0 + }, + "id": 2, + "links": [], + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "multi", + "sort": "none" + } + }, + "pluginVersion": "9.5.3", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "expr": "rate(media_http_requests_total[2m])", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ '{{host}}: {{method}} {{action}}' }}", + "refId": "A" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "expr": "rate(media_invalid_http_requests_total[2m])", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ 'Invalid Host: {{method}} {{action}}' }}", + "refId": "B" + } + ], + "title": "HTTP Requsts", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 10, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "never", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "links": [], + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green" + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "hertz" + }, + "overrides": [] + }, + "gridPos": { + "h": 9, + "w": 12, + "x": 12, + "y": 0 + }, + "id": 3, + "links": [], + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": 
"multi", + "sort": "none" + } + }, + "pluginVersion": "9.5.3", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "expr": "rate(media_http_responses_total[2m])", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ '{{host}}: {{method}} {{action}} {{statusCode}}' }}", + "refId": "A" + } + ], + "title": "HTTP Responses", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 10, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "never", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "links": [], + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green" + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "bytes" + }, + "overrides": [] + }, + "gridPos": { + "h": 9, + "w": 12, + "x": 0, + "y": 9 + }, + "id": 8, + "links": [], + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "multi", + "sort": "none" + } + }, + "pluginVersion": "9.5.3", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "expr": "go_memstats_alloc_bytes", + "format": "time_series", + "interval": "", + "intervalFactor": 1, + "legendFormat": "memory usage (alloc)", + "refId": "B" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "expr": 
"go_memstats_sys_bytes", + "interval": "", + "legendFormat": "memory usage (sys)", + "refId": "C" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "expr": "go_memstats_heap_alloc_bytes", + "interval": "", + "legendFormat": "heap usage (alloc)", + "refId": "A" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "expr": "go_memstats_heap_idle_bytes", + "interval": "", + "legendFormat": "heap usage (idle)", + "refId": "D" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "expr": "go_memstats_heap_inuse_bytes", + "interval": "", + "legendFormat": "heap usage (used)", + "refId": "E" + } + ], + "title": "Memory Usage", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 10, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "never", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "links": [], + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green" + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "bytes" + }, + "overrides": [] + }, + "gridPos": { + "h": 9, + "w": 12, + "x": 12, + "y": 9 + }, + "id": 4, + "links": [], + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "multi", + "sort": "none" + } + }, + "pluginVersion": "9.5.3", + "targets": [ + { + 
"datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "expr": "media_cache_num_bytes_used", + "format": "time_series", + "interval": "", + "intervalFactor": 1, + "legendFormat": "{{ 'size of cache: {{cache}}' }}", + "refId": "B" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "expr": "media_cache_num_live_bytes_used", + "interval": "", + "legendFormat": "{{ 'live size of cache: {{cache}}' }}", + "refId": "C" + } + ], + "title": "Cache Size (Bytes)", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 10, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "never", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "links": [], + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green" + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "short" + }, + "overrides": [] + }, + "gridPos": { + "h": 9, + "w": 12, + "x": 0, + "y": 18 + }, + "id": 9, + "links": [], + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "multi", + "sort": "none" + } + }, + "pluginVersion": "9.5.3", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "expr": "media_cache_num_items", + "format": "time_series", + "interval": "", + "intervalFactor": 1, + "legendFormat": "{{ 'items in cache: 
{{cache}}' }}", + "refId": "B" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "expr": "media_cache_num_live_items", + "interval": "", + "legendFormat": "{{ 'live items in cache: {{cache}}' }}", + "refId": "C" + } + ], + "title": "Cache Size (# of items)", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 10, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "never", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "links": [], + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green" + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "hertz" + }, + "overrides": [] + }, + "gridPos": { + "h": 9, + "w": 12, + "x": 12, + "y": 18 + }, + "id": 5, + "links": [], + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "multi", + "sort": "none" + } + }, + "pluginVersion": "9.5.3", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "expr": "rate(media_cache_hits_total[2m])", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ 'hits in {{cache}}' }}", + "refId": "A" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "expr": "rate(media_cache_misses_total[2m])", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ 
'misses in {{cache}}' }}", + "refId": "B" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "expr": "rate(media_cache_evictions_total[2m])", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ 'evictions due to {{reason}} in {{cache}}' }}", + "refId": "C" + } + ], + "title": "Cache Operations", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 10, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "never", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "links": [], + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green" + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "hertz" + }, + "overrides": [] + }, + "gridPos": { + "h": 9, + "w": 12, + "x": 0, + "y": 27 + }, + "id": 6, + "links": [], + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "multi", + "sort": "none" + } + }, + "pluginVersion": "9.5.3", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "expr": "rate(media_thumbnails_generated_total[2m])", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ '{{origin}} {{width}}x{{height}} {{method}} animated={{animated}}' }}", + "refId": "A" + } + ], + "title": "Thumbnail Generation", + "type": "timeseries" + }, + { + "datasource": { + 
"type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 10, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "never", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "links": [], + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green" + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "hertz" + }, + "overrides": [] + }, + "gridPos": { + "h": 9, + "w": 12, + "x": 12, + "y": 27 + }, + "id": 7, + "links": [], + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "multi", + "sort": "none" + } + }, + "pluginVersion": "9.5.3", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "expr": "rate(media_downloaded_total[2m])", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ 'downloads from {{origin}}' }}", + "refId": "A" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "expr": "rate(media_url_previews_generated_total[2m])", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ 'preview with engine: {{type}}' }}", + "refId": "B" + } + ], + "title": "Resource Handling", + "type": "timeseries" + } + ], + "refresh": "1m", + "schemaVersion": 38, + "style": "dark", + "tags": [], + "templating": { + "list": [ + { + "current": { + "selected": true, + "text": "Prometheus", + "value": "Prometheus" + }, + "hide": 0, 
+ "includeAll": false, + "multi": false, + "name": "DS_PROMETHEUS", + "options": [], + "query": "prometheus", + "queryValue": "", + "refresh": 1, + "regex": "", + "skipUrlSync": false, + "type": "datasource" + } + ] + }, + "time": { + "from": "now-1h", + "to": "now" + }, + "timepicker": { + "refresh_intervals": [ + "5s", + "10s", + "30s", + "1m", + "5m", + "15m", + "30m", + "1h", + "2h", + "1d" + ], + "time_options": [ + "5m", + "15m", + "1h", + "6h", + "12h", + "24h", + "2d", + "7d", + "30d" + ] + }, + "timezone": "", + "title": "Media Repo Dashboard", + "uid": "xJUZ3xfmk", + "version": 2, + "weekStart": "" +} \ No newline at end of file diff --git a/roles/custom/matrix-media-repo/templates/media-repo/env.j2 b/roles/custom/matrix-media-repo/templates/media-repo/env.j2 new file mode 100644 index 00000000..8b26f77d --- /dev/null +++ b/roles/custom/matrix-media-repo/templates/media-repo/env.j2 @@ -0,0 +1 @@ +REPO_CONFIG=/config/media-repo.yaml diff --git a/roles/custom/matrix-media-repo/templates/media-repo/media-repo.yaml.j2 b/roles/custom/matrix-media-repo/templates/media-repo/media-repo.yaml.j2 new file mode 100644 index 00000000..c304c1c2 --- /dev/null +++ b/roles/custom/matrix-media-repo/templates/media-repo/media-repo.yaml.j2 
@@ -0,0 +1,619 @@ +# General repo configuration +repo: + bindAddress: {{ matrix_media_repo_bind_address | to_json }} + port: {{ matrix_media_repo_port | to_json }} + + # Where to store the logs, relative to where the repo is started from. Logs will be automatically + # rotated every day and held for 14 days. To disable the repo logging to files, set this to + # "-" (including quotation marks). + # + # Note: to change the log directory you'll have to restart the repository. This setting cannot be + # live reloaded. + logDirectory: {{ matrix_media_repo_log_directory | to_json }} + + # Set to true to enable color coding in your logs. Note that this may cause escape sequences to + # appear in logs which render them unreadable, which is why colors are disabled by default. + logColors: {{ matrix_media_repo_log_colors | to_json }} + + # Set to true to enable JSON logging for consumption by things like logstash. Note that this is + # incompatible with the log color option and will always render without colors. + jsonLogs: {{ matrix_media_repo_json_logs | to_json }} + + # The log level to log at. Note that this will need to be at least "info" to receive support. + # + # Values (in increasing spam): panic | fatal | error | warn | info | debug | trace + logLevel: {{ matrix_media_repo_log_level | to_json }} + + # If true, the media repo will accept any X-Forwarded-For header without validation. In most cases + # this option should be left as "false". Note that the media repo already expects an X-Forwarded-For + # header, but validates it to ensure the IP being given makes sense. + trustAnyForwardedAddress: {{ matrix_media_repo_trust_any_forwarded_address | to_json }} + + # If false, the media repo will not use the X-Forwarded-Host header commonly added by reverse proxies. + # Typically this should remain as true, though in some circumstances it may need to be disabled. + # See https://github.com/turt2live/matrix-media-repo/issues/202 for more information. 
+ useForwardedHost: {{ matrix_media_repo_use_forwarded_host | to_json }} + +# Options for dealing with federation +federation: + # On a per-host basis, the number of consecutive failures in calling the host before the + # media repo will back off. This defaults to 20 if not given. Note that 404 errors from + # the remote server do not count towards this. + backoffAt: {{ matrix_media_repo_federation_backoff_at | to_json }} + +# The database configuration for the media repository +# Do NOT put your homeserver's existing database credentials here. Create a new database and +# user instead. Using the same server is fine, just not the same username and database. +database: + # Currently only "postgres" is supported. + postgres: {{ matrix_media_repo_database_postgres | to_json }} + + # The database pooling options + pool: + # The maximum number of connects to hold open. More of these allow for more concurrent + # processes to happen. + maxConnections: {{ matrix_media_repo_database_max_connections | to_json }} + + # The maximum number of connects to leave idle. More of these reduces the time it takes + # to serve requests in low-traffic scenarios. + maxIdleConnections: {{ matrix_media_repo_database_max_idle_connections | to_json }} + +# The configuration for the homeservers this media repository is known to control. Servers +# not listed here will not be able to upload media. +#homeservers: +# - name: example.org # This should match the server_name of your homeserver, and the Host header +# # provided to the media repo. +# csApi: "https://example.org/" # The base URL to where the homeserver can actually be reached +# backoffAt: 10 # The number of consecutive failures in calling this homeserver before the +# # media repository will start backing off. This defaults to 10 if not given. +# adminApiKind: "matrix" # The kind of admin API the homeserver supports. 
If set to "matrix", +# # the media repo will use the Synapse-defined endpoints under the +# # unstable client-server API. When this is "synapse", the new /_synapse +# # endpoints will be used instead. Unknown values are treated as the +# # default, "matrix". +{{ matrix_media_repo_homeservers | to_json | from_json | to_nice_yaml(indent=2, width=999999, sort_keys=false) }} + +# Options for controlling how access tokens work with the media repo. It is recommended that if +# you are going to use these options that the `/logout` and `/logout/all` client-server endpoints +# be proxied through this process. They will also be called on the homeserver, and the response +# sent straight through the client - they are simply used to invalidate the cache faster for +# a particular user. Without these, the access tokens might still work for a short period of time +# after the user has already invalidated them. +# +# This will also cache errors from the homeserver. +# +# Note that when this config block is used outside of a per-domain config, all hosts will be +# subject to the same cache. This also means that application services on limited homeservers +# could be authorized on the wrong domain. +# +# *************************************************************************** +# * IT IS HIGHLY RECOMMENDED TO USE PER-DOMAIN CONFIGS WITH THIS FEATURE. * +# *************************************************************************** +# accessTokens: +# # The maximum time a cached access token will be considered valid. Set to zero (the default) +# # to disable the cache and constantly hit the homeserver. This is recommended to be set to +# # 43200 (12 hours) on servers with the logout endpoints proxied through the media repo, and +# # zero for servers who do not proxy the endpoints through. +# maxCacheTimeSeconds: 0 +# +# # Whether or not to use the `appservices` config option below. 
If disabled (the default), +# # the regular access token cache will be used for each user, potentially leading to high +# # memory usage. +# useLocalAppserviceConfig: false +# +# # The application services (and their namespaces) registered on the homeserver. Only used +# # if `useLocalAppserviceConfig` is enabled (recommended). +# # +# # Usually the appservice will provide you with these config details - they'll just need +# # translating from the appservice registration to here. Note that this does not require +# # all options from the registration, and only requires the bare minimum required to run +# # the media repo. +# appservices: +# - id: Name_of_appservice_for_your_reference +# asToken: Secret_token_for_appservices_to_use +# senderUserId: "@_example_bridge:yourdomain.com" +# userNamespaces: +# - regex: "@_example_bridge_.+:yourdomain.com" +# # A note about regexes: it is best to suffix *all* namespaces with the homeserver +# # domain users are valid for, as otherwise the appservice can use any user with +# # any domain name it feels like, even if that domain is not configured with the +# # media repo. This will lead to inaccurate reporting in the case of the media +# # repo, and potentially leading to media being considered "remote". +{{ matrix_media_repo_access_tokens | to_json | from_json | to_nice_yaml(indent=2, width=999999, sort_keys=false) }} + +# These users have full access to the administrative functions of the media repository. +# See docs/admin.md for information on what these people can do. They must belong to one of the +# configured homeservers above. +{{ matrix_media_repo_admins | to_json | from_json | to_nice_yaml(indent=2, width=999999, sort_keys=false) }} + +# Shared secret auth is useful for applications building on top of the media repository, such +# as a management interface. 
The `token` provided here is treated as a repository administrator +# when shared secret auth is enabled: if the `token` is used in place of an access token, the' +# request will be authorized. This is not limited to any particular domain, giving applications +# the ability to use it on any configured hostname. +sharedSecretAuth: + # Set this to true to enable shared secret auth. + enabled: {{ matrix_media_repo_shared_secret_auth_enabled | to_json }} + + # Use a secure value here to prevent unauthorized access to the media repository. + token: {{ matrix_media_repo_shared_secret_auth_token | to_json }} + +# Datastores are places where media should be persisted. This isn't dedicated for just uploads: +# thumbnails and other misc data is also stored in these places. The media repo, when looking +# for a datastore to use, will always use the smallest datastore first. +# datastores: +# - type: file +# enabled: false # Enable this to set up data storage. +# # Datastores can be split into many areas when handling uploads. Media is still de-duplicated +# # across all datastores (local content which duplicates remote content will re-use the remote +# # content's location). This option is useful if your datastore is becoming very large, or if +# # you want faster storage for a particular kind of media. +# # +# # The kinds available are: +# # thumbnails - Used to store thumbnails of media (local and remote). +# # remote_media - Original copies of remote media (servers not configured by this repo). +# # local_media - Original uploads for local media. +# # archives - Archives of content (GDPR and similar requests). +# forKinds: ["thumbnails"] +# opts: +# path: /var/matrix/media +# +# - type: s3 +# enabled: false # Enable this to set up s3 uploads +# forKinds: ["thumbnails", "remote_media", "local_media", "archives"] +# opts: +# # The s3 uploader needs a temporary location to buffer files to reduce memory usage on +# # small file uploads. 
If the file size is unknown, the file is written to this location +# # before being uploaded to s3 (then the file is deleted). If you aren't concerned about +# # memory usage, set this to an empty string. +# tempPath: "/tmp/mediarepo_s3_upload" +# endpoint: sfo2.digitaloceanspaces.com +# accessKeyId: "" +# accessSecret: "" +# ssl: true +# bucketName: "your-media-bucket" +# # An optional region for where this S3 endpoint is located. Typically not needed, though +# # some providers will need this (like Scaleway). Uncomment to use. +# #region: "sfo2" +# +# # The media repo does support an IPFS datastore, but only if the IPFS feature is enabled. If +# # the feature is not enabled, this will not work. Note that IPFS support is experimental at +# # the moment and not recommended for general use. +# # +# # NOTE: Everything you upload to IPFS will be publicly accessible, even when the media repo +# # puts authentication on the download endpoints. Only use this option for cases where you +# # expect your media to be publicly accessible. +# - type: ipfs +# enabled: false # Enable this to use IPFS support +# forKinds: ["local_media"] +# # The IPFS datastore currently has no options. It will use the daemon or HTTP API configured +# # in the IPFS section of your main config. +# opts: {} +{{ matrix_media_repo_datastores | to_json | from_json | to_nice_yaml(indent=2, width=999999, sort_keys=false) }} + +# Options for controlling archives. Archives are exports of a particular user's content for +# the purpose of GDPR or moving media to a different server. +archiving: + # Whether archiving is enabled or not. Default enabled. + enabled: {{ matrix_media_repo_archiving_enabled | to_json }} + # If true, users can request a copy of their own data. By default, only repository administrators + # can request a copy. + # This includes the ability for homeserver admins to request a copy of their own server's + # data, as known to the repo. 
+ selfService: {{ matrix_media_repo_archiving_self_service | to_json }} + # The number of bytes to target per archive before breaking up the files. This is independent + # of any file upload limits and will require a similar amount of memory when performing an export. + # The file size is also a target, not a guarantee - it is possible to have files that are smaller + # or larger than the target. This is recommended to be approximately double the size of your + # file upload limit, provided there is enough memory available for the demand of exporting. + targetBytesPerPart: {{ matrix_media_repo_archiving_target_bytes_per_part | to_json }} # 200mb default + +# The file upload settings for the media repository +# uploads: +# # The maximum individual file size a user can upload. +# maxBytes: 104857600 # 100MB default, 0 to disable +# +# # The minimum number of bytes to let people upload. This is recommended to be non-zero to +# # ensure that the "cost" of running the media repo is worthwhile - small file uploads tend +# # to waste more CPU and database resources than small files, thus a default of 100 bytes +# # is applied here as an approximate break-even point. +# minBytes: 100 # 100 bytes by default +# +# # The number of bytes to claim as the maximum size for uploads for the limits API. If this +# # is not provided then the maxBytes setting will be used instead. This is useful to provide +# # if the media repo's settings and the reverse proxy do not match for maximum request size. +# # This is purely for informational reasons and does not actually limit any functionality. +# # Set this to -1 to indicate that there is no limit. Zero will force the use of maxBytes. +# #reportedMaxBytes: 104857600 +# +# # Options for limiting how much content a user can upload. Quotas are applied to content +# # associated with a user regardless of de-duplication. Quotas which affect remote servers +# # or users will not take effect. 
When a user exceeds their quota they will be unable to +# # upload any more media. +# quotas: +# # Whether or not quotas are enabled/enforced. Note that even when disabled the media repo +# # will track how much media a user has uploaded. This is disabled by default. +# enabled: false +# +# # The quota rules that affect users. The first rule to match the uploader will take effect. +# # An implied rule which matches all users and has no quota is always last in this list, +# # meaning that if no rules are supplied then users will be able to upload anything. Similarly, +# # if no rules match a user then the implied rule will match, allowing the user to have no +# # quota. The quota will let the user upload to 1 media past their quota, meaning that from +# # a statistics perspective the user might exceed their quota however only by a small amount. +# users: +# - glob: "@*:*" # Affect all users. Use asterisks (*) to match any character. +# maxBytes: 53687063712 # 50GB default, 0 to disable +{{ matrix_media_repo_uploads | to_json | from_json | to_nice_yaml(indent=2, width=999999, sort_keys=false) }} + +# Settings related to downloading files from the media repository +downloads: + # The maximum number of bytes to download from other servers + maxBytes: {{ matrix_media_repo_downloads_max_bytes | to_json }} # 100MB default, 0 to disable + + # The number of workers to use when downloading remote media. Raise this number if remote + # media is downloading slowly or timing out. + # + # Maximum memory usage = numWorkers multiplied by the maximum download size + # Average memory usage is dependent on how many concurrent downloads your users are doing. + numWorkers: {{ matrix_media_repo_downloads_num_workers | to_json }} + + # How long, in minutes, to cache errors related to downloading remote media. Once this time + # has passed, the media is able to be re-requested. 
+ failureCacheMinutes: {{ matrix_media_repo_downloads_failure_cache_minutes | to_json }} + + # The cache control settings for downloads. This can help speed up downloads for users by + # keeping popular media in the cache. This cache is also used for thumbnails. + cache: + enabled: {{ matrix_media_repo_downloads_cache_enabled | to_json }} + + # The maximum size of cache to have. Higher numbers are better. + maxSizeBytes: {{ matrix_media_repo_downloads_cache_max_size_bytes | to_json }} # 1GB default + + # The maximum file size to cache. This should normally be the same size as your maximum + # upload size. + maxFileSizeBytes: {{ matrix_media_repo_downloads_cache_max_file_size_bytes | to_json }} # 100MB default + + # The number of minutes to track how many downloads a file gets + trackedMinutes: {{ matrix_media_repo_downloads_cache_tracked_minutes | to_json }} + + # The number of downloads a file must receive in the window above (trackedMinutes) in + # order to be cached. + minDownloads: {{ matrix_media_repo_downloads_cache_min_downloads | to_json }} + + # The minimum amount of time an item should remain in the cache. This prevents the cache + # from cycling out the file if it needs more room during this time. Note that the media + # repo regularly cleans out media which is past this point from the cache, so this number + # may need increasing depending on your use case. If the maxSizeBytes is reached for the + # media repo, and some cached items are still under this timer, new items will not be able + # to enter the cache. When this happens, consider raising maxSizeBytes or lowering this + # timer. + minCacheTimeSeconds: {{ matrix_media_repo_downloads_cache_min_cache_time_seconds | to_json }} + + # The minimum amount of time an item should remain outside the cache once it is removed. + minEvictedTimeSeconds: {{ matrix_media_repo_downloads_cache_min_evicted_time_seconds | to_json }} + + # How many days after a piece of remote content is downloaded before it expires. 
It can be + # re-downloaded on demand, this just helps free up space in your datastore. Set to zero or + # negative to disable. Defaults to disabled. + expireAfterDays: {{ matrix_media_repo_downloads_expire_after_days | to_json }} + +# URL Preview settings +# urlPreviews: +# enabled: true # If enabled, the preview_url routes will be accessible +# maxPageSizeBytes: 10485760 # 10MB default, 0 to disable +# +# # If true, the media repository will try to provide previews for URLs with invalid or unsafe +# # certificates. If false (the default), the media repo will fail requests to said URLs. +# previewUnsafeCertificates: false +# +# # Note: URL previews are limited to a given number of words, which are then limited to a number +# # of characters, taking off the last word if it needs to. This also applies for the title. +# +# numWords: 50 # The number of words to include in a preview (maximum) +# maxLength: 200 # The maximum number of characters for a description +# +# numTitleWords: 30 # The maximum number of words to include in a preview's title +# maxTitleLength: 150 # The maximum number of characters for a title +# +# # The mime types to preview when OpenGraph previews cannot be rendered. OpenGraph previews are +# # calculated on anything matching "text/*". To have a thumbnail in the preview the URL must be +# # an image and the image's type must be allowed by the thumbnailer. +# filePreviewTypes: +# - "image/*" +# +# # The number of workers to use when generating url previews. Raise this number if url +# # previews are slow or timing out. +# # +# # Maximum memory usage = numWorkers multiplied by the maximum page size +# # Average memory usage is dependent on how many concurrent urls your users are previewing. +# numWorkers: 10 +# +# # Either allowedNetworks or disallowedNetworks must be provided. If both are provided, they +# # will be merged. URL previews will be disabled if neither is supplied. Each entry must be +# # a CIDR range. 
+# disallowedNetworks: +# - "127.0.0.1/8" +# - "10.0.0.0/8" +# - "172.16.0.0/12" +# - "192.168.0.0/16" +# - "100.64.0.0/10" +# - "169.254.0.0/16" +# - '::1/128' +# - 'fe80::/64' +# - 'fc00::/7' +# allowedNetworks: +# - "0.0.0.0/0" # "Everything". The blacklist will help limit this. +# # This is the default value for this field. +# +# # How many days after a preview is generated before it expires and is deleted. The preview +# # can be regenerated safely - this just helps free up some space in your database. Set to +# # zero or negative to disable. Defaults to disabled. +# expireAfterDays: 0 +# +# # The default Accept-Language header to supply when generating URL previews when one isn't +# # supplied by the client. +# # Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Accept-Language +# defaultLanguage: "en-US,en" +# +# # When true, oEmbed previews will be enabled. Typically these kinds of previews are used for +# # sites that do not support OpenGraph or page scraping, such as Twitter. For information on +# # specifying providers for oEmbed, including your own, see the following documentation: +# # https://docs.t2bot.io/matrix-media-repo/url-previews/oembed.html +# # Defaults to disabled. +# oEmbed: false +{{ matrix_media_repo_url_previews | to_json | from_json | to_nice_yaml(indent=2, width=999999, sort_keys=false)}} + +# The thumbnail configuration for the media repository. +# thumbnails: +# # The maximum number of bytes an image can be before the thumbnailer refuses. +# maxSourceBytes: 10485760 # 10MB default, 0 to disable +# +# # The maximum number of pixels an image can have before the thumbnailer refuses. Note that +# # this only applies to image types: file types like audio and video are affected solely by +# # the maxSourceBytes. +# maxPixels: 32000000 # 32M default +# +# # The number of workers to use when generating thumbnails. Raise this number if thumbnails +# # are slow to generate or timing out. 
+# # +# # Maximum memory usage = numWorkers multiplied by the maximum image source size +# # Average memory usage is dependent on how many thumbnails are being generated by your users +# numWorkers: 100 +# +# # All thumbnails are generated into one of the sizes listed here. The first size is used as +# # the default for when no width or height is requested. The media repository will return +# # either an exact match or the next largest size of thumbnail. +# sizes: +# - width: 32 +# height: 32 +# - width: 96 +# height: 96 +# - width: 320 +# height: 240 +# - width: 640 +# height: 480 +# - width: 768 # This size is primarily used for audio thumbnailing. +# height: 240 +# - width: 800 +# height: 600 +# +# # To allow for thumbnails to be any size, not just in the sizes specified above, set this to +# # true (default false). When enabled, whatever size requested by the client will be generated +# # up to a maximum of the largest possible dimensions in the `sizes` list. For best results, +# # specify only one size in the `sizes` list when this option is enabled. +# dynamicSizing: false +# +# # The content types to thumbnail when requested. Types that are not supported by the media repo +# # will not be thumbnailed (adding application/json here won't work). Clients may still not request +# # thumbnails for these types - this won't make clients automatically thumbnail these file types. +# types: +# - "image/jpeg" +# - "image/jpg" +# - "image/png" +# - "image/apng" +# - "image/gif" +# - "image/heif" +# - "image/webp" +# #- "image/svg+xml" # Be sure to have ImageMagick installed to thumbnail SVG files +# - "audio/mpeg" +# - "audio/ogg" +# - "audio/wav" +# - "audio/flac" +# #- "video/mp4" # Be sure to have ffmpeg installed to thumbnail video files +# +# # Animated thumbnails can be CPU intensive to generate. To disable the generation of animated +# # thumbnails, set this to false. If disabled, regular thumbnails will be returned. 
+# allowAnimated: true +# +# # Default to animated thumbnails, if available +# defaultAnimated: false +# +# # The maximum file size to thumbnail when a capable animated thumbnail is requested. If the image +# # is larger than this, the thumbnail will be generated as a static image. +# maxAnimateSizeBytes: 10485760 # 10MB default, 0 to disable +# +# # On a scale of 0 (start of animation) to 1 (end of animation), where should the thumbnailer try +# # and thumbnail animated content? Defaults to 0.5 (middle of animation). +# stillFrame: 0.5 +# +# # How many days after a thumbnail is generated before it expires and is deleted. The thumbnail +# # can be regenerated safely - this just helps free up some space in your datastores. Set to +# # zero or negative to disable. Defaults to disabled. +# expireAfterDays: 0 +{{ matrix_media_repo_thumbnails | to_json | from_json | to_nice_yaml(indent=2, width=999999, sort_keys=false) }} + +# Controls for the rate limit functionality +rateLimit: + # Set this to false if rate limiting is handled at a higher level or you don't want it enabled. + enabled: {{ matrix_media_repo_rate_limit_enabled | to_json }} + + # The number of requests per second before an IP will be rate limited. Must be a whole number. + requestsPerSecond: {{ matrix_media_repo_rate_limit_requests_per_second | to_json }} + + # The number of requests an IP can send at once before the rate limit is actually considered. + burst: {{ matrix_media_repo_rate_limit_burst | to_json }} + +# Identicons are generated avatars for a given username. Some clients use these to give users a +# default avatar after signing up. Identicons are not part of the official matrix spec, therefore +# this feature is completely optional. +identicons: + enabled: {{ matrix_media_repo_identicons_enabled | to_json }} + +# The quarantine media settings. +quarantine: + # If true, when a thumbnail of quarantined media is requested an image will be returned. 
If no + # image is given in the thumbnailPath below then a generated image will be provided. This does + # not affect regular downloads of files. + replaceThumbnails: {{ matrix_media_repo_quarantine_replace_thumbnails | to_json }} + + # If true, when media which has been quarantined is requested an image will be returned. If + # no image is given in the thumbnailPath below then a generated image will be provided. This + # will replace media which is not an image (ie: quarantining a PDF will replace the PDF with + # an image). + replaceDownloads: {{ matrix_media_repo_quarantine_replace_downloads | to_json }} + + # If provided, the given image will be returned as a thumbnail for media that is quarantined. + #thumbnailPath: "/path/to/thumbnail.png" + thumbnailPath: {{ "" if matrix_media_repo_quarantine_thumbnail_path == "" else matrix_media_repo_quarantine_thumbnail_path | to_json }} + + # If true, administrators of the configured homeservers may quarantine media for their server + # only. Global administrators can quarantine any media (local or remote) regardless of this + # flag. + allowLocalAdmins: {{ matrix_media_repo_quarantine_allow_local_admins | to_json }} + +# The various timeouts that the media repo will use. +timeouts: + # The maximum amount of time the media repo should spend trying to fetch a resource that is + # being previewed. + urlPreviewTimeoutSeconds: {{ matrix_media_repo_timeouts_url_preview_timeout_seconds | to_json }} + + # The maximum amount of time the media repo will spend making remote requests to other repos + # or homeservers. This is primarily used to download media. + federationTimeoutSeconds: {{ matrix_media_repo_timeouts_federation_timeout_seconds | to_json }} + + # The maximum amount of time the media repo will spend talking to your configured homeservers. + # This is usually used to verify a user's identity. 
+ clientServerTimeoutSeconds: {{ matrix_media_repo_timeouts_client_server_timeout_seconds | to_json }} + +# Prometheus metrics configuration +# For an example Grafana dashboard, import the following JSON: +# https://github.com/turt2live/matrix-media-repo/blob/master/docs/grafana.json +metrics: + # If true, the bindAddress and port below will serve GET /metrics for Prometheus to scrape. + enabled: {{ matrix_media_repo_metrics_enabled | to_json }} + + # The address to listen on. Typically "127.0.0.1" or "0.0.0.0" for all interfaces. + bindAddress: {{ matrix_media_repo_metrics_bind_address | to_json }} + + # The port to listen on. Cannot be the same as the general web server port. + port: {{ matrix_media_repo_metrics_port | to_json }} + +# Plugins are optional pieces of the media repo used to extend the functionality offered. +# Currently there are only antispam plugins, but in future there should be more options. +# Plugins are not supported on per-domain paths and are instead repo-wide. For more +# information on writing plugins, please visit #matrix-media-repo:t2bot.io on Matrix. + +# An example OCR plugin to block images with certain text. Note that the Docker image +# for the media repo automatically ships this at /plugins/plugin_antispam_ocr +# - exec: /plugins/plugin_antispam_ocr +# config: +# # The URL to your OCR server (https://github.com/otiai10/ocrserver) +# ocrServer: "http://localhost:8080" +# # The keywords to scan for. The image must contain at least one of the keywords +# # from each list to qualify for spam. +# keywordGroups: +# - - elon +# - musk +# - elonmusk +# - - bitcoin +# # The minimum (and maximum) sizes of images to process. +# minSizeBytes: 20000 +# maxSizeBytes: 200000 +# # The types of files to process +# types: ["image/png", "image/jpeg", "image/jpg"] +# # The user ID regex to check against +# userIds: "@telegram_.*" +# # How much of the image's height, starting from the top, to consider before +# # discarding the rest. 
Set to 1.0 to consider the whole image. +# percentageOfHeight: 0.35 +{{ matrix_media_repo_plugins | to_json | from_json | to_nice_yaml(indent=2, width=999999, sort_keys=false) }} + +# Options for controlling various MSCs/unstable features of the media repo +# Sections of this config might disappear or be added over time. By default all +# features are disabled in here and must be explicitly enabled to be used. +# featureSupport: +# # MSC2248 - Blurhash +# MSC2448: +# # Whether or not this MSC is enabled for use in the media repo +# enabled: false +# +# # Maximum dimensions for converting a blurhash to an image. When no width and +# # height options are supplied, the default will be half these values. +# maxWidth: 1024 +# maxHeight: 1024 +# +# # Thumbnail size in pixels to use to generate the blurhash string +# thumbWidth: 64 +# thumbHeight: 64 +# +# # The X and Y components to use. Higher numbers blur less, lower numbers blur more. +# xComponents: 4 +# yComponents: 3 +# +# # The amount of contrast to apply when converting a blurhash to an image. Lower values +# # make the effect more subtle, larger values make it stronger. +# punch: 1 +# +# # IPFS Support +# # This is currently experimental and might not work at all. +# IPFS: +# # Whether or not IPFS support is enabled for use in the media repo. +# enabled: false +# +# # Options for the built in IPFS daemon +# builtInDaemon: +# # Enable this to spawn an in-process IPFS node to use instead of a localhost +# # HTTP agent. If this is disabled, the media repo will assume you have an HTTP +# # IPFS agent running and accessible. Defaults to using a daemon (true). +# enabled: true +# +# # If the Daemon is enabled, set this to the location where the IPFS files should +# # be stored. If you're using Docker, this should be something like "/data/ipfs" +# # so it can be mapped to a volume. 
+# repoPath: "./ipfs" +# +# # Support for redis as a cache mechanism +# # +# # Note: Enabling Redis support will mean that the existing cache mechanism will do nothing. +# # It can be safely disabled once Redis support is enabled. +# # +# # See docs/redis.md for more information on how this works and how to set it up. +# redis: +# # Whether or not use Redis instead of in-process caching. +# enabled: false +# +# # The Redis shards that should be used by the media repo in the ring. The names of the +# # shards are for your reference and have no bearing on the connection, but must be unique. +# shards: +# - name: "server1" +# addr: ":7000" +# - name: "server2" +# addr: ":7001" +# - name: "server3" +# addr: ":7002" +{{ matrix_media_repo_feature_support | to_json | from_json | to_nice_yaml(indent=2, width=999999, sort_keys=false) }} + +# Optional sentry (https://sentry.io/) configuration for the media repo +sentry: + # Whether or not to set up error reporting. Defaults to off. + enabled: {{ matrix_media_repo_sentry_enabled | to_json }} + + # Get this value from the setup instructions in Sentry + dsn: {{ matrix_media_repo_sentry_dsn | to_json }} + + # Optional environment flag. Defaults to an empty string. + environment: {{ "" if matrix_media_repo_sentry_environment == "" else matrix_media_repo_sentry_environment | to_json }} + + # Whether or not to turn on sentry's built in debugging. This will increase log output. + debug: {{ matrix_media_repo_sentry_debug | to_json }} \ No newline at end of file diff --git a/roles/custom/matrix-media-repo/templates/media-repo/systemd/matrix-media-repo.service.j2 b/roles/custom/matrix-media-repo/templates/media-repo/systemd/matrix-media-repo.service.j2 new file mode 100644 index 00000000..0e73cb6c --- /dev/null +++ b/roles/custom/matrix-media-repo/templates/media-repo/systemd/matrix-media-repo.service.j2 
@@ -0,0 +1,56 @@ +#jinja2: lstrip_blocks: "True" +[Unit] +Description=Matrix media-repo +{% for service in matrix_media_repo_systemd_required_services_list %} +Requires={{ service }} +After={{ service }} +{% endfor %} +{% for service in matrix_media_repo_systemd_wanted_services_list %} +Wants={{ service }} +{% endfor %} +DefaultDependencies=no + +[Service] +Type=simple +Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}" +ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill {{ matrix_media_repo_identifier }} 2>/dev/null || true' +ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm {{ matrix_media_repo_identifier }} 2>/dev/null || true' + +ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \ + --rm \ + --name={{ matrix_media_repo_identifier }} \ + --log-driver=none \ + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + --cap-drop=ALL \ + --network={{ matrix_docker_network }} \ + --env-file={{ matrix_media_repo_base_path }}/env \ + {% if matrix_media_repo_container_http_host_bind_port %} + -p {{ matrix_media_repo_container_http_host_bind_port }}:{{ matrix_media_repo_port }} \ + {% endif %} + {% if matrix_media_repo_metrics_enabled and matrix_media_repo_container_metrics_host_bind_port %} + -p {{ matrix_media_repo_container_metrics_host_bind_port }}:{{ matrix_media_repo_metrics_port }} \ + {% endif %} + --mount type=bind,src={{ matrix_media_repo_config_path }},dst=/config,ro \ + --mount type=bind,src={{ matrix_media_repo_data_path }},dst=/data \ + --workdir='/data' \ + --entrypoint='media_repo' \ + {% for arg in matrix_media_repo_container_extra_arguments %} + {{ arg }} \ + {% endfor %} + {{ matrix_media_repo_docker_image }} + +{% for network in matrix_media_repo_container_additional_networks %} +ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network 
connect {{ network }} {{ matrix_media_repo_identifier }} +{% endfor %} + +ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach {{ matrix_media_repo_identifier }} + +ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill {{ matrix_media_repo_identifier }} 2>/dev/null || true' +ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm {{ matrix_media_repo_identifier }} 2>/dev/null || true' +ExecReload={{ devture_systemd_docker_base_host_command_docker }} exec {{ matrix_media_repo_identifier }} /bin/sh -c 'kill -HUP 1' +Restart=always +RestartSec=30 +SyslogIdentifier={{ matrix_media_repo_identifier }} + +[Install] +WantedBy=multi-user.target diff --git a/roles/custom/matrix-nginx-proxy/defaults/main.yml b/roles/custom/matrix-nginx-proxy/defaults/main.yml index 8ad11b37..36064480 100644 --- a/roles/custom/matrix-nginx-proxy/defaults/main.yml +++ b/roles/custom/matrix-nginx-proxy/defaults/main.yml @@ -1,7 +1,8 @@ --- # Project source code URL: https://github.com/nginx/nginx matrix_nginx_proxy_enabled: true -matrix_nginx_proxy_version: 1.25.1-alpine +# renovate: datasource=docker depName=nginx +matrix_nginx_proxy_version: 1.25.3-alpine # We use an official nginx image, which we fix-up to run unprivileged. # An alternative would be an `nginxinc/nginx-unprivileged` image, but 
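Review bot: The `docker create` invocation in this new unit's ExecStartPre block leaves the container root filesystem writable, although the only declared writable state is the `/data` bind mount and the config mount is already `ro`. With `--cap-drop=ALL` and `--user` already in place, adding `--read-only \` after `--cap-drop=ALL \` plus `--tmpfs=/tmp:rw,noexec,nosuid \` would close that gap while keeping the S3 upload buffer path that the config template's `tempPath` example points at under `/tmp` usable. I cannot tell from this hunk whether `media_repo` writes anywhere else at runtime, so this should be verified against the image before it is applied.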
@@ -212,6 +213,10 @@ matrix_nginx_proxy_proxy_hydrogen_hostname: "{{ matrix_server_fqn_hydrogen }}" matrix_nginx_proxy_proxy_cinny_enabled: false matrix_nginx_proxy_proxy_cinny_hostname: "{{ matrix_server_fqn_cinny }}" +# Controls whether proxying the schildichat domain should be done. +matrix_nginx_proxy_proxy_schildichat_enabled: false +matrix_nginx_proxy_proxy_schildichat_hostname: "{{ matrix_server_fqn_schildichat }}" + # Controls whether proxying the buscarron domain should be done. matrix_nginx_proxy_proxy_buscarron_enabled: false matrix_nginx_proxy_proxy_buscarron_hostname: "{{ matrix_server_fqn_buscarron }}" @@ -253,6 +258,10 @@ matrix_nginx_proxy_proxy_grafana_hostname: "{{ matrix_server_fqn_grafana }}" matrix_nginx_proxy_proxy_sygnal_enabled: false matrix_nginx_proxy_proxy_sygnal_hostname: "{{ matrix_server_fqn_sygnal }}" +# Controls whether proxying the mautrix wsproxy should be done. +matrix_nginx_proxy_proxy_mautrix_wsproxy_enabled: false +matrix_nginx_proxy_proxy_mautrix_wsproxy_hostname: "{{ matrix_server_fqn_mautrix_wsproxy }}" + # Controls whether proxying the ntfy domain should be done. matrix_nginx_proxy_proxy_ntfy_enabled: false matrix_nginx_proxy_proxy_ntfy_hostname: "{{ matrix_server_fqn_ntfy }}" 
@@ -299,6 +308,7 @@ matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_path: "{{ matrix_nginx_proxy_ # To avoid using this, use `matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_raw_content` instead of supplying username/password. # Learn more in: `roles/custom/matrix-nginx-proxy/tasks/nginx-proxy/setup_metrics_auth.yml`. matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_apache_container_image: "{{ matrix_container_global_registry_prefix }}httpd:{{ matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_apache_container_image_tag }}" +# renovate: datasource=docker depName=httpd matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_apache_container_image_tag: "2.4.54-alpine3.16" matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_apache_container_force_pull: "{{ matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_apache_container_image_tag.endswith(':latest') }}" 
@@ -321,6 +331,12 @@ matrix_nginx_proxy_proxy_matrix_user_directory_search_enabled: false matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_with_container: "matrix-ma1sd:{{ matrix_ma1sd_container_port }}" matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_sans_container: "127.0.0.1:{{ matrix_ma1sd_container_port }}" +# Controls whether the user directory search API will be URL-rewritten (/_matrix/client/v3/user_directory/search -> /_matrix/client/r0/user_directory/search). +# This is to assist identity servers which only handle the r0 endpoints. +# The v3 endpoints are the same (spec-wise), so they can usually be redirected without downsides. +# If this is disabled, API requests will be forwarded as-is, without any URL rewriting. +matrix_nginx_proxy_proxy_matrix_user_directory_search_v3_to_r0_redirect_enabled: true + # Controls whether proxying for 3PID-based registration (`/_matrix/client/r0/register/(email|msisdn)/requestToken`) should be done (on the matrix domain). # This allows another service to control registrations involving 3PIDs. # To learn more, see: https://github.com/ma1uta/ma1sd/blob/master/docs/features/registration.md 
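Review bot: The comment on the new `matrix_nginx_proxy_proxy_matrix_user_directory_search_v3_to_r0_redirect_enabled` variable describes two different mechanisms at once — it says the API is "URL-rewritten", then that the endpoints "can usually be redirected", and the variable name itself says redirect. An internal nginx rewrite is invisible to the client, whereas an HTTP redirect changes the request the client sends, so the comment should name the one the template actually implements; the nginx template is not visible from this hunk. If it is an internal rewrite, `# The v3 endpoints are the same (spec-wise), so they can usually be rewritten internally without downsides.` removes the ambiguity. The same wording is used in the 3PID registration hunk at `@@ -328,11 +344,22 @@`.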
@@ -328,11 +344,22 @@ matrix_nginx_proxy_proxy_matrix_3pid_registration_enabled: false matrix_nginx_proxy_proxy_matrix_3pid_registration_addr_with_container: "matrix-ma1sd:{{ matrix_ma1sd_container_port }}" matrix_nginx_proxy_proxy_matrix_3pid_registration_addr_sans_container: "127.0.0.1:{{ matrix_ma1sd_container_port }}" +# Controls whether the user directory search API will be URL-rewritten (/_matrix/client/v3/register/(email|msisdn)/requestToken -> /_matrix/client/r0/register/(email|msisdn)/requestToken). +# This is to assist identity servers which only handle the r0 endpoints. +# The v3 endpoints are the same (spec-wise), so they can usually be redirected without downsides. +# If this is disabled, API requests will be forwarded as-is, without any URL rewriting. +matrix_nginx_proxy_proxy_matrix_3pid_registration_v3_to_r0_redirect_enabled: true + # Controls whether proxying for the Identity API (`/_matrix/identity`) should be done (on the matrix domain) matrix_nginx_proxy_proxy_matrix_identity_api_enabled: false matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container: "matrix-ma1sd:{{ matrix_ma1sd_container_port }}" matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container: "127.0.0.1:{{ matrix_ma1sd_container_port }}" +# Controls whether proxying for the media repo (`/_matrix/media`) should be done (on the matrix domain) +matrix_nginx_proxy_proxy_media_repo_enabled: false +matrix_nginx_proxy_proxy_media_repo_addr_with_container: "matrix-media-repo:{{ matrix_media_repo_port }}" +matrix_nginx_proxy_proxy_media_repo_addr_sans_container: "127.0.0.1:{{ matrix_media_repo_port }}" + # The addresses where the Matrix Client API is. # Certain extensions (like matrix-corporal) may override this in order to capture all traffic. matrix_nginx_proxy_proxy_matrix_client_api_addr_with_container: "matrix-nginx-proxy:12080" 
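Review bot: The comment above the new `matrix_nginx_proxy_proxy_matrix_3pid_registration_v3_to_r0_redirect_enabled` variable was carried over from the user-directory block and still opens with "Controls whether the user directory search API will be URL-rewritten", even though the paths it lists are the `/register/(email|msisdn)/requestToken` ones. Someone scanning defaults will associate the variable with the wrong endpoint. Suggest `# Controls whether the 3PID registration API will be URL-rewritten (/_matrix/client/v3/register/(email|msisdn)/requestToken -> /_matrix/client/r0/register/(email|msisdn)/requestToken).`.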
@@ -412,6 +439,9 @@ matrix_nginx_proxy_proxy_hydrogen_additional_server_configuration_blocks: [] # A list of strings containing additional configuration blocks to add to Cinny's server configuration (matrix-client-cinny.conf). matrix_nginx_proxy_proxy_cinny_additional_server_configuration_blocks: [] +# A list of strings containing additional configuration blocks to add to schildichat's server configuration (matrix-client-schildichat.conf). +matrix_nginx_proxy_proxy_schildichat_additional_server_configuration_blocks: [] + # A list of strings containing additional configuration blocks to add to buscarron's server configuration (matrix-bot-buscarron.conf). matrix_nginx_proxy_proxy_buscarron_additional_server_configuration_blocks: [] @@ -436,6 +466,9 @@ matrix_nginx_proxy_proxy_grafana_additional_server_configuration_blocks: [] # A list of strings containing additional configuration blocks to add to Sygnal's server configuration (matrix-sygnal.conf). matrix_nginx_proxy_proxy_sygnal_additional_server_configuration_blocks: [] +# A list of strings containing additional configuration blocks to add to mautrix wsproxy server configuration (matrix-mautrix-wsproxy.conf). +matrix_nginx_proxy_proxy_mautrix_wsproxy_additional_server_configuration_blocks: [] + # A list of strings containing additional configuration blocks to add to ntfy's server configuration (matrix-ntfy.conf). matrix_nginx_proxy_proxy_ntfy_additional_server_configuration_blocks: [] 
@@ -689,12 +722,3 @@ matrix_nginx_proxy_proxy_matrix_nginx_status_allowed_addresses: ['{{ ansible_def # http://nginx.org/en/docs/ngx_core_module.html#worker_connections matrix_nginx_proxy_worker_processes: auto matrix_nginx_proxy_worker_connections: 1024 - -# A mapping of JVB server ids to hostname/ipa addresses used to add additional jvb blocks -# to the Jitsi's server configuration (matrix-jitsi.conf) -# Note: avoid using the JVB server id "jvb-1" as this is reserved for the main host. -# Example: -# matrix_nginx_proxy_proxy_jitsi_additional_jvbs: -# jvb-2: 192.168.0.1 -# jvb-3: 192.168.0.2 -matrix_nginx_proxy_proxy_jitsi_additional_jvbs: {} diff --git a/roles/custom/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml b/roles/custom/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml index 1a55e28f..338ada2f 100644 --- a/roles/custom/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml +++ b/roles/custom/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml @@ -115,6 +115,13 @@ mode: 0644 when: matrix_nginx_proxy_proxy_cinny_enabled | bool +- name: Ensure Matrix nginx-proxy configuration for schildichat domain exists + ansible.builtin.template: + src: "{{ role_path }}/templates/nginx/conf.d/matrix-client-schildichat.conf.j2" + dest: "{{ matrix_nginx_proxy_confd_path }}/matrix-client-schildichat.conf" + mode: 0644 + when: matrix_nginx_proxy_proxy_schildichat_enabled | bool + - name: Ensure Matrix nginx-proxy configuration for buscarron domain exists ansible.builtin.template: src: "{{ role_path }}/templates/nginx/conf.d/matrix-bot-buscarron.conf.j2" 
@@ -178,6 +185,13 @@ mode: 0644 when: matrix_nginx_proxy_proxy_ntfy_enabled | bool +- name: Ensure Matrix nginx-proxy configuration for mautrix wsproxy exists + ansible.builtin.template: + src: "{{ role_path }}/templates/nginx/conf.d/matrix-mautrix-wsproxy.conf.j2" + dest: "{{ matrix_nginx_proxy_confd_path }}/matrix-mautrix-wsproxy.conf" + mode: 0644 + when: matrix_nginx_proxy_proxy_mautrix_wsproxy_enabled|bool + - name: Ensure Matrix nginx-proxy configuration for Matrix domain exists ansible.builtin.template: src: "{{ role_path }}/templates/nginx/conf.d/matrix-domain.conf.j2" @@ -274,6 +288,12 @@ state: absent when: "not matrix_nginx_proxy_proxy_element_enabled | bool" +- name: Ensure Matrix nginx-proxy configuration for Schildichat domain deleted + ansible.builtin.file: + path: "{{ matrix_nginx_proxy_confd_path }}/matrix-client-schildichat.conf" + state: absent + when: "not matrix_nginx_proxy_proxy_schildichat_enabled | bool" + - name: Ensure Matrix nginx-proxy configuration for Hydrogen domain deleted ansible.builtin.file: path: "{{ matrix_nginx_proxy_confd_path }}/matrix-client-hydrogen.conf" @@ -334,6 +354,12 @@ state: absent when: "not matrix_nginx_proxy_proxy_ntfy_enabled | bool" +- name: Ensure Matrix nginx-proxy configuration for mautrix wsproxy deleted + ansible.builtin.file: + path: "{{ matrix_nginx_proxy_confd_path }}/matrix-mautrix-wsproxy.conf" + state: absent + when: "not matrix_nginx_proxy_proxy_mautrix_wsproxy_enabled|bool" + - name: Ensure Matrix nginx-proxy configuration for etherpad domain deleted ansible.builtin.file: path: "{{ matrix_nginx_proxy_confd_path }}/matrix-etherpad.conf" diff --git a/roles/custom/matrix-nginx-proxy/tasks/validate_config.yml b/roles/custom/matrix-nginx-proxy/tasks/validate_config.yml index 8d63876a..6f96ec78 100644 --- a/roles/custom/matrix-nginx-proxy/tasks/validate_config.yml +++ b/roles/custom/matrix-nginx-proxy/tasks/validate_config.yml 
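Review bot: The `when:` conditions on the two new mautrix wsproxy tasks are written `matrix_nginx_proxy_proxy_mautrix_wsproxy_enabled|bool`, while every neighbouring task in the same hunks (ntfy, Matrix domain, Schildichat, etherpad) spaces the filter as `| bool`; a single form keeps a grep for enable-flags reliable and matches what ansible-lint's formatting expects. Suggest `when: matrix_nginx_proxy_proxy_mautrix_wsproxy_enabled | bool` in the first hunk and `when: "not matrix_nginx_proxy_proxy_mautrix_wsproxy_enabled | bool"` in the third hunk on this line.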
@@ -16,6 +16,7 @@ - {'old': 'matrix_nginx_proxy_reload_cron_time_definition', 'new': ''} - {'old': 'matrix_nginx_proxy_container_labels_traefik_proxy_matrix_rule', 'new': ''} - {'old': 'matrix_nginx_proxy_container_labels_traefik_proxy_matrix_hostname', 'new': ''} + - {'old': 'matrix_nginx_proxy_proxy_jitsi_additional_jvbs', 'new': ''} - name: Fail on unknown matrix_ssl_retrieval_method ansible.builtin.fail: diff --git a/roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-schildichat.conf.j2 b/roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-schildichat.conf.j2 new file mode 100644 index 00000000..4919eb9e --- /dev/null +++ b/roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-schildichat.conf.j2 
@@ -0,0 +1,106 @@ +#jinja2: lstrip_blocks: "True" + +{% macro render_vhost_directives() %} + gzip on; + gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif; + + {% if matrix_nginx_proxy_hsts_preload_enabled %} + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; + {% else %} + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + {% endif %} + add_header X-Content-Type-Options nosniff; + add_header X-XSS-Protection "{{ matrix_nginx_proxy_xss_protection }}"; + add_header X-Frame-Options SAMEORIGIN; + add_header Content-Security-Policy "frame-ancestors 'self'"; + + {% if matrix_nginx_proxy_floc_optout_enabled %} + add_header Permissions-Policy interest-cohort=() always; + {% endif %} + + + {% for configuration_block in matrix_nginx_proxy_proxy_schildichat_additional_server_configuration_blocks %} + {{- configuration_block }} + {% endfor %} + + location / { + {% if matrix_nginx_proxy_enabled %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver {{ matrix_nginx_proxy_http_level_resolver }} valid=5s; + set $backend "matrix-client-schildichat:8080"; + proxy_pass http://$backend; + {% else %} + {# Generic configuration for use outside of our container setup #} + proxy_pass http://127.0.0.1:8765; + {% endif %} + + proxy_set_header Host $host; + proxy_set_header X-Forwarded-For {{ matrix_nginx_proxy_x_forwarded_for }}; + } +{% endmacro %} + +server { + listen {{ 8080 if matrix_nginx_proxy_enabled else 80 }}; + listen [::]:{{ 8080 if matrix_nginx_proxy_enabled else 80 }}; + + + server_name {{ matrix_nginx_proxy_proxy_schildichat_hostname }}; + + server_tokens off; + root /dev/null; + + {% if matrix_nginx_proxy_https_enabled %} + location /.well-known/acme-challenge { + {% if matrix_nginx_proxy_enabled %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver {{ 
matrix_nginx_proxy_http_level_resolver }} valid=5s; + set $backend "matrix-certbot:8080"; + proxy_pass http://$backend; + {% else %} + {# Generic configuration for use outside of our container setup #} + proxy_pass http://127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}; + {% endif %} + } + + location / { + return 301 https://$http_host$request_uri; + } + {% else %} + {{ render_vhost_directives() }} + {% endif %} +} + +{% if matrix_nginx_proxy_https_enabled %} +server { + listen {{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2; + listen [::]:{{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2; + + server_name {{ matrix_nginx_proxy_proxy_schildichat_hostname }}; + + server_tokens off; + root /dev/null; + + ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_schildichat_hostname }}/fullchain.pem; + ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_schildichat_hostname }}/privkey.pem; + + ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; + {% if matrix_nginx_proxy_ssl_ciphers != "" %} + ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }}; + {% endif %} + ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; + + {% if matrix_nginx_proxy_ocsp_stapling_enabled %} + ssl_stapling on; + ssl_stapling_verify on; + ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_schildichat_hostname }}/chain.pem; + {% endif %} + + {% if matrix_nginx_proxy_ssl_session_tickets_off %} + ssl_session_tickets off; + {% endif %} + ssl_session_cache {{ matrix_nginx_proxy_ssl_session_cache }}; + ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }}; + + {{ render_vhost_directives() }} +} +{% endif %} diff --git a/roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 b/roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 index 63d45bc6..d28cbf15 100644 
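Review bot: The backend for the schildichat vhost is hard-coded in the `location /` block of `render_vhost_directives` (`set $backend "matrix-client-schildichat:8080";` and `proxy_pass http://127.0.0.1:8765;`), whereas the rest of this role exposes the upstream through a `_addr_with_container` / `_addr_sans_container` pair (see the media-repo defaults added in this same commit). An operator running without the container network cannot change the `127.0.0.1:8765` target short of overriding the whole template, and the two literals cannot be validated against the client role's actual port from here. Suggest driving both lines from defaults, e.g. a pair named along the lines of `matrix_nginx_proxy_proxy_schildichat_addr_with_container` / `..._addr_sans_container` (name chosen to match the existing convention; confirm the ports against the schildichat role).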
--- a/roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 +++ b/roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 
@@ -94,14 +94,110 @@ } {% endif %} + {% if matrix_nginx_proxy_proxy_media_repo_enabled %} + # Redirect all media endpoints to the media-repo + location ^~ /_matrix/media { + {% if matrix_nginx_proxy_enabled %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver {{ matrix_nginx_proxy_http_level_resolver }} valid=5s; + set $backend "{{ matrix_nginx_proxy_proxy_media_repo_addr_with_container }}"; + proxy_pass http://$backend; + {% else %} + {# Generic configuration for use outside of our container setup #} + proxy_pass http://{{ matrix_nginx_proxy_proxy_media_repo_addr_sans_container }}; + {% endif %} + + # Make sure this matches your homeserver in media-repo.yaml + # You may have to manually specify it if using delegation or the + # incoming Host doesn't match. + proxy_set_header Host $host; + + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $remote_addr; + } + + # Redirect other endpoints registered by the media-repo to its container + # /_matrix/client/r0/logout + # /_matrix/client/r0/logout/all + location ~ ^/_matrix/client/(r0|v1|v3|unstable)/(logout|logout/all) { + {% if matrix_nginx_proxy_enabled %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver {{ matrix_nginx_proxy_http_level_resolver }} valid=5s; + set $backend "{{ matrix_nginx_proxy_proxy_media_repo_addr_with_container }}"; + proxy_pass http://$backend; + {% else %} + {# Generic configuration for use outside of our container setup #} + proxy_pass http://{{ matrix_nginx_proxy_proxy_media_repo_addr_sans_container }}; + {% endif %} + + # Make sure this matches your homeserver in media-repo.yaml + # You may have to manually specify it if using delegation or the + # incoming Host doesn't match. 
+ proxy_set_header Host $host; + + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $remote_addr; + } + + # Redirect other endpoints registered by the media-repo to its container + # /_matrix/client/r0/admin/purge_media_cache + # /_matrix/client/r0/admin/quarantine_media/{roomId:[^/]+} + location ~ ^/_matrix/client/(r0|v1|v3|unstable)/admin/(purge_media_cache|quarantine_media/.*) { + {% if matrix_nginx_proxy_enabled %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver {{ matrix_nginx_proxy_http_level_resolver }} valid=5s; + set $backend "{{ matrix_nginx_proxy_proxy_media_repo_addr_with_container }}"; + proxy_pass http://$backend; + {% else %} + {# Generic configuration for use outside of our container setup #} + proxy_pass http://{{ matrix_nginx_proxy_proxy_media_repo_addr_sans_container }}; + {% endif %} + + # Make sure this matches your homeserver in media-repo.yaml + # You may have to manually specify it if using delegation or the + # incoming Host doesn't match. + proxy_set_header Host $host; + + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $remote_addr; + } + + # Redirect other endpoints registered by the media-repo to its container + location ^~ /_matrix/client/unstable/io.t2bot.media { + {% if matrix_nginx_proxy_enabled %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver {{ matrix_nginx_proxy_http_level_resolver }} valid=5s; + set $backend "{{ matrix_nginx_proxy_proxy_media_repo_addr_with_container }}"; + proxy_pass http://$backend; + {% else %} + {# Generic configuration for use outside of our container setup #} + proxy_pass http://{{ matrix_nginx_proxy_proxy_media_repo_addr_sans_container }}; + {% endif %} + + # Make sure this matches your homeserver in media-repo.yaml + # You may have to manually specify it if using delegation or the + # incoming Host doesn't match. 
+ proxy_set_header Host $host; + + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $remote_addr; + } + {% endif %} + {% if matrix_nginx_proxy_proxy_matrix_user_directory_search_enabled %} - location ^~ /_matrix/client/r0/user_directory/search { + location ~ ^/_matrix/client/(r0|v3)/user_directory/search { {% if matrix_nginx_proxy_enabled %} {# Use the embedded DNS resolver in Docker containers to discover the service #} resolver {{ matrix_nginx_proxy_http_level_resolver }} valid=5s; set $backend "{{ matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_with_container }}"; + {% if matrix_nginx_proxy_proxy_matrix_user_directory_search_v3_to_r0_redirect_enabled %} + rewrite ^(.*?)/v3/(.*?)$ $1/r0/$2 break; + {% endif %} proxy_pass http://$backend; {% else %} + {% if matrix_nginx_proxy_proxy_matrix_user_directory_search_v3_to_r0_redirect_enabled %} + rewrite ^(.*?)/v3/(.*?)$ $1/r0/$2 break; + {% endif %} {# Generic configuration for use outside of our container setup #} proxy_pass http://{{ matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_sans_container }}; {% endif %} 
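Review bot: All four new media-repo `location` blocks set `proxy_set_header X-Forwarded-For $remote_addr;`, while the other vhost templates in this role (jitsi and the new schildichat template in this same diff) pass `{{ matrix_nginx_proxy_x_forwarded_for }}`; when nginx itself sits behind another proxy, media-repo's logs and any client-address based limits will see the upstream proxy rather than the client. Suggest `proxy_set_header X-Forwarded-For {{ matrix_nginx_proxy_x_forwarded_for }};` in each block for consistency with the rest of the file. Two smaller points: the regex `^/_matrix/client/(r0|v1|v3|unstable)/(logout|logout/all)` has no trailing `$`, so the `logout/all` alternative is redundant (the `logout` prefix already matches it) and any longer path under that prefix is also routed to media-repo; and the comments say "Redirect" where the block proxies, so `# Proxy all media endpoints to the media-repo` would describe the behaviour. The enclosing `server` block starts and ends outside this hunk.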
@@ -112,13 +208,19 @@ {% endif %} {% if matrix_nginx_proxy_proxy_matrix_3pid_registration_enabled %} - location ~ ^/_matrix/client/r0/register/(email|msisdn)/requestToken$ { + location ~ ^/_matrix/client/(r0|v3)/register/(email|msisdn)/requestToken$ { {% if matrix_nginx_proxy_enabled %} {# Use the embedded DNS resolver in Docker containers to discover the service #} resolver {{ matrix_nginx_proxy_http_level_resolver }} valid=5s; set $backend "{{ matrix_nginx_proxy_proxy_matrix_3pid_registration_addr_with_container }}"; + {% if matrix_nginx_proxy_proxy_matrix_3pid_registration_v3_to_r0_redirect_enabled %} + rewrite ^(.*?)/v3/(.*?)$ $1/r0/$2 break; + {% endif %} proxy_pass http://$backend; {% else %} + {% if matrix_nginx_proxy_proxy_matrix_3pid_registration_v3_to_r0_redirect_enabled %} + rewrite ^(.*?)/v3/(.*?)$ $1/r0/$2 break; + {% endif %} {# Generic configuration for use outside of our container setup #} proxy_pass http://{{ matrix_nginx_proxy_proxy_matrix_3pid_registration_addr_sans_container }}; {% endif %} diff --git a/roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 b/roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 index 5493c2b0..f745f866 100644 --- a/roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 +++ b/roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 
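Review bot: The new `rewrite ^(.*?)/v3/(.*?)$ $1/r0/$2 break;` in the container branch sits after `set $backend "..."`, and that order is load-bearing: `break` stops processing of further ngx_http_rewrite_module directives in the location, and `set` is one of them, so moving the rewrite above `set` (the obvious way to deduplicate the two identical `{% if ... %}` blocks in the two branches) would leave `$backend` empty and the `proxy_pass http://$backend;` failing. Nothing in the hunk records this, so a template comment such as `{# 'break' also stops later rewrite-module directives (set), so this must stay below 'set $backend' #}` above the container-branch rewrite would protect the next refactor. The same applies to the user_directory/search hunk immediately above on L315. The `location` blocks continue outside this hunk.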
@@ -53,10 +53,10 @@ tcp_nodelay on; } - {% for id, ip_address in matrix_nginx_proxy_proxy_jitsi_additional_jvbs.items() %} + {% for host in groups['jitsi_jvb_servers'] | default([]) %} # colibri (JVB) websockets for additional JVBs - location ~ ^/colibri-ws/{{ id | regex_escape }}/(.*) { - proxy_pass http://{{ ip_address }}:9090/colibri-ws/{{ id }}/$1$is_args$args; + location ~ ^/colibri-ws/{{ hostvars[host]['jitsi_jvb_server_id'] | regex_escape }}/(.*) { + proxy_pass http://{{ host }}:9090/colibri-ws/{{ hostvars[host]['jitsi_jvb_server_id'] }}/$1$is_args$args; proxy_set_header Host $host; proxy_set_header X-Forwarded-For {{ matrix_nginx_proxy_x_forwarded_for }}; diff --git a/roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-mautrix-wsproxy.conf.j2 b/roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-mautrix-wsproxy.conf.j2 new file mode 100644 index 00000000..47e4c432 --- /dev/null +++ b/roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-mautrix-wsproxy.conf.j2 
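Review bot: `proxy_pass http://{{ host }}:9090/...` uses the inventory hostname as the upstream address; for inventories that use aliases with `ansible_host`, the alias is not necessarily resolvable from the nginx container, so something like `hostvars[host]['ansible_host'] | default(host)` is the safer value (whether the project uses such aliases cannot be told from this hunk). `hostvars[host]['jitsi_jvb_server_id']` is also read twice without a default, so a host in `jitsi_jvb_servers` that lacks the variable fails template rendering with a generic undefined-variable error; a check in validate_config.yml or `| mandatory` with a message would name the offending host. The `for` loop and its `location` block close outside the hunk.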
@@ -0,0 +1,110 @@ +#jinja2: lstrip_blocks: "True" + +{% macro render_vhost_directives() %} + gzip on; + gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif; + + {% if matrix_nginx_proxy_hsts_preload_enabled %} + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; + {% else %} + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + {% endif %} + add_header X-Content-Type-Options nosniff; + add_header X-XSS-Protection "{{ matrix_nginx_proxy_xss_protection }}"; + add_header X-Frame-Options SAMEORIGIN; + + {% if matrix_nginx_proxy_floc_optout_enabled %} + add_header Permissions-Policy interest-cohort=() always; + {% endif %} + + + {% for configuration_block in matrix_nginx_proxy_proxy_mautrix_wsproxy_additional_server_configuration_blocks %} + {{- configuration_block }} + {% endfor %} + + location / { + {% if matrix_nginx_proxy_enabled %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver 127.0.0.11 valid=5s; + set $backend "wsproxy:29331"; + proxy_pass http://$backend; + {% else %} + {# Generic configuration for use outside of our container setup #} + proxy_pass http://127.0.0.1:29331; + {% endif %} + + proxy_set_header Host $host; + proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + proxy_http_version 1.1; + proxy_send_timeout 1d; + proxy_read_timeout 1d; + + tcp_nodelay on; + } +{% endmacro %} + +server { + listen {{ 8080 if matrix_nginx_proxy_enabled else 80 }}; + + server_name {{ matrix_nginx_proxy_proxy_mautrix_wsproxy_hostname }}; + + server_tokens off; + root /dev/null; + + {% if matrix_nginx_proxy_https_enabled %} + location /.well-known/acme-challenge { + {% if matrix_nginx_proxy_enabled %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver 127.0.0.11 valid=5s; + set $backend 
"matrix-certbot:8080"; + proxy_pass http://$backend; + {% else %} + {# Generic configuration for use outside of our container setup #} + proxy_pass http://127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}; + {% endif %} + } + + location / { + return 301 https://$http_host$request_uri; + } + {% else %} + {{ render_vhost_directives() }} + {% endif %} +} + +{% if matrix_nginx_proxy_https_enabled %} +server { + listen {{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2; + listen [::]:{{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2; + + server_name {{ matrix_nginx_proxy_proxy_mautrix_wsproxy_hostname }}; + + server_tokens off; + root /dev/null; + + ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_mautrix_wsproxy_hostname }}/fullchain.pem; + ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_mautrix_wsproxy_hostname }}/privkey.pem; + + ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; + {% if matrix_nginx_proxy_ssl_ciphers != "" %} + ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }}; + {% endif %} + ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; + + {% if matrix_nginx_proxy_ocsp_stapling_enabled %} + ssl_stapling on; + ssl_stapling_verify on; + ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_mautrix_wsproxy_hostname }}/chain.pem; + {% endif %} + + {% if matrix_nginx_proxy_ssl_session_tickets_off %} + ssl_session_tickets off; + {% endif %} + ssl_session_cache {{ matrix_nginx_proxy_ssl_session_cache }}; + ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }}; + + {{ render_vhost_directives() }} +} +{% endif %} diff --git a/roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-ntfy.conf.j2 b/roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-ntfy.conf.j2 index 7d5c8a0e..fbae47e1 100644 --- a/roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-ntfy.conf.j2 
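Review bot: Both resolver lines in this template (`render_vhost_directives` and the `/.well-known/acme-challenge` location) hard-code `resolver 127.0.0.11 valid=5s;`, while the schildichat, matrix-domain and ntfy templates in this same diff use `resolver {{ matrix_nginx_proxy_http_level_resolver }} valid=5s;`; an operator who overrides the resolver (non-Docker runtime, custom DNS) gets it everywhere but here. Suggest `resolver {{ matrix_nginx_proxy_http_level_resolver }} valid=5s;` in both places. The plain-HTTP `server` block also has only `listen {{ 8080 if matrix_nginx_proxy_enabled else 80 }};`, whereas its HTTPS sibling below and the schildichat template add an IPv6 listener; unless intentional, add `listen [::]:{{ 8080 if matrix_nginx_proxy_enabled else 80 }};`. `X-Forwarded-For $remote_addr` here has the same inconsistency as the media-repo blocks (the role's other templates pass `{{ matrix_nginx_proxy_x_forwarded_for }}`).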
+++ b/roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-ntfy.conf.j2 @@ -21,7 +21,7 @@ {% if matrix_nginx_proxy_enabled %} {# Use the embedded DNS resolver in Docker containers to discover the service #} resolver {{ matrix_nginx_proxy_http_level_resolver }} valid=5s; - set $backend "matrix-ntfy:80"; + set $backend "matrix-ntfy:8080"; proxy_pass http://$backend; {% else %} {# Generic configuration for use outside of our container setup #} diff --git a/roles/custom/matrix-prometheus-nginxlog-exporter/defaults/main.yml b/roles/custom/matrix-prometheus-nginxlog-exporter/defaults/main.yml index 806c751c..5f83a6bf 100644 --- a/roles/custom/matrix-prometheus-nginxlog-exporter/defaults/main.yml +++ b/roles/custom/matrix-prometheus-nginxlog-exporter/defaults/main.yml @@ -3,6 +3,7 @@ # See: https://github.com/martin-helmich/prometheus-nginxlog-exporter/ matrix_prometheus_nginxlog_exporter_enabled: true +# renovate: datasource=docker depName=ghcr.io/martin-helmich/prometheus-nginxlog-exporter/exporter matrix_prometheus_nginxlog_exporter_version: v1.10.0 matrix_prometheus_nginxlog_exporter_container_hostname: 'matrix-prometheus-nginxlog-exporter' diff --git a/roles/custom/matrix-prometheus-services-connect/defaults/main.yml b/roles/custom/matrix-prometheus-services-connect/defaults/main.yml index 748f88c5..f06d8da4 100644 --- a/roles/custom/matrix-prometheus-services-connect/defaults/main.yml +++ b/roles/custom/matrix-prometheus-services-connect/defaults/main.yml 
@@ -142,3 +142,23 @@ matrix_prometheus_services_connect_scraper_nginxlog_scrape_configs: | 'static_configs': matrix_prometheus_services_connect_scraper_nginxlog_static_configs, }] }} + +# Controls whether media-repo shall be scraped +matrix_prometheus_services_connect_scraper_media_repo_enabled: false +matrix_prometheus_services_connect_scraper_media_repo_job_name: media-repo +matrix_prometheus_services_connect_scraper_media_repo_metrics_path: /metrics +matrix_prometheus_services_connect_scraper_media_repo_scrape_interval: 15s +matrix_prometheus_services_connect_scraper_media_repo_scrape_timeout: 15s +matrix_prometheus_services_connect_scraper_media_repo_static_configs: "{{ [{'targets': [matrix_prometheus_services_connect_scraper_media_repo_static_configs_target]}] }}" +matrix_prometheus_services_connect_scraper_media_repo_static_configs_target: '' +# The final scrape config for the media-repo scraper +matrix_prometheus_services_connect_scraper_media_repo_scrape_configs: | + {{ + [{ + 'job_name': matrix_prometheus_services_connect_scraper_media_repo_job_name, + 'metrics_path': matrix_prometheus_services_connect_scraper_media_repo_metrics_path, + 'scrape_interval': matrix_prometheus_services_connect_scraper_media_repo_scrape_interval, + 'scrape_timeout': matrix_prometheus_services_connect_scraper_media_repo_scrape_timeout, + 'static_configs': matrix_prometheus_services_connect_scraper_media_repo_static_configs, + }] + }} diff --git a/roles/custom/matrix-rageshake/defaults/main.yml b/roles/custom/matrix-rageshake/defaults/main.yml index 8cc2f905..bb2e45a1 100644 --- a/roles/custom/matrix-rageshake/defaults/main.yml +++ b/roles/custom/matrix-rageshake/defaults/main.yml 
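Review bot: `matrix_prometheus_services_connect_scraper_media_repo_static_configs_target: ''` defaults to an empty string, so enabling the scraper without setting it renders `static_configs: [{'targets': ['']}]`, which Prometheus accepts and then reports as a permanently failing target rather than a configuration error; nothing in this hunk guards that (a validate_config check elsewhere may, I cannot see one). A comment on the variable would at least make the requirement visible, e.g. `# host:port of the media-repo metrics endpoint. Required when the scraper is enabled.`, and a `fail` task asserting it is non-empty when `..._media_repo_enabled` is true would turn the silent misconfiguration into a loud one.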
@@ -16,7 +16,8 @@ matrix_rageshake_path_prefix: / # There are no stable container image tags yet. # See: https://github.com/matrix-org/rageshake/issues/69 -matrix_rageshake_version: 1.9.0 +# renovate: datasource=docker depName=ghcr.io/matrix-org/rageshake +matrix_rageshake_version: 1.11.0 matrix_rageshake_base_path: "{{ matrix_base_data_path }}/rageshake" matrix_rageshake_config_path: "{{ matrix_rageshake_base_path }}/config" diff --git a/roles/custom/matrix-registration/defaults/main.yml b/roles/custom/matrix-registration/defaults/main.yml index c7a45fad..b775cb11 100644 --- a/roles/custom/matrix-registration/defaults/main.yml +++ b/roles/custom/matrix-registration/defaults/main.yml @@ -18,6 +18,7 @@ matrix_registration_config_path: "{{ matrix_registration_base_path }}/config" matrix_registration_data_path: "{{ matrix_registration_base_path }}/data" matrix_registration_docker_src_files_path: "{{ matrix_registration_base_path }}/docker-src" +# renovate: datasource=docker depName=zeratax/matrix-registration matrix_registration_version: "v0.7.2" matrix_registration_docker_image: "{{ matrix_registration_docker_image_name_prefix }}zeratax/matrix-registration:{{ matrix_registration_version }}" diff --git a/roles/custom/matrix-sliding-sync/defaults/main.yml b/roles/custom/matrix-sliding-sync/defaults/main.yml index fa6e65a4..f7ebdee8 100644 --- a/roles/custom/matrix-sliding-sync/defaults/main.yml +++ b/roles/custom/matrix-sliding-sync/defaults/main.yml @@ -1,10 +1,12 @@ --- # Sliding Sync Proxy is an implementation of MSC3575 for the new sliding sync +# Project source code URL: https://github.com/matrix-org/sliding-sync matrix_sliding_sync_enabled: true -matrix_sliding_sync_version: v0.99.1 +# renovate: datasource=docker depName=ghcr.io/matrix-org/sliding-sync +matrix_sliding_sync_version: v0.99.12 matrix_sliding_sync_scheme: https 
@@ -76,16 +78,20 @@ matrix_sliding_sync_systemd_required_services_list: ["docker.service"]
 matrix_sliding_sync_systemd_wanted_services_list: []
 
 # Controls the SYNCV3_SERVER environment variable
-matrix_sliding_sync_environment_variable_syncv3_server: "{{ matrix_homeserver_url }}"
+matrix_sliding_sync_environment_variable_syncv3_server: "{{ matrix_homeserver_container_url }}"
 
 # Controls the SYNCV3_SECRET environment variable
 matrix_sliding_sync_environment_variable_syncv3_secret: ''
 
 # Controls the SYNCV3_DB environment variable
-matrix_sliding_sync_environment_variable_syncv3_db: 'user={{ matrix_sliding_sync_database_username }} password={{ matrix_sliding_sync_database_password }} host={{ matrix_sliding_sync_database_hostname }} port={{ matrix_sliding_sync_database_port }} dbname={{ matrix_sliding_sync_database_name }} sslmode=disable'
+matrix_sliding_sync_environment_variable_syncv3_db: 'user={{ matrix_sliding_sync_database_username }} password={{ matrix_sliding_sync_database_password }} host={{ matrix_sliding_sync_database_hostname }} port={{ matrix_sliding_sync_database_port }} dbname={{ matrix_sliding_sync_database_name }} sslmode={{ matrix_sliding_sync_database_sslmode }}'
+
+# Additional environment variables.
+matrix_sliding_sync_environment_variables_additional_variables: ''
 
 matrix_sliding_sync_database_username: 'matrix_sliding_sync'
 matrix_sliding_sync_database_password: ''
 matrix_sliding_sync_database_hostname: ''
 matrix_sliding_sync_database_port: 5432
 matrix_sliding_sync_database_name: 'matrix_sliding_sync'
+matrix_sliding_sync_database_sslmode: disable
diff --git a/roles/custom/matrix-sliding-sync/templates/env.j2 b/roles/custom/matrix-sliding-sync/templates/env.j2
index 1269bd2a..5d800a1b 100644
--- a/roles/custom/matrix-sliding-sync/templates/env.j2
+++ b/roles/custom/matrix-sliding-sync/templates/env.j2
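Review bot: `matrix_sliding_sync_database_sslmode: disable` is the only variable in the hunk without a comment, and it is the one with a security consequence: it is interpolated straight into the Postgres connection string as `sslmode=`, so the default keeps the connection (credentials and sync data) in plaintext, which is fine on the local container network but not once `matrix_sliding_sync_database_hostname` points elsewhere. Suggest `# Postgres sslmode for the connection string (disable, require, verify-ca, verify-full). The default suits the local container network; use require or stronger for a remote database.` Likewise `# Additional environment variables.` understates what the env.j2 hunk below does with the value — it is appended verbatim — so `# Additional environment variables, appended verbatim to the env file (one KEY=value per line).` tells operators both the format and that anything placed here lands in that file.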
@@ -2,3 +2,5 @@ SYNCV3_SERVER={{ matrix_sliding_sync_environment_variable_syncv3_server }}
 SYNCV3_SECRET={{ matrix_sliding_sync_environment_variable_syncv3_secret }}
 SYNCV3_BINDADDR=:8008
 SYNCV3_DB={{ matrix_sliding_sync_environment_variable_syncv3_db }}
+
+{{ matrix_sliding_sync_environment_variables_additional_variables }}
diff --git a/roles/custom/matrix-sygnal/defaults/main.yml b/roles/custom/matrix-sygnal/defaults/main.yml
index f3c1df4e..7c7d8261 100644
--- a/roles/custom/matrix-sygnal/defaults/main.yml
+++ b/roles/custom/matrix-sygnal/defaults/main.yml
@@ -12,7 +12,8 @@ matrix_sygnal_hostname: ''
 # This value must either be `/` or not end with a slash (e.g. `/sygnal`).
 matrix_sygnal_path_prefix: /
 
-matrix_sygnal_version: v0.12.0
+# renovate: datasource=docker depName=matrixdotorg/sygnal
+matrix_sygnal_version: v0.13.0
 
 matrix_sygnal_base_path: "{{ matrix_base_data_path }}/sygnal"
 matrix_sygnal_config_path: "{{ matrix_sygnal_base_path }}/config"
diff --git a/roles/custom/matrix-synapse-admin/defaults/main.yml b/roles/custom/matrix-synapse-admin/defaults/main.yml
index ae912f71..dd1bd817 100644
--- a/roles/custom/matrix-synapse-admin/defaults/main.yml
+++ b/roles/custom/matrix-synapse-admin/defaults/main.yml
@@ -14,6 +14,7 @@ matrix_synapse_admin_nginx_proxy_integration_enabled: false
 matrix_synapse_admin_container_image_self_build: false
 matrix_synapse_admin_container_image_self_build_repo: "https://github.com/Awesome-Technologies/synapse-admin.git"
 
+# renovate: datasource=docker depName=awesometechnologies/synapse-admin
 matrix_synapse_admin_version: 0.8.7
 matrix_synapse_admin_docker_image: "{{ matrix_synapse_admin_docker_image_name_prefix }}awesometechnologies/synapse-admin:{{ matrix_synapse_admin_version }}"
 matrix_synapse_admin_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_admin_container_image_self_build else matrix_container_global_registry_prefix }}"
diff --git a/roles/custom/matrix-synapse-auto-compressor/defaults/main.yml b/roles/custom/matrix-synapse-auto-compressor/defaults/main.yml index 7b5ea54d..9b5bf093 100644 --- a/roles/custom/matrix-synapse-auto-compressor/defaults/main.yml +++ b/roles/custom/matrix-synapse-auto-compressor/defaults/main.yml @@ -5,6 +5,7 @@ matrix_synapse_auto_compressor_enabled: true +# renovate: datasource=docker depName=registry.gitlab.com/etke.cc/rust-synapse-compress-state matrix_synapse_auto_compressor_version: v0.1.3 matrix_synapse_auto_compressor_base_path: "{{ matrix_base_data_path }}/synapse-auto-compressor" diff --git a/roles/custom/matrix-synapse-reverse-proxy-companion/defaults/main.yml b/roles/custom/matrix-synapse-reverse-proxy-companion/defaults/main.yml index 048ded6b..5cd68f2a 100644 --- a/roles/custom/matrix-synapse-reverse-proxy-companion/defaults/main.yml +++ b/roles/custom/matrix-synapse-reverse-proxy-companion/defaults/main.yml @@ -25,7 +25,8 @@ matrix_synapse_reverse_proxy_companion_enabled: true -matrix_synapse_reverse_proxy_companion_version: 1.25.1-alpine +# renovate: datasource=docker depName=nginx +matrix_synapse_reverse_proxy_companion_version: 1.25.3-alpine matrix_synapse_reverse_proxy_companion_base_path: "{{ matrix_synapse_base_path }}/reverse-proxy-companion" matrix_synapse_reverse_proxy_companion_confd_path: "{{ matrix_synapse_reverse_proxy_companion_base_path }}/conf.d" diff --git a/roles/custom/matrix-synapse/defaults/main.yml b/roles/custom/matrix-synapse/defaults/main.yml index 768c7159..8c0f444b 100644 --- a/roles/custom/matrix-synapse/defaults/main.yml +++ b/roles/custom/matrix-synapse/defaults/main.yml @@ -4,7 +4,8 @@ matrix_synapse_enabled: true -matrix_synapse_version: v1.87.0 +# renovate: datasource=docker depName=matrixdotorg/synapse +matrix_synapse_version: v1.97.0 matrix_synapse_username: '' matrix_synapse_uid: '' 
@@ -311,8 +312,13 @@ matrix_synapse_presence_enabled: true
 matrix_synapse_allow_public_rooms_without_auth: false
 
 # Controls whether remote servers can fetch this server's public rooms directory via federation.
-# For private servers, you most likely wish to forbid it.
-matrix_synapse_allow_public_rooms_over_federation: false
+# The upstream default is `false`, but we try to make Matrix federation more useful.
+#
+# For private servers, you may wish to forbid it to align yourself with upstream defaults.
+# However, disabling federation completely (see `matrix_synapse_federation_enabled`) is a better way to make your server private,
+# instead of relying on security-by-obscurity -- federating with others, having your public rooms joinable by anyone,
+# but hiding them and thinking you've secured them.
+matrix_synapse_allow_public_rooms_over_federation: true
 
 # Whether to require authentication to retrieve profile data (avatars,
 # display names) of other users through the client API. Defaults to
@@ -425,6 +431,9 @@ matrix_synapse_federation_port_openid_resource_required: false
 # result, it's better to accomplish it by changing `matrix_synapse_federation_enabled`.
 matrix_synapse_federation_domain_whitelist: ~
 
+# Enable/disable OpenID Connect
+matrix_synapse_oidc_enabled: false
+# List of OpenID Connect providers, ref: https://matrix-org.github.io/synapse/latest/openid.html#sample-configs
+matrix_synapse_oidc_providers: []
+
 # A list of additional "volumes" to mount in the container.
 # This list gets populated dynamically based on Synapse extensions that have been enabled.
 # Contains definition objects like this: `{"src": "/outside", "dst": "/inside", "options": "rw|ro|slave|.."}
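Review bot: Flipping `matrix_synapse_allow_public_rooms_over_federation` from `false` to `true` changes behaviour for every existing deployment that never set the variable: on the next run their public room directory becomes listable by any federating server, and nothing in the comment tells such operators how to keep what they had. Suggest closing the comment block with `# To keep the previous behaviour, set this to false in your vars.yml.` and, if the CHANGELOG change in this commit does not already do so, an upgrade note calling out the new default. In the second hunk, `matrix_synapse_oidc_providers: []` is where `client_secret` values will live once populated; a one-line comment such as `# Provider entries usually contain a client_secret; keep this list in vault-encrypted vars.` would steer operators away from committing it in the clear.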
@@ -438,7 +449,24 @@ matrix_synapse_container_additional_volumes: [] # A list of additional loggers to register in synapse.log.config. # This list gets populated dynamically based on Synapse extensions that have been enabled. # Contains definition objects like this: `{"name": "..", "level": "DEBUG"} -matrix_synapse_additional_loggers: [] +matrix_synapse_additional_loggers: "{{ matrix_synapse_additional_loggers_auto + matrix_synapse_additional_loggers_custom }}" + +matrix_synapse_additional_loggers_auto: + # By default, we're disabling some useless (and even toxic) spammy WARNING-level logs. + # Related to: + # - https://github.com/matrix-org/synapse/issues/16208 + # - https://github.com/matrix-org/synapse/issues/16101 + # - https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/2853 + - name: synapse.http.matrixfederationclient + level: CRITICAL + - name: synapse.federation.sender.per_destination_queue + level: CRITICAL + - name: synapse.handlers.device + level: CRITICAL + - name: synapse.replication.tcp.handler + level: CRITICAL + +matrix_synapse_additional_loggers_custom: [] # A list of appservice config files (in-container filesystem paths). # This list gets populated dynamically based on Synapse extensions that have been enabled. 
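Review bot: Setting `synapse.http.matrixfederationclient`, `synapse.federation.sender.per_destination_queue`, `synapse.handlers.device` and `synapse.replication.tcp.handler` to `CRITICAL` hides their ERROR output as well, not only the WARNING spam the comment describes, which removes exactly the lines an operator needs when diagnosing federation delivery or device-list problems or correlating an incident after the fact. Unless the linked issues specifically require ERROR to be silenced, `level: ERROR` keeps the noisy warnings out while preserving errors. At minimum the comment should state the consequence: `# NOTE: CRITICAL also suppresses ERROR-level messages from these loggers.`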
@@ -633,14 +661,14 @@ matrix_synapse_workers_federation_sender_workers_metrics_range_start: 19400 # Adjusting this value manually is generally not necessary. matrix_synapse_federation_sender_instances: [] -matrix_synapse_workers_media_repository_workers_count: "{{ matrix_synapse_workers_presets[matrix_synapse_workers_preset]['media_repository_workers_count'] }}" +matrix_synapse_workers_media_repository_workers_count: "{{ matrix_synapse_workers_presets[matrix_synapse_workers_preset]['media_repository_workers_count'] if not matrix_synapse_ext_media_repo_enabled else 0 }}" matrix_synapse_workers_media_repository_workers_port_range_start: 18551 matrix_synapse_workers_media_repository_workers_metrics_range_start: 19551 # matrix_synapse_enable_media_repo controls if the main Synapse process should serve media repository endpoints or if it should be left to media_repository workers (see `matrix_synapse_workers_media_repository_workers_count`). # This is enabled if workers are disabled, or if they are enabled, but there are no media repository workers. # Adjusting this value manually is generally not necessary. -matrix_synapse_enable_media_repo: "{{ not matrix_synapse_workers_enabled or (matrix_synapse_workers_enabled_list | selectattr('type', 'equalto', 'media_repository') | list | length == 0) }}" +matrix_synapse_enable_media_repo: "{{ not matrix_synapse_ext_media_repo_enabled and (not matrix_synapse_workers_enabled or (matrix_synapse_workers_enabled_list | selectattr('type', 'equalto', 'media_repository') | list | length == 0)) }}" # matrix_synapse_media_instance_running_background_jobs populates the `media_instance_running_background_jobs` Synapse configuration used when Synapse workers are in use (`matrix_synapse_workers_enabled`). # `media_instance_running_background_jobs` is meant to point to a single media-repository worker, which is dedicated to running background tasks that maintain the media repository. 
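Review bot: The comment above `matrix_synapse_enable_media_repo` is now stale: it still says the value is enabled "if workers are disabled, or if they are enabled, but there are no media repository workers", while the new expression additionally requires `matrix_synapse_ext_media_repo_enabled` to be false, and `matrix_synapse_workers_media_repository_workers_count` now collapses to `0` under the same flag without any comment at all. Suggested addition above both variables: `# When an external media repository is in use (matrix_synapse_ext_media_repo_enabled), Synapse's own media repo and media-repository workers are disabled.`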
@@ -825,7 +853,7 @@ matrix_synapse_ext_spam_checker_synapse_simple_antispam_config_blocked_homeserve # See: https://github.com/matrix-org/mjolnir#synapse-module matrix_synapse_ext_spam_checker_mjolnir_antispam_enabled: false matrix_synapse_ext_spam_checker_mjolnir_antispam_git_repository_url: "https://github.com/matrix-org/mjolnir" -matrix_synapse_ext_spam_checker_mjolnir_antispam_git_version: "4008e3f65d3745b9307dd31f1c5aa80c13a61a58" +matrix_synapse_ext_spam_checker_mjolnir_antispam_git_version: "v1.6.4" matrix_synapse_ext_spam_checker_mjolnir_antispam_config_block_invites: true # Flag messages sent by servers/users in the ban lists as spam. Currently # this means that spammy messages will appear as empty to users. Default @@ -840,7 +868,16 @@ matrix_synapse_ext_spam_checker_mjolnir_antispam_config_block_usernames: false # these rooms. # ["!roomid:example.org"] matrix_synapse_ext_spam_checker_mjolnir_antispam_config_ban_lists: [] - +# A dictionary with various fields controlling max length. +# See https://github.com/matrix-org/mjolnir/blob/main/docs/synapse_module.md for details. +matrix_synapse_ext_spam_checker_mjolnir_antispam_config_message_max_length: {} +# Actual configuration passed to the mjolnir-antispam Synapse module +matrix_synapse_ext_spam_checker_mjolnir_antispam_config: + block_invites: "{{ matrix_synapse_ext_spam_checker_mjolnir_antispam_config_block_invites }}" + block_messages: "{{ matrix_synapse_ext_spam_checker_mjolnir_antispam_config_block_messages }}" + block_usernames: "{{ matrix_synapse_ext_spam_checker_mjolnir_antispam_config_block_usernames }}" + ban_lists: "{{ matrix_synapse_ext_spam_checker_mjolnir_antispam_config_ban_lists }}" + message_max_length: "{{ matrix_synapse_ext_spam_checker_mjolnir_antispam_config_message_max_length }}" # Enable this to activate the E2EE disabling Synapse module. # See: https://github.com/digitalentity/matrix_encryption_disabler 
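Review bot: `matrix_synapse_ext_spam_checker_mjolnir_antispam_git_version` moves from a full commit hash to the tag `v1.6.4`; a tag is a mutable reference, so the code the playbook checks out and loads into Synapse as a module can change upstream without any change in this repository, which the previous pin prevented. Keep a commit hash here and mention the tag it corresponds to in a comment, or at least document the trade-off next to the variable: `# Tags are mutable; pin to a commit hash if you need a reproducible checkout.`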
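Review bot: In the second hunk, the blank line that separated `matrix_synapse_ext_spam_checker_mjolnir_antispam_config_ban_lists: []` from what follows was replaced rather than kept, so the new `# A dictionary with various fields controlling max length.` comment now runs straight on from the previous variable, and the new `matrix_synapse_ext_spam_checker_mjolnir_antispam_config` mapping runs straight into the encryption-disabler stanza that follows. Re-add a blank line before that comment and one after the `message_max_length:` line, matching the stanza spacing used elsewhere in this file.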
@@ -870,7 +907,7 @@ matrix_synapse_ext_encryption_config_yaml: | # Installing it requires building a customized Docker image for Synapse (see `matrix_synapse_container_image_customizations_enabled`). # Enabling this will enable customizations and inject the appropriate Dockerfile clauses for installing synapse-s3-storage-provider. matrix_synapse_ext_synapse_s3_storage_provider_enabled: false -matrix_synapse_ext_synapse_s3_storage_provider_version: 1.2.0 +matrix_synapse_ext_synapse_s3_storage_provider_version: 1.3.0 # Controls whether media from this (local) server is stored in s3-storage-provider matrix_synapse_ext_synapse_s3_storage_provider_store_local: true # Controls whether media from remote servers is stored in s3-storage-provider @@ -901,6 +938,10 @@ matrix_synapse_ext_synapse_s3_storage_provider_update_db_day_count: 0 # This is a systemd timer OnCalendar definition. Learn more here: https://man.archlinux.org/man/systemd.time.7#CALENDAR_EVENTS matrix_synapse_ext_synapse_s3_storage_provider_periodic_migration_schedule: '*-*-* 05:00:00' +# Specifies whether an external media repository is enabled. +# If it is, the Synapse media repo and media-repo workers will be disabled automatically. +matrix_synapse_ext_media_repo_enabled: false + matrix_s3_media_store_enabled: false matrix_s3_media_store_custom_endpoint_enabled: false matrix_s3_goofys_docker_image: "{{ matrix_s3_goofys_docker_image_name_prefix }}ewoutp/goofys:latest" 
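Review bot: `matrix_synapse_ext_media_repo_enabled` is introduced in the middle of the `matrix_synapse_ext_synapse_s3_storage_provider_*` stanza and its `matrix_synapse_ext_` prefix suggests a Synapse extension, although the comment describes an external media repository and the flag is consumed elsewhere in this file by `matrix_synapse_enable_media_repo` and `matrix_synapse_workers_media_repository_workers_count`. Naming those consumers in the comment makes the effect discoverable, e.g. `# Consumed by matrix_synapse_enable_media_repo and matrix_synapse_workers_media_repository_workers_count.`, and the variable would sit more naturally next to the media-repository settings.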
@@ -939,12 +980,6 @@ matrix_synapse_default_room_version: "10" # The upstream default is `false`, but we try to make Synapse less wasteful of resources, so we do things differently. matrix_synapse_forget_rooms_on_leave: true -# Controls the Synapse `spam_checker` setting. -# -# If a spam-checker extension is enabled, this variable's value is set automatically by the playbook during runtime. -# If not, you can also control its value manually. -matrix_synapse_spam_checker: [] - # Controls the Synapse `modules` list. # You can define your own list of modules here. See the `modules` syntax in `homeserver.yaml.j2` # Certain Synapse extensions that you can enable below auto-inject themselves into `matrix_synapse_modules` at runtime. 
@@ -981,12 +1016,17 @@ matrix_synapse_trusted_key_servers: matrix_synapse_redaction_retention_period: 7d +# Controls how long to keep locally forgotten rooms before purging them from the DB. +# Defaults to `null`, meaning it's disabled. +# Example value: 28d +matrix_synapse_forgotten_room_retention_period: ~ + matrix_synapse_user_ips_max_age: 28d -matrix_synapse_rust_synapse_compress_state_docker_image: "{{ matrix_synapse_rust_synapse_compress_state_docker_image_name_prefix }}mb-saces/rust-synapse-compress-state:latest" +matrix_synapse_rust_synapse_compress_state_docker_image: "{{ matrix_synapse_rust_synapse_compress_state_docker_image_name_prefix }}mb-saces/rust-synapse-tools:v0.0.1" matrix_synapse_rust_synapse_compress_state_docker_image_name_prefix: "registry.gitlab.com/" -matrix_synapse_rust_synapse_compress_state_docker_image_force_pull: "{{ matrix_synapse_rust_synapse_compress_state_docker_image.endswith(':latest') }}" +matrix_synapse_rust_synapse_compress_state_docker_image_force_pull: "{{ matrix_synapse_rust_synapse_compress_state_docker_image.endswith(':stable') or matrix_synapse_rust_synapse_compress_state_docker_image.endswith(':latest') }}" matrix_synapse_rust_synapse_compress_state_base_path: "{{ matrix_base_data_path }}/rust-synapse-compress-state" matrix_synapse_rust_synapse_compress_state_synapse_compress_state_in_container_path: "/usr/local/bin/synapse_compress_state" diff --git a/roles/custom/matrix-synapse/tasks/ext/encryption-disabler/setup_install.yml b/roles/custom/matrix-synapse/tasks/ext/encryption-disabler/setup_install.yml index 3725545f..b8046033 100644 --- a/roles/custom/matrix-synapse/tasks/ext/encryption-disabler/setup_install.yml +++ b/roles/custom/matrix-synapse/tasks/ext/encryption-disabler/setup_install.yml 
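Review bot: The compress-state image is now pinned to `mb-saces/rust-synapse-tools:v0.0.1`, but the tag is embedded in `matrix_synapse_rust_synapse_compress_state_docker_image` rather than held in a `_version` variable, so it gets none of the `# renovate:` annotations this change adds above the other `*_version` keys and will not be tracked like them. Splitting out `matrix_synapse_rust_synapse_compress_state_version: v0.0.1` with a `# renovate: datasource=docker depName=<image name>` line above it, and referencing it from the image string, would keep it updatable. Separately, `matrix_synapse_forgotten_room_retention_period: ~` reads better as `null`, which is also the word the comment above it uses.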
@@ -33,9 +33,9 @@ ["--mount type=bind,src={{ matrix_synapse_ext_path }}/matrix_e2ee_filter.py,dst={{ matrix_synapse_in_container_python_packages_path }}/matrix_e2ee_filter.py,ro"] }} - matrix_synapse_additional_loggers: > + matrix_synapse_additional_loggers_auto: > {{ - matrix_synapse_additional_loggers + matrix_synapse_additional_loggers_auto + [{'name': 'matrix_e2ee_filter', 'level': 'INFO'}] }} diff --git a/roles/custom/matrix-synapse/tasks/ext/ldap-auth/setup_install.yml b/roles/custom/matrix-synapse/tasks/ext/ldap-auth/setup_install.yml index c13a0404..6d484377 100644 --- a/roles/custom/matrix-synapse/tasks/ext/ldap-auth/setup_install.yml +++ b/roles/custom/matrix-synapse/tasks/ext/ldap-auth/setup_install.yml @@ -3,9 +3,9 @@ - ansible.builtin.set_fact: matrix_synapse_password_providers_enabled: true - matrix_synapse_additional_loggers: > + matrix_synapse_additional_loggers_auto: > {{ - matrix_synapse_additional_loggers + matrix_synapse_additional_loggers_auto + [{'name': 'ldap_auth_provider', 'level': 'INFO'}] }} diff --git a/roles/custom/matrix-synapse/tasks/ext/mjolnir-antispam/setup_install.yml b/roles/custom/matrix-synapse/tasks/ext/mjolnir-antispam/setup_install.yml index f3218808..0fc2a750 100644 --- a/roles/custom/matrix-synapse/tasks/ext/mjolnir-antispam/setup_install.yml +++ b/roles/custom/matrix-synapse/tasks/ext/mjolnir-antispam/setup_install.yml 
@@ -14,18 +14,13 @@ become_user: "{{ matrix_synapse_username }}" - ansible.builtin.set_fact: - matrix_synapse_spam_checker: > + matrix_synapse_modules: > {{ - matrix_synapse_spam_checker + matrix_synapse_modules | default([]) + [{ - "module": "mjolnir.AntiSpam", - "config": { - "block_invites": matrix_synapse_ext_spam_checker_mjolnir_antispam_config_block_invites, - "block_messages": matrix_synapse_ext_spam_checker_mjolnir_antispam_config_block_messages, - "block_usernames": matrix_synapse_ext_spam_checker_mjolnir_antispam_config_block_usernames, - "ban_lists": matrix_synapse_ext_spam_checker_mjolnir_antispam_config_ban_lists, - } + "module": "mjolnir.Module", + "config": matrix_synapse_ext_spam_checker_mjolnir_antispam_config, }] }} diff --git a/roles/custom/matrix-synapse/tasks/ext/rest-auth/setup_install.yml b/roles/custom/matrix-synapse/tasks/ext/rest-auth/setup_install.yml index ad58830a..4c59a4b1 100644 --- a/roles/custom/matrix-synapse/tasks/ext/rest-auth/setup_install.yml +++ b/roles/custom/matrix-synapse/tasks/ext/rest-auth/setup_install.yml @@ -28,9 +28,9 @@ ["--mount type=bind,src={{ matrix_synapse_ext_path }}/rest_auth_provider.py,dst={{ matrix_synapse_in_container_python_packages_path }}/rest_auth_provider.py,ro"] }} - matrix_synapse_additional_loggers: > + matrix_synapse_additional_loggers_auto: > {{ - matrix_synapse_additional_loggers + matrix_synapse_additional_loggers_auto + [{'name': 'rest_auth_provider', 'level': 'INFO'}] }} diff --git a/roles/custom/matrix-synapse/tasks/ext/setup_install.yml b/roles/custom/matrix-synapse/tasks/ext/setup_install.yml index 0d887939..4adb6566 100644 --- a/roles/custom/matrix-synapse/tasks/ext/setup_install.yml +++ b/roles/custom/matrix-synapse/tasks/ext/setup_install.yml 
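Review bot: `matrix_synapse_modules | default([])` applies a default to a variable that `defaults/main.yml` appears to define already (the `# Controls the Synapse modules list.` stanza is visible in this same change), so the filter is redundant and would mask a genuinely undefined variable instead of failing loudly; the sibling task files in this change append to `matrix_synapse_additional_loggers_auto` without any default. For consistency, drop the filter: `matrix_synapse_modules +`.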
@@ -4,6 +4,8 @@ - tags: - setup-all - setup-synapse + - install-all + - install-synapse block: - when: matrix_synapse_ext_encryption_disabler_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/ext/encryption-disabler/setup_install.yml" @@ -12,6 +14,8 @@ - tags: - setup-all - setup-synapse + - install-all + - install-synapse block: - when: matrix_synapse_ext_password_provider_rest_auth_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/ext/rest-auth/setup_install.yml" @@ -20,6 +24,8 @@ - tags: - setup-all - setup-synapse + - install-all + - install-synapse block: - when: matrix_synapse_ext_password_provider_shared_secret_auth_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/ext/shared-secret-auth/setup_install.yml" @@ -28,6 +34,8 @@ - tags: - setup-all - setup-synapse + - install-all + - install-synapse block: - when: matrix_synapse_ext_password_provider_ldap_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/ext/ldap-auth/setup_install.yml" @@ -36,6 +44,8 @@ - tags: - setup-all - setup-synapse + - install-all + - install-synapse block: - when: matrix_synapse_ext_spam_checker_synapse_simple_antispam_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/ext/synapse-simple-antispam/setup_install.yml" @@ -44,6 +54,8 @@ - tags: - setup-all - setup-synapse + - install-all + - install-synapse block: - when: matrix_synapse_ext_spam_checker_mjolnir_antispam_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/ext/mjolnir-antispam/setup_install.yml" @@ -52,6 +64,8 @@ - tags: - setup-all - setup-synapse + - install-all + - install-synapse block: - when: matrix_synapse_ext_synapse_s3_storage_provider_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/ext/s3-storage-provider/validate_config.yml" 
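Review bot: The same tag list (`setup-all`, `setup-synapse`, `install-all`, `install-synapse`) is now repeated in seven consecutive blocks of this file that differ only in the `when` flag and the included path, and the hunks of `tasks/setup_install.yml` in this change repeat it again. A style alternative is a single block carrying those tags that wraps one `ansible.builtin.include_tasks: "{{ item.path }}"` task looping over `{path, enabled}` pairs with `when: item.enabled | bool`, so the next tag addition touches one place. If the per-extension blocks are deliberate, a one-line comment at the top of the file saying why would save the next reader from proposing this again.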
diff --git a/roles/custom/matrix-synapse/tasks/ext/shared-secret-auth/setup_install.yml b/roles/custom/matrix-synapse/tasks/ext/shared-secret-auth/setup_install.yml index c974bd2c..ecec3e80 100644 --- a/roles/custom/matrix-synapse/tasks/ext/shared-secret-auth/setup_install.yml +++ b/roles/custom/matrix-synapse/tasks/ext/shared-secret-auth/setup_install.yml @@ -43,9 +43,9 @@ ["--mount type=bind,src={{ matrix_synapse_ext_path }}/shared_secret_authenticator.py,dst={{ matrix_synapse_in_container_python_packages_path }}/shared_secret_authenticator.py,ro"] }} - matrix_synapse_additional_loggers: > + matrix_synapse_additional_loggers_auto: > {{ - matrix_synapse_additional_loggers + matrix_synapse_additional_loggers_auto + [{'name': 'shared_secret_authenticator', 'level': 'INFO'}] }} diff --git a/roles/custom/matrix-synapse/tasks/main.yml b/roles/custom/matrix-synapse/tasks/main.yml index 743dab5f..2a8a0094 100644 --- a/roles/custom/matrix-synapse/tasks/main.yml +++ b/roles/custom/matrix-synapse/tasks/main.yml @@ -36,8 +36,8 @@ - setup-all - setup-synapse block: - - when: not matrix_synapse_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" + # This always runs because it handles uninstallation for sub-components too. + - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: - import-synapse-media-store diff --git a/roles/custom/matrix-synapse/tasks/setup_install.yml b/roles/custom/matrix-synapse/tasks/setup_install.yml index 378a0dee..a2185da5 100644 --- a/roles/custom/matrix-synapse/tasks/setup_install.yml +++ b/roles/custom/matrix-synapse/tasks/setup_install.yml @@ -26,6 +26,8 @@ - tags: - setup-all - setup-synapse + - install-all + - install-synapse block: - ansible.builtin.include_tasks: "{{ role_path }}/tasks/ext/setup_install.yml" 
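Review bot: `setup_uninstall.yml` is now included unconditionally and the `not matrix_synapse_enabled | bool` guard has moved into that file, but the `tasks/setup_uninstall.yml` hunks visible in this change (the two that follow) only add the guard to the `ext` and `synapse` includes; any other include in that file that does not check its own component flag will now run on a fully enabled deployment. Confirm every include there is guarded, and spell the expectation out next to the new comment: `# Each include in setup_uninstall.yml must check its own component's enabled flag.`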
@@ -34,6 +36,8 @@ - tags: - setup-all - setup-synapse + - install-all + - install-synapse block: - when: matrix_synapse_workers_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/synapse/workers/setup_install.yml" @@ -41,12 +45,16 @@ - tags: - setup-all - setup-synapse + - install-all + - install-synapse block: - ansible.builtin.include_tasks: "{{ role_path }}/tasks/synapse/setup_install.yml" - tags: - setup-all - setup-synapse + - install-all + - install-synapse block: - when: matrix_s3_media_store_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/goofys/setup_install.yml" diff --git a/roles/custom/matrix-synapse/tasks/setup_uninstall.yml b/roles/custom/matrix-synapse/tasks/setup_uninstall.yml index 7ce5e13d..66cda3e7 100644 --- a/roles/custom/matrix-synapse/tasks/setup_uninstall.yml +++ b/roles/custom/matrix-synapse/tasks/setup_uninstall.yml @@ -4,7 +4,8 @@ - setup-all - setup-synapse block: - - ansible.builtin.include_tasks: "{{ role_path }}/tasks/ext/setup_uninstall.yml" + - when: not matrix_synapse_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/ext/setup_uninstall.yml" - tags: - setup-all @@ -17,7 +18,8 @@ - setup-all - setup-synapse block: - - ansible.builtin.include_tasks: "{{ role_path }}/tasks/synapse/setup_uninstall.yml" + - when: not matrix_synapse_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/synapse/setup_uninstall.yml" - tags: - setup-all diff --git a/roles/custom/matrix-synapse/tasks/synapse/setup_install.yml b/roles/custom/matrix-synapse/tasks/synapse/setup_install.yml index 169be60b..7bdf5ddc 100644 --- a/roles/custom/matrix-synapse/tasks/synapse/setup_install.yml +++ b/roles/custom/matrix-synapse/tasks/synapse/setup_install.yml 
@@ -72,12 +72,13 @@ owner: "{{ matrix_synapse_uid }}" group: "{{ matrix_synapse_gid }}" mode: 0640 + register: matrix_synapse_container_image_customizations_dockerfile_result - name: Ensure customized Docker image for Synapse is built community.docker.docker_image: name: "{{ matrix_synapse_docker_image_customized }}" source: build - force_source: "{{ matrix_synapse_docker_image_customized_force_source }}" + force_source: "{{ matrix_synapse_container_image_customizations_dockerfile_result.changed or matrix_synapse_docker_image_customized_force_source }}" build: dockerfile: Dockerfile path: "{{ matrix_synapse_customized_docker_src_files_path }}" diff --git a/roles/custom/matrix-synapse/tasks/validate_config.yml b/roles/custom/matrix-synapse/tasks/validate_config.yml index 607c75b8..64397a49 100644 --- a/roles/custom/matrix-synapse/tasks/validate_config.yml +++ b/roles/custom/matrix-synapse/tasks/validate_config.yml @@ -66,7 +66,7 @@ - {'old': 'matrix_synapse_ext_s3_storage_provider_path', 'new': 'matrix_synapse_ext_s3_storage_provider_base_path'} - {'old': 'matrix_synapse_send_federation', 'new': ''} - {'old': 'matrix_synapse_start_pushers', 'new': ''} - + - {'old': 'matrix_synapse_spam_checker', 'new': ''} - name: (Deprecation) Catch and report renamed settings in matrix_synapse_configuration_extension_yaml ansible.builtin.fail: diff --git a/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2 index 8e3fa2b6..65298fc2 100644 --- a/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2 
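Review bot: In the `validate_config.yml` hunk, the new `- {'old': 'matrix_synapse_spam_checker', 'new': ''}` entry replaces the blank line that separated the renamed-settings list from the following `(Deprecation)` task instead of being inserted above it, so the list now runs directly into the next `- name:` in the new file. Keep the entry and re-add the blank line after it so the task boundary stays visible.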
@@ -509,7 +509,12 @@ limit_remote_rooms: # #redaction_retention_period: 28d -redaction_retention_period: {{ matrix_synapse_redaction_retention_period }} +redaction_retention_period: {{ matrix_synapse_redaction_retention_period | to_json }} + +# How long to keep locally forgotten rooms before purging them from the DB. +# +#forgotten_room_retention_period: 28d +forgotten_room_retention_period: {{ matrix_synapse_forgotten_room_retention_period | to_json }} # How long to track users' last seen time and IPs in the database. # @@ -517,7 +522,7 @@ redaction_retention_period: {{ matrix_synapse_redaction_retention_period }} # #user_ips_max_age: 14d -user_ips_max_age: {{ matrix_synapse_user_ips_max_age }} +user_ips_max_age: {{ matrix_synapse_user_ips_max_age | to_json }} # Inhibits the /requestToken endpoints from returning an error that might leak # information about whether an e-mail address is in use or not on this @@ -2085,9 +2090,9 @@ saml2_config: # use 'oidc' for the idp_id to ensure that existing users continue to be # recognised.) # -oidc_providers: +{% if matrix_synapse_oidc_enabled and matrix_synapse_oidc_providers | length > 0 %} # Generic example - # + #matrix_synapse_oidc_providers: #- idp_id: my_idp # idp_name: "My OpenID provider" # idp_icon: "mxc://example.com/mediaid" @@ -2111,6 +2116,8 @@ oidc_providers: # attribute_requirements: # - attribute: userGroup # value: "synapseUsers" +oidc_providers: {{ matrix_synapse_oidc_providers }} +{% endif %} # Enable Central Authentication Service (CAS) for registration and login. @@ -2351,7 +2358,7 @@ email: # must present a certificate that is valid for 'smtp_host'. If this option # is set to false, TLS will not be used. # - #enable_tls: false + enable_tls: {{ matrix_synapse_email_smtp_enable_tls|to_json }} # notif_from defines the "From" address to use when sending emails. # It must be set if email sending is enabled. 
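Review bot: `oidc_providers: {{ matrix_synapse_oidc_providers }}` renders the list with Python's repr, while every other value this change touches in the file goes through `| to_json` (`redaction_retention_period`, `forgotten_room_retention_period`, `user_ips_max_age`, `enable_tls`); a provider entry containing a boolean or a null would come out as `True`/`None`, which YAML does not read back as the intended types. Use `oidc_providers: {{ matrix_synapse_oidc_providers | to_json }}`. The replaced comment line `#matrix_synapse_oidc_providers:` also labels Synapse's upstream sample block with the playbook variable name, which is misleading since the sample is Synapse syntax; the original bare `#` or `# Example (Synapse syntax):` would be clearer.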
@@ -2570,20 +2577,6 @@ push: #group_unread_count_by_room: false -# Spam checkers are third-party modules that can block specific actions -# of local users, such as creating rooms and registering undesirable -# usernames, as well as remote users by redacting incoming events. -# -# spam_checker: - #- module: "my_custom_project.SuperSpamChecker" - # config: - # example_option: 'things' - #- module: "some_other_project.BadEventStopper" - # config: - # example_stop_events_from: ['@bad:example.com'] -spam_checker: {{ matrix_synapse_spam_checker|to_json }} - - ## Rooms ## # Controls whether locally-created rooms should be end-to-end encrypted by diff --git a/roles/custom/matrix-synapse/templates/synapse/systemd/matrix-synapse-worker.service.j2 b/roles/custom/matrix-synapse/templates/synapse/systemd/matrix-synapse-worker.service.j2 index 4a6a01b7..2441e4a8 100644 --- a/roles/custom/matrix-synapse/templates/synapse/systemd/matrix-synapse-worker.service.j2 +++ b/roles/custom/matrix-synapse/templates/synapse/systemd/matrix-synapse-worker.service.j2 @@ -3,6 +3,7 @@ Description=Synapse worker ({{ matrix_synapse_worker_container_name }}) AssertPathExists={{ matrix_synapse_config_dir_path }}/{{ matrix_synapse_worker_config_file_name }} After=matrix-synapse.service +Requires=matrix-synapse.service [Service] Type=simple diff --git a/roles/custom/matrix-synapse/templates/synapse/worker.yaml.j2 b/roles/custom/matrix-synapse/templates/synapse/worker.yaml.j2 index f0e6fe90..18b96a55 100644 --- a/roles/custom/matrix-synapse/templates/synapse/worker.yaml.j2 +++ b/roles/custom/matrix-synapse/templates/synapse/worker.yaml.j2 
@@ -5,11 +5,6 @@ worker_name: {{ matrix_synapse_worker_details.name }} worker_daemonize: false worker_log_config: /data/{{ matrix_server_fqn_matrix }}.log.config -{% if matrix_synapse_replication_listener_enabled %} -worker_replication_host: matrix-synapse -worker_replication_http_port: {{ matrix_synapse_replication_http_port }} -{% endif %} - {% set http_resources = [] %} {% if matrix_synapse_worker_details.type == 'user_dir' %} diff --git a/roles/custom/matrix-synapse/vars/main.yml b/roles/custom/matrix-synapse/vars/main.yml index 9ac7afeb..47cbc2a0 100644 --- a/roles/custom/matrix-synapse/vars/main.yml +++ b/roles/custom/matrix-synapse/vars/main.yml @@ -5,6 +5,9 @@ matrix_synapse_federation_api_url_endpoint_public: "https://{{ matrix_server_fqn matrix_synapse_media_store_directory_name: "{{ matrix_synapse_media_store_path | basename }}" +# Optionally: `false` to fully disable tls on outbound smtp +matrix_synapse_email_smtp_enable_tls: true + # A Synapse generic worker can handle both federation and client-server API endpoints. # We wish to split these, as we normally serve federation separately and don't want them mixed up. # @@ -167,6 +170,7 @@ matrix_synapse_workers_generic_worker_endpoints: - ^/_matrix/client/(r0|v3|unstable)/user/.*/filter(/|$) - ^/_matrix/client/(api/v1|r0|v3|unstable)/directory/room/.*$ - ^/_matrix/client/(r0|v3|unstable)/capabilities$ + - ^/_matrix/client/(r0|v3|unstable)/notifications$ # Encryption requests # Note that ^/_matrix/client/(r0|v3|unstable)/keys/upload/ requires `worker_main_http_uri` diff --git a/roles/custom/matrix-user-creator/tasks/main.yml b/roles/custom/matrix-user-creator/tasks/main.yml index ff93a463..2d9cc1c3 100644 --- a/roles/custom/matrix-user-creator/tasks/main.yml +++ b/roles/custom/matrix-user-creator/tasks/main.yml 
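Review bot: `matrix_synapse_email_smtp_enable_tls` is introduced in `vars/main.yml` with a comment saying it can optionally be set to `false`, but role `vars/` take precedence over inventory and `group_vars`, which is how this playbook is normally configured, so users cannot actually override it. If it is meant to be tunable it belongs in `defaults/main.yml` with the other `matrix_synapse_email_*` settings; if it is meant to be fixed, the `# Optionally:` comment should go. Either way the comment should repeat the template's own caveat that TLS is not used at all when this is `false`, so nobody flips it casually.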
@@ -5,6 +5,7 @@
     # If it did, the initial installation (`--tags=setup-all`) would also potentially polute the database with data,
     # which would make importing a database dump problematic.
     - ensure-matrix-users-created
+    - ensure-users-created
   block:
     - when: matrix_user_creator_users | length > 0
       ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup.yml"
diff --git a/roles/custom/matrix-user-verification-service/defaults/main.yml b/roles/custom/matrix-user-verification-service/defaults/main.yml
index 5b3611b8..46ae72db 100644
--- a/roles/custom/matrix-user-verification-service/defaults/main.yml
+++ b/roles/custom/matrix-user-verification-service/defaults/main.yml
@@ -5,19 +5,33 @@ matrix_user_verification_service_ansible_name: "Matrix User Verification Service
 # Enable by default. This is overwritten in provided group vars.
 matrix_user_verification_service_enabled: true
 
+matrix_user_verification_service_container_image_self_build: "{{ matrix_architecture != 'amd64' }}"
+matrix_user_verification_service_container_image_self_build_repo: "https://github.com/matrix-org/matrix-user-verification-service"
+matrix_user_verification_service_container_image_self_build_branch: "{{ 'master' if matrix_registration_version == 'latest' else matrix_user_verification_service_version }}"
+
 # Fix version tag
-matrix_user_verification_service_version: "v2.0.0"
+# renovate: datasource=docker depName=matrixdotorg/matrix-user-verification-service
+matrix_user_verification_service_version: "v3.0.0"
 
 # Paths
 matrix_user_verification_service_base_path: "{{ matrix_base_data_path }}/user-verification-service"
 matrix_user_verification_service_config_path: "{{ matrix_user_verification_service_base_path }}/config"
 matrix_user_verification_service_config_env_file: "{{ matrix_user_verification_service_config_path }}/.env"
+matrix_user_verification_service_docker_src_files_path: "{{ matrix_user_verification_service_base_path }}/docker-src"
 
 # Docker
 matrix_user_verification_service_docker_image_name_prefix: "{{ matrix_container_global_registry_prefix }}"
 matrix_user_verification_service_docker_image: "{{ matrix_user_verification_service_docker_image_name_prefix }}matrixdotorg/matrix-user-verification-service:{{ matrix_user_verification_service_version }}"
 matrix_user_verification_service_docker_image_force_pull: "{{ matrix_user_verification_service_docker_image.endswith(':latest') }}"
 
+# The base container network. It will be auto-created by this role if it doesn't exist already.
+matrix_user_verification_service_container_network: "{{ matrix_docker_network }}"
+
+# A list of additional container networks that the container would be connected to.
+# The role does not create these networks, so make sure they already exist.
+# Use this to expose this container to another reverse proxy, which runs in a different container network.
+matrix_user_verification_service_container_additional_networks: []
+
 matrix_user_verification_service_container_name: "matrix-user-verification-service"
 # This will be set in group vars
 matrix_user_verification_service_container_http_host_bind_port: ''
diff --git a/roles/custom/matrix-user-verification-service/tasks/setup_install.yml b/roles/custom/matrix-user-verification-service/tasks/setup_install.yml
index 185b4b64..700614cb 100644
--- a/roles/custom/matrix-user-verification-service/tasks/setup_install.yml
+++ b/roles/custom/matrix-user-verification-service/tasks/setup_install.yml
@@ -9,6 +9,7 @@
     group: "{{ matrix_user_groupname }}"
   with_items:
     - {path: "{{ matrix_user_verification_service_config_path }}", when: true}
+    - {path: "{{ matrix_user_verification_service_docker_src_files_path }}", when: "{{ matrix_user_verification_service_container_image_self_build }}"}
   when: item.when | bool
 
 - name: Ensure Matrix User Verification Service image is pulled
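Review bot: `matrix_user_verification_service_container_image_self_build_branch` tests `matrix_registration_version == 'latest'`, a variable belonging to a different role, while its fallback value is `matrix_user_verification_service_version`; this looks like a copy-paste slip and makes the branch choice depend on another component's version. It should read `matrix_user_verification_service_container_image_self_build_branch: "{{ 'master' if matrix_user_verification_service_version == 'latest' else matrix_user_verification_service_version }}"`. Note also that self-build is switched on automatically for non-amd64 hosts and clones `matrix_user_verification_service_container_image_self_build_repo` by tag, a mutable reference; a comment saying so would help operators weigh that trade-off.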
@@ -21,6 +22,30 @@
   retries: "{{ devture_playbook_help_container_retries_count }}"
   delay: "{{ devture_playbook_help_container_retries_delay }}"
   until: result is not failed
+  when: "not matrix_user_verification_service_container_image_self_build | bool"
+
+- name: Ensure Matrix User Verification Service repository is present when self-building
+  ansible.builtin.git:
+    repo: "{{ matrix_user_verification_service_container_image_self_build_repo }}"
+    dest: "{{ matrix_user_verification_service_docker_src_files_path }}"
+    version: "{{ matrix_user_verification_service_container_image_self_build_branch }}"
+    force: "yes"
+  become: true
+  become_user: "{{ matrix_user_username }}"
+  register: matrix_user_verification_service_git_pull_results
+  when: "matrix_user_verification_service_container_image_self_build | bool"
+
+- name: Ensure Matrix User Verification Service image is built
+  community.docker.docker_image:
+    name: "{{ matrix_user_verification_service_docker_image }}"
+    source: build
+    force_source: "{{ matrix_user_verification_service_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
+    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_user_verification_service_git_pull_results.changed }}"
+    build:
+      dockerfile: Dockerfile
+      path: "{{ matrix_user_verification_service_docker_src_files_path }}"
+      pull: true
+  when: "matrix_user_verification_service_container_image_self_build | bool"
 
 - name: Ensure Matrix User Verification Service env file installed
   ansible.builtin.template:
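Review bot: The `force_source`/`force` pair guards on `ansible_version.major > 2 or ansible_version.minor >= 8`, but this task already depends on the `community.docker` collection, which as far as I know does not support Ansible releases that old, so the `omit` branches are dead code that makes the task hard to read. `force_source: "{{ matrix_user_verification_service_git_pull_results.changed }}"` with the `force:` line removed is sufficient and matches the simpler pattern the Synapse customized-image task in this change uses. Also `force: "yes"` on the `git` task is a quoted truthy string where `force: true` is the conventional boolean.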
@@ -30,6 +55,11 @@ group: "{{ matrix_user_groupname }}" mode: 0644 +- name: Ensure matrix-user-verification-service container network is created + community.general.docker_network: + name: "{{ matrix_user_verification_service_container_network }}" + driver: bridge + - name: Ensure matrix-user-verification-service.service installed ansible.builtin.template: src: "{{ role_path }}/templates/systemd/matrix-user-verification-service.service.j2" diff --git a/roles/custom/matrix-user-verification-service/templates/systemd/matrix-user-verification-service.service.j2 b/roles/custom/matrix-user-verification-service/templates/systemd/matrix-user-verification-service.service.j2 index eb24b128..268e4298 100644 --- a/roles/custom/matrix-user-verification-service/templates/systemd/matrix-user-verification-service.service.j2 +++ b/roles/custom/matrix-user-verification-service/templates/systemd/matrix-user-verification-service.service.j2 @@ -17,12 +17,15 @@ ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_s ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm {{ matrix_user_verification_service_container_name }} 2>/dev/null' -ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name {{ matrix_user_verification_service_container_name }}\ +ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \ + --rm \ + --name={{ matrix_user_verification_service_container_name }} \ --log-driver=none \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --cap-drop=ALL \ --read-only \ - --network={{ matrix_docker_network }} \ + --tmpfs /.npm \ + --network={{ matrix_user_verification_service_container_network }} \ {% if matrix_user_verification_service_container_http_host_bind_port %} -p {{ matrix_user_verification_service_container_http_host_bind_port }}:3000 \ {% endif %} 
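Review bot: The new network task uses `community.general.docker_network` while the container tasks in this file use the `community.docker` collection (`community.docker.docker_image` in the hunk just above); the `community.general` name is a legacy redirect to `community.docker.docker_network`, so write `community.docker.docker_network:` here for consistency and to stop relying on the redirect. In the systemd template hunk, `--tmpfs /.npm` added to the read-only container is undocumented; a short Jinja comment stating why the container needs a writable `/.npm` at runtime would save the next reader from guessing.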
@@ -32,6 +35,11 @@ ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name
 {% endfor %}
 {{ matrix_user_verification_service_docker_image }}
 
+{% for network in matrix_user_verification_service_container_additional_networks %}
+ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} {{ matrix_user_verification_service_container_name }}
+{% endfor %}
+ExecStart=/usr/bin/env docker start --attach matrix-user-verification-service
+
 ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill {{ matrix_user_verification_service_container_name }} 2>/dev/null'
 ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm {{ matrix_user_verification_service_container_name }} 2>/dev/null'
 Restart=always
diff --git a/roles/custom/matrix_playbook_migration/defaults/main.yml b/roles/custom/matrix_playbook_migration/defaults/main.yml
index c61e7120..1ca6c011 100644
--- a/roles/custom/matrix_playbook_migration/defaults/main.yml
+++ b/roles/custom/matrix_playbook_migration/defaults/main.yml
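Review bot: `ExecStart=/usr/bin/env docker start --attach matrix-user-verification-service` hardcodes both the `docker` binary and the container name, whereas every other command in this unit uses `{{ devture_systemd_docker_base_host_command_docker }}` and `{{ matrix_user_verification_service_container_name }}`; changing the container name through its variable would silently break start-up. Use `ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach {{ matrix_user_verification_service_container_name }}`.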
@@ -26,3 +26,19 @@ matrix_playbook_migration_matrix_aux_migration_validation_enabled: true
 # Controls if (`matrix_jitsi` -> `jitsi`) validation will run.
 matrix_playbook_migration_matrix_jitsi_migration_validation_enabled: true
+
+# Controls if the old apt repository (likely without a `signed-by` option) on Debian-based systems will be removed.
+#
+# Older versions of the Docker role (5.x, 6.x) used to install a repository at a path like: `/etc/apt/sources.list.d/download_docker_com_linux_*`
+# For 6.x, the repository included a `signed-by` option, but for earlier versions it did not.
+#
+# New versions of the Docker role (7.0+) install a new apt repository with `signed-by` option to a different path (`/etc/apt/sources.list.d/docker.list`),
+# but if a non-signed-by repository exists at the old path, a conflict will arise.
+#
+# Our workaround is to just delete the old repository file. Later, when the Docker role runs, it will install a new one at the new path.
+#
+# See:
+# - https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/2999
+# - https://github.com/geerlingguy/ansible-role-docker/pull/410
+matrix_playbook_migration_debian_signedby_migration_enabled: true
+matrix_playbook_migration_debian_signedby_migration_repository_path: "/etc/apt/sources.list.d/download_docker_com_linux_{{ ansible_distribution | lower }}.list"
diff --git a/roles/custom/matrix_playbook_migration/tasks/debian_docker_signedby_migration.yml b/roles/custom/matrix_playbook_migration/tasks/debian_docker_signedby_migration.yml
new file mode 100644
index 00000000..ac1c5cd1
--- /dev/null
+++ b/roles/custom/matrix_playbook_migration/tasks/debian_docker_signedby_migration.yml
@@ -0,0 +1,6 @@
+---
+
+- name: Remove old Docker apt repository, potentially lacking signed-by option
+ ansible.builtin.file:
+ path: "{{ matrix_playbook_migration_debian_signedby_migration_repository_path }}"
+ state: absent
diff --git a/roles/custom/matrix_playbook_migration/tasks/main.yml b/roles/custom/matrix_playbook_migration/tasks/main.yml
index 4dbd3554..d6b24c39 100644
--- a/roles/custom/matrix_playbook_migration/tasks/main.yml
+++ b/roles/custom/matrix_playbook_migration/tasks/main.yml
@@ -6,6 +6,15 @@
 block:
 - ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml"
+- when: ansible_os_family == 'Debian' and matrix_playbook_migration_debian_signedby_migration_enabled | bool
+ tags:
+ - setup-all
+ - install-all
+ - setup-docker
+ - install-docker
+ block:
+ - ansible.builtin.include_tasks: "{{ role_path }}/tasks/debian_docker_signedby_migration.yml"
+
 - tags:
 - setup-all
 - install-all
diff --git a/setup.yml b/setup.yml
index 266f3b9e..5a4ecd38 100644
--- a/setup.yml
+++ b/setup.yml
@@ -5,16 +5,17 @@
 roles:
 # Most of the roles below are not distributed with the playbook, but downloaded separately using `ansible-galaxy` via the `just roles` command (see `justfile`).
- - role: galaxy/com.devture.ansible.role.playbook_help
+ - role: galaxy/playbook_help
- - role: galaxy/com.devture.ansible.role.systemd_docker_base
+ - role: galaxy/systemd_docker_base
 - role: custom/matrix_playbook_migration
 - when: matrix_playbook_docker_installation_enabled | bool
- role: galaxy/geerlingguy.docker
+ role: galaxy/docker
 vars:
 docker_install_compose: false
+ docker_install_compose_plugin: false
 tags:
 - setup-docker
 - setup-all
@@ -22,7 +23,7 @@
 - install-all
 - when: devture_docker_sdk_for_python_installation_enabled | bool
- role: galaxy/com.devture.ansible.role.docker_sdk_for_python
+ role: galaxy/docker_sdk_for_python
 tags:
 - setup-docker
 - setup-all
@@ -30,7 +31,7 @@
 - install-all
 - when: devture_timesync_installation_enabled | bool
- role: galaxy/com.devture.ansible.role.timesync
+ role: galaxy/timesync
 tags:
 - setup-timesync
 - setup-all
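Review bot: The new block's `when:` removes the old Docker apt repository file whenever the host is Debian-based and the migration flag is on, regardless of whether the playbook will install Docker afterwards; in the `setup.yml` hunk of this same commit, `galaxy/docker` is gated on `matrix_playbook_docker_installation_enabled | bool`, so on a host where that is disabled the file would be deleted with nothing reinstalling a repository at the new path. Gating the migration on the same flag avoids that: `- when: ansible_os_family == 'Debian' and matrix_playbook_docker_installation_enabled | bool and matrix_playbook_migration_debian_signedby_migration_enabled | bool`. This presumably matches the intent stated in the defaults comment, which expects the Docker role to run later and install the replacement.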
@@ -41,7 +42,7 @@
 - custom/matrix-dynamic-dns
 - custom/matrix-mailer
- - role: galaxy/com.devture.ansible.role.postgres
+ - role: galaxy/postgres
 - galaxy/redis
 - custom/matrix-corporal
@@ -59,7 +60,9 @@
 - custom/matrix-bridge-mautrix-instagram
 - custom/matrix-bridge-mautrix-signal
 - custom/matrix-bridge-mautrix-telegram
+ - custom/matrix-bridge-mautrix-gmessages
 - custom/matrix-bridge-mautrix-whatsapp
+ - custom/matrix-bridge-mautrix-wsproxy
 - custom/matrix-bridge-mautrix-discord
 - custom/matrix-bridge-mautrix-slack
 - custom/matrix-bridge-mx-puppet-discord
@@ -100,6 +103,7 @@
 - custom/matrix-client-element
 - custom/matrix-client-hydrogen
 - custom/matrix-client-cinny
+ - custom/matrix-client-schildichat
 - galaxy/jitsi
 - custom/matrix-user-verification-service
 - custom/matrix-ldap-registration-proxy
@@ -113,31 +117,32 @@
 - galaxy/ntfy
 - custom/matrix-nginx-proxy
 - custom/matrix-coturn
+ - custom/matrix-media-repo
 - role: galaxy/auxiliary
- - role: galaxy/com.devture.ansible.role.postgres_backup
+ - role: galaxy/postgres_backup
 - role: galaxy/backup_borg
 - custom/matrix-user-creator
 - custom/matrix-common-after
- - role: galaxy/com.devture.ansible.role.container_socket_proxy
+ - role: galaxy/container_socket_proxy
- - role: galaxy/com.devture.ansible.role.traefik
+ - role: galaxy/traefik
- - role: galaxy/com.devture.ansible.role.traefik_certs_dumper
+ - role: galaxy/traefik_certs_dumper
 - when: devture_systemd_service_manager_enabled | bool
- role: galaxy/com.devture.ansible.role.systemd_service_manager
+ role: galaxy/systemd_service_manager
 # This is pretty much last, because we want it to better serve as a "last known good configuration".
 # See: https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/2217#issuecomment-1301487601
 - when: devture_playbook_state_preserver_enabled | bool
- role: galaxy/com.devture.ansible.role.playbook_state_preserver
+ role: galaxy/playbook_state_preserver
 tags:
 - setup-all
 - install-all
- - role: galaxy/com.devture.ansible.role.playbook_runtime_messages
+ - role: galaxy/playbook_runtime_messages