From 993121e517ad74548d20ef4d0de1db41930acb22 Mon Sep 17 00:00:00 2001 From: Jim Myhrberg Date: Sat, 1 Jan 2022 03:08:00 +0000 Subject: [PATCH 01/71] feat(etherpad): add optional admin web-UI access Enables optional access to Etherpad's web-UI. This is useful for managing Etherpad plugins. Among other things, plugins makes it easy to manage/delete pads if you install the adminpads2 plugin. --- docs/configuring-playbook-etherpad.md | 17 +++++++++++++++++ roles/matrix-etherpad/defaults/main.yml | 5 +++++ .../matrix-etherpad/templates/settings.json.j2 | 8 ++++++++ 3 files changed, 30 insertions(+) diff --git a/docs/configuring-playbook-etherpad.md b/docs/configuring-playbook-etherpad.md index e5533e71..4c38bb3c 100644 --- a/docs/configuring-playbook-etherpad.md +++ b/docs/configuring-playbook-etherpad.md @@ -25,6 +25,23 @@ The Dimension administrator users can configure the default URL template. The Di If you wish to disable the Etherpad chat button, you can do it by appending `?showChat=false` to the end of the pad URL, or the template. Example: `https://dimension./etherpad/p/$roomId_$padName?showChat=false` +### Etherpad Admin access (optional) + +Etherpad comes with a admin web-UI which is disabled by default. You can enable it by setting a username and password in your configuration file (`inventory/host_vars/matrix./vars.yml`): + +```yaml +matrix_etherpad_admin_username: admin +matrix_etherpad_admin_password: some-password +``` + +The admin web-UI should then be available on: `https://dimension./etherpad/admin` + +### Managing / Deleting old pads + +If you want to manage and remove old unused pads from Etherpad, you will first need to able Admin access as described above. + +Then from the plugin manager page (`https://dimension./etherpad/admin/plugins`), install the `adminpads2` plugin. Once installed, you should have a "Manage pads" section in the Admin web-UI. + ## Known issues If your Etherpad widget fails to load, this might be due to Dimension generating a Pad name so long, the Etherpad app rejects it. diff --git a/roles/matrix-etherpad/defaults/main.yml b/roles/matrix-etherpad/defaults/main.yml index f04d8589..bcabc3dd 100644 --- a/roles/matrix-etherpad/defaults/main.yml +++ b/roles/matrix-etherpad/defaults/main.yml @@ -41,6 +41,11 @@ matrix_etherpad_database_hostname: 'matrix-postgres' matrix_etherpad_database_port: 5432 matrix_etherpad_database_name: 'matrix_etherpad' +# If a admin username and password is set, the /admin web page will be +# available. +matrix_etherpad_admin_username: '' +matrix_etherpad_admin_password: '' + matrix_etherpad_database_connection_string: 'postgres://{{ matrix_etherpad_database_username }}:{{ matrix_etherpad_database_password }}@{{ matrix_etherpad_database_hostname }}:{{ matrix_etherpad_database_port }}/{{ matrix_etherpad_database_name }}' # Variables configuring the etherpad diff --git a/roles/matrix-etherpad/templates/settings.json.j2 b/roles/matrix-etherpad/templates/settings.json.j2 index 573b445d..01127a91 100644 --- a/roles/matrix-etherpad/templates/settings.json.j2 +++ b/roles/matrix-etherpad/templates/settings.json.j2 @@ -71,6 +71,14 @@ "chatAndUsers": false, "lang": "en-gb" }, +{% if matrix_etherpad_admin_username != "" and matrix_etherpad_admin_password != "" %} + "users": { + "{{ matrix_etherpad_admin_username }}": { + "password": "{{ matrix_etherpad_admin_password }}", + "is_admin": true + } + }, +{% endif %} "padShortcutEnabled" : { "altF9": true, "altC": true, From bc5efa0dbccf1202b936145b9f50947b9802e759 Mon Sep 17 00:00:00 2001 From: Chris van Dijk Date: Sun, 2 Jan 2022 10:54:51 +0100 Subject: [PATCH 02/71] Remove Jitsi web interface_config.js in favour of custom-interface_config.js As of docker-jitsi-meet stable-6433 [1], `/config/interface_config.js` is regenerated on every boot. The correct way to modify the interface config is now via `/config/custom-interface_config.js`, which is appended to a default copy of `interface_config.js` by `/etc/cont-init.d/10-config` on every boot of the docker image. Given that `interface_config.js` is considered deprecated by upstream (all options will eventually be moved to `config.js`), we also deprecate the `matrix_jitsi_web_interface_config_*` variables in favour of `matrix_jitsi_web_custom_interface_config_extension`. [1] https://github.com/jitsi/docker-jitsi-meet/blob/stable-6433/CHANGELOG.md#stable-6433 --- roles/matrix-jitsi/defaults/main.yml | 27 +- roles/matrix-jitsi/tasks/setup_jitsi_web.yml | 2 +- roles/matrix-jitsi/tasks/validate_config.yml | 13 + .../web/custom-interface_config.js.j2 | 3 + .../templates/web/interface_config.js.j2 | 295 ------------------ 5 files changed, 21 insertions(+), 319 deletions(-) create mode 100644 roles/matrix-jitsi/templates/web/custom-interface_config.js.j2 delete mode 100644 roles/matrix-jitsi/templates/web/interface_config.js.j2 diff --git a/roles/matrix-jitsi/defaults/main.yml b/roles/matrix-jitsi/defaults/main.yml index 3f61f4ff..33dad388 100644 --- a/roles/matrix-jitsi/defaults/main.yml +++ b/roles/matrix-jitsi/defaults/main.yml @@ -108,37 +108,18 @@ matrix_jitsi_web_container_extra_arguments: [] matrix_jitsi_web_systemd_required_services_list: ['docker.service'] -# Some variables controlling the interface of Jitsi Web. -# These get applied to `templates/web/interface_config.js.j2`. -# -# Besides this, you can also use `matrix_jitsi_web_custom_interface_config_extension` -# to define any other configuration option. -matrix_jitsi_web_interface_config_lang_detection: false -matrix_jitsi_web_interface_config_show_jitsi_watermark: true -matrix_jitsi_web_interface_config_jitsi_watermark_link: "https://jitsi.org" -matrix_jitsi_web_interface_config_show_brand_watermark: false -matrix_jitsi_web_interface_config_brand_watermark_link: "" -matrix_jitsi_web_interface_config_generate_room_names_on_welcome_page: true -matrix_jitsi_web_interface_config_display_welcome_page_content: true -matrix_jitsi_web_interface_config_app_name: "Jitsi Meet" -matrix_jitsi_web_interface_config_native_app_name: "Jitsi Meet" -matrix_jitsi_web_interface_config_provider_name: "Jitsi" -matrix_jitsi_web_interface_config_show_powered_by: false -matrix_jitsi_web_interface_config_disable_transcription_subtitles: false -matrix_jitsi_web_interface_config_show_deep_linking_image: false - -# Custom configuration to be injected into `interface_config.js`, passed to Jitsi Web. -# This configuration gets appended to the final interface configuration that Jitsi Web uses. +# Custom configuration to be appended to `interface_config.js`, passed to Jitsi Web. # # Note: not to be confused with `matrix_jitsi_web_custom_config_extension`. # # For interface configuration, the flow is like this: -# - the contents of `templates/web/interface_config.js.j2` is generated (based on various `matrix_jitsi_web_interface_config_*` variables you see in this file) +# - a default `interface_config.js` is generated from within the docker image # - the contents of `matrix_jitsi_web_custom_interface_config_extension` is appended and can define new settings or override defaults. # # Example: # matrix_jitsi_web_custom_interface_config_extension: | -# interfaceConfig.CONNECTION_INDICATOR_AUTO_HIDE_ENABLED = false; +# interfaceConfig.LANG_DETECTION = false; +# interfaceConfig.SHOW_JITSI_WATERMARK = false; # interfaceConfig.DISABLE_VIDEO_BACKGROUND = true; matrix_jitsi_web_custom_interface_config_extension: '' diff --git a/roles/matrix-jitsi/tasks/setup_jitsi_web.yml b/roles/matrix-jitsi/tasks/setup_jitsi_web.yml index d734be08..bcb1b49e 100644 --- a/roles/matrix-jitsi/tasks/setup_jitsi_web.yml +++ b/roles/matrix-jitsi/tasks/setup_jitsi_web.yml @@ -40,7 +40,7 @@ mode: 0644 with_items: - custom-config.js - - interface_config.js + - custom-interface_config.js when: matrix_jitsi_enabled|bool - name: Ensure matrix-jitsi-web.service installed diff --git a/roles/matrix-jitsi/tasks/validate_config.yml b/roles/matrix-jitsi/tasks/validate_config.yml index a9d86764..4defe986 100644 --- a/roles/matrix-jitsi/tasks/validate_config.yml +++ b/roles/matrix-jitsi/tasks/validate_config.yml @@ -54,3 +54,16 @@ - {'old': 'matrix_jitsi_web_interface_config_show_watermark_for_guests', 'new': ''} - {'old': 'matrix_jitsi_web_interface_config_invitation_powered_by', 'new': ''} - {'old': 'matrix_jisti_web_interface_config_show_deep_linking_image', 'new': 'matrix_jitsi_web_interface_config_show_deep_linking_image'} + - {'old': 'matrix_jitsi_web_interface_config_lang_detection', 'new': ' Date: Mon, 3 Jan 2022 00:59:52 +0000 Subject: [PATCH 03/71] Update links to Mautrix Twitter bridge Signed-off-by: Aaron Raimist --- docs/configuring-playbook-bridge-mautrix-twitter.md | 10 ++++------ docs/container-images.md | 2 +- roles/matrix-bridge-mautrix-twitter/defaults/main.yml | 4 ++-- 3 files changed, 7 insertions(+), 9 deletions(-) diff --git a/docs/configuring-playbook-bridge-mautrix-twitter.md b/docs/configuring-playbook-bridge-mautrix-twitter.md index 93eb8901..3d5b49cf 100644 --- a/docs/configuring-playbook-bridge-mautrix-twitter.md +++ b/docs/configuring-playbook-bridge-mautrix-twitter.md @@ -2,9 +2,9 @@ **Note**: bridging to [Twitter](https://twitter.com/) can also happen via the [mx-puppet-twitter](configuring-playbook-bridge-mx-puppet-twitter.md) bridge supported by the playbook. -The playbook can install and configure [mautrix-twitter](https://github.com/tulir/mautrix-twitter) for you. +The playbook can install and configure [mautrix-twitter](https://github.com/mautrix/twitter) for you. -See the project's [documentation](https://github.com/tulir/mautrix-twitter/wiki#usage) to learn what it does and why it might be useful to you. +See the project's [documentation](https://github.com/mautrix/twitter) to learn what it does and why it might be useful to you. ```yaml matrix_mautrix_twitter_enabled: true @@ -13,7 +13,7 @@ matrix_mautrix_twitter_enabled: true ## Set up Double Puppeting -If you'd like to use [Double Puppeting](https://github.com/tulir/mautrix-twitter/wiki/Authentication#double-puppeting) (hint: you most likely do), you have 2 ways of going about it. +If you'd like to use [Double Puppeting](https://docs.mau.fi/bridges/general/double-puppeting.html) (hint: you most likely do), you have 2 ways of going about it. ### Method 1: automatically, by enabling Shared Secret Auth @@ -23,7 +23,7 @@ This is the recommended way of setting up Double Puppeting, as it's easier to ac ### Method 2: manually, by asking each user to provide a working access token -This method is currently not available for the Mautrix-Twitter bridge, but is on the [roadmap](https://github.com/tulir/mautrix-twitter/blob/master/ROADMAP.md) under Misc/Manual login with `login-matrix` +This method is currently not available for the Mautrix-Twitter bridge, but is on the [roadmap](https://github.com/mautrix/twitter/blob/master/ROADMAP.md) under Misc/Manual login with `login-matrix` ## Usage @@ -32,6 +32,4 @@ This method is currently not available for the Mautrix-Twitter bridge, but is on You can learn more here about authentication from the bridge's [official documentation on Authentication](https://docs.mau.fi/bridges/python/twitter/authentication.html). -If you run into trouble, check the [Troubleshooting](#troubleshooting) section below. - After successfully enabling bridging, you may wish to [set up Double Puppeting](#set-up-double-puppeting), if you haven't already done so. diff --git a/docs/container-images.md b/docs/container-images.md index 18436c91..d52f3fdd 100644 --- a/docs/container-images.md +++ b/docs/container-images.md @@ -46,7 +46,7 @@ These services are not part of our default installation, but can be enabled by [ - [mautrix/facebook](https://mau.dev/mautrix/facebook/container_registry) - the [mautrix-facebook](https://github.com/mautrix/facebook) bridge to [Facebook](https://facebook.com/) (optional) -- [tulir/mautrix-twitter](https://mau.dev/mautrix/twitter/container_registry) - the [mautrix-twitter](https://github.com/tulir/mautrix-twitter) bridge to [Twitter](https://twitter.com/) (optional) +- [mautrix/twitter](https://mau.dev/mautrix/twitter/container_registry) - the [mautrix-twitter](https://github.com/mautrix/twitter) bridge to [Twitter](https://twitter.com/) (optional) - [mautrix/hangouts](https://mau.dev/mautrix/hangouts/container_registry) - the [mautrix-hangouts](https://github.com/mautrix/hangouts) bridge to [Google Hangouts](https://en.wikipedia.org/wiki/Google_Hangouts) (optional) diff --git a/roles/matrix-bridge-mautrix-twitter/defaults/main.yml b/roles/matrix-bridge-mautrix-twitter/defaults/main.yml index 2d6b4b20..826bc4b6 100644 --- a/roles/matrix-bridge-mautrix-twitter/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-twitter/defaults/main.yml @@ -1,10 +1,10 @@ # mautrix-twitter is a Matrix <-> Twitter bridge -# See: https://github.com/tulir/mautrix-twitter +# See: https://github.com/mautrix/twitter matrix_mautrix_twitter_enabled: true matrix_mautrix_twitter_container_image_self_build: false -matrix_mautrix_twitter_container_image_self_build_repo: "https://github.com/tulir/mautrix-twitter.git" +matrix_mautrix_twitter_container_image_self_build_repo: "https://github.com/mautrix/twitter.git" matrix_mautrix_twitter_version: latest # See: https://mau.dev/tulir/mautrix-twitter/container_registry From c0f7c39f7dee36f536389faa707856d260185462 Mon Sep 17 00:00:00 2001 From: HarHarLinks Date: Mon, 3 Jan 2022 18:29:13 +0100 Subject: [PATCH 04/71] s/plabook/playbook --- roles/matrix-bridge-appservice-slack/tasks/init.yml | 2 +- roles/matrix-bridge-appservice-webhooks/tasks/init.yml | 2 +- roles/matrix-bridge-mautrix-googlechat/tasks/init.yml | 2 +- roles/matrix-bridge-mautrix-hangouts/tasks/init.yml | 2 +- roles/matrix-bridge-mautrix-telegram/tasks/init.yml | 2 +- roles/matrix-bridge-mx-puppet-slack/tasks/init.yml | 2 +- roles/matrix-bridge-mx-puppet-twitter/tasks/init.yml | 2 +- roles/matrix-etherpad/tasks/init.yml | 2 +- roles/matrix-registration/tasks/init.yml | 2 +- roles/matrix-synapse-admin/tasks/init.yml | 2 +- 10 files changed, 10 insertions(+), 10 deletions(-) diff --git a/roles/matrix-bridge-appservice-slack/tasks/init.yml b/roles/matrix-bridge-appservice-slack/tasks/init.yml index 0584e624..f6aada6d 100644 --- a/roles/matrix-bridge-appservice-slack/tasks/init.yml +++ b/roles/matrix-bridge-appservice-slack/tasks/init.yml @@ -44,7 +44,7 @@ msg: >- Trying to append Slack Appservice's reverse-proxying configuration to matrix-nginx-proxy, but it's pointless since the matrix-nginx-proxy role had already executed. - To fix this, please change the order of roles in your plabook, + To fix this, please change the order of roles in your playbook, so that the matrix-nginx-proxy role would run after the matrix-bridge-appservice-slack role. when: matrix_nginx_proxy_role_executed|default(False)|bool diff --git a/roles/matrix-bridge-appservice-webhooks/tasks/init.yml b/roles/matrix-bridge-appservice-webhooks/tasks/init.yml index a42e14c9..7f49e8b6 100644 --- a/roles/matrix-bridge-appservice-webhooks/tasks/init.yml +++ b/roles/matrix-bridge-appservice-webhooks/tasks/init.yml @@ -37,7 +37,7 @@ msg: >- Trying to append webhooks Appservice's reverse-proxying configuration to matrix-nginx-proxy, but it's pointless since the matrix-nginx-proxy role had already executed. - To fix this, please change the order of roles in your plabook, + To fix this, please change the order of roles in your playbook, so that the matrix-nginx-proxy role would run after the matrix-bridge-appservice-webhooks role. when: matrix_nginx_proxy_role_executed|default(False)|bool diff --git a/roles/matrix-bridge-mautrix-googlechat/tasks/init.yml b/roles/matrix-bridge-mautrix-googlechat/tasks/init.yml index c12fcd3c..5c8d82bf 100644 --- a/roles/matrix-bridge-mautrix-googlechat/tasks/init.yml +++ b/roles/matrix-bridge-mautrix-googlechat/tasks/init.yml @@ -28,7 +28,7 @@ msg: >- Trying to append Mautrix googlechat's reverse-proxying configuration to matrix-nginx-proxy, but it's pointless since the matrix-nginx-proxy role had already executed. - To fix this, please change the order of roles in your plabook, + To fix this, please change the order of roles in your playbook, so that the matrix-nginx-proxy role would run after the matrix-bridge-mautrix-googlechat role. when: matrix_nginx_proxy_role_executed|default(False)|bool diff --git a/roles/matrix-bridge-mautrix-hangouts/tasks/init.yml b/roles/matrix-bridge-mautrix-hangouts/tasks/init.yml index 6cc194fe..59756ec9 100644 --- a/roles/matrix-bridge-mautrix-hangouts/tasks/init.yml +++ b/roles/matrix-bridge-mautrix-hangouts/tasks/init.yml @@ -28,7 +28,7 @@ msg: >- Trying to append Mautrix Hangouts's reverse-proxying configuration to matrix-nginx-proxy, but it's pointless since the matrix-nginx-proxy role had already executed. - To fix this, please change the order of roles in your plabook, + To fix this, please change the order of roles in your playbook, so that the matrix-nginx-proxy role would run after the matrix-bridge-mautrix-hangouts role. when: matrix_nginx_proxy_role_executed|default(False)|bool diff --git a/roles/matrix-bridge-mautrix-telegram/tasks/init.yml b/roles/matrix-bridge-mautrix-telegram/tasks/init.yml index 84ac86d0..bf903a57 100644 --- a/roles/matrix-bridge-mautrix-telegram/tasks/init.yml +++ b/roles/matrix-bridge-mautrix-telegram/tasks/init.yml @@ -28,7 +28,7 @@ msg: >- Trying to append Mautrix Telegram's reverse-proxying configuration to matrix-nginx-proxy, but it's pointless since the matrix-nginx-proxy role had already executed. - To fix this, please change the order of roles in your plabook, + To fix this, please change the order of roles in your playbook, so that the matrix-nginx-proxy role would run after the matrix-bridge-mautrix-telegram role. when: matrix_nginx_proxy_role_executed|default(False)|bool diff --git a/roles/matrix-bridge-mx-puppet-slack/tasks/init.yml b/roles/matrix-bridge-mx-puppet-slack/tasks/init.yml index f484c687..74ec0350 100644 --- a/roles/matrix-bridge-mx-puppet-slack/tasks/init.yml +++ b/roles/matrix-bridge-mx-puppet-slack/tasks/init.yml @@ -28,7 +28,7 @@ msg: >- Trying to append Slack Appservice's reverse-proxying configuration to matrix-nginx-proxy, but it's pointless since the matrix-nginx-proxy role had already executed. - To fix this, please change the order of roles in your plabook, + To fix this, please change the order of roles in your playbook, so that the matrix-nginx-proxy role would run after the matrix-mx-puppet-slack role. when: matrix_nginx_proxy_role_executed|default(False)|bool diff --git a/roles/matrix-bridge-mx-puppet-twitter/tasks/init.yml b/roles/matrix-bridge-mx-puppet-twitter/tasks/init.yml index 06cf83fa..2054d23c 100644 --- a/roles/matrix-bridge-mx-puppet-twitter/tasks/init.yml +++ b/roles/matrix-bridge-mx-puppet-twitter/tasks/init.yml @@ -28,7 +28,7 @@ msg: >- Trying to append Twitter Appservice's reverse-proxying configuration to matrix-nginx-proxy, but it's pointless since the matrix-nginx-proxy role had already executed. - To fix this, please change the order of roles in your plabook, + To fix this, please change the order of roles in your playbook, so that the matrix-nginx-proxy role would run after the matrix-mx-puppet-twitter role. when: matrix_nginx_proxy_role_executed|default(False)|bool diff --git a/roles/matrix-etherpad/tasks/init.yml b/roles/matrix-etherpad/tasks/init.yml index 5b8f5ef6..c94e0817 100644 --- a/roles/matrix-etherpad/tasks/init.yml +++ b/roles/matrix-etherpad/tasks/init.yml @@ -8,7 +8,7 @@ msg: >- Trying to append Etherpad's reverse-proxying configuration to matrix-nginx-proxy, but it's pointless since the matrix-nginx-proxy role had already executed. - To fix this, please change the order of roles in your plabook, + To fix this, please change the order of roles in your playbook, so that the matrix-nginx-proxy role would run after the matrix-etherpad role. when: matrix_nginx_proxy_role_executed|default(False)|bool diff --git a/roles/matrix-registration/tasks/init.yml b/roles/matrix-registration/tasks/init.yml index 5ab93910..47220103 100644 --- a/roles/matrix-registration/tasks/init.yml +++ b/roles/matrix-registration/tasks/init.yml @@ -15,7 +15,7 @@ msg: >- Trying to append matrix-registration's reverse-proxying configuration to matrix-nginx-proxy, but it's pointless since the matrix-nginx-proxy role had already executed. - To fix this, please change the order of roles in your plabook, + To fix this, please change the order of roles in your playbook, so that the matrix-nginx-proxy role would run after the matrix-registration role. when: matrix_nginx_proxy_role_executed|default(False)|bool diff --git a/roles/matrix-synapse-admin/tasks/init.yml b/roles/matrix-synapse-admin/tasks/init.yml index e1912871..fccc9dfa 100644 --- a/roles/matrix-synapse-admin/tasks/init.yml +++ b/roles/matrix-synapse-admin/tasks/init.yml @@ -15,7 +15,7 @@ msg: >- Trying to append Synapse Admin's reverse-proxying configuration to matrix-nginx-proxy, but it's pointless since the matrix-nginx-proxy role had already executed. - To fix this, please change the order of roles in your plabook, + To fix this, please change the order of roles in your playbook, so that the matrix-nginx-proxy role would run after the matrix-synapse-admin role. when: matrix_nginx_proxy_role_executed|default(False)|bool From f0d7a8e99d0210ab62aa3dd1f387fff70bacab74 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 4 Jan 2022 09:18:31 +0200 Subject: [PATCH 05/71] Use to_json --- roles/matrix-etherpad/templates/settings.json.j2 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/matrix-etherpad/templates/settings.json.j2 b/roles/matrix-etherpad/templates/settings.json.j2 index 01127a91..0a240f3e 100644 --- a/roles/matrix-etherpad/templates/settings.json.j2 +++ b/roles/matrix-etherpad/templates/settings.json.j2 @@ -73,8 +73,8 @@ }, {% if matrix_etherpad_admin_username != "" and matrix_etherpad_admin_password != "" %} "users": { - "{{ matrix_etherpad_admin_username }}": { - "password": "{{ matrix_etherpad_admin_password }}", + {{ matrix_etherpad_admin_username|to_json }}: { + "password": {{ matrix_etherpad_admin_password|to_json }}, "is_admin": true } }, From 8515ac55e63a77cda8fcbf841541c5fb7d7a2381 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 4 Jan 2022 17:04:01 +0200 Subject: [PATCH 06/71] Upgrade nginx (1.21.4 -> 1.21.5) --- roles/matrix-nginx-proxy/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index 7eeb39ff..27b0b42d 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -1,5 +1,5 @@ matrix_nginx_proxy_enabled: true -matrix_nginx_proxy_version: 1.21.4-alpine +matrix_nginx_proxy_version: 1.21.5-alpine # We use an official nginx image, which we fix-up to run unprivileged. # An alternative would be an `nginxinc/nginx-unprivileged` image, but From b1b4ba501fdfaa434dac8a981cec9ac0311ca4ef Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 4 Jan 2022 17:21:02 +0200 Subject: [PATCH 07/71] Replace ExecStop with ExecStopPost ExecStopPost should allow us to clean up (docker kill + docker rm) even if the ExecStart (docker run ..) command failed, and not just after a graceful service stop was initiated. Source: https://www.freedesktop.org/software/systemd/man/systemd.service.html#ExecStopPost= --- .../templates/systemd/matrix-bot-go-neb.service.j2 | 4 ++-- .../systemd/matrix-bot-matrix-reminder-bot.service.j2 | 4 ++-- .../templates/systemd/matrix-bot-mjolnir.service.j2 | 4 ++-- .../systemd/matrix-appservice-discord.service.j2 | 4 ++-- .../templates/systemd/matrix-appservice-irc.service.j2 | 4 ++-- .../templates/systemd/matrix-appservice-slack.service.j2 | 4 ++-- .../systemd/matrix-appservice-webhooks.service.j2 | 4 ++-- .../templates/systemd/matrix-beeper-linkedin.service.j2 | 4 ++-- .../templates/systemd/matrix-heisenbridge.service.j2 | 4 ++-- .../templates/systemd/matrix-mautrix-facebook.service.j2 | 4 ++-- .../systemd/matrix-mautrix-googlechat.service.j2 | 4 ++-- .../templates/systemd/matrix-mautrix-hangouts.service.j2 | 4 ++-- .../templates/systemd/matrix-mautrix-instagram.service.j2 | 4 ++-- .../systemd/matrix-mautrix-signal-daemon.service.j2 | 4 ++-- .../templates/systemd/matrix-mautrix-signal.service.j2 | 4 ++-- .../templates/systemd/matrix-mautrix-telegram.service.j2 | 4 ++-- .../templates/systemd/matrix-mautrix-twitter.service.j2 | 4 ++-- .../templates/systemd/matrix-mautrix-whatsapp.service.j2 | 4 ++-- .../templates/systemd/matrix-mx-puppet-discord.service.j2 | 4 ++-- .../templates/systemd/matrix-mx-puppet-groupme.service.j2 | 4 ++-- .../systemd/matrix-mx-puppet-instagram.service.j2 | 4 ++-- .../templates/systemd/matrix-mx-puppet-skype.service.j2 | 4 ++-- .../templates/systemd/matrix-mx-puppet-slack.service.j2 | 4 ++-- .../templates/systemd/matrix-mx-puppet-steam.service.j2 | 4 ++-- .../templates/systemd/matrix-mx-puppet-twitter.service.j2 | 4 ++-- .../templates/systemd/matrix-sms-bridge.service.j2 | 4 ++-- .../templates/systemd/matrix-client-element.service.j2 | 4 ++-- .../templates/systemd/matrix-client-hydrogen.service.j2 | 4 ++-- .../templates/systemd/matrix-corporal.service.j2 | 4 ++-- .../templates/systemd/matrix-coturn.service.j2 | 4 ++-- .../templates/systemd/matrix-dimension.service.j2 | 4 ++-- .../templates/systemd/matrix-dynamic-dns.service.j2 | 4 ++-- .../templates/systemd/matrix-email2matrix.service.j2 | 4 ++-- .../templates/systemd/matrix-etherpad.service.j2 | 6 +++--- .../templates/systemd/matrix-grafana.service.j2 | 4 ++-- .../templates/jicofo/matrix-jitsi-jicofo.service.j2 | 4 ++-- .../templates/jvb/matrix-jitsi-jvb.service.j2 | 4 ++-- .../templates/prosody/matrix-jitsi-prosody.service.j2 | 4 ++-- .../templates/web/matrix-jitsi-web.service.j2 | 4 ++-- .../templates/systemd/matrix-ma1sd.service.j2 | 4 ++-- .../templates/systemd/matrix-mailer.service.j2 | 4 ++-- .../templates/systemd/matrix-nginx-proxy.service.j2 | 4 ++-- .../templates/systemd/matrix-postgres-backup.service.j2 | 4 ++-- .../templates/systemd/matrix-postgres.service.j2 | 4 ++-- .../systemd/matrix-prometheus-node-exporter.service.j2 | 4 ++-- .../matrix-prometheus-postgres-exporter.service.j2 | 6 +++--- .../templates/systemd/matrix-prometheus.service.j2 | 4 ++-- .../templates/systemd/matrix-redis.service.j2 | 4 ++-- .../templates/systemd/matrix-registration.service.j2 | 4 ++-- .../templates/systemd/matrix-sygnal.service.j2 | 4 ++-- .../templates/systemd/matrix-synapse-admin.service.j2 | 4 ++-- .../templates/goofys/systemd/matrix-goofys.service.j2 | 8 ++++---- .../synapse/systemd/matrix-synapse-worker.service.j2 | 4 ++-- .../templates/synapse/systemd/matrix-synapse.service.j2 | 4 ++-- 54 files changed, 112 insertions(+), 112 deletions(-) diff --git a/roles/matrix-bot-go-neb/templates/systemd/matrix-bot-go-neb.service.j2 b/roles/matrix-bot-go-neb/templates/systemd/matrix-bot-go-neb.service.j2 index eabf1137..056447eb 100644 --- a/roles/matrix-bot-go-neb/templates/systemd/matrix-bot-go-neb.service.j2 +++ b/roles/matrix-bot-go-neb/templates/systemd/matrix-bot-go-neb.service.j2 @@ -39,8 +39,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-bot-go-neb \ {{ matrix_bot_go_neb_docker_image }} \ -c "go-neb /config/config.yaml" -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-bot-go-neb 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-bot-go-neb 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-bot-go-neb 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-bot-go-neb 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-bot-go-neb diff --git a/roles/matrix-bot-matrix-reminder-bot/templates/systemd/matrix-bot-matrix-reminder-bot.service.j2 b/roles/matrix-bot-matrix-reminder-bot/templates/systemd/matrix-bot-matrix-reminder-bot.service.j2 index b1fe3c32..14b5fa45 100644 --- a/roles/matrix-bot-matrix-reminder-bot/templates/systemd/matrix-bot-matrix-reminder-bot.service.j2 +++ b/roles/matrix-bot-matrix-reminder-bot/templates/systemd/matrix-bot-matrix-reminder-bot.service.j2 @@ -32,8 +32,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-bot-matrix-rem {{ matrix_bot_matrix_reminder_bot_docker_image }} \ -c "matrix-reminder-bot /config/config.yaml" -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-bot-matrix-reminder-bot 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-bot-matrix-reminder-bot 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-bot-matrix-reminder-bot 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-bot-matrix-reminder-bot 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-bot-matrix-reminder-bot diff --git a/roles/matrix-bot-mjolnir/templates/systemd/matrix-bot-mjolnir.service.j2 b/roles/matrix-bot-mjolnir/templates/systemd/matrix-bot-mjolnir.service.j2 index 0b018f25..b2298312 100644 --- a/roles/matrix-bot-mjolnir/templates/systemd/matrix-bot-mjolnir.service.j2 +++ b/roles/matrix-bot-mjolnir/templates/systemd/matrix-bot-mjolnir.service.j2 @@ -32,8 +32,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-bot-mjolnir \ {% endfor %} {{ matrix_bot_mjolnir_docker_image }} -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-bot-mjolnir 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-bot-mjolnir 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-bot-mjolnir 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-bot-mjolnir 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-bot-mjolnir diff --git a/roles/matrix-bridge-appservice-discord/templates/systemd/matrix-appservice-discord.service.j2 b/roles/matrix-bridge-appservice-discord/templates/systemd/matrix-appservice-discord.service.j2 index 84dee801..8f61bd9f 100644 --- a/roles/matrix-bridge-appservice-discord/templates/systemd/matrix-appservice-discord.service.j2 +++ b/roles/matrix-bridge-appservice-discord/templates/systemd/matrix-appservice-discord.service.j2 @@ -35,8 +35,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-appservice-dis {{ matrix_appservice_discord_docker_image }} \ node /build/src/discordas.js -p 9005 -c /cfg/config.yaml -f /cfg/registration.yaml -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-appservice-discord 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-appservice-discord 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-appservice-discord 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-appservice-discord 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-appservice-discord diff --git a/roles/matrix-bridge-appservice-irc/templates/systemd/matrix-appservice-irc.service.j2 b/roles/matrix-bridge-appservice-irc/templates/systemd/matrix-appservice-irc.service.j2 index 8650bd8d..2c26c782 100644 --- a/roles/matrix-bridge-appservice-irc/templates/systemd/matrix-appservice-irc.service.j2 +++ b/roles/matrix-bridge-appservice-irc/templates/systemd/matrix-appservice-irc.service.j2 @@ -36,8 +36,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-appservice-irc {{ matrix_appservice_irc_docker_image }} \ -c 'node app.js -c /config/config.yaml -f /config/registration.yaml -p 9999' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-appservice-irc 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-appservice-irc 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-appservice-irc 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-appservice-irc 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-appservice-irc diff --git a/roles/matrix-bridge-appservice-slack/templates/systemd/matrix-appservice-slack.service.j2 b/roles/matrix-bridge-appservice-slack/templates/systemd/matrix-appservice-slack.service.j2 index 21ba27ef..9bf73711 100644 --- a/roles/matrix-bridge-appservice-slack/templates/systemd/matrix-appservice-slack.service.j2 +++ b/roles/matrix-bridge-appservice-slack/templates/systemd/matrix-appservice-slack.service.j2 @@ -35,8 +35,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-appservice-sla {{ matrix_appservice_slack_docker_image }} \ node app.js -p {{matrix_appservice_slack_matrix_port}} -c /config/config.yaml -f /config/slack-registration.yaml -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-appservice-slack 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-appservice-slack 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-appservice-slack 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-appservice-slack 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-appservice-slack diff --git a/roles/matrix-bridge-appservice-webhooks/templates/systemd/matrix-appservice-webhooks.service.j2 b/roles/matrix-bridge-appservice-webhooks/templates/systemd/matrix-appservice-webhooks.service.j2 index f27111b3..a227387a 100644 --- a/roles/matrix-bridge-appservice-webhooks/templates/systemd/matrix-appservice-webhooks.service.j2 +++ b/roles/matrix-bridge-appservice-webhooks/templates/systemd/matrix-appservice-webhooks.service.j2 @@ -35,8 +35,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-appservice-web {{ matrix_appservice_webhooks_docker_image }} \ node index.js -p {{ matrix_appservice_webhooks_matrix_port }} -c /config/config.yaml -f /config/webhooks-registration.yaml -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-appservice-webhooks 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-appservice-webhooks 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-appservice-webhooks 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-appservice-webhooks 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-appservice-webhooks diff --git a/roles/matrix-bridge-beeper-linkedin/templates/systemd/matrix-beeper-linkedin.service.j2 b/roles/matrix-bridge-beeper-linkedin/templates/systemd/matrix-beeper-linkedin.service.j2 index 4498b4f0..84e4a9c2 100644 --- a/roles/matrix-bridge-beeper-linkedin/templates/systemd/matrix-beeper-linkedin.service.j2 +++ b/roles/matrix-bridge-beeper-linkedin/templates/systemd/matrix-beeper-linkedin.service.j2 @@ -32,8 +32,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-beeper-linkedi {{ matrix_beeper_linkedin_docker_image }} \ python3 -m linkedin_matrix -c /data/config.yaml -r /data/registration.yaml -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-beeper-linkedin 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-beeper-linkedin 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-beeper-linkedin 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-beeper-linkedin 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-beeper-linkedin diff --git a/roles/matrix-bridge-heisenbridge/templates/systemd/matrix-heisenbridge.service.j2 b/roles/matrix-bridge-heisenbridge/templates/systemd/matrix-heisenbridge.service.j2 index e27b88f1..6a0750bf 100644 --- a/roles/matrix-bridge-heisenbridge/templates/systemd/matrix-heisenbridge.service.j2 +++ b/roles/matrix-bridge-heisenbridge/templates/systemd/matrix-heisenbridge.service.j2 @@ -41,8 +41,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-heisenbridge \ --listen-port 9898 \ {{ matrix_heisenbridge_homeserver_url }} -ExecStop=-{{ matrix_host_command_docker }} kill matrix-heisenbridge -ExecStop=-{{ matrix_host_command_docker }} rm matrix-heisenbridge +ExecStopPost=-{{ matrix_host_command_docker }} kill matrix-heisenbridge +ExecStopPost=-{{ matrix_host_command_docker }} rm matrix-heisenbridge Restart=always RestartSec=30 SyslogIdentifier=matrix-heisenbridge diff --git a/roles/matrix-bridge-mautrix-facebook/templates/systemd/matrix-mautrix-facebook.service.j2 b/roles/matrix-bridge-mautrix-facebook/templates/systemd/matrix-mautrix-facebook.service.j2 index f3af4b9f..07ee8fb7 100644 --- a/roles/matrix-bridge-mautrix-facebook/templates/systemd/matrix-mautrix-facebook.service.j2 +++ b/roles/matrix-bridge-mautrix-facebook/templates/systemd/matrix-mautrix-facebook.service.j2 @@ -32,8 +32,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-mautrix-facebo {{ matrix_mautrix_facebook_docker_image }} \ python3 -m mautrix_facebook -c /config/config.yaml --no-update -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mautrix-facebook 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mautrix-facebook 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mautrix-facebook 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mautrix-facebook 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-mautrix-facebook diff --git a/roles/matrix-bridge-mautrix-googlechat/templates/systemd/matrix-mautrix-googlechat.service.j2 b/roles/matrix-bridge-mautrix-googlechat/templates/systemd/matrix-mautrix-googlechat.service.j2 index c56473be..5a6ab799 100644 --- a/roles/matrix-bridge-mautrix-googlechat/templates/systemd/matrix-mautrix-googlechat.service.j2 +++ b/roles/matrix-bridge-mautrix-googlechat/templates/systemd/matrix-mautrix-googlechat.service.j2 @@ -33,8 +33,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-mautrix-google {{ matrix_mautrix_googlechat_docker_image }} \ python3 -m mautrix_googlechat -c /config/config.yaml --no-update -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mautrix-googlechat 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mautrix-googlechat 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mautrix-googlechat 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mautrix-googlechat 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-mautrix-googlechat diff --git a/roles/matrix-bridge-mautrix-hangouts/templates/systemd/matrix-mautrix-hangouts.service.j2 b/roles/matrix-bridge-mautrix-hangouts/templates/systemd/matrix-mautrix-hangouts.service.j2 index 60f0e055..66f34d94 100644 --- a/roles/matrix-bridge-mautrix-hangouts/templates/systemd/matrix-mautrix-hangouts.service.j2 +++ b/roles/matrix-bridge-mautrix-hangouts/templates/systemd/matrix-mautrix-hangouts.service.j2 @@ -44,8 +44,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-mautrix-hangou {{ matrix_mautrix_hangouts_docker_image }} \ python3 -m mautrix_hangouts -c /config/config.yaml --no-update -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mautrix-hangouts 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mautrix-hangouts 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mautrix-hangouts 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mautrix-hangouts 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-mautrix-hangouts diff --git a/roles/matrix-bridge-mautrix-instagram/templates/systemd/matrix-mautrix-instagram.service.j2 b/roles/matrix-bridge-mautrix-instagram/templates/systemd/matrix-mautrix-instagram.service.j2 index 33a5bab3..0157accc 100644 --- a/roles/matrix-bridge-mautrix-instagram/templates/systemd/matrix-mautrix-instagram.service.j2 +++ b/roles/matrix-bridge-mautrix-instagram/templates/systemd/matrix-mautrix-instagram.service.j2 @@ -32,8 +32,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-mautrix-instag {{ matrix_mautrix_instagram_docker_image }} \ python3 -m mautrix_instagram -c /config/config.yaml --no-update -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mautrix-instagram 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mautrix-instagram 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mautrix-instagram 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mautrix-instagram 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-mautrix-instagram diff --git a/roles/matrix-bridge-mautrix-signal/templates/systemd/matrix-mautrix-signal-daemon.service.j2 b/roles/matrix-bridge-mautrix-signal/templates/systemd/matrix-mautrix-signal-daemon.service.j2 index 6f128da3..314bba6d 100644 --- a/roles/matrix-bridge-mautrix-signal/templates/systemd/matrix-mautrix-signal-daemon.service.j2 +++ b/roles/matrix-bridge-mautrix-signal/templates/systemd/matrix-mautrix-signal-daemon.service.j2 @@ -30,8 +30,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-mautrix-signal -v {{ matrix_mautrix_signal_daemon_path }}:/signald:z \ {{ matrix_mautrix_signal_daemon_docker_image }} -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mautrix-signal-daemon 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mautrix-signal-daemon 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mautrix-signal-daemon 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mautrix-signal-daemon 2>/dev/null' Restart=always RestartSec=30 diff --git a/roles/matrix-bridge-mautrix-signal/templates/systemd/matrix-mautrix-signal.service.j2 b/roles/matrix-bridge-mautrix-signal/templates/systemd/matrix-mautrix-signal.service.j2 index e3e02424..244e2a48 100644 --- a/roles/matrix-bridge-mautrix-signal/templates/systemd/matrix-mautrix-signal.service.j2 +++ b/roles/matrix-bridge-mautrix-signal/templates/systemd/matrix-mautrix-signal.service.j2 @@ -37,8 +37,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-mautrix-signal {{ matrix_mautrix_signal_docker_image }} \ python3 -m mautrix_signal -c /config/config.yaml --no-update -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mautrix-signal 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mautrix-signal 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mautrix-signal 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mautrix-signal 2>/dev/null' Restart=always RestartSec=30 diff --git a/roles/matrix-bridge-mautrix-telegram/templates/systemd/matrix-mautrix-telegram.service.j2 b/roles/matrix-bridge-mautrix-telegram/templates/systemd/matrix-mautrix-telegram.service.j2 index ae1ac675..69ab167a 100644 --- a/roles/matrix-bridge-mautrix-telegram/templates/systemd/matrix-mautrix-telegram.service.j2 +++ b/roles/matrix-bridge-mautrix-telegram/templates/systemd/matrix-mautrix-telegram.service.j2 @@ -44,8 +44,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-mautrix-telegr {{ matrix_mautrix_telegram_docker_image }} \ python3 -m mautrix_telegram -c /config/config.yaml --no-update -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mautrix-telegram 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mautrix-telegram 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mautrix-telegram 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mautrix-telegram 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-mautrix-telegram diff --git a/roles/matrix-bridge-mautrix-twitter/templates/systemd/matrix-mautrix-twitter.service.j2 b/roles/matrix-bridge-mautrix-twitter/templates/systemd/matrix-mautrix-twitter.service.j2 index 73bdbc86..55509b85 100644 --- a/roles/matrix-bridge-mautrix-twitter/templates/systemd/matrix-mautrix-twitter.service.j2 +++ b/roles/matrix-bridge-mautrix-twitter/templates/systemd/matrix-mautrix-twitter.service.j2 @@ -32,8 +32,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-mautrix-twitte {{ matrix_mautrix_twitter_docker_image }} \ python3 -m mautrix_twitter -c /config/config.yaml --no-update -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mautrix-twitter 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mautrix-twitter 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mautrix-twitter 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mautrix-twitter 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-mautrix-twitter diff --git a/roles/matrix-bridge-mautrix-whatsapp/templates/systemd/matrix-mautrix-whatsapp.service.j2 b/roles/matrix-bridge-mautrix-whatsapp/templates/systemd/matrix-mautrix-whatsapp.service.j2 index 4a492492..77daa825 100644 --- a/roles/matrix-bridge-mautrix-whatsapp/templates/systemd/matrix-mautrix-whatsapp.service.j2 +++ b/roles/matrix-bridge-mautrix-whatsapp/templates/systemd/matrix-mautrix-whatsapp.service.j2 @@ -33,8 +33,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-mautrix-whatsa {{ matrix_mautrix_whatsapp_docker_image }} \ /usr/bin/mautrix-whatsapp -c /config/config.yaml -r /config/registration.yaml -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mautrix-whatsapp 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mautrix-whatsapp 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mautrix-whatsapp 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mautrix-whatsapp 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-mautrix-whatsapp diff --git a/roles/matrix-bridge-mx-puppet-discord/templates/systemd/matrix-mx-puppet-discord.service.j2 b/roles/matrix-bridge-mx-puppet-discord/templates/systemd/matrix-mx-puppet-discord.service.j2 index 6ffb87cd..58b01e20 100644 --- a/roles/matrix-bridge-mx-puppet-discord/templates/systemd/matrix-mx-puppet-discord.service.j2 +++ b/roles/matrix-bridge-mx-puppet-discord/templates/systemd/matrix-mx-puppet-discord.service.j2 @@ -33,8 +33,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-mx-puppet-disc {% endfor %} {{ matrix_mx_puppet_discord_docker_image }} -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mx-puppet-discord 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mx-puppet-discord 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mx-puppet-discord 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mx-puppet-discord 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-mx-puppet-discord diff --git a/roles/matrix-bridge-mx-puppet-groupme/templates/systemd/matrix-mx-puppet-groupme.service.j2 b/roles/matrix-bridge-mx-puppet-groupme/templates/systemd/matrix-mx-puppet-groupme.service.j2 index dabafd18..7e008aeb 100644 --- a/roles/matrix-bridge-mx-puppet-groupme/templates/systemd/matrix-mx-puppet-groupme.service.j2 +++ b/roles/matrix-bridge-mx-puppet-groupme/templates/systemd/matrix-mx-puppet-groupme.service.j2 @@ -33,8 +33,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-mx-puppet-grou {% endfor %} {{ matrix_mx_puppet_groupme_docker_image }} -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mx-puppet-groupme 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mx-puppet-groupme 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mx-puppet-groupme 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mx-puppet-groupme 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-mx-puppet-groupme diff --git a/roles/matrix-bridge-mx-puppet-instagram/templates/systemd/matrix-mx-puppet-instagram.service.j2 b/roles/matrix-bridge-mx-puppet-instagram/templates/systemd/matrix-mx-puppet-instagram.service.j2 index 965bb41c..b2921a4f 100644 --- a/roles/matrix-bridge-mx-puppet-instagram/templates/systemd/matrix-mx-puppet-instagram.service.j2 +++ b/roles/matrix-bridge-mx-puppet-instagram/templates/systemd/matrix-mx-puppet-instagram.service.j2 @@ -33,8 +33,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-mx-puppet-inst {% endfor %} {{ matrix_mx_puppet_instagram_docker_image }} -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mx-puppet-instagram 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mx-puppet-instagram 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mx-puppet-instagram 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mx-puppet-instagram 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-mx-puppet-instagram diff --git a/roles/matrix-bridge-mx-puppet-skype/templates/systemd/matrix-mx-puppet-skype.service.j2 b/roles/matrix-bridge-mx-puppet-skype/templates/systemd/matrix-mx-puppet-skype.service.j2 index 9a7986e4..4c604bb7 100644 --- a/roles/matrix-bridge-mx-puppet-skype/templates/systemd/matrix-mx-puppet-skype.service.j2 +++ b/roles/matrix-bridge-mx-puppet-skype/templates/systemd/matrix-mx-puppet-skype.service.j2 @@ -33,8 +33,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-mx-puppet-skyp {% endfor %} {{ matrix_mx_puppet_skype_docker_image }} -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mx-puppet-skype 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mx-puppet-skype 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mx-puppet-skype 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mx-puppet-skype 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-mx-puppet-skype diff --git a/roles/matrix-bridge-mx-puppet-slack/templates/systemd/matrix-mx-puppet-slack.service.j2 b/roles/matrix-bridge-mx-puppet-slack/templates/systemd/matrix-mx-puppet-slack.service.j2 index 973771b3..f130c095 100644 --- a/roles/matrix-bridge-mx-puppet-slack/templates/systemd/matrix-mx-puppet-slack.service.j2 +++ b/roles/matrix-bridge-mx-puppet-slack/templates/systemd/matrix-mx-puppet-slack.service.j2 @@ -36,8 +36,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-mx-puppet-slac {% endfor %} {{ matrix_mx_puppet_slack_docker_image }} -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mx-puppet-slack 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mx-puppet-slack 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mx-puppet-slack 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mx-puppet-slack 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-mx-puppet-slack diff --git a/roles/matrix-bridge-mx-puppet-steam/templates/systemd/matrix-mx-puppet-steam.service.j2 b/roles/matrix-bridge-mx-puppet-steam/templates/systemd/matrix-mx-puppet-steam.service.j2 index 0772872b..c736b7ca 100644 --- a/roles/matrix-bridge-mx-puppet-steam/templates/systemd/matrix-mx-puppet-steam.service.j2 +++ b/roles/matrix-bridge-mx-puppet-steam/templates/systemd/matrix-mx-puppet-steam.service.j2 @@ -33,8 +33,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-mx-puppet-stea {% endfor %} {{ matrix_mx_puppet_steam_docker_image }} -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mx-puppet-steam 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mx-puppet-steam 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mx-puppet-steam 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mx-puppet-steam 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-mx-puppet-steam diff --git a/roles/matrix-bridge-mx-puppet-twitter/templates/systemd/matrix-mx-puppet-twitter.service.j2 b/roles/matrix-bridge-mx-puppet-twitter/templates/systemd/matrix-mx-puppet-twitter.service.j2 index 7e1b1c32..efa3e4e3 100644 --- a/roles/matrix-bridge-mx-puppet-twitter/templates/systemd/matrix-mx-puppet-twitter.service.j2 +++ b/roles/matrix-bridge-mx-puppet-twitter/templates/systemd/matrix-mx-puppet-twitter.service.j2 @@ -36,8 +36,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-mx-puppet-twit {% endfor %} {{ matrix_mx_puppet_twitter_docker_image }} -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mx-puppet-twitter 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mx-puppet-twitter 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mx-puppet-twitter 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mx-puppet-twitter 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-mx-puppet-twitter diff --git a/roles/matrix-bridge-sms/templates/systemd/matrix-sms-bridge.service.j2 b/roles/matrix-bridge-sms/templates/systemd/matrix-sms-bridge.service.j2 index 46c3463f..404b5aab 100644 --- a/roles/matrix-bridge-sms/templates/systemd/matrix-sms-bridge.service.j2 +++ b/roles/matrix-bridge-sms/templates/systemd/matrix-sms-bridge.service.j2 @@ -35,8 +35,8 @@ ExecStart=/usr/bin/docker run --rm --name matrix-sms-bridge \ {% endfor %} {{ matrix_sms_bridge_docker_image }} -ExecStop=-/usr/bin/docker kill matrix-sms-bridge -ExecStop=-/usr/bin/docker rm matrix-sms-bridge +ExecStopPost=-/usr/bin/docker kill matrix-sms-bridge +ExecStopPost=-/usr/bin/docker rm matrix-sms-bridge Restart=always RestartSec=30 SyslogIdentifier=matrix-sms-bridge diff --git a/roles/matrix-client-element/templates/systemd/matrix-client-element.service.j2 b/roles/matrix-client-element/templates/systemd/matrix-client-element.service.j2 index fe2a3a86..d4ad2b9e 100644 --- a/roles/matrix-client-element/templates/systemd/matrix-client-element.service.j2 +++ b/roles/matrix-client-element/templates/systemd/matrix-client-element.service.j2 @@ -35,8 +35,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-client-element {% endfor %} {{ matrix_client_element_docker_image }} -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-client-element 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-client-element 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-client-element 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-client-element 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-client-element diff --git a/roles/matrix-client-hydrogen/templates/systemd/matrix-client-hydrogen.service.j2 b/roles/matrix-client-hydrogen/templates/systemd/matrix-client-hydrogen.service.j2 index c85aeb97..7a72e876 100644 --- a/roles/matrix-client-hydrogen/templates/systemd/matrix-client-hydrogen.service.j2 +++ b/roles/matrix-client-hydrogen/templates/systemd/matrix-client-hydrogen.service.j2 @@ -29,8 +29,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-client-hydroge {% endfor %} {{ matrix_client_hydrogen_docker_image }} -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-client-hydrogen 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-client-hydrogen 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-client-hydrogen 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-client-hydrogen 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-client-hydrogen diff --git a/roles/matrix-corporal/templates/systemd/matrix-corporal.service.j2 b/roles/matrix-corporal/templates/systemd/matrix-corporal.service.j2 index 262e2e77..9c42f2b1 100644 --- a/roles/matrix-corporal/templates/systemd/matrix-corporal.service.j2 +++ b/roles/matrix-corporal/templates/systemd/matrix-corporal.service.j2 @@ -34,8 +34,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-corporal \ {{ matrix_corporal_docker_image }} \ /matrix-corporal -config=/etc/matrix-corporal/config.json -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-corporal 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-corporal 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-corporal 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-corporal 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-corporal diff --git a/roles/matrix-coturn/templates/systemd/matrix-coturn.service.j2 b/roles/matrix-coturn/templates/systemd/matrix-coturn.service.j2 index a39030af..778f8185 100644 --- a/roles/matrix-coturn/templates/systemd/matrix-coturn.service.j2 +++ b/roles/matrix-coturn/templates/systemd/matrix-coturn.service.j2 @@ -43,8 +43,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-coturn \ {{ matrix_coturn_docker_image }} \ -c /turnserver.conf -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-coturn 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-coturn 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-coturn 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-coturn 2>/dev/null' # This only reloads certificates (not other configuration). # See: https://github.com/coturn/coturn/pull/236 diff --git a/roles/matrix-dimension/templates/systemd/matrix-dimension.service.j2 b/roles/matrix-dimension/templates/systemd/matrix-dimension.service.j2 index e27a5558..0451231b 100644 --- a/roles/matrix-dimension/templates/systemd/matrix-dimension.service.j2 +++ b/roles/matrix-dimension/templates/systemd/matrix-dimension.service.j2 @@ -38,8 +38,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-dimension \ {% endfor %} {{ matrix_dimension_docker_image }} -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-dimension 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-dimension 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-dimension 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-dimension 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-dimension diff --git a/roles/matrix-dynamic-dns/templates/systemd/matrix-dynamic-dns.service.j2 b/roles/matrix-dynamic-dns/templates/systemd/matrix-dynamic-dns.service.j2 index dfdd2f72..31e106f0 100644 --- a/roles/matrix-dynamic-dns/templates/systemd/matrix-dynamic-dns.service.j2 +++ b/roles/matrix-dynamic-dns/templates/systemd/matrix-dynamic-dns.service.j2 @@ -26,8 +26,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-dynamic-dns \ {% endfor %} {{ matrix_dynamic_dns_docker_image }} -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-dynamic-dns 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-dynamic-dns 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-dynamic-dns 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-dynamic-dns 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-dynamic-dns diff --git a/roles/matrix-email2matrix/templates/systemd/matrix-email2matrix.service.j2 b/roles/matrix-email2matrix/templates/systemd/matrix-email2matrix.service.j2 index c9226768..b620a13f 100644 --- a/roles/matrix-email2matrix/templates/systemd/matrix-email2matrix.service.j2 +++ b/roles/matrix-email2matrix/templates/systemd/matrix-email2matrix.service.j2 @@ -24,8 +24,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-email2matrix \ {% endfor %} {{ matrix_email2matrix_docker_image }} -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-email2matrix 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-email2matrix 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-email2matrix 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-email2matrix 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-email2matrix diff --git a/roles/matrix-etherpad/templates/systemd/matrix-etherpad.service.j2 b/roles/matrix-etherpad/templates/systemd/matrix-etherpad.service.j2 index b579036b..e55c57c7 100644 --- a/roles/matrix-etherpad/templates/systemd/matrix-etherpad.service.j2 +++ b/roles/matrix-etherpad/templates/systemd/matrix-etherpad.service.j2 @@ -32,10 +32,10 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-etherpad \ node --experimental-worker src/node/server.js \ --settings /data/settings.json --credentials /data/credentials.json \ --sessionkey /data/sessionkey.json --apikey /data/apijey.json - -ExecStop=-{{ matrix_host_command_docker }} kill matrix-etherpad -ExecStop=-{{ matrix_host_command_docker }} rm matrix-etherpad + +ExecStopPost=-{{ matrix_host_command_docker }} kill matrix-etherpad +ExecStopPost=-{{ matrix_host_command_docker }} rm matrix-etherpad Restart=always RestartSec=30 SyslogIdentifier=matrix-etherpad diff --git a/roles/matrix-grafana/templates/systemd/matrix-grafana.service.j2 b/roles/matrix-grafana/templates/systemd/matrix-grafana.service.j2 index a4f81e35..64d40a5c 100644 --- a/roles/matrix-grafana/templates/systemd/matrix-grafana.service.j2 +++ b/roles/matrix-grafana/templates/systemd/matrix-grafana.service.j2 @@ -33,8 +33,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-grafana \ {% endfor %} {{ matrix_grafana_docker_image }} -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-grafana 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-grafana 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-grafana 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-grafana 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-grafana diff --git a/roles/matrix-jitsi/templates/jicofo/matrix-jitsi-jicofo.service.j2 b/roles/matrix-jitsi/templates/jicofo/matrix-jitsi-jicofo.service.j2 index 6ecafaa0..b4944c84 100644 --- a/roles/matrix-jitsi/templates/jicofo/matrix-jitsi-jicofo.service.j2 +++ b/roles/matrix-jitsi/templates/jicofo/matrix-jitsi-jicofo.service.j2 @@ -23,8 +23,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-jitsi-jicofo \ {% endfor %} {{ matrix_jitsi_jicofo_docker_image }} -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-jitsi-jicofo 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-jitsi-jicofo 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-jitsi-jicofo 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-jitsi-jicofo 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-jitsi-jicofo diff --git a/roles/matrix-jitsi/templates/jvb/matrix-jitsi-jvb.service.j2 b/roles/matrix-jitsi/templates/jvb/matrix-jitsi-jvb.service.j2 index 2785795d..5be32210 100644 --- a/roles/matrix-jitsi/templates/jvb/matrix-jitsi-jvb.service.j2 +++ b/roles/matrix-jitsi/templates/jvb/matrix-jitsi-jvb.service.j2 @@ -33,8 +33,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-jitsi-jvb \ {% endfor %} {{ matrix_jitsi_jvb_docker_image }} -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-jitsi-jvb 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-jitsi-jvb 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-jitsi-jvb 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-jitsi-jvb 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-jitsi-jvb diff --git a/roles/matrix-jitsi/templates/prosody/matrix-jitsi-prosody.service.j2 b/roles/matrix-jitsi/templates/prosody/matrix-jitsi-prosody.service.j2 index 5a4a81e5..452ff954 100644 --- a/roles/matrix-jitsi/templates/prosody/matrix-jitsi-prosody.service.j2 +++ b/roles/matrix-jitsi/templates/prosody/matrix-jitsi-prosody.service.j2 @@ -28,8 +28,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-jitsi-prosody {% endfor %} {{ matrix_jitsi_prosody_docker_image }} -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-jitsi-prosody 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-jitsi-prosody 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-jitsi-prosody 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-jitsi-prosody 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-jitsi-prosody diff --git a/roles/matrix-jitsi/templates/web/matrix-jitsi-web.service.j2 b/roles/matrix-jitsi/templates/web/matrix-jitsi-web.service.j2 index 35bfca67..ff577670 100644 --- a/roles/matrix-jitsi/templates/web/matrix-jitsi-web.service.j2 +++ b/roles/matrix-jitsi/templates/web/matrix-jitsi-web.service.j2 @@ -29,8 +29,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-jitsi-web \ {% endfor %} {{ matrix_jitsi_web_docker_image }} -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-jitsi-web 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-jitsi-web 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-jitsi-web 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-jitsi-web 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-jitsi-web diff --git a/roles/matrix-ma1sd/templates/systemd/matrix-ma1sd.service.j2 b/roles/matrix-ma1sd/templates/systemd/matrix-ma1sd.service.j2 index 8e5cc6dd..c3d5850f 100644 --- a/roles/matrix-ma1sd/templates/systemd/matrix-ma1sd.service.j2 +++ b/roles/matrix-ma1sd/templates/systemd/matrix-ma1sd.service.j2 @@ -38,8 +38,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-ma1sd \ {% endfor %} {{ matrix_ma1sd_docker_image }} -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-ma1sd 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-ma1sd 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-ma1sd 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-ma1sd 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-ma1sd diff --git a/roles/matrix-mailer/templates/systemd/matrix-mailer.service.j2 b/roles/matrix-mailer/templates/systemd/matrix-mailer.service.j2 index bf5a2e42..ee316469 100644 --- a/roles/matrix-mailer/templates/systemd/matrix-mailer.service.j2 +++ b/roles/matrix-mailer/templates/systemd/matrix-mailer.service.j2 @@ -27,8 +27,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-mailer \ {% endfor %} {{ matrix_mailer_docker_image }} -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mailer 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mailer 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mailer 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mailer 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-mailer diff --git a/roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 b/roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 index c4000fa9..744b3924 100755 --- a/roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 +++ b/roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 @@ -47,8 +47,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-nginx-proxy \ {% endfor %} {{ matrix_nginx_proxy_docker_image }} -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-nginx-proxy 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-nginx-proxy 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-nginx-proxy 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-nginx-proxy 2>/dev/null' ExecReload={{ matrix_host_command_docker }} exec matrix-nginx-proxy /usr/sbin/nginx -s reload Restart=always RestartSec=30 diff --git a/roles/matrix-postgres-backup/templates/systemd/matrix-postgres-backup.service.j2 b/roles/matrix-postgres-backup/templates/systemd/matrix-postgres-backup.service.j2 index 97c9ae7f..52e12edb 100644 --- a/roles/matrix-postgres-backup/templates/systemd/matrix-postgres-backup.service.j2 +++ b/roles/matrix-postgres-backup/templates/systemd/matrix-postgres-backup.service.j2 @@ -21,8 +21,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-postgres-backu --mount type=bind,src={{ matrix_postgres_backup_path }},dst=/backups \ {{ matrix_postgres_backup_docker_image_to_use }} -ExecStop=-{{ matrix_host_command_docker }} stop matrix-postgres-backup -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-postgres-backup 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_docker }} stop matrix-postgres-backup +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-postgres-backup 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-postgres-backup diff --git a/roles/matrix-postgres/templates/systemd/matrix-postgres.service.j2 b/roles/matrix-postgres/templates/systemd/matrix-postgres.service.j2 index d62a689a..5ef3646d 100644 --- a/roles/matrix-postgres/templates/systemd/matrix-postgres.service.j2 +++ b/roles/matrix-postgres/templates/systemd/matrix-postgres.service.j2 @@ -36,8 +36,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-postgres \ {{ matrix_postgres_docker_image_to_use }} \ postgres {{ matrix_postgres_process_extra_arguments|join(' ') }} -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-postgres 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-postgres 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-postgres 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-postgres 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-postgres diff --git a/roles/matrix-prometheus-node-exporter/templates/systemd/matrix-prometheus-node-exporter.service.j2 b/roles/matrix-prometheus-node-exporter/templates/systemd/matrix-prometheus-node-exporter.service.j2 index 210a0d97..0139b916 100644 --- a/roles/matrix-prometheus-node-exporter/templates/systemd/matrix-prometheus-node-exporter.service.j2 +++ b/roles/matrix-prometheus-node-exporter/templates/systemd/matrix-prometheus-node-exporter.service.j2 @@ -34,8 +34,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-prometheus-nod {{ matrix_prometheus_node_exporter_docker_image }} \ --path.rootfs=/host -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-prometheus-node-exporter 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-prometheus-node-exporter 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-prometheus-node-exporter 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-prometheus-node-exporter 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-prometheus-node-exporter diff --git a/roles/matrix-prometheus-postgres-exporter/templates/systemd/matrix-prometheus-postgres-exporter.service.j2 b/roles/matrix-prometheus-postgres-exporter/templates/systemd/matrix-prometheus-postgres-exporter.service.j2 index b25cb5de..4c9a4eda 100644 --- a/roles/matrix-prometheus-postgres-exporter/templates/systemd/matrix-prometheus-postgres-exporter.service.j2 +++ b/roles/matrix-prometheus-postgres-exporter/templates/systemd/matrix-prometheus-postgres-exporter.service.j2 @@ -30,10 +30,10 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-prometheus-pos -p {{ matrix_prometheus_postgres_exporter_container_http_host_bind_port }}:{{matrix_prometheus_postgres_exporter_port}} \ {% endif %} --pid=host \ - {{ matrix_prometheus_postgres_exporter_docker_image }} + {{ matrix_prometheus_postgres_exporter_docker_image }} -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-prometheus-postgres-exporter 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-prometheus-postgres-exporter 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-prometheus-postgres-exporter 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-prometheus-postgres-exporter 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-prometheus-postgres-exporter diff --git a/roles/matrix-prometheus/templates/systemd/matrix-prometheus.service.j2 b/roles/matrix-prometheus/templates/systemd/matrix-prometheus.service.j2 index ad75d664..2070ece3 100644 --- a/roles/matrix-prometheus/templates/systemd/matrix-prometheus.service.j2 +++ b/roles/matrix-prometheus/templates/systemd/matrix-prometheus.service.j2 @@ -33,8 +33,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-prometheus \ {% endfor %} {{ matrix_prometheus_docker_image }} -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-prometheus 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-prometheus 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-prometheus 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-prometheus 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-prometheus diff --git a/roles/matrix-redis/templates/systemd/matrix-redis.service.j2 b/roles/matrix-redis/templates/systemd/matrix-redis.service.j2 index 5f6699f8..9f9d2902 100644 --- a/roles/matrix-redis/templates/systemd/matrix-redis.service.j2 +++ b/roles/matrix-redis/templates/systemd/matrix-redis.service.j2 @@ -27,8 +27,8 @@ ExecStart=/usr/bin/docker run --rm --name matrix-redis \ {{ matrix_redis_docker_image_to_use }} \ redis-server /usr/local/etc/redis/redis.conf -ExecStop=-/usr/bin/docker stop matrix-redis -ExecStop=-/usr/bin/docker rm matrix-redis +ExecStopPost=-/usr/bin/docker stop matrix-redis +ExecStopPost=-/usr/bin/docker rm matrix-redis Restart=always RestartSec=30 SyslogIdentifier=matrix-redis diff --git a/roles/matrix-registration/templates/systemd/matrix-registration.service.j2 b/roles/matrix-registration/templates/systemd/matrix-registration.service.j2 index e73e3e5f..8de331bf 100644 --- a/roles/matrix-registration/templates/systemd/matrix-registration.service.j2 +++ b/roles/matrix-registration/templates/systemd/matrix-registration.service.j2 @@ -32,8 +32,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-registration \ {{ matrix_registration_docker_image }} \ serve -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-registration 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-registration 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-registration 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-registration 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-registration diff --git a/roles/matrix-sygnal/templates/systemd/matrix-sygnal.service.j2 b/roles/matrix-sygnal/templates/systemd/matrix-sygnal.service.j2 index 019ab40c..84c6f6ea 100644 --- a/roles/matrix-sygnal/templates/systemd/matrix-sygnal.service.j2 +++ b/roles/matrix-sygnal/templates/systemd/matrix-sygnal.service.j2 @@ -32,8 +32,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-sygnal \ {% endfor %} {{ matrix_sygnal_docker_image }} -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-sygnal 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-sygnal 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-sygnal 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-sygnal 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-sygnal diff --git a/roles/matrix-synapse-admin/templates/systemd/matrix-synapse-admin.service.j2 b/roles/matrix-synapse-admin/templates/systemd/matrix-synapse-admin.service.j2 index 4823d89c..28fe08aa 100644 --- a/roles/matrix-synapse-admin/templates/systemd/matrix-synapse-admin.service.j2 +++ b/roles/matrix-synapse-admin/templates/systemd/matrix-synapse-admin.service.j2 @@ -32,8 +32,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-synapse-admin {% endfor %} {{ matrix_synapse_admin_docker_image }} -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-synapse-admin 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-synapse-admin 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-synapse-admin 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-synapse-admin 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-synapse-admin diff --git a/roles/matrix-synapse/templates/goofys/systemd/matrix-goofys.service.j2 b/roles/matrix-synapse/templates/goofys/systemd/matrix-goofys.service.j2 index df4a4f23..f74cbad9 100644 --- a/roles/matrix-synapse/templates/goofys/systemd/matrix-goofys.service.j2 +++ b/roles/matrix-synapse/templates/goofys/systemd/matrix-goofys.service.j2 @@ -27,10 +27,10 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name %n \ -c 'goofys -f{% if not matrix_s3_media_store_custom_endpoint_enabled %} --storage-class=STANDARD_IA{% endif %}{% if matrix_s3_media_store_custom_endpoint_enabled %} --endpoint={{ matrix_s3_media_store_custom_endpoint }}{% endif %} --region {{ matrix_s3_media_store_region }} --stat-cache-ttl 60m0s --type-cache-ttl 60m0s --dir-mode 0700 --file-mode 0700 {{ matrix_s3_media_store_bucket_name }} /s3' TimeoutStartSec=5min -ExecStop=-{{ matrix_host_command_docker }} stop %n -ExecStop=-{{ matrix_host_command_docker }} kill %n -ExecStop=-{{ matrix_host_command_docker }} rm %n -ExecStop=-{{ matrix_host_command_fusermount }} -u {{ matrix_s3_media_store_path }} +ExecStopPost=-{{ matrix_host_command_docker }} stop %n +ExecStopPost=-{{ matrix_host_command_docker }} kill %n +ExecStopPost=-{{ matrix_host_command_docker }} rm %n +ExecStopPost=-{{ matrix_host_command_fusermount }} -u {{ matrix_s3_media_store_path }} Restart=always RestartSec=5 SyslogIdentifier=matrix-goofys diff --git a/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse-worker.service.j2 b/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse-worker.service.j2 index 43dc42d1..66a323f9 100644 --- a/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse-worker.service.j2 +++ b/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse-worker.service.j2 @@ -46,8 +46,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name {{ matrix_synapse_wor run -m synapse.app.{{ matrix_synapse_worker_details.type }} -c /data/homeserver.yaml -c /data/{{ matrix_synapse_worker_config_file_name }} -ExecStop=-{{ matrix_host_command_docker }} kill {{ matrix_synapse_worker_container_name }} -ExecStop=-{{ matrix_host_command_docker }} rm {{ matrix_synapse_worker_container_name }} +ExecStopPost=-{{ matrix_host_command_docker }} kill {{ matrix_synapse_worker_container_name }} +ExecStopPost=-{{ matrix_host_command_docker }} rm {{ matrix_synapse_worker_container_name }} ExecReload={{ matrix_host_command_docker }} exec {{ matrix_synapse_worker_container_name }} /bin/sh -c 'kill -HUP 1' Restart=always diff --git a/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 b/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 index 188db5ef..bfc8dd61 100644 --- a/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 +++ b/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 @@ -63,8 +63,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-synapse \ {{ matrix_synapse_docker_image }} \ run -m synapse.app.homeserver -c /data/homeserver.yaml -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-synapse 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-synapse 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-synapse 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-synapse 2>/dev/null' ExecReload={{ matrix_host_command_docker }} exec matrix-synapse /bin/sh -c 'kill -HUP 1' Restart=always RestartSec=30 From 5788a16a2e6f1e44b6bb9d6c8f75581f17884928 Mon Sep 17 00:00:00 2001 From: rakshazi Date: Wed, 5 Jan 2022 18:33:21 +0200 Subject: [PATCH 08/71] added matrix-client-cinny --- README.md | 2 + docs/configuring-dns.md | 2 + docs/configuring-playbook-client-cinny.md | 21 ++++ docs/configuring-playbook.md | 1 + docs/self-building.md | 1 + group_vars/matrix_servers | 28 +++++ roles/matrix-base/defaults/main.yml | 3 + roles/matrix-client-cinny/defaults/main.yml | 54 +++++++++ roles/matrix-client-cinny/tasks/init.yml | 10 ++ roles/matrix-client-cinny/tasks/main.yml | 28 +++++ .../matrix-client-cinny/tasks/self_check.yml | 22 ++++ .../tasks/setup_install.yml | 71 ++++++++++++ .../tasks/setup_uninstall.yml | 35 ++++++ .../tasks/validate_config.yml | 8 ++ .../templates/config.json.j2 | 6 + .../templates/nginx.conf.j2 | 66 +++++++++++ .../systemd/matrix-client-cinny.service.j2 | 40 +++++++ roles/matrix-nginx-proxy/defaults/main.yml | 9 +- .../tasks/setup_nginx_proxy.yml | 13 +++ .../nginx/conf.d/matrix-client-cinny.conf.j2 | 104 ++++++++++++++++++ setup.yml | 1 + 21 files changed, 524 insertions(+), 1 deletion(-) create mode 100644 docs/configuring-playbook-client-cinny.md create mode 100644 roles/matrix-client-cinny/defaults/main.yml create mode 100644 roles/matrix-client-cinny/tasks/init.yml create mode 100644 roles/matrix-client-cinny/tasks/main.yml create mode 100644 roles/matrix-client-cinny/tasks/self_check.yml create mode 100644 roles/matrix-client-cinny/tasks/setup_install.yml create mode 100644 roles/matrix-client-cinny/tasks/setup_uninstall.yml create mode 100644 roles/matrix-client-cinny/tasks/validate_config.yml create mode 100644 roles/matrix-client-cinny/templates/config.json.j2 create mode 100644 roles/matrix-client-cinny/templates/nginx.conf.j2 create mode 100644 roles/matrix-client-cinny/templates/systemd/matrix-client-cinny.service.j2 create mode 100644 roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-cinny.conf.j2 diff --git a/README.md b/README.md index 59bd915e..80608c69 100644 --- a/README.md +++ b/README.md @@ -113,6 +113,8 @@ Using this playbook, you can get the following services configured on your serve - (optional) the [Hydrogen](https://github.com/vector-im/hydrogen-web) web client - see [docs/configuring-playbook-client-hydrogen.md](docs/configuring-playbook-client-hydrogen.md) for setup documentation +- (optional) the [Cinny](https://github.com/ajbura/cinny) web client - see [docs/configuring-playbook-client-cinny.md](docs/configuring-playbook-client-cinny.md) for setup documentation + Basically, this playbook aims to get you up-and-running with all the necessities around Matrix, without you having to do anything else. **Note**: the list above is exhaustive. It includes optional or even some advanced components that you will most likely not need. diff --git a/docs/configuring-dns.md b/docs/configuring-dns.md index af2badca..4416c3bc 100644 --- a/docs/configuring-dns.md +++ b/docs/configuring-dns.md @@ -37,6 +37,7 @@ If you are using Cloudflare DNS, make sure to disable the proxy and set all reco | CNAME | `goneb` | - | - | - | `matrix.` | | CNAME | `sygnal` | - | - | - | `matrix.` | | CNAME | `hydrogen` | - | - | - | `matrix.` | +| CNAME | `cinny` | - | - | - | `matrix.` | ## Subdomains setup @@ -57,6 +58,7 @@ The `sygnal.` subdomain may be necessary, because this playbook cou The `hydrogen.` subdomain may be necessary, because this playbook could install the [Hydrogen](https://github.com/vector-im/hydrogen-web) web client. The installation of Hydrogen is disabled by default, it is not a core required component. To learn how to install it, see our [configuring Hydrogen guide](configuring-playbook-client-hydrogen.md). If you do not wish to set up Hydrogen, feel free to skip the `hydrogen.` DNS record. +The `cinny.` subdomain may be necessary, because this playbook could install the [Cinny](https://github.com/ajbura/cinny) web client. The installation of cinny is disabled by default, it is not a core required component. To learn how to install it, see our [configuring cinny guide](configuring-playbook-client-cinny.md). If you do not wish to set up cinny, feel free to skip the `cinny.` DNS record. ## `_matrix-identity._tcp` SRV record setup diff --git a/docs/configuring-playbook-client-cinny.md b/docs/configuring-playbook-client-cinny.md new file mode 100644 index 00000000..73a8bbee --- /dev/null +++ b/docs/configuring-playbook-client-cinny.md @@ -0,0 +1,21 @@ +# Configuring Cinny (optional) + +This playbook can install the [cinny](https://github.com/ajbura/cinny) Matrix web client for you. +cinny is a web client focusing primarily on simple, elegant and secure interface. +cinny can be installed alongside or instead of Element. + +If you'd like cinny to be installed, add the following to your configuration file (`inventory/host_vars/matrix./vars.yml`): + +```yaml +matrix_client_cinny_enabled: true +``` + +You will also need to add a DNS record so that cinny can be accessed. +By default cinny will use https://cinny.DOMAIN so you will need to create an CNAME record +for `cinny`. See [Configuring DNS](configuring-dns.md). + +If you would like to use a different domain, add the following to your configuration file (changing it to use your preferred domain): + +```yaml + matrix_server_fqn_cinny: "app.{{ matrix_domain }}" +``` diff --git a/docs/configuring-playbook.md b/docs/configuring-playbook.md index 0f35325d..6b5a9e5d 100644 --- a/docs/configuring-playbook.md +++ b/docs/configuring-playbook.md @@ -69,6 +69,7 @@ When you're done with all the configuration you'd like to do, continue with [Ins - [Adjusting email-sending settings](configuring-playbook-email.md) (optional) - [Setting up Hydrogen](configuring-playbook-client-hydrogen.md) - a new lightweight matrix client with legacy and mobile browser support (optional) +- [Setting up Cinny](configuring-playbook-client-cinny.md) - a web client focusing primarily on simple, elegant and secure interface (optional) ### Authentication and user-related diff --git a/docs/self-building.md b/docs/self-building.md index 9bf435c0..4d5c2db2 100644 --- a/docs/self-building.md +++ b/docs/self-building.md @@ -15,6 +15,7 @@ List of roles where self-building the Docker image is currently possible: - `matrix-synapse-admin` - `matrix-client-element` - `matrix-client-hydrogen` +- `matrix-client-cinny` - `matrix-registration` - `matrix-coturn` - `matrix-corporal` diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 8edcd6ba..fb1762c7 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -1332,6 +1332,7 @@ matrix_nginx_proxy_proxy_matrix_client_redirect_root_uri_to_domain: "{{ matrix_s matrix_nginx_proxy_proxy_matrix_enabled: true matrix_nginx_proxy_proxy_element_enabled: "{{ matrix_client_element_enabled }}" matrix_nginx_proxy_proxy_hydrogen_enabled: "{{ matrix_client_hydrogen_enabled }}" +matrix_nginx_proxy_proxy_cinny_enabled: "{{ matrix_client_cinny_enabled }}" matrix_nginx_proxy_proxy_dimension_enabled: "{{ matrix_dimension_enabled }}" matrix_nginx_proxy_proxy_bot_go_neb_enabled: "{{ matrix_bot_go_neb_enabled }}" matrix_nginx_proxy_proxy_jitsi_enabled: "{{ matrix_jitsi_enabled }}" @@ -1417,6 +1418,8 @@ matrix_ssl_domains_to_obtain_certificates_for: | + ([matrix_server_fqn_hydrogen] if matrix_client_hydrogen_enabled else []) + + ([matrix_server_fqn_cinny] if matrix_client_cinny_enabled else []) + + ([matrix_server_fqn_dimension] if matrix_dimension_enabled else []) + ([matrix_server_fqn_bot_go_neb] if matrix_bot_go_neb_enabled else []) @@ -1760,6 +1763,31 @@ matrix_client_hydrogen_self_check_validate_certificates: "{{ false if matrix_ssl +###################################################################### +# +# matrix-client-cinny +# +###################################################################### + +matrix_client_cinny_enabled: false + +# Normally, matrix-nginx-proxy is enabled and nginx can reach Cinny over the container network. +# If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose +# the HTTP port to the local host. +matrix_client_cinny_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:8080' }}" + +matrix_client_cinny_default_hs_url: "{{ matrix_homeserver_url }}" + +matrix_client_cinny_self_check_validate_certificates: "{{ false if matrix_ssl_retrieval_method == 'self-signed' else true }}" + +###################################################################### +# +# /matrix-client-cinny +# +###################################################################### + + + ###################################################################### # # matrix-synapse diff --git a/roles/matrix-base/defaults/main.yml b/roles/matrix-base/defaults/main.yml index 4767bcf4..9b137bae 100644 --- a/roles/matrix-base/defaults/main.yml +++ b/roles/matrix-base/defaults/main.yml @@ -21,6 +21,9 @@ matrix_server_fqn_element: "element.{{ matrix_domain }}" # This is where you access the Hydrogen web client from (if enabled via matrix_client_hydrogen_enabled; disabled by default). matrix_server_fqn_hydrogen: "hydrogen.{{ matrix_domain }}" +# This is where you access the Cinny web client from (if enabled via matrix_client_cinny_enabled; disabled by default). +matrix_server_fqn_cinny: "cinny.{{ matrix_domain }}" + # This is where you access the Dimension. matrix_server_fqn_dimension: "dimension.{{ matrix_domain }}" diff --git a/roles/matrix-client-cinny/defaults/main.yml b/roles/matrix-client-cinny/defaults/main.yml new file mode 100644 index 00000000..e693e2b2 --- /dev/null +++ b/roles/matrix-client-cinny/defaults/main.yml @@ -0,0 +1,54 @@ +matrix_client_cinny_enabled: true + +matrix_client_cinny_container_image_self_build: false +matrix_client_cinny_container_image_self_build_repo: "https://github.com/ajbura/cinny.git" + +matrix_client_cinny_version: v1.6.1 +matrix_client_cinny_docker_image: "{{ matrix_client_cinny_docker_image_name_prefix }}ajbura/cinny:{{ matrix_client_cinny_version }}" +matrix_client_cinny_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_cinny_container_image_self_build }}" +matrix_client_cinny_docker_image_force_pull: "{{ matrix_client_cinny_docker_image.endswith(':latest') }}" + +matrix_client_cinny_data_path: "{{ matrix_base_data_path }}/client-cinny" +matrix_client_cinny_docker_src_files_path: "{{ matrix_client_cinny_data_path }}/docker-src" + +# Controls whether the container exposes its HTTP port (tcp/8080 in the container). +# +# Takes an ":" or "" value (e.g. "127.0.0.1:8768"), or empty string to not expose. +matrix_client_cinny_container_http_host_bind_port: '' + +# A list of extra arguments to pass to the container +matrix_client_cinny_container_extra_arguments: [] + +# List of systemd services that matrix-client-cinny.service depends on +matrix_client_cinny_systemd_required_services_list: ['docker.service'] + +# Controls whether the self-check feature should validate SSL certificates. +matrix_client_cinny_self_check_validate_certificates: true + +# config.json +matrix_client_cinny_default_hs_url: "" + +# Default cinny configuration template which covers the generic use case. +# You can customize it by controlling the various variables inside it. +# +# For a more advanced customization, you can extend the default (see `matrix_client_cinny_configuration_extension_json`) +# or completely replace this variable with your own template. +# +# The side-effect of this lookup is that Ansible would even parse the JSON for us, returning a dict. +# This is unlike what it does when looking up YAML template files (no automatic parsing there). +matrix_client_cinny_configuration_default: "{{ lookup('template', 'templates/config.json.j2') }}" + +# Your custom JSON configuration for cinny should go to `matrix_client_cinny_configuration_extension_json`. +# This configuration extends the default starting configuration (`matrix_client_cinny_configuration_default`). +# +# You can override individual variables from the default configuration, or introduce new ones. +# +# If you need something more special, you can take full control by +# completely redefining `matrix_client_cinny_configuration_default`. +matrix_client_cinny_configuration_extension_json: '{}' + +matrix_client_cinny_configuration_extension: "{{ matrix_client_cinny_configuration_extension_json|from_json if matrix_client_cinny_configuration_extension_json|from_json is mapping else {} }}" + +# Holds the final cinny configuration (a combination of the default and its extension). +# You most likely don't need to touch this variable. Instead, see `matrix_client_cinny_configuration_default`. +matrix_client_cinny_configuration: "{{ matrix_client_cinny_configuration_default|combine(matrix_client_cinny_configuration_extension, recursive=True) }}" diff --git a/roles/matrix-client-cinny/tasks/init.yml b/roles/matrix-client-cinny/tasks/init.yml new file mode 100644 index 00000000..e6889e4d --- /dev/null +++ b/roles/matrix-client-cinny/tasks/init.yml @@ -0,0 +1,10 @@ +# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 +# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 +- name: Fail if trying to self-build on Ansible < 2.8 + fail: + msg: "To self-build the Cinny image, you should use Ansible 2.8 or higher. See docs/ansible.md" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_client_cinny_container_image_self_build and matrix_client_cinny_enabled" + +- set_fact: + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-client-cinny.service'] }}" + when: matrix_client_cinny_enabled|bool diff --git a/roles/matrix-client-cinny/tasks/main.yml b/roles/matrix-client-cinny/tasks/main.yml new file mode 100644 index 00000000..8a39c021 --- /dev/null +++ b/roles/matrix-client-cinny/tasks/main.yml @@ -0,0 +1,28 @@ +- import_tasks: "{{ role_path }}/tasks/init.yml" + tags: + - always + +- import_tasks: "{{ role_path }}/tasks/validate_config.yml" + when: "run_setup|bool and matrix_client_cinny_enabled|bool" + tags: + - setup-all + - setup-client-cinny + +- import_tasks: "{{ role_path }}/tasks/setup_install.yml" + when: "run_setup|bool and matrix_client_cinny_enabled|bool" + tags: + - setup-all + - setup-client-cinny + +- import_tasks: "{{ role_path }}/tasks/self_check.yml" + delegate_to: 127.0.0.1 + become: false + when: "run_self_check|bool and matrix_client_cinny_enabled|bool" + tags: + - self-check + +- import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" + when: "run_setup|bool and not matrix_client_cinny_enabled|bool" + tags: + - setup-all + - setup-client-cinny diff --git a/roles/matrix-client-cinny/tasks/self_check.yml b/roles/matrix-client-cinny/tasks/self_check.yml new file mode 100644 index 00000000..df1241a8 --- /dev/null +++ b/roles/matrix-client-cinny/tasks/self_check.yml @@ -0,0 +1,22 @@ +--- + +- set_fact: + matrix_client_cinny_url_endpoint_public: "https://{{ matrix_server_fqn_cinny }}/config.json" + +- name: Check Cinny + uri: + url: "{{ matrix_client_cinny_url_endpoint_public }}" + follow_redirects: none + validate_certs: "{{ matrix_client_cinny_self_check_validate_certificates }}" + register: matrix_client_cinny_self_check_result + check_mode: no + ignore_errors: true + +- name: Fail if Cinny not working + fail: + msg: "Failed checking Cinny is up at `{{ matrix_server_fqn_cinny }}` (checked endpoint: `{{ matrix_client_cinny_url_endpoint_public }}`). Is Cinny running? Is port 443 open in your firewall? Full error: {{ matrix_client_cinny_self_check_result }}" + when: "matrix_client_cinny_self_check_result.failed or 'json' not in matrix_client_cinny_self_check_result" + +- name: Report working Cinny + debug: + msg: "Cinny at `{{ matrix_server_fqn_cinny }}` is working (checked endpoint: `{{ matrix_client_cinny_url_endpoint_public }}`)" diff --git a/roles/matrix-client-cinny/tasks/setup_install.yml b/roles/matrix-client-cinny/tasks/setup_install.yml new file mode 100644 index 00000000..5d92f1d3 --- /dev/null +++ b/roles/matrix-client-cinny/tasks/setup_install.yml @@ -0,0 +1,71 @@ +--- +- name: Ensure Cinny paths exists + file: + path: "{{ item.path }}" + state: directory + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: + - { path: "{{ matrix_client_cinny_data_path }}", when: true } + - { path: "{{ matrix_client_cinny_docker_src_files_path }}", when: "{{ matrix_client_cinny_container_image_self_build }}" } + when: "item.when|bool" + +- name: Ensure Cinny Docker image is pulled + docker_image: + name: "{{ matrix_client_cinny_docker_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_client_cinny_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_client_cinny_docker_image_force_pull }}" + when: "not matrix_client_cinny_container_image_self_build|bool" + +- name: Ensure Cinny repository is present on self-build + git: + repo: "{{ matrix_client_cinny_container_image_self_build_repo }}" + dest: "{{ matrix_client_cinny_docker_src_files_path }}" + version: "{{ matrix_client_cinny_docker_image.split(':')[1] }}" + force: "yes" + register: matrix_client_cinny_git_pull_results + when: "matrix_client_cinny_container_image_self_build|bool" + +- name: Ensure Cinny configuration installed + copy: + content: "{{ matrix_client_cinny_configuration|to_nice_json }}" + dest: "{{ matrix_client_cinny_data_path }}/config.json" + mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + +- name: Ensure Cinny additional config files installed + template: + src: "{{ item.src }}" + dest: "{{ matrix_client_cinny_data_path }}/{{ item.name }}" + mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: + - {src: "{{ role_path }}/templates/nginx.conf.j2", name: "nginx.conf"} + when: "item.src is not none" + +- name: Ensure Cinny Docker image is built + docker_image: + name: "{{ matrix_client_cinny_docker_image }}" + source: build + force_source: "{{ matrix_client_cinny_git_pull_results.changed }}" + build: + dockerfile: Dockerfile + path: "{{ matrix_client_cinny_docker_src_files_path }}" + pull: yes + when: "matrix_client_cinny_container_image_self_build|bool" + +- name: Ensure matrix-client-cinny.service installed + template: + src: "{{ role_path }}/templates/systemd/matrix-client-cinny.service.j2" + dest: "{{ matrix_systemd_path }}/matrix-client-cinny.service" + mode: 0644 + register: matrix_client_cinny_systemd_service_result + +- name: Ensure systemd reloaded after matrix-client-cinny.service installation + service: + daemon_reload: yes + when: "matrix_client_cinny_systemd_service_result.changed|bool" diff --git a/roles/matrix-client-cinny/tasks/setup_uninstall.yml b/roles/matrix-client-cinny/tasks/setup_uninstall.yml new file mode 100644 index 00000000..2a3bffb5 --- /dev/null +++ b/roles/matrix-client-cinny/tasks/setup_uninstall.yml @@ -0,0 +1,35 @@ +--- +- name: Check existence of matrix-client-cinny.service + stat: + path: "{{ matrix_systemd_path }}/matrix-client-cinny.service" + register: matrix_client_cinny_service_stat + +- name: Ensure matrix-client-cinny is stopped + service: + name: matrix-client-cinny + state: stopped + enabled: no + daemon_reload: yes + register: stopping_result + when: "matrix_client_cinny_service_stat.stat.exists|bool" + +- name: Ensure matrix-client-cinny.service doesn't exist + file: + path: "{{ matrix_systemd_path }}/matrix-client-cinny.service" + state: absent + when: "matrix_client_cinny_service_stat.stat.exists|bool" + +- name: Ensure systemd reloaded after matrix-client-cinny.service removal + service: + daemon_reload: yes + when: "matrix_client_cinny_service_stat.stat.exists|bool" + +- name: Ensure Cinny paths doesn't exist + file: + path: "{{ matrix_client_cinny_data_path }}" + state: absent + +- name: Ensure Cinny Docker image doesn't exist + docker_image: + name: "{{ matrix_client_cinny_docker_image }}" + state: absent diff --git a/roles/matrix-client-cinny/tasks/validate_config.yml b/roles/matrix-client-cinny/tasks/validate_config.yml new file mode 100644 index 00000000..198782e9 --- /dev/null +++ b/roles/matrix-client-cinny/tasks/validate_config.yml @@ -0,0 +1,8 @@ +--- +- name: Fail if required Cinny settings not defined + fail: + msg: > + You need to define a required configuration setting (`{{ item }}`) to use Cinny. + when: "(vars[item] == '' or vars[item] is none) and matrix_client_cinny_container_image_self_build|bool" + with_items: + - "matrix_client_cinny_default_hs_url" diff --git a/roles/matrix-client-cinny/templates/config.json.j2 b/roles/matrix-client-cinny/templates/config.json.j2 new file mode 100644 index 00000000..9731a372 --- /dev/null +++ b/roles/matrix-client-cinny/templates/config.json.j2 @@ -0,0 +1,6 @@ +{ + "defaultHomeserver": 0, + "homeserverList": [ + {{ matrix_client_cinny_default_hs_url|string|to_json }} + ] +} diff --git a/roles/matrix-client-cinny/templates/nginx.conf.j2 b/roles/matrix-client-cinny/templates/nginx.conf.j2 new file mode 100644 index 00000000..fba16bbd --- /dev/null +++ b/roles/matrix-client-cinny/templates/nginx.conf.j2 @@ -0,0 +1,66 @@ +#jinja2: lstrip_blocks: "True" +# This is a custom nginx configuration file that we use in the container (instead of the default one), +# because it allows us to run nginx with a non-root user. +# +# For this to work, the default vhost file (`/etc/nginx/conf.d/default.conf`) also needs to be removed. +# (mounting `/dev/null` over `/etc/nginx/conf.d/default.conf` works well) +# +# The following changes have been done compared to a default nginx configuration file: +# - default server port is changed (80 -> 8080), so that a non-root user can bind it +# - various temp paths are changed to `/tmp`, so that a non-root user can write to them +# - the `user` directive was removed, as we don't want nginx to switch users + +worker_processes 1; + +error_log /var/log/nginx/error.log warn; +pid /tmp/nginx.pid; + + +events { + worker_connections 1024; +} + + +http { + proxy_temp_path /tmp/proxy_temp; + client_body_temp_path /tmp/client_temp; + fastcgi_temp_path /tmp/fastcgi_temp; + uwsgi_temp_path /tmp/uwsgi_temp; + scgi_temp_path /tmp/scgi_temp; + + include /etc/nginx/mime.types; + default_type application/octet-stream; + + log_format main '$remote_addr - $remote_user [$time_local] "$request" ' + '$status $body_bytes_sent "$http_referer" ' + '"$http_user_agent" "$http_x_forwarded_for"'; + + access_log /var/log/nginx/access.log main; + + sendfile on; + #tcp_nopush on; + + keepalive_timeout 65; + + #gzip on; + + server { + listen 8080; + server_name localhost; + + root /usr/share/nginx/html; + + location / { + index index.html index.htm; + } + + location ~* ^/(config(.+)?\.json$|(.+)\.html$|i18n) { + expires -1; + } + + error_page 500 502 503 504 /50x.html; + location = /50x.html { + root /usr/share/nginx/html; + } + } +} diff --git a/roles/matrix-client-cinny/templates/systemd/matrix-client-cinny.service.j2 b/roles/matrix-client-cinny/templates/systemd/matrix-client-cinny.service.j2 new file mode 100644 index 00000000..aa5a0432 --- /dev/null +++ b/roles/matrix-client-cinny/templates/systemd/matrix-client-cinny.service.j2 @@ -0,0 +1,40 @@ +#jinja2: lstrip_blocks: "True" +[Unit] +Description=Matrix Cinny Client +{% for service in matrix_client_cinny_systemd_required_services_list %} +Requires={{ service }} +After={{ service }} +{% endfor %} +DefaultDependencies=no + +[Service] +Type=simple +Environment="HOME={{ matrix_systemd_unit_home_path }}" +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-client-cinny 2>/dev/null' +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-client-cinny 2>/dev/null' + +ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-client-cinny \ + --log-driver=none \ + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + --cap-drop=ALL \ + --read-only \ + --network={{ matrix_docker_network }} \ + {% if matrix_client_cinny_container_http_host_bind_port %} + -p {{ matrix_client_cinny_container_http_host_bind_port }}:8080 \ + {% endif %} + --tmpfs=/tmp:rw,noexec,nosuid,size=10m \ + --mount type=bind,src={{ matrix_client_cinny_data_path }}/nginx.conf,dst=/etc/nginx/nginx.conf,ro \ + --mount type=bind,src={{ matrix_client_cinny_data_path }}/config.json,dst=/app/config.json,ro \ + {% for arg in matrix_client_cinny_container_extra_arguments %} + {{ arg }} \ + {% endfor %} + {{ matrix_client_cinny_docker_image }} + +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-client-cinny 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-client-cinny 2>/dev/null' +Restart=always +RestartSec=30 +SyslogIdentifier=matrix-client-cinny + +[Install] +WantedBy=multi-user.target diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index 27b0b42d..74f53e67 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -128,6 +128,10 @@ matrix_nginx_proxy_proxy_element_hostname: "{{ matrix_server_fqn_element }}" matrix_nginx_proxy_proxy_hydrogen_enabled: false matrix_nginx_proxy_proxy_hydrogen_hostname: "{{ matrix_server_fqn_hydrogen }}" +# Controls whether proxying the Cinny domain should be done. +matrix_nginx_proxy_proxy_cinny_enabled: false +matrix_nginx_proxy_proxy_cinny_hostname: "{{ matrix_server_fqn_cinny }}" + # Controls whether proxying the matrix domain should be done. matrix_nginx_proxy_proxy_matrix_enabled: false matrix_nginx_proxy_proxy_matrix_hostname: "{{ matrix_server_fqn_matrix }}" @@ -273,9 +277,12 @@ matrix_nginx_proxy_proxy_riot_additional_server_configuration_blocks: [] # A list of strings containing additional configuration blocks to add to Element's server configuration (matrix-client-element.conf). matrix_nginx_proxy_proxy_element_additional_server_configuration_blocks: [] -# A list of strings containing additional configuration blocks to add to Element's server configuration (matrix-client-element.conf). +# A list of strings containing additional configuration blocks to add to Hydrogen's server configuration (matrix-client-hydrogen.conf). matrix_nginx_proxy_proxy_hydrogen_additional_server_configuration_blocks: [] +# A list of strings containing additional configuration blocks to add to Cinny's server configuration (matrix-client-cinny.conf). +matrix_nginx_proxy_proxy_cinny_additional_server_configuration_blocks: [] + # A list of strings containing additional configuration blocks to add to Dimension's server configuration (matrix-dimension.conf). matrix_nginx_proxy_proxy_dimension_additional_server_configuration_blocks: [] diff --git a/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml b/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml index d325d2f0..5ddbb19d 100644 --- a/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml +++ b/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml @@ -88,6 +88,13 @@ mode: 0644 when: matrix_nginx_proxy_proxy_hydrogen_enabled|bool +- name: Ensure Matrix nginx-proxy configuration for Cinny domain exists + template: + src: "{{ role_path }}/templates/nginx/conf.d/matrix-client-cinny.conf.j2" + dest: "{{ matrix_nginx_proxy_confd_path }}/matrix-client-cinny.conf" + mode: 0644 + when: matrix_nginx_proxy_proxy_cinny_enabled|bool + - name: Ensure Matrix nginx-proxy configuration for dimension domain exists template: src: "{{ role_path }}/templates/nginx/conf.d/matrix-dimension.conf.j2" @@ -227,6 +234,12 @@ state: absent when: "not matrix_nginx_proxy_proxy_hydrogen_enabled|bool" +- name: Ensure Matrix nginx-proxy configuration for Cinny domain deleted + file: + path: "{{ matrix_nginx_proxy_confd_path }}/matrix-client-cinny.conf" + state: absent + when: "not matrix_nginx_proxy_proxy_cinny_enabled|bool" + - name: Ensure Matrix nginx-proxy configuration for dimension domain deleted file: path: "{{ matrix_nginx_proxy_confd_path }}/matrix-dimension.conf" diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-cinny.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-cinny.conf.j2 new file mode 100644 index 00000000..df66349f --- /dev/null +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-cinny.conf.j2 @@ -0,0 +1,104 @@ +#jinja2: lstrip_blocks: "True" + +{% macro render_vhost_directives() %} + gzip on; + gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif; + + {% if matrix_nginx_proxy_hsts_preload_enabled %} + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; + {% else %} + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + {% endif %} + add_header X-XSS-Protection "{{ matrix_nginx_proxy_xss_protection }}"; + add_header X-Content-Type-Options nosniff; + add_header X-Frame-Options SAMEORIGIN; + add_header Content-Security-Policy "frame-ancestors 'none'"; + {% if matrix_nginx_proxy_floc_optout_enabled %} + add_header Permissions-Policy interest-cohort=() always; + {% endif %} + + {% for configuration_block in matrix_nginx_proxy_proxy_cinny_additional_server_configuration_blocks %} + {{- configuration_block }} + {% endfor %} + + location / { + {% if matrix_nginx_proxy_enabled %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver 127.0.0.11 valid=5s; + set $backend "matrix-client-cinny:8080"; + proxy_pass http://$backend; + {% else %} + {# Generic configuration for use outside of our container setup #} + proxy_pass http://127.0.0.1:8080; + {% endif %} + + proxy_set_header Host $host; + proxy_set_header X-Forwarded-For {{ matrix_nginx_proxy_x_forwarded_for }}; + } +{% endmacro %} + +server { + listen {{ 8080 if matrix_nginx_proxy_enabled else 80 }}; + listen [::]:{{ 8080 if matrix_nginx_proxy_enabled else 80 }}; + + + server_name {{ matrix_nginx_proxy_proxy_cinny_hostname }}; + + server_tokens off; + root /dev/null; + + {% if matrix_nginx_proxy_https_enabled %} + location /.well-known/acme-challenge { + {% if matrix_nginx_proxy_enabled %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver 127.0.0.11 valid=5s; + set $backend "matrix-certbot:8080"; + proxy_pass http://$backend; + {% else %} + {# Generic configuration for use outside of our container setup #} + proxy_pass http://127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}; + {% endif %} + } + + location / { + return 301 https://$http_host$request_uri; + } + {% else %} + {{ render_vhost_directives() }} + {% endif %} +} + +{% if matrix_nginx_proxy_https_enabled %} +server { + listen {{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2; + listen [::]:{{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2; + + server_name {{ matrix_nginx_proxy_proxy_cinny_hostname }}; + + server_tokens off; + root /dev/null; + + ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_cinny_hostname }}/fullchain.pem; + ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_cinny_hostname }}/privkey.pem; + + ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; + {% if matrix_nginx_proxy_ssl_ciphers != "" %} + ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }}; + {% endif %} + ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; + + {% if matrix_nginx_proxy_ocsp_stapling_enabled %} + ssl_stapling on; + ssl_stapling_verify on; + ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_cinny_hostname }}/chain.pem; + {% endif %} + + {% if matrix_nginx_proxy_ssl_session_tickets_off %} + ssl_session_tickets off; + {% endif %} + ssl_session_cache {{ matrix_nginx_proxy_ssl_session_cache }}; + ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }}; + + {{ render_vhost_directives() }} +} +{% endif %} diff --git a/setup.yml b/setup.yml index edd21205..99d4ab18 100755 --- a/setup.yml +++ b/setup.yml @@ -47,6 +47,7 @@ - matrix-registration - matrix-client-element - matrix-client-hydrogen + - matrix-client-cinny - matrix-jitsi - matrix-ma1sd - matrix-dimension From 490f11ba0df89f384d905318083bab0e078ea789 Mon Sep 17 00:00:00 2001 From: rakshazi Date: Thu, 6 Jan 2022 09:11:28 +0200 Subject: [PATCH 09/71] matrix-client-cinny: self_build feedback" --- group_vars/matrix_servers | 2 ++ roles/matrix-client-cinny/tasks/validate_config.yml | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index fb1762c7..d5dfb391 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -1771,6 +1771,8 @@ matrix_client_hydrogen_self_check_validate_certificates: "{{ false if matrix_ssl matrix_client_cinny_enabled: false +matrix_client_cinny_container_image_self_build: "{{ matrix_architecture != 'amd64' }}" + # Normally, matrix-nginx-proxy is enabled and nginx can reach Cinny over the container network. # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose # the HTTP port to the local host. diff --git a/roles/matrix-client-cinny/tasks/validate_config.yml b/roles/matrix-client-cinny/tasks/validate_config.yml index 198782e9..d8e804c5 100644 --- a/roles/matrix-client-cinny/tasks/validate_config.yml +++ b/roles/matrix-client-cinny/tasks/validate_config.yml @@ -3,6 +3,6 @@ fail: msg: > You need to define a required configuration setting (`{{ item }}`) to use Cinny. - when: "(vars[item] == '' or vars[item] is none) and matrix_client_cinny_container_image_self_build|bool" + when: "vars[item] == '' or vars[item] is none" with_items: - "matrix_client_cinny_default_hs_url" From 1098e64d19f1791a07faa2de93b7abc34ca2a95b Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 6 Jan 2022 10:53:07 +0200 Subject: [PATCH 10/71] Announce Cinny support Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1509 --- CHANGELOG.md | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 1d7331e9..8443d36a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,14 @@ +# 2022-01-06 + +## Cinny support + +Thanks to [Aine](https://gitlab.com/etke.cc) of [etke.cc](https://etke.cc/), the playbook now supports [Cinny](https://cinny.in/) - a new simple, elegant and secure Matrix client. + +By default, we still install Element. Still, people who'd like to try Cinny out can now install it via the playbook. + +Additional details are available in [Setting up Cinny](docs/configuring-playbook-client-cinny.md). + + # 2021-12-22 ## Twitter bridging support via mautrix-twitter From 7dfb68b7f82fb09edbcdcad2a98875be2c3dda42 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 6 Jan 2022 11:04:35 +0200 Subject: [PATCH 11/71] Add else statements to inline ifs Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1509 --- roles/matrix-client-cinny/defaults/main.yml | 2 +- roles/matrix-client-hydrogen/defaults/main.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/matrix-client-cinny/defaults/main.yml b/roles/matrix-client-cinny/defaults/main.yml index e693e2b2..21ce09d4 100644 --- a/roles/matrix-client-cinny/defaults/main.yml +++ b/roles/matrix-client-cinny/defaults/main.yml @@ -5,7 +5,7 @@ matrix_client_cinny_container_image_self_build_repo: "https://github.com/ajbura/ matrix_client_cinny_version: v1.6.1 matrix_client_cinny_docker_image: "{{ matrix_client_cinny_docker_image_name_prefix }}ajbura/cinny:{{ matrix_client_cinny_version }}" -matrix_client_cinny_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_cinny_container_image_self_build }}" +matrix_client_cinny_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_cinny_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_client_cinny_docker_image_force_pull: "{{ matrix_client_cinny_docker_image.endswith(':latest') }}" matrix_client_cinny_data_path: "{{ matrix_base_data_path }}/client-cinny" diff --git a/roles/matrix-client-hydrogen/defaults/main.yml b/roles/matrix-client-hydrogen/defaults/main.yml index 3cfb2337..4ca2224b 100644 --- a/roles/matrix-client-hydrogen/defaults/main.yml +++ b/roles/matrix-client-hydrogen/defaults/main.yml @@ -7,7 +7,7 @@ matrix_client_hydrogen_container_image_self_build_repo: "https://github.com/vect matrix_client_hydrogen_version: v0.2.19 matrix_client_hydrogen_docker_image: "{{ matrix_client_hydrogen_docker_image_name_prefix }}vectorim/hydrogen-web:{{ matrix_client_hydrogen_version }}" -matrix_client_hydrogen_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_hydrogen_container_image_self_build }}" +matrix_client_hydrogen_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_hydrogen_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_client_hydrogen_docker_image_force_pull: "{{ matrix_client_hydrogen_docker_image.endswith(':latest') }}" matrix_client_hydrogen_data_path: "{{ matrix_base_data_path }}/client-hydrogen" From 407e8c4940ecec98f9826df0c135443431459a5f Mon Sep 17 00:00:00 2001 From: rakshazi Date: Thu, 6 Jan 2022 20:30:10 +0200 Subject: [PATCH 12/71] added honoroit --- README.md | 2 + docs/configuring-playbook-bot-honoroit.md | 55 +++++++++++ docs/configuring-playbook.md | 2 + docs/container-images.md | 2 + docs/self-building.md | 1 + group_vars/matrix_servers | 37 ++++++++ roles/matrix-bot-honoroit/defaults/main.yml | 95 +++++++++++++++++++ roles/matrix-bot-honoroit/tasks/init.yml | 3 + roles/matrix-bot-honoroit/tasks/main.yml | 21 ++++ .../tasks/setup_install.yml | 86 +++++++++++++++++ .../tasks/setup_uninstall.yml | 36 +++++++ .../tasks/validate_config.yml | 10 ++ .../systemd/matrix-bot-honoroit.service.j2 | 51 ++++++++++ setup.yml | 1 + 14 files changed, 402 insertions(+) create mode 100644 docs/configuring-playbook-bot-honoroit.md create mode 100644 roles/matrix-bot-honoroit/defaults/main.yml create mode 100644 roles/matrix-bot-honoroit/tasks/init.yml create mode 100644 roles/matrix-bot-honoroit/tasks/main.yml create mode 100644 roles/matrix-bot-honoroit/tasks/setup_install.yml create mode 100644 roles/matrix-bot-honoroit/tasks/setup_uninstall.yml create mode 100644 roles/matrix-bot-honoroit/tasks/validate_config.yml create mode 100644 roles/matrix-bot-honoroit/templates/systemd/matrix-bot-honoroit.service.j2 diff --git a/README.md b/README.md index 80608c69..63875c5e 100644 --- a/README.md +++ b/README.md @@ -99,6 +99,8 @@ Using this playbook, you can get the following services configured on your serve - (optional) [matrix-reminder-bot](https://github.com/anoadragon453/matrix-reminder-bot) for scheduling one-off & recurring reminders and alarms - see [docs/configuring-playbook-bot-matrix-reminder-bot.md](docs/configuring-playbook-bot-matrix-reminder-bot.md) for setup documentation +- (optional) [honoroit](https://gitlab.com/etke.cc/honoroit) helpdesk bot - see [docs/configuring-playbook-bot-honoroit.md](docs/configuring-playbook-bot-honoroit.md) for setup documentation + - (optional) [Go-NEB](https://github.com/matrix-org/go-neb) multi functional bot written in Go - see [docs/configuring-playbook-bot-go-neb.md](docs/configuring-playbook-bot-go-neb.md) for setup documentation - (optional) [Mjolnir](https://github.com/matrix-org/mjolnir), a moderation tool for Matrix - see [docs/configuring-playbook-bot-mjolnir.md](docs/configuring-playbook-bot-mjolnir.md) for setup documentation diff --git a/docs/configuring-playbook-bot-honoroit.md b/docs/configuring-playbook-bot-honoroit.md new file mode 100644 index 00000000..45fc033d --- /dev/null +++ b/docs/configuring-playbook-bot-honoroit.md @@ -0,0 +1,55 @@ +# Setting up Honoroit (optional) + +The playbook can install and configure [Honoroit](https://gitlab.com/etke.cc/honoroit) for you. + +It's a bot you can use to setup **your own helpdesk on matrix** + +See the project's [documentation](https://gitlab.com/etke.cc/honoroit#how-it-looks-like) to learn what it does with screenshots and why it might be useful to you. + + +## Registering the bot user + +By default, the playbook will set up the bot with a username like this: `@honoroit:DOMAIN`. + +(to use a different username, adjust the `matrix_bot_honoroit_login` variable). + +You **need to register the bot user manually** before setting up the bot. You can use the playbook to [register a new user](registering-users.md): + +``` +ansible-playbook -i inventory/hosts setup.yml --extra-vars='username=honoroit password=PASSWORD_FOR_THE_BOT admin=no' --tags=register-user +``` + +Choose a strong password for the bot. You can generate a good password with a command like this: `pwgen -s 64 1`. + + +## Adjusting the playbook configuration + +Add the following configuration to your `inventory/host_vars/matrix.DOMAIN/vars.yml` file: + +```yaml +matrix_bot_honoroit_enabled: true + +# Adjust this to whatever password you chose when registering the bot user +matrix_bot_honoroit_password: PASSWORD_FOR_THE_BOT + +# Adjust this to your room ID +matrix_bot_honoroit_roomid: "!yourRoomID:DOMAIN" +``` + + +## Installing + +After configuring the playbook, run the [installation](installing.md) command again: + +``` +ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start +``` + + +## Usage + +To use the bot, invite the `@honoroit:DOMAIN` to the room you specified in config, after that any matrix user can send a message to the `@honoroit:DOMAIN` to start a new thread in that room. + +Send `!ho help` to the room to see the bot's help menu for additional commands. + +You can also refer to the upstream [documentation](https://gitlab.com/etke.cc/honoroit#features). diff --git a/docs/configuring-playbook.md b/docs/configuring-playbook.md index 6b5a9e5d..31168d23 100644 --- a/docs/configuring-playbook.md +++ b/docs/configuring-playbook.md @@ -142,6 +142,8 @@ When you're done with all the configuration you'd like to do, continue with [Ins - [Setting up matrix-reminder-bot](configuring-playbook-bot-matrix-reminder-bot.md) - a bot to remind you about stuff (optional) +- [Setting up honoroit](configuring-playbook-bot-honoroit.md) - a helpdesk bot (optional) + - [Setting up Go-NEB](configuring-playbook-bot-go-neb.md) - an extensible multifunctional bot (optional) - [Setting up Mjolnir](configuring-playbook-bot-mjolnir.md) - a moderation tool/bot (optional) diff --git a/docs/container-images.md b/docs/container-images.md index d52f3fdd..9be48736 100644 --- a/docs/container-images.md +++ b/docs/container-images.md @@ -92,6 +92,8 @@ These services are not part of our default installation, but can be enabled by [ - [anoa/matrix-reminder-bot](https://hub.docker.com/r/anoa/matrix-reminder-bot) - the [matrix-reminder-bot](https://github.com/anoadragon453/matrix-reminder-bot) bot for one-off & recurring reminders and alarms (optional) +- [etke.cc/honoroit](https://gitlab.com/etke.cc/honoroit/container_registry) - the [honoroit](https://gitlab.com/etke.cc/honoroit) helpdesk bot (optional) + - [matrixdotorg/go-neb](https://hub.docker.com/r/matrixdotorg/go-neb) - the [Go-NEB](https://github.com/matrix-org/go-neb) bot (optional) - [matrixdotorg/mjolnir](https://hub.docker.com/r/matrixdotorg/mjolnir) - the [mjolnir](https://github.com/matrix-org/mjolnir) moderation bot (optional) diff --git a/docs/self-building.md b/docs/self-building.md index 4d5c2db2..ef851f22 100644 --- a/docs/self-building.md +++ b/docs/self-building.md @@ -34,6 +34,7 @@ List of roles where self-building the Docker image is currently possible: - `matrix-bridge-mautrix-whatsapp` - `matrix-bridge-mx-puppet-skype` - `matrix-bot-mjolnir` +- `matrix-bot-honoroit` - `matrix-bot-matrix-reminder-bot` - `matrix-email2matrix` diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index d5dfb391..393984c0 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -946,6 +946,37 @@ matrix_bot_matrix_reminder_bot_container_self_build: "{{ matrix_architecture != # ###################################################################### +###################################################################### +# +# matrix-bot-honoroit +# +###################################################################### + +# We don't enable bots by default. +matrix_bot_honoroit_enabled: false + +matrix_bot_honoroit_systemd_required_services_list: | + {{ + ['docker.service'] + + + (['matrix-postgres.service'] if matrix_postgres_enabled else []) + + + (['matrix-synapse.service'] if matrix_synapse_enabled else []) + + + (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) + }} + +# Postgres is the default, except if not using `matrix_postgres` (internal postgres) +matrix_bot_honoroit_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" +matrix_bot_honoroit_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'honoroit.bot.db') | to_uuid }}" +matrix_bot_honoroit_container_self_build: "{{ matrix_architecture != 'amd64' }}" + +###################################################################### +# +# /matrix-bot-honoroit +# +###################################################################### + ###################################################################### # @@ -1489,6 +1520,12 @@ matrix_postgres_additional_databases: | 'password': matrix_bot_matrix_reminder_bot_database_password, }] if (matrix_bot_matrix_reminder_bot_enabled and matrix_bot_matrix_reminder_bot_database_engine == 'postgres' and matrix_bot_matrix_reminder_bot_database_hostname == 'matrix-postgres') else []) + + ([{ + 'name': matrix_bot_honoroit_database_name, + 'username': matrix_bot_honoroit_database_username, + 'password': matrix_bot_honoroit_database_password, + }] if (matrix_bot_honoroit_enabled and matrix_bot_honoroit_database_engine == 'postgres' and matrix_bot_honoroit_database_hostname == 'matrix-postgres') else []) + + ([{ 'name': matrix_registration_database_name, 'username': matrix_registration_database_username, diff --git a/roles/matrix-bot-honoroit/defaults/main.yml b/roles/matrix-bot-honoroit/defaults/main.yml new file mode 100644 index 00000000..ac612f84 --- /dev/null +++ b/roles/matrix-bot-honoroit/defaults/main.yml @@ -0,0 +1,95 @@ +# honoroit is a helpdesk bot +# See: https://gitlab.com/etke.cc/honoroit + +matrix_bot_honoroit_enabled: true + +matrix_bot_honoroit_container_self_build: false +matrix_bot_honoroit_docker_repo: "https://gitlab.com/etke.cc/honoroit.git" +matrix_bot_honoroit_docker_src_files_path: "{{ matrix_base_data_path }}/honoroit/docker-src" + +matrix_bot_honoroit_version: v0.9.0 +matrix_bot_honoroit_docker_image: "registry.gitlab.com/etke.cc/honoroit:{{ matrix_bot_honoroit_version }}" +matrix_bot_honoroit_docker_image_force_pull: "{{ matrix_bot_honoroit_docker_image.endswith(':latest') }}" + +matrix_bot_honoroit_base_path: "{{ matrix_base_data_path }}/honoroit" +matrix_bot_honoroit_config_path: "{{ matrix_bot_honoroit_base_path }}/config" +matrix_bot_honoroit_data_path: "{{ matrix_bot_honoroit_base_path }}/data" +matrix_bot_honoroit_data_store_path: "{{ matrix_bot_honoroit_data_path }}/store" + +# A list of extra arguments to pass to the container +matrix_bot_honoroit_container_extra_arguments: [] + +# List of systemd services that matrix-bot-honoroit.service depends on +matrix_bot_honoroit_systemd_required_services_list: ['docker.service'] + +# List of systemd services that matrix-bot-honoroit.service wants +matrix_bot_honoroit_systemd_wanted_services_list: [] + + +# Database-related configuration fields. +# +# To use SQLite, stick to these defaults. +# +# To use Postgres: +# - change the engine (`matrix_bot_honoroit_database_engine: 'postgres'`) +# - adjust your database credentials via the `matrix_bot_honoroit_database_*` variables +matrix_bot_honoroit_database_engine: 'sqlite' + +matrix_bot_honoroit_sqlite_database_path_local: "{{ matrix_bot_honoroit_data_path }}/bot.db" +matrix_bot_honoroit_sqlite_database_path_in_container: "/data/bot.db" + +matrix_bot_honoroit_database_username: 'honoroit' +matrix_bot_honoroit_database_password: 'some-password' +matrix_bot_honoroit_database_hostname: 'matrix-postgres' +matrix_bot_honoroit_database_port: 5432 +matrix_bot_honoroit_database_name: 'honoroit' + +matrix_bot_honoroit_database_connection_string: 'postgres://{{ matrix_bot_honoroit_database_username }}:{{ matrix_bot_honoroit_database_password }}@{{ matrix_bot_honoroit_database_hostname }}:{{ matrix_bot_honoroit_database_port }}/{{ matrix_bot_honoroit_database_name }}?sslmode=disable' + +matrix_bot_honoroit_storage_database: "{{ + { + 'sqlite': matrix_bot_honoroit_sqlite_database_path_in_container, + 'postgres': matrix_bot_honoroit_database_connection_string, + }[matrix_bot_honoroit_database_engine] +}}" + +matrix_bot_honoroit_database_dialect: "{{ + { + 'sqlite': 'sqlite3', + 'postgres': 'postgres', + }[matrix_bot_honoroit_database_engine] +}}" + + +# The bot's username. This user needs to be created manually beforehand. +# Also see `matrix_bot_honoroit_password`. +matrix_bot_honoroit_login: "honoroit" + +# The password that the bot uses to authenticate. +matrix_bot_honoroit_password: '' + +matrix_bot_honoroit_homeserver: "{{ matrix_homeserver_container_url }}" + +# The room ID where bot will create threads +matrix_bot_honoroit_roomid: '' + +# Command prefix +matrix_bot_honoroit_prefix: '' + +# Sentry DSN +matrix_bot_honoroit_sentry: '' + +# Log level +matrix_bot_honoroit_loglevel: '' + +# Text: greetings +matrix_bot_honoroit_text_greetings: '' + +# Text: error +matrix_bot_honoroit_text_error: '' + +# Text: empty room +matrix_bot_honoroit_text_emptyroom: '' + +# Text: done +matrix_bot_honoroit_text_done: '' diff --git a/roles/matrix-bot-honoroit/tasks/init.yml b/roles/matrix-bot-honoroit/tasks/init.yml new file mode 100644 index 00000000..1b652e56 --- /dev/null +++ b/roles/matrix-bot-honoroit/tasks/init.yml @@ -0,0 +1,3 @@ +- set_fact: + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-bot-honoroit.service'] }}" + when: matrix_bot_honoroit_enabled|bool diff --git a/roles/matrix-bot-honoroit/tasks/main.yml b/roles/matrix-bot-honoroit/tasks/main.yml new file mode 100644 index 00000000..bc5c1490 --- /dev/null +++ b/roles/matrix-bot-honoroit/tasks/main.yml @@ -0,0 +1,21 @@ +- import_tasks: "{{ role_path }}/tasks/init.yml" + tags: + - always + +- import_tasks: "{{ role_path }}/tasks/validate_config.yml" + when: "run_setup|bool and matrix_bot_honoroit_enabled|bool" + tags: + - setup-all + - setup-bot-honoroit + +- import_tasks: "{{ role_path }}/tasks/setup_install.yml" + when: "run_setup|bool and matrix_bot_honoroit_enabled|bool" + tags: + - setup-all + - setup-bot-honoroit + +- import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" + when: "run_setup|bool and not matrix_bot_honoroit_enabled|bool" + tags: + - setup-all + - setup-bot-honoroit diff --git a/roles/matrix-bot-honoroit/tasks/setup_install.yml b/roles/matrix-bot-honoroit/tasks/setup_install.yml new file mode 100644 index 00000000..33723175 --- /dev/null +++ b/roles/matrix-bot-honoroit/tasks/setup_install.yml @@ -0,0 +1,86 @@ +--- +- set_fact: + matrix_bot_honoroit_requires_restart: false + +- block: + - name: Check if an SQLite database already exists + stat: + path: "{{ matrix_bot_honoroit_sqlite_database_path_local }}" + register: matrix_bot_honoroit_sqlite_database_path_local_stat_result + + - block: + - set_fact: + matrix_postgres_db_migration_request: + src: "{{ matrix_bot_honoroit_sqlite_database_path_local }}" + dst: "{{ matrix_bot_honoroit_database_connection_string }}" + caller: "{{ role_path|basename }}" + engine_variable_name: 'matrix_bot_honoroit_database_engine' + engine_old: 'sqlite' + systemd_services_to_stop: ['matrix-bot-honoroit.service'] + + - import_tasks: "{{ role_path }}/../matrix-postgres/tasks/util/migrate_db_to_postgres.yml" + + - set_fact: + matrix_bot_honoroit_requires_restart: true + when: "matrix_bot_honoroit_sqlite_database_path_local_stat_result.stat.exists|bool" + when: "matrix_bot_honoroit_database_engine == 'postgres'" + +- name: Ensure honoroit paths exist + file: + path: "{{ item.path }}" + state: directory + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: + - { path: "{{ matrix_bot_honoroit_config_path }}", when: true } + - { path: "{{ matrix_bot_honoroit_data_path }}", when: true } + - { path: "{{ matrix_bot_honoroit_data_store_path }}", when: true } + - { path: "{{ matrix_bot_honoroit_docker_src_files_path }}", when: true} + when: "item.when|bool" + +- name: Ensure honoroit image is pulled + docker_image: + name: "{{ matrix_bot_honoroit_docker_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_bot_honoroit_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_bot_honoroit_docker_image_force_pull }}" + when: "not matrix_bot_honoroit_container_self_build|bool" + +- name: Ensure honoroit repository is present on self-build + git: + repo: "{{ matrix_bot_honoroit_docker_repo }}" + dest: "{{ matrix_bot_honoroit_docker_src_files_path }}" + force: "yes" + register: matrix_bot_honoroit_git_pull_results + when: "matrix_bot_honoroit_container_self_build|bool" + +- name: Ensure honoroit image is built + docker_image: + name: "{{ matrix_bot_honoroit_docker_image }}" + source: build + force_source: "{{ matrix_bot_honoroit_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mailer_git_pull_results.changed }}" + build: + dockerfile: docker/Dockerfile + path: "{{ matrix_bot_honoroit_docker_src_files_path }}" + pull: yes + when: "matrix_bot_honoroit_container_self_build|bool" + +- name: Ensure matrix-bot-honoroit.service installed + template: + src: "{{ role_path }}/templates/systemd/matrix-bot-honoroit.service.j2" + dest: "{{ matrix_systemd_path }}/matrix-bot-honoroit.service" + mode: 0644 + register: matrix_bot_honoroit_systemd_service_result + +- name: Ensure systemd reloaded after matrix-bot-honoroit.service installation + service: + daemon_reload: yes + when: "matrix_bot_honoroit_systemd_service_result.changed|bool" + +- name: Ensure matrix-bot-honoroit.service restarted, if necessary + service: + name: "matrix-bot-honoroit.service" + state: restarted + when: "matrix_bot_honoroit_requires_restart|bool" diff --git a/roles/matrix-bot-honoroit/tasks/setup_uninstall.yml b/roles/matrix-bot-honoroit/tasks/setup_uninstall.yml new file mode 100644 index 00000000..afad2cc1 --- /dev/null +++ b/roles/matrix-bot-honoroit/tasks/setup_uninstall.yml @@ -0,0 +1,36 @@ +--- + +- name: Check existence of matrix-honoroit service + stat: + path: "{{ matrix_systemd_path }}/matrix-bot-honoroit.service" + register: matrix_bot_honoroit_service_stat + +- name: Ensure matrix-honoroit is stopped + service: + name: matrix-bot-honoroit + state: stopped + enabled: no + daemon_reload: yes + register: stopping_result + when: "matrix_bot_honoroit_service_stat.stat.exists|bool" + +- name: Ensure matrix-bot-honoroit.service doesn't exist + file: + path: "{{ matrix_systemd_path }}/matrix-bot-honoroit.service" + state: absent + when: "matrix_bot_honoroit_service_stat.stat.exists|bool" + +- name: Ensure systemd reloaded after matrix-bot-honoroit.service removal + service: + daemon_reload: yes + when: "matrix_bot_honoroit_service_stat.stat.exists|bool" + +- name: Ensure Matrix honoroit paths don't exist + file: + path: "{{ matrix_bot_honoroit_base_path }}" + state: absent + +- name: Ensure honoroit Docker image doesn't exist + docker_image: + name: "{{ matrix_bot_honoroit_docker_image }}" + state: absent diff --git a/roles/matrix-bot-honoroit/tasks/validate_config.yml b/roles/matrix-bot-honoroit/tasks/validate_config.yml new file mode 100644 index 00000000..562bf9fb --- /dev/null +++ b/roles/matrix-bot-honoroit/tasks/validate_config.yml @@ -0,0 +1,10 @@ +--- + +- name: Fail if required settings not defined + fail: + msg: >- + You need to define a required configuration setting (`{{ item }}`). + when: "vars[item] == ''" + with_items: + - "matrix_bot_honoroit_password" + - "matrix_bot_honoroit_roomid" diff --git a/roles/matrix-bot-honoroit/templates/systemd/matrix-bot-honoroit.service.j2 b/roles/matrix-bot-honoroit/templates/systemd/matrix-bot-honoroit.service.j2 new file mode 100644 index 00000000..38c2c7ff --- /dev/null +++ b/roles/matrix-bot-honoroit/templates/systemd/matrix-bot-honoroit.service.j2 @@ -0,0 +1,51 @@ +#jinja2: lstrip_blocks: "True" +[Unit] +Description=Matrix helpdesk bot +{% for service in matrix_bot_honoroit_systemd_required_services_list %} +Requires={{ service }} +After={{ service }} +{% endfor %} +{% for service in matrix_bot_honoroit_systemd_wanted_services_list %} +Wants={{ service }} +{% endfor %} +DefaultDependencies=no + +[Service] +Type=simple +Environment="HOME={{ matrix_systemd_unit_home_path }}" +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-bot-honoroit 2>/dev/null' +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-bot-honoroit 2>/dev/null' + +ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-bot-honoroit \ + --log-driver=none \ + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + --cap-drop=ALL \ + --read-only \ + --network={{ matrix_docker_network }} \ + -e 'HONOROIT_LOGIN={{ matrix_bot_honoroit_login }}' \ + -e 'HONOROIT_PASSWORD={{ matrix_bot_honoroit_password }}' \ + -e 'HONOROIT_HOMESERVER={{ matrix_bot_honoroit_homeserver }}' \ + -e 'HONOROIT_ROOMID={{ matrix_bot_honoroit_roomid }}' \ + -e 'HONOROIT_DB_DSN={{ matrix_bot_honoroit_database_connection_string }}' \ + -e 'HONOROIT_DB_DIALECT={{ matrix_bot_honoroit_database_dialect }}' \ + -e 'HONOROIT_PREFIX={{ matrix_bot_honoroit_prefix }}' \ + -e 'HONOROIT_SENTRY={{ matrix_bot_honoroit_sentry }}' \ + -e 'HONOROIT_LOGLEVEL={{ matrix_bot_honoroit_loglevel }}' \ + -e 'HONOROIT_TEXT_GREETINGS={{ matrix_bot_honoroit_text_greetings }}' \ + -e 'HONOROIT_TEXT_ERROR={{ matrix_bot_honoroit_text_error }}' \ + -e 'HONOROIT_TEXT_EMPTYROOM={{ matrix_bot_honoroit_text_emptyroom }}' \ + -e 'HONOROIT_TEXT_DONE={{ matrix_bot_honoroit_text_done }}' \ + --mount type=bind,src={{ matrix_bot_honoroit_data_path }},dst=/data \ + {% for arg in matrix_bot_honoroit_container_extra_arguments %} + {{ arg }} \ + {% endfor %} + {{ matrix_bot_honoroit_docker_image }} + +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-bot-honoroit 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-bot-honoroit 2>/dev/null' +Restart=always +RestartSec=30 +SyslogIdentifier=matrix-bot-honoroit + +[Install] +WantedBy=multi-user.target diff --git a/setup.yml b/setup.yml index 99d4ab18..54e6c408 100755 --- a/setup.yml +++ b/setup.yml @@ -37,6 +37,7 @@ - matrix-bridge-sms - matrix-bridge-heisenbridge - matrix-bot-matrix-reminder-bot + - matrix-bot-honoroit - matrix-bot-go-neb - matrix-bot-mjolnir - matrix-synapse From d7af37e9e9076ec85d883ffb6abfcb73df219155 Mon Sep 17 00:00:00 2001 From: rakshazi Date: Fri, 7 Jan 2022 09:41:52 +0200 Subject: [PATCH 13/71] matrix-bot-honoroit feedback --- roles/matrix-bot-honoroit/defaults/main.yml | 10 +++++++++- roles/matrix-bot-honoroit/tasks/setup_install.yml | 6 ++++++ roles/matrix-bot-honoroit/templates/env.j2 | 15 +++++++++++++++ .../systemd/matrix-bot-honoroit.service.j2 | 14 +------------- 4 files changed, 31 insertions(+), 14 deletions(-) create mode 100644 roles/matrix-bot-honoroit/templates/env.j2 diff --git a/roles/matrix-bot-honoroit/defaults/main.yml b/roles/matrix-bot-honoroit/defaults/main.yml index ac612f84..ea83dde6 100644 --- a/roles/matrix-bot-honoroit/defaults/main.yml +++ b/roles/matrix-bot-honoroit/defaults/main.yml @@ -8,7 +8,8 @@ matrix_bot_honoroit_docker_repo: "https://gitlab.com/etke.cc/honoroit.git" matrix_bot_honoroit_docker_src_files_path: "{{ matrix_base_data_path }}/honoroit/docker-src" matrix_bot_honoroit_version: v0.9.0 -matrix_bot_honoroit_docker_image: "registry.gitlab.com/etke.cc/honoroit:{{ matrix_bot_honoroit_version }}" +matrix_bot_honoroit_docker_image: "{{ matrix_bot_honoroit_docker_image_name_prefix }}honoroit:{{ matrix_bot_honoroit_version }}" +matrix_bot_honoroit_docker_image_name_prefix: "{{ 'localhost/' if matrix_bot_honoroit_container_image_self_build else 'registry.gitlab.com/etke.cc/' }}" matrix_bot_honoroit_docker_image_force_pull: "{{ matrix_bot_honoroit_docker_image.endswith(':latest') }}" matrix_bot_honoroit_base_path: "{{ matrix_base_data_path }}/honoroit" @@ -93,3 +94,10 @@ matrix_bot_honoroit_text_emptyroom: '' # Text: done matrix_bot_honoroit_text_done: '' + +# Additional environment variables to pass to the Honoroit container +# +# Example: +# matrix_bot_honoroit_environment_variables_extension: | +# HONOROIT_TEXT_DONE=Done +matrix_bot_honoroit_environment_variables_extension: '' diff --git a/roles/matrix-bot-honoroit/tasks/setup_install.yml b/roles/matrix-bot-honoroit/tasks/setup_install.yml index 33723175..615235cb 100644 --- a/roles/matrix-bot-honoroit/tasks/setup_install.yml +++ b/roles/matrix-bot-honoroit/tasks/setup_install.yml @@ -39,6 +39,12 @@ - { path: "{{ matrix_bot_honoroit_docker_src_files_path }}", when: true} when: "item.when|bool" +- name: Ensure honoroit environment variables file created + template: + src: "{{ role_path }}/templates/env.j2" + dest: "{{ matrix_bot_honoroit_config_path }}/env" + mode: 0640 + - name: Ensure honoroit image is pulled docker_image: name: "{{ matrix_bot_honoroit_docker_image }}" diff --git a/roles/matrix-bot-honoroit/templates/env.j2 b/roles/matrix-bot-honoroit/templates/env.j2 new file mode 100644 index 00000000..4b1dd43f --- /dev/null +++ b/roles/matrix-bot-honoroit/templates/env.j2 @@ -0,0 +1,15 @@ +HONOROIT_LOGIN={{ matrix_bot_honoroit_login }} +HONOROIT_PASSWORD={{ matrix_bot_honoroit_password }} +HONOROIT_HOMESERVER={{ matrix_bot_honoroit_homeserver }} +HONOROIT_ROOMID={{ matrix_bot_honoroit_roomid }} +HONOROIT_DB_DSN={{ matrix_bot_honoroit_database_connection_string }} +HONOROIT_DB_DIALECT={{ matrix_bot_honoroit_database_dialect }} +HONOROIT_PREFIX={{ matrix_bot_honoroit_prefix }} +HONOROIT_SENTRY={{ matrix_bot_honoroit_sentry }} +HONOROIT_LOGLEVEL={{ matrix_bot_honoroit_loglevel }} +HONOROIT_TEXT_GREETINGS={{ matrix_bot_honoroit_text_greetings }} +HONOROIT_TEXT_ERROR={{ matrix_bot_honoroit_text_error }} +HONOROIT_TEXT_EMPTYROOM={{ matrix_bot_honoroit_text_emptyroom }} +HONOROIT_TEXT_DONE={{ matrix_bot_honoroit_text_done }} + +{{ matrix_bot_honoroit_environment_variables_extension }} diff --git a/roles/matrix-bot-honoroit/templates/systemd/matrix-bot-honoroit.service.j2 b/roles/matrix-bot-honoroit/templates/systemd/matrix-bot-honoroit.service.j2 index 38c2c7ff..c4eb1a94 100644 --- a/roles/matrix-bot-honoroit/templates/systemd/matrix-bot-honoroit.service.j2 +++ b/roles/matrix-bot-honoroit/templates/systemd/matrix-bot-honoroit.service.j2 @@ -22,19 +22,7 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-bot-honoroit \ --cap-drop=ALL \ --read-only \ --network={{ matrix_docker_network }} \ - -e 'HONOROIT_LOGIN={{ matrix_bot_honoroit_login }}' \ - -e 'HONOROIT_PASSWORD={{ matrix_bot_honoroit_password }}' \ - -e 'HONOROIT_HOMESERVER={{ matrix_bot_honoroit_homeserver }}' \ - -e 'HONOROIT_ROOMID={{ matrix_bot_honoroit_roomid }}' \ - -e 'HONOROIT_DB_DSN={{ matrix_bot_honoroit_database_connection_string }}' \ - -e 'HONOROIT_DB_DIALECT={{ matrix_bot_honoroit_database_dialect }}' \ - -e 'HONOROIT_PREFIX={{ matrix_bot_honoroit_prefix }}' \ - -e 'HONOROIT_SENTRY={{ matrix_bot_honoroit_sentry }}' \ - -e 'HONOROIT_LOGLEVEL={{ matrix_bot_honoroit_loglevel }}' \ - -e 'HONOROIT_TEXT_GREETINGS={{ matrix_bot_honoroit_text_greetings }}' \ - -e 'HONOROIT_TEXT_ERROR={{ matrix_bot_honoroit_text_error }}' \ - -e 'HONOROIT_TEXT_EMPTYROOM={{ matrix_bot_honoroit_text_emptyroom }}' \ - -e 'HONOROIT_TEXT_DONE={{ matrix_bot_honoroit_text_done }}' \ + --env-file={{ matrix_bot_honoroit_config_path }}/env \ --mount type=bind,src={{ matrix_bot_honoroit_data_path }},dst=/data \ {% for arg in matrix_bot_honoroit_container_extra_arguments %} {{ arg }} \ From 6beb39a0627db90c15c51632a7da909b0ae9c37f Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 7 Jan 2022 09:53:16 +0200 Subject: [PATCH 14/71] Announce Honoroit support Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1511 --- CHANGELOG.md | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 8443d36a..7f6dcc35 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,12 @@ +# 2022-01-07 + +## Honoroit bot support + +Thanks to [Aine](https://gitlab.com/etke.cc) of [etke.cc](https://etke.cc/), the playbook can now help you set up [Honoroit](https://gitlab.com/etke.cc/honoroit) - a helpdesk bot. + +See our [Setting up Honoroit](docs/configuring-playbook-bot-honoroit.md) documentation to get started. + + # 2022-01-06 ## Cinny support From d66c812830771782817f8f411a9833e627ff88be Mon Sep 17 00:00:00 2001 From: rakshazi Date: Fri, 7 Jan 2022 09:06:25 +0000 Subject: [PATCH 15/71] matrix-bot-honoroit: fix self-build --- roles/matrix-bot-honoroit/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-bot-honoroit/defaults/main.yml b/roles/matrix-bot-honoroit/defaults/main.yml index ea83dde6..fc1713ba 100644 --- a/roles/matrix-bot-honoroit/defaults/main.yml +++ b/roles/matrix-bot-honoroit/defaults/main.yml @@ -9,7 +9,7 @@ matrix_bot_honoroit_docker_src_files_path: "{{ matrix_base_data_path }}/honoroit matrix_bot_honoroit_version: v0.9.0 matrix_bot_honoroit_docker_image: "{{ matrix_bot_honoroit_docker_image_name_prefix }}honoroit:{{ matrix_bot_honoroit_version }}" -matrix_bot_honoroit_docker_image_name_prefix: "{{ 'localhost/' if matrix_bot_honoroit_container_image_self_build else 'registry.gitlab.com/etke.cc/' }}" +matrix_bot_honoroit_docker_image_name_prefix: "{{ 'localhost/' if matrix_bot_honoroit_container_self_build else 'registry.gitlab.com/etke.cc/' }}" matrix_bot_honoroit_docker_image_force_pull: "{{ matrix_bot_honoroit_docker_image.endswith(':latest') }}" matrix_bot_honoroit_base_path: "{{ matrix_base_data_path }}/honoroit" From b0c801a4970584badeef6c6eeea7eb03beb10d08 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 7 Jan 2022 11:53:24 +0200 Subject: [PATCH 16/71] Rename variable for consistency (matrix_bot_honoroit_container_self_build -> matrix_bot_honoroit_container_image_self_build) Discussed in https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1514 --- group_vars/matrix_servers | 2 +- roles/matrix-bot-honoroit/defaults/main.yml | 4 ++-- roles/matrix-bot-honoroit/tasks/setup_install.yml | 6 +++--- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 393984c0..99d70c99 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -969,7 +969,7 @@ matrix_bot_honoroit_systemd_required_services_list: | # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_bot_honoroit_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" matrix_bot_honoroit_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'honoroit.bot.db') | to_uuid }}" -matrix_bot_honoroit_container_self_build: "{{ matrix_architecture != 'amd64' }}" +matrix_bot_honoroit_container_image_self_build: "{{ matrix_architecture != 'amd64' }}" ###################################################################### # diff --git a/roles/matrix-bot-honoroit/defaults/main.yml b/roles/matrix-bot-honoroit/defaults/main.yml index fc1713ba..4e3628f9 100644 --- a/roles/matrix-bot-honoroit/defaults/main.yml +++ b/roles/matrix-bot-honoroit/defaults/main.yml @@ -3,13 +3,13 @@ matrix_bot_honoroit_enabled: true -matrix_bot_honoroit_container_self_build: false +matrix_bot_honoroit_container_image_self_build: false matrix_bot_honoroit_docker_repo: "https://gitlab.com/etke.cc/honoroit.git" matrix_bot_honoroit_docker_src_files_path: "{{ matrix_base_data_path }}/honoroit/docker-src" matrix_bot_honoroit_version: v0.9.0 matrix_bot_honoroit_docker_image: "{{ matrix_bot_honoroit_docker_image_name_prefix }}honoroit:{{ matrix_bot_honoroit_version }}" -matrix_bot_honoroit_docker_image_name_prefix: "{{ 'localhost/' if matrix_bot_honoroit_container_self_build else 'registry.gitlab.com/etke.cc/' }}" +matrix_bot_honoroit_docker_image_name_prefix: "{{ 'localhost/' if matrix_bot_honoroit_container_image_self_build else 'registry.gitlab.com/etke.cc/' }}" matrix_bot_honoroit_docker_image_force_pull: "{{ matrix_bot_honoroit_docker_image.endswith(':latest') }}" matrix_bot_honoroit_base_path: "{{ matrix_base_data_path }}/honoroit" diff --git a/roles/matrix-bot-honoroit/tasks/setup_install.yml b/roles/matrix-bot-honoroit/tasks/setup_install.yml index 615235cb..76eeb006 100644 --- a/roles/matrix-bot-honoroit/tasks/setup_install.yml +++ b/roles/matrix-bot-honoroit/tasks/setup_install.yml @@ -51,7 +51,7 @@ source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" force_source: "{{ matrix_bot_honoroit_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_bot_honoroit_docker_image_force_pull }}" - when: "not matrix_bot_honoroit_container_self_build|bool" + when: "not matrix_bot_honoroit_container_image_self_build|bool" - name: Ensure honoroit repository is present on self-build git: @@ -59,7 +59,7 @@ dest: "{{ matrix_bot_honoroit_docker_src_files_path }}" force: "yes" register: matrix_bot_honoroit_git_pull_results - when: "matrix_bot_honoroit_container_self_build|bool" + when: "matrix_bot_honoroit_container_image_self_build|bool" - name: Ensure honoroit image is built docker_image: @@ -71,7 +71,7 @@ dockerfile: docker/Dockerfile path: "{{ matrix_bot_honoroit_docker_src_files_path }}" pull: yes - when: "matrix_bot_honoroit_container_self_build|bool" + when: "matrix_bot_honoroit_container_image_self_build|bool" - name: Ensure matrix-bot-honoroit.service installed template: From d9dd524db3f7a3b1710a763292e7fefbb47ca7de Mon Sep 17 00:00:00 2001 From: rakshazi Date: Fri, 7 Jan 2022 12:18:45 +0200 Subject: [PATCH 17/71] self-build consistency: rename vars everywhere --- group_vars/matrix_servers | 18 +++++++++--------- .../defaults/main.yml | 2 +- .../tasks/setup_install.yml | 6 +++--- .../defaults/main.yml | 2 +- .../tasks/init.yml | 2 +- .../tasks/setup_install.yml | 8 ++++---- .../defaults/main.yml | 2 +- .../tasks/init.yml | 2 +- .../tasks/setup_install.yml | 8 ++++---- .../defaults/main.yml | 4 ++-- .../tasks/setup_install.yml | 12 ++++++------ .../defaults/main.yml | 6 +++--- .../tasks/init.yml | 2 +- .../tasks/setup_install.yml | 14 +++++++------- roles/matrix-synapse-admin/defaults/main.yml | 6 +++--- roles/matrix-synapse-admin/tasks/init.yml | 2 +- roles/matrix-synapse-admin/tasks/setup.yml | 8 ++++---- .../tasks/validate_config.yml | 1 + 18 files changed, 53 insertions(+), 52 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 99d70c99..49f63ddf 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -143,7 +143,7 @@ matrix_appservice_webhooks_systemd_required_services_list: | # We don't enable bridges by default. matrix_appservice_slack_enabled: false -matrix_appservice_slack_container_self_build: "{{ matrix_architecture != 'amd64' }}" +matrix_appservice_slack_container_image_self_build: "{{ matrix_architecture != 'amd64' }}" # Normally, matrix-nginx-proxy is enabled and nginx can reach matrix-appservice-slack over the container network. # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose @@ -185,7 +185,7 @@ matrix_appservice_slack_database_password: "{{ '%s' | format(matrix_synapse_maca # We don't enable bridges by default. matrix_appservice_irc_enabled: false -matrix_appservice_irc_container_self_build: "{{ matrix_architecture != 'amd64' }}" +matrix_appservice_irc_container_image_self_build: "{{ matrix_architecture != 'amd64' }}" # Normally, matrix-nginx-proxy is enabled and nginx can reach matrix-appservice-irc over the container network. # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose @@ -459,8 +459,8 @@ matrix_mautrix_signal_login_shared_secret: "{{ matrix_synapse_ext_password_provi matrix_mautrix_signal_database_engine: 'postgres' matrix_mautrix_signal_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mau.signal.db') | to_uuid }}" -matrix_mautrix_signal_container_self_build: "{{ matrix_architecture not in ['amd64', 'arm64'] }}" -matrix_mautrix_signal_daemon_container_self_build: "{{ matrix_architecture != 'amd64' }}" +matrix_mautrix_signal_container_image_self_build: "{{ matrix_architecture not in ['amd64', 'arm64'] }}" +matrix_mautrix_signal_daemon_container_image_self_build: "{{ matrix_architecture != 'amd64' }}" ###################################################################### # @@ -478,9 +478,9 @@ matrix_mautrix_signal_daemon_container_self_build: "{{ matrix_architecture != 'a matrix_mautrix_telegram_enabled: false # Images are multi-arch (amd64 and arm64, but not arm32). -matrix_mautrix_telegram_container_self_build: "{{ matrix_architecture not in ['arm64', 'amd64'] }}" -matrix_telegram_lottieconverter_container_self_build: "{{ matrix_architecture not in ['arm64', 'amd64'] }}" -matrix_telegram_lottieconverter_container_self_build_mask_arch: "{{ matrix_architecture != 'amd64' }}" +matrix_mautrix_telegram_container_image_self_build: "{{ matrix_architecture not in ['arm64', 'amd64'] }}" +matrix_telegram_lottieconverter_container_image_self_build: "{{ matrix_architecture not in ['arm64', 'amd64'] }}" +matrix_telegram_lottieconverter_container_image_self_build_mask_arch: "{{ matrix_architecture != 'amd64' }}" matrix_mautrix_telegram_systemd_required_services_list: | {{ @@ -938,7 +938,7 @@ matrix_bot_matrix_reminder_bot_systemd_required_services_list: | # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_bot_matrix_reminder_bot_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" matrix_bot_matrix_reminder_bot_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'reminder.bot.db') | to_uuid }}" -matrix_bot_matrix_reminder_bot_container_self_build: "{{ matrix_architecture != 'amd64' }}" +matrix_bot_matrix_reminder_bot_container_image_self_build: "{{ matrix_architecture != 'amd64' }}" ###################################################################### # @@ -1948,7 +1948,7 @@ matrix_synapse_admin_enabled: false # Synapse Admin's HTTP port to the local host. matrix_synapse_admin_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:8766' }}" -matrix_synapse_admin_container_self_build: "{{ matrix_architecture != 'amd64' }}" +matrix_synapse_admin_container_image_self_build: "{{ matrix_architecture != 'amd64' }}" ###################################################################### # diff --git a/roles/matrix-bot-matrix-reminder-bot/defaults/main.yml b/roles/matrix-bot-matrix-reminder-bot/defaults/main.yml index 3e955673..419e3cca 100644 --- a/roles/matrix-bot-matrix-reminder-bot/defaults/main.yml +++ b/roles/matrix-bot-matrix-reminder-bot/defaults/main.yml @@ -3,7 +3,7 @@ matrix_bot_matrix_reminder_bot_enabled: true -matrix_bot_matrix_reminder_bot_container_self_build: false +matrix_bot_matrix_reminder_bot_container_image_self_build: false matrix_bot_matrix_reminder_bot_docker_repo: "https://github.com/anoadragon453/matrix-reminder-bot.git" matrix_bot_matrix_reminder_bot_docker_src_files_path: "{{ matrix_base_data_path }}/matrix-reminder-bot/docker-src" diff --git a/roles/matrix-bot-matrix-reminder-bot/tasks/setup_install.yml b/roles/matrix-bot-matrix-reminder-bot/tasks/setup_install.yml index dada8167..bd33326f 100644 --- a/roles/matrix-bot-matrix-reminder-bot/tasks/setup_install.yml +++ b/roles/matrix-bot-matrix-reminder-bot/tasks/setup_install.yml @@ -46,7 +46,7 @@ source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" force_source: "{{ matrix_bot_matrix_reminder_bot_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_bot_matrix_reminder_bot_docker_image_force_pull }}" - when: "not matrix_bot_matrix_reminder_bot_container_self_build|bool" + when: "not matrix_bot_matrix_reminder_bot_container_image_self_build|bool" - name: Ensure matrix-reminder-bot repository is present on self-build git: @@ -54,7 +54,7 @@ dest: "{{ matrix_bot_matrix_reminder_bot_docker_src_files_path }}" force: "yes" register: matrix_bot_matrix_reminder_bot_git_pull_results - when: "matrix_bot_matrix_reminder_bot_container_self_build|bool" + when: "matrix_bot_matrix_reminder_bot_container_image_self_build|bool" - name: Ensure matrix-reminder-bot image is built docker_image: @@ -66,7 +66,7 @@ dockerfile: docker/Dockerfile path: "{{ matrix_bot_matrix_reminder_bot_docker_src_files_path }}" pull: yes - when: "matrix_bot_matrix_reminder_bot_container_self_build|bool" + when: "matrix_bot_matrix_reminder_bot_container_image_self_build|bool" - name: Ensure matrix-reminder-bot config installed copy: diff --git a/roles/matrix-bridge-appservice-irc/defaults/main.yml b/roles/matrix-bridge-appservice-irc/defaults/main.yml index 57604b19..25b0a241 100644 --- a/roles/matrix-bridge-appservice-irc/defaults/main.yml +++ b/roles/matrix-bridge-appservice-irc/defaults/main.yml @@ -3,7 +3,7 @@ matrix_appservice_irc_enabled: true -matrix_appservice_irc_container_self_build: false +matrix_appservice_irc_container_image_self_build: false matrix_appservice_irc_docker_repo: "https://github.com/matrix-org/matrix-appservice-irc.git" matrix_appservice_irc_docker_src_files_path: "{{ matrix_base_data_path }}/appservice-irc/docker-src" diff --git a/roles/matrix-bridge-appservice-irc/tasks/init.yml b/roles/matrix-bridge-appservice-irc/tasks/init.yml index e1355796..b90d93a5 100644 --- a/roles/matrix-bridge-appservice-irc/tasks/init.yml +++ b/roles/matrix-bridge-appservice-irc/tasks/init.yml @@ -3,7 +3,7 @@ - name: Fail if trying to self-build on Ansible < 2.8 fail: msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_appservice_irc_container_self_build and matrix_appservice_irc_enabled" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_appservice_irc_container_image_self_build and matrix_appservice_irc_enabled" # If the matrix-synapse role is not used, `matrix_synapse_role_executed` won't exist. # We don't want to fail in such cases. diff --git a/roles/matrix-bridge-appservice-irc/tasks/setup_install.yml b/roles/matrix-bridge-appservice-irc/tasks/setup_install.yml index 75af882a..20714a41 100644 --- a/roles/matrix-bridge-appservice-irc/tasks/setup_install.yml +++ b/roles/matrix-bridge-appservice-irc/tasks/setup_install.yml @@ -11,7 +11,7 @@ - { path: "{{ matrix_appservice_irc_base_path }}", when: true } - { path: "{{ matrix_appservice_irc_config_path }}", when: true } - { path: "{{ matrix_appservice_irc_data_path }}", when: true } - - { path: "{{ matrix_appservice_irc_docker_src_files_path }}", when: "{{ matrix_appservice_irc_container_self_build }}" } + - { path: "{{ matrix_appservice_irc_docker_src_files_path }}", when: "{{ matrix_appservice_irc_container_image_self_build }}" } when: item.when|bool - name: Check if an old passkey file already exists @@ -61,7 +61,7 @@ source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" force_source: "{{ matrix_appservice_irc_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_appservice_irc_docker_image_force_pull }}" - when: "matrix_appservice_irc_enabled|bool and not matrix_appservice_irc_container_self_build|bool" + when: "matrix_appservice_irc_enabled|bool and not matrix_appservice_irc_container_image_self_build|bool" - name: Ensure matrix-appservice-irc repository is present when self-building git: @@ -69,7 +69,7 @@ dest: "{{ matrix_appservice_irc_docker_src_files_path }}" force: "yes" register: matrix_appservice_irc_git_pull_results - when: "matrix_appservice_irc_enabled|bool and matrix_appservice_irc_container_self_build|bool" + when: "matrix_appservice_irc_enabled|bool and matrix_appservice_irc_container_image_self_build|bool" - name: Ensure matrix-appservice-irc Docker image is built docker_image: @@ -81,7 +81,7 @@ dockerfile: Dockerfile path: "{{ matrix_appservice_irc_docker_src_files_path }}" pull: yes - when: "matrix_appservice_irc_enabled|bool and matrix_appservice_irc_container_self_build|bool and matrix_appservice_irc_git_pull_results.changed" + when: "matrix_appservice_irc_enabled|bool and matrix_appservice_irc_container_image_self_build|bool and matrix_appservice_irc_git_pull_results.changed" - name: Ensure Matrix Appservice IRC config installed copy: diff --git a/roles/matrix-bridge-appservice-slack/defaults/main.yml b/roles/matrix-bridge-appservice-slack/defaults/main.yml index 4f4d5e2f..0a578b41 100644 --- a/roles/matrix-bridge-appservice-slack/defaults/main.yml +++ b/roles/matrix-bridge-appservice-slack/defaults/main.yml @@ -3,7 +3,7 @@ matrix_appservice_slack_enabled: true -matrix_appservice_slack_container_self_build: false +matrix_appservice_slack_container_image_self_build: false matrix_appservice_slack_docker_repo: "https://github.com/matrix-org/matrix-appservice-slack.git" matrix_appservice_slack_docker_src_files_path: "{{ matrix_base_data_path }}/appservice-slack/docker-src" diff --git a/roles/matrix-bridge-appservice-slack/tasks/init.yml b/roles/matrix-bridge-appservice-slack/tasks/init.yml index f6aada6d..7f251ec5 100644 --- a/roles/matrix-bridge-appservice-slack/tasks/init.yml +++ b/roles/matrix-bridge-appservice-slack/tasks/init.yml @@ -3,7 +3,7 @@ - name: Fail if trying to self-build on Ansible < 2.8 fail: msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_appservice_slack_container_self_build and matrix_appservice_slack_enabled" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_appservice_slack_container_image_self_build and matrix_appservice_slack_enabled" # If the matrix-synapse role is not used, `matrix_synapse_role_executed` won't exist. # We don't want to fail in such cases. diff --git a/roles/matrix-bridge-appservice-slack/tasks/setup_install.yml b/roles/matrix-bridge-appservice-slack/tasks/setup_install.yml index b170fcb8..8c5a1eed 100644 --- a/roles/matrix-bridge-appservice-slack/tasks/setup_install.yml +++ b/roles/matrix-bridge-appservice-slack/tasks/setup_install.yml @@ -11,7 +11,7 @@ - { path: "{{ matrix_appservice_slack_base_path }}", when: true } - { path: "{{ matrix_appservice_slack_config_path }}", when: true } - { path: "{{ matrix_appservice_slack_data_path }}", when: true } - - { path: "{{ matrix_appservice_slack_docker_src_files_path }}", when: "{{ matrix_appservice_slack_container_self_build }}" } + - { path: "{{ matrix_appservice_slack_docker_src_files_path }}", when: "{{ matrix_appservice_slack_container_image_self_build }}" } when: item.when|bool - set_fact: @@ -37,7 +37,7 @@ source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" force_source: "{{ matrix_appservice_slack_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_appservice_slack_docker_image_force_pull }}" - when: "not matrix_appservice_slack_container_self_build|bool" + when: "not matrix_appservice_slack_container_image_self_build|bool" - name: Ensure matrix-appservice-slack repository is present when self-building git: @@ -45,7 +45,7 @@ dest: "{{ matrix_appservice_slack_docker_src_files_path }}" force: "yes" register: matrix_appservice_slack_git_pull_results - when: "matrix_appservice_slack_container_self_build|bool" + when: "matrix_appservice_slack_container_image_self_build|bool" - name: Ensure matrix-appservice-slack Docker image is built docker_image: @@ -57,7 +57,7 @@ dockerfile: Dockerfile path: "{{ matrix_appservice_slack_docker_src_files_path }}" pull: yes - when: "matrix_appservice_slack_container_self_build|bool and matrix_appservice_slack_git_pull_results.changed" + when: "matrix_appservice_slack_container_image_self_build|bool and matrix_appservice_slack_git_pull_results.changed" - name: Ensure Matrix Appservice Slack config installed copy: diff --git a/roles/matrix-bridge-mautrix-signal/defaults/main.yml b/roles/matrix-bridge-mautrix-signal/defaults/main.yml index 6e0a9918..9eebedd7 100644 --- a/roles/matrix-bridge-mautrix-signal/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-signal/defaults/main.yml @@ -3,7 +3,7 @@ matrix_mautrix_signal_enabled: true -matrix_mautrix_signal_container_self_build: false +matrix_mautrix_signal_container_image_self_build: false matrix_mautrix_signal_docker_repo: "https://mau.dev/mautrix/signal.git" matrix_mautrix_signal_docker_src_files_path: "{{ matrix_base_data_path }}/mautrix-signal/docker-src" @@ -13,7 +13,7 @@ matrix_mautrix_signal_daemon_version: latest matrix_mautrix_signal_docker_image: "dock.mau.dev/mautrix/signal:{{ matrix_mautrix_signal_version }}" matrix_mautrix_signal_docker_image_force_pull: "{{ matrix_mautrix_signal_docker_image.endswith(':latest') }}" -matrix_mautrix_signal_daemon_container_self_build: false +matrix_mautrix_signal_daemon_container_image_self_build: false matrix_mautrix_signal_daemon_docker_repo: "https://mau.dev/maunium/signald.git" matrix_mautrix_signal_daemon_docker_src_files_path: "{{ matrix_base_data_path }}/mautrix-signald/docker-src" diff --git a/roles/matrix-bridge-mautrix-signal/tasks/setup_install.yml b/roles/matrix-bridge-mautrix-signal/tasks/setup_install.yml index 88710868..bc6331ac 100644 --- a/roles/matrix-bridge-mautrix-signal/tasks/setup_install.yml +++ b/roles/matrix-bridge-mautrix-signal/tasks/setup_install.yml @@ -14,7 +14,7 @@ source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" force_source: "{{ matrix_mautrix_signal_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mautrix_signal_docker_image_force_pull }}" - when: "not matrix_mautrix_signal_container_self_build|bool" + when: "not matrix_mautrix_signal_container_image_self_build|bool" - name: Ensure Mautrix Signal repository is present on self-build @@ -23,7 +23,7 @@ dest: "{{ matrix_mautrix_signal_docker_src_files_path }}" force: "yes" register: matrix_mautrix_signal_git_pull_results - when: "matrix_mautrix_signal_container_self_build|bool" + when: "matrix_mautrix_signal_container_image_self_build|bool" - name: Ensure Mautrix Signal image is built docker_image: @@ -35,7 +35,7 @@ dockerfile: Dockerfile path: "{{ matrix_mautrix_signal_docker_src_files_path }}" pull: yes - when: "matrix_mautrix_signal_container_self_build|bool" + when: "matrix_mautrix_signal_container_image_self_build|bool" - name: Ensure Mautrix Signal Daemon image is pulled @@ -44,7 +44,7 @@ source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" force_source: "{{ matrix_mautrix_signal_daemon_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mautrix_signal_daemon_docker_image_force_pull }}" - when: matrix_mautrix_signal_enabled and not matrix_mautrix_signal_daemon_container_self_build|bool + when: matrix_mautrix_signal_enabled and not matrix_mautrix_signal_daemon_container_image_self_build|bool register: matrix_mautrix_signal_daemon_pull_results - name: Ensure Mautrix Signal Daemon repository is present on self-build @@ -53,7 +53,7 @@ dest: "{{ matrix_mautrix_signal_daemon_docker_src_files_path }}" force: "yes" register: matrix_mautrix_signal_daemon_git_pull_results - when: "matrix_mautrix_signal_daemon_container_self_build|bool" + when: "matrix_mautrix_signal_daemon_container_image_self_build|bool" - name: Ensure Mautrix Signal Daemon image is built docker_image: @@ -65,7 +65,7 @@ dockerfile: Dockerfile path: "{{ matrix_mautrix_signal_daemon_docker_src_files_path }}" pull: yes - when: "matrix_mautrix_signal_daemon_container_self_build|bool" + when: "matrix_mautrix_signal_daemon_container_image_self_build|bool" - name: Ensure Mautrix Signal paths exist file: diff --git a/roles/matrix-bridge-mautrix-telegram/defaults/main.yml b/roles/matrix-bridge-mautrix-telegram/defaults/main.yml index 1995a7b7..7e7ee0a6 100644 --- a/roles/matrix-bridge-mautrix-telegram/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-telegram/defaults/main.yml @@ -3,13 +3,13 @@ matrix_mautrix_telegram_enabled: true -matrix_telegram_lottieconverter_container_self_build: false -matrix_telegram_lottieconverter_container_self_build_mask_arch: false +matrix_telegram_lottieconverter_container_image_self_build: false +matrix_telegram_lottieconverter_container_image_self_build_mask_arch: false matrix_telegram_lottieconverter_docker_repo: "https://mau.dev/tulir/lottieconverter.git" matrix_telegram_lottieconverter_docker_src_files_path: "{{ matrix_base_data_path }}/lotticonverter/docker-src" matrix_telegram_lottieconverter_docker_image: "dock.mau.dev/tulir/lottieconverter:alpine-3.14" # needs to be ajusted according to FROM clause of Dockerfile of mautrix-telegram -matrix_mautrix_telegram_container_self_build: false +matrix_mautrix_telegram_container_image_self_build: false matrix_mautrix_telegram_docker_repo: "https://mau.dev/mautrix/telegram.git" matrix_mautrix_telegram_docker_src_files_path: "{{ matrix_base_data_path }}/mautrix-telegram/docker-src" diff --git a/roles/matrix-bridge-mautrix-telegram/tasks/init.yml b/roles/matrix-bridge-mautrix-telegram/tasks/init.yml index bf903a57..662ea1c3 100644 --- a/roles/matrix-bridge-mautrix-telegram/tasks/init.yml +++ b/roles/matrix-bridge-mautrix-telegram/tasks/init.yml @@ -3,7 +3,7 @@ - name: Fail if trying to self-build on Ansible < 2.8 fail: msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mautrix_telegram_container_self_build and matrix_mautrix_telegram_enabled" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mautrix_telegram_container_image_self_build and matrix_mautrix_telegram_enabled" - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mautrix-telegram.service'] }}" diff --git a/roles/matrix-bridge-mautrix-telegram/tasks/setup_install.yml b/roles/matrix-bridge-mautrix-telegram/tasks/setup_install.yml index 1e87f1ae..1e34e2cd 100644 --- a/roles/matrix-bridge-mautrix-telegram/tasks/setup_install.yml +++ b/roles/matrix-bridge-mautrix-telegram/tasks/setup_install.yml @@ -45,7 +45,7 @@ - { path: "{{ matrix_mautrix_telegram_base_path }}", when: true } - { path: "{{ matrix_mautrix_telegram_config_path }}", when: true } - { path: "{{ matrix_mautrix_telegram_data_path }}", when: true } - - { path: "{{ matrix_mautrix_telegram_docker_src_files_path }}", when: "{{ matrix_mautrix_telegram_container_self_build }}" } + - { path: "{{ matrix_mautrix_telegram_docker_src_files_path }}", when: "{{ matrix_mautrix_telegram_container_image_self_build }}" } when: item.when|bool - name: Ensure Mautrix Telegram image is pulled @@ -54,7 +54,7 @@ source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" force_source: "{{ matrix_mautrix_telegram_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mautrix_telegram_docker_image_force_pull }}" - when: "not matrix_mautrix_telegram_container_self_build|bool" + when: "not matrix_mautrix_telegram_container_image_self_build|bool" - name: Ensure lottieconverter is present when self-building git: @@ -62,7 +62,7 @@ dest: "{{ matrix_telegram_lottieconverter_docker_src_files_path }}" force: "yes" register: matrix_telegram_lottieconverter_git_pull_results - when: "matrix_telegram_lottieconverter_container_self_build|bool and matrix_mautrix_telegram_container_self_build|bool" + when: "matrix_telegram_lottieconverter_container_image_self_build|bool and matrix_mautrix_telegram_container_image_self_build|bool" - name: Ensure lottieconverter Docker image is built docker_image: @@ -74,7 +74,7 @@ dockerfile: Dockerfile path: "{{ matrix_telegram_lottieconverter_docker_src_files_path }}" pull: yes - when: "matrix_telegram_lottieconverter_container_self_build|bool and matrix_telegram_lottieconverter_git_pull_results.changed and matrix_mautrix_telegram_container_self_build|bool" + when: "matrix_telegram_lottieconverter_container_image_self_build|bool and matrix_telegram_lottieconverter_git_pull_results.changed and matrix_mautrix_telegram_container_image_self_build|bool" - name: Ensure matrix-mautrix-telegram repository is present when self-building git: @@ -82,7 +82,7 @@ dest: "{{ matrix_mautrix_telegram_docker_src_files_path }}" force: "yes" register: matrix_mautrix_telegram_git_pull_results - when: "matrix_mautrix_telegram_container_self_build|bool" + when: "matrix_mautrix_telegram_container_image_self_build|bool" - name: Ensure matrix-mautrix-telegram Docker image is built docker_image: @@ -93,10 +93,10 @@ build: dockerfile: Dockerfile path: "{{ matrix_mautrix_telegram_docker_src_files_path }}" - pull: "{{ not matrix_telegram_lottieconverter_container_self_build_mask_arch|bool }}" + pull: "{{ not matrix_telegram_lottieconverter_container_image_self_build_mask_arch|bool }}" args: TARGETARCH: "" - when: "matrix_mautrix_telegram_container_self_build|bool and matrix_mautrix_telegram_git_pull_results.changed" + when: "matrix_mautrix_telegram_container_image_self_build|bool and matrix_mautrix_telegram_git_pull_results.changed" - name: Check if an old database file already exists stat: diff --git a/roles/matrix-synapse-admin/defaults/main.yml b/roles/matrix-synapse-admin/defaults/main.yml index 6d20d20f..db1024fa 100644 --- a/roles/matrix-synapse-admin/defaults/main.yml +++ b/roles/matrix-synapse-admin/defaults/main.yml @@ -3,14 +3,14 @@ matrix_synapse_admin_enabled: true -matrix_synapse_admin_container_self_build: false -matrix_synapse_admin_container_self_build_repo: "https://github.com/Awesome-Technologies/synapse-admin.git" +matrix_synapse_admin_container_image_self_build: false +matrix_synapse_admin_container_image_self_build_repo: "https://github.com/Awesome-Technologies/synapse-admin.git" matrix_synapse_admin_docker_src_files_path: "{{ matrix_base_data_path }}/synapse-admin/docker-src" matrix_synapse_admin_version: 0.8.4 matrix_synapse_admin_docker_image: "{{ matrix_synapse_admin_docker_image_name_prefix }}awesometechnologies/synapse-admin:{{ matrix_synapse_admin_version }}" -matrix_synapse_admin_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_admin_container_self_build else matrix_container_global_registry_prefix }}" +matrix_synapse_admin_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_admin_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_synapse_admin_docker_image_force_pull: "{{ matrix_synapse_admin_docker_image.endswith(':latest') }}" # A list of extra arguments to pass to the container diff --git a/roles/matrix-synapse-admin/tasks/init.yml b/roles/matrix-synapse-admin/tasks/init.yml index fccc9dfa..3ce5a693 100644 --- a/roles/matrix-synapse-admin/tasks/init.yml +++ b/roles/matrix-synapse-admin/tasks/init.yml @@ -3,7 +3,7 @@ - name: Fail if trying to self-build on Ansible < 2.8 fail: msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_synapse_admin_container_self_build and matrix_synapse_admin_enabled" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_synapse_admin_container_image_self_build and matrix_synapse_admin_enabled" - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-synapse-admin.service'] }}" diff --git a/roles/matrix-synapse-admin/tasks/setup.yml b/roles/matrix-synapse-admin/tasks/setup.yml index d54583af..9eac7f90 100644 --- a/roles/matrix-synapse-admin/tasks/setup.yml +++ b/roles/matrix-synapse-admin/tasks/setup.yml @@ -10,16 +10,16 @@ source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" force_source: "{{ matrix_synapse_admin_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_synapse_admin_docker_image_force_pull }}" - when: "matrix_synapse_admin_enabled|bool and not matrix_synapse_admin_container_self_build|bool" + when: "matrix_synapse_admin_enabled|bool and not matrix_synapse_admin_container_image_self_build|bool" - name: Ensure matrix-synapse-admin repository is present when self-building git: - repo: "{{ matrix_synapse_admin_container_self_build_repo }}" + repo: "{{ matrix_synapse_admin_container_image_self_build_repo }}" dest: "{{ matrix_synapse_admin_docker_src_files_path }}" version: "{{ matrix_synapse_admin_docker_image.split(':')[1] }}" force: "yes" register: matrix_synapse_admin_git_pull_results - when: "matrix_synapse_admin_enabled|bool and matrix_synapse_admin_container_self_build|bool" + when: "matrix_synapse_admin_enabled|bool and matrix_synapse_admin_container_image_self_build|bool" - name: Ensure matrix-synapse-admin Docker image is built docker_image: @@ -31,7 +31,7 @@ dockerfile: Dockerfile path: "{{ matrix_synapse_admin_docker_src_files_path }}" pull: yes - when: "matrix_synapse_admin_enabled|bool and matrix_synapse_admin_container_self_build|bool" + when: "matrix_synapse_admin_enabled|bool and matrix_synapse_admin_container_image_self_build|bool" - name: Ensure matrix-synapse-admin.service installed template: diff --git a/roles/matrix-synapse-admin/tasks/validate_config.yml b/roles/matrix-synapse-admin/tasks/validate_config.yml index e08680e0..d0640d7f 100644 --- a/roles/matrix-synapse-admin/tasks/validate_config.yml +++ b/roles/matrix-synapse-admin/tasks/validate_config.yml @@ -8,3 +8,4 @@ when: "item.old in vars" with_items: - {'old': 'matrix_synapse_admin_docker_repo', 'new': 'matrix_synapse_admin_container_self_build_repo'} + - {'old': 'matrix_synapse_admin_container_self_build_repo', 'new': 'matrix_synapse_admin_container_image_self_build_repo'} From c191bf54cace667e5eda26a2fb1419dd5bc8eb88 Mon Sep 17 00:00:00 2001 From: rakshazi Date: Fri, 7 Jan 2022 13:17:39 +0200 Subject: [PATCH 18/71] self-build consistency: add deprecation warnings --- .../tasks/validate_config.yml | 9 +++++++++ .../tasks/validate_config.yml | 1 + .../tasks/validate_config.yml | 9 +++++++++ .../tasks/validate_config.yml | 2 ++ .../tasks/validate_config.yml | 2 ++ roles/matrix-synapse-admin/tasks/validate_config.yml | 1 + 6 files changed, 24 insertions(+) diff --git a/roles/matrix-bot-matrix-reminder-bot/tasks/validate_config.yml b/roles/matrix-bot-matrix-reminder-bot/tasks/validate_config.yml index 983e7166..8963a312 100644 --- a/roles/matrix-bot-matrix-reminder-bot/tasks/validate_config.yml +++ b/roles/matrix-bot-matrix-reminder-bot/tasks/validate_config.yml @@ -8,3 +8,12 @@ with_items: - "matrix_bot_matrix_reminder_bot_matrix_user_password" - "matrix_bot_matrix_reminder_bot_reminders_timezone" + +- name: (Deprecation) Catch and report renamed settings + fail: + msg: >- + Your configuration contains a variable, which now has a different name. + Please change your configuration to rename the variable (`{{ item.old }}` -> `{{ item.new }}`). + when: "item.old in vars" + with_items: + - {'old': 'matrix_bot_matrix_reminder_bot_container_self_build', 'new': 'matrix_bot_matrix_reminder_bot_container_image_self_build'} diff --git a/roles/matrix-bridge-appservice-irc/tasks/validate_config.yml b/roles/matrix-bridge-appservice-irc/tasks/validate_config.yml index bd08427c..303f2640 100644 --- a/roles/matrix-bridge-appservice-irc/tasks/validate_config.yml +++ b/roles/matrix-bridge-appservice-irc/tasks/validate_config.yml @@ -33,3 +33,4 @@ when: "item.old in vars" with_items: - {'old': 'matrix_appservice_irc_container_expose_client_server_api_port', 'new': ''} + - {'old': 'matrix_appservice_irc_container_self_build', 'new': 'matrix_appservice_irc_container_image_self_build'} diff --git a/roles/matrix-bridge-appservice-slack/tasks/validate_config.yml b/roles/matrix-bridge-appservice-slack/tasks/validate_config.yml index e02c6ab0..1866c312 100644 --- a/roles/matrix-bridge-appservice-slack/tasks/validate_config.yml +++ b/roles/matrix-bridge-appservice-slack/tasks/validate_config.yml @@ -11,3 +11,12 @@ - "matrix_appservice_slack_homeserver_url" - "matrix_appservice_slack_homeserver_token" - "matrix_appservice_slack_id_token" + +- name: (Deprecation) Catch and report renamed settings + fail: + msg: >- + Your configuration contains a variable, which now has a different name. + Please change your configuration to rename the variable (`{{ item.old }}` -> `{{ item.new }}`). + when: "item.old in vars" + with_items: + - {'old': 'matrix_appservice_slack_container_self_build', 'new': 'matrix_appservice_slack_container_image_self_build'} diff --git a/roles/matrix-bridge-mautrix-signal/tasks/validate_config.yml b/roles/matrix-bridge-mautrix-signal/tasks/validate_config.yml index 100af3f8..108ac044 100644 --- a/roles/matrix-bridge-mautrix-signal/tasks/validate_config.yml +++ b/roles/matrix-bridge-mautrix-signal/tasks/validate_config.yml @@ -26,3 +26,5 @@ - {'old': 'matrix_mautrix_signal_db_port', 'new': 'matrix_mautrix_signal_database_port'} - {'old': 'matrix_mautrix_signal_db_url', 'new': 'matrix_mautrix_signal_database_connection_string'} - {'old': 'matrix_mautrix_signal_configuration_permissions', 'new': ''} + - {'old': 'matrix_mautrix_signal_container_self_build', 'new': 'matrix_mautrix_signal_container_image_self_build'} + - {'old': 'matrix_mautrix_signal_daemon_container_self_build', 'new': 'matrix_mautrix_signal_daemon_container_image_self_build'} diff --git a/roles/matrix-bridge-mautrix-telegram/tasks/validate_config.yml b/roles/matrix-bridge-mautrix-telegram/tasks/validate_config.yml index 5b1f3b00..db10a4cc 100644 --- a/roles/matrix-bridge-mautrix-telegram/tasks/validate_config.yml +++ b/roles/matrix-bridge-mautrix-telegram/tasks/validate_config.yml @@ -20,3 +20,5 @@ when: "item.old in vars" with_items: - {'old': 'matrix_mautrix_telegram_container_exposed_port_number', 'new': ''} + - {'old': 'matrix_mautrix_telegram_container_self_build', 'new': 'matrix_mautrix_telegram_container_image_self_build'} + - {'old': 'matrix_telegram_lottieconverter_container_self_build', 'new': 'matrix_mautrix_telegram_container_image_self_build'} diff --git a/roles/matrix-synapse-admin/tasks/validate_config.yml b/roles/matrix-synapse-admin/tasks/validate_config.yml index d0640d7f..20a5c170 100644 --- a/roles/matrix-synapse-admin/tasks/validate_config.yml +++ b/roles/matrix-synapse-admin/tasks/validate_config.yml @@ -8,4 +8,5 @@ when: "item.old in vars" with_items: - {'old': 'matrix_synapse_admin_docker_repo', 'new': 'matrix_synapse_admin_container_self_build_repo'} + - {'old': 'matrix_synapse_admin_container_self_build', 'new': 'matrix_synapse_admin_container_image_self_build'} - {'old': 'matrix_synapse_admin_container_self_build_repo', 'new': 'matrix_synapse_admin_container_image_self_build_repo'} From 2836667df28c695755854b407955700cfc2aa568 Mon Sep 17 00:00:00 2001 From: rakshazi Date: Fri, 7 Jan 2022 13:21:41 +0200 Subject: [PATCH 19/71] self-build consistency: missing var --- roles/matrix-bridge-mautrix-telegram/tasks/validate_config.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/matrix-bridge-mautrix-telegram/tasks/validate_config.yml b/roles/matrix-bridge-mautrix-telegram/tasks/validate_config.yml index db10a4cc..2067b97b 100644 --- a/roles/matrix-bridge-mautrix-telegram/tasks/validate_config.yml +++ b/roles/matrix-bridge-mautrix-telegram/tasks/validate_config.yml @@ -22,3 +22,4 @@ - {'old': 'matrix_mautrix_telegram_container_exposed_port_number', 'new': ''} - {'old': 'matrix_mautrix_telegram_container_self_build', 'new': 'matrix_mautrix_telegram_container_image_self_build'} - {'old': 'matrix_telegram_lottieconverter_container_self_build', 'new': 'matrix_mautrix_telegram_container_image_self_build'} + - {'old': 'matrix_telegram_lottieconverter_container_self_build_mask_arch', 'new': 'matrix_telegram_lottieconverter_container_image_self_build_mask_arch'} From 07af05690c0f52d09481614c2ac742bd79a82280 Mon Sep 17 00:00:00 2001 From: "Jip J. Dekker" Date: Sun, 24 Jan 2021 17:41:11 +1100 Subject: [PATCH 20/71] Add initial role for Dendrite as alternative Matrix server --- group_vars/matrix_servers | 98 + roles/matrix-dendrite/defaults/main.yml | 158 + .../matrix-dendrite/tasks/dendrite/setup.yml | 6 + .../tasks/dendrite/setup_install.yml | 85 + .../tasks/dendrite/setup_uninstall.yml | 28 + roles/matrix-dendrite/tasks/goofys/setup.yml | 7 + .../tasks/goofys/setup_install.yml | 41 + .../tasks/goofys/setup_uninstall.yml | 33 + .../tasks/import_media_store.yml | 81 + roles/matrix-dendrite/tasks/init.yml | 12 + roles/matrix-dendrite/tasks/main.yml | 50 + roles/matrix-dendrite/tasks/register_user.yml | 25 + .../tasks/self_check_client_api.yml | 20 + .../tasks/self_check_federation_api.yml | 25 + .../matrix-dendrite/tasks/setup_dendrite.yml | 19 + .../tasks/update_user_password.yml | 41 + .../matrix-dendrite/tasks/validate_config.yml | 16 + .../templates/dendrite/dendrite.yaml.j2 | 342 +++ .../templates/dendrite/homeserver.yaml.j2 | 2682 +++++++++++++++++ .../systemd/matrix-dendrite.service.j2 | 58 + .../matrix-dendrite-create-account.j2 | 12 + .../templates/goofys/env-goofys.j2 | 3 + .../goofys/systemd/matrix-goofys.service.j2 | 39 + roles/matrix-dendrite/vars/main.yml | 11 + setup.yml | 1 + 25 files changed, 3893 insertions(+) create mode 100644 roles/matrix-dendrite/defaults/main.yml create mode 100644 roles/matrix-dendrite/tasks/dendrite/setup.yml create mode 100644 roles/matrix-dendrite/tasks/dendrite/setup_install.yml create mode 100644 roles/matrix-dendrite/tasks/dendrite/setup_uninstall.yml create mode 100644 roles/matrix-dendrite/tasks/goofys/setup.yml create mode 100644 roles/matrix-dendrite/tasks/goofys/setup_install.yml create mode 100644 roles/matrix-dendrite/tasks/goofys/setup_uninstall.yml create mode 100644 roles/matrix-dendrite/tasks/import_media_store.yml create mode 100644 roles/matrix-dendrite/tasks/init.yml create mode 100644 roles/matrix-dendrite/tasks/main.yml create mode 100644 roles/matrix-dendrite/tasks/register_user.yml create mode 100644 roles/matrix-dendrite/tasks/self_check_client_api.yml create mode 100644 roles/matrix-dendrite/tasks/self_check_federation_api.yml create mode 100644 roles/matrix-dendrite/tasks/setup_dendrite.yml create mode 100644 roles/matrix-dendrite/tasks/update_user_password.yml create mode 100644 roles/matrix-dendrite/tasks/validate_config.yml create mode 100644 roles/matrix-dendrite/templates/dendrite/dendrite.yaml.j2 create mode 100644 roles/matrix-dendrite/templates/dendrite/homeserver.yaml.j2 create mode 100644 roles/matrix-dendrite/templates/dendrite/systemd/matrix-dendrite.service.j2 create mode 100644 roles/matrix-dendrite/templates/dendrite/usr-local-bin/matrix-dendrite-create-account.j2 create mode 100644 roles/matrix-dendrite/templates/goofys/env-goofys.j2 create mode 100644 roles/matrix-dendrite/templates/goofys/systemd/matrix-goofys.service.j2 create mode 100644 roles/matrix-dendrite/vars/main.yml diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 49f63ddf..18351f32 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -1508,6 +1508,48 @@ matrix_postgres_additional_databases: | 'password': matrix_synapse_database_password, }] if (matrix_synapse_enabled and matrix_synapse_database_database != matrix_postgres_db_name and matrix_synapse_database_host == 'matrix-postgres') else []) + + ([{ + 'name': matrix_dendrite_naffka_database, + 'username': matrix_dendrite_database_user, + 'password': matrix_dendrite_database_password, + },{ + 'name': matrix_dendrite_appservice_database, + 'username': matrix_dendrite_database_user, + 'password': matrix_dendrite_database_password, + },{ + 'name': matrix_dendrite_federationsender_database, + 'username': matrix_dendrite_database_user, + 'password': matrix_dendrite_database_password, + },{ + 'name': matrix_dendrite_keyserver_database, + 'username': matrix_dendrite_database_user, + 'password': matrix_dendrite_database_password, + },{ + 'name': matrix_dendrite_mediaapi_database, + 'username': matrix_dendrite_database_user, + 'password': matrix_dendrite_database_password, + },{ + 'name': matrix_dendrite_room_database, + 'username': matrix_dendrite_database_user, + 'password': matrix_dendrite_database_password, + },{ + 'name': matrix_dendrite_singingkeyserver_database, + 'username': matrix_dendrite_database_user, + 'password': matrix_dendrite_database_password, + },{ + 'name': matrix_dendrite_syncapi_database, + 'username': matrix_dendrite_database_user, + 'password': matrix_dendrite_database_password, + },{ + 'name': matrix_dendrite_account_database, + 'username': matrix_dendrite_database_user, + 'password': matrix_dendrite_database_password, + },{ + 'name': matrix_dendrite_device_database, + 'username': matrix_dendrite_database_user, + 'password': matrix_dendrite_database_password, + }] if (matrix_dendrite_enabled and matrix_dendrite_database_hostname == 'matrix-postgres') else []) + + ([{ 'name': matrix_ma1sd_database_name, 'username': matrix_ma1sd_database_username, @@ -2125,3 +2167,59 @@ matrix_postgres_backup_databases: | # /matrix-postgres-backup # ###################################################################### + +###################################################################### +# +# matrix-dendrite +# +###################################################################### + +# Normally, matrix-nginx-proxy is enabled and nginx can reach Dendrite over the container network. +# If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, +# you can expose Dendrite's ports to the host. +# +# For exposing the Matrix Client API's port (plain HTTP) to the local host. +matrix_dendrite_container_client_api_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:8008' }}" +# +# For exposing the Matrix Federation API's TLS port (HTTPS) to the internet on all network interfaces. +matrix_dendrite_container_federation_api_tls_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else matrix_federation_public_port }}" + +matrix_dendrite_database_password: "{{ matrix_dendrite_macaroon_secret_key | password_hash('sha512', 'dendrite.db') | to_uuid }}" + +# Even if TURN doesn't support TLS (it does by default), +# it doesn't hurt to try a secure connection anyway. +matrix_dendrite_turn_uris: | + {{ + [ + 'turns:' + matrix_server_fqn_matrix + '?transport=udp', + 'turns:' + matrix_server_fqn_matrix + '?transport=tcp', + 'turn:' + matrix_server_fqn_matrix + '?transport=udp', + 'turn:' + matrix_server_fqn_matrix + '?transport=tcp', + ] + if matrix_coturn_enabled + else [] + }} + +matrix_dendrite_turn_shared_secret: "{{ matrix_coturn_turn_static_auth_secret if matrix_coturn_enabled else '' }}" + +matrix_dendrite_disable_tls_validation: "{{ true if matrix_ssl_retrieval_method == 'self-signed' else false }}" + +matrix_dendrite_systemd_required_services_list: | + {{ + (['docker.service']) + + + (['matrix-postgres.service'] if matrix_postgres_enabled else []) + + + (['matrix-goofys'] if matrix_s3_media_store_enabled else []) + }} + +matrix_dendrite_systemd_wanted_services_list: | + {{ + (['matrix-coturn.service'] if matrix_coturn_enabled else []) + }} + +###################################################################### +# +# /matrix-dendrite +# +###################################################################### diff --git a/roles/matrix-dendrite/defaults/main.yml b/roles/matrix-dendrite/defaults/main.yml new file mode 100644 index 00000000..78bc9bb8 --- /dev/null +++ b/roles/matrix-dendrite/defaults/main.yml @@ -0,0 +1,158 @@ +# Dendrite is a second-generation Matrix homeserver currently in Beta +# See: https://github.com/matrix-org/dendrite + +matrix_dendrite_enabled: false + +matrix_dendrite_docker_image: "{{ matrix_dendrite_docker_image_name_prefix }}matrixdotorg/dendrite-monolith:{{ matrix_dendrite_docker_image_tag }}" +matrix_dendrite_docker_image_name_prefix: "docker.io/" +matrix_dendrite_docker_image_tag: "v0.3.6" +matrix_dendrite_docker_image_force_pull: "{{ matrix_dendrite_docker_image.endswith(':latest') }}" + +matrix_dendrite_base_path: "{{ matrix_base_data_path }}/dendrite" +matrix_dendrite_config_dir_path: "{{ matrix_dendrite_base_path }}/config" +matrix_dendrite_storage_path: "{{ matrix_dendrite_base_path }}/storage" +matrix_dendrite_media_store_path: "{{ matrix_dendrite_storage_path }}/media-store" +matrix_dendrite_ext_path: "{{ matrix_dendrite_base_path }}/ext" + +# Controls whether the matrix-dendrite container exposes the Client/Server API port (tcp/8008 in the container). +# +# Takes an ":" or "" value (e.g. "127.0.0.1:8008"), or empty string to not expose. +matrix_dendrite_container_client_api_host_bind_port: "" + +# Controls whether the matrix-dendrite container exposes the tls (encrypted) Server/Server (Federation) API port (tcp/8448 in the container). +# +# Takes effect only if federation is enabled (matrix_dendrite_federation_enabled) +# and TLS support is enabled (matrix_dendrite_tls_federation_listener_enabled). +# +# Takes an ":" or "" value (e.g. "8448"), or empty string to not expose. +matrix_dendrite_container_federation_api_tls_host_bind_port: "" + +# A list of extra arguments to pass to the container +matrix_dendrite_container_extra_arguments: [] + +# List of systemd services that matrix-dendrite.service depends on +matrix_dendrite_systemd_required_services_list: ["docker.service"] + +# List of systemd services that matrix-dendrite.service wants +matrix_dendrite_systemd_wanted_services_list: [] + +# Specifies which template files to use when configuring Dendrite. +# If you'd like to have your own different configuration, feel free to copy and paste +# the original files into your inventory (e.g. in `inventory/host_vars//`) +# and then change the specific host's `vars.yaml` file like this: +# matrix_dendrite_template_dendrite_config: "{{ playbook_dir }}/inventory/host_vars//dendrite.yaml.j2" +matrix_dendrite_template_dendrite_config: "{{ role_path }}/templates/dendrite/dendrite.yaml.j2" + +matrix_dendrite_macaroon_secret_key: "" +matrix_dendrite_registration_shared_secret: "{{ matrix_dendrite_macaroon_secret_key }}" +matrix_dendrite_allow_guest_access: false +matrix_dendrite_form_secret: "{{ matrix_dendrite_macaroon_secret_key }}" + +matrix_dendrite_max_file_size_bytes: 10485760 + +# The tmpfs at /tmp needs to be large enough to handle multiple concurrent file uploads. +matrix_dendrite_tmp_directory_size_mb: 500 + +# Log levels +matrix_dendrite_log_level: "warning" +matrix_dendrite_log_path: "/var/log/dendrite" + +# Rate limits +matrix_dendrite_rate_limiting_enabled: true +matrix_dendrite_rate_limiting_threshold: 5 +matrix_dendrite_rate_limiting_cooloff_ms: 500 + +# Controls whether people with access to the homeserver can register by themselves. +matrix_dendrite_registration_disabled: false + +# reCAPTCHA API for validating registration attempts +matrix_dendrite_enable_registration_captcha: false +matrix_dendrite_recaptcha_public_key: "" +matrix_dendrite_recaptcha_private_key: "" + +# A list of additional "volumes" to mount in the container. +# This list gets populated dynamically based on Dendrite extensions that have been enabled. +# Contains definition objects like this: `{"src": "/outside", "dst": "/inside", "options": "rw|ro|slave|.."} +# +# Note: internally, this uses the `-v` flag for mounting the specified volumes. +# It's better (safer) to use the `--mount` flag for mounting volumes. +# To use `--mount`, specify it in `matrix_dendrite_container_extra_arguments`. +# Example: `matrix_dendrite_container_extra_arguments: ['--mount type=bind,src=/outside,dst=/inside,ro'] +matrix_dendrite_container_additional_volumes: [] + +# A list of appservice config files (in-container filesystem paths). +# This list gets populated dynamically based on Dendrite extensions that have been enabled. +# You may wish to use this together with `matrix_dendrite_container_additional_volumes` or `matrix_dendrite_container_extra_arguments`. +matrix_dendrite_app_service_config_files: [] + +# Enable exposure of metrics +matrix_dendrite_metrics_enabled: false +matrix_dendrite_metrics_username: "metrics" +matrix_dendrite_metrics_password: "metrics" + +# Postgres database information +matrix_dendrite_database_str: "postgresql://{{ matrix_dendrite_database_user }}:{{ matrix_dendrite_database_password }}@{{ matrix_dendrite_database_hostname }}" +matrix_dendrite_database_hostname: "matrix-postgres" +matrix_dendrite_database_user: "dendrite" +matrix_dendrite_database_password: "itsasecret" +matrix_dendrite_naffka_database: "dendrite_naffka" +matrix_dendrite_appservice_database: "dendrite_appservice" +matrix_dendrite_federationsender_database: "dendrite_federationsender" +matrix_dendrite_keyserver_database: "dendrite_keyserver" +matrix_dendrite_mediaapi_database: "dendrite_mediaapi" +matrix_dendrite_room_database: "dendrite_room" +matrix_dendrite_singingkeyserver_database: "dendrite_sigingkeyserver" +matrix_dendrite_syncapi_database: "dendrite_syncapi" +matrix_dendrite_account_database: "dendrite_account" +matrix_dendrite_device_database: "dendrite_device" + +matrix_dendrite_turn_uris: [] +matrix_dendrite_turn_shared_secret: "" +matrix_dendrite_turn_allow_guests: False + +matrix_s3_media_store_enabled: false +matrix_s3_media_store_custom_endpoint_enabled: false +matrix_s3_goofys_docker_image: "ewoutp/goofys:latest" +matrix_s3_goofys_docker_image_force_pull: "{{ matrix_s3_goofys_docker_image.endswith(':latest') }}" +matrix_s3_media_store_custom_endpoint: "your-custom-endpoint" +matrix_s3_media_store_bucket_name: "your-bucket-name" +matrix_s3_media_store_aws_access_key: "your-aws-access-key" +matrix_s3_media_store_aws_secret_key: "your-aws-secret-key" +matrix_s3_media_store_region: "eu-central-1" + +# Controls whether the self-check feature should validate TLS certificates. +matrix_dendrite_disable_tls_validation: false + +matrix_dendrite_trusted_id_servers: + - "matrix.org" + - "vector.im" + +# Default Dendrite configuration template which covers the generic use case. +# You can customize it by controlling the various variables inside it. +# +# For a more advanced customization, you can extend the default (see `matrix_dendrite_configuration_extension_yaml`) +# or completely replace this variable with your own template. +matrix_dendrite_configuration_yaml: "{{ lookup('template', 'templates/dendrite/dendrite.yaml.j2') }}" + +matrix_dendrite_configuration_extension_yaml: | + # Your custom YAML configuration for Dendrite goes here. + # This configuration extends the default starting configuration (`matrix_dendrite_configuration_yaml`). + # + # You can override individual variables from the default configuration, or introduce new ones. + # + # If you need something more special, you can take full control by + # completely redefining `matrix_dendrite_configuration_yaml`. + # + # Example configuration extension follows: + # + # server_notices: + # system_mxid_localpart: notices + # system_mxid_display_name: "Server Notices" + # system_mxid_avatar_url: "mxc://server.com/oumMVlgDnLYFaPVkExemNVVZ" + # room_name: "Server Notices" + +matrix_dendrite_configuration_extension: "{{ matrix_dendrite_configuration_extension_yaml|from_yaml if matrix_dendrite_configuration_extension_yaml|from_yaml is mapping else {} }}" + +# Holds the final Dendrite configuration (a combination of the default and its extension). +# You most likely don't need to touch this variable. Instead, see `matrix_dendrite_configuration_yaml`. +matrix_dendrite_configuration: "{{ matrix_dendrite_configuration_yaml|from_yaml|combine(matrix_dendrite_configuration_extension, recursive=True) }}" diff --git a/roles/matrix-dendrite/tasks/dendrite/setup.yml b/roles/matrix-dendrite/tasks/dendrite/setup.yml new file mode 100644 index 00000000..8b669193 --- /dev/null +++ b/roles/matrix-dendrite/tasks/dendrite/setup.yml @@ -0,0 +1,6 @@ +--- +- import_tasks: "{{ role_path }}/tasks/dendrite/setup_install.yml" + when: matrix_dendrite_enabled|bool + +- import_tasks: "{{ role_path }}/tasks/dendrite/setup_uninstall.yml" + when: "not matrix_dendrite_enabled|bool" diff --git a/roles/matrix-dendrite/tasks/dendrite/setup_install.yml b/roles/matrix-dendrite/tasks/dendrite/setup_install.yml new file mode 100644 index 00000000..182b6c1c --- /dev/null +++ b/roles/matrix-dendrite/tasks/dendrite/setup_install.yml @@ -0,0 +1,85 @@ +--- +# This will throw a Permission Denied error if already mounted using fuse +- name: Check Dendrite media store path + stat: + path: "{{ matrix_dendrite_media_store_path }}" + register: local_path_media_store_stat + ignore_errors: yes + +# This is separate and conditional, to ensure we don't execute it +# if the path already exists or we failed to check, because it's mounted using fuse. +- name: Ensure Dendrite media store path exists + file: + path: "{{ matrix_dendrite_media_store_path }}" + state: directory + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + when: "not local_path_media_store_stat.failed and not local_path_media_store_stat.stat.exists" + +- name: Ensure Dendrite log path exists + file: + path: "{{ matrix_dendrite_log_path }}" + state: directory + mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + +- name: Ensure Dendrite Docker image is pulled + docker_image: + name: "{{ matrix_dendrite_docker_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_dendrite_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_dendrite_docker_image_force_pull }}" + +- name: Check if a Dendrite signing key exists + stat: + path: "{{ matrix_dendrite_config_dir_path }}/{{ matrix_server_fqn_matrix }}.signing.pem" + register: matrix_dendrite_signing_key_stat + +# We do this so that the signing key would get generated. +# We don't use the `docker_container` module, because using it with `cap_drop` requires +# a very recent version, which is not available for a lot of people yet. +- name: Generate Dendrite signing key + command: | + docker run + --rm + --name=matrix-config + --entrypoint=generate-keys + --mount type=bind,src={{ matrix_dendrite_config_dir_path }},dst=/data + {{ matrix_dendrite_docker_image }} --private-key=/data/{{ matrix_server_fqn_matrix }}.signing.pem + generate + when: "not matrix_dendrite_signing_key_stat.stat.exists" + +- name: Ensure Dendrite server key exists + file: + path: "{{ matrix_dendrite_config_dir_path }}/{{ matrix_server_fqn_matrix }}.signing.pem" + mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + +- name: Ensure Dendrite configuration installed + copy: + content: "{{ matrix_dendrite_configuration|to_nice_yaml }}" + dest: "{{ matrix_dendrite_config_dir_path }}/dendrite.yaml" + mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + +- name: Ensure matrix-dendrite.service installed + template: + src: "{{ role_path }}/templates/dendrite/systemd/matrix-dendrite.service.j2" + dest: "{{ matrix_systemd_path }}/matrix-dendrite.service" + mode: 0644 + register: matrix_dendrite_systemd_service_result + +- name: Ensure systemd reloaded after matrix-dendrite.service installation + service: + daemon_reload: yes + when: "matrix_dendrite_systemd_service_result.changed" + +- name: Ensure matrix-dendrite-create-account script created + template: + src: "{{ role_path }}/templates/dendrite/usr-local-bin/matrix-dendrite-create-account.j2" + dest: "{{ matrix_local_bin_path }}/matrix-dendrite-create-account" + mode: 0750 diff --git a/roles/matrix-dendrite/tasks/dendrite/setup_uninstall.yml b/roles/matrix-dendrite/tasks/dendrite/setup_uninstall.yml new file mode 100644 index 00000000..7e953365 --- /dev/null +++ b/roles/matrix-dendrite/tasks/dendrite/setup_uninstall.yml @@ -0,0 +1,28 @@ +- name: Check existence of matrix-dendrite service + stat: + path: "{{ matrix_systemd_path }}/matrix-dendrite.service" + register: matrix_dendrite_service_stat + +- name: Ensure matrix-dendrite is stopped + service: + name: matrix-dendrite + state: stopped + daemon_reload: yes + register: stopping_result + when: "matrix_dendrite_service_stat.stat.exists" + +- name: Ensure matrix-dendrite.service doesn't exist + file: + path: "{{ matrix_systemd_path }}/matrix-dendrite.service" + state: absent + when: "matrix_dendrite_service_stat.stat.exists" + +- name: Ensure systemd reloaded after matrix-dendrite.service removal + service: + daemon_reload: yes + when: "matrix_dendrite_service_stat.stat.exists" + +- name: Ensure Dendrite Docker image doesn't exist + docker_image: + name: "{{ matrix_dendrite_docker_image }}" + state: absent diff --git a/roles/matrix-dendrite/tasks/goofys/setup.yml b/roles/matrix-dendrite/tasks/goofys/setup.yml new file mode 100644 index 00000000..6370408d --- /dev/null +++ b/roles/matrix-dendrite/tasks/goofys/setup.yml @@ -0,0 +1,7 @@ +--- + +- import_tasks: "{{ role_path }}/tasks/goofys/setup_install.yml" + when: matrix_s3_media_store_enabled|bool + +- import_tasks: "{{ role_path }}/tasks/goofys/setup_uninstall.yml" + when: "not matrix_s3_media_store_enabled|bool" diff --git a/roles/matrix-dendrite/tasks/goofys/setup_install.yml b/roles/matrix-dendrite/tasks/goofys/setup_install.yml new file mode 100644 index 00000000..4917440b --- /dev/null +++ b/roles/matrix-dendrite/tasks/goofys/setup_install.yml @@ -0,0 +1,41 @@ +- name: Ensure Goofys Docker image is pulled + docker_image: + name: "{{ matrix_s3_goofys_docker_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_s3_goofys_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_s3_goofys_docker_image_force_pull }}" + +# This will throw a Permission Denied error if already mounted +- name: Check Matrix Goofys external storage mountpoint path + stat: + path: "{{ matrix_dendrite_media_store_path }}" + register: local_path_matrix_dendrite_media_store_path_stat + ignore_errors: yes + +- name: Ensure Matrix Goofys external storage mountpoint exists + file: + path: "{{ matrix_dendrite_media_store_path if matrix_dendrite_enabled else matrix_dendrite_media_store_path }}" + state: directory + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + when: "not local_path_matrix_dendrite_media_store_path_stat.failed and not local_path_matrix_dendrite_media_store_path_stat.stat.exists" + +- name: Ensure goofys environment variables file created + template: + src: "{{ role_path }}/templates/goofys/env-goofys.j2" + dest: "{{ matrix_dendrite_config_dir_path }}/env-goofys" + owner: root + mode: 0600 + +- name: Ensure matrix-goofys.service installed + template: + src: "{{ role_path }}/templates/goofys/systemd/matrix-goofys.service.j2" + dest: "{{ matrix_systemd_path }}/matrix-goofys.service" + mode: 0644 + register: matrix_goofys_systemd_service_result + +- name: Ensure systemd reloaded after matrix-goofys.service installation + service: + daemon_reload: yes + when: "matrix_goofys_systemd_service_result.changed" diff --git a/roles/matrix-dendrite/tasks/goofys/setup_uninstall.yml b/roles/matrix-dendrite/tasks/goofys/setup_uninstall.yml new file mode 100644 index 00000000..b7f972ad --- /dev/null +++ b/roles/matrix-dendrite/tasks/goofys/setup_uninstall.yml @@ -0,0 +1,33 @@ +- name: Check existence of matrix-goofys service + stat: + path: "{{ matrix_systemd_path }}/matrix-goofys.service" + register: matrix_goofys_service_stat + +- name: Ensure matrix-goofys is stopped + service: + name: matrix-goofys + state: stopped + daemon_reload: yes + register: stopping_result + when: "matrix_goofys_service_stat.stat.exists" + +- name: Ensure matrix-goofys.service doesn't exist + file: + path: "{{ matrix_systemd_path }}/matrix-goofys.service" + state: absent + when: "matrix_goofys_service_stat.stat.exists" + +- name: Ensure systemd reloaded after matrix-goofys.service removal + service: + daemon_reload: yes + when: "matrix_goofys_service_stat.stat.exists" + +- name: Ensure goofys environment variables file doesn't exist + file: + path: "{{ matrix_dendrite_config_dir_path }}/env-goofys" + state: absent + +- name: Ensure Goofys Docker image doesn't exist + docker_image: + name: "{{ matrix_s3_goofys_docker_image }}" + state: absent diff --git a/roles/matrix-dendrite/tasks/import_media_store.yml b/roles/matrix-dendrite/tasks/import_media_store.yml new file mode 100644 index 00000000..9eaa6c0c --- /dev/null +++ b/roles/matrix-dendrite/tasks/import_media_store.yml @@ -0,0 +1,81 @@ +--- +# Pre-checks + +- name: Fail if playbook called incorrectly + fail: + msg: "The `server_path_media_store` variable needs to be provided to this playbook, via --extra-vars" + when: "server_path_media_store is not defined or server_path_media_store.startswith('<')" + +- name: Fail if media store is on Amazon S3 + fail: + msg: "Your media store is on Amazon S3. Due to technical limitations, restoring is not supported." + when: matrix_s3_media_store_enabled|bool + +- name: Check if the provided media store directory exists + stat: + path: "{{ server_path_media_store }}" + register: server_path_media_store_stat + +- name: Fail if provided media store directory doesn't exist on the server + fail: + msg: "{{ server_path_media_store }} cannot be found on the server" + when: "not server_path_media_store_stat.stat.exists or not server_path_media_store_stat.stat.isdir" + +- name: Check if media store contains local_content + stat: + path: "{{ server_path_media_store }}/local_content" + register: server_path_media_store_local_content_stat + +- name: Check if media store contains remote_content + stat: + path: "{{ server_path_media_store }}/remote_content" + register: server_path_media_store_remote_content_stat + +- name: Fail if media store directory doesn't look okay (lacking remote and local content) + fail: + msg: "{{ server_path_media_store }} contains neither local_content nor remote_content directories. It's most likely a mistake and is not a media store directory." + when: "not server_path_media_store_local_content_stat.stat.exists and not server_path_media_store_remote_content_stat.stat.exists" + +# Actual import work + +- name: Ensure matrix-dendrite is stopped + service: + name: matrix-dendrite + state: stopped + daemon_reload: yes + register: stopping_result + +# This can only work with local files, not if the media store is on Amazon S3, +# as it won't be accessible in such a case. +- name: Ensure provided media store directory is synchronized + synchronize: + src: "{{ server_path_media_store }}/" + dest: "{{ matrix_dendrite_media_store_path }}" + delete: yes + # It's wasteful to preserve owner/group now. We chown below anyway. + owner: no + group: no + times: yes + delegate_to: "{{ inventory_hostname }}" + +# This is for the generic case and fails in other cases (remote file systems), +# because in such cases the base path (matrix_dendrite_media_store_path) is a mount point. +- name: Ensure media store permissions are correct (generic case) + file: + path: "{{ matrix_dendrite_media_store_path }}" + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + recurse: yes + when: "not matrix_s3_media_store_enabled|bool" + +# We don't chown for Goofys, because due to the way it's mounted, +# all files become owned by whoever needs to own them. + +- name: Ensure Dendrite is started (if it previously was) + service: + name: "{{ item }}" + state: started + daemon_reload: yes + when: "stopping_result.changed" + with_items: + - matrix-dendrite diff --git a/roles/matrix-dendrite/tasks/init.yml b/roles/matrix-dendrite/tasks/init.yml new file mode 100644 index 00000000..8457c63d --- /dev/null +++ b/roles/matrix-dendrite/tasks/init.yml @@ -0,0 +1,12 @@ +- set_fact: + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-dendrite.service'] }}" + when: matrix_dendrite_enabled|bool + +- set_fact: + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-goofys.service'] }}" + when: matrix_s3_media_store_enabled|bool + +- name: Fail when using also using Synapse + fail: + msg: "To use Dendrite as your matrix server, you should disable Synapse." + when: "matrix_dendrite_enabled and matrix_synapse_enabled" diff --git a/roles/matrix-dendrite/tasks/main.yml b/roles/matrix-dendrite/tasks/main.yml new file mode 100644 index 00000000..a5237442 --- /dev/null +++ b/roles/matrix-dendrite/tasks/main.yml @@ -0,0 +1,50 @@ +- import_tasks: "{{ role_path }}/tasks/init.yml" + tags: + - always + +- import_tasks: "{{ role_path }}/tasks/validate_config.yml" + when: run_setup|bool + tags: + - setup-all + - setup-dendrite + +- import_tasks: "{{ role_path }}/tasks/setup_dendrite.yml" + when: run_setup|bool + tags: + - setup-all + - setup-dendrite + +- import_tasks: "{{ role_path }}/tasks/import_media_store.yml" + when: run_dendrite_import_media_store|bool + tags: + - import-dendrite-media-store + +- import_tasks: "{{ role_path }}/tasks/register_user.yml" + when: run_dendrite_register_user|bool + tags: + - register-user + +- import_tasks: "{{ role_path }}/tasks/self_check_client_api.yml" + delegate_to: 127.0.0.1 + become: false + when: run_self_check|bool + tags: + - self-check + +- import_tasks: "{{ role_path }}/tasks/self_check_federation_api.yml" + delegate_to: 127.0.0.1 + become: false + when: run_self_check|bool + tags: + - self-check + +- import_tasks: "{{ role_path }}/tasks/update_user_password.yml" + when: run_dendrite_update_user_password|bool + tags: + - update-user-password + +- name: Mark matrix-dendrite role as executed + set_fact: + matrix_dendrite_role_executed: true + tags: + - always diff --git a/roles/matrix-dendrite/tasks/register_user.yml b/roles/matrix-dendrite/tasks/register_user.yml new file mode 100644 index 00000000..099d57e9 --- /dev/null +++ b/roles/matrix-dendrite/tasks/register_user.yml @@ -0,0 +1,25 @@ +--- +- name: Fail if playbook called incorrectly + fail: + msg: "The `username` variable needs to be provided to this playbook, via --extra-vars" + when: "username is not defined or username == ''" + +- name: Fail if playbook called incorrectly + fail: + msg: "The `password` variable needs to be provided to this playbook, via --extra-vars" + when: "password is not defined or password == ''" + +- name: Ensure matrix-dendrite is started + service: + name: matrix-dendrite + state: started + daemon_reload: yes + register: start_result + +- name: Wait a while, so that Dendrite can manage to start + pause: + seconds: 7 + when: "start_result.changed" + +- name: Register user + command: "{{ matrix_local_bin_path }}/matrix-dendrite-create-account {{ username|quote }} {{ password|quote }}" diff --git a/roles/matrix-dendrite/tasks/self_check_client_api.yml b/roles/matrix-dendrite/tasks/self_check_client_api.yml new file mode 100644 index 00000000..d3fb1f0d --- /dev/null +++ b/roles/matrix-dendrite/tasks/self_check_client_api.yml @@ -0,0 +1,20 @@ +--- +- name: Check Matrix Client API + uri: + url: "{{ matrix_dendrite_client_api_url_endpoint_public }}" + follow_redirects: none + validate_certs: "{{ matrix_dendrite_self_check_validate_certificates }}" + register: result_matrix_dendrite_client_api + ignore_errors: true + check_mode: no + when: matrix_dendrite_enabled|bool + +- name: Fail if Matrix Client API not working + fail: + msg: "Failed checking Matrix Client API is up at `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ matrix_dendrite_client_api_url_endpoint_public }}`). Is Dendrite running? Is port 443 open in your firewall? Full error: {{ result_matrix_dendrite_client_api }}" + when: "matrix_dendrite_enabled|bool and (result_matrix_dendrite_client_api.failed or 'json' not in result_matrix_dendrite_client_api)" + +- name: Report working Matrix Client API + debug: + msg: "The Matrix Client API at `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ matrix_dendrite_client_api_url_endpoint_public }}`) is working" + when: matrix_dendrite_enabled|bool diff --git a/roles/matrix-dendrite/tasks/self_check_federation_api.yml b/roles/matrix-dendrite/tasks/self_check_federation_api.yml new file mode 100644 index 00000000..f11601d7 --- /dev/null +++ b/roles/matrix-dendrite/tasks/self_check_federation_api.yml @@ -0,0 +1,25 @@ +--- +- name: Check Matrix Federation API + uri: + url: "{{ matrix_dendrite_federation_api_url_endpoint_public }}" + follow_redirects: none + validate_certs: "{{ matrix_dendrite_self_check_validate_certificates }}" + register: result_matrix_dendrite_federation_api + ignore_errors: true + check_mode: no + when: matrix_dendrite_enabled|bool + +- name: Fail if Matrix Federation API not working + fail: + msg: "Failed checking Matrix Federation API is up at `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ matrix_dendrite_federation_api_url_endpoint_public }}`). Is Dendrite running? Is port {{ matrix_federation_public_port }} open in your firewall? Full error: {{ result_matrix_dendrite_federation_api }}" + when: "matrix_dendrite_enabled|bool and matrix_dendrite_federation_enabled|bool and (result_matrix_dendrite_federation_api.failed or 'json' not in result_matrix_dendrite_federation_api)" + +- name: Fail if Matrix Federation API unexpectedly enabled + fail: + msg: "Matrix Federation API is up at `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ matrix_dendrite_federation_api_url_endpoint_public }}`) despite being disabled." + when: "matrix_dendrite_enabled|bool and not matrix_dendrite_federation_enabled|bool and not result_matrix_dendrite_federation_api.failed" + +- name: Report working Matrix Federation API + debug: + msg: "The Matrix Federation API at `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ matrix_dendrite_federation_api_url_endpoint_public }}`) is working" + when: "matrix_dendrite_enabled|bool and matrix_dendrite_federation_enabled|bool" diff --git a/roles/matrix-dendrite/tasks/setup_dendrite.yml b/roles/matrix-dendrite/tasks/setup_dendrite.yml new file mode 100644 index 00000000..920ca184 --- /dev/null +++ b/roles/matrix-dendrite/tasks/setup_dendrite.yml @@ -0,0 +1,19 @@ +--- +- name: Ensure Dendrite paths exist + file: + path: "{{ item.path }}" + state: directory + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: + - { path: "{{ matrix_dendrite_config_dir_path }}", when: true } + - { path: "{{ matrix_dendrite_ext_path }}", when: true } + # We handle matrix_dendrite_media_store_path elsewhere (in ./dendrite/setup_install.yml), + # because if it's using Goofys and it's already mounted (from before), + # trying to chown/chmod it here will cause trouble. + when: "(matrix_dendrite_enabled|bool or matrix_s3_media_store_enabled|bool) and item.when" + +- import_tasks: "{{ role_path }}/tasks/dendrite/setup.yml" + +- import_tasks: "{{ role_path }}/tasks/goofys/setup.yml" diff --git a/roles/matrix-dendrite/tasks/update_user_password.yml b/roles/matrix-dendrite/tasks/update_user_password.yml new file mode 100644 index 00000000..5fbd23c2 --- /dev/null +++ b/roles/matrix-dendrite/tasks/update_user_password.yml @@ -0,0 +1,41 @@ +--- +- name: Fail if playbook called incorrectly + fail: + msg: "The `username` variable needs to be provided to this playbook, via --extra-vars" + when: "username is not defined or username == ''" + +- name: Fail if playbook called incorrectly + fail: + msg: "The `password` variable needs to be provided to this playbook, via --extra-vars" + when: "password is not defined or password == ''" + +- name: Fail if not using matrix-postgres container + fail: + msg: "This command is working only when matrix-postgres container is being used" + when: "not matrix_postgres_enabled|bool" + +- name: Ensure matrix-dendrite is started + service: + name: matrix-dendrite + state: started + daemon_reload: yes + register: start_result + +- name: Ensure matrix-postgres is started + service: + name: matrix-postgres + state: started + daemon_reload: yes + register: postgres_start_result + +- name: Wait a while, so that Matrix Dendrite can manage to start + pause: + seconds: 7 + when: "start_result.changed or postgres_start_result.changed" + +- name: Generate password hash + shell: "{{ matrix_host_command_docker }} exec matrix-dendrite /usr/local/bin/hash_password -c /data/homeserver.yaml -p {{ password|quote }}" + register: password_hash + +- name: Update user password hash + command: "{{ matrix_local_bin_path }}/matrix-postgres-update-user-password-hash {{ username|quote }} {{ password_hash.stdout|quote }}" diff --git a/roles/matrix-dendrite/tasks/validate_config.yml b/roles/matrix-dendrite/tasks/validate_config.yml new file mode 100644 index 00000000..8c7ee4d2 --- /dev/null +++ b/roles/matrix-dendrite/tasks/validate_config.yml @@ -0,0 +1,16 @@ +--- +- name: Fail if required Dendrite settings not defined + fail: + msg: >- + You need to define a required configuration setting (`{{ item }}`) for using Dendrite. + when: "vars[item] == ''" + with_items: + - "matrix_dendrite_macaroon_secret_key" + +- name: (Deprecation) Catch and report renamed settings + fail: + msg: >- + Your configuration contains a variable, which now has a different name. + Please change your configuration to rename the variable (`{{ item.old }}` -> `{{ item.new }}`). + when: "item.old in vars" + with_items: [] diff --git a/roles/matrix-dendrite/templates/dendrite/dendrite.yaml.j2 b/roles/matrix-dendrite/templates/dendrite/dendrite.yaml.j2 new file mode 100644 index 00000000..2ec6c088 --- /dev/null +++ b/roles/matrix-dendrite/templates/dendrite/dendrite.yaml.j2 @@ -0,0 +1,342 @@ +# This is the Dendrite configuration file. +# +# The configuration is split up into sections - each Dendrite component has a +# configuration section, in addition to the "global" section which applies to +# all components. +# +# At a minimum, to get started, you will need to update the settings in the +# "global" section for your deployment, and you will need to check that the +# database "connection_string" line in each component section is correct. +# +# Each component with a "database" section can accept the following formats +# for "connection_string": +# SQLite: file:filename.db +# file:///path/to/filename.db +# PostgreSQL: postgresql://user:pass@hostname/database?params=... +# +# SQLite is embedded into Dendrite and therefore no further prerequisites are +# needed for the database when using SQLite mode. However, performance with +# PostgreSQL is significantly better and recommended for multi-user deployments. +# SQLite is typically around 20-30% slower than PostgreSQL when tested with a +# small number of users and likely will perform worse still with a higher volume +# of users. +# +# The "max_open_conns" and "max_idle_conns" settings configure the maximum +# number of open/idle database connections. The value 0 will use the database +# engine default, and a negative value will use unlimited connections. The +# "conn_max_lifetime" option controls the maximum length of time a database +# connection can be idle in seconds - a negative value is unlimited. + +# The version of the configuration file. +version: 1 + +# Global Matrix configuration. This configuration applies to all components. +global: + # The domain name of this homeserver. + server_name: {{ matrix_domain }} + + # The path to the signing private key file, used to sign requests and events. + private_key: "/data/{{ matrix_server_fqn_matrix }}.signing.pem" + + # The paths and expiry timestamps (as a UNIX timestamp in millisecond precision) + # to old signing private keys that were formerly in use on this domain. These + # keys will not be used for federation request or event signing, but will be + # provided to any other homeserver that asks when trying to verify old events. + # old_private_keys: + # - private_key: old_matrix_key.pem + # expired_at: 1601024554498 + + # How long a remote server can cache our server signing key before requesting it + # again. Increasing this number will reduce the number of requests made by other + # servers for our key but increases the period that a compromised key will be + # considered valid by other homeservers. + key_validity_period: 168h0m0s + + # Lists of domains that the server will trust as identity servers to verify third + # party identifiers such as phone numbers and email addresses. + trusted_third_party_id_servers: {{ matrix_dendrite_trusted_id_servers|to_json }} + + # Configuration for Kafka/Naffka. + kafka: + # List of Kafka broker addresses to connect to. This is not needed if using + # Naffka in monolith mode. + addresses: + - kafka:9092 + + # The prefix to use for Kafka topic names for this homeserver. Change this only if + # you are running more than one Dendrite homeserver on the same Kafka deployment. + topic_prefix: Dendrite + + # Whether to use Naffka instead of Kafka. This is only available in monolith + # mode, but means that you can run a single-process server without requiring + # Kafka. + use_naffka: true + + # Naffka database options. Not required when using Kafka. + naffka_database: + connection_string: {{ matrix_dendrite_database_str }}/{{ matrix_dendrite_naffka_database }}?sslmode=disable + max_open_conns: 10 + max_idle_conns: 2 + conn_max_lifetime: -1 + + # Configuration for Prometheus metric collection. + metrics: + # Whether or not Prometheus metrics are enabled. + enabled: {{ matrix_dendrite_metrics_enabled }} + + # HTTP basic authentication to protect access to monitoring. + basic_auth: + username: {{ matrix_dendrite_metrics_username }} + password: {{ matrix_dendrite_metrics_password }} + + # DNS cache options. The DNS cache may reduce the load on DNS servers + # if there is no local caching resolver available for use. + dns_cache: + # Whether or not the DNS cache is enabled. + enabled: false + + # Maximum number of entries to hold in the DNS cache, and + # for how long those items should be considered valid in seconds. + cache_size: 256 + cache_lifetime: 300 + +# Configuration for the Appservice API. +app_service_api: + internal_api: + listen: http://0.0.0.0:7777 + connect: http://appservice_api:7777 + database: + connection_string: {{ matrix_dendrite_database_str }}/{{ matrix_dendrite_appservice_database }}?sslmode=disable + max_open_conns: 10 + max_idle_conns: 2 + conn_max_lifetime: -1 + + # Appservice configuration files to load into this homeserver. + config_files: {{ matrix_dendrite_app_service_config_files|to_json }} + +# Configuration for the Client API. +client_api: + internal_api: + listen: http://0.0.0.0:7771 + connect: http://client_api:7771 + external_api: + listen: http://0.0.0.0:8071 + + # Prevents new users from being able to register on this homeserver, except when + # using the registration shared secret below. + registration_disabled: {{ matrix_dendrite_registration_disabled|to_json }} + + # If set, allows registration by anyone who knows the shared secret, regardless of + # whether registration is otherwise disabled. + registration_shared_secret: {{ matrix_dendrite_registration_shared_secret|string|to_json }} + + # Whether to require reCAPTCHA for registration. + enable_registration_captcha: {{ matrix_dendrite_enable_registration_captcha|to_json }} + + # Settings for ReCAPTCHA. + recaptcha_public_key: {{ matrix_dendrite_recaptcha_public_key|to_json }} + recaptcha_private_key: {{ matrix_dendrite_recaptcha_private_key|to_json }} + recaptcha_bypass_secret: "" + recaptcha_siteverify_api: "" + + # TURN server information that this homeserver should send to clients. + turn: + turn_user_lifetime: "" + turn_uris: {{ matrix_dendrite_turn_uris|to_json }} + turn_shared_secret: {{ matrix_dendrite_turn_shared_secret|to_json }} + turn_username: "" + turn_password: "" + + # Settings for rate-limited endpoints. Rate limiting will kick in after the + # threshold number of "slots" have been taken by requests from a specific + # host. Each "slot" will be released after the cooloff time in milliseconds. + rate_limiting: + enabled: {{ matrix_dendrite_rate_limiting_enabled|to_json }} + threshold: {{ matrix_dendrite_rate_limiting_threshold|to_json }} + cooloff_ms: {{ matrix_dendrite_rate_limiting_cooloff_ms|to_json }} + +# Configuration for the EDU server. +edu_server: + internal_api: + listen: http://0.0.0.0:7778 + connect: http://edu_server:7778 + +# Configuration for the Federation API. +federation_api: + internal_api: + listen: http://0.0.0.0:7772 + connect: http://federation_api:7772 + external_api: + listen: http://0.0.0.0:8072 + + # List of paths to X.509 certificates to be used by the external federation listeners. + # These certificates will be used to calculate the TLS fingerprints and other servers + # will expect the certificate to match these fingerprints. Certificates must be in PEM + # format. + federation_certificates: [] + +# Configuration for the Federation Sender. +federation_sender: + internal_api: + listen: http://0.0.0.0:7775 + connect: http://federation_sender:7775 + database: + connection_string: {{ matrix_dendrite_database_str }}/{{ matrix_dendrite_federationsender_database }}?sslmode=disable + max_open_conns: 10 + max_idle_conns: 2 + conn_max_lifetime: -1 + + # How many times we will try to resend a failed transaction to a specific server. The + # backoff is 2**x seconds, so 1 = 2 seconds, 2 = 4 seconds, 3 = 8 seconds etc. + send_max_retries: 16 + + # Disable the validation of TLS certificates of remote federated homeservers. Do not + # enable this option in production as it presents a security risk! + disable_tls_validation: {{ matrix_dendrite_disable_tls_validation }} + + # Use the following proxy server for outbound federation traffic. + proxy_outbound: + enabled: false + protocol: http + host: localhost + port: 8080 + +# Configuration for the Key Server (for end-to-end encryption). +key_server: + internal_api: + listen: http://0.0.0.0:7779 + connect: http://key_server:7779 + database: + connection_string: {{ matrix_dendrite_database_str }}/{{ matrix_dendrite_keyserver_database }}?sslmode=disable + max_open_conns: 10 + max_idle_conns: 2 + conn_max_lifetime: -1 + +# Configuration for the Media API. +media_api: + internal_api: + listen: http://0.0.0.0:7774 + connect: http://media_api:7774 + external_api: + listen: http://0.0.0.0:8074 + database: + connection_string: {{ matrix_dendrite_database_str }}/{{ matrix_dendrite_mediaapi_database }}?sslmode=disable + max_open_conns: 10 + max_idle_conns: 2 + conn_max_lifetime: -1 + + # Storage path for uploaded media. May be relative or absolute. + base_path: "/matrix-media-store-parent/{{ matrix_dendrite_media_store_directory_name }}" + + # The maximum allowed file size (in bytes) for media uploads to this homeserver + # (0 = unlimited). + max_file_size_bytes: {{ matrix_dendrite_max_file_size_bytes }} + + # Whether to dynamically generate thumbnails if needed. + dynamic_thumbnails: false + + # The maximum number of simultaneous thumbnail generators to run. + max_thumbnail_generators: 10 + + # A list of thumbnail sizes to be generated for media content. + thumbnail_sizes: + - width: 32 + height: 32 + method: crop + - width: 96 + height: 96 + method: crop + - width: 640 + height: 480 + method: scale + +# Configuration for the Room Server. +room_server: + internal_api: + listen: http://0.0.0.0:7770 + connect: http://room_server:7770 + database: + connection_string: {{ matrix_dendrite_database_str }}/{{ matrix_dendrite_room_database }}?sslmode=disable + max_open_conns: 10 + max_idle_conns: 2 + conn_max_lifetime: -1 + +# Configuration for the Server Key API (for server signing keys). +signing_key_server: + internal_api: + listen: http://0.0.0.0:7780 + connect: http://signing_key_server:7780 + database: + connection_string: {{ matrix_dendrite_database_str }}/{{ matrix_dendrite_singingkeyserver_database }}?sslmode=disable + max_open_conns: 10 + max_idle_conns: 2 + conn_max_lifetime: -1 + + # Perspective keyservers to use as a backup when direct key fetches fail. This may + # be required to satisfy key requests for servers that are no longer online when + # joining some rooms. + key_perspectives: + - server_name: matrix.org + keys: + - key_id: ed25519:auto + public_key: Noi6WqcDj0QmPxCNQqgezwTlBKrfqehY1u2FyWP9uYw + - key_id: ed25519:a_RXGa + public_key: l8Hft5qXKn1vfHrg3p4+W8gELQVo8N13JkluMfmn2sQ + + # This option will control whether Dendrite will prefer to look up keys directly + # or whether it should try perspective servers first, using direct fetches as a + # last resort. + prefer_direct_fetch: false + +# Configuration for the Sync API. +sync_api: + internal_api: + listen: http://0.0.0.0:7773 + connect: http://sync_api:7773 + external_api: + listen: http://0.0.0.0:8073 + database: + connection_string: {{ matrix_dendrite_database_str }}/{{ matrix_dendrite_syncapi_database }}?sslmode=disable + max_open_conns: 10 + max_idle_conns: 2 + conn_max_lifetime: -1 + +# Configuration for the User API. +user_api: + internal_api: + listen: http://0.0.0.0:7781 + connect: http://user_api:7781 + account_database: + connection_string: {{ matrix_dendrite_database_str }}/{{ matrix_dendrite_account_database }}?sslmode=disable + max_open_conns: 10 + max_idle_conns: 2 + conn_max_lifetime: -1 + device_database: + connection_string: {{ matrix_dendrite_database_str }}/{{ matrix_dendrite_device_database }}?sslmode=disable + max_open_conns: 10 + max_idle_conns: 2 + conn_max_lifetime: -1 + +# Configuration for Opentracing. +# See https://github.com/matrix-org/dendrite/tree/master/docs/tracing for information on +# how this works and how to set it up. +tracing: + enabled: false + jaeger: + serviceName: "" + disabled: false + rpc_metrics: false + tags: [] + sampler: null + reporter: null + headers: null + baggage_restrictions: null + throttler: null + +# Logging configuration, in addition to the standard logging that is sent to +# stdout by Dendrite. +logging: +- type: file + level: {{ matrix_dendrite_log_level }} + params: + path: /var/log/dendrite diff --git a/roles/matrix-dendrite/templates/dendrite/homeserver.yaml.j2 b/roles/matrix-dendrite/templates/dendrite/homeserver.yaml.j2 new file mode 100644 index 00000000..fe28779c --- /dev/null +++ b/roles/matrix-dendrite/templates/dendrite/homeserver.yaml.j2 @@ -0,0 +1,2682 @@ +#jinja2: lstrip_blocks: "True" +# Configuration file for Synapse. +# +# This is a YAML file: see [1] for a quick introduction. Note in particular +# that *indentation is important*: all the elements of a list or dictionary +# should have the same indentation. +# +# [1] https://docs.ansible.com/ansible/latest/reference_appendices/YAMLSyntax.html + +## Server ## + +# The public-facing domain of the server +# +# The server_name name will appear at the end of usernames and room addresses +# created on this server. For example if the server_name was example.com, +# usernames on this server would be in the format @user:example.com +# +# In most cases you should avoid using a matrix specific subdomain such as +# matrix.example.com or synapse.example.com as the server_name for the same +# reasons you wouldn't use user@email.example.com as your email address. +# See https://github.com/matrix-org/synapse/blob/master/docs/delegate.md +# for information on how to host Synapse on a subdomain while preserving +# a clean server_name. +# +# The server_name cannot be changed later so it is important to +# configure this correctly before you start Synapse. It should be all +# lowercase and may contain an explicit port. +# Examples: matrix.org, localhost:8080 +# +server_name: "{{ matrix_domain }}" + +# When running as a daemon, the file to store the pid in +# +pid_file: /homeserver.pid + +# The absolute URL to the web client which /_matrix/client will redirect +# to if 'webclient' is configured under the 'listeners' configuration. +# +# This option can be also set to the filesystem path to the web client +# which will be served at /_matrix/client/ if 'webclient' is configured +# under the 'listeners' configuration, however this is a security risk: +# https://github.com/matrix-org/synapse#security-note +# +#web_client_location: https://riot.example.com/ + +# The public-facing base URL that clients use to access this HS +# (not including _matrix/...). This is the same URL a user would +# enter into the 'custom HS URL' field on their client. If you +# use synapse with a reverse proxy, this should be the URL to reach +# synapse via the proxy. +# +public_baseurl: https://{{ matrix_server_fqn_matrix }}/ + +# Set the soft limit on the number of file descriptors synapse can use +# Zero is used to indicate synapse should set the soft limit to the +# hard limit. +# +#soft_file_limit: 0 + +# Set to false to disable presence tracking on this homeserver. +# +use_presence: {{ matrix_synapse_use_presence|to_json }} + +# Whether to require authentication to retrieve profile data (avatars, +# display names) of other users through the client API. Defaults to +# 'false'. Note that profile data is also available via the federation +# API, so this setting is of limited value if federation is enabled on +# the server. +# +#require_auth_for_profile_requests: true + +# Uncomment to require a user to share a room with another user in order +# to retrieve their profile information. Only checked on Client-Server +# requests. Profile requests from other servers should be checked by the +# requesting server. Defaults to 'false'. +# +#limit_profile_requests_to_users_who_share_rooms: true + +# If set to 'true', removes the need for authentication to access the server's +# public rooms directory through the client API, meaning that anyone can +# query the room directory. Defaults to 'false'. +# +allow_public_rooms_without_auth: {{ matrix_synapse_allow_public_rooms_without_auth|to_json }} + +# If set to 'true', allows any other homeserver to fetch the server's public +# rooms directory via federation. Defaults to 'false'. +# +allow_public_rooms_over_federation: {{ matrix_synapse_allow_public_rooms_over_federation|to_json }} + +# The default room version for newly created rooms. +# +# Known room versions are listed here: +# https://matrix.org/docs/spec/#complete-list-of-room-versions +# +# For example, for room version 1, default_room_version should be set +# to "1". +# +default_room_version: {{ matrix_synapse_default_room_version|to_json }} + +# The GC threshold parameters to pass to `gc.set_threshold`, if defined +# +#gc_thresholds: [700, 10, 10] + +# Set the limit on the returned events in the timeline in the get +# and sync operations. The default value is 100. -1 means no upper limit. +# +# Uncomment the following to increase the limit to 5000. +# +#filter_timeline_limit: 5000 + +# Whether room invites to users on this server should be blocked +# (except those sent by local server admins). The default is False. +# +#block_non_admin_invites: True + +# Room searching +# +# If disabled, new messages will not be indexed for searching and users +# will receive errors when searching for messages. Defaults to enabled. +# +#enable_search: false + +# Prevent outgoing requests from being sent to the following blacklisted IP address +# CIDR ranges. If this option is not specified then it defaults to private IP +# address ranges (see the example below). +# +# The blacklist applies to the outbound requests for federation, identity servers, +# push servers, and for checking key validity for third-party invite events. +# +# (0.0.0.0 and :: are always blacklisted, whether or not they are explicitly +# listed here, since they correspond to unroutable addresses.) +# +# This option replaces federation_ip_range_blacklist in Synapse v1.25.0. +# +#ip_range_blacklist: +# - '127.0.0.0/8' +# - '10.0.0.0/8' +# - '172.16.0.0/12' +# - '192.168.0.0/16' +# - '100.64.0.0/10' +# - '192.0.0.0/24' +# - '169.254.0.0/16' +# - '198.18.0.0/15' +# - '192.0.2.0/24' +# - '198.51.100.0/24' +# - '203.0.113.0/24' +# - '224.0.0.0/4' +# - '::1/128' +# - 'fe80::/10' +# - 'fc00::/7' + +# List of IP address CIDR ranges that should be allowed for federation, +# identity servers, push servers, and for checking key validity for +# third-party invite events. This is useful for specifying exceptions to +# wide-ranging blacklisted target IP ranges - e.g. for communication with +# a push server only visible in your network. +# +# This whitelist overrides ip_range_blacklist and defaults to an empty +# list. +# +#ip_range_whitelist: +# - '192.168.1.1' + +# List of ports that Synapse should listen on, their purpose and their +# configuration. +# +# Options for each listener include: +# +# port: the TCP port to bind to +# +# bind_addresses: a list of local addresses to listen on. The default is +# 'all local interfaces'. +# +# type: the type of listener. Normally 'http', but other valid options are: +# 'manhole' (see docs/manhole.md), +# 'metrics' (see docs/metrics-howto.md), +# 'replication' (see docs/workers.md). +# +# tls: set to true to enable TLS for this listener. Will use the TLS +# key/cert specified in tls_private_key_path / tls_certificate_path. +# +# x_forwarded: Only valid for an 'http' listener. Set to true to use the +# X-Forwarded-For header as the client IP. Useful when Synapse is +# behind a reverse-proxy. +# +# resources: Only valid for an 'http' listener. A list of resources to host +# on this port. Options for each resource are: +# +# names: a list of names of HTTP resources. See below for a list of +# valid resource names. +# +# compress: set to true to enable HTTP compression for this resource. +# +# additional_resources: Only valid for an 'http' listener. A map of +# additional endpoints which should be loaded via dynamic modules. +# +# Valid resource names are: +# +# client: the client-server API (/_matrix/client), and the synapse admin +# API (/_synapse/admin). Also implies 'media' and 'static'. +# +# consent: user consent forms (/_matrix/consent). See +# docs/consent_tracking.md. +# +# federation: the server-server API (/_matrix/federation). Also implies +# 'media', 'keys', 'openid' +# +# keys: the key discovery API (/_matrix/keys). +# +# media: the media API (/_matrix/media). +# +# metrics: the metrics interface. See docs/metrics-howto.md. +# +# openid: OpenID authentication. +# +# replication: the HTTP replication API (/_synapse/replication). See +# docs/workers.md. +# +# static: static resources under synapse/static (/_matrix/static). (Mostly +# useful for 'fallback authentication'.) +# +# webclient: A web client. Requires web_client_location to be set. +# +listeners: +{% if matrix_synapse_metrics_enabled %} + - type: metrics + port: {{ matrix_synapse_metrics_port }} + bind_addresses: + - '0.0.0.0' +{% endif %} + +{% if matrix_synapse_federation_port_enabled and matrix_synapse_tls_federation_listener_enabled %} + # TLS-enabled listener: for when matrix traffic is sent directly to synapse. + - port: 8448 + tls: true + bind_addresses: ['::'] + type: http + x_forwarded: false + + resources: + - names: {{ matrix_synapse_federation_listener_resource_names|to_json }} + compress: false +{% endif %} + + # Unsecure HTTP listener (Client API): for when matrix traffic passes through a reverse proxy + # that unwraps TLS. + - port: 8008 + tls: false + bind_addresses: ['::'] + type: http + x_forwarded: true + + resources: + - names: {{ matrix_synapse_http_listener_resource_names|to_json }} + compress: false + +{% if matrix_synapse_federation_port_enabled %} + # Unsecure HTTP listener (Federation API): for when matrix traffic passes through a reverse proxy + # that unwraps TLS. + - port: 8048 + tls: false + bind_addresses: ['::'] + type: http + x_forwarded: true + + resources: + - names: {{ matrix_synapse_federation_listener_resource_names|to_json }} + compress: false +{% endif %} + +{% if matrix_synapse_manhole_enabled %} + # Turn on the twisted ssh manhole service on localhost on the given + # port. + - port: 9000 + bind_addresses: ['0.0.0.0'] + type: manhole +{% endif %} + + +# Forward extremities can build up in a room due to networking delays between +# homeservers. Once this happens in a large room, calculation of the state of +# that room can become quite expensive. To mitigate this, once the number of +# forward extremities reaches a given threshold, Synapse will send an +# org.matrix.dummy_event event, which will reduce the forward extremities +# in the room. +# +# This setting defines the threshold (i.e. number of forward extremities in the +# room) at which dummy events are sent. The default value is 10. +# +#dummy_events_threshold: 5 + + +## Homeserver blocking ## + +# How to reach the server admin, used in ResourceLimitError +# +#admin_contact: 'mailto:admin@server.com' + +# Global blocking +# +#hs_disabled: False +#hs_disabled_message: 'Human readable reason for why the HS is blocked' +#hs_disabled_limit_type: 'error code(str), to help clients decode reason' + +# Monthly Active User Blocking +# +# Used in cases where the admin or server owner wants to limit to the +# number of monthly active users. +# +# 'limit_usage_by_mau' disables/enables monthly active user blocking. When +# enabled and a limit is reached the server returns a 'ResourceLimitError' +# with error type Codes.RESOURCE_LIMIT_EXCEEDED +# +# 'max_mau_value' is the hard limit of monthly active users above which +# the server will start blocking user actions. +# +# 'mau_trial_days' is a means to add a grace period for active users. It +# means that users must be active for this number of days before they +# can be considered active and guards against the case where lots of users +# sign up in a short space of time never to return after their initial +# session. +# +#limit_usage_by_mau: False +#max_mau_value: 50 +#mau_trial_days: 2 + +# If enabled, the metrics for the number of monthly active users will +# be populated, however no one will be limited. If limit_usage_by_mau +# is true, this is implied to be true. +# +#mau_stats_only: False + +# Sometimes the server admin will want to ensure certain accounts are +# never blocked by mau checking. These accounts are specified here. +# +#mau_limit_reserved_threepids: +# - medium: 'email' +# address: 'reserved_user@example.com' + +# Used by phonehome stats to group together related servers. +#server_context: context + +# Resource-constrained homeserver settings +# +# When this is enabled, the room "complexity" will be checked before a user +# joins a new remote room. If it is above the complexity limit, the server will +# disallow joining, or will instantly leave. +# +# Room complexity is an arbitrary measure based on factors such as the number of +# users in the room. +# +limit_remote_rooms: + # Uncomment to enable room complexity checking. + # + #enabled: true + + # the limit above which rooms cannot be joined. The default is 1.0. + # + #complexity: 0.5 + + # override the error which is returned when the room is too complex. + # + #complexity_error: "This room is too complex." + + # allow server admins to join complex rooms. Default is false. + # + #admins_can_join: true + +# Whether to require a user to be in the room to add an alias to it. +# Defaults to 'true'. +# +#require_membership_for_aliases: false + +# Whether to allow per-room membership profiles through the send of membership +# events with profile information that differ from the target's global profile. +# Defaults to 'true'. +# +#allow_per_room_profiles: false + +# How long to keep redacted events in unredacted form in the database. After +# this period redacted events get replaced with their redacted form in the DB. +# +# Defaults to `7d`. Set to `null` to disable. +# +#redaction_retention_period: 28d + +redaction_retention_period: {{ matrix_synapse_redaction_retention_period }} + +# How long to track users' last seen time and IPs in the database. +# +# Defaults to `28d`. Set to `null` to disable clearing out of old rows. +# +#user_ips_max_age: 14d + +user_ips_max_age: {{ matrix_synapse_user_ips_max_age }} + +# Message retention policy at the server level. +# +# Room admins and mods can define a retention period for their rooms using the +# 'm.room.retention' state event, and server admins can cap this period by setting +# the 'allowed_lifetime_min' and 'allowed_lifetime_max' config options. +# +# If this feature is enabled, Synapse will regularly look for and purge events +# which are older than the room's maximum retention period. Synapse will also +# filter events received over federation so that events that should have been +# purged are ignored and not stored again. +# +retention: + # The message retention policies feature is disabled by default. Uncomment the + # following line to enable it. + # + #enabled: true + + # Default retention policy. If set, Synapse will apply it to rooms that lack the + # 'm.room.retention' state event. Currently, the value of 'min_lifetime' doesn't + # matter much because Synapse doesn't take it into account yet. + # + #default_policy: + # min_lifetime: 1d + # max_lifetime: 1y + + # Retention policy limits. If set, and the state of a room contains a + # 'm.room.retention' event in its state which contains a 'min_lifetime' or a + # 'max_lifetime' that's out of these bounds, Synapse will cap the room's policy + # to these limits when running purge jobs. + # + #allowed_lifetime_min: 1d + #allowed_lifetime_max: 1y + + # Server admins can define the settings of the background jobs purging the + # events which lifetime has expired under the 'purge_jobs' section. + # + # If no configuration is provided, a single job will be set up to delete expired + # events in every room daily. + # + # Each job's configuration defines which range of message lifetimes the job + # takes care of. For example, if 'shortest_max_lifetime' is '2d' and + # 'longest_max_lifetime' is '3d', the job will handle purging expired events in + # rooms whose state defines a 'max_lifetime' that's both higher than 2 days, and + # lower than or equal to 3 days. Both the minimum and the maximum value of a + # range are optional, e.g. a job with no 'shortest_max_lifetime' and a + # 'longest_max_lifetime' of '3d' will handle every room with a retention policy + # which 'max_lifetime' is lower than or equal to three days. + # + # The rationale for this per-job configuration is that some rooms might have a + # retention policy with a low 'max_lifetime', where history needs to be purged + # of outdated messages on a more frequent basis than for the rest of the rooms + # (e.g. every 12h), but not want that purge to be performed by a job that's + # iterating over every room it knows, which could be heavy on the server. + # + # If any purge job is configured, it is strongly recommended to have at least + # a single job with neither 'shortest_max_lifetime' nor 'longest_max_lifetime' + # set, or one job without 'shortest_max_lifetime' and one job without + # 'longest_max_lifetime' set. Otherwise some rooms might be ignored, even if + # 'allowed_lifetime_min' and 'allowed_lifetime_max' are set, because capping a + # room's policy to these values is done after the policies are retrieved from + # Synapse's database (which is done using the range specified in a purge job's + # configuration). + # + #purge_jobs: + # - longest_max_lifetime: 3d + # interval: 12h + # - shortest_max_lifetime: 3d + # interval: 1d + +# Inhibits the /requestToken endpoints from returning an error that might leak +# information about whether an e-mail address is in use or not on this +# homeserver. +# Note that for some endpoints the error situation is the e-mail already being +# used, and for others the error is entering the e-mail being unused. +# If this option is enabled, instead of returning an error, these endpoints will +# act as if no error happened and return a fake session ID ('sid') to clients. +# +#request_token_inhibit_3pid_errors: true + +# A list of domains that the domain portion of 'next_link' parameters +# must match. +# +# This parameter is optionally provided by clients while requesting +# validation of an email or phone number, and maps to a link that +# users will be automatically redirected to after validation +# succeeds. Clients can make use this parameter to aid the validation +# process. +# +# The whitelist is applied whether the homeserver or an +# identity server is handling validation. +# +# The default value is no whitelist functionality; all domains are +# allowed. Setting this value to an empty list will instead disallow +# all domains. +# +#next_link_domain_whitelist: ["matrix.org"] + + +## TLS ## + +# PEM-encoded X509 certificate for TLS. +# This certificate, as of Synapse 1.0, will need to be a valid and verifiable +# certificate, signed by a recognised Certificate Authority. +# +# See 'ACME support' below to enable auto-provisioning this certificate via +# Let's Encrypt. +# +# If supplying your own, be sure to use a `.pem` file that includes the +# full certificate chain including any intermediate certificates (for +# instance, if using certbot, use `fullchain.pem` as your certificate, +# not `cert.pem`). +# +tls_certificate_path: {{ matrix_synapse_tls_certificate_path|to_json }} + +# PEM-encoded private key for TLS +# +tls_private_key_path: {{ matrix_synapse_tls_private_key_path|to_json }} + +# Whether to verify TLS server certificates for outbound federation requests. +# +# Defaults to `true`. To disable certificate verification, uncomment the +# following line. +# +#federation_verify_certificates: false + +# The minimum TLS version that will be used for outbound federation requests. +# +# Defaults to `1`. Configurable to `1`, `1.1`, `1.2`, or `1.3`. Note +# that setting this value higher than `1.2` will prevent federation to most +# of the public Matrix network: only configure it to `1.3` if you have an +# entirely private federation setup and you can ensure TLS 1.3 support. +# +#federation_client_minimum_tls_version: 1.2 + +# Skip federation certificate verification on the following whitelist +# of domains. +# +# This setting should only be used in very specific cases, such as +# federation over Tor hidden services and similar. For private networks +# of homeservers, you likely want to use a private CA instead. +# +# Only effective if federation_verify_certicates is `true`. +# +#federation_certificate_verification_whitelist: +# - lon.example.com +# - *.domain.com +# - *.onion + +# List of custom certificate authorities for federation traffic. +# +# This setting should only normally be used within a private network of +# homeservers. +# +# Note that this list will replace those that are provided by your +# operating environment. Certificates must be in PEM format. +# +#federation_custom_ca_list: +# - myCA1.pem +# - myCA2.pem +# - myCA3.pem + +# ACME support: This will configure Synapse to request a valid TLS certificate +# for your configured `server_name` via Let's Encrypt. +# +# Note that ACME v1 is now deprecated, and Synapse currently doesn't support +# ACME v2. This means that this feature currently won't work with installs set +# up after November 2019. For more info, and alternative solutions, see +# https://github.com/matrix-org/synapse/blob/master/docs/ACME.md#deprecation-of-acme-v1 +# +# Note that provisioning a certificate in this way requires port 80 to be +# routed to Synapse so that it can complete the http-01 ACME challenge. +# By default, if you enable ACME support, Synapse will attempt to listen on +# port 80 for incoming http-01 challenges - however, this will likely fail +# with 'Permission denied' or a similar error. +# +# There are a couple of potential solutions to this: +# +# * If you already have an Apache, Nginx, or similar listening on port 80, +# you can configure Synapse to use an alternate port, and have your web +# server forward the requests. For example, assuming you set 'port: 8009' +# below, on Apache, you would write: +# +# ProxyPass /.well-known/acme-challenge http://localhost:8009/.well-known/acme-challenge +# +# * Alternatively, you can use something like `authbind` to give Synapse +# permission to listen on port 80. +# +acme: + # ACME support is disabled by default. Uncomment the following line + # (and tls_certificate_path and tls_private_key_path above) to enable it. + # + #enabled: true + + # Endpoint to use to request certificates. If you only want to test, + # use Let's Encrypt's staging url: + # https://acme-staging.api.letsencrypt.org/directory + # + #url: https://acme-v01.api.letsencrypt.org/directory + + # Port number to listen on for the HTTP-01 challenge. Change this if + # you are forwarding connections through Apache/Nginx/etc. + # + #port: 80 + + # Local addresses to listen on for incoming connections. + # Again, you may want to change this if you are forwarding connections + # through Apache/Nginx/etc. + # + #bind_addresses: ['::', '0.0.0.0'] + + # How many days remaining on a certificate before it is renewed. + # + #reprovision_threshold: 30 + + # The domain that the certificate should be for. Normally this + # should be the same as your Matrix domain (i.e., 'server_name'), but, + # by putting a file at 'https:///.well-known/matrix/server', + # you can delegate incoming traffic to another server. If you do that, + # you should give the target of the delegation here. + # + # For example: if your 'server_name' is 'example.com', but + # 'https://example.com/.well-known/matrix/server' delegates to + # 'matrix.example.com', you should put 'matrix.example.com' here. + # + # If not set, defaults to your 'server_name'. + # + #domain: matrix.example.com + + # file to use for the account key. This will be generated if it doesn't + # exist. + # + # If unspecified, we will use CONFDIR/client.key. + # + #account_key_file: /data/acme_account.key + +# List of allowed TLS fingerprints for this server to publish along +# with the signing keys for this server. Other matrix servers that +# make HTTPS requests to this server will check that the TLS +# certificates returned by this server match one of the fingerprints. +# +# Synapse automatically adds the fingerprint of its own certificate +# to the list. So if federation traffic is handled directly by synapse +# then no modification to the list is required. +# +# If synapse is run behind a load balancer that handles the TLS then it +# will be necessary to add the fingerprints of the certificates used by +# the loadbalancers to this list if they are different to the one +# synapse is using. +# +# Homeservers are permitted to cache the list of TLS fingerprints +# returned in the key responses up to the "valid_until_ts" returned in +# key. It may be necessary to publish the fingerprints of a new +# certificate and wait until the "valid_until_ts" of the previous key +# responses have passed before deploying it. +# +# You can calculate a fingerprint from a given TLS listener via: +# openssl s_client -connect $host:$port < /dev/null 2> /dev/null | +# openssl x509 -outform DER | openssl sha256 -binary | base64 | tr -d '=' +# or by checking matrix.org/federationtester/api/report?server_name=$host +# +#tls_fingerprints: [{"sha256": ""}] + + +## Federation ## + +# Restrict federation to the following whitelist of domains. +# N.B. we recommend also firewalling your federation listener to limit +# inbound federation traffic as early as possible, rather than relying +# purely on this application-layer restriction. If not specified, the +# default is to whitelist everything. +# +#federation_domain_whitelist: +# - lon.example.com +# - nyc.example.com +# - syd.example.com +{% if matrix_synapse_federation_domain_whitelist is not none %} +{# Cannot use `|to_nice_yaml` here, as an empty list does not get serialized properly by it. #} +federation_domain_whitelist: {{ matrix_synapse_federation_domain_whitelist|to_json }} +{% endif %} + +# Report prometheus metrics on the age of PDUs being sent to and received from +# the following domains. This can be used to give an idea of "delay" on inbound +# and outbound federation, though be aware that any delay can be due to problems +# at either end or with the intermediate network. +# +# By default, no domains are monitored in this way. +# +#federation_metrics_domains: +# - matrix.org +# - example.com + + +## Caching ## + +# Caching can be configured through the following options. +# +# A cache 'factor' is a multiplier that can be applied to each of +# Synapse's caches in order to increase or decrease the maximum +# number of entries that can be stored. + +# The number of events to cache in memory. Not affected by +# caches.global_factor. +# +event_cache_size: "{{ matrix_synapse_event_cache_size }}" + +caches: + # Controls the global cache factor, which is the default cache factor + # for all caches if a specific factor for that cache is not otherwise + # set. + # + # This can also be set by the "SYNAPSE_CACHE_FACTOR" environment + # variable. Setting by environment variable takes priority over + # setting through the config file. + # + # Defaults to 0.5, which will half the size of all caches. + # + global_factor: {{ matrix_synapse_caches_global_factor }} + + # A dictionary of cache name to cache factor for that individual + # cache. Overrides the global cache factor for a given cache. + # + # These can also be set through environment variables comprised + # of "SYNAPSE_CACHE_FACTOR_" + the name of the cache in capital + # letters and underscores. Setting by environment variable + # takes priority over setting through the config file. + # Ex. SYNAPSE_CACHE_FACTOR_GET_USERS_WHO_SHARE_ROOM_WITH_USER=2.0 + # + # Some caches have '*' and other characters that are not + # alphanumeric or underscores. These caches can be named with or + # without the special characters stripped. For example, to specify + # the cache factor for `*stateGroupCache*` via an environment + # variable would be `SYNAPSE_CACHE_FACTOR_STATEGROUPCACHE=2.0`. + # + per_cache_factors: + #get_users_who_share_room_with_user: 2.0 + + +## Database ## + +database: + # The database engine name + name: "psycopg2" + args: + user: {{ matrix_synapse_database_user|string|to_json }} + password: {{ matrix_synapse_database_password|string|to_json }} + database: "{{ matrix_synapse_database_database }}" + host: "{{ matrix_synapse_database_host }}" + cp_min: 5 + cp_max: 10 + + +## Logging ## + +# A yaml python logging config file as described by +# https://docs.python.org/3.7/library/logging.config.html#configuration-dictionary-schema +# +log_config: "/data/{{ matrix_server_fqn_matrix }}.log.config" + + +## Ratelimiting ## + +# Ratelimiting settings for client actions (registration, login, messaging). +# +# Each ratelimiting configuration is made of two parameters: +# - per_second: number of requests a client can send per second. +# - burst_count: number of requests a client can send before being throttled. +# +# Synapse currently uses the following configurations: +# - one for messages that ratelimits sending based on the account the client +# is using +# - one for registration that ratelimits registration requests based on the +# client's IP address. +# - one for login that ratelimits login requests based on the client's IP +# address. +# - one for login that ratelimits login requests based on the account the +# client is attempting to log into. +# - one for login that ratelimits login requests based on the account the +# client is attempting to log into, based on the amount of failed login +# attempts for this account. +# - one for ratelimiting redactions by room admins. If this is not explicitly +# set then it uses the same ratelimiting as per rc_message. This is useful +# to allow room admins to deal with abuse quickly. +# - two for ratelimiting number of rooms a user can join, "local" for when +# users are joining rooms the server is already in (this is cheap) vs +# "remote" for when users are trying to join rooms not on the server (which +# can be more expensive) +# +# The defaults are as shown below. +# +#rc_message: +# per_second: 0.2 +# burst_count: 10 +rc_message: {{ matrix_synapse_rc_message|to_json }} +# +#rc_registration: +# per_second: 0.17 +# burst_count: 3 +rc_registration: {{ matrix_synapse_rc_registration|to_json }} +# +#rc_login: +# address: +# per_second: 0.17 +# burst_count: 3 +# account: +# per_second: 0.17 +# burst_count: 3 +# failed_attempts: +# per_second: 0.17 +# burst_count: 3 +rc_login: {{ matrix_synapse_rc_login|to_json }} +# +#rc_admin_redaction: +# per_second: 1 +# burst_count: 50 +# +#rc_joins: +# local: +# per_second: 0.1 +# burst_count: 3 +# remote: +# per_second: 0.01 +# burst_count: 3 + + +# Ratelimiting settings for incoming federation +# +# The rc_federation configuration is made up of the following settings: +# - window_size: window size in milliseconds +# - sleep_limit: number of federation requests from a single server in +# a window before the server will delay processing the request. +# - sleep_delay: duration in milliseconds to delay processing events +# from remote servers by if they go over the sleep limit. +# - reject_limit: maximum number of concurrent federation requests +# allowed from a single server +# - concurrent: number of federation requests to concurrently process +# from a single server +# +# The defaults are as shown below. +# +#rc_federation: +# window_size: 1000 +# sleep_limit: 10 +# sleep_delay: 500 +# reject_limit: 50 +# concurrent: 3 +rc_federation: {{ matrix_synapse_rc_federation|to_json }} + +# Target outgoing federation transaction frequency for sending read-receipts, +# per-room. +# +# If we end up trying to send out more read-receipts, they will get buffered up +# into fewer transactions. +# +#federation_rr_transactions_per_room_per_second: 50 +federation_rr_transactions_per_room_per_second: {{ matrix_synapse_federation_rr_transactions_per_room_per_second }} + + + +## Media Store ## + +# Enable the media store service in the Synapse master. Uncomment the +# following if you are using a separate media store worker. +# +#enable_media_repo: false + +# Directory where uploaded images and attachments are stored. +# +media_store_path: "/matrix-media-store-parent/{{ matrix_synapse_media_store_directory_name }}" + +# Media storage providers allow media to be stored in different +# locations. +# +#media_storage_providers: +# - module: file_system +# # Whether to store newly uploaded local files +# store_local: false +# # Whether to store newly downloaded remote files +# store_remote: false +# # Whether to wait for successful storage for local uploads +# store_synchronous: false +# config: +# directory: /mnt/some/other/directory + +# The largest allowed upload size in bytes +# +max_upload_size: "{{ matrix_synapse_max_upload_size_mb }}M" + +# Maximum number of pixels that will be thumbnailed +# +#max_image_pixels: 32M + +# Whether to generate new thumbnails on the fly to precisely match +# the resolution requested by the client. If true then whenever +# a new resolution is requested by the client the server will +# generate a new thumbnail. If false the server will pick a thumbnail +# from a precalculated list. +# +#dynamic_thumbnails: false + +# List of thumbnails to precalculate when an image is uploaded. +# +#thumbnail_sizes: +# - width: 32 +# height: 32 +# method: crop +# - width: 96 +# height: 96 +# method: crop +# - width: 320 +# height: 240 +# method: scale +# - width: 640 +# height: 480 +# method: scale +# - width: 800 +# height: 600 +# method: scale + +# Is the preview URL API enabled? +# +# 'false' by default: uncomment the following to enable it (and specify a +# url_preview_ip_range_blacklist blacklist). +# +url_preview_enabled: {{ matrix_synapse_url_preview_enabled|to_json }} + +# List of IP address CIDR ranges that the URL preview spider is denied +# from accessing. There are no defaults: you must explicitly +# specify a list for URL previewing to work. You should specify any +# internal services in your network that you do not want synapse to try +# to connect to, otherwise anyone in any Matrix room could cause your +# synapse to issue arbitrary GET requests to your internal services, +# causing serious security issues. +# +# (0.0.0.0 and :: are always blacklisted, whether or not they are explicitly +# listed here, since they correspond to unroutable addresses.) +# +# This must be specified if url_preview_enabled is set. It is recommended that +# you uncomment the following list as a starting point. +# +url_preview_ip_range_blacklist: + - '127.0.0.0/8' + - '10.0.0.0/8' + - '172.16.0.0/12' + - '192.168.0.0/16' + - '100.64.0.0/10' + - '192.0.0.0/24' + - '169.254.0.0/16' + - '198.18.0.0/15' + - '192.0.2.0/24' + - '198.51.100.0/24' + - '203.0.113.0/24' + - '224.0.0.0/4' + - '::1/128' + - 'fe80::/10' + - 'fc00::/7' + +# List of IP address CIDR ranges that the URL preview spider is allowed +# to access even if they are specified in url_preview_ip_range_blacklist. +# This is useful for specifying exceptions to wide-ranging blacklisted +# target IP ranges - e.g. for enabling URL previews for a specific private +# website only visible in your network. +# +#url_preview_ip_range_whitelist: +# - '192.168.1.1' + +# Optional list of URL matches that the URL preview spider is +# denied from accessing. You should use url_preview_ip_range_blacklist +# in preference to this, otherwise someone could define a public DNS +# entry that points to a private IP address and circumvent the blacklist. +# This is more useful if you know there is an entire shape of URL that +# you know that will never want synapse to try to spider. +# +# Each list entry is a dictionary of url component attributes as returned +# by urlparse.urlsplit as applied to the absolute form of the URL. See +# https://docs.python.org/2/library/urlparse.html#urlparse.urlsplit +# The values of the dictionary are treated as an filename match pattern +# applied to that component of URLs, unless they start with a ^ in which +# case they are treated as a regular expression match. If all the +# specified component matches for a given list item succeed, the URL is +# blacklisted. +# +#url_preview_url_blacklist: +# # blacklist any URL with a username in its URI +# - username: '*' +# +# # blacklist all *.google.com URLs +# - netloc: 'google.com' +# - netloc: '*.google.com' +# +# # blacklist all plain HTTP URLs +# - scheme: 'http' +# +# # blacklist http(s)://www.acme.com/foo +# - netloc: 'www.acme.com' +# path: '/foo' +# +# # blacklist any URL with a literal IPv4 address +# - netloc: '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$' + +# The largest allowed URL preview spidering size in bytes +# +max_spider_size: 10M + +# A list of values for the Accept-Language HTTP header used when +# downloading webpages during URL preview generation. This allows +# Synapse to specify the preferred languages that URL previews should +# be in when communicating with remote servers. +# +# Each value is a IETF language tag; a 2-3 letter identifier for a +# language, optionally followed by subtags separated by '-', specifying +# a country or region variant. +# +# Multiple values can be provided, and a weight can be added to each by +# using quality value syntax (;q=). '*' translates to any language. +# +# Defaults to "en". +# +# Example: +# +# url_preview_accept_language: +# - en-UK +# - en-US;q=0.9 +# - fr;q=0.8 +# - *;q=0.7 +# +url_preview_accept_language: +# - en + + +## Captcha ## +# See docs/CAPTCHA_SETUP.md for full details of configuring this. + +# This homeserver's ReCAPTCHA public key. Must be specified if +# enable_registration_captcha is enabled. +# +recaptcha_public_key: {{ matrix_synapse_recaptcha_public_key|to_json }} + +# This homeserver's ReCAPTCHA private key. Must be specified if +# enable_registration_captcha is enabled. +# +recaptcha_private_key: {{ matrix_synapse_recaptcha_private_key|to_json }} + +# Uncomment to enable ReCaptcha checks when registering, preventing signup +# unless a captcha is answered. Requires a valid ReCaptcha +# public/private key. Defaults to 'false'. +# +enable_registration_captcha: {{ matrix_synapse_enable_registration_captcha|to_json }} + +# The API endpoint to use for verifying m.login.recaptcha responses. +# Defaults to "https://www.recaptcha.net/recaptcha/api/siteverify". +# +#recaptcha_siteverify_api: "https://my.recaptcha.site" + + +## TURN ## + +# The public URIs of the TURN server to give to clients +# +turn_uris: {{ matrix_synapse_turn_uris|to_json }} + +# The shared secret used to compute passwords for the TURN server +# +turn_shared_secret: {{ matrix_synapse_turn_shared_secret|string|to_json }} + +# The Username and password if the TURN server needs them and +# does not use a token +# +#turn_username: "TURNSERVER_USERNAME" +#turn_password: "TURNSERVER_PASSWORD" + +# How long generated TURN credentials last +# +#turn_user_lifetime: 1h + +# Whether guests should be allowed to use the TURN server. +# This defaults to True, otherwise VoIP will be unreliable for guests. +# However, it does introduce a slight security risk as it allows users to +# connect to arbitrary endpoints without having first signed up for a +# valid account (e.g. by passing a CAPTCHA). +# +turn_allow_guests: {{ matrix_synapse_turn_allow_guests|to_json }} + + +## Registration ## +# +# Registration can be rate-limited using the parameters in the "Ratelimiting" +# section of this file. + +# Enable registration for new users. +# +enable_registration: {{ matrix_synapse_enable_registration|to_json }} + +# Optional account validity configuration. This allows for accounts to be denied +# any request after a given period. +# +# Once this feature is enabled, Synapse will look for registered users without an +# expiration date at startup and will add one to every account it found using the +# current settings at that time. +# This means that, if a validity period is set, and Synapse is restarted (it will +# then derive an expiration date from the current validity period), and some time +# after that the validity period changes and Synapse is restarted, the users' +# expiration dates won't be updated unless their account is manually renewed. This +# date will be randomly selected within a range [now + period - d ; now + period], +# where d is equal to 10% of the validity period. +# +account_validity: + # The account validity feature is disabled by default. Uncomment the + # following line to enable it. + # + #enabled: true + + # The period after which an account is valid after its registration. When + # renewing the account, its validity period will be extended by this amount + # of time. This parameter is required when using the account validity + # feature. + # + #period: 6w + + # The amount of time before an account's expiry date at which Synapse will + # send an email to the account's email address with a renewal link. By + # default, no such emails are sent. + # + # If you enable this setting, you will also need to fill out the 'email' and + # 'public_baseurl' configuration sections. + # + #renew_at: 1w + + # The subject of the email sent out with the renewal link. '%(app)s' can be + # used as a placeholder for the 'app_name' parameter from the 'email' + # section. + # + # Note that the placeholder must be written '%(app)s', including the + # trailing 's'. + # + # If this is not set, a default value is used. + # + #renew_email_subject: "Renew your %(app)s account" + + # Directory in which Synapse will try to find templates for the HTML files to + # serve to the user when trying to renew an account. If not set, default + # templates from within the Synapse package will be used. + # + #template_dir: "res/templates" + + # File within 'template_dir' giving the HTML to be displayed to the user after + # they successfully renewed their account. If not set, default text is used. + # + #account_renewed_html_path: "account_renewed.html" + + # File within 'template_dir' giving the HTML to be displayed when the user + # tries to renew an account with an invalid renewal token. If not set, + # default text is used. + # + #invalid_token_html_path: "invalid_token.html" + +# Time that a user's session remains valid for, after they log in. +# +# Note that this is not currently compatible with guest logins. +# +# Note also that this is calculated at login time: changes are not applied +# retrospectively to users who have already logged in. +# +# By default, this is infinite. +# +#session_lifetime: 24h + +# The user must provide all of the below types of 3PID when registering. +# +#registrations_require_3pid: +# - email +# - msisdn +{% if matrix_synapse_registrations_require_3pid|length > 0 %} +registrations_require_3pid: {{ matrix_synapse_registrations_require_3pid|to_json }} +{% endif %} + +# Explicitly disable asking for MSISDNs from the registration +# flow (overrides registrations_require_3pid if MSISDNs are set as required) +# +#disable_msisdn_registration: true + +# Mandate that users are only allowed to associate certain formats of +# 3PIDs with accounts on this server. +# +#allowed_local_3pids: +# - medium: email +# pattern: '.*@matrix\.org' +# - medium: email +# pattern: '.*@vector\.im' +# - medium: msisdn +# pattern: '\+44' +{% if matrix_synapse_allowed_local_3pids|length > 0 %} +allowed_local_3pids: {{ matrix_synapse_allowed_local_3pids|to_json }} +{% endif %} + +# Enable 3PIDs lookup requests to identity servers from this server. +# +#enable_3pid_lookup: true + +# If set, allows registration of standard or admin accounts by anyone who +# has the shared secret, even if registration is otherwise disabled. +# +registration_shared_secret: {{ matrix_synapse_registration_shared_secret|string|to_json }} + +# Set the number of bcrypt rounds used to generate password hash. +# Larger numbers increase the work factor needed to generate the hash. +# The default number is 12 (which equates to 2^12 rounds). +# N.B. that increasing this will exponentially increase the time required +# to register or login - e.g. 24 => 2^24 rounds which will take >20 mins. +# +#bcrypt_rounds: 12 + +# Allows users to register as guests without a password/email/etc, and +# participate in rooms hosted on this server which have been made +# accessible to anonymous users. +# +allow_guest_access: {{ matrix_synapse_allow_guest_access|to_json }} + +# The identity server which we suggest that clients should use when users log +# in on this server. +# +# (By default, no suggestion is made, so it is left up to the client. +# This setting is ignored unless public_baseurl is also set.) +# +#default_identity_server: https://matrix.org + +# Handle threepid (email/phone etc) registration and password resets through a set of +# *trusted* identity servers. Note that this allows the configured identity server to +# reset passwords for accounts! +# +# Be aware that if `email` is not set, and SMTP options have not been +# configured in the email config block, registration and user password resets via +# email will be globally disabled. +# +# Additionally, if `msisdn` is not set, registration and password resets via msisdn +# will be disabled regardless, and users will not be able to associate an msisdn +# identifier to their account. This is due to Synapse currently not supporting +# any method of sending SMS messages on its own. +# +# To enable using an identity server for operations regarding a particular third-party +# identifier type, set the value to the URL of that identity server as shown in the +# examples below. +# +# Servers handling the these requests must answer the `/requestToken` endpoints defined +# by the Matrix Identity Service API specification: +# https://matrix.org/docs/spec/identity_service/latest +# +# If a delegate is specified, the config option public_baseurl must also be filled out. +# +account_threepid_delegates: + email: {{ matrix_synapse_account_threepid_delegates_email|to_json }} + msisdn: {{ matrix_synapse_account_threepid_delegates_msisdn|to_json }} + +# Whether users are allowed to change their displayname after it has +# been initially set. Useful when provisioning users based on the +# contents of a third-party directory. +# +# Does not apply to server administrators. Defaults to 'true' +# +#enable_set_displayname: false + +# Whether users are allowed to change their avatar after it has been +# initially set. Useful when provisioning users based on the contents +# of a third-party directory. +# +# Does not apply to server administrators. Defaults to 'true' +# +#enable_set_avatar_url: false + +# Whether users can change the 3PIDs associated with their accounts +# (email address and msisdn). +# +# Defaults to 'true' +# +#enable_3pid_changes: false + +# Users who register on this homeserver will automatically be joined +# to these rooms. +# +# By default, any room aliases included in this list will be created +# as a publicly joinable room when the first user registers for the +# homeserver. This behaviour can be customised with the settings below. +# +#auto_join_rooms: +# - "#example:example.com" +{% if matrix_synapse_auto_join_rooms|length > 0 %} +auto_join_rooms: +{{ matrix_synapse_auto_join_rooms|to_nice_yaml }} +{% endif %} + +# Where auto_join_rooms are specified, setting this flag ensures that the +# the rooms exist by creating them when the first user on the +# homeserver registers. +# +# By default the auto-created rooms are publicly joinable from any federated +# server. Use the autocreate_auto_join_rooms_federated and +# autocreate_auto_join_room_preset settings below to customise this behaviour. +# +# Setting to false means that if the rooms are not manually created, +# users cannot be auto-joined since they do not exist. +# +# Defaults to true. Uncomment the following line to disable automatically +# creating auto-join rooms. +# +autocreate_auto_join_rooms: {{ matrix_synapse_autocreate_auto_join_rooms|to_json }} + +# Whether the auto_join_rooms that are auto-created are available via +# federation. Only has an effect if autocreate_auto_join_rooms is true. +# +# Note that whether a room is federated cannot be modified after +# creation. +# +# Defaults to true: the room will be joinable from other servers. +# Uncomment the following to prevent users from other homeservers from +# joining these rooms. +# +#autocreate_auto_join_rooms_federated: false + +# The room preset to use when auto-creating one of auto_join_rooms. Only has an +# effect if autocreate_auto_join_rooms is true. +# +# This can be one of "public_chat", "private_chat", or "trusted_private_chat". +# If a value of "private_chat" or "trusted_private_chat" is used then +# auto_join_mxid_localpart must also be configured. +# +# Defaults to "public_chat", meaning that the room is joinable by anyone, including +# federated servers if autocreate_auto_join_rooms_federated is true (the default). +# Uncomment the following to require an invitation to join these rooms. +# +#autocreate_auto_join_room_preset: private_chat + +# The local part of the user id which is used to create auto_join_rooms if +# autocreate_auto_join_rooms is true. If this is not provided then the +# initial user account that registers will be used to create the rooms. +# +# The user id is also used to invite new users to any auto-join rooms which +# are set to invite-only. +# +# It *must* be configured if autocreate_auto_join_room_preset is set to +# "private_chat" or "trusted_private_chat". +# +# Note that this must be specified in order for new users to be correctly +# invited to any auto-join rooms which have been set to invite-only (either +# at the time of creation or subsequently). +# +# Note that, if the room already exists, this user must be joined and +# have the appropriate permissions to invite new members. +# +#auto_join_mxid_localpart: system + +# When auto_join_rooms is specified, setting this flag to false prevents +# guest accounts from being automatically joined to the rooms. +# +# Defaults to true. +# +#auto_join_rooms_for_guests: false + + +## Metrics ### + +# Enable collection and rendering of performance metrics +# +enable_metrics: {{ matrix_synapse_metrics_enabled|to_json }} + + +# Enable sentry integration +# NOTE: While attempts are made to ensure that the logs don't contain +# any sensitive information, this cannot be guaranteed. By enabling +# this option the sentry server may therefore receive sensitive +# information, and it in turn may then diseminate sensitive information +# through insecure notification channels if so configured. +# +{% if matrix_synapse_sentry_dsn != "" %} +sentry: + dsn: {{ matrix_synapse_sentry_dsn|to_json }} +{% endif %} + +# Flags to enable Prometheus metrics which are not suitable to be +# enabled by default, either for performance reasons or limited use. +# +metrics_flags: + # Publish synapse_federation_known_servers, a gauge of the number of + # servers this homeserver knows about, including itself. May cause + # performance problems on large homeservers. + # + #known_servers: true + +# Whether or not to report anonymized homeserver usage statistics. +# +report_stats: {{ matrix_synapse_report_stats|to_json }} + +# The endpoint to report the anonymized homeserver usage statistics to. +# Defaults to https://matrix.org/report-usage-stats/push +# +#report_stats_endpoint: https://example.com/report-usage-stats/push + + +## API Configuration ## + +# A list of event types that will be included in the room_invite_state +# +#room_invite_state_types: +# - "m.room.join_rules" +# - "m.room.canonical_alias" +# - "m.room.avatar" +# - "m.room.encryption" +# - "m.room.name" + + +# A list of application service config files to use +# +app_service_config_files: {{ matrix_synapse_app_service_config_files|to_json }} + +# Uncomment to enable tracking of application service IP addresses. Implicitly +# enables MAU tracking for application service users. +# +#track_appservice_user_ips: True + + +# a secret which is used to sign access tokens. If none is specified, +# the registration_shared_secret is used, if one is given; otherwise, +# a secret key is derived from the signing key. +# +macaroon_secret_key: {{ matrix_synapse_macaroon_secret_key|string|to_json }} + +# a secret which is used to calculate HMACs for form values, to stop +# falsification of values. Must be specified for the User Consent +# forms to work. +# +form_secret: {{ matrix_synapse_form_secret|string|to_json }} + +## Signing Keys ## + +# Path to the signing key to sign messages with +# +signing_key_path: "/data/{{ matrix_server_fqn_matrix }}.signing.key" + +# The keys that the server used to sign messages with but won't use +# to sign new messages. +# +old_signing_keys: + # For each key, `key` should be the base64-encoded public key, and + # `expired_ts`should be the time (in milliseconds since the unix epoch) that + # it was last used. + # + # It is possible to build an entry from an old signing.key file using the + # `export_signing_key` script which is provided with synapse. + # + # For example: + # + #"ed25519:id": { key: "base64string", expired_ts: 123456789123 } + +# How long key response published by this server is valid for. +# Used to set the valid_until_ts in /key/v2 APIs. +# Determines how quickly servers will query to check which keys +# are still valid. +# +#key_refresh_interval: 1d + +# The trusted servers to download signing keys from. +# +# When we need to fetch a signing key, each server is tried in parallel. +# +# Normally, the connection to the key server is validated via TLS certificates. +# Additional security can be provided by configuring a `verify key`, which +# will make synapse check that the response is signed by that key. +# +# This setting supercedes an older setting named `perspectives`. The old format +# is still supported for backwards-compatibility, but it is deprecated. +# +# 'trusted_key_servers' defaults to matrix.org, but using it will generate a +# warning on start-up. To suppress this warning, set +# 'suppress_key_server_warning' to true. +# +# Options for each entry in the list include: +# +# server_name: the name of the server. required. +# +# verify_keys: an optional map from key id to base64-encoded public key. +# If specified, we will check that the response is signed by at least +# one of the given keys. +# +# accept_keys_insecurely: a boolean. Normally, if `verify_keys` is unset, +# and federation_verify_certificates is not `true`, synapse will refuse +# to start, because this would allow anyone who can spoof DNS responses +# to masquerade as the trusted key server. If you know what you are doing +# and are sure that your network environment provides a secure connection +# to the key server, you can set this to `true` to override this +# behaviour. +# +# An example configuration might look like: +# +#trusted_key_servers: +# - server_name: "my_trusted_server.example.com" +# verify_keys: +# "ed25519:auto": "abcdefghijklmnopqrstuvwxyzabcdefghijklmopqr" +# - server_name: "my_other_trusted_server.example.com" +# +trusted_key_servers: {{ matrix_synapse_trusted_key_servers|to_json }} + + +# Uncomment the following to disable the warning that is emitted when the +# trusted_key_servers include 'matrix.org'. See above. +# +#suppress_key_server_warning: true + +# The signing keys to use when acting as a trusted key server. If not specified +# defaults to the server signing key. +# +# Can contain multiple keys, one per line. +# +#key_server_signing_keys_path: "key_server_signing_keys.key" + + +## Single sign-on integration ## + +# The following settings can be used to make Synapse use a single sign-on +# provider for authentication, instead of its internal password database. +# +# You will probably also want to set the following options to `false` to +# disable the regular login/registration flows: +# * enable_registration +# * password_config.enabled +# +# You will also want to investigate the settings under the "sso" configuration +# section below. + +# Enable SAML2 for registration and login. Uses pysaml2. +# +# At least one of `sp_config` or `config_path` must be set in this section to +# enable SAML login. +# +# Once SAML support is enabled, a metadata file will be exposed at +# https://:/_matrix/saml2/metadata.xml, which you may be able to +# use to configure your SAML IdP with. Alternatively, you can manually configure +# the IdP to use an ACS location of +# https://:/_matrix/saml2/authn_response. +# +saml2_config: + # `sp_config` is the configuration for the pysaml2 Service Provider. + # See pysaml2 docs for format of config. + # + # Default values will be used for the 'entityid' and 'service' settings, + # so it is not normally necessary to specify them unless you need to + # override them. + # + sp_config: + # Point this to the IdP's metadata. You must provide either a local + # file via the `local` attribute or (preferably) a URL via the + # `remote` attribute. + # + #metadata: + # local: ["saml2/idp.xml"] + # remote: + # - url: https://our_idp/metadata.xml + + # Allowed clock difference in seconds between the homeserver and IdP. + # + # Uncomment the below to increase the accepted time difference from 0 to 3 seconds. + # + #accepted_time_diff: 3 + + # By default, the user has to go to our login page first. If you'd like + # to allow IdP-initiated login, set 'allow_unsolicited: true' in a + # 'service.sp' section: + # + #service: + # sp: + # allow_unsolicited: true + + # The examples below are just used to generate our metadata xml, and you + # may well not need them, depending on your setup. Alternatively you + # may need a whole lot more detail - see the pysaml2 docs! + + #description: ["My awesome SP", "en"] + #name: ["Test SP", "en"] + + #ui_info: + # display_name: + # - lang: en + # text: "Display Name is the descriptive name of your service." + # description: + # - lang: en + # text: "Description should be a short paragraph explaining the purpose of the service." + # information_url: + # - lang: en + # text: "https://example.com/terms-of-service" + # privacy_statement_url: + # - lang: en + # text: "https://example.com/privacy-policy" + # keywords: + # - lang: en + # text: ["Matrix", "Element"] + # logo: + # - lang: en + # text: "https://example.com/logo.svg" + # width: "200" + # height: "80" + + #organization: + # name: Example com + # display_name: + # - ["Example co", "en"] + # url: "http://example.com" + + #contact_person: + # - given_name: Bob + # sur_name: "the Sysadmin" + # email_address": ["admin@example.com"] + # contact_type": technical + + # Instead of putting the config inline as above, you can specify a + # separate pysaml2 configuration file: + # + #config_path: "/data/sp_conf.py" + + # The lifetime of a SAML session. This defines how long a user has to + # complete the authentication process, if allow_unsolicited is unset. + # The default is 15 minutes. + # + #saml_session_lifetime: 5m + + # An external module can be provided here as a custom solution to + # mapping attributes returned from a saml provider onto a matrix user. + # + user_mapping_provider: + # The custom module's class. Uncomment to use a custom module. + # + #module: mapping_provider.SamlMappingProvider + + # Custom configuration values for the module. Below options are + # intended for the built-in provider, they should be changed if + # using a custom module. This section will be passed as a Python + # dictionary to the module's `parse_config` method. + # + config: + # The SAML attribute (after mapping via the attribute maps) to use + # to derive the Matrix ID from. 'uid' by default. + # + # Note: This used to be configured by the + # saml2_config.mxid_source_attribute option. If that is still + # defined, its value will be used instead. + # + #mxid_source_attribute: displayName + + # The mapping system to use for mapping the saml attribute onto a + # matrix ID. + # + # Options include: + # * 'hexencode' (which maps unpermitted characters to '=xx') + # * 'dotreplace' (which replaces unpermitted characters with + # '.'). + # The default is 'hexencode'. + # + # Note: This used to be configured by the + # saml2_config.mxid_mapping option. If that is still defined, its + # value will be used instead. + # + #mxid_mapping: dotreplace + + # In previous versions of synapse, the mapping from SAML attribute to + # MXID was always calculated dynamically rather than stored in a + # table. For backwards- compatibility, we will look for user_ids + # matching such a pattern before creating a new account. + # + # This setting controls the SAML attribute which will be used for this + # backwards-compatibility lookup. Typically it should be 'uid', but if + # the attribute maps are changed, it may be necessary to change it. + # + # The default is 'uid'. + # + #grandfathered_mxid_source_attribute: upn + + # It is possible to configure Synapse to only allow logins if SAML attributes + # match particular values. The requirements can be listed under + # `attribute_requirements` as shown below. All of the listed attributes must + # match for the login to be permitted. + # + #attribute_requirements: + # - attribute: userGroup + # value: "staff" + # - attribute: department + # value: "sales" + + # If the metadata XML contains multiple IdP entities then the `idp_entityid` + # option must be set to the entity to redirect users to. + # + # Most deployments only have a single IdP entity and so should omit this + # option. + # + #idp_entityid: 'https://our_idp/entityid' + + +# Enable OpenID Connect (OIDC) / OAuth 2.0 for registration and login. +# +# See https://github.com/matrix-org/synapse/blob/master/docs/openid.md +# for some example configurations. +# +oidc_config: + # Uncomment the following to enable authorization against an OpenID Connect + # server. Defaults to false. + # + #enabled: true + + # Uncomment the following to disable use of the OIDC discovery mechanism to + # discover endpoints. Defaults to true. + # + #discover: false + + # the OIDC issuer. Used to validate tokens and (if discovery is enabled) to + # discover the provider's endpoints. + # + # Required if 'enabled' is true. + # + #issuer: "https://accounts.example.com/" + + # oauth2 client id to use. + # + # Required if 'enabled' is true. + # + #client_id: "provided-by-your-issuer" + + # oauth2 client secret to use. + # + # Required if 'enabled' is true. + # + #client_secret: "provided-by-your-issuer" + + # auth method to use when exchanging the token. + # Valid values are 'client_secret_basic' (default), 'client_secret_post' and + # 'none'. + # + #client_auth_method: client_secret_post + + # list of scopes to request. This should normally include the "openid" scope. + # Defaults to ["openid"]. + # + #scopes: ["openid", "profile"] + + # the oauth2 authorization endpoint. Required if provider discovery is disabled. + # + #authorization_endpoint: "https://accounts.example.com/oauth2/auth" + + # the oauth2 token endpoint. Required if provider discovery is disabled. + # + #token_endpoint: "https://accounts.example.com/oauth2/token" + + # the OIDC userinfo endpoint. Required if discovery is disabled and the + # "openid" scope is not requested. + # + #userinfo_endpoint: "https://accounts.example.com/userinfo" + + # URI where to fetch the JWKS. Required if discovery is disabled and the + # "openid" scope is used. + # + #jwks_uri: "https://accounts.example.com/.well-known/jwks.json" + + # Uncomment to skip metadata verification. Defaults to false. + # + # Use this if you are connecting to a provider that is not OpenID Connect + # compliant. + # Avoid this in production. + # + #skip_verification: true + + # Whether to fetch the user profile from the userinfo endpoint. Valid + # values are: "auto" or "userinfo_endpoint". + # + # Defaults to "auto", which fetches the userinfo endpoint if "openid" is included + # in `scopes`. Uncomment the following to always fetch the userinfo endpoint. + # + #user_profile_method: "userinfo_endpoint" + + # Uncomment to allow a user logging in via OIDC to match a pre-existing account instead + # of failing. This could be used if switching from password logins to OIDC. Defaults to false. + # + #allow_existing_users: true + + # An external module can be provided here as a custom solution to mapping + # attributes returned from a OIDC provider onto a matrix user. + # + user_mapping_provider: + # The custom module's class. Uncomment to use a custom module. + # Default is 'synapse.handlers.oidc_handler.JinjaOidcMappingProvider'. + # + # See https://github.com/matrix-org/synapse/blob/master/docs/sso_mapping_providers.md#openid-mapping-providers + # for information on implementing a custom mapping provider. + # + #module: mapping_provider.OidcMappingProvider + + # Custom configuration values for the module. This section will be passed as + # a Python dictionary to the user mapping provider module's `parse_config` + # method. + # + # The examples below are intended for the default provider: they should be + # changed if using a custom provider. + # + config: + # name of the claim containing a unique identifier for the user. + # Defaults to `sub`, which OpenID Connect compliant providers should provide. + # + #subject_claim: "sub" + + # Jinja2 template for the localpart of the MXID. + # + # When rendering, this template is given the following variables: + # * user: The claims returned by the UserInfo Endpoint and/or in the ID + # Token + # + # If this is not set, the user will be prompted to choose their + # own username. + # + localpart_template: "{% raw %}{{ user.preferred_username }}{% endraw %}" + + # Jinja2 template for the display name to set on first login. + # + # If unset, no displayname will be set. + # + #display_name_template: "{% raw %}{{ user.given_name }} {{ user.last_name }}{% endraw %}" + + # Jinja2 templates for extra attributes to send back to the client during + # login. + # + # Note that these are non-standard and clients will ignore them without modifications. + # + #extra_attributes: + #birthdate: "{% raw %}{{ user.birthdate }}{% endraw %}" + + + +# Enable Central Authentication Service (CAS) for registration and login. +# +cas_config: + # Uncomment the following to enable authorization against a CAS server. + # Defaults to false. + # + #enabled: true + + # The URL of the CAS authorization endpoint. + # + #server_url: "https://cas-server.com" + + # The public URL of the homeserver. + # + #service_url: "https://homeserver.domain.com:8448" + + # The attribute of the CAS response to use as the display name. + # + # If unset, no displayname will be set. + # + #displayname_attribute: name + + # It is possible to configure Synapse to only allow logins if CAS attributes + # match particular values. All of the keys in the mapping below must exist + # and the values must match the given value. Alternately if the given value + # is None then any value is allowed (the attribute just must exist). + # All of the listed attributes must match for the login to be permitted. + # + #required_attributes: + # userGroup: "staff" + # department: None + + +# Additional settings to use with single-sign on systems such as OpenID Connect, +# SAML2 and CAS. +# +sso: + # A list of client URLs which are whitelisted so that the user does not + # have to confirm giving access to their account to the URL. Any client + # whose URL starts with an entry in the following list will not be subject + # to an additional confirmation step after the SSO login is completed. + # + # WARNING: An entry such as "https://my.client" is insecure, because it + # will also match "https://my.client.evil.site", exposing your users to + # phishing attacks from evil.site. To avoid this, include a slash after the + # hostname: "https://my.client/". + # + # If public_baseurl is set, then the login fallback page (used by clients + # that don't natively support the required login flows) is whitelisted in + # addition to any URLs in this list. + # + # By default, this list is empty. + # + #client_whitelist: + # - https://riot.im/develop + # - https://my.custom.client/ + + # Directory in which Synapse will try to find the template files below. + # If not set, or the files named below are not found within the template + # directory, default templates from within the Synapse package will be used. + # + # Synapse will look for the following templates in this directory: + # + # * HTML page for a confirmation step before redirecting back to the client + # with the login token: 'sso_redirect_confirm.html'. + # + # When rendering, this template is given three variables: + # * redirect_url: the URL the user is about to be redirected to. Needs + # manual escaping (see + # https://jinja.palletsprojects.com/en/2.11.x/templates/#html-escaping). + # + # * display_url: the same as `redirect_url`, but with the query + # parameters stripped. The intention is to have a + # human-readable URL to show to users, not to use it as + # the final address to redirect to. Needs manual escaping + # (see https://jinja.palletsprojects.com/en/2.11.x/templates/#html-escaping). + # + # * server_name: the homeserver's name. + # + # * HTML page which notifies the user that they are authenticating to confirm + # an operation on their account during the user interactive authentication + # process: 'sso_auth_confirm.html'. + # + # When rendering, this template is given the following variables: + # * redirect_url: the URL the user is about to be redirected to. Needs + # manual escaping (see + # https://jinja.palletsprojects.com/en/2.11.x/templates/#html-escaping). + # + # * description: the operation which the user is being asked to confirm + # + # * HTML page shown after a successful user interactive authentication session: + # 'sso_auth_success.html'. + # + # Note that this page must include the JavaScript which notifies of a successful authentication + # (see https://matrix.org/docs/spec/client_server/r0.6.0#fallback). + # + # This template has no additional variables. + # + # * HTML page shown during single sign-on if a deactivated user (according to Synapse's database) + # attempts to login: 'sso_account_deactivated.html'. + # + # This template has no additional variables. + # + # * HTML page to display to users if something goes wrong during the + # OpenID Connect authentication process: 'sso_error.html'. + # + # When rendering, this template is given two variables: + # * error: the technical name of the error + # * error_description: a human-readable message for the error + # + # You can see the default templates at: + # https://github.com/matrix-org/synapse/tree/master/synapse/res/templates + # + #template_dir: "res/templates" + + +# JSON web token integration. The following settings can be used to make +# Synapse JSON web tokens for authentication, instead of its internal +# password database. +# +# Each JSON Web Token needs to contain a "sub" (subject) claim, which is +# used as the localpart of the mxid. +# +# Additionally, the expiration time ("exp"), not before time ("nbf"), +# and issued at ("iat") claims are validated if present. +# +# Note that this is a non-standard login type and client support is +# expected to be non-existent. +# +# See https://github.com/matrix-org/synapse/blob/master/docs/jwt.md. +# +#jwt_config: + # Uncomment the following to enable authorization using JSON web + # tokens. Defaults to false. + # + #enabled: true + + # This is either the private shared secret or the public key used to + # decode the contents of the JSON web token. + # + # Required if 'enabled' is true. + # + #secret: "provided-by-your-issuer" + + # The algorithm used to sign the JSON web token. + # + # Supported algorithms are listed at + # https://pyjwt.readthedocs.io/en/latest/algorithms.html + # + # Required if 'enabled' is true. + # + #algorithm: "provided-by-your-issuer" + + # The issuer to validate the "iss" claim against. + # + # Optional, if provided the "iss" claim will be required and + # validated for all JSON web tokens. + # + #issuer: "provided-by-your-issuer" + + # A list of audiences to validate the "aud" claim against. + # + # Optional, if provided the "aud" claim will be required and + # validated for all JSON web tokens. + # + # Note that if the "aud" claim is included in a JSON web token then + # validation will fail without configuring audiences. + # + #audiences: + # - "provided-by-your-issuer" + + +password_config: + # Uncomment to disable password login + # + #enabled: false + + # Uncomment to disable authentication against the local password + # database. This is ignored if `enabled` is false, and is only useful + # if you have other password_providers. + # + localdb_enabled: {{ matrix_synapse_password_config_localdb_enabled|to_json }} + + # Uncomment and change to a secret random string for extra security. + # DO NOT CHANGE THIS AFTER INITIAL SETUP! + # + pepper: {{ matrix_synapse_password_config_pepper|string|to_json }} + + # Define and enforce a password policy. Each parameter is optional. + # This is an implementation of MSC2000. + # + policy: + # Whether to enforce the password policy. + # Defaults to 'false'. + # + #enabled: true + + # Minimum accepted length for a password. + # Defaults to 0. + # + #minimum_length: 15 + + # Whether a password must contain at least one digit. + # Defaults to 'false'. + # + #require_digit: true + + # Whether a password must contain at least one symbol. + # A symbol is any character that's not a number or a letter. + # Defaults to 'false'. + # + #require_symbol: true + + # Whether a password must contain at least one lowercase letter. + # Defaults to 'false'. + # + #require_lowercase: true + + # Whether a password must contain at least one lowercase letter. + # Defaults to 'false'. + # + #require_uppercase: true + +ui_auth: + # The number of milliseconds to allow a user-interactive authentication + # session to be active. + # + # This defaults to 0, meaning the user is queried for their credentials + # before every action, but this can be overridden to alow a single + # validation to be re-used. This weakens the protections afforded by + # the user-interactive authentication process, by allowing for multiple + # (and potentially different) operations to use the same validation session. + # + # Uncomment below to allow for credential validation to last for 15 + # seconds. + # + #session_timeout: 15000 + + +{% if matrix_synapse_email_enabled %} +# Configuration for sending emails from Synapse. +# +email: + # The hostname of the outgoing SMTP server to use. Defaults to 'localhost'. + # + #smtp_host: mail.server + smtp_host: {{ matrix_synapse_email_smtp_host|string|to_json }} + + # The port on the mail server for outgoing SMTP. Defaults to 25. + # + #smtp_port: 587 + smtp_port: {{ matrix_synapse_email_smtp_port|to_json }} + + # Username/password for authentication to the SMTP server. By default, no + # authentication is attempted. + # + #smtp_user: "exampleusername" + #smtp_pass: "examplepassword" + + # Uncomment the following to require TLS transport security for SMTP. + # By default, Synapse will connect over plain text, and will then switch to + # TLS via STARTTLS *if the SMTP server supports it*. If this option is set, + # Synapse will refuse to connect unless the server supports STARTTLS. + # + #require_transport_security: true + require_transport_security: {{ matrix_synapse_email_smtp_require_transport_security|to_json }} + + # Enable sending emails for messages that the user has missed + # + #enable_notifs: false + enable_notifs: true + + # notif_from defines the "From" address to use when sending emails. + # It must be set if email sending is enabled. + # + # The placeholder '%(app)s' will be replaced by the application name, + # which is normally 'app_name' (below), but may be overridden by the + # Matrix client application. + # + # Note that the placeholder must be written '%(app)s', including the + # trailing 's'. + # + #notif_from: "Your Friendly %(app)s homeserver " + notif_from: {{ matrix_synapse_email_notif_from|string|to_json }} + + # app_name defines the default value for '%(app)s' in notif_from and email + # subjects. It defaults to 'Matrix'. + # + #app_name: my_branded_matrix_server + app_name: Matrix + + # Uncomment the following to disable automatic subscription to email + # notifications for new users. Enabled by default. + # + #notif_for_new_users: false + notif_for_new_users: True + + # Custom URL for client links within the email notifications. By default + # links will be based on "https://matrix.to". + # + # (This setting used to be called riot_base_url; the old name is still + # supported for backwards-compatibility but is now deprecated.) + # + #client_base_url: "http://localhost/riot" + client_base_url: {{ matrix_synapse_email_client_base_url|string|to_json }} + + # Configure the time that a validation email will expire after sending. + # Defaults to 1h. + # + #validation_token_lifetime: 15m + + # Directory in which Synapse will try to find the template files below. + # If not set, or the files named below are not found within the template + # directory, default templates from within the Synapse package will be used. + # + # Synapse will look for the following templates in this directory: + # + # * The contents of email notifications of missed events: 'notif_mail.html' and + # 'notif_mail.txt'. + # + # * The contents of account expiry notice emails: 'notice_expiry.html' and + # 'notice_expiry.txt'. + # + # * The contents of password reset emails sent by the homeserver: + # 'password_reset.html' and 'password_reset.txt' + # + # * An HTML page that a user will see when they follow the link in the password + # reset email. The user will be asked to confirm the action before their + # password is reset: 'password_reset_confirmation.html' + # + # * HTML pages for success and failure that a user will see when they confirm + # the password reset flow using the page above: 'password_reset_success.html' + # and 'password_reset_failure.html' + # + # * The contents of address verification emails sent during registration: + # 'registration.html' and 'registration.txt' + # + # * HTML pages for success and failure that a user will see when they follow + # the link in an address verification email sent during registration: + # 'registration_success.html' and 'registration_failure.html' + # + # * The contents of address verification emails sent when an address is added + # to a Matrix account: 'add_threepid.html' and 'add_threepid.txt' + # + # * HTML pages for success and failure that a user will see when they follow + # the link in an address verification email sent when an address is added + # to a Matrix account: 'add_threepid_success.html' and + # 'add_threepid_failure.html' + # + # You can see the default templates at: + # https://github.com/matrix-org/synapse/tree/master/synapse/res/templates + # + #template_dir: "res/templates" + + # Subjects to use when sending emails from Synapse. + # + # The placeholder '%(app)s' will be replaced with the value of the 'app_name' + # setting above, or by a value dictated by the Matrix client application. + # + # If a subject isn't overridden in this configuration file, the value used as + # its example will be used. + # + #subjects: + + # Subjects for notification emails. + # + # On top of the '%(app)s' placeholder, these can use the following + # placeholders: + # + # * '%(person)s', which will be replaced by the display name of the user(s) + # that sent the message(s), e.g. "Alice and Bob". + # * '%(room)s', which will be replaced by the name of the room the + # message(s) have been sent to, e.g. "My super room". + # + # See the example provided for each setting to see which placeholder can be + # used and how to use them. + # + # Subject to use to notify about one message from one or more user(s) in a + # room which has a name. + #message_from_person_in_room: "[%(app)s] You have a message on %(app)s from %(person)s in the %(room)s room..." + # + # Subject to use to notify about one message from one or more user(s) in a + # room which doesn't have a name. + #message_from_person: "[%(app)s] You have a message on %(app)s from %(person)s..." + # + # Subject to use to notify about multiple messages from one or more users in + # a room which doesn't have a name. + #messages_from_person: "[%(app)s] You have messages on %(app)s from %(person)s..." + # + # Subject to use to notify about multiple messages in a room which has a + # name. + #messages_in_room: "[%(app)s] You have messages on %(app)s in the %(room)s room..." + # + # Subject to use to notify about multiple messages in multiple rooms. + #messages_in_room_and_others: "[%(app)s] You have messages on %(app)s in the %(room)s room and others..." + # + # Subject to use to notify about multiple messages from multiple persons in + # multiple rooms. This is similar to the setting above except it's used when + # the room in which the notification was triggered has no name. + #messages_from_person_and_others: "[%(app)s] You have messages on %(app)s from %(person)s and others..." + # + # Subject to use to notify about an invite to a room which has a name. + #invite_from_person_to_room: "[%(app)s] %(person)s has invited you to join the %(room)s room on %(app)s..." + # + # Subject to use to notify about an invite to a room which doesn't have a + # name. + #invite_from_person: "[%(app)s] %(person)s has invited you to chat on %(app)s..." + + # Subject for emails related to account administration. + # + # On top of the '%(app)s' placeholder, these one can use the + # '%(server_name)s' placeholder, which will be replaced by the value of the + # 'server_name' setting in your Synapse configuration. + # + # Subject to use when sending a password reset email. + #password_reset: "[%(server_name)s] Password reset" + # + # Subject to use when sending a verification email to assert an address's + # ownership. + #email_validation: "[%(server_name)s] Validate your email" +{% endif %} + +# Password providers allow homeserver administrators to integrate +# their Synapse installation with existing authentication methods +# ex. LDAP, external tokens, etc. +# +# For more information and known implementations, please see +# https://github.com/matrix-org/synapse/blob/master/docs/password_auth_providers.md +# +# Note: instances wishing to use SAML or CAS authentication should +# instead use the `saml2_config` or `cas_config` options, +# respectively. +# +# password_providers: +# # Example config for an LDAP auth provider +# - module: "ldap_auth_provider.LdapAuthProvider" +# config: +# enabled: true +# uri: "ldap://ldap.example.com:389" +# start_tls: true +# base: "ou=users,dc=example,dc=com" +# attributes: +# uid: "cn" +# mail: "email" +# name: "givenName" +# #bind_dn: +# #bind_password: +# #filter: "(objectClass=posixAccount)" +{% if matrix_synapse_password_providers_enabled %} +password_providers: +{% if matrix_synapse_ext_password_provider_shared_secret_auth_enabled %} + - module: "shared_secret_authenticator.SharedSecretAuthenticator" + config: + sharedSecret: {{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret|string|to_json }} +{% endif %} +{% if matrix_synapse_ext_password_provider_rest_auth_enabled %} + - module: "rest_auth_provider.RestAuthProvider" + config: + endpoint: {{ matrix_synapse_ext_password_provider_rest_auth_endpoint|string|to_json }} + policy: + registration: + username: + enforceLowercase: {{ matrix_synapse_ext_password_provider_rest_auth_registration_enforce_lowercase }} + profile: + name: {{ matrix_synapse_ext_password_provider_rest_auth_registration_profile_name_autofill }} + login: + profile: + name: {{ matrix_synapse_ext_password_provider_rest_auth_login_profile_name_autofill }} +{% endif %} +{% if matrix_synapse_ext_password_provider_ldap_enabled %} + - module: "ldap_auth_provider.LdapAuthProvider" + config: + enabled: true + uri: {{ matrix_synapse_ext_password_provider_ldap_uri|string|to_json }} + start_tls: {{ matrix_synapse_ext_password_provider_ldap_start_tls|to_json }} + base: {{ matrix_synapse_ext_password_provider_ldap_base|string|to_json }} + attributes: + uid: {{ matrix_synapse_ext_password_provider_ldap_attributes_uid|string|to_json }} + mail: {{ matrix_synapse_ext_password_provider_ldap_attributes_mail|string|to_json }} + name: {{ matrix_synapse_ext_password_provider_ldap_attributes_name|string|to_json }} + bind_dn: {{ matrix_synapse_ext_password_provider_ldap_bind_dn|string|to_json }} + bind_password: {{ matrix_synapse_ext_password_provider_ldap_bind_password|string|to_json }} + filter: {{ matrix_synapse_ext_password_provider_ldap_filter|string|to_json }} +{% endif %} +{% endif %} + + +## Push ## + +push: + # Clients requesting push notifications can either have the body of + # the message sent in the notification poke along with other details + # like the sender, or just the event ID and room ID (`event_id_only`). + # If clients choose the former, this option controls whether the + # notification request includes the content of the event (other details + # like the sender are still included). For `event_id_only` push, it + # has no effect. + # + # For modern android devices the notification content will still appear + # because it is loaded by the app. iPhone, however will send a + # notification saying only that a message arrived and who it came from. + # + # The default value is "true" to include message details. Uncomment to only + # include the event ID and room ID in push notification payloads. + # + include_content: {{ matrix_synapse_push_include_content|to_json }} + + # When a push notification is received, an unread count is also sent. + # This number can either be calculated as the number of unread messages + # for the user, or the number of *rooms* the user has unread messages in. + # + # The default value is "true", meaning push clients will see the number of + # rooms with unread messages in them. Uncomment to instead send the number + # of unread messages. + # + #group_unread_count_by_room: false + + +# Spam checkers are third-party modules that can block specific actions +# of local users, such as creating rooms and registering undesirable +# usernames, as well as remote users by redacting incoming events. +# +# spam_checker: + #- module: "my_custom_project.SuperSpamChecker" + # config: + # example_option: 'things' + #- module: "some_other_project.BadEventStopper" + # config: + # example_stop_events_from: ['@bad:example.com'] +spam_checker: {{ matrix_synapse_spam_checker|to_json }} + + +## Rooms ## + +# Controls whether locally-created rooms should be end-to-end encrypted by +# default. +# +# Possible options are "all", "invite", and "off". They are defined as: +# +# * "all": any locally-created room +# * "invite": any room created with the "private_chat" or "trusted_private_chat" +# room creation presets +# * "off": this option will take no effect +# +# The default value is "off". +# +# Note that this option will only affect rooms created after it is set. It +# will also not affect rooms created by other servers. +# +#encryption_enabled_by_default_for_room_type: invite + + +# Uncomment to allow non-server-admin users to create groups on this server +# +enable_group_creation: {{ matrix_synapse_enable_group_creation|to_json }} + +# If enabled, non server admins can only create groups with local parts +# starting with this prefix +# +#group_creation_prefix: "unofficial_" + + + +# User Directory configuration +# +# 'enabled' defines whether users can search the user directory. If +# false then empty responses are returned to all queries. Defaults to +# true. +# +# 'search_all_users' defines whether to search all users visible to your HS +# when searching the user directory, rather than limiting to users visible +# in public rooms. Defaults to false. If you set it True, you'll have to +# rebuild the user_directory search indexes, see +# https://github.com/matrix-org/synapse/blob/master/docs/user_directory.md +# +#user_directory: +# enabled: true +# search_all_users: false + + +# User Consent configuration +# +# for detailed instructions, see +# https://github.com/matrix-org/synapse/blob/master/docs/consent_tracking.md +# +# Parts of this section are required if enabling the 'consent' resource under +# 'listeners', in particular 'template_dir' and 'version'. +# +# 'template_dir' gives the location of the templates for the HTML forms. +# This directory should contain one subdirectory per language (eg, 'en', 'fr'), +# and each language directory should contain the policy document (named as +# '.html') and a success page (success.html). +# +# 'version' specifies the 'current' version of the policy document. It defines +# the version to be served by the consent resource if there is no 'v' +# parameter. +# +# 'server_notice_content', if enabled, will send a user a "Server Notice" +# asking them to consent to the privacy policy. The 'server_notices' section +# must also be configured for this to work. Notices will *not* be sent to +# guest users unless 'send_server_notice_to_guests' is set to true. +# +# 'block_events_error', if set, will block any attempts to send events +# until the user consents to the privacy policy. The value of the setting is +# used as the text of the error. +# +# 'require_at_registration', if enabled, will add a step to the registration +# process, similar to how captcha works. Users will be required to accept the +# policy before their account is created. +# +# 'policy_name' is the display name of the policy users will see when registering +# for an account. Has no effect unless `require_at_registration` is enabled. +# Defaults to "Privacy Policy". +# +#user_consent: +# template_dir: res/templates/privacy +# version: 1.0 +# server_notice_content: +# msgtype: m.text +# body: >- +# To continue using this homeserver you must review and agree to the +# terms and conditions at %(consent_uri)s +# send_server_notice_to_guests: True +# block_events_error: >- +# To continue using this homeserver you must review and agree to the +# terms and conditions at %(consent_uri)s +# require_at_registration: False +# policy_name: Privacy Policy +# + + + +# Local statistics collection. Used in populating the room directory. +# +# 'bucket_size' controls how large each statistics timeslice is. It can +# be defined in a human readable short form -- e.g. "1d", "1y". +# +# 'retention' controls how long historical statistics will be kept for. +# It can be defined in a human readable short form -- e.g. "1d", "1y". +# +# +#stats: +# enabled: true +# bucket_size: 1d +# retention: 1y + + +# Server Notices room configuration +# +# Uncomment this section to enable a room which can be used to send notices +# from the server to users. It is a special room which cannot be left; notices +# come from a special "notices" user id. +# +# If you uncomment this section, you *must* define the system_mxid_localpart +# setting, which defines the id of the user which will be used to send the +# notices. +# +# It's also possible to override the room name, the display name of the +# "notices" user, and the avatar for the user. +# +#server_notices: +# system_mxid_localpart: notices +# system_mxid_display_name: "Server Notices" +# system_mxid_avatar_url: "mxc://server.com/oumMVlgDnLYFaPVkExemNVVZ" +# room_name: "Server Notices" + + + +# Uncomment to disable searching the public room list. When disabled +# blocks searching local and remote room lists for local and remote +# users by always returning an empty list for all queries. +# +#enable_room_list_search: false + +enable_room_list_search: {{ matrix_synapse_enable_room_list_search|to_json }} + +# The `alias_creation` option controls who's allowed to create aliases +# on this server. +# +# The format of this option is a list of rules that contain globs that +# match against user_id, room_id and the new alias (fully qualified with +# server name). The action in the first rule that matches is taken, +# which can currently either be "allow" or "deny". +# +# Missing user_id/room_id/alias fields default to "*". +# +# If no rules match the request is denied. An empty list means no one +# can create aliases. +# +# Options for the rules include: +# +# user_id: Matches against the creator of the alias +# alias: Matches against the alias being created +# room_id: Matches against the room ID the alias is being pointed at +# action: Whether to "allow" or "deny" the request if the rule matches +# +# The default is: +# +#alias_creation_rules: +# - user_id: "*" +# alias: "*" +# room_id: "*" +# action: allow + +alias_creation_rules: {{ matrix_synapse_alias_creation_rules|to_json }} + +# The `room_list_publication_rules` option controls who can publish and +# which rooms can be published in the public room list. +# +# The format of this option is the same as that for +# `alias_creation_rules`. +# +# If the room has one or more aliases associated with it, only one of +# the aliases needs to match the alias rule. If there are no aliases +# then only rules with `alias: *` match. +# +# If no rules match the request is denied. An empty list means no one +# can publish rooms. +# +# Options for the rules include: +# +# user_id: Matches against the creator of the alias +# room_id: Matches against the room ID being published +# alias: Matches against any current local or canonical aliases +# associated with the room +# action: Whether to "allow" or "deny" the request if the rule matches +# +# The default is: +# +#room_list_publication_rules: +# - user_id: "*" +# alias: "*" +# room_id: "*" +# action: allow + +room_list_publication_rules: {{ matrix_synapse_room_list_publication_rules|to_json }} + + +# Server admins can define a Python module that implements extra rules for +# allowing or denying incoming events. In order to work, this module needs to +# override the methods defined in synapse/events/third_party_rules.py. +# +# This feature is designed to be used in closed federations only, where each +# participating server enforces the same rules. +# +#third_party_event_rules: +# module: "my_custom_project.SuperRulesSet" +# config: +# example_option: 'things' + + +## Opentracing ## + +# These settings enable opentracing, which implements distributed tracing. +# This allows you to observe the causal chains of events across servers +# including requests, key lookups etc., across any server running +# synapse or any other other services which supports opentracing +# (specifically those implemented with Jaeger). +# +opentracing: + # tracing is disabled by default. Uncomment the following line to enable it. + # + #enabled: true + + # The list of homeservers we wish to send and receive span contexts and span baggage. + # See docs/opentracing.rst + # This is a list of regexes which are matched against the server_name of the + # homeserver. + # + # By default, it is empty, so no servers are matched. + # + #homeserver_whitelist: + # - ".*" + + # Jaeger can be configured to sample traces at different rates. + # All configuration options provided by Jaeger can be set here. + # Jaeger's configuration mostly related to trace sampling which + # is documented here: + # https://www.jaegertracing.io/docs/1.13/sampling/. + # + #jaeger_config: + # sampler: + # type: const + # param: 1 + + # Logging whether spans were started and reported + # + # logging: + # false + + +## Workers ## + +# Disables sending of outbound federation transactions on the main process. +# Uncomment if using a federation sender worker. +# +#send_federation: false + +# It is possible to run multiple federation sender workers, in which case the +# work is balanced across them. +# +# This configuration must be shared between all federation sender workers, and if +# changed all federation sender workers must be stopped at the same time and then +# started, to ensure that all instances are running with the same config (otherwise +# events may be dropped). +# +#federation_sender_instances: +# - federation_sender1 + +# When using workers this should be a map from `worker_name` to the +# HTTP replication listener of the worker, if configured. +# +#instance_map: +# worker1: +# host: localhost +# port: 8034 + +# Experimental: When using workers you can define which workers should +# handle event persistence and typing notifications. Any worker +# specified here must also be in the `instance_map`. +# +#stream_writers: +# events: worker1 +# typing: worker1 + +# The worker that is used to run background tasks (e.g. cleaning up expired +# data). If not provided this defaults to the main process. +# +#run_background_tasks_on: worker1 + +# A shared secret used by the replication APIs to authenticate HTTP requests +# from workers. +# +# By default this is unused and traffic is not authenticated. +# +#worker_replication_secret: "" + + +# Configuration for Redis when using workers. This *must* be enabled when +# using workers (unless using old style direct TCP configuration). +# +redis: + # Uncomment the below to enable Redis support. + # + #enabled: true + + # Optional host and port to use to connect to redis. Defaults to + # localhost and 6379 + # + #host: localhost + #port: 6379 + + # Optional password if configured on the Redis instance + # + #password: + +# vim:ft=yaml diff --git a/roles/matrix-dendrite/templates/dendrite/systemd/matrix-dendrite.service.j2 b/roles/matrix-dendrite/templates/dendrite/systemd/matrix-dendrite.service.j2 new file mode 100644 index 00000000..66a7c1f8 --- /dev/null +++ b/roles/matrix-dendrite/templates/dendrite/systemd/matrix-dendrite.service.j2 @@ -0,0 +1,58 @@ +#jinja2: lstrip_blocks: "True" +[Unit] +Description=Dendrite server +{% for service in matrix_dendrite_systemd_required_services_list %} +Requires={{ service }} +After={{ service }} +{% endfor %} +{% for service in matrix_dendrite_systemd_wanted_services_list %} +Wants={{ service }} +{% endfor %} +DefaultDependencies=no + +[Service] +Type=simple +Environment="HOME={{ matrix_systemd_unit_home_path }}" +ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-dendrite +ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-dendrite +{% if matrix_s3_media_store_enabled %} +# Allow for some time before starting, so that media store can mount. +# Mounting can happen later too, but if we start writing, +# we'd write files to the local filesystem and fusermount will complain. +ExecStartPre={{ matrix_host_command_sleep }} 3 +{% endif %} + +ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-dendrite \ + --log-driver=none \ + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + --cap-drop=ALL \ + --read-only \ + --tmpfs=/tmp:rw,noexec,nosuid,size={{ matrix_dendrite_tmp_directory_size_mb }}m \ + --network={{ matrix_docker_network }} \ + {% if matrix_dendrite_container_client_api_host_bind_port %} + -p {{ matrix_dendrite_container_client_api_host_bind_port }}:8008 \ + {% endif %} + {% if matrix_dendrite_container_federation_api_tls_host_bind_port %} + -p {{ matrix_dendrite_container_federation_api_tls_host_bind_port }}:8448 \ + {% endif %} + --mount type=bind,src={{ matrix_dendrite_config_dir_path }},dst=/data,ro \ + --mount type=bind,src={{ matrix_dendrite_storage_path }},dst=/matrix-media-store-parent,bind-propagation=slave \ + --mount type=bind,src={{ matrix_dendrite_log_path }},dst=/var/log/dendrite,bind-propagation=slave \ + {% for volume in matrix_dendrite_container_additional_volumes %} + -v {{ volume.src }}:{{ volume.dst }}:{{ volume.options }} \ + {% endfor %} + {% for arg in matrix_dendrite_container_extra_arguments %} + {{ arg }} \ + {% endfor %} + {{ matrix_dendrite_docker_image }} \ + --config /data/dendrite.yaml + +ExecStop=-{{ matrix_host_command_docker }} kill matrix-dendrite +ExecStop=-{{ matrix_host_command_docker }} rm matrix-dendrite +ExecReload={{ matrix_host_command_docker }} exec matrix-dendrite kill -HUP 1 +Restart=always +RestartSec=30 +SyslogIdentifier=matrix-dendrite + +[Install] +WantedBy=multi-user.target diff --git a/roles/matrix-dendrite/templates/dendrite/usr-local-bin/matrix-dendrite-create-account.j2 b/roles/matrix-dendrite/templates/dendrite/usr-local-bin/matrix-dendrite-create-account.j2 new file mode 100644 index 00000000..ebacb681 --- /dev/null +++ b/roles/matrix-dendrite/templates/dendrite/usr-local-bin/matrix-dendrite-create-account.j2 @@ -0,0 +1,12 @@ +#jinja2: lstrip_blocks: "True" +#!/bin/bash + +if [ $# -ne 2 ]; then + echo "Usage: "$0" " + exit 1 +fi + +user=$1 +password=$2 + +docker exec matrix-dendrite create-account --config /data/dendrite.yaml --user "$user" --password "$password" diff --git a/roles/matrix-dendrite/templates/goofys/env-goofys.j2 b/roles/matrix-dendrite/templates/goofys/env-goofys.j2 new file mode 100644 index 00000000..2955efdd --- /dev/null +++ b/roles/matrix-dendrite/templates/goofys/env-goofys.j2 @@ -0,0 +1,3 @@ +#jinja2: lstrip_blocks: "True" +AWS_ACCESS_KEY={{ matrix_s3_media_store_aws_access_key }} +AWS_SECRET_KEY={{ matrix_s3_media_store_aws_secret_key }} diff --git a/roles/matrix-dendrite/templates/goofys/systemd/matrix-goofys.service.j2 b/roles/matrix-dendrite/templates/goofys/systemd/matrix-goofys.service.j2 new file mode 100644 index 00000000..44ec3d4a --- /dev/null +++ b/roles/matrix-dendrite/templates/goofys/systemd/matrix-goofys.service.j2 @@ -0,0 +1,39 @@ +#jinja2: lstrip_blocks: "True" +[Unit] +Description=Matrix Goofys media store +After=docker.service +Requires=docker.service +DefaultDependencies=no + +[Service] +Type=simple +Environment="HOME={{ matrix_systemd_unit_home_path }}" +ExecStartPre=-{{ matrix_host_command_docker }} kill %n +ExecStartPre=-{{ matrix_host_command_docker }} rm %n + +ExecStart={{ matrix_host_command_docker }} run --rm --name %n \ + --log-driver=none \ + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + --mount type=bind,src=/etc/passwd,dst=/etc/passwd,ro \ + --mount type=bind,src=/etc/group,dst=/etc/group,ro \ + --mount type=bind,src={{ matrix_dendrite_media_store_path }},dst=/s3,bind-propagation=shared \ + --security-opt apparmor:unconfined \ + --cap-add mknod \ + --cap-add sys_admin \ + --device=/dev/fuse \ + --env-file={{ matrix_dendrite_config_dir_path }}/env-goofys \ + --entrypoint /bin/sh \ + {{ matrix_s3_goofys_docker_image }} \ + -c 'goofys -f{% if not matrix_s3_media_store_custom_endpoint_enabled %} --storage-class=STANDARD_IA{% endif %}{% if matrix_s3_media_store_custom_endpoint_enabled %} --endpoint={{ matrix_s3_media_store_custom_endpoint }}{% endif %} --region {{ matrix_s3_media_store_region }} --stat-cache-ttl 60m0s --type-cache-ttl 60m0s --dir-mode 0700 --file-mode 0700 {{ matrix_s3_media_store_bucket_name }} /s3' + +TimeoutStartSec=5min +ExecStop=-{{ matrix_host_command_docker }} stop %n +ExecStop=-{{ matrix_host_command_docker }} kill %n +ExecStop=-{{ matrix_host_command_docker }} rm %n +ExecStop=-{{ matrix_host_command_fusermount }} -u {{ matrix_dendrite_media_store_path }} +Restart=always +RestartSec=5 +SyslogIdentifier=matrix-goofys + +[Install] +WantedBy=multi-user.target diff --git a/roles/matrix-dendrite/vars/main.yml b/roles/matrix-dendrite/vars/main.yml new file mode 100644 index 00000000..60d5f4eb --- /dev/null +++ b/roles/matrix-dendrite/vars/main.yml @@ -0,0 +1,11 @@ +--- +matrix_dendrite_client_api_url_endpoint_public: "https://{{ matrix_server_fqn_matrix }}/_matrix/client/versions" +matrix_dendrite_federation_api_url_endpoint_public: "https://{{ matrix_server_fqn_matrix }}:{{ matrix_federation_public_port }}/_matrix/federation/v1/version" + +# Tells whether this role had executed or not. Toggled to `true` during runtime. +matrix_dendrite_role_executed: false + +matrix_dendrite_media_store_parent_path: "{{ matrix_dendrite_media_store_path|dirname }}" +matrix_dendrite_media_store_directory_name: "{{ matrix_dendrite_media_store_path|basename }}" + +matrix_dendrite_signing_key_file_name: "{{ matrix_dendrite_signing_key|basename }}" diff --git a/setup.yml b/setup.yml index 54e6c408..aa1ea68b 100755 --- a/setup.yml +++ b/setup.yml @@ -41,6 +41,7 @@ - matrix-bot-go-neb - matrix-bot-mjolnir - matrix-synapse + - matrix-dendrite - matrix-synapse-admin - matrix-prometheus-node-exporter - matrix-prometheus From fc62537fcfd119c1bee509dc54775f5a3e8e1feb Mon Sep 17 00:00:00 2001 From: Aaron Raimist Date: Sun, 31 Jan 2021 01:25:50 -0600 Subject: [PATCH 21/71] Remove Synapse and Goofys stuff --- roles/matrix-dendrite/defaults/main.yml | 10 - roles/matrix-dendrite/tasks/goofys/setup.yml | 7 - .../tasks/goofys/setup_install.yml | 41 - .../tasks/goofys/setup_uninstall.yml | 33 - .../tasks/import_media_store.yml | 81 - roles/matrix-dendrite/tasks/main.yml | 5 - .../matrix-dendrite/tasks/setup_dendrite.yml | 2 - .../templates/dendrite/homeserver.yaml.j2 | 2682 ----------------- .../templates/goofys/env-goofys.j2 | 3 - .../goofys/systemd/matrix-goofys.service.j2 | 39 - 10 files changed, 2903 deletions(-) delete mode 100644 roles/matrix-dendrite/tasks/goofys/setup.yml delete mode 100644 roles/matrix-dendrite/tasks/goofys/setup_install.yml delete mode 100644 roles/matrix-dendrite/tasks/goofys/setup_uninstall.yml delete mode 100644 roles/matrix-dendrite/tasks/import_media_store.yml delete mode 100644 roles/matrix-dendrite/templates/dendrite/homeserver.yaml.j2 delete mode 100644 roles/matrix-dendrite/templates/goofys/env-goofys.j2 delete mode 100644 roles/matrix-dendrite/templates/goofys/systemd/matrix-goofys.service.j2 diff --git a/roles/matrix-dendrite/defaults/main.yml b/roles/matrix-dendrite/defaults/main.yml index 78bc9bb8..d231553e 100644 --- a/roles/matrix-dendrite/defaults/main.yml +++ b/roles/matrix-dendrite/defaults/main.yml @@ -110,16 +110,6 @@ matrix_dendrite_turn_uris: [] matrix_dendrite_turn_shared_secret: "" matrix_dendrite_turn_allow_guests: False -matrix_s3_media_store_enabled: false -matrix_s3_media_store_custom_endpoint_enabled: false -matrix_s3_goofys_docker_image: "ewoutp/goofys:latest" -matrix_s3_goofys_docker_image_force_pull: "{{ matrix_s3_goofys_docker_image.endswith(':latest') }}" -matrix_s3_media_store_custom_endpoint: "your-custom-endpoint" -matrix_s3_media_store_bucket_name: "your-bucket-name" -matrix_s3_media_store_aws_access_key: "your-aws-access-key" -matrix_s3_media_store_aws_secret_key: "your-aws-secret-key" -matrix_s3_media_store_region: "eu-central-1" - # Controls whether the self-check feature should validate TLS certificates. matrix_dendrite_disable_tls_validation: false diff --git a/roles/matrix-dendrite/tasks/goofys/setup.yml b/roles/matrix-dendrite/tasks/goofys/setup.yml deleted file mode 100644 index 6370408d..00000000 --- a/roles/matrix-dendrite/tasks/goofys/setup.yml +++ /dev/null @@ -1,7 +0,0 @@ ---- - -- import_tasks: "{{ role_path }}/tasks/goofys/setup_install.yml" - when: matrix_s3_media_store_enabled|bool - -- import_tasks: "{{ role_path }}/tasks/goofys/setup_uninstall.yml" - when: "not matrix_s3_media_store_enabled|bool" diff --git a/roles/matrix-dendrite/tasks/goofys/setup_install.yml b/roles/matrix-dendrite/tasks/goofys/setup_install.yml deleted file mode 100644 index 4917440b..00000000 --- a/roles/matrix-dendrite/tasks/goofys/setup_install.yml +++ /dev/null @@ -1,41 +0,0 @@ -- name: Ensure Goofys Docker image is pulled - docker_image: - name: "{{ matrix_s3_goofys_docker_image }}" - source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" - force_source: "{{ matrix_s3_goofys_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" - force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_s3_goofys_docker_image_force_pull }}" - -# This will throw a Permission Denied error if already mounted -- name: Check Matrix Goofys external storage mountpoint path - stat: - path: "{{ matrix_dendrite_media_store_path }}" - register: local_path_matrix_dendrite_media_store_path_stat - ignore_errors: yes - -- name: Ensure Matrix Goofys external storage mountpoint exists - file: - path: "{{ matrix_dendrite_media_store_path if matrix_dendrite_enabled else matrix_dendrite_media_store_path }}" - state: directory - mode: 0750 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - when: "not local_path_matrix_dendrite_media_store_path_stat.failed and not local_path_matrix_dendrite_media_store_path_stat.stat.exists" - -- name: Ensure goofys environment variables file created - template: - src: "{{ role_path }}/templates/goofys/env-goofys.j2" - dest: "{{ matrix_dendrite_config_dir_path }}/env-goofys" - owner: root - mode: 0600 - -- name: Ensure matrix-goofys.service installed - template: - src: "{{ role_path }}/templates/goofys/systemd/matrix-goofys.service.j2" - dest: "{{ matrix_systemd_path }}/matrix-goofys.service" - mode: 0644 - register: matrix_goofys_systemd_service_result - -- name: Ensure systemd reloaded after matrix-goofys.service installation - service: - daemon_reload: yes - when: "matrix_goofys_systemd_service_result.changed" diff --git a/roles/matrix-dendrite/tasks/goofys/setup_uninstall.yml b/roles/matrix-dendrite/tasks/goofys/setup_uninstall.yml deleted file mode 100644 index b7f972ad..00000000 --- a/roles/matrix-dendrite/tasks/goofys/setup_uninstall.yml +++ /dev/null @@ -1,33 +0,0 @@ -- name: Check existence of matrix-goofys service - stat: - path: "{{ matrix_systemd_path }}/matrix-goofys.service" - register: matrix_goofys_service_stat - -- name: Ensure matrix-goofys is stopped - service: - name: matrix-goofys - state: stopped - daemon_reload: yes - register: stopping_result - when: "matrix_goofys_service_stat.stat.exists" - -- name: Ensure matrix-goofys.service doesn't exist - file: - path: "{{ matrix_systemd_path }}/matrix-goofys.service" - state: absent - when: "matrix_goofys_service_stat.stat.exists" - -- name: Ensure systemd reloaded after matrix-goofys.service removal - service: - daemon_reload: yes - when: "matrix_goofys_service_stat.stat.exists" - -- name: Ensure goofys environment variables file doesn't exist - file: - path: "{{ matrix_dendrite_config_dir_path }}/env-goofys" - state: absent - -- name: Ensure Goofys Docker image doesn't exist - docker_image: - name: "{{ matrix_s3_goofys_docker_image }}" - state: absent diff --git a/roles/matrix-dendrite/tasks/import_media_store.yml b/roles/matrix-dendrite/tasks/import_media_store.yml deleted file mode 100644 index 9eaa6c0c..00000000 --- a/roles/matrix-dendrite/tasks/import_media_store.yml +++ /dev/null @@ -1,81 +0,0 @@ ---- -# Pre-checks - -- name: Fail if playbook called incorrectly - fail: - msg: "The `server_path_media_store` variable needs to be provided to this playbook, via --extra-vars" - when: "server_path_media_store is not defined or server_path_media_store.startswith('<')" - -- name: Fail if media store is on Amazon S3 - fail: - msg: "Your media store is on Amazon S3. Due to technical limitations, restoring is not supported." - when: matrix_s3_media_store_enabled|bool - -- name: Check if the provided media store directory exists - stat: - path: "{{ server_path_media_store }}" - register: server_path_media_store_stat - -- name: Fail if provided media store directory doesn't exist on the server - fail: - msg: "{{ server_path_media_store }} cannot be found on the server" - when: "not server_path_media_store_stat.stat.exists or not server_path_media_store_stat.stat.isdir" - -- name: Check if media store contains local_content - stat: - path: "{{ server_path_media_store }}/local_content" - register: server_path_media_store_local_content_stat - -- name: Check if media store contains remote_content - stat: - path: "{{ server_path_media_store }}/remote_content" - register: server_path_media_store_remote_content_stat - -- name: Fail if media store directory doesn't look okay (lacking remote and local content) - fail: - msg: "{{ server_path_media_store }} contains neither local_content nor remote_content directories. It's most likely a mistake and is not a media store directory." - when: "not server_path_media_store_local_content_stat.stat.exists and not server_path_media_store_remote_content_stat.stat.exists" - -# Actual import work - -- name: Ensure matrix-dendrite is stopped - service: - name: matrix-dendrite - state: stopped - daemon_reload: yes - register: stopping_result - -# This can only work with local files, not if the media store is on Amazon S3, -# as it won't be accessible in such a case. -- name: Ensure provided media store directory is synchronized - synchronize: - src: "{{ server_path_media_store }}/" - dest: "{{ matrix_dendrite_media_store_path }}" - delete: yes - # It's wasteful to preserve owner/group now. We chown below anyway. - owner: no - group: no - times: yes - delegate_to: "{{ inventory_hostname }}" - -# This is for the generic case and fails in other cases (remote file systems), -# because in such cases the base path (matrix_dendrite_media_store_path) is a mount point. -- name: Ensure media store permissions are correct (generic case) - file: - path: "{{ matrix_dendrite_media_store_path }}" - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - recurse: yes - when: "not matrix_s3_media_store_enabled|bool" - -# We don't chown for Goofys, because due to the way it's mounted, -# all files become owned by whoever needs to own them. - -- name: Ensure Dendrite is started (if it previously was) - service: - name: "{{ item }}" - state: started - daemon_reload: yes - when: "stopping_result.changed" - with_items: - - matrix-dendrite diff --git a/roles/matrix-dendrite/tasks/main.yml b/roles/matrix-dendrite/tasks/main.yml index a5237442..6c25f190 100644 --- a/roles/matrix-dendrite/tasks/main.yml +++ b/roles/matrix-dendrite/tasks/main.yml @@ -14,11 +14,6 @@ - setup-all - setup-dendrite -- import_tasks: "{{ role_path }}/tasks/import_media_store.yml" - when: run_dendrite_import_media_store|bool - tags: - - import-dendrite-media-store - - import_tasks: "{{ role_path }}/tasks/register_user.yml" when: run_dendrite_register_user|bool tags: diff --git a/roles/matrix-dendrite/tasks/setup_dendrite.yml b/roles/matrix-dendrite/tasks/setup_dendrite.yml index 920ca184..9fa8f566 100644 --- a/roles/matrix-dendrite/tasks/setup_dendrite.yml +++ b/roles/matrix-dendrite/tasks/setup_dendrite.yml @@ -15,5 +15,3 @@ when: "(matrix_dendrite_enabled|bool or matrix_s3_media_store_enabled|bool) and item.when" - import_tasks: "{{ role_path }}/tasks/dendrite/setup.yml" - -- import_tasks: "{{ role_path }}/tasks/goofys/setup.yml" diff --git a/roles/matrix-dendrite/templates/dendrite/homeserver.yaml.j2 b/roles/matrix-dendrite/templates/dendrite/homeserver.yaml.j2 deleted file mode 100644 index fe28779c..00000000 --- a/roles/matrix-dendrite/templates/dendrite/homeserver.yaml.j2 +++ /dev/null @@ -1,2682 +0,0 @@ -#jinja2: lstrip_blocks: "True" -# Configuration file for Synapse. -# -# This is a YAML file: see [1] for a quick introduction. Note in particular -# that *indentation is important*: all the elements of a list or dictionary -# should have the same indentation. -# -# [1] https://docs.ansible.com/ansible/latest/reference_appendices/YAMLSyntax.html - -## Server ## - -# The public-facing domain of the server -# -# The server_name name will appear at the end of usernames and room addresses -# created on this server. For example if the server_name was example.com, -# usernames on this server would be in the format @user:example.com -# -# In most cases you should avoid using a matrix specific subdomain such as -# matrix.example.com or synapse.example.com as the server_name for the same -# reasons you wouldn't use user@email.example.com as your email address. -# See https://github.com/matrix-org/synapse/blob/master/docs/delegate.md -# for information on how to host Synapse on a subdomain while preserving -# a clean server_name. -# -# The server_name cannot be changed later so it is important to -# configure this correctly before you start Synapse. It should be all -# lowercase and may contain an explicit port. -# Examples: matrix.org, localhost:8080 -# -server_name: "{{ matrix_domain }}" - -# When running as a daemon, the file to store the pid in -# -pid_file: /homeserver.pid - -# The absolute URL to the web client which /_matrix/client will redirect -# to if 'webclient' is configured under the 'listeners' configuration. -# -# This option can be also set to the filesystem path to the web client -# which will be served at /_matrix/client/ if 'webclient' is configured -# under the 'listeners' configuration, however this is a security risk: -# https://github.com/matrix-org/synapse#security-note -# -#web_client_location: https://riot.example.com/ - -# The public-facing base URL that clients use to access this HS -# (not including _matrix/...). This is the same URL a user would -# enter into the 'custom HS URL' field on their client. If you -# use synapse with a reverse proxy, this should be the URL to reach -# synapse via the proxy. -# -public_baseurl: https://{{ matrix_server_fqn_matrix }}/ - -# Set the soft limit on the number of file descriptors synapse can use -# Zero is used to indicate synapse should set the soft limit to the -# hard limit. -# -#soft_file_limit: 0 - -# Set to false to disable presence tracking on this homeserver. -# -use_presence: {{ matrix_synapse_use_presence|to_json }} - -# Whether to require authentication to retrieve profile data (avatars, -# display names) of other users through the client API. Defaults to -# 'false'. Note that profile data is also available via the federation -# API, so this setting is of limited value if federation is enabled on -# the server. -# -#require_auth_for_profile_requests: true - -# Uncomment to require a user to share a room with another user in order -# to retrieve their profile information. Only checked on Client-Server -# requests. Profile requests from other servers should be checked by the -# requesting server. Defaults to 'false'. -# -#limit_profile_requests_to_users_who_share_rooms: true - -# If set to 'true', removes the need for authentication to access the server's -# public rooms directory through the client API, meaning that anyone can -# query the room directory. Defaults to 'false'. -# -allow_public_rooms_without_auth: {{ matrix_synapse_allow_public_rooms_without_auth|to_json }} - -# If set to 'true', allows any other homeserver to fetch the server's public -# rooms directory via federation. Defaults to 'false'. -# -allow_public_rooms_over_federation: {{ matrix_synapse_allow_public_rooms_over_federation|to_json }} - -# The default room version for newly created rooms. -# -# Known room versions are listed here: -# https://matrix.org/docs/spec/#complete-list-of-room-versions -# -# For example, for room version 1, default_room_version should be set -# to "1". -# -default_room_version: {{ matrix_synapse_default_room_version|to_json }} - -# The GC threshold parameters to pass to `gc.set_threshold`, if defined -# -#gc_thresholds: [700, 10, 10] - -# Set the limit on the returned events in the timeline in the get -# and sync operations. The default value is 100. -1 means no upper limit. -# -# Uncomment the following to increase the limit to 5000. -# -#filter_timeline_limit: 5000 - -# Whether room invites to users on this server should be blocked -# (except those sent by local server admins). The default is False. -# -#block_non_admin_invites: True - -# Room searching -# -# If disabled, new messages will not be indexed for searching and users -# will receive errors when searching for messages. Defaults to enabled. -# -#enable_search: false - -# Prevent outgoing requests from being sent to the following blacklisted IP address -# CIDR ranges. If this option is not specified then it defaults to private IP -# address ranges (see the example below). -# -# The blacklist applies to the outbound requests for federation, identity servers, -# push servers, and for checking key validity for third-party invite events. -# -# (0.0.0.0 and :: are always blacklisted, whether or not they are explicitly -# listed here, since they correspond to unroutable addresses.) -# -# This option replaces federation_ip_range_blacklist in Synapse v1.25.0. -# -#ip_range_blacklist: -# - '127.0.0.0/8' -# - '10.0.0.0/8' -# - '172.16.0.0/12' -# - '192.168.0.0/16' -# - '100.64.0.0/10' -# - '192.0.0.0/24' -# - '169.254.0.0/16' -# - '198.18.0.0/15' -# - '192.0.2.0/24' -# - '198.51.100.0/24' -# - '203.0.113.0/24' -# - '224.0.0.0/4' -# - '::1/128' -# - 'fe80::/10' -# - 'fc00::/7' - -# List of IP address CIDR ranges that should be allowed for federation, -# identity servers, push servers, and for checking key validity for -# third-party invite events. This is useful for specifying exceptions to -# wide-ranging blacklisted target IP ranges - e.g. for communication with -# a push server only visible in your network. -# -# This whitelist overrides ip_range_blacklist and defaults to an empty -# list. -# -#ip_range_whitelist: -# - '192.168.1.1' - -# List of ports that Synapse should listen on, their purpose and their -# configuration. -# -# Options for each listener include: -# -# port: the TCP port to bind to -# -# bind_addresses: a list of local addresses to listen on. The default is -# 'all local interfaces'. -# -# type: the type of listener. Normally 'http', but other valid options are: -# 'manhole' (see docs/manhole.md), -# 'metrics' (see docs/metrics-howto.md), -# 'replication' (see docs/workers.md). -# -# tls: set to true to enable TLS for this listener. Will use the TLS -# key/cert specified in tls_private_key_path / tls_certificate_path. -# -# x_forwarded: Only valid for an 'http' listener. Set to true to use the -# X-Forwarded-For header as the client IP. Useful when Synapse is -# behind a reverse-proxy. -# -# resources: Only valid for an 'http' listener. A list of resources to host -# on this port. Options for each resource are: -# -# names: a list of names of HTTP resources. See below for a list of -# valid resource names. -# -# compress: set to true to enable HTTP compression for this resource. -# -# additional_resources: Only valid for an 'http' listener. A map of -# additional endpoints which should be loaded via dynamic modules. -# -# Valid resource names are: -# -# client: the client-server API (/_matrix/client), and the synapse admin -# API (/_synapse/admin). Also implies 'media' and 'static'. -# -# consent: user consent forms (/_matrix/consent). See -# docs/consent_tracking.md. -# -# federation: the server-server API (/_matrix/federation). Also implies -# 'media', 'keys', 'openid' -# -# keys: the key discovery API (/_matrix/keys). -# -# media: the media API (/_matrix/media). -# -# metrics: the metrics interface. See docs/metrics-howto.md. -# -# openid: OpenID authentication. -# -# replication: the HTTP replication API (/_synapse/replication). See -# docs/workers.md. -# -# static: static resources under synapse/static (/_matrix/static). (Mostly -# useful for 'fallback authentication'.) -# -# webclient: A web client. Requires web_client_location to be set. -# -listeners: -{% if matrix_synapse_metrics_enabled %} - - type: metrics - port: {{ matrix_synapse_metrics_port }} - bind_addresses: - - '0.0.0.0' -{% endif %} - -{% if matrix_synapse_federation_port_enabled and matrix_synapse_tls_federation_listener_enabled %} - # TLS-enabled listener: for when matrix traffic is sent directly to synapse. - - port: 8448 - tls: true - bind_addresses: ['::'] - type: http - x_forwarded: false - - resources: - - names: {{ matrix_synapse_federation_listener_resource_names|to_json }} - compress: false -{% endif %} - - # Unsecure HTTP listener (Client API): for when matrix traffic passes through a reverse proxy - # that unwraps TLS. - - port: 8008 - tls: false - bind_addresses: ['::'] - type: http - x_forwarded: true - - resources: - - names: {{ matrix_synapse_http_listener_resource_names|to_json }} - compress: false - -{% if matrix_synapse_federation_port_enabled %} - # Unsecure HTTP listener (Federation API): for when matrix traffic passes through a reverse proxy - # that unwraps TLS. - - port: 8048 - tls: false - bind_addresses: ['::'] - type: http - x_forwarded: true - - resources: - - names: {{ matrix_synapse_federation_listener_resource_names|to_json }} - compress: false -{% endif %} - -{% if matrix_synapse_manhole_enabled %} - # Turn on the twisted ssh manhole service on localhost on the given - # port. - - port: 9000 - bind_addresses: ['0.0.0.0'] - type: manhole -{% endif %} - - -# Forward extremities can build up in a room due to networking delays between -# homeservers. Once this happens in a large room, calculation of the state of -# that room can become quite expensive. To mitigate this, once the number of -# forward extremities reaches a given threshold, Synapse will send an -# org.matrix.dummy_event event, which will reduce the forward extremities -# in the room. -# -# This setting defines the threshold (i.e. number of forward extremities in the -# room) at which dummy events are sent. The default value is 10. -# -#dummy_events_threshold: 5 - - -## Homeserver blocking ## - -# How to reach the server admin, used in ResourceLimitError -# -#admin_contact: 'mailto:admin@server.com' - -# Global blocking -# -#hs_disabled: False -#hs_disabled_message: 'Human readable reason for why the HS is blocked' -#hs_disabled_limit_type: 'error code(str), to help clients decode reason' - -# Monthly Active User Blocking -# -# Used in cases where the admin or server owner wants to limit to the -# number of monthly active users. -# -# 'limit_usage_by_mau' disables/enables monthly active user blocking. When -# enabled and a limit is reached the server returns a 'ResourceLimitError' -# with error type Codes.RESOURCE_LIMIT_EXCEEDED -# -# 'max_mau_value' is the hard limit of monthly active users above which -# the server will start blocking user actions. -# -# 'mau_trial_days' is a means to add a grace period for active users. It -# means that users must be active for this number of days before they -# can be considered active and guards against the case where lots of users -# sign up in a short space of time never to return after their initial -# session. -# -#limit_usage_by_mau: False -#max_mau_value: 50 -#mau_trial_days: 2 - -# If enabled, the metrics for the number of monthly active users will -# be populated, however no one will be limited. If limit_usage_by_mau -# is true, this is implied to be true. -# -#mau_stats_only: False - -# Sometimes the server admin will want to ensure certain accounts are -# never blocked by mau checking. These accounts are specified here. -# -#mau_limit_reserved_threepids: -# - medium: 'email' -# address: 'reserved_user@example.com' - -# Used by phonehome stats to group together related servers. -#server_context: context - -# Resource-constrained homeserver settings -# -# When this is enabled, the room "complexity" will be checked before a user -# joins a new remote room. If it is above the complexity limit, the server will -# disallow joining, or will instantly leave. -# -# Room complexity is an arbitrary measure based on factors such as the number of -# users in the room. -# -limit_remote_rooms: - # Uncomment to enable room complexity checking. - # - #enabled: true - - # the limit above which rooms cannot be joined. The default is 1.0. - # - #complexity: 0.5 - - # override the error which is returned when the room is too complex. - # - #complexity_error: "This room is too complex." - - # allow server admins to join complex rooms. Default is false. - # - #admins_can_join: true - -# Whether to require a user to be in the room to add an alias to it. -# Defaults to 'true'. -# -#require_membership_for_aliases: false - -# Whether to allow per-room membership profiles through the send of membership -# events with profile information that differ from the target's global profile. -# Defaults to 'true'. -# -#allow_per_room_profiles: false - -# How long to keep redacted events in unredacted form in the database. After -# this period redacted events get replaced with their redacted form in the DB. -# -# Defaults to `7d`. Set to `null` to disable. -# -#redaction_retention_period: 28d - -redaction_retention_period: {{ matrix_synapse_redaction_retention_period }} - -# How long to track users' last seen time and IPs in the database. -# -# Defaults to `28d`. Set to `null` to disable clearing out of old rows. -# -#user_ips_max_age: 14d - -user_ips_max_age: {{ matrix_synapse_user_ips_max_age }} - -# Message retention policy at the server level. -# -# Room admins and mods can define a retention period for their rooms using the -# 'm.room.retention' state event, and server admins can cap this period by setting -# the 'allowed_lifetime_min' and 'allowed_lifetime_max' config options. -# -# If this feature is enabled, Synapse will regularly look for and purge events -# which are older than the room's maximum retention period. Synapse will also -# filter events received over federation so that events that should have been -# purged are ignored and not stored again. -# -retention: - # The message retention policies feature is disabled by default. Uncomment the - # following line to enable it. - # - #enabled: true - - # Default retention policy. If set, Synapse will apply it to rooms that lack the - # 'm.room.retention' state event. Currently, the value of 'min_lifetime' doesn't - # matter much because Synapse doesn't take it into account yet. - # - #default_policy: - # min_lifetime: 1d - # max_lifetime: 1y - - # Retention policy limits. If set, and the state of a room contains a - # 'm.room.retention' event in its state which contains a 'min_lifetime' or a - # 'max_lifetime' that's out of these bounds, Synapse will cap the room's policy - # to these limits when running purge jobs. - # - #allowed_lifetime_min: 1d - #allowed_lifetime_max: 1y - - # Server admins can define the settings of the background jobs purging the - # events which lifetime has expired under the 'purge_jobs' section. - # - # If no configuration is provided, a single job will be set up to delete expired - # events in every room daily. - # - # Each job's configuration defines which range of message lifetimes the job - # takes care of. For example, if 'shortest_max_lifetime' is '2d' and - # 'longest_max_lifetime' is '3d', the job will handle purging expired events in - # rooms whose state defines a 'max_lifetime' that's both higher than 2 days, and - # lower than or equal to 3 days. Both the minimum and the maximum value of a - # range are optional, e.g. a job with no 'shortest_max_lifetime' and a - # 'longest_max_lifetime' of '3d' will handle every room with a retention policy - # which 'max_lifetime' is lower than or equal to three days. - # - # The rationale for this per-job configuration is that some rooms might have a - # retention policy with a low 'max_lifetime', where history needs to be purged - # of outdated messages on a more frequent basis than for the rest of the rooms - # (e.g. every 12h), but not want that purge to be performed by a job that's - # iterating over every room it knows, which could be heavy on the server. - # - # If any purge job is configured, it is strongly recommended to have at least - # a single job with neither 'shortest_max_lifetime' nor 'longest_max_lifetime' - # set, or one job without 'shortest_max_lifetime' and one job without - # 'longest_max_lifetime' set. Otherwise some rooms might be ignored, even if - # 'allowed_lifetime_min' and 'allowed_lifetime_max' are set, because capping a - # room's policy to these values is done after the policies are retrieved from - # Synapse's database (which is done using the range specified in a purge job's - # configuration). - # - #purge_jobs: - # - longest_max_lifetime: 3d - # interval: 12h - # - shortest_max_lifetime: 3d - # interval: 1d - -# Inhibits the /requestToken endpoints from returning an error that might leak -# information about whether an e-mail address is in use or not on this -# homeserver. -# Note that for some endpoints the error situation is the e-mail already being -# used, and for others the error is entering the e-mail being unused. -# If this option is enabled, instead of returning an error, these endpoints will -# act as if no error happened and return a fake session ID ('sid') to clients. -# -#request_token_inhibit_3pid_errors: true - -# A list of domains that the domain portion of 'next_link' parameters -# must match. -# -# This parameter is optionally provided by clients while requesting -# validation of an email or phone number, and maps to a link that -# users will be automatically redirected to after validation -# succeeds. Clients can make use this parameter to aid the validation -# process. -# -# The whitelist is applied whether the homeserver or an -# identity server is handling validation. -# -# The default value is no whitelist functionality; all domains are -# allowed. Setting this value to an empty list will instead disallow -# all domains. -# -#next_link_domain_whitelist: ["matrix.org"] - - -## TLS ## - -# PEM-encoded X509 certificate for TLS. -# This certificate, as of Synapse 1.0, will need to be a valid and verifiable -# certificate, signed by a recognised Certificate Authority. -# -# See 'ACME support' below to enable auto-provisioning this certificate via -# Let's Encrypt. -# -# If supplying your own, be sure to use a `.pem` file that includes the -# full certificate chain including any intermediate certificates (for -# instance, if using certbot, use `fullchain.pem` as your certificate, -# not `cert.pem`). -# -tls_certificate_path: {{ matrix_synapse_tls_certificate_path|to_json }} - -# PEM-encoded private key for TLS -# -tls_private_key_path: {{ matrix_synapse_tls_private_key_path|to_json }} - -# Whether to verify TLS server certificates for outbound federation requests. -# -# Defaults to `true`. To disable certificate verification, uncomment the -# following line. -# -#federation_verify_certificates: false - -# The minimum TLS version that will be used for outbound federation requests. -# -# Defaults to `1`. Configurable to `1`, `1.1`, `1.2`, or `1.3`. Note -# that setting this value higher than `1.2` will prevent federation to most -# of the public Matrix network: only configure it to `1.3` if you have an -# entirely private federation setup and you can ensure TLS 1.3 support. -# -#federation_client_minimum_tls_version: 1.2 - -# Skip federation certificate verification on the following whitelist -# of domains. -# -# This setting should only be used in very specific cases, such as -# federation over Tor hidden services and similar. For private networks -# of homeservers, you likely want to use a private CA instead. -# -# Only effective if federation_verify_certicates is `true`. -# -#federation_certificate_verification_whitelist: -# - lon.example.com -# - *.domain.com -# - *.onion - -# List of custom certificate authorities for federation traffic. -# -# This setting should only normally be used within a private network of -# homeservers. -# -# Note that this list will replace those that are provided by your -# operating environment. Certificates must be in PEM format. -# -#federation_custom_ca_list: -# - myCA1.pem -# - myCA2.pem -# - myCA3.pem - -# ACME support: This will configure Synapse to request a valid TLS certificate -# for your configured `server_name` via Let's Encrypt. -# -# Note that ACME v1 is now deprecated, and Synapse currently doesn't support -# ACME v2. This means that this feature currently won't work with installs set -# up after November 2019. For more info, and alternative solutions, see -# https://github.com/matrix-org/synapse/blob/master/docs/ACME.md#deprecation-of-acme-v1 -# -# Note that provisioning a certificate in this way requires port 80 to be -# routed to Synapse so that it can complete the http-01 ACME challenge. -# By default, if you enable ACME support, Synapse will attempt to listen on -# port 80 for incoming http-01 challenges - however, this will likely fail -# with 'Permission denied' or a similar error. -# -# There are a couple of potential solutions to this: -# -# * If you already have an Apache, Nginx, or similar listening on port 80, -# you can configure Synapse to use an alternate port, and have your web -# server forward the requests. For example, assuming you set 'port: 8009' -# below, on Apache, you would write: -# -# ProxyPass /.well-known/acme-challenge http://localhost:8009/.well-known/acme-challenge -# -# * Alternatively, you can use something like `authbind` to give Synapse -# permission to listen on port 80. -# -acme: - # ACME support is disabled by default. Uncomment the following line - # (and tls_certificate_path and tls_private_key_path above) to enable it. - # - #enabled: true - - # Endpoint to use to request certificates. If you only want to test, - # use Let's Encrypt's staging url: - # https://acme-staging.api.letsencrypt.org/directory - # - #url: https://acme-v01.api.letsencrypt.org/directory - - # Port number to listen on for the HTTP-01 challenge. Change this if - # you are forwarding connections through Apache/Nginx/etc. - # - #port: 80 - - # Local addresses to listen on for incoming connections. - # Again, you may want to change this if you are forwarding connections - # through Apache/Nginx/etc. - # - #bind_addresses: ['::', '0.0.0.0'] - - # How many days remaining on a certificate before it is renewed. - # - #reprovision_threshold: 30 - - # The domain that the certificate should be for. Normally this - # should be the same as your Matrix domain (i.e., 'server_name'), but, - # by putting a file at 'https:///.well-known/matrix/server', - # you can delegate incoming traffic to another server. If you do that, - # you should give the target of the delegation here. - # - # For example: if your 'server_name' is 'example.com', but - # 'https://example.com/.well-known/matrix/server' delegates to - # 'matrix.example.com', you should put 'matrix.example.com' here. - # - # If not set, defaults to your 'server_name'. - # - #domain: matrix.example.com - - # file to use for the account key. This will be generated if it doesn't - # exist. - # - # If unspecified, we will use CONFDIR/client.key. - # - #account_key_file: /data/acme_account.key - -# List of allowed TLS fingerprints for this server to publish along -# with the signing keys for this server. Other matrix servers that -# make HTTPS requests to this server will check that the TLS -# certificates returned by this server match one of the fingerprints. -# -# Synapse automatically adds the fingerprint of its own certificate -# to the list. So if federation traffic is handled directly by synapse -# then no modification to the list is required. -# -# If synapse is run behind a load balancer that handles the TLS then it -# will be necessary to add the fingerprints of the certificates used by -# the loadbalancers to this list if they are different to the one -# synapse is using. -# -# Homeservers are permitted to cache the list of TLS fingerprints -# returned in the key responses up to the "valid_until_ts" returned in -# key. It may be necessary to publish the fingerprints of a new -# certificate and wait until the "valid_until_ts" of the previous key -# responses have passed before deploying it. -# -# You can calculate a fingerprint from a given TLS listener via: -# openssl s_client -connect $host:$port < /dev/null 2> /dev/null | -# openssl x509 -outform DER | openssl sha256 -binary | base64 | tr -d '=' -# or by checking matrix.org/federationtester/api/report?server_name=$host -# -#tls_fingerprints: [{"sha256": ""}] - - -## Federation ## - -# Restrict federation to the following whitelist of domains. -# N.B. we recommend also firewalling your federation listener to limit -# inbound federation traffic as early as possible, rather than relying -# purely on this application-layer restriction. If not specified, the -# default is to whitelist everything. -# -#federation_domain_whitelist: -# - lon.example.com -# - nyc.example.com -# - syd.example.com -{% if matrix_synapse_federation_domain_whitelist is not none %} -{# Cannot use `|to_nice_yaml` here, as an empty list does not get serialized properly by it. #} -federation_domain_whitelist: {{ matrix_synapse_federation_domain_whitelist|to_json }} -{% endif %} - -# Report prometheus metrics on the age of PDUs being sent to and received from -# the following domains. This can be used to give an idea of "delay" on inbound -# and outbound federation, though be aware that any delay can be due to problems -# at either end or with the intermediate network. -# -# By default, no domains are monitored in this way. -# -#federation_metrics_domains: -# - matrix.org -# - example.com - - -## Caching ## - -# Caching can be configured through the following options. -# -# A cache 'factor' is a multiplier that can be applied to each of -# Synapse's caches in order to increase or decrease the maximum -# number of entries that can be stored. - -# The number of events to cache in memory. Not affected by -# caches.global_factor. -# -event_cache_size: "{{ matrix_synapse_event_cache_size }}" - -caches: - # Controls the global cache factor, which is the default cache factor - # for all caches if a specific factor for that cache is not otherwise - # set. - # - # This can also be set by the "SYNAPSE_CACHE_FACTOR" environment - # variable. Setting by environment variable takes priority over - # setting through the config file. - # - # Defaults to 0.5, which will half the size of all caches. - # - global_factor: {{ matrix_synapse_caches_global_factor }} - - # A dictionary of cache name to cache factor for that individual - # cache. Overrides the global cache factor for a given cache. - # - # These can also be set through environment variables comprised - # of "SYNAPSE_CACHE_FACTOR_" + the name of the cache in capital - # letters and underscores. Setting by environment variable - # takes priority over setting through the config file. - # Ex. SYNAPSE_CACHE_FACTOR_GET_USERS_WHO_SHARE_ROOM_WITH_USER=2.0 - # - # Some caches have '*' and other characters that are not - # alphanumeric or underscores. These caches can be named with or - # without the special characters stripped. For example, to specify - # the cache factor for `*stateGroupCache*` via an environment - # variable would be `SYNAPSE_CACHE_FACTOR_STATEGROUPCACHE=2.0`. - # - per_cache_factors: - #get_users_who_share_room_with_user: 2.0 - - -## Database ## - -database: - # The database engine name - name: "psycopg2" - args: - user: {{ matrix_synapse_database_user|string|to_json }} - password: {{ matrix_synapse_database_password|string|to_json }} - database: "{{ matrix_synapse_database_database }}" - host: "{{ matrix_synapse_database_host }}" - cp_min: 5 - cp_max: 10 - - -## Logging ## - -# A yaml python logging config file as described by -# https://docs.python.org/3.7/library/logging.config.html#configuration-dictionary-schema -# -log_config: "/data/{{ matrix_server_fqn_matrix }}.log.config" - - -## Ratelimiting ## - -# Ratelimiting settings for client actions (registration, login, messaging). -# -# Each ratelimiting configuration is made of two parameters: -# - per_second: number of requests a client can send per second. -# - burst_count: number of requests a client can send before being throttled. -# -# Synapse currently uses the following configurations: -# - one for messages that ratelimits sending based on the account the client -# is using -# - one for registration that ratelimits registration requests based on the -# client's IP address. -# - one for login that ratelimits login requests based on the client's IP -# address. -# - one for login that ratelimits login requests based on the account the -# client is attempting to log into. -# - one for login that ratelimits login requests based on the account the -# client is attempting to log into, based on the amount of failed login -# attempts for this account. -# - one for ratelimiting redactions by room admins. If this is not explicitly -# set then it uses the same ratelimiting as per rc_message. This is useful -# to allow room admins to deal with abuse quickly. -# - two for ratelimiting number of rooms a user can join, "local" for when -# users are joining rooms the server is already in (this is cheap) vs -# "remote" for when users are trying to join rooms not on the server (which -# can be more expensive) -# -# The defaults are as shown below. -# -#rc_message: -# per_second: 0.2 -# burst_count: 10 -rc_message: {{ matrix_synapse_rc_message|to_json }} -# -#rc_registration: -# per_second: 0.17 -# burst_count: 3 -rc_registration: {{ matrix_synapse_rc_registration|to_json }} -# -#rc_login: -# address: -# per_second: 0.17 -# burst_count: 3 -# account: -# per_second: 0.17 -# burst_count: 3 -# failed_attempts: -# per_second: 0.17 -# burst_count: 3 -rc_login: {{ matrix_synapse_rc_login|to_json }} -# -#rc_admin_redaction: -# per_second: 1 -# burst_count: 50 -# -#rc_joins: -# local: -# per_second: 0.1 -# burst_count: 3 -# remote: -# per_second: 0.01 -# burst_count: 3 - - -# Ratelimiting settings for incoming federation -# -# The rc_federation configuration is made up of the following settings: -# - window_size: window size in milliseconds -# - sleep_limit: number of federation requests from a single server in -# a window before the server will delay processing the request. -# - sleep_delay: duration in milliseconds to delay processing events -# from remote servers by if they go over the sleep limit. -# - reject_limit: maximum number of concurrent federation requests -# allowed from a single server -# - concurrent: number of federation requests to concurrently process -# from a single server -# -# The defaults are as shown below. -# -#rc_federation: -# window_size: 1000 -# sleep_limit: 10 -# sleep_delay: 500 -# reject_limit: 50 -# concurrent: 3 -rc_federation: {{ matrix_synapse_rc_federation|to_json }} - -# Target outgoing federation transaction frequency for sending read-receipts, -# per-room. -# -# If we end up trying to send out more read-receipts, they will get buffered up -# into fewer transactions. -# -#federation_rr_transactions_per_room_per_second: 50 -federation_rr_transactions_per_room_per_second: {{ matrix_synapse_federation_rr_transactions_per_room_per_second }} - - - -## Media Store ## - -# Enable the media store service in the Synapse master. Uncomment the -# following if you are using a separate media store worker. -# -#enable_media_repo: false - -# Directory where uploaded images and attachments are stored. -# -media_store_path: "/matrix-media-store-parent/{{ matrix_synapse_media_store_directory_name }}" - -# Media storage providers allow media to be stored in different -# locations. -# -#media_storage_providers: -# - module: file_system -# # Whether to store newly uploaded local files -# store_local: false -# # Whether to store newly downloaded remote files -# store_remote: false -# # Whether to wait for successful storage for local uploads -# store_synchronous: false -# config: -# directory: /mnt/some/other/directory - -# The largest allowed upload size in bytes -# -max_upload_size: "{{ matrix_synapse_max_upload_size_mb }}M" - -# Maximum number of pixels that will be thumbnailed -# -#max_image_pixels: 32M - -# Whether to generate new thumbnails on the fly to precisely match -# the resolution requested by the client. If true then whenever -# a new resolution is requested by the client the server will -# generate a new thumbnail. If false the server will pick a thumbnail -# from a precalculated list. -# -#dynamic_thumbnails: false - -# List of thumbnails to precalculate when an image is uploaded. -# -#thumbnail_sizes: -# - width: 32 -# height: 32 -# method: crop -# - width: 96 -# height: 96 -# method: crop -# - width: 320 -# height: 240 -# method: scale -# - width: 640 -# height: 480 -# method: scale -# - width: 800 -# height: 600 -# method: scale - -# Is the preview URL API enabled? -# -# 'false' by default: uncomment the following to enable it (and specify a -# url_preview_ip_range_blacklist blacklist). -# -url_preview_enabled: {{ matrix_synapse_url_preview_enabled|to_json }} - -# List of IP address CIDR ranges that the URL preview spider is denied -# from accessing. There are no defaults: you must explicitly -# specify a list for URL previewing to work. You should specify any -# internal services in your network that you do not want synapse to try -# to connect to, otherwise anyone in any Matrix room could cause your -# synapse to issue arbitrary GET requests to your internal services, -# causing serious security issues. -# -# (0.0.0.0 and :: are always blacklisted, whether or not they are explicitly -# listed here, since they correspond to unroutable addresses.) -# -# This must be specified if url_preview_enabled is set. It is recommended that -# you uncomment the following list as a starting point. -# -url_preview_ip_range_blacklist: - - '127.0.0.0/8' - - '10.0.0.0/8' - - '172.16.0.0/12' - - '192.168.0.0/16' - - '100.64.0.0/10' - - '192.0.0.0/24' - - '169.254.0.0/16' - - '198.18.0.0/15' - - '192.0.2.0/24' - - '198.51.100.0/24' - - '203.0.113.0/24' - - '224.0.0.0/4' - - '::1/128' - - 'fe80::/10' - - 'fc00::/7' - -# List of IP address CIDR ranges that the URL preview spider is allowed -# to access even if they are specified in url_preview_ip_range_blacklist. -# This is useful for specifying exceptions to wide-ranging blacklisted -# target IP ranges - e.g. for enabling URL previews for a specific private -# website only visible in your network. -# -#url_preview_ip_range_whitelist: -# - '192.168.1.1' - -# Optional list of URL matches that the URL preview spider is -# denied from accessing. You should use url_preview_ip_range_blacklist -# in preference to this, otherwise someone could define a public DNS -# entry that points to a private IP address and circumvent the blacklist. -# This is more useful if you know there is an entire shape of URL that -# you know that will never want synapse to try to spider. -# -# Each list entry is a dictionary of url component attributes as returned -# by urlparse.urlsplit as applied to the absolute form of the URL. See -# https://docs.python.org/2/library/urlparse.html#urlparse.urlsplit -# The values of the dictionary are treated as an filename match pattern -# applied to that component of URLs, unless they start with a ^ in which -# case they are treated as a regular expression match. If all the -# specified component matches for a given list item succeed, the URL is -# blacklisted. -# -#url_preview_url_blacklist: -# # blacklist any URL with a username in its URI -# - username: '*' -# -# # blacklist all *.google.com URLs -# - netloc: 'google.com' -# - netloc: '*.google.com' -# -# # blacklist all plain HTTP URLs -# - scheme: 'http' -# -# # blacklist http(s)://www.acme.com/foo -# - netloc: 'www.acme.com' -# path: '/foo' -# -# # blacklist any URL with a literal IPv4 address -# - netloc: '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$' - -# The largest allowed URL preview spidering size in bytes -# -max_spider_size: 10M - -# A list of values for the Accept-Language HTTP header used when -# downloading webpages during URL preview generation. This allows -# Synapse to specify the preferred languages that URL previews should -# be in when communicating with remote servers. -# -# Each value is a IETF language tag; a 2-3 letter identifier for a -# language, optionally followed by subtags separated by '-', specifying -# a country or region variant. -# -# Multiple values can be provided, and a weight can be added to each by -# using quality value syntax (;q=). '*' translates to any language. -# -# Defaults to "en". -# -# Example: -# -# url_preview_accept_language: -# - en-UK -# - en-US;q=0.9 -# - fr;q=0.8 -# - *;q=0.7 -# -url_preview_accept_language: -# - en - - -## Captcha ## -# See docs/CAPTCHA_SETUP.md for full details of configuring this. - -# This homeserver's ReCAPTCHA public key. Must be specified if -# enable_registration_captcha is enabled. -# -recaptcha_public_key: {{ matrix_synapse_recaptcha_public_key|to_json }} - -# This homeserver's ReCAPTCHA private key. Must be specified if -# enable_registration_captcha is enabled. -# -recaptcha_private_key: {{ matrix_synapse_recaptcha_private_key|to_json }} - -# Uncomment to enable ReCaptcha checks when registering, preventing signup -# unless a captcha is answered. Requires a valid ReCaptcha -# public/private key. Defaults to 'false'. -# -enable_registration_captcha: {{ matrix_synapse_enable_registration_captcha|to_json }} - -# The API endpoint to use for verifying m.login.recaptcha responses. -# Defaults to "https://www.recaptcha.net/recaptcha/api/siteverify". -# -#recaptcha_siteverify_api: "https://my.recaptcha.site" - - -## TURN ## - -# The public URIs of the TURN server to give to clients -# -turn_uris: {{ matrix_synapse_turn_uris|to_json }} - -# The shared secret used to compute passwords for the TURN server -# -turn_shared_secret: {{ matrix_synapse_turn_shared_secret|string|to_json }} - -# The Username and password if the TURN server needs them and -# does not use a token -# -#turn_username: "TURNSERVER_USERNAME" -#turn_password: "TURNSERVER_PASSWORD" - -# How long generated TURN credentials last -# -#turn_user_lifetime: 1h - -# Whether guests should be allowed to use the TURN server. -# This defaults to True, otherwise VoIP will be unreliable for guests. -# However, it does introduce a slight security risk as it allows users to -# connect to arbitrary endpoints without having first signed up for a -# valid account (e.g. by passing a CAPTCHA). -# -turn_allow_guests: {{ matrix_synapse_turn_allow_guests|to_json }} - - -## Registration ## -# -# Registration can be rate-limited using the parameters in the "Ratelimiting" -# section of this file. - -# Enable registration for new users. -# -enable_registration: {{ matrix_synapse_enable_registration|to_json }} - -# Optional account validity configuration. This allows for accounts to be denied -# any request after a given period. -# -# Once this feature is enabled, Synapse will look for registered users without an -# expiration date at startup and will add one to every account it found using the -# current settings at that time. -# This means that, if a validity period is set, and Synapse is restarted (it will -# then derive an expiration date from the current validity period), and some time -# after that the validity period changes and Synapse is restarted, the users' -# expiration dates won't be updated unless their account is manually renewed. This -# date will be randomly selected within a range [now + period - d ; now + period], -# where d is equal to 10% of the validity period. -# -account_validity: - # The account validity feature is disabled by default. Uncomment the - # following line to enable it. - # - #enabled: true - - # The period after which an account is valid after its registration. When - # renewing the account, its validity period will be extended by this amount - # of time. This parameter is required when using the account validity - # feature. - # - #period: 6w - - # The amount of time before an account's expiry date at which Synapse will - # send an email to the account's email address with a renewal link. By - # default, no such emails are sent. - # - # If you enable this setting, you will also need to fill out the 'email' and - # 'public_baseurl' configuration sections. - # - #renew_at: 1w - - # The subject of the email sent out with the renewal link. '%(app)s' can be - # used as a placeholder for the 'app_name' parameter from the 'email' - # section. - # - # Note that the placeholder must be written '%(app)s', including the - # trailing 's'. - # - # If this is not set, a default value is used. - # - #renew_email_subject: "Renew your %(app)s account" - - # Directory in which Synapse will try to find templates for the HTML files to - # serve to the user when trying to renew an account. If not set, default - # templates from within the Synapse package will be used. - # - #template_dir: "res/templates" - - # File within 'template_dir' giving the HTML to be displayed to the user after - # they successfully renewed their account. If not set, default text is used. - # - #account_renewed_html_path: "account_renewed.html" - - # File within 'template_dir' giving the HTML to be displayed when the user - # tries to renew an account with an invalid renewal token. If not set, - # default text is used. - # - #invalid_token_html_path: "invalid_token.html" - -# Time that a user's session remains valid for, after they log in. -# -# Note that this is not currently compatible with guest logins. -# -# Note also that this is calculated at login time: changes are not applied -# retrospectively to users who have already logged in. -# -# By default, this is infinite. -# -#session_lifetime: 24h - -# The user must provide all of the below types of 3PID when registering. -# -#registrations_require_3pid: -# - email -# - msisdn -{% if matrix_synapse_registrations_require_3pid|length > 0 %} -registrations_require_3pid: {{ matrix_synapse_registrations_require_3pid|to_json }} -{% endif %} - -# Explicitly disable asking for MSISDNs from the registration -# flow (overrides registrations_require_3pid if MSISDNs are set as required) -# -#disable_msisdn_registration: true - -# Mandate that users are only allowed to associate certain formats of -# 3PIDs with accounts on this server. -# -#allowed_local_3pids: -# - medium: email -# pattern: '.*@matrix\.org' -# - medium: email -# pattern: '.*@vector\.im' -# - medium: msisdn -# pattern: '\+44' -{% if matrix_synapse_allowed_local_3pids|length > 0 %} -allowed_local_3pids: {{ matrix_synapse_allowed_local_3pids|to_json }} -{% endif %} - -# Enable 3PIDs lookup requests to identity servers from this server. -# -#enable_3pid_lookup: true - -# If set, allows registration of standard or admin accounts by anyone who -# has the shared secret, even if registration is otherwise disabled. -# -registration_shared_secret: {{ matrix_synapse_registration_shared_secret|string|to_json }} - -# Set the number of bcrypt rounds used to generate password hash. -# Larger numbers increase the work factor needed to generate the hash. -# The default number is 12 (which equates to 2^12 rounds). -# N.B. that increasing this will exponentially increase the time required -# to register or login - e.g. 24 => 2^24 rounds which will take >20 mins. -# -#bcrypt_rounds: 12 - -# Allows users to register as guests without a password/email/etc, and -# participate in rooms hosted on this server which have been made -# accessible to anonymous users. -# -allow_guest_access: {{ matrix_synapse_allow_guest_access|to_json }} - -# The identity server which we suggest that clients should use when users log -# in on this server. -# -# (By default, no suggestion is made, so it is left up to the client. -# This setting is ignored unless public_baseurl is also set.) -# -#default_identity_server: https://matrix.org - -# Handle threepid (email/phone etc) registration and password resets through a set of -# *trusted* identity servers. Note that this allows the configured identity server to -# reset passwords for accounts! -# -# Be aware that if `email` is not set, and SMTP options have not been -# configured in the email config block, registration and user password resets via -# email will be globally disabled. -# -# Additionally, if `msisdn` is not set, registration and password resets via msisdn -# will be disabled regardless, and users will not be able to associate an msisdn -# identifier to their account. This is due to Synapse currently not supporting -# any method of sending SMS messages on its own. -# -# To enable using an identity server for operations regarding a particular third-party -# identifier type, set the value to the URL of that identity server as shown in the -# examples below. -# -# Servers handling the these requests must answer the `/requestToken` endpoints defined -# by the Matrix Identity Service API specification: -# https://matrix.org/docs/spec/identity_service/latest -# -# If a delegate is specified, the config option public_baseurl must also be filled out. -# -account_threepid_delegates: - email: {{ matrix_synapse_account_threepid_delegates_email|to_json }} - msisdn: {{ matrix_synapse_account_threepid_delegates_msisdn|to_json }} - -# Whether users are allowed to change their displayname after it has -# been initially set. Useful when provisioning users based on the -# contents of a third-party directory. -# -# Does not apply to server administrators. Defaults to 'true' -# -#enable_set_displayname: false - -# Whether users are allowed to change their avatar after it has been -# initially set. Useful when provisioning users based on the contents -# of a third-party directory. -# -# Does not apply to server administrators. Defaults to 'true' -# -#enable_set_avatar_url: false - -# Whether users can change the 3PIDs associated with their accounts -# (email address and msisdn). -# -# Defaults to 'true' -# -#enable_3pid_changes: false - -# Users who register on this homeserver will automatically be joined -# to these rooms. -# -# By default, any room aliases included in this list will be created -# as a publicly joinable room when the first user registers for the -# homeserver. This behaviour can be customised with the settings below. -# -#auto_join_rooms: -# - "#example:example.com" -{% if matrix_synapse_auto_join_rooms|length > 0 %} -auto_join_rooms: -{{ matrix_synapse_auto_join_rooms|to_nice_yaml }} -{% endif %} - -# Where auto_join_rooms are specified, setting this flag ensures that the -# the rooms exist by creating them when the first user on the -# homeserver registers. -# -# By default the auto-created rooms are publicly joinable from any federated -# server. Use the autocreate_auto_join_rooms_federated and -# autocreate_auto_join_room_preset settings below to customise this behaviour. -# -# Setting to false means that if the rooms are not manually created, -# users cannot be auto-joined since they do not exist. -# -# Defaults to true. Uncomment the following line to disable automatically -# creating auto-join rooms. -# -autocreate_auto_join_rooms: {{ matrix_synapse_autocreate_auto_join_rooms|to_json }} - -# Whether the auto_join_rooms that are auto-created are available via -# federation. Only has an effect if autocreate_auto_join_rooms is true. -# -# Note that whether a room is federated cannot be modified after -# creation. -# -# Defaults to true: the room will be joinable from other servers. -# Uncomment the following to prevent users from other homeservers from -# joining these rooms. -# -#autocreate_auto_join_rooms_federated: false - -# The room preset to use when auto-creating one of auto_join_rooms. Only has an -# effect if autocreate_auto_join_rooms is true. -# -# This can be one of "public_chat", "private_chat", or "trusted_private_chat". -# If a value of "private_chat" or "trusted_private_chat" is used then -# auto_join_mxid_localpart must also be configured. -# -# Defaults to "public_chat", meaning that the room is joinable by anyone, including -# federated servers if autocreate_auto_join_rooms_federated is true (the default). -# Uncomment the following to require an invitation to join these rooms. -# -#autocreate_auto_join_room_preset: private_chat - -# The local part of the user id which is used to create auto_join_rooms if -# autocreate_auto_join_rooms is true. If this is not provided then the -# initial user account that registers will be used to create the rooms. -# -# The user id is also used to invite new users to any auto-join rooms which -# are set to invite-only. -# -# It *must* be configured if autocreate_auto_join_room_preset is set to -# "private_chat" or "trusted_private_chat". -# -# Note that this must be specified in order for new users to be correctly -# invited to any auto-join rooms which have been set to invite-only (either -# at the time of creation or subsequently). -# -# Note that, if the room already exists, this user must be joined and -# have the appropriate permissions to invite new members. -# -#auto_join_mxid_localpart: system - -# When auto_join_rooms is specified, setting this flag to false prevents -# guest accounts from being automatically joined to the rooms. -# -# Defaults to true. -# -#auto_join_rooms_for_guests: false - - -## Metrics ### - -# Enable collection and rendering of performance metrics -# -enable_metrics: {{ matrix_synapse_metrics_enabled|to_json }} - - -# Enable sentry integration -# NOTE: While attempts are made to ensure that the logs don't contain -# any sensitive information, this cannot be guaranteed. By enabling -# this option the sentry server may therefore receive sensitive -# information, and it in turn may then diseminate sensitive information -# through insecure notification channels if so configured. -# -{% if matrix_synapse_sentry_dsn != "" %} -sentry: - dsn: {{ matrix_synapse_sentry_dsn|to_json }} -{% endif %} - -# Flags to enable Prometheus metrics which are not suitable to be -# enabled by default, either for performance reasons or limited use. -# -metrics_flags: - # Publish synapse_federation_known_servers, a gauge of the number of - # servers this homeserver knows about, including itself. May cause - # performance problems on large homeservers. - # - #known_servers: true - -# Whether or not to report anonymized homeserver usage statistics. -# -report_stats: {{ matrix_synapse_report_stats|to_json }} - -# The endpoint to report the anonymized homeserver usage statistics to. -# Defaults to https://matrix.org/report-usage-stats/push -# -#report_stats_endpoint: https://example.com/report-usage-stats/push - - -## API Configuration ## - -# A list of event types that will be included in the room_invite_state -# -#room_invite_state_types: -# - "m.room.join_rules" -# - "m.room.canonical_alias" -# - "m.room.avatar" -# - "m.room.encryption" -# - "m.room.name" - - -# A list of application service config files to use -# -app_service_config_files: {{ matrix_synapse_app_service_config_files|to_json }} - -# Uncomment to enable tracking of application service IP addresses. Implicitly -# enables MAU tracking for application service users. -# -#track_appservice_user_ips: True - - -# a secret which is used to sign access tokens. If none is specified, -# the registration_shared_secret is used, if one is given; otherwise, -# a secret key is derived from the signing key. -# -macaroon_secret_key: {{ matrix_synapse_macaroon_secret_key|string|to_json }} - -# a secret which is used to calculate HMACs for form values, to stop -# falsification of values. Must be specified for the User Consent -# forms to work. -# -form_secret: {{ matrix_synapse_form_secret|string|to_json }} - -## Signing Keys ## - -# Path to the signing key to sign messages with -# -signing_key_path: "/data/{{ matrix_server_fqn_matrix }}.signing.key" - -# The keys that the server used to sign messages with but won't use -# to sign new messages. -# -old_signing_keys: - # For each key, `key` should be the base64-encoded public key, and - # `expired_ts`should be the time (in milliseconds since the unix epoch) that - # it was last used. - # - # It is possible to build an entry from an old signing.key file using the - # `export_signing_key` script which is provided with synapse. - # - # For example: - # - #"ed25519:id": { key: "base64string", expired_ts: 123456789123 } - -# How long key response published by this server is valid for. -# Used to set the valid_until_ts in /key/v2 APIs. -# Determines how quickly servers will query to check which keys -# are still valid. -# -#key_refresh_interval: 1d - -# The trusted servers to download signing keys from. -# -# When we need to fetch a signing key, each server is tried in parallel. -# -# Normally, the connection to the key server is validated via TLS certificates. -# Additional security can be provided by configuring a `verify key`, which -# will make synapse check that the response is signed by that key. -# -# This setting supercedes an older setting named `perspectives`. The old format -# is still supported for backwards-compatibility, but it is deprecated. -# -# 'trusted_key_servers' defaults to matrix.org, but using it will generate a -# warning on start-up. To suppress this warning, set -# 'suppress_key_server_warning' to true. -# -# Options for each entry in the list include: -# -# server_name: the name of the server. required. -# -# verify_keys: an optional map from key id to base64-encoded public key. -# If specified, we will check that the response is signed by at least -# one of the given keys. -# -# accept_keys_insecurely: a boolean. Normally, if `verify_keys` is unset, -# and federation_verify_certificates is not `true`, synapse will refuse -# to start, because this would allow anyone who can spoof DNS responses -# to masquerade as the trusted key server. If you know what you are doing -# and are sure that your network environment provides a secure connection -# to the key server, you can set this to `true` to override this -# behaviour. -# -# An example configuration might look like: -# -#trusted_key_servers: -# - server_name: "my_trusted_server.example.com" -# verify_keys: -# "ed25519:auto": "abcdefghijklmnopqrstuvwxyzabcdefghijklmopqr" -# - server_name: "my_other_trusted_server.example.com" -# -trusted_key_servers: {{ matrix_synapse_trusted_key_servers|to_json }} - - -# Uncomment the following to disable the warning that is emitted when the -# trusted_key_servers include 'matrix.org'. See above. -# -#suppress_key_server_warning: true - -# The signing keys to use when acting as a trusted key server. If not specified -# defaults to the server signing key. -# -# Can contain multiple keys, one per line. -# -#key_server_signing_keys_path: "key_server_signing_keys.key" - - -## Single sign-on integration ## - -# The following settings can be used to make Synapse use a single sign-on -# provider for authentication, instead of its internal password database. -# -# You will probably also want to set the following options to `false` to -# disable the regular login/registration flows: -# * enable_registration -# * password_config.enabled -# -# You will also want to investigate the settings under the "sso" configuration -# section below. - -# Enable SAML2 for registration and login. Uses pysaml2. -# -# At least one of `sp_config` or `config_path` must be set in this section to -# enable SAML login. -# -# Once SAML support is enabled, a metadata file will be exposed at -# https://:/_matrix/saml2/metadata.xml, which you may be able to -# use to configure your SAML IdP with. Alternatively, you can manually configure -# the IdP to use an ACS location of -# https://:/_matrix/saml2/authn_response. -# -saml2_config: - # `sp_config` is the configuration for the pysaml2 Service Provider. - # See pysaml2 docs for format of config. - # - # Default values will be used for the 'entityid' and 'service' settings, - # so it is not normally necessary to specify them unless you need to - # override them. - # - sp_config: - # Point this to the IdP's metadata. You must provide either a local - # file via the `local` attribute or (preferably) a URL via the - # `remote` attribute. - # - #metadata: - # local: ["saml2/idp.xml"] - # remote: - # - url: https://our_idp/metadata.xml - - # Allowed clock difference in seconds between the homeserver and IdP. - # - # Uncomment the below to increase the accepted time difference from 0 to 3 seconds. - # - #accepted_time_diff: 3 - - # By default, the user has to go to our login page first. If you'd like - # to allow IdP-initiated login, set 'allow_unsolicited: true' in a - # 'service.sp' section: - # - #service: - # sp: - # allow_unsolicited: true - - # The examples below are just used to generate our metadata xml, and you - # may well not need them, depending on your setup. Alternatively you - # may need a whole lot more detail - see the pysaml2 docs! - - #description: ["My awesome SP", "en"] - #name: ["Test SP", "en"] - - #ui_info: - # display_name: - # - lang: en - # text: "Display Name is the descriptive name of your service." - # description: - # - lang: en - # text: "Description should be a short paragraph explaining the purpose of the service." - # information_url: - # - lang: en - # text: "https://example.com/terms-of-service" - # privacy_statement_url: - # - lang: en - # text: "https://example.com/privacy-policy" - # keywords: - # - lang: en - # text: ["Matrix", "Element"] - # logo: - # - lang: en - # text: "https://example.com/logo.svg" - # width: "200" - # height: "80" - - #organization: - # name: Example com - # display_name: - # - ["Example co", "en"] - # url: "http://example.com" - - #contact_person: - # - given_name: Bob - # sur_name: "the Sysadmin" - # email_address": ["admin@example.com"] - # contact_type": technical - - # Instead of putting the config inline as above, you can specify a - # separate pysaml2 configuration file: - # - #config_path: "/data/sp_conf.py" - - # The lifetime of a SAML session. This defines how long a user has to - # complete the authentication process, if allow_unsolicited is unset. - # The default is 15 minutes. - # - #saml_session_lifetime: 5m - - # An external module can be provided here as a custom solution to - # mapping attributes returned from a saml provider onto a matrix user. - # - user_mapping_provider: - # The custom module's class. Uncomment to use a custom module. - # - #module: mapping_provider.SamlMappingProvider - - # Custom configuration values for the module. Below options are - # intended for the built-in provider, they should be changed if - # using a custom module. This section will be passed as a Python - # dictionary to the module's `parse_config` method. - # - config: - # The SAML attribute (after mapping via the attribute maps) to use - # to derive the Matrix ID from. 'uid' by default. - # - # Note: This used to be configured by the - # saml2_config.mxid_source_attribute option. If that is still - # defined, its value will be used instead. - # - #mxid_source_attribute: displayName - - # The mapping system to use for mapping the saml attribute onto a - # matrix ID. - # - # Options include: - # * 'hexencode' (which maps unpermitted characters to '=xx') - # * 'dotreplace' (which replaces unpermitted characters with - # '.'). - # The default is 'hexencode'. - # - # Note: This used to be configured by the - # saml2_config.mxid_mapping option. If that is still defined, its - # value will be used instead. - # - #mxid_mapping: dotreplace - - # In previous versions of synapse, the mapping from SAML attribute to - # MXID was always calculated dynamically rather than stored in a - # table. For backwards- compatibility, we will look for user_ids - # matching such a pattern before creating a new account. - # - # This setting controls the SAML attribute which will be used for this - # backwards-compatibility lookup. Typically it should be 'uid', but if - # the attribute maps are changed, it may be necessary to change it. - # - # The default is 'uid'. - # - #grandfathered_mxid_source_attribute: upn - - # It is possible to configure Synapse to only allow logins if SAML attributes - # match particular values. The requirements can be listed under - # `attribute_requirements` as shown below. All of the listed attributes must - # match for the login to be permitted. - # - #attribute_requirements: - # - attribute: userGroup - # value: "staff" - # - attribute: department - # value: "sales" - - # If the metadata XML contains multiple IdP entities then the `idp_entityid` - # option must be set to the entity to redirect users to. - # - # Most deployments only have a single IdP entity and so should omit this - # option. - # - #idp_entityid: 'https://our_idp/entityid' - - -# Enable OpenID Connect (OIDC) / OAuth 2.0 for registration and login. -# -# See https://github.com/matrix-org/synapse/blob/master/docs/openid.md -# for some example configurations. -# -oidc_config: - # Uncomment the following to enable authorization against an OpenID Connect - # server. Defaults to false. - # - #enabled: true - - # Uncomment the following to disable use of the OIDC discovery mechanism to - # discover endpoints. Defaults to true. - # - #discover: false - - # the OIDC issuer. Used to validate tokens and (if discovery is enabled) to - # discover the provider's endpoints. - # - # Required if 'enabled' is true. - # - #issuer: "https://accounts.example.com/" - - # oauth2 client id to use. - # - # Required if 'enabled' is true. - # - #client_id: "provided-by-your-issuer" - - # oauth2 client secret to use. - # - # Required if 'enabled' is true. - # - #client_secret: "provided-by-your-issuer" - - # auth method to use when exchanging the token. - # Valid values are 'client_secret_basic' (default), 'client_secret_post' and - # 'none'. - # - #client_auth_method: client_secret_post - - # list of scopes to request. This should normally include the "openid" scope. - # Defaults to ["openid"]. - # - #scopes: ["openid", "profile"] - - # the oauth2 authorization endpoint. Required if provider discovery is disabled. - # - #authorization_endpoint: "https://accounts.example.com/oauth2/auth" - - # the oauth2 token endpoint. Required if provider discovery is disabled. - # - #token_endpoint: "https://accounts.example.com/oauth2/token" - - # the OIDC userinfo endpoint. Required if discovery is disabled and the - # "openid" scope is not requested. - # - #userinfo_endpoint: "https://accounts.example.com/userinfo" - - # URI where to fetch the JWKS. Required if discovery is disabled and the - # "openid" scope is used. - # - #jwks_uri: "https://accounts.example.com/.well-known/jwks.json" - - # Uncomment to skip metadata verification. Defaults to false. - # - # Use this if you are connecting to a provider that is not OpenID Connect - # compliant. - # Avoid this in production. - # - #skip_verification: true - - # Whether to fetch the user profile from the userinfo endpoint. Valid - # values are: "auto" or "userinfo_endpoint". - # - # Defaults to "auto", which fetches the userinfo endpoint if "openid" is included - # in `scopes`. Uncomment the following to always fetch the userinfo endpoint. - # - #user_profile_method: "userinfo_endpoint" - - # Uncomment to allow a user logging in via OIDC to match a pre-existing account instead - # of failing. This could be used if switching from password logins to OIDC. Defaults to false. - # - #allow_existing_users: true - - # An external module can be provided here as a custom solution to mapping - # attributes returned from a OIDC provider onto a matrix user. - # - user_mapping_provider: - # The custom module's class. Uncomment to use a custom module. - # Default is 'synapse.handlers.oidc_handler.JinjaOidcMappingProvider'. - # - # See https://github.com/matrix-org/synapse/blob/master/docs/sso_mapping_providers.md#openid-mapping-providers - # for information on implementing a custom mapping provider. - # - #module: mapping_provider.OidcMappingProvider - - # Custom configuration values for the module. This section will be passed as - # a Python dictionary to the user mapping provider module's `parse_config` - # method. - # - # The examples below are intended for the default provider: they should be - # changed if using a custom provider. - # - config: - # name of the claim containing a unique identifier for the user. - # Defaults to `sub`, which OpenID Connect compliant providers should provide. - # - #subject_claim: "sub" - - # Jinja2 template for the localpart of the MXID. - # - # When rendering, this template is given the following variables: - # * user: The claims returned by the UserInfo Endpoint and/or in the ID - # Token - # - # If this is not set, the user will be prompted to choose their - # own username. - # - localpart_template: "{% raw %}{{ user.preferred_username }}{% endraw %}" - - # Jinja2 template for the display name to set on first login. - # - # If unset, no displayname will be set. - # - #display_name_template: "{% raw %}{{ user.given_name }} {{ user.last_name }}{% endraw %}" - - # Jinja2 templates for extra attributes to send back to the client during - # login. - # - # Note that these are non-standard and clients will ignore them without modifications. - # - #extra_attributes: - #birthdate: "{% raw %}{{ user.birthdate }}{% endraw %}" - - - -# Enable Central Authentication Service (CAS) for registration and login. -# -cas_config: - # Uncomment the following to enable authorization against a CAS server. - # Defaults to false. - # - #enabled: true - - # The URL of the CAS authorization endpoint. - # - #server_url: "https://cas-server.com" - - # The public URL of the homeserver. - # - #service_url: "https://homeserver.domain.com:8448" - - # The attribute of the CAS response to use as the display name. - # - # If unset, no displayname will be set. - # - #displayname_attribute: name - - # It is possible to configure Synapse to only allow logins if CAS attributes - # match particular values. All of the keys in the mapping below must exist - # and the values must match the given value. Alternately if the given value - # is None then any value is allowed (the attribute just must exist). - # All of the listed attributes must match for the login to be permitted. - # - #required_attributes: - # userGroup: "staff" - # department: None - - -# Additional settings to use with single-sign on systems such as OpenID Connect, -# SAML2 and CAS. -# -sso: - # A list of client URLs which are whitelisted so that the user does not - # have to confirm giving access to their account to the URL. Any client - # whose URL starts with an entry in the following list will not be subject - # to an additional confirmation step after the SSO login is completed. - # - # WARNING: An entry such as "https://my.client" is insecure, because it - # will also match "https://my.client.evil.site", exposing your users to - # phishing attacks from evil.site. To avoid this, include a slash after the - # hostname: "https://my.client/". - # - # If public_baseurl is set, then the login fallback page (used by clients - # that don't natively support the required login flows) is whitelisted in - # addition to any URLs in this list. - # - # By default, this list is empty. - # - #client_whitelist: - # - https://riot.im/develop - # - https://my.custom.client/ - - # Directory in which Synapse will try to find the template files below. - # If not set, or the files named below are not found within the template - # directory, default templates from within the Synapse package will be used. - # - # Synapse will look for the following templates in this directory: - # - # * HTML page for a confirmation step before redirecting back to the client - # with the login token: 'sso_redirect_confirm.html'. - # - # When rendering, this template is given three variables: - # * redirect_url: the URL the user is about to be redirected to. Needs - # manual escaping (see - # https://jinja.palletsprojects.com/en/2.11.x/templates/#html-escaping). - # - # * display_url: the same as `redirect_url`, but with the query - # parameters stripped. The intention is to have a - # human-readable URL to show to users, not to use it as - # the final address to redirect to. Needs manual escaping - # (see https://jinja.palletsprojects.com/en/2.11.x/templates/#html-escaping). - # - # * server_name: the homeserver's name. - # - # * HTML page which notifies the user that they are authenticating to confirm - # an operation on their account during the user interactive authentication - # process: 'sso_auth_confirm.html'. - # - # When rendering, this template is given the following variables: - # * redirect_url: the URL the user is about to be redirected to. Needs - # manual escaping (see - # https://jinja.palletsprojects.com/en/2.11.x/templates/#html-escaping). - # - # * description: the operation which the user is being asked to confirm - # - # * HTML page shown after a successful user interactive authentication session: - # 'sso_auth_success.html'. - # - # Note that this page must include the JavaScript which notifies of a successful authentication - # (see https://matrix.org/docs/spec/client_server/r0.6.0#fallback). - # - # This template has no additional variables. - # - # * HTML page shown during single sign-on if a deactivated user (according to Synapse's database) - # attempts to login: 'sso_account_deactivated.html'. - # - # This template has no additional variables. - # - # * HTML page to display to users if something goes wrong during the - # OpenID Connect authentication process: 'sso_error.html'. - # - # When rendering, this template is given two variables: - # * error: the technical name of the error - # * error_description: a human-readable message for the error - # - # You can see the default templates at: - # https://github.com/matrix-org/synapse/tree/master/synapse/res/templates - # - #template_dir: "res/templates" - - -# JSON web token integration. The following settings can be used to make -# Synapse JSON web tokens for authentication, instead of its internal -# password database. -# -# Each JSON Web Token needs to contain a "sub" (subject) claim, which is -# used as the localpart of the mxid. -# -# Additionally, the expiration time ("exp"), not before time ("nbf"), -# and issued at ("iat") claims are validated if present. -# -# Note that this is a non-standard login type and client support is -# expected to be non-existent. -# -# See https://github.com/matrix-org/synapse/blob/master/docs/jwt.md. -# -#jwt_config: - # Uncomment the following to enable authorization using JSON web - # tokens. Defaults to false. - # - #enabled: true - - # This is either the private shared secret or the public key used to - # decode the contents of the JSON web token. - # - # Required if 'enabled' is true. - # - #secret: "provided-by-your-issuer" - - # The algorithm used to sign the JSON web token. - # - # Supported algorithms are listed at - # https://pyjwt.readthedocs.io/en/latest/algorithms.html - # - # Required if 'enabled' is true. - # - #algorithm: "provided-by-your-issuer" - - # The issuer to validate the "iss" claim against. - # - # Optional, if provided the "iss" claim will be required and - # validated for all JSON web tokens. - # - #issuer: "provided-by-your-issuer" - - # A list of audiences to validate the "aud" claim against. - # - # Optional, if provided the "aud" claim will be required and - # validated for all JSON web tokens. - # - # Note that if the "aud" claim is included in a JSON web token then - # validation will fail without configuring audiences. - # - #audiences: - # - "provided-by-your-issuer" - - -password_config: - # Uncomment to disable password login - # - #enabled: false - - # Uncomment to disable authentication against the local password - # database. This is ignored if `enabled` is false, and is only useful - # if you have other password_providers. - # - localdb_enabled: {{ matrix_synapse_password_config_localdb_enabled|to_json }} - - # Uncomment and change to a secret random string for extra security. - # DO NOT CHANGE THIS AFTER INITIAL SETUP! - # - pepper: {{ matrix_synapse_password_config_pepper|string|to_json }} - - # Define and enforce a password policy. Each parameter is optional. - # This is an implementation of MSC2000. - # - policy: - # Whether to enforce the password policy. - # Defaults to 'false'. - # - #enabled: true - - # Minimum accepted length for a password. - # Defaults to 0. - # - #minimum_length: 15 - - # Whether a password must contain at least one digit. - # Defaults to 'false'. - # - #require_digit: true - - # Whether a password must contain at least one symbol. - # A symbol is any character that's not a number or a letter. - # Defaults to 'false'. - # - #require_symbol: true - - # Whether a password must contain at least one lowercase letter. - # Defaults to 'false'. - # - #require_lowercase: true - - # Whether a password must contain at least one lowercase letter. - # Defaults to 'false'. - # - #require_uppercase: true - -ui_auth: - # The number of milliseconds to allow a user-interactive authentication - # session to be active. - # - # This defaults to 0, meaning the user is queried for their credentials - # before every action, but this can be overridden to alow a single - # validation to be re-used. This weakens the protections afforded by - # the user-interactive authentication process, by allowing for multiple - # (and potentially different) operations to use the same validation session. - # - # Uncomment below to allow for credential validation to last for 15 - # seconds. - # - #session_timeout: 15000 - - -{% if matrix_synapse_email_enabled %} -# Configuration for sending emails from Synapse. -# -email: - # The hostname of the outgoing SMTP server to use. Defaults to 'localhost'. - # - #smtp_host: mail.server - smtp_host: {{ matrix_synapse_email_smtp_host|string|to_json }} - - # The port on the mail server for outgoing SMTP. Defaults to 25. - # - #smtp_port: 587 - smtp_port: {{ matrix_synapse_email_smtp_port|to_json }} - - # Username/password for authentication to the SMTP server. By default, no - # authentication is attempted. - # - #smtp_user: "exampleusername" - #smtp_pass: "examplepassword" - - # Uncomment the following to require TLS transport security for SMTP. - # By default, Synapse will connect over plain text, and will then switch to - # TLS via STARTTLS *if the SMTP server supports it*. If this option is set, - # Synapse will refuse to connect unless the server supports STARTTLS. - # - #require_transport_security: true - require_transport_security: {{ matrix_synapse_email_smtp_require_transport_security|to_json }} - - # Enable sending emails for messages that the user has missed - # - #enable_notifs: false - enable_notifs: true - - # notif_from defines the "From" address to use when sending emails. - # It must be set if email sending is enabled. - # - # The placeholder '%(app)s' will be replaced by the application name, - # which is normally 'app_name' (below), but may be overridden by the - # Matrix client application. - # - # Note that the placeholder must be written '%(app)s', including the - # trailing 's'. - # - #notif_from: "Your Friendly %(app)s homeserver " - notif_from: {{ matrix_synapse_email_notif_from|string|to_json }} - - # app_name defines the default value for '%(app)s' in notif_from and email - # subjects. It defaults to 'Matrix'. - # - #app_name: my_branded_matrix_server - app_name: Matrix - - # Uncomment the following to disable automatic subscription to email - # notifications for new users. Enabled by default. - # - #notif_for_new_users: false - notif_for_new_users: True - - # Custom URL for client links within the email notifications. By default - # links will be based on "https://matrix.to". - # - # (This setting used to be called riot_base_url; the old name is still - # supported for backwards-compatibility but is now deprecated.) - # - #client_base_url: "http://localhost/riot" - client_base_url: {{ matrix_synapse_email_client_base_url|string|to_json }} - - # Configure the time that a validation email will expire after sending. - # Defaults to 1h. - # - #validation_token_lifetime: 15m - - # Directory in which Synapse will try to find the template files below. - # If not set, or the files named below are not found within the template - # directory, default templates from within the Synapse package will be used. - # - # Synapse will look for the following templates in this directory: - # - # * The contents of email notifications of missed events: 'notif_mail.html' and - # 'notif_mail.txt'. - # - # * The contents of account expiry notice emails: 'notice_expiry.html' and - # 'notice_expiry.txt'. - # - # * The contents of password reset emails sent by the homeserver: - # 'password_reset.html' and 'password_reset.txt' - # - # * An HTML page that a user will see when they follow the link in the password - # reset email. The user will be asked to confirm the action before their - # password is reset: 'password_reset_confirmation.html' - # - # * HTML pages for success and failure that a user will see when they confirm - # the password reset flow using the page above: 'password_reset_success.html' - # and 'password_reset_failure.html' - # - # * The contents of address verification emails sent during registration: - # 'registration.html' and 'registration.txt' - # - # * HTML pages for success and failure that a user will see when they follow - # the link in an address verification email sent during registration: - # 'registration_success.html' and 'registration_failure.html' - # - # * The contents of address verification emails sent when an address is added - # to a Matrix account: 'add_threepid.html' and 'add_threepid.txt' - # - # * HTML pages for success and failure that a user will see when they follow - # the link in an address verification email sent when an address is added - # to a Matrix account: 'add_threepid_success.html' and - # 'add_threepid_failure.html' - # - # You can see the default templates at: - # https://github.com/matrix-org/synapse/tree/master/synapse/res/templates - # - #template_dir: "res/templates" - - # Subjects to use when sending emails from Synapse. - # - # The placeholder '%(app)s' will be replaced with the value of the 'app_name' - # setting above, or by a value dictated by the Matrix client application. - # - # If a subject isn't overridden in this configuration file, the value used as - # its example will be used. - # - #subjects: - - # Subjects for notification emails. - # - # On top of the '%(app)s' placeholder, these can use the following - # placeholders: - # - # * '%(person)s', which will be replaced by the display name of the user(s) - # that sent the message(s), e.g. "Alice and Bob". - # * '%(room)s', which will be replaced by the name of the room the - # message(s) have been sent to, e.g. "My super room". - # - # See the example provided for each setting to see which placeholder can be - # used and how to use them. - # - # Subject to use to notify about one message from one or more user(s) in a - # room which has a name. - #message_from_person_in_room: "[%(app)s] You have a message on %(app)s from %(person)s in the %(room)s room..." - # - # Subject to use to notify about one message from one or more user(s) in a - # room which doesn't have a name. - #message_from_person: "[%(app)s] You have a message on %(app)s from %(person)s..." - # - # Subject to use to notify about multiple messages from one or more users in - # a room which doesn't have a name. - #messages_from_person: "[%(app)s] You have messages on %(app)s from %(person)s..." - # - # Subject to use to notify about multiple messages in a room which has a - # name. - #messages_in_room: "[%(app)s] You have messages on %(app)s in the %(room)s room..." - # - # Subject to use to notify about multiple messages in multiple rooms. - #messages_in_room_and_others: "[%(app)s] You have messages on %(app)s in the %(room)s room and others..." - # - # Subject to use to notify about multiple messages from multiple persons in - # multiple rooms. This is similar to the setting above except it's used when - # the room in which the notification was triggered has no name. - #messages_from_person_and_others: "[%(app)s] You have messages on %(app)s from %(person)s and others..." - # - # Subject to use to notify about an invite to a room which has a name. - #invite_from_person_to_room: "[%(app)s] %(person)s has invited you to join the %(room)s room on %(app)s..." - # - # Subject to use to notify about an invite to a room which doesn't have a - # name. - #invite_from_person: "[%(app)s] %(person)s has invited you to chat on %(app)s..." - - # Subject for emails related to account administration. - # - # On top of the '%(app)s' placeholder, these one can use the - # '%(server_name)s' placeholder, which will be replaced by the value of the - # 'server_name' setting in your Synapse configuration. - # - # Subject to use when sending a password reset email. - #password_reset: "[%(server_name)s] Password reset" - # - # Subject to use when sending a verification email to assert an address's - # ownership. - #email_validation: "[%(server_name)s] Validate your email" -{% endif %} - -# Password providers allow homeserver administrators to integrate -# their Synapse installation with existing authentication methods -# ex. LDAP, external tokens, etc. -# -# For more information and known implementations, please see -# https://github.com/matrix-org/synapse/blob/master/docs/password_auth_providers.md -# -# Note: instances wishing to use SAML or CAS authentication should -# instead use the `saml2_config` or `cas_config` options, -# respectively. -# -# password_providers: -# # Example config for an LDAP auth provider -# - module: "ldap_auth_provider.LdapAuthProvider" -# config: -# enabled: true -# uri: "ldap://ldap.example.com:389" -# start_tls: true -# base: "ou=users,dc=example,dc=com" -# attributes: -# uid: "cn" -# mail: "email" -# name: "givenName" -# #bind_dn: -# #bind_password: -# #filter: "(objectClass=posixAccount)" -{% if matrix_synapse_password_providers_enabled %} -password_providers: -{% if matrix_synapse_ext_password_provider_shared_secret_auth_enabled %} - - module: "shared_secret_authenticator.SharedSecretAuthenticator" - config: - sharedSecret: {{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret|string|to_json }} -{% endif %} -{% if matrix_synapse_ext_password_provider_rest_auth_enabled %} - - module: "rest_auth_provider.RestAuthProvider" - config: - endpoint: {{ matrix_synapse_ext_password_provider_rest_auth_endpoint|string|to_json }} - policy: - registration: - username: - enforceLowercase: {{ matrix_synapse_ext_password_provider_rest_auth_registration_enforce_lowercase }} - profile: - name: {{ matrix_synapse_ext_password_provider_rest_auth_registration_profile_name_autofill }} - login: - profile: - name: {{ matrix_synapse_ext_password_provider_rest_auth_login_profile_name_autofill }} -{% endif %} -{% if matrix_synapse_ext_password_provider_ldap_enabled %} - - module: "ldap_auth_provider.LdapAuthProvider" - config: - enabled: true - uri: {{ matrix_synapse_ext_password_provider_ldap_uri|string|to_json }} - start_tls: {{ matrix_synapse_ext_password_provider_ldap_start_tls|to_json }} - base: {{ matrix_synapse_ext_password_provider_ldap_base|string|to_json }} - attributes: - uid: {{ matrix_synapse_ext_password_provider_ldap_attributes_uid|string|to_json }} - mail: {{ matrix_synapse_ext_password_provider_ldap_attributes_mail|string|to_json }} - name: {{ matrix_synapse_ext_password_provider_ldap_attributes_name|string|to_json }} - bind_dn: {{ matrix_synapse_ext_password_provider_ldap_bind_dn|string|to_json }} - bind_password: {{ matrix_synapse_ext_password_provider_ldap_bind_password|string|to_json }} - filter: {{ matrix_synapse_ext_password_provider_ldap_filter|string|to_json }} -{% endif %} -{% endif %} - - -## Push ## - -push: - # Clients requesting push notifications can either have the body of - # the message sent in the notification poke along with other details - # like the sender, or just the event ID and room ID (`event_id_only`). - # If clients choose the former, this option controls whether the - # notification request includes the content of the event (other details - # like the sender are still included). For `event_id_only` push, it - # has no effect. - # - # For modern android devices the notification content will still appear - # because it is loaded by the app. iPhone, however will send a - # notification saying only that a message arrived and who it came from. - # - # The default value is "true" to include message details. Uncomment to only - # include the event ID and room ID in push notification payloads. - # - include_content: {{ matrix_synapse_push_include_content|to_json }} - - # When a push notification is received, an unread count is also sent. - # This number can either be calculated as the number of unread messages - # for the user, or the number of *rooms* the user has unread messages in. - # - # The default value is "true", meaning push clients will see the number of - # rooms with unread messages in them. Uncomment to instead send the number - # of unread messages. - # - #group_unread_count_by_room: false - - -# Spam checkers are third-party modules that can block specific actions -# of local users, such as creating rooms and registering undesirable -# usernames, as well as remote users by redacting incoming events. -# -# spam_checker: - #- module: "my_custom_project.SuperSpamChecker" - # config: - # example_option: 'things' - #- module: "some_other_project.BadEventStopper" - # config: - # example_stop_events_from: ['@bad:example.com'] -spam_checker: {{ matrix_synapse_spam_checker|to_json }} - - -## Rooms ## - -# Controls whether locally-created rooms should be end-to-end encrypted by -# default. -# -# Possible options are "all", "invite", and "off". They are defined as: -# -# * "all": any locally-created room -# * "invite": any room created with the "private_chat" or "trusted_private_chat" -# room creation presets -# * "off": this option will take no effect -# -# The default value is "off". -# -# Note that this option will only affect rooms created after it is set. It -# will also not affect rooms created by other servers. -# -#encryption_enabled_by_default_for_room_type: invite - - -# Uncomment to allow non-server-admin users to create groups on this server -# -enable_group_creation: {{ matrix_synapse_enable_group_creation|to_json }} - -# If enabled, non server admins can only create groups with local parts -# starting with this prefix -# -#group_creation_prefix: "unofficial_" - - - -# User Directory configuration -# -# 'enabled' defines whether users can search the user directory. If -# false then empty responses are returned to all queries. Defaults to -# true. -# -# 'search_all_users' defines whether to search all users visible to your HS -# when searching the user directory, rather than limiting to users visible -# in public rooms. Defaults to false. If you set it True, you'll have to -# rebuild the user_directory search indexes, see -# https://github.com/matrix-org/synapse/blob/master/docs/user_directory.md -# -#user_directory: -# enabled: true -# search_all_users: false - - -# User Consent configuration -# -# for detailed instructions, see -# https://github.com/matrix-org/synapse/blob/master/docs/consent_tracking.md -# -# Parts of this section are required if enabling the 'consent' resource under -# 'listeners', in particular 'template_dir' and 'version'. -# -# 'template_dir' gives the location of the templates for the HTML forms. -# This directory should contain one subdirectory per language (eg, 'en', 'fr'), -# and each language directory should contain the policy document (named as -# '.html') and a success page (success.html). -# -# 'version' specifies the 'current' version of the policy document. It defines -# the version to be served by the consent resource if there is no 'v' -# parameter. -# -# 'server_notice_content', if enabled, will send a user a "Server Notice" -# asking them to consent to the privacy policy. The 'server_notices' section -# must also be configured for this to work. Notices will *not* be sent to -# guest users unless 'send_server_notice_to_guests' is set to true. -# -# 'block_events_error', if set, will block any attempts to send events -# until the user consents to the privacy policy. The value of the setting is -# used as the text of the error. -# -# 'require_at_registration', if enabled, will add a step to the registration -# process, similar to how captcha works. Users will be required to accept the -# policy before their account is created. -# -# 'policy_name' is the display name of the policy users will see when registering -# for an account. Has no effect unless `require_at_registration` is enabled. -# Defaults to "Privacy Policy". -# -#user_consent: -# template_dir: res/templates/privacy -# version: 1.0 -# server_notice_content: -# msgtype: m.text -# body: >- -# To continue using this homeserver you must review and agree to the -# terms and conditions at %(consent_uri)s -# send_server_notice_to_guests: True -# block_events_error: >- -# To continue using this homeserver you must review and agree to the -# terms and conditions at %(consent_uri)s -# require_at_registration: False -# policy_name: Privacy Policy -# - - - -# Local statistics collection. Used in populating the room directory. -# -# 'bucket_size' controls how large each statistics timeslice is. It can -# be defined in a human readable short form -- e.g. "1d", "1y". -# -# 'retention' controls how long historical statistics will be kept for. -# It can be defined in a human readable short form -- e.g. "1d", "1y". -# -# -#stats: -# enabled: true -# bucket_size: 1d -# retention: 1y - - -# Server Notices room configuration -# -# Uncomment this section to enable a room which can be used to send notices -# from the server to users. It is a special room which cannot be left; notices -# come from a special "notices" user id. -# -# If you uncomment this section, you *must* define the system_mxid_localpart -# setting, which defines the id of the user which will be used to send the -# notices. -# -# It's also possible to override the room name, the display name of the -# "notices" user, and the avatar for the user. -# -#server_notices: -# system_mxid_localpart: notices -# system_mxid_display_name: "Server Notices" -# system_mxid_avatar_url: "mxc://server.com/oumMVlgDnLYFaPVkExemNVVZ" -# room_name: "Server Notices" - - - -# Uncomment to disable searching the public room list. When disabled -# blocks searching local and remote room lists for local and remote -# users by always returning an empty list for all queries. -# -#enable_room_list_search: false - -enable_room_list_search: {{ matrix_synapse_enable_room_list_search|to_json }} - -# The `alias_creation` option controls who's allowed to create aliases -# on this server. -# -# The format of this option is a list of rules that contain globs that -# match against user_id, room_id and the new alias (fully qualified with -# server name). The action in the first rule that matches is taken, -# which can currently either be "allow" or "deny". -# -# Missing user_id/room_id/alias fields default to "*". -# -# If no rules match the request is denied. An empty list means no one -# can create aliases. -# -# Options for the rules include: -# -# user_id: Matches against the creator of the alias -# alias: Matches against the alias being created -# room_id: Matches against the room ID the alias is being pointed at -# action: Whether to "allow" or "deny" the request if the rule matches -# -# The default is: -# -#alias_creation_rules: -# - user_id: "*" -# alias: "*" -# room_id: "*" -# action: allow - -alias_creation_rules: {{ matrix_synapse_alias_creation_rules|to_json }} - -# The `room_list_publication_rules` option controls who can publish and -# which rooms can be published in the public room list. -# -# The format of this option is the same as that for -# `alias_creation_rules`. -# -# If the room has one or more aliases associated with it, only one of -# the aliases needs to match the alias rule. If there are no aliases -# then only rules with `alias: *` match. -# -# If no rules match the request is denied. An empty list means no one -# can publish rooms. -# -# Options for the rules include: -# -# user_id: Matches against the creator of the alias -# room_id: Matches against the room ID being published -# alias: Matches against any current local or canonical aliases -# associated with the room -# action: Whether to "allow" or "deny" the request if the rule matches -# -# The default is: -# -#room_list_publication_rules: -# - user_id: "*" -# alias: "*" -# room_id: "*" -# action: allow - -room_list_publication_rules: {{ matrix_synapse_room_list_publication_rules|to_json }} - - -# Server admins can define a Python module that implements extra rules for -# allowing or denying incoming events. In order to work, this module needs to -# override the methods defined in synapse/events/third_party_rules.py. -# -# This feature is designed to be used in closed federations only, where each -# participating server enforces the same rules. -# -#third_party_event_rules: -# module: "my_custom_project.SuperRulesSet" -# config: -# example_option: 'things' - - -## Opentracing ## - -# These settings enable opentracing, which implements distributed tracing. -# This allows you to observe the causal chains of events across servers -# including requests, key lookups etc., across any server running -# synapse or any other other services which supports opentracing -# (specifically those implemented with Jaeger). -# -opentracing: - # tracing is disabled by default. Uncomment the following line to enable it. - # - #enabled: true - - # The list of homeservers we wish to send and receive span contexts and span baggage. - # See docs/opentracing.rst - # This is a list of regexes which are matched against the server_name of the - # homeserver. - # - # By default, it is empty, so no servers are matched. - # - #homeserver_whitelist: - # - ".*" - - # Jaeger can be configured to sample traces at different rates. - # All configuration options provided by Jaeger can be set here. - # Jaeger's configuration mostly related to trace sampling which - # is documented here: - # https://www.jaegertracing.io/docs/1.13/sampling/. - # - #jaeger_config: - # sampler: - # type: const - # param: 1 - - # Logging whether spans were started and reported - # - # logging: - # false - - -## Workers ## - -# Disables sending of outbound federation transactions on the main process. -# Uncomment if using a federation sender worker. -# -#send_federation: false - -# It is possible to run multiple federation sender workers, in which case the -# work is balanced across them. -# -# This configuration must be shared between all federation sender workers, and if -# changed all federation sender workers must be stopped at the same time and then -# started, to ensure that all instances are running with the same config (otherwise -# events may be dropped). -# -#federation_sender_instances: -# - federation_sender1 - -# When using workers this should be a map from `worker_name` to the -# HTTP replication listener of the worker, if configured. -# -#instance_map: -# worker1: -# host: localhost -# port: 8034 - -# Experimental: When using workers you can define which workers should -# handle event persistence and typing notifications. Any worker -# specified here must also be in the `instance_map`. -# -#stream_writers: -# events: worker1 -# typing: worker1 - -# The worker that is used to run background tasks (e.g. cleaning up expired -# data). If not provided this defaults to the main process. -# -#run_background_tasks_on: worker1 - -# A shared secret used by the replication APIs to authenticate HTTP requests -# from workers. -# -# By default this is unused and traffic is not authenticated. -# -#worker_replication_secret: "" - - -# Configuration for Redis when using workers. This *must* be enabled when -# using workers (unless using old style direct TCP configuration). -# -redis: - # Uncomment the below to enable Redis support. - # - #enabled: true - - # Optional host and port to use to connect to redis. Defaults to - # localhost and 6379 - # - #host: localhost - #port: 6379 - - # Optional password if configured on the Redis instance - # - #password: - -# vim:ft=yaml diff --git a/roles/matrix-dendrite/templates/goofys/env-goofys.j2 b/roles/matrix-dendrite/templates/goofys/env-goofys.j2 deleted file mode 100644 index 2955efdd..00000000 --- a/roles/matrix-dendrite/templates/goofys/env-goofys.j2 +++ /dev/null @@ -1,3 +0,0 @@ -#jinja2: lstrip_blocks: "True" -AWS_ACCESS_KEY={{ matrix_s3_media_store_aws_access_key }} -AWS_SECRET_KEY={{ matrix_s3_media_store_aws_secret_key }} diff --git a/roles/matrix-dendrite/templates/goofys/systemd/matrix-goofys.service.j2 b/roles/matrix-dendrite/templates/goofys/systemd/matrix-goofys.service.j2 deleted file mode 100644 index 44ec3d4a..00000000 --- a/roles/matrix-dendrite/templates/goofys/systemd/matrix-goofys.service.j2 +++ /dev/null @@ -1,39 +0,0 @@ -#jinja2: lstrip_blocks: "True" -[Unit] -Description=Matrix Goofys media store -After=docker.service -Requires=docker.service -DefaultDependencies=no - -[Service] -Type=simple -Environment="HOME={{ matrix_systemd_unit_home_path }}" -ExecStartPre=-{{ matrix_host_command_docker }} kill %n -ExecStartPre=-{{ matrix_host_command_docker }} rm %n - -ExecStart={{ matrix_host_command_docker }} run --rm --name %n \ - --log-driver=none \ - --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ - --mount type=bind,src=/etc/passwd,dst=/etc/passwd,ro \ - --mount type=bind,src=/etc/group,dst=/etc/group,ro \ - --mount type=bind,src={{ matrix_dendrite_media_store_path }},dst=/s3,bind-propagation=shared \ - --security-opt apparmor:unconfined \ - --cap-add mknod \ - --cap-add sys_admin \ - --device=/dev/fuse \ - --env-file={{ matrix_dendrite_config_dir_path }}/env-goofys \ - --entrypoint /bin/sh \ - {{ matrix_s3_goofys_docker_image }} \ - -c 'goofys -f{% if not matrix_s3_media_store_custom_endpoint_enabled %} --storage-class=STANDARD_IA{% endif %}{% if matrix_s3_media_store_custom_endpoint_enabled %} --endpoint={{ matrix_s3_media_store_custom_endpoint }}{% endif %} --region {{ matrix_s3_media_store_region }} --stat-cache-ttl 60m0s --type-cache-ttl 60m0s --dir-mode 0700 --file-mode 0700 {{ matrix_s3_media_store_bucket_name }} /s3' - -TimeoutStartSec=5min -ExecStop=-{{ matrix_host_command_docker }} stop %n -ExecStop=-{{ matrix_host_command_docker }} kill %n -ExecStop=-{{ matrix_host_command_docker }} rm %n -ExecStop=-{{ matrix_host_command_fusermount }} -u {{ matrix_dendrite_media_store_path }} -Restart=always -RestartSec=5 -SyslogIdentifier=matrix-goofys - -[Install] -WantedBy=multi-user.target From 265d0485979dde74511dc89387b4146d23188353 Mon Sep 17 00:00:00 2001 From: Aaron Raimist Date: Sun, 31 Jan 2021 01:33:19 -0600 Subject: [PATCH 22/71] Upgrade Dendrite (0.3.6 -> 0.3.8) --- roles/matrix-dendrite/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-dendrite/defaults/main.yml b/roles/matrix-dendrite/defaults/main.yml index d231553e..ab472be5 100644 --- a/roles/matrix-dendrite/defaults/main.yml +++ b/roles/matrix-dendrite/defaults/main.yml @@ -5,7 +5,7 @@ matrix_dendrite_enabled: false matrix_dendrite_docker_image: "{{ matrix_dendrite_docker_image_name_prefix }}matrixdotorg/dendrite-monolith:{{ matrix_dendrite_docker_image_tag }}" matrix_dendrite_docker_image_name_prefix: "docker.io/" -matrix_dendrite_docker_image_tag: "v0.3.6" +matrix_dendrite_docker_image_tag: "v0.3.8" matrix_dendrite_docker_image_force_pull: "{{ matrix_dendrite_docker_image.endswith(':latest') }}" matrix_dendrite_base_path: "{{ matrix_base_data_path }}/dendrite" From cde2504966ae50c33c8896fbb4ea6f2c4418db07 Mon Sep 17 00:00:00 2001 From: "Jip J. Dekker" Date: Thu, 11 Feb 2021 13:25:56 +1100 Subject: [PATCH 23/71] Upgrade Dendrite (0.3.8 -> 0.3.9) --- roles/matrix-dendrite/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-dendrite/defaults/main.yml b/roles/matrix-dendrite/defaults/main.yml index ab472be5..d6dd7910 100644 --- a/roles/matrix-dendrite/defaults/main.yml +++ b/roles/matrix-dendrite/defaults/main.yml @@ -5,7 +5,7 @@ matrix_dendrite_enabled: false matrix_dendrite_docker_image: "{{ matrix_dendrite_docker_image_name_prefix }}matrixdotorg/dendrite-monolith:{{ matrix_dendrite_docker_image_tag }}" matrix_dendrite_docker_image_name_prefix: "docker.io/" -matrix_dendrite_docker_image_tag: "v0.3.8" +matrix_dendrite_docker_image_tag: "v0.3.9" matrix_dendrite_docker_image_force_pull: "{{ matrix_dendrite_docker_image.endswith(':latest') }}" matrix_dendrite_base_path: "{{ matrix_base_data_path }}/dendrite" From 953a9ac7188d39e05f477efa98201900f6b800b9 Mon Sep 17 00:00:00 2001 From: "Jip J. Dekker" Date: Tue, 6 Apr 2021 09:56:34 +1000 Subject: [PATCH 24/71] Upgrade Dendrite (0.3.9 -> 0.3.11) --- roles/matrix-dendrite/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-dendrite/defaults/main.yml b/roles/matrix-dendrite/defaults/main.yml index d6dd7910..4f7f6a92 100644 --- a/roles/matrix-dendrite/defaults/main.yml +++ b/roles/matrix-dendrite/defaults/main.yml @@ -5,7 +5,7 @@ matrix_dendrite_enabled: false matrix_dendrite_docker_image: "{{ matrix_dendrite_docker_image_name_prefix }}matrixdotorg/dendrite-monolith:{{ matrix_dendrite_docker_image_tag }}" matrix_dendrite_docker_image_name_prefix: "docker.io/" -matrix_dendrite_docker_image_tag: "v0.3.9" +matrix_dendrite_docker_image_tag: "v0.3.11" matrix_dendrite_docker_image_force_pull: "{{ matrix_dendrite_docker_image.endswith(':latest') }}" matrix_dendrite_base_path: "{{ matrix_base_data_path }}/dendrite" From ccd3dc7a573ad136ecfad1b386fafadc64281213 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 27 Oct 2021 14:14:21 +0300 Subject: [PATCH 25/71] Remove Dendrite file logging We refrain from logging to files for all components, because we rely on systemd-journald anyway. --- roles/matrix-dendrite/defaults/main.yml | 4 ---- .../tasks/dendrite/setup_install.yml | 8 ------- .../templates/dendrite/dendrite.yaml.j2 | 22 ++++++++----------- .../systemd/matrix-dendrite.service.j2 | 1 - .../matrix-dendrite-create-account.j2 | 2 +- 5 files changed, 10 insertions(+), 27 deletions(-) diff --git a/roles/matrix-dendrite/defaults/main.yml b/roles/matrix-dendrite/defaults/main.yml index 4f7f6a92..1d80e0b0 100644 --- a/roles/matrix-dendrite/defaults/main.yml +++ b/roles/matrix-dendrite/defaults/main.yml @@ -53,10 +53,6 @@ matrix_dendrite_max_file_size_bytes: 10485760 # The tmpfs at /tmp needs to be large enough to handle multiple concurrent file uploads. matrix_dendrite_tmp_directory_size_mb: 500 -# Log levels -matrix_dendrite_log_level: "warning" -matrix_dendrite_log_path: "/var/log/dendrite" - # Rate limits matrix_dendrite_rate_limiting_enabled: true matrix_dendrite_rate_limiting_threshold: 5 diff --git a/roles/matrix-dendrite/tasks/dendrite/setup_install.yml b/roles/matrix-dendrite/tasks/dendrite/setup_install.yml index 182b6c1c..2752d51e 100644 --- a/roles/matrix-dendrite/tasks/dendrite/setup_install.yml +++ b/roles/matrix-dendrite/tasks/dendrite/setup_install.yml @@ -17,14 +17,6 @@ group: "{{ matrix_user_groupname }}" when: "not local_path_media_store_stat.failed and not local_path_media_store_stat.stat.exists" -- name: Ensure Dendrite log path exists - file: - path: "{{ matrix_dendrite_log_path }}" - state: directory - mode: 0644 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - - name: Ensure Dendrite Docker image is pulled docker_image: name: "{{ matrix_dendrite_docker_image }}" diff --git a/roles/matrix-dendrite/templates/dendrite/dendrite.yaml.j2 b/roles/matrix-dendrite/templates/dendrite/dendrite.yaml.j2 index 2ec6c088..5a127fb7 100644 --- a/roles/matrix-dendrite/templates/dendrite/dendrite.yaml.j2 +++ b/roles/matrix-dendrite/templates/dendrite/dendrite.yaml.j2 @@ -6,7 +6,7 @@ # # At a minimum, to get started, you will need to update the settings in the # "global" section for your deployment, and you will need to check that the -# database "connection_string" line in each component section is correct. +# database "connection_string" line in each component section is correct. # # Each component with a "database" section can accept the following formats # for "connection_string": @@ -21,13 +21,13 @@ # small number of users and likely will perform worse still with a higher volume # of users. # -# The "max_open_conns" and "max_idle_conns" settings configure the maximum +# The "max_open_conns" and "max_idle_conns" settings configure the maximum # number of open/idle database connections. The value 0 will use the database # engine default, and a negative value will use unlimited connections. The # "conn_max_lifetime" option controls the maximum length of time a database # connection can be idle in seconds - a negative value is unlimited. -# The version of the configuration file. +# The version of the configuration file. version: 1 # Global Matrix configuration. This configuration applies to all components. @@ -133,13 +133,13 @@ client_api: # Whether to require reCAPTCHA for registration. enable_registration_captcha: {{ matrix_dendrite_enable_registration_captcha|to_json }} - # Settings for ReCAPTCHA. + # Settings for ReCAPTCHA. recaptcha_public_key: {{ matrix_dendrite_recaptcha_public_key|to_json }} recaptcha_private_key: {{ matrix_dendrite_recaptcha_private_key|to_json }} recaptcha_bypass_secret: "" recaptcha_siteverify_api: "" - # TURN server information that this homeserver should send to clients. + # TURN server information that this homeserver should send to clients. turn: turn_user_lifetime: "" turn_uris: {{ matrix_dendrite_turn_uris|to_json }} @@ -148,7 +148,7 @@ client_api: turn_password: "" # Settings for rate-limited endpoints. Rate limiting will kick in after the - # threshold number of "slots" have been taken by requests from a specific + # threshold number of "slots" have been taken by requests from a specific # host. Each "slot" will be released after the cooloff time in milliseconds. rate_limiting: enabled: {{ matrix_dendrite_rate_limiting_enabled|to_json }} @@ -192,7 +192,7 @@ federation_sender: # Disable the validation of TLS certificates of remote federated homeservers. Do not # enable this option in production as it presents a security risk! - disable_tls_validation: {{ matrix_dendrite_disable_tls_validation }} + disable_tls_validation: {{ matrix_dendrite_disable_tls_validation }} # Use the following proxy server for outbound federation traffic. proxy_outbound: @@ -282,7 +282,7 @@ signing_key_server: public_key: Noi6WqcDj0QmPxCNQqgezwTlBKrfqehY1u2FyWP9uYw - key_id: ed25519:a_RXGa public_key: l8Hft5qXKn1vfHrg3p4+W8gELQVo8N13JkluMfmn2sQ - + # This option will control whether Dendrite will prefer to look up keys directly # or whether it should try perspective servers first, using direct fetches as a # last resort. @@ -335,8 +335,4 @@ tracing: # Logging configuration, in addition to the standard logging that is sent to # stdout by Dendrite. -logging: -- type: file - level: {{ matrix_dendrite_log_level }} - params: - path: /var/log/dendrite +logging: [] diff --git a/roles/matrix-dendrite/templates/dendrite/systemd/matrix-dendrite.service.j2 b/roles/matrix-dendrite/templates/dendrite/systemd/matrix-dendrite.service.j2 index 66a7c1f8..b41f6c2c 100644 --- a/roles/matrix-dendrite/templates/dendrite/systemd/matrix-dendrite.service.j2 +++ b/roles/matrix-dendrite/templates/dendrite/systemd/matrix-dendrite.service.j2 @@ -37,7 +37,6 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-dendrite \ {% endif %} --mount type=bind,src={{ matrix_dendrite_config_dir_path }},dst=/data,ro \ --mount type=bind,src={{ matrix_dendrite_storage_path }},dst=/matrix-media-store-parent,bind-propagation=slave \ - --mount type=bind,src={{ matrix_dendrite_log_path }},dst=/var/log/dendrite,bind-propagation=slave \ {% for volume in matrix_dendrite_container_additional_volumes %} -v {{ volume.src }}:{{ volume.dst }}:{{ volume.options }} \ {% endfor %} diff --git a/roles/matrix-dendrite/templates/dendrite/usr-local-bin/matrix-dendrite-create-account.j2 b/roles/matrix-dendrite/templates/dendrite/usr-local-bin/matrix-dendrite-create-account.j2 index ebacb681..d9572ac7 100644 --- a/roles/matrix-dendrite/templates/dendrite/usr-local-bin/matrix-dendrite-create-account.j2 +++ b/roles/matrix-dendrite/templates/dendrite/usr-local-bin/matrix-dendrite-create-account.j2 @@ -9,4 +9,4 @@ fi user=$1 password=$2 -docker exec matrix-dendrite create-account --config /data/dendrite.yaml --user "$user" --password "$password" +docker exec matrix-dendrite create-account --config /data/dendrite.yaml --user "$user" --password "$password" From 5b148921a026d72c92ab6e81d83d345926ba0e7b Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 27 Oct 2021 15:06:29 +0300 Subject: [PATCH 26/71] Upgrade Dendrite (0.3.11 -> 0.5.0) and update configuration This brings dendrite.yaml up to date and cleans things up a bit. --- group_vars/matrix_servers | 8 +- roles/matrix-dendrite/defaults/main.yml | 9 ++- .../tasks/dendrite/setup_install.yml | 2 +- .../matrix-dendrite/tasks/validate_config.yml | 3 +- .../templates/dendrite/dendrite.yaml.j2 | 73 ++++++++++++++++--- 5 files changed, 77 insertions(+), 18 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 18351f32..51d7dee4 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -1548,6 +1548,10 @@ matrix_postgres_additional_databases: | 'name': matrix_dendrite_device_database, 'username': matrix_dendrite_database_user, 'password': matrix_dendrite_database_password, + },{ + 'name': matrix_dendrite_mscs_database, + 'username': matrix_dendrite_database_user, + 'password': matrix_dendrite_database_password, }] if (matrix_dendrite_enabled and matrix_dendrite_database_hostname == 'matrix-postgres') else []) + ([{ @@ -2184,7 +2188,9 @@ matrix_dendrite_container_client_api_host_bind_port: "{{ '' if matrix_nginx_prox # For exposing the Matrix Federation API's TLS port (HTTPS) to the internet on all network interfaces. matrix_dendrite_container_federation_api_tls_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else matrix_federation_public_port }}" -matrix_dendrite_database_password: "{{ matrix_dendrite_macaroon_secret_key | password_hash('sha512', 'dendrite.db') | to_uuid }}" +matrix_dendrite_registration_shared_secret: "{{ matrix_dendrite_generic_secret_key | password_hash('sha512', 'dendrite.rss') | to_uuid }}" + +matrix_dendrite_database_password: "{{ matrix_dendrite_generic_secret_key | password_hash('sha512', 'dendrite.db') | to_uuid }}" # Even if TURN doesn't support TLS (it does by default), # it doesn't hurt to try a secure connection anyway. diff --git a/roles/matrix-dendrite/defaults/main.yml b/roles/matrix-dendrite/defaults/main.yml index 1d80e0b0..e8e307ed 100644 --- a/roles/matrix-dendrite/defaults/main.yml +++ b/roles/matrix-dendrite/defaults/main.yml @@ -5,7 +5,7 @@ matrix_dendrite_enabled: false matrix_dendrite_docker_image: "{{ matrix_dendrite_docker_image_name_prefix }}matrixdotorg/dendrite-monolith:{{ matrix_dendrite_docker_image_tag }}" matrix_dendrite_docker_image_name_prefix: "docker.io/" -matrix_dendrite_docker_image_tag: "v0.3.11" +matrix_dendrite_docker_image_tag: "v0.5.0" matrix_dendrite_docker_image_force_pull: "{{ matrix_dendrite_docker_image.endswith(':latest') }}" matrix_dendrite_base_path: "{{ matrix_base_data_path }}/dendrite" @@ -43,10 +43,10 @@ matrix_dendrite_systemd_wanted_services_list: [] # matrix_dendrite_template_dendrite_config: "{{ playbook_dir }}/inventory/host_vars//dendrite.yaml.j2" matrix_dendrite_template_dendrite_config: "{{ role_path }}/templates/dendrite/dendrite.yaml.j2" -matrix_dendrite_macaroon_secret_key: "" -matrix_dendrite_registration_shared_secret: "{{ matrix_dendrite_macaroon_secret_key }}" +# A secret used to derive various other secrets +matrix_dendrite_generic_secret_key: '' +matrix_dendrite_registration_shared_secret: '' matrix_dendrite_allow_guest_access: false -matrix_dendrite_form_secret: "{{ matrix_dendrite_macaroon_secret_key }}" matrix_dendrite_max_file_size_bytes: 10485760 @@ -101,6 +101,7 @@ matrix_dendrite_singingkeyserver_database: "dendrite_sigingkeyserver" matrix_dendrite_syncapi_database: "dendrite_syncapi" matrix_dendrite_account_database: "dendrite_account" matrix_dendrite_device_database: "dendrite_device" +matrix_dendrite_mscs_database: "dendrite_mscs" matrix_dendrite_turn_uris: [] matrix_dendrite_turn_shared_secret: "" diff --git a/roles/matrix-dendrite/tasks/dendrite/setup_install.yml b/roles/matrix-dendrite/tasks/dendrite/setup_install.yml index 2752d51e..2e319e17 100644 --- a/roles/matrix-dendrite/tasks/dendrite/setup_install.yml +++ b/roles/matrix-dendrite/tasks/dendrite/setup_install.yml @@ -36,7 +36,7 @@ command: | docker run --rm - --name=matrix-config + --name=matrix-dendrite-config --entrypoint=generate-keys --mount type=bind,src={{ matrix_dendrite_config_dir_path }},dst=/data {{ matrix_dendrite_docker_image }} --private-key=/data/{{ matrix_server_fqn_matrix }}.signing.pem diff --git a/roles/matrix-dendrite/tasks/validate_config.yml b/roles/matrix-dendrite/tasks/validate_config.yml index 8c7ee4d2..9e7db426 100644 --- a/roles/matrix-dendrite/tasks/validate_config.yml +++ b/roles/matrix-dendrite/tasks/validate_config.yml @@ -5,7 +5,8 @@ You need to define a required configuration setting (`{{ item }}`) for using Dendrite. when: "vars[item] == ''" with_items: - - "matrix_dendrite_macaroon_secret_key" + - "matrix_dendrite_generic_secret_key" + - "matrix_dendrite_registration_shared_secret" - name: (Deprecation) Catch and report renamed settings fail: diff --git a/roles/matrix-dendrite/templates/dendrite/dendrite.yaml.j2 b/roles/matrix-dendrite/templates/dendrite/dendrite.yaml.j2 index 5a127fb7..f5744dd5 100644 --- a/roles/matrix-dendrite/templates/dendrite/dendrite.yaml.j2 +++ b/roles/matrix-dendrite/templates/dendrite/dendrite.yaml.j2 @@ -33,9 +33,11 @@ version: 1 # Global Matrix configuration. This configuration applies to all components. global: # The domain name of this homeserver. - server_name: {{ matrix_domain }} + server_name: {{ matrix_domain|to_json }} # The path to the signing private key file, used to sign requests and events. + # Note that this is NOT the same private key as used for TLS! To generate a + # signing key, use "./bin/generate-keys --private-key matrix_key.pem". private_key: "/data/{{ matrix_server_fqn_matrix }}.signing.pem" # The paths and expiry timestamps (as a UNIX timestamp in millisecond precision) @@ -52,16 +54,23 @@ global: # considered valid by other homeservers. key_validity_period: 168h0m0s + # The server name to delegate server-server communications to, with optional port + # e.g. localhost:443 + well_known_server_name: "" + # Lists of domains that the server will trust as identity servers to verify third # party identifiers such as phone numbers and email addresses. trusted_third_party_id_servers: {{ matrix_dendrite_trusted_id_servers|to_json }} + # Disables federation. Dendrite will not be able to make any outbound HTTP requests + # to other servers and the federation API will not be exposed. + disable_federation: false + # Configuration for Kafka/Naffka. kafka: # List of Kafka broker addresses to connect to. This is not needed if using # Naffka in monolith mode. - addresses: - - kafka:9092 + addresses: [] # The prefix to use for Kafka topic names for this homeserver. Change this only if # you are running more than one Dendrite homeserver on the same Kafka deployment. @@ -72,6 +81,12 @@ global: # Kafka. use_naffka: true + # The max size a Kafka message is allowed to use. + # You only need to change this value, if you encounter issues with too large messages. + # Must be less than/equal to "max.message.bytes" configured in Kafka. + # Defaults to 8388608 bytes. + # max_message_bytes: 8388608 + # Naffka database options. Not required when using Kafka. naffka_database: connection_string: {{ matrix_dendrite_database_str }}/{{ matrix_dendrite_naffka_database }}?sslmode=disable @@ -82,12 +97,12 @@ global: # Configuration for Prometheus metric collection. metrics: # Whether or not Prometheus metrics are enabled. - enabled: {{ matrix_dendrite_metrics_enabled }} + enabled: {{ matrix_dendrite_metrics_enabled|to_json }} # HTTP basic authentication to protect access to monitoring. basic_auth: - username: {{ matrix_dendrite_metrics_username }} - password: {{ matrix_dendrite_metrics_password }} + username: {{ matrix_dendrite_metrics_username|to_json }} + password: {{ matrix_dendrite_metrics_password|to_json }} # DNS cache options. The DNS cache may reduce the load on DNS servers # if there is no local caching resolver available for use. @@ -98,7 +113,7 @@ global: # Maximum number of entries to hold in the DNS cache, and # for how long those items should be considered valid in seconds. cache_size: 256 - cache_lifetime: 300 + cache_lifetime: "5m" # 5minutes; see https://pkg.go.dev/time@master#ParseDuration for more # Configuration for the Appservice API. app_service_api: @@ -111,6 +126,11 @@ app_service_api: max_idle_conns: 2 conn_max_lifetime: -1 + # Disable the validation of TLS certificates of appservices. This is + # not recommended in production since it may allow appservice traffic + # to be sent to an unverified endpoint. + disable_tls_validation: false + # Appservice configuration files to load into this homeserver. config_files: {{ matrix_dendrite_app_service_config_files|to_json }} @@ -192,7 +212,7 @@ federation_sender: # Disable the validation of TLS certificates of remote federated homeservers. Do not # enable this option in production as it presents a security risk! - disable_tls_validation: {{ matrix_dendrite_disable_tls_validation }} + disable_tls_validation: {{ matrix_dendrite_disable_tls_validation|to_json }} # Use the following proxy server for outbound federation traffic. proxy_outbound: @@ -229,8 +249,9 @@ media_api: base_path: "/matrix-media-store-parent/{{ matrix_dendrite_media_store_directory_name }}" # The maximum allowed file size (in bytes) for media uploads to this homeserver - # (0 = unlimited). - max_file_size_bytes: {{ matrix_dendrite_max_file_size_bytes }} + # (0 = unlimited). If using a reverse proxy, ensure it allows requests at + # least this large (e.g. client_max_body_size in nginx.) + max_file_size_bytes: {{ matrix_dendrite_max_file_size_bytes|to_json }} # Whether to dynamically generate thumbnails if needed. dynamic_thumbnails: false @@ -250,6 +271,19 @@ media_api: height: 480 method: scale +# Configuration for experimental MSC's +mscs: + # A list of enabled MSC's + # Currently valid values are: + # - msc2836 (Threading, see https://github.com/matrix-org/matrix-doc/pull/2836) + # - msc2946 (Spaces Summary, see https://github.com/matrix-org/matrix-doc/pull/2946) + mscs: [] + database: + connection_string: {{ matrix_dendrite_database_str }}/{{ matrix_dendrite_mscs_database }}?sslmode=disable + max_open_conns: 5 + max_idle_conns: 2 + conn_max_lifetime: -1 + # Configuration for the Room Server. room_server: internal_api: @@ -261,7 +295,7 @@ room_server: max_idle_conns: 2 conn_max_lifetime: -1 -# Configuration for the Server Key API (for server signing keys). +# Configuration for the Signing Key Server (for server signing keys). signing_key_server: internal_api: listen: http://0.0.0.0:7780 @@ -301,8 +335,20 @@ sync_api: max_idle_conns: 2 conn_max_lifetime: -1 + # This option controls which HTTP header to inspect to find the real remote IP + # address of the client. This is likely required if Dendrite is running behind + # a reverse proxy server. + # real_ip_header: X-Real-IP + # Configuration for the User API. user_api: + # The cost when hashing passwords on registration/login. Default: 10. Min: 4, Max: 31 + # See https://pkg.go.dev/golang.org/x/crypto/bcrypt for more information. + # Setting this lower makes registration/login consume less CPU resources at the cost of security + # should the database be compromised. Setting this higher makes registration/login consume more + # CPU resources but makes it harder to brute force password hashes. + # This value can be low if performing tests or on embedded Dendrite instances (e.g WASM builds) + # bcrypt_cost: 10 internal_api: listen: http://0.0.0.0:7781 connect: http://user_api:7781 @@ -316,6 +362,11 @@ user_api: max_open_conns: 10 max_idle_conns: 2 conn_max_lifetime: -1 + # The length of time that a token issued for a relying party from + # /_matrix/client/r0/user/{userId}/openid/request_token endpoint + # is considered to be valid in milliseconds. + # The default lifetime is 3600000ms (60 minutes). + # openid_token_lifetime_ms: 3600000 # Configuration for Opentracing. # See https://github.com/matrix-org/dendrite/tree/master/docs/tracing for information on From b2b62b722154c921bfb114a5dffc999149725d9c Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 1 Nov 2021 17:51:05 +0200 Subject: [PATCH 27/71] Add a variable to control Dendrite's disable_federation setting --- roles/matrix-dendrite/defaults/main.yml | 4 ++++ roles/matrix-dendrite/templates/dendrite/dendrite.yaml.j2 | 2 +- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/roles/matrix-dendrite/defaults/main.yml b/roles/matrix-dendrite/defaults/main.yml index e8e307ed..61e5f710 100644 --- a/roles/matrix-dendrite/defaults/main.yml +++ b/roles/matrix-dendrite/defaults/main.yml @@ -114,6 +114,10 @@ matrix_dendrite_trusted_id_servers: - "matrix.org" - "vector.im" +# Controls whether Dendrite will federate at all. +# Disable this to completely isolate your server from the rest of the Matrix network. +matrix_dendrite_disable_federation: false + # Default Dendrite configuration template which covers the generic use case. # You can customize it by controlling the various variables inside it. # diff --git a/roles/matrix-dendrite/templates/dendrite/dendrite.yaml.j2 b/roles/matrix-dendrite/templates/dendrite/dendrite.yaml.j2 index f5744dd5..2559be15 100644 --- a/roles/matrix-dendrite/templates/dendrite/dendrite.yaml.j2 +++ b/roles/matrix-dendrite/templates/dendrite/dendrite.yaml.j2 @@ -64,7 +64,7 @@ global: # Disables federation. Dendrite will not be able to make any outbound HTTP requests # to other servers and the federation API will not be exposed. - disable_federation: false + disable_federation: {{ matrix_dendrite_disable_federation|to_json }} # Configuration for Kafka/Naffka. kafka: From 63968cb04f5c375ff3e2e13417bcb5b2e31cb919 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 17 Dec 2021 17:17:34 +0200 Subject: [PATCH 28/71] Upgrade Dendrite (0.5.0 -> 0.5.1) --- roles/matrix-dendrite/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-dendrite/defaults/main.yml b/roles/matrix-dendrite/defaults/main.yml index 61e5f710..1c1e7596 100644 --- a/roles/matrix-dendrite/defaults/main.yml +++ b/roles/matrix-dendrite/defaults/main.yml @@ -5,7 +5,7 @@ matrix_dendrite_enabled: false matrix_dendrite_docker_image: "{{ matrix_dendrite_docker_image_name_prefix }}matrixdotorg/dendrite-monolith:{{ matrix_dendrite_docker_image_tag }}" matrix_dendrite_docker_image_name_prefix: "docker.io/" -matrix_dendrite_docker_image_tag: "v0.5.0" +matrix_dendrite_docker_image_tag: "v0.5.1" matrix_dendrite_docker_image_force_pull: "{{ matrix_dendrite_docker_image.endswith(':latest') }}" matrix_dendrite_base_path: "{{ matrix_base_data_path }}/dendrite" From 3cf9f87097940c13a7839c050a40c58cbbc4facd Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 17 Dec 2021 19:00:17 +0200 Subject: [PATCH 29/71] Add matrix_homeserver_implementation, tracking the current homeserver implementation The goal is to have a single variable which tells us which homeserver software is in use. Much simpler than having if/elif/elif checks for variables like (`matrix_synapse_enabled` and `matrix_dendrite_enabled`, etc.) everywhere. --- group_vars/matrix_servers | 11 +++++++++++ roles/matrix-base/defaults/main.yml | 7 +++++++ roles/matrix-base/tasks/sanity_check.yml | 11 +++++++++++ roles/matrix-base/vars/main.yml | 2 +- 4 files changed, 30 insertions(+), 1 deletion(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 51d7dee4..b40d6298 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -17,6 +17,17 @@ matrix_container_global_registry_prefix: "docker.io/" # ###################################################################### +matrix_homeserver_enabled_implementations_list: | + {{ + ( + (['synapse'] if matrix_synapse_enabled else []) + + + (['dendrite'] if matrix_dendrite_enabled else []) + ) + }} + +matrix_homeserver_implementation: "{{ matrix_homeserver_enabled_implementations_list[0] if matrix_homeserver_enabled_implementations_list|length == 1 else '' }}" + matrix_identity_server_url: "{{ ('https://' + matrix_server_fqn_matrix) if matrix_ma1sd_enabled else None }}" # If Synapse workers are enabled and matrix-nginx-proxy is disabled, certain APIs may not work over 'http://matrix-synapse:{{ matrix_synapse_container_client_api_port }}'. diff --git a/roles/matrix-base/defaults/main.yml b/roles/matrix-base/defaults/main.yml index 9b137bae..9fc14e8a 100644 --- a/roles/matrix-base/defaults/main.yml +++ b/roles/matrix-base/defaults/main.yml @@ -7,6 +7,13 @@ # Example value: example.com matrix_domain: ~ +# This will contain the homeserver implementation that is in use. +# Example values: 'synapse', 'dendrite', etc. +# You normally don't need to set this variable manually. +# Its value is automatically set depending on the homeserver implementation that you have enabled via other variables +# (e.g. `matrix_synapse_enabled`, `matrix_dendrite_enabled`, etc.) +matrix_homeserver_implementation: '' + # This is where your data lives and what we set up. # This and the Element FQN (see below) are expected to be on the same server. matrix_server_fqn_matrix: "matrix.{{ matrix_domain }}" diff --git a/roles/matrix-base/tasks/sanity_check.yml b/roles/matrix-base/tasks/sanity_check.yml index 265dc282..1e525b80 100644 --- a/roles/matrix-base/tasks/sanity_check.yml +++ b/roles/matrix-base/tasks/sanity_check.yml @@ -1,5 +1,16 @@ --- +- name: Fail if 0 or more than 1 homeserver implementations enabled + fail: + msg: >- + You have 0 or more than 1 homeserver implementations enabled + ({{ matrix_homeserver_enabled_implementations_list|join(', ') }}). + + If you have more than 1 implementation enabled, you can disable the unnecessary implementations by adding `matrix_IMPLEMENTATION_enabled: false` to your vars.yml file. + + If you have 0 implementations enabled, you can enable one by adding `matrix_IMPLEMENTATION_enabled: false` to your vars.yml file (e.g. `matrix_dendrite_enabled: true`). + when: "matrix_homeserver_enabled_implementations_list|length != 1" + # We generally support Ansible 2.7.1 and above. - name: Fail if running on Ansible < 2.7.1 fail: diff --git a/roles/matrix-base/vars/main.yml b/roles/matrix-base/vars/main.yml index e4e9c166..8b99708b 100644 --- a/roles/matrix-base/vars/main.yml +++ b/roles/matrix-base/vars/main.yml @@ -1,3 +1,3 @@ # This will contain a list of enabled services that the playbook is managing. # Each component is expected to append its service name to this list. -matrix_systemd_services_list: [] \ No newline at end of file +matrix_systemd_services_list: [] From 2f57c5173347584ea2e07e2472656b5e0beca57d Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 18 Dec 2021 10:38:00 +0200 Subject: [PATCH 30/71] Remove useless check Since 025a5ab5e5f6bdb3, we do a similar check in matrix-base. --- roles/matrix-dendrite/tasks/init.yml | 5 ----- 1 file changed, 5 deletions(-) diff --git a/roles/matrix-dendrite/tasks/init.yml b/roles/matrix-dendrite/tasks/init.yml index 8457c63d..28709469 100644 --- a/roles/matrix-dendrite/tasks/init.yml +++ b/roles/matrix-dendrite/tasks/init.yml @@ -5,8 +5,3 @@ - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-goofys.service'] }}" when: matrix_s3_media_store_enabled|bool - -- name: Fail when using also using Synapse - fail: - msg: "To use Dendrite as your matrix server, you should disable Synapse." - when: "matrix_dendrite_enabled and matrix_synapse_enabled" From ecc237bbad4b21edce37faba67864a36fde5a5cb Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 18 Dec 2021 10:50:44 +0200 Subject: [PATCH 31/71] Initial work on getting nginx reverse proxying working with Dendrite --- group_vars/matrix_servers | 30 +++++++-- roles/matrix-dendrite/defaults/main.yml | 14 +++- .../tasks/dendrite/setup_install.yml | 2 +- roles/matrix-dendrite/tasks/main.yml | 4 +- .../tasks/self_check_client_api.yml | 4 +- .../tasks/self_check_federation_api.yml | 7 +- .../templates/dendrite/dendrite.yaml.j2 | 2 +- .../systemd/matrix-dendrite.service.j2 | 3 +- roles/matrix-nginx-proxy/defaults/main.yml | 25 ++++--- .../tasks/setup_nginx_proxy.yml | 13 ++++ .../nginx/conf.d/matrix-dendrite.conf.j2 | 67 +++++++++++++++++++ 11 files changed, 143 insertions(+), 28 deletions(-) create mode 100644 roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dendrite.conf.j2 diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index b40d6298..587ef243 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -1365,7 +1365,13 @@ matrix_nginx_proxy_enabled: true matrix_nginx_proxy_proxy_matrix_client_api_addr_with_container: "{{ 'matrix-corporal:41080' if matrix_corporal_enabled else 'matrix-nginx-proxy:12080' }}" matrix_nginx_proxy_proxy_matrix_client_api_addr_sans_container: "{{ '127.0.0.1:41080' if matrix_corporal_enabled else '127.0.0.1:12080' }}" -matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb: "{{ matrix_synapse_max_upload_size_mb }}" +matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb: |- + {{ + { + 'synapse': matrix_synapse_max_upload_size_mb, + 'dendrite': (matrix_dendrite_max_file_size_bytes / 1024 / 1024) | round, + }[matrix_homeserver_implementation]|int + }} matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_admin_api_enabled: "{{ matrix_synapse_admin_enabled }}" @@ -1391,19 +1397,29 @@ matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container: "127.0.0.1:{{ # By default, we do TLS termination for the Matrix Federation API (port 8448) at matrix-nginx-proxy. # Unless this is handled there OR Synapse's federation listener port is disabled, we'll reverse-proxy. -matrix_nginx_proxy_proxy_matrix_federation_api_enabled: "{{ matrix_synapse_federation_port_enabled and not matrix_synapse_tls_federation_listener_enabled }}" +matrix_nginx_proxy_proxy_matrix_federation_api_enabled: |- + {{ + { + 'synapse': (matrix_synapse_federation_port_enabled and not matrix_synapse_tls_federation_listener_enabled), + 'dendrite': matrix_dendrite_federation_enabled, + }[matrix_homeserver_implementation]|bool + }} + matrix_nginx_proxy_proxy_matrix_federation_api_addr_with_container: "matrix-nginx-proxy:12088" matrix_nginx_proxy_proxy_matrix_federation_api_addr_sans_container: "127.0.0.1:12088" -# Settings controlling matrix-synapse-proxy.conf matrix_nginx_proxy_proxy_synapse_enabled: "{{ matrix_synapse_enabled }}" - matrix_nginx_proxy_proxy_synapse_client_api_addr_with_container: "matrix-synapse:{{ matrix_synapse_container_client_api_port }}" -matrix_nginx_proxy_proxy_synapse_client_api_addr_sans_container: "127.0.0.1:{{ matrix_synapse_container_client_api_port }}" - +matrix_nginx_proxy_proxy_synapse_client_api_addr_sans_container: "127.0.0.1:{{ matrix_dendrite_container_client_api_port }}" matrix_nginx_proxy_proxy_synapse_federation_api_addr_with_container: "matrix-synapse:{{matrix_synapse_container_federation_api_plain_port|string}}" matrix_nginx_proxy_proxy_synapse_federation_api_addr_sans_container: "localhost:{{matrix_synapse_container_federation_api_plain_port|string}}" +matrix_nginx_proxy_proxy_dendrite_enabled: "{{ matrix_dendrite_enabled }}" +matrix_nginx_proxy_proxy_dendrite_client_api_addr_with_container: "matrix-dendrite:{{ matrix_dendrite_container_client_api_port }}" +matrix_nginx_proxy_proxy_dendrite_client_api_addr_sans_container: "127.0.0.1:{{ matrix_synapse_container_client_api_port }}" +matrix_nginx_proxy_proxy_dendrite_federation_api_addr_with_container: "matrix-dendrite:{{ matrix_dendrite_container_federation_api_plain_port|string }}" +matrix_nginx_proxy_proxy_dendrite_federation_api_addr_sans_container: "127.0.0.1:{{ matrix_dendrite_container_federation_api_plain_port|string }}" + # When matrix-nginx-proxy is disabled, the actual port number that the vhost uses may begin to matter. matrix_nginx_proxy_proxy_matrix_federation_port: "{{ matrix_federation_public_port }}" @@ -2221,6 +2237,8 @@ matrix_dendrite_turn_shared_secret: "{{ matrix_coturn_turn_static_auth_secret if matrix_dendrite_disable_tls_validation: "{{ true if matrix_ssl_retrieval_method == 'self-signed' else false }}" +matrix_dendrite_self_check_validate_certificates: "{{ false if matrix_ssl_retrieval_method == 'self-signed' else true }}" + matrix_dendrite_systemd_required_services_list: | {{ (['docker.service']) diff --git a/roles/matrix-dendrite/defaults/main.yml b/roles/matrix-dendrite/defaults/main.yml index 1c1e7596..11952ce7 100644 --- a/roles/matrix-dendrite/defaults/main.yml +++ b/roles/matrix-dendrite/defaults/main.yml @@ -14,6 +14,15 @@ matrix_dendrite_storage_path: "{{ matrix_dendrite_base_path }}/storage" matrix_dendrite_media_store_path: "{{ matrix_dendrite_storage_path }}/media-store" matrix_dendrite_ext_path: "{{ matrix_dendrite_base_path }}/ext" +matrix_dendrite_container_http_bind_port: 8008 + +# This is passed as a flag `-http-bind-address` flag to the Dendrite server in the container +matrix_dendrite_container_http_bind_address: ":{{ matrix_dendrite_container_http_bind_port }}" + +# Dendrite monolith exposes both the Client API and the Federation API on the same port +matrix_dendrite_container_client_api_port: "{{ matrix_dendrite_container_http_bind_port }}" +matrix_dendrite_container_federation_api_plain_port: "{{ matrix_dendrite_container_http_bind_port }}" + # Controls whether the matrix-dendrite container exposes the Client/Server API port (tcp/8008 in the container). # # Takes an ":" or "" value (e.g. "127.0.0.1:8008"), or empty string to not expose. @@ -116,7 +125,10 @@ matrix_dendrite_trusted_id_servers: # Controls whether Dendrite will federate at all. # Disable this to completely isolate your server from the rest of the Matrix network. -matrix_dendrite_disable_federation: false +matrix_dendrite_federation_enabled: true + +# Controls whether the self-check feature should validate SSL certificates. +matrix_dendrite_self_check_validate_certificates: true # Default Dendrite configuration template which covers the generic use case. # You can customize it by controlling the various variables inside it. diff --git a/roles/matrix-dendrite/tasks/dendrite/setup_install.yml b/roles/matrix-dendrite/tasks/dendrite/setup_install.yml index 2e319e17..3e3b2199 100644 --- a/roles/matrix-dendrite/tasks/dendrite/setup_install.yml +++ b/roles/matrix-dendrite/tasks/dendrite/setup_install.yml @@ -68,7 +68,7 @@ - name: Ensure systemd reloaded after matrix-dendrite.service installation service: daemon_reload: yes - when: "matrix_dendrite_systemd_service_result.changed" + when: "matrix_dendrite_systemd_service_result.changed|bool" - name: Ensure matrix-dendrite-create-account script created template: diff --git a/roles/matrix-dendrite/tasks/main.yml b/roles/matrix-dendrite/tasks/main.yml index 6c25f190..e44134a5 100644 --- a/roles/matrix-dendrite/tasks/main.yml +++ b/roles/matrix-dendrite/tasks/main.yml @@ -22,14 +22,14 @@ - import_tasks: "{{ role_path }}/tasks/self_check_client_api.yml" delegate_to: 127.0.0.1 become: false - when: run_self_check|bool + when: run_self_check|bool and matrix_dendrite_enabled|bool tags: - self-check - import_tasks: "{{ role_path }}/tasks/self_check_federation_api.yml" delegate_to: 127.0.0.1 become: false - when: run_self_check|bool + when: run_self_check|bool and matrix_dendrite_enabled|bool tags: - self-check diff --git a/roles/matrix-dendrite/tasks/self_check_client_api.yml b/roles/matrix-dendrite/tasks/self_check_client_api.yml index d3fb1f0d..7c2f6b5e 100644 --- a/roles/matrix-dendrite/tasks/self_check_client_api.yml +++ b/roles/matrix-dendrite/tasks/self_check_client_api.yml @@ -7,14 +7,12 @@ register: result_matrix_dendrite_client_api ignore_errors: true check_mode: no - when: matrix_dendrite_enabled|bool - name: Fail if Matrix Client API not working fail: msg: "Failed checking Matrix Client API is up at `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ matrix_dendrite_client_api_url_endpoint_public }}`). Is Dendrite running? Is port 443 open in your firewall? Full error: {{ result_matrix_dendrite_client_api }}" - when: "matrix_dendrite_enabled|bool and (result_matrix_dendrite_client_api.failed or 'json' not in result_matrix_dendrite_client_api)" + when: "(result_matrix_dendrite_client_api.failed or 'json' not in result_matrix_dendrite_client_api)" - name: Report working Matrix Client API debug: msg: "The Matrix Client API at `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ matrix_dendrite_client_api_url_endpoint_public }}`) is working" - when: matrix_dendrite_enabled|bool diff --git a/roles/matrix-dendrite/tasks/self_check_federation_api.yml b/roles/matrix-dendrite/tasks/self_check_federation_api.yml index f11601d7..a7c60a67 100644 --- a/roles/matrix-dendrite/tasks/self_check_federation_api.yml +++ b/roles/matrix-dendrite/tasks/self_check_federation_api.yml @@ -7,19 +7,18 @@ register: result_matrix_dendrite_federation_api ignore_errors: true check_mode: no - when: matrix_dendrite_enabled|bool - name: Fail if Matrix Federation API not working fail: msg: "Failed checking Matrix Federation API is up at `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ matrix_dendrite_federation_api_url_endpoint_public }}`). Is Dendrite running? Is port {{ matrix_federation_public_port }} open in your firewall? Full error: {{ result_matrix_dendrite_federation_api }}" - when: "matrix_dendrite_enabled|bool and matrix_dendrite_federation_enabled|bool and (result_matrix_dendrite_federation_api.failed or 'json' not in result_matrix_dendrite_federation_api)" + when: "matrix_dendrite_federation_enabled|bool and (result_matrix_dendrite_federation_api.failed or 'json' not in result_matrix_dendrite_federation_api)" - name: Fail if Matrix Federation API unexpectedly enabled fail: msg: "Matrix Federation API is up at `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ matrix_dendrite_federation_api_url_endpoint_public }}`) despite being disabled." - when: "matrix_dendrite_enabled|bool and not matrix_dendrite_federation_enabled|bool and not result_matrix_dendrite_federation_api.failed" + when: "not matrix_dendrite_federation_enabled|bool and not result_matrix_dendrite_federation_api.failed" - name: Report working Matrix Federation API debug: msg: "The Matrix Federation API at `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ matrix_dendrite_federation_api_url_endpoint_public }}`) is working" - when: "matrix_dendrite_enabled|bool and matrix_dendrite_federation_enabled|bool" + when: "matrix_dendrite_federation_enabled|bool" diff --git a/roles/matrix-dendrite/templates/dendrite/dendrite.yaml.j2 b/roles/matrix-dendrite/templates/dendrite/dendrite.yaml.j2 index 2559be15..c512904e 100644 --- a/roles/matrix-dendrite/templates/dendrite/dendrite.yaml.j2 +++ b/roles/matrix-dendrite/templates/dendrite/dendrite.yaml.j2 @@ -64,7 +64,7 @@ global: # Disables federation. Dendrite will not be able to make any outbound HTTP requests # to other servers and the federation API will not be exposed. - disable_federation: {{ matrix_dendrite_disable_federation|to_json }} + disable_federation: {{ (not matrix_dendrite_federation_enabled)|to_json }} # Configuration for Kafka/Naffka. kafka: diff --git a/roles/matrix-dendrite/templates/dendrite/systemd/matrix-dendrite.service.j2 b/roles/matrix-dendrite/templates/dendrite/systemd/matrix-dendrite.service.j2 index b41f6c2c..48067c0e 100644 --- a/roles/matrix-dendrite/templates/dendrite/systemd/matrix-dendrite.service.j2 +++ b/roles/matrix-dendrite/templates/dendrite/systemd/matrix-dendrite.service.j2 @@ -44,7 +44,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-dendrite \ {{ arg }} \ {% endfor %} {{ matrix_dendrite_docker_image }} \ - --config /data/dendrite.yaml + -config /data/dendrite.yaml \ + -http-bind-address {{ matrix_dendrite_container_http_bind_address }} ExecStop=-{{ matrix_host_command_docker }} kill matrix-dendrite ExecStop=-{{ matrix_host_command_docker }} rm matrix-dendrite diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index 74f53e67..749d9391 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -111,14 +111,28 @@ matrix_nginx_proxy_access_log_enabled: true matrix_nginx_proxy_proxy_riot_compat_redirect_enabled: false matrix_nginx_proxy_proxy_riot_compat_redirect_hostname: "riot.{{ matrix_domain }}" -# Controls whether proxying the Synapse domain should be done. +# Controls whether proxying for Synapse should be done. matrix_nginx_proxy_proxy_synapse_enabled: false matrix_nginx_proxy_proxy_synapse_hostname: "matrix-nginx-proxy" matrix_nginx_proxy_proxy_synapse_federation_api_enabled: "{{ matrix_nginx_proxy_proxy_matrix_federation_api_enabled }}" - +# The addresses where the Matrix Client API is, when using Synapse. +matrix_nginx_proxy_proxy_synapse_client_api_addr_with_container: "" +matrix_nginx_proxy_proxy_synapse_client_api_addr_sans_container: "" # The addresses where the Federation API is, when using Synapse. matrix_nginx_proxy_proxy_synapse_federation_api_addr_with_container: "" matrix_nginx_proxy_proxy_synapse_federation_api_addr_sans_container: "" +# A list of strings containing additional configuration blocks to add to the Synapse's server configuration (matrix-synapse.conf). +matrix_nginx_proxy_proxy_synapse_additional_server_configuration_blocks: [] + +# Controls whether proxying for Dendrite should be done. +matrix_nginx_proxy_proxy_dendrite_enabled: false +matrix_nginx_proxy_proxy_dendrite_hostname: "matrix-nginx-proxy" +matrix_nginx_proxy_proxy_dendrite_federation_api_enabled: "{{ matrix_nginx_proxy_proxy_matrix_federation_api_enabled }}" +# The addresses where the Matrix Client API is, when using Dendrite. +matrix_nginx_proxy_proxy_dendrite_client_api_addr_with_container: "" +matrix_nginx_proxy_proxy_dendrite_client_api_addr_sans_container: "" +# A list of strings containing additional configuration blocks to add to the Dendrite's server configuration (matrix-dendrite.conf). +matrix_nginx_proxy_proxy_dendrite_additional_server_configuration_blocks: [] # Controls whether proxying the Element domain should be done. matrix_nginx_proxy_proxy_element_enabled: false @@ -200,10 +214,6 @@ matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_key: "" matrix_nginx_proxy_proxy_matrix_client_api_addr_with_container: "matrix-nginx-proxy:12080" matrix_nginx_proxy_proxy_matrix_client_api_addr_sans_container: "127.0.0.1:12080" -# The addresses where the Matrix Client API is, when using Synapse. -matrix_nginx_proxy_proxy_synapse_client_api_addr_with_container: "" -matrix_nginx_proxy_proxy_synapse_client_api_addr_sans_container: "" - # This needs to be equal or higher than the maximum upload size accepted by Synapse. matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb: 50 @@ -268,9 +278,6 @@ matrix_nginx_proxy_proxy_http_additional_server_configuration_blocks: [] # A list of strings containing additional configuration blocks to add to the base matrix server configuration (matrix-domain.conf). matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks: [] -# A list of strings containing additional configuration blocks to add to the synapse's server configuration (matrix-synapse.conf). -matrix_nginx_proxy_proxy_synapse_additional_server_configuration_blocks: [] - # A list of strings containing additional configuration blocks to add to Riot's server configuration (matrix-riot-web.conf). matrix_nginx_proxy_proxy_riot_additional_server_configuration_blocks: [] diff --git a/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml b/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml index 5ddbb19d..e5021468 100644 --- a/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml +++ b/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml @@ -67,6 +67,19 @@ state: absent when: "not matrix_nginx_proxy_proxy_synapse_enabled|bool" +- name: Ensure Matrix nginx-proxy configuration for matrix-dendrite exists + template: + src: "{{ role_path }}/templates/nginx/conf.d/matrix-dendrite.conf.j2" + dest: "{{ matrix_nginx_proxy_confd_path }}/matrix-dendrite.conf" + mode: 0644 + when: matrix_nginx_proxy_proxy_dendrite_enabled|bool + +- name: Ensure Matrix nginx-proxy configuration for matrix-dendrite deleted + file: + path: "{{ matrix_nginx_proxy_confd_path }}/matrix-dendrite.conf" + state: absent + when: "not matrix_nginx_proxy_proxy_dendrite_enabled|bool" + - name: Ensure Matrix nginx-proxy configuration for Element domain exists template: src: "{{ role_path }}/templates/nginx/conf.d/matrix-client-element.conf.j2" diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dendrite.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dendrite.conf.j2 new file mode 100644 index 00000000..9776085e --- /dev/null +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dendrite.conf.j2 @@ -0,0 +1,67 @@ +#jinja2: lstrip_blocks: "True" + +server { + listen 12080; + server_name {{ matrix_nginx_proxy_proxy_dendrite_hostname }}; + + server_tokens off; + root /dev/null; + + gzip on; + gzip_types text/plain application/json; + + {% for configuration_block in matrix_nginx_proxy_proxy_dendrite_additional_server_configuration_blocks %} + {{- configuration_block }} + {% endfor %} + + {# Everything else just goes to the API server ##} + location / { + {% if matrix_nginx_proxy_enabled %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver 127.0.0.11 valid=5s; + set $backend "{{ matrix_nginx_proxy_proxy_dendrite_client_api_addr_with_container }}"; + proxy_pass http://$backend; + {% else %} + {# Generic configuration for use outside of our container setup #} + proxy_pass http://{{ matrix_nginx_proxy_proxy_dendrite_client_api_addr_sans_container }}; + {% endif %} + + proxy_set_header Host $host; + + client_body_buffer_size 25M; + client_max_body_size {{ matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb }}M; + proxy_max_temp_file_size 0; + } +} + +{% if matrix_nginx_proxy_proxy_dendrite_federation_api_enabled %} +server { + listen 12088; + + server_name {{ matrix_nginx_proxy_proxy_dendrite_hostname }}; + server_tokens off; + + root /dev/null; + + gzip on; + gzip_types text/plain application/json; + + location / { + {% if matrix_nginx_proxy_enabled %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver 127.0.0.11 valid=5s; + set $backend "{{ matrix_nginx_proxy_proxy_dendrite_federation_api_addr_with_container }}"; + proxy_pass http://$backend; + {% else %} + {# Generic configuration for use outside of our container setup #} + proxy_pass http://{{ matrix_nginx_proxy_proxy_dendrite_federation_api_addr_sans_container }}; + {% endif %} + + proxy_set_header Host $host; + + client_body_buffer_size 25M; + client_max_body_size {{ matrix_nginx_proxy_proxy_matrix_federation_api_client_max_body_size_mb }}M; + proxy_max_temp_file_size 0; + } +} +{% endif %} From 3b9d5b13e96dd94ee014d0a58bbeeef0b6deb952 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 18 Dec 2021 13:26:31 +0200 Subject: [PATCH 32/71] Add support for not serving Dendrite federation APIs on the client port Seems like Dendrite encourages serving both the Client and Federation API at the same port. Coming from Synapse and how things are done there, we have separate ports. Using separate ports probably makes matrix-corporal (etc.) integration easier, so separating the APIs by default probably makes sense. --- roles/matrix-nginx-proxy/defaults/main.yml | 3 +++ .../templates/nginx/conf.d/matrix-dendrite.conf.j2 | 10 ++++++++++ 2 files changed, 13 insertions(+) diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index 749d9391..1feea6b7 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -128,6 +128,9 @@ matrix_nginx_proxy_proxy_synapse_additional_server_configuration_blocks: [] matrix_nginx_proxy_proxy_dendrite_enabled: false matrix_nginx_proxy_proxy_dendrite_hostname: "matrix-nginx-proxy" matrix_nginx_proxy_proxy_dendrite_federation_api_enabled: "{{ matrix_nginx_proxy_proxy_matrix_federation_api_enabled }}" +# Controls whether the Client API server (usually at matrix.DOMAIN:443) should explicitly reject `/_matrix/federation` endpoints. +# Normally, Dendrite Monolith serves both APIs (Client & Federation) at the same port, so we can serve federation at `matrix.DOMAIN:443` too. +matrix_nginx_proxy_proxy_dendrite_block_federation_api_on_client_port: true # The addresses where the Matrix Client API is, when using Dendrite. matrix_nginx_proxy_proxy_dendrite_client_api_addr_with_container: "" matrix_nginx_proxy_proxy_dendrite_client_api_addr_sans_container: "" diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dendrite.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dendrite.conf.j2 index 9776085e..939156a3 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dendrite.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dendrite.conf.j2 @@ -14,6 +14,16 @@ server { {{- configuration_block }} {% endfor %} + {% if matrix_nginx_proxy_proxy_dendrite_block_federation_api_on_client_port %} + location /_matrix/federation { + {% if matrix_nginx_proxy_proxy_dendrite_federation_api_enabled %} + return 404 'The Federation API is served at https://{{ matrix_server_fqn_matrix }}:{{ matrix_federation_public_port }}'; + {% else %} + return 404 'This Matrix server is running with federation disabled'; + {% endif %} + } + {% endif %} + {# Everything else just goes to the API server ##} location / { {% if matrix_nginx_proxy_enabled %} From 9f6e8f5eaf2fd19200fb6533f4e524f32dffc892 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 18 Dec 2021 13:37:43 +0200 Subject: [PATCH 33/71] Remove matrix_s3 references from matrix-dendrite role All the `matrix_s3_*` stuff happens in the `matrix-synapse` role. If we are to have such S3 support for Dendrite, we should probably extract it out of the `matrix-synapse` role (into a `matrix-s3` role or `matrix-goofys`, etc.) and wire `matrix-dendrite` accordingly. This may or may not be done in the future though. For now, I'm cleaning things up in the `matrix-dendrite` role. --- roles/matrix-dendrite/tasks/init.yml | 4 ---- roles/matrix-dendrite/tasks/setup_dendrite.yml | 5 +---- .../templates/dendrite/systemd/matrix-dendrite.service.j2 | 6 ------ 3 files changed, 1 insertion(+), 14 deletions(-) diff --git a/roles/matrix-dendrite/tasks/init.yml b/roles/matrix-dendrite/tasks/init.yml index 28709469..2e2e551a 100644 --- a/roles/matrix-dendrite/tasks/init.yml +++ b/roles/matrix-dendrite/tasks/init.yml @@ -1,7 +1,3 @@ - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-dendrite.service'] }}" when: matrix_dendrite_enabled|bool - -- set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-goofys.service'] }}" - when: matrix_s3_media_store_enabled|bool diff --git a/roles/matrix-dendrite/tasks/setup_dendrite.yml b/roles/matrix-dendrite/tasks/setup_dendrite.yml index 9fa8f566..04c3a7fe 100644 --- a/roles/matrix-dendrite/tasks/setup_dendrite.yml +++ b/roles/matrix-dendrite/tasks/setup_dendrite.yml @@ -9,9 +9,6 @@ with_items: - { path: "{{ matrix_dendrite_config_dir_path }}", when: true } - { path: "{{ matrix_dendrite_ext_path }}", when: true } - # We handle matrix_dendrite_media_store_path elsewhere (in ./dendrite/setup_install.yml), - # because if it's using Goofys and it's already mounted (from before), - # trying to chown/chmod it here will cause trouble. - when: "(matrix_dendrite_enabled|bool or matrix_s3_media_store_enabled|bool) and item.when" + when: "matrix_dendrite_enabled|bool and item.when" - import_tasks: "{{ role_path }}/tasks/dendrite/setup.yml" diff --git a/roles/matrix-dendrite/templates/dendrite/systemd/matrix-dendrite.service.j2 b/roles/matrix-dendrite/templates/dendrite/systemd/matrix-dendrite.service.j2 index 48067c0e..647d0756 100644 --- a/roles/matrix-dendrite/templates/dendrite/systemd/matrix-dendrite.service.j2 +++ b/roles/matrix-dendrite/templates/dendrite/systemd/matrix-dendrite.service.j2 @@ -15,12 +15,6 @@ Type=simple Environment="HOME={{ matrix_systemd_unit_home_path }}" ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-dendrite ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-dendrite -{% if matrix_s3_media_store_enabled %} -# Allow for some time before starting, so that media store can mount. -# Mounting can happen later too, but if we start writing, -# we'd write files to the local filesystem and fusermount will complain. -ExecStartPre={{ matrix_host_command_sleep }} 3 -{% endif %} ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-dendrite \ --log-driver=none \ From b297e8ee2b92761dd6fd35c7a8a10134bf2d2c6f Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 18 Dec 2021 13:56:32 +0200 Subject: [PATCH 34/71] Delay Dendrite startup so that matrix-postgres.service can start --- .../templates/dendrite/systemd/matrix-dendrite.service.j2 | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/roles/matrix-dendrite/templates/dendrite/systemd/matrix-dendrite.service.j2 b/roles/matrix-dendrite/templates/dendrite/systemd/matrix-dendrite.service.j2 index 647d0756..a67a3c20 100644 --- a/roles/matrix-dendrite/templates/dendrite/systemd/matrix-dendrite.service.j2 +++ b/roles/matrix-dendrite/templates/dendrite/systemd/matrix-dendrite.service.j2 @@ -16,6 +16,12 @@ Environment="HOME={{ matrix_systemd_unit_home_path }}" ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-dendrite ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-dendrite +{% if 'matrix-postgres.service' in matrix_dendrite_systemd_required_services_list %} +# Dendrite is too quick to start in relation to its matrix-postgres dependency. +# Delay Dendrite startup to avoid failing with: "failed to connect to accounts db" ("pq: the database system is starting up"). +ExecStartPre={{ matrix_host_command_sleep }} 5 +{% endif %} + ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-dendrite \ --log-driver=none \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ From f8a8d7d31033854188fdb27e055b7cb9dcd6e2f9 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 18 Dec 2021 14:28:27 +0200 Subject: [PATCH 35/71] Fix /usr/local/bin/matrix-dendrite-create-account We also need to fix `--tags=register-user`. This tag is currently defined in both the `matrix-synapse` and `matrix-dendrite` roles. --- .../dendrite/usr-local-bin/matrix-dendrite-create-account.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-dendrite/templates/dendrite/usr-local-bin/matrix-dendrite-create-account.j2 b/roles/matrix-dendrite/templates/dendrite/usr-local-bin/matrix-dendrite-create-account.j2 index d9572ac7..5332b964 100644 --- a/roles/matrix-dendrite/templates/dendrite/usr-local-bin/matrix-dendrite-create-account.j2 +++ b/roles/matrix-dendrite/templates/dendrite/usr-local-bin/matrix-dendrite-create-account.j2 @@ -9,4 +9,4 @@ fi user=$1 password=$2 -docker exec matrix-dendrite create-account --config /data/dendrite.yaml --user "$user" --password "$password" +docker exec matrix-dendrite create-account -config /data/dendrite.yaml -username "$user" -password "$password" From 2bd33e5cf2d8000e2aed991c63decdad7bcb4a89 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 18 Dec 2021 14:40:34 +0200 Subject: [PATCH 36/71] Make --tags=register-user work for both Dendrite/Synapse Also get rid of `--tags=update-user-password` in the `matrix-dendrite` role, as what we had doesn't work. We may be able to do it with some Ansible helper or something else. For now, we'll omit this feature. --- roles/matrix-base/defaults/main.yml | 1 + roles/matrix-dendrite/tasks/main.yml | 7 +--- .../tasks/update_user_password.yml | 41 ------------------- roles/matrix-synapse/tasks/main.yml | 4 +- 4 files changed, 4 insertions(+), 49 deletions(-) delete mode 100644 roles/matrix-dendrite/tasks/update_user_password.yml diff --git a/roles/matrix-base/defaults/main.yml b/roles/matrix-base/defaults/main.yml index 9fc14e8a..2356c19d 100644 --- a/roles/matrix-base/defaults/main.yml +++ b/roles/matrix-base/defaults/main.yml @@ -228,6 +228,7 @@ run_synapse_register_user: true run_synapse_update_user_password: true run_synapse_import_media_store: true run_synapse_rust_synapse_compress_state: true +run_dendrite_register_user: true run_setup: true run_self_check: true run_start: true diff --git a/roles/matrix-dendrite/tasks/main.yml b/roles/matrix-dendrite/tasks/main.yml index e44134a5..815135d7 100644 --- a/roles/matrix-dendrite/tasks/main.yml +++ b/roles/matrix-dendrite/tasks/main.yml @@ -15,7 +15,7 @@ - setup-dendrite - import_tasks: "{{ role_path }}/tasks/register_user.yml" - when: run_dendrite_register_user|bool + when: run_dendrite_register_user|bool and matrix_dendrite_enabled|bool tags: - register-user @@ -33,11 +33,6 @@ tags: - self-check -- import_tasks: "{{ role_path }}/tasks/update_user_password.yml" - when: run_dendrite_update_user_password|bool - tags: - - update-user-password - - name: Mark matrix-dendrite role as executed set_fact: matrix_dendrite_role_executed: true diff --git a/roles/matrix-dendrite/tasks/update_user_password.yml b/roles/matrix-dendrite/tasks/update_user_password.yml deleted file mode 100644 index 5fbd23c2..00000000 --- a/roles/matrix-dendrite/tasks/update_user_password.yml +++ /dev/null @@ -1,41 +0,0 @@ ---- -- name: Fail if playbook called incorrectly - fail: - msg: "The `username` variable needs to be provided to this playbook, via --extra-vars" - when: "username is not defined or username == ''" - -- name: Fail if playbook called incorrectly - fail: - msg: "The `password` variable needs to be provided to this playbook, via --extra-vars" - when: "password is not defined or password == ''" - -- name: Fail if not using matrix-postgres container - fail: - msg: "This command is working only when matrix-postgres container is being used" - when: "not matrix_postgres_enabled|bool" - -- name: Ensure matrix-dendrite is started - service: - name: matrix-dendrite - state: started - daemon_reload: yes - register: start_result - -- name: Ensure matrix-postgres is started - service: - name: matrix-postgres - state: started - daemon_reload: yes - register: postgres_start_result - -- name: Wait a while, so that Matrix Dendrite can manage to start - pause: - seconds: 7 - when: "start_result.changed or postgres_start_result.changed" - -- name: Generate password hash - shell: "{{ matrix_host_command_docker }} exec matrix-dendrite /usr/local/bin/hash_password -c /data/homeserver.yaml -p {{ password|quote }}" - register: password_hash - -- name: Update user password hash - command: "{{ matrix_local_bin_path }}/matrix-postgres-update-user-password-hash {{ username|quote }} {{ password_hash.stdout|quote }}" diff --git a/roles/matrix-synapse/tasks/main.yml b/roles/matrix-synapse/tasks/main.yml index 8bf1c563..17eef9cc 100644 --- a/roles/matrix-synapse/tasks/main.yml +++ b/roles/matrix-synapse/tasks/main.yml @@ -20,7 +20,7 @@ - import-synapse-media-store - import_tasks: "{{ role_path }}/tasks/register_user.yml" - when: run_synapse_register_user|bool + when: run_synapse_register_user|bool and matrix_synapse_enabled|bool tags: - register-user @@ -39,7 +39,7 @@ - self-check - import_tasks: "{{ role_path }}/tasks/update_user_password.yml" - when: run_synapse_update_user_password|bool + when: run_synapse_update_user_password|bool and matrix_synapse_enabled|bool tags: - update-user-password From 38ec546b8b0f0d5d4d2c4104b9c32af9f14e650a Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 23 Dec 2021 14:48:59 +0200 Subject: [PATCH 37/71] Only trust own identity server in Dendrite config, if ma1sd enabled --- group_vars/matrix_servers | 2 ++ 1 file changed, 2 insertions(+) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 587ef243..788aeca4 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -2239,6 +2239,8 @@ matrix_dendrite_disable_tls_validation: "{{ true if matrix_ssl_retrieval_method matrix_dendrite_self_check_validate_certificates: "{{ false if matrix_ssl_retrieval_method == 'self-signed' else true }}" +matrix_dendrite_trusted_id_servers: "{{ [matrix_server_fqn_matrix] if matrix_ma1sd_enabled else ['matrix.org', 'vector.im'] }}" + matrix_dendrite_systemd_required_services_list: | {{ (['docker.service']) From 32bbcf5ed6aae6da40ccee86e56ebf236707986c Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 23 Dec 2021 15:14:30 +0200 Subject: [PATCH 38/71] Fix incorrect definition --- group_vars/matrix_servers | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 788aeca4..70cedf32 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -1410,7 +1410,7 @@ matrix_nginx_proxy_proxy_matrix_federation_api_addr_sans_container: "127.0.0.1:1 matrix_nginx_proxy_proxy_synapse_enabled: "{{ matrix_synapse_enabled }}" matrix_nginx_proxy_proxy_synapse_client_api_addr_with_container: "matrix-synapse:{{ matrix_synapse_container_client_api_port }}" -matrix_nginx_proxy_proxy_synapse_client_api_addr_sans_container: "127.0.0.1:{{ matrix_dendrite_container_client_api_port }}" +matrix_nginx_proxy_proxy_synapse_client_api_addr_sans_container: "127.0.0.1:{{ matrix_synapse_container_client_api_port }}" matrix_nginx_proxy_proxy_synapse_federation_api_addr_with_container: "matrix-synapse:{{matrix_synapse_container_federation_api_plain_port|string}}" matrix_nginx_proxy_proxy_synapse_federation_api_addr_sans_container: "localhost:{{matrix_synapse_container_federation_api_plain_port|string}}" From 4139290cc9834c6ecba5b2371199b7874acf617d Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 23 Dec 2021 15:23:41 +0200 Subject: [PATCH 39/71] Rename some variables for consistency --- group_vars/matrix_servers | 16 ++++---- roles/matrix-dendrite/defaults/main.yml | 41 ++++++++++++------- .../systemd/matrix-dendrite.service.j2 | 16 +++++--- 3 files changed, 45 insertions(+), 28 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 70cedf32..9c011b4e 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -1415,10 +1415,10 @@ matrix_nginx_proxy_proxy_synapse_federation_api_addr_with_container: "matrix-syn matrix_nginx_proxy_proxy_synapse_federation_api_addr_sans_container: "localhost:{{matrix_synapse_container_federation_api_plain_port|string}}" matrix_nginx_proxy_proxy_dendrite_enabled: "{{ matrix_dendrite_enabled }}" -matrix_nginx_proxy_proxy_dendrite_client_api_addr_with_container: "matrix-dendrite:{{ matrix_dendrite_container_client_api_port }}" -matrix_nginx_proxy_proxy_dendrite_client_api_addr_sans_container: "127.0.0.1:{{ matrix_synapse_container_client_api_port }}" -matrix_nginx_proxy_proxy_dendrite_federation_api_addr_with_container: "matrix-dendrite:{{ matrix_dendrite_container_federation_api_plain_port|string }}" -matrix_nginx_proxy_proxy_dendrite_federation_api_addr_sans_container: "127.0.0.1:{{ matrix_dendrite_container_federation_api_plain_port|string }}" +matrix_nginx_proxy_proxy_dendrite_client_api_addr_with_container: "matrix-dendrite:{{ matrix_dendrite_http_bind_port|string }}" +matrix_nginx_proxy_proxy_dendrite_client_api_addr_sans_container: "127.0.0.1:{{ matrix_dendrite_http_bind_port|string }}" +matrix_nginx_proxy_proxy_dendrite_federation_api_addr_with_container: "matrix-dendrite:{{ matrix_dendrite_http_bind_port|string }}" +matrix_nginx_proxy_proxy_dendrite_federation_api_addr_sans_container: "127.0.0.1:{{ matrix_dendrite_http_bind_port|string }}" # When matrix-nginx-proxy is disabled, the actual port number that the vhost uses may begin to matter. matrix_nginx_proxy_proxy_matrix_federation_port: "{{ matrix_federation_public_port }}" @@ -2209,11 +2209,11 @@ matrix_postgres_backup_databases: | # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, # you can expose Dendrite's ports to the host. # -# For exposing the Matrix Client API's port (plain HTTP) to the local host. -matrix_dendrite_container_client_api_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:8008' }}" +# For exposing Dendrite's plain HTTP server to the local host. +matrix_dendrite_container_http_host_bind_address: "{{ '' if matrix_nginx_proxy_enabled else ('127.0.0.1:' + matrix_dendrite_http_bind_port|string) }}" # -# For exposing the Matrix Federation API's TLS port (HTTPS) to the internet on all network interfaces. -matrix_dendrite_container_federation_api_tls_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else matrix_federation_public_port }}" +# For exposing Dendrite's HTTPS server to the local host. +matrix_dendrite_container_https_host_bind_address: "{{ '' if matrix_nginx_proxy_enabled or not matrix_dendrite_https_bind_port else ('127.0.0.1:' + matrix_dendrite_https_bind_port|string) }}" matrix_dendrite_registration_shared_secret: "{{ matrix_dendrite_generic_secret_key | password_hash('sha512', 'dendrite.rss') | to_uuid }}" diff --git a/roles/matrix-dendrite/defaults/main.yml b/roles/matrix-dendrite/defaults/main.yml index 11952ce7..8cd4c168 100644 --- a/roles/matrix-dendrite/defaults/main.yml +++ b/roles/matrix-dendrite/defaults/main.yml @@ -14,31 +14,42 @@ matrix_dendrite_storage_path: "{{ matrix_dendrite_base_path }}/storage" matrix_dendrite_media_store_path: "{{ matrix_dendrite_storage_path }}/media-store" matrix_dendrite_ext_path: "{{ matrix_dendrite_base_path }}/ext" -matrix_dendrite_container_http_bind_port: 8008 +# By default, we make Dendrite only serve HTTP (not HTTPS). +# HTTPS is usually served at the reverse-proxy side (usually via `matrix-nginx-proxy`). +# +# To enable HTTPS serving by Dendrite (directly): +# - `matrix_dendrite_https_bind_port` must be set +# - `-tls-cert` and `-tls-key` must be passed to Dendrite via `matrix_dendrite_process_extra_arguments` +# - the TLS certificate files must be mounted into the container using `matrix_dendrite_container_additional_volumes` +matrix_dendrite_http_bind_port: 8008 +matrix_dendrite_https_bind_port: ~ -# This is passed as a flag `-http-bind-address` flag to the Dendrite server in the container -matrix_dendrite_container_http_bind_address: ":{{ matrix_dendrite_container_http_bind_port }}" +# This is passed as an `-http-bind-address` flag to the Dendrite server in the container +matrix_dendrite_http_bind_address: "{{ (':' + matrix_dendrite_http_bind_port|string) if matrix_dendrite_http_bind_port else '' }}" -# Dendrite monolith exposes both the Client API and the Federation API on the same port -matrix_dendrite_container_client_api_port: "{{ matrix_dendrite_container_http_bind_port }}" -matrix_dendrite_container_federation_api_plain_port: "{{ matrix_dendrite_container_http_bind_port }}" +# This is passed as an `-https-bind-address` flag to the Dendrite server in the container +matrix_dendrite_https_bind_address: "{{ (':' + matrix_dendrite_https_bind_port|string) if matrix_dendrite_https_bind_port else '' }}" -# Controls whether the matrix-dendrite container exposes the Client/Server API port (tcp/8008 in the container). +# Controls whether the matrix-dendrite container exposes the HTTP port (tcp/{{ matrix_dendrite_http_bind_port }} in the container). # # Takes an ":" or "" value (e.g. "127.0.0.1:8008"), or empty string to not expose. -matrix_dendrite_container_client_api_host_bind_port: "" +matrix_dendrite_container_http_host_bind_address: "" -# Controls whether the matrix-dendrite container exposes the tls (encrypted) Server/Server (Federation) API port (tcp/8448 in the container). -# -# Takes effect only if federation is enabled (matrix_dendrite_federation_enabled) -# and TLS support is enabled (matrix_dendrite_tls_federation_listener_enabled). +# Controls whether the matrix-dendrite container exposes the HTTPS port (tcp/{{ matrix_dendrite_https_bind_port }} in the container). # -# Takes an ":" or "" value (e.g. "8448"), or empty string to not expose. -matrix_dendrite_container_federation_api_tls_host_bind_port: "" +# Takes an ":" or "" value (e.g. "127.0.0.1:8448"), or empty string to not expose. +matrix_dendrite_container_https_host_bind_address: "" -# A list of extra arguments to pass to the container +# A list of extra arguments to pass to the container (`docker run` command) matrix_dendrite_container_extra_arguments: [] +# A list of extra arguments to pass to the container process (`dendrite-monolith` command) +# Example: +# matrix_dendrite_process_extra_arguments: +# - "-tls-cert /some/path.crt" +# - "-tls-key /some/path.pem" +matrix_dendrite_process_extra_arguments: [] + # List of systemd services that matrix-dendrite.service depends on matrix_dendrite_systemd_required_services_list: ["docker.service"] diff --git a/roles/matrix-dendrite/templates/dendrite/systemd/matrix-dendrite.service.j2 b/roles/matrix-dendrite/templates/dendrite/systemd/matrix-dendrite.service.j2 index a67a3c20..4c357fd1 100644 --- a/roles/matrix-dendrite/templates/dendrite/systemd/matrix-dendrite.service.j2 +++ b/roles/matrix-dendrite/templates/dendrite/systemd/matrix-dendrite.service.j2 @@ -29,11 +29,11 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-dendrite \ --read-only \ --tmpfs=/tmp:rw,noexec,nosuid,size={{ matrix_dendrite_tmp_directory_size_mb }}m \ --network={{ matrix_docker_network }} \ - {% if matrix_dendrite_container_client_api_host_bind_port %} - -p {{ matrix_dendrite_container_client_api_host_bind_port }}:8008 \ + {% if matrix_dendrite_container_http_host_bind_address and matrix_dendrite_http_bind_port %} + -p {{ matrix_dendrite_container_http_host_bind_address }}:{{ matrix_dendrite_http_bind_port }} \ {% endif %} - {% if matrix_dendrite_container_federation_api_tls_host_bind_port %} - -p {{ matrix_dendrite_container_federation_api_tls_host_bind_port }}:8448 \ + {% if matrix_dendrite_container_https_host_bind_address and matrix_dendrite_https_bind_port %} + -p {{ matrix_dendrite_container_https_host_bind_address }}:{{ matrix_dendrite_https_bind_port }} \ {% endif %} --mount type=bind,src={{ matrix_dendrite_config_dir_path }},dst=/data,ro \ --mount type=bind,src={{ matrix_dendrite_storage_path }},dst=/matrix-media-store-parent,bind-propagation=slave \ @@ -45,7 +45,13 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-dendrite \ {% endfor %} {{ matrix_dendrite_docker_image }} \ -config /data/dendrite.yaml \ - -http-bind-address {{ matrix_dendrite_container_http_bind_address }} + {% if matrix_dendrite_http_bind_address %} + -http-bind-address {{ matrix_dendrite_http_bind_address }} + {% endif %} + {% if matrix_dendrite_https_bind_address %} + -https-bind-address {{ matrix_dendrite_https_bind_address }} + {% endif %} + {{ matrix_dendrite_process_extra_arguments|join(' ') }} ExecStop=-{{ matrix_host_command_docker }} kill matrix-dendrite ExecStop=-{{ matrix_host_command_docker }} rm matrix-dendrite From 1dfe21944fc83c8f2c2afe25756b2e9d475c714d Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 23 Dec 2021 16:28:34 +0200 Subject: [PATCH 40/71] Make matrix_homeserver_implementation influence matrix_IMPLEMENTATION_enabled, not the other way around Doing this seems more reasonable and simpler. --- examples/vars.yml | 4 ++++ group_vars/matrix_servers | 15 ++++----------- roles/matrix-base/defaults/main.yml | 12 +++++++----- roles/matrix-base/tasks/sanity_check.yml | 12 +++--------- roles/matrix-dendrite/defaults/main.yml | 2 +- 5 files changed, 19 insertions(+), 26 deletions(-) diff --git a/examples/vars.yml b/examples/vars.yml index f6c86be9..9623ad39 100644 --- a/examples/vars.yml +++ b/examples/vars.yml @@ -10,6 +10,10 @@ # Example value: example.com matrix_domain: YOUR_BARE_DOMAIN_NAME_HERE +# The Matrix homeserver software to install. +# See `roles/matrix-base/defaults/main.yml` for valid options. +matrix_homeserver_implementation: synapse + # This is something which is provided to Let's Encrypt when retrieving SSL certificates for domains. # # In case SSL renewal fails at some point, you'll also get an email notification there. diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 9c011b4e..3c2161dc 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -17,17 +17,6 @@ matrix_container_global_registry_prefix: "docker.io/" # ###################################################################### -matrix_homeserver_enabled_implementations_list: | - {{ - ( - (['synapse'] if matrix_synapse_enabled else []) - + - (['dendrite'] if matrix_dendrite_enabled else []) - ) - }} - -matrix_homeserver_implementation: "{{ matrix_homeserver_enabled_implementations_list[0] if matrix_homeserver_enabled_implementations_list|length == 1 else '' }}" - matrix_identity_server_url: "{{ ('https://' + matrix_server_fqn_matrix) if matrix_ma1sd_enabled else None }}" # If Synapse workers are enabled and matrix-nginx-proxy is disabled, certain APIs may not work over 'http://matrix-synapse:{{ matrix_synapse_container_client_api_port }}'. @@ -1906,6 +1895,8 @@ matrix_client_cinny_self_check_validate_certificates: "{{ false if matrix_ssl_re # ###################################################################### +matrix_synapse_enabled: "{{ matrix_homeserver_implementation == 'synapse' }}" + matrix_synapse_container_image_self_build: "{{ matrix_architecture not in ['arm64', 'amd64'] }}" # When ma1sd is enabled, we can use it to validate email addresses and phone numbers. @@ -2205,6 +2196,8 @@ matrix_postgres_backup_databases: | # ###################################################################### +matrix_dendrite_enabled: "{{ matrix_homeserver_implementation == 'dendrite' }}" + # Normally, matrix-nginx-proxy is enabled and nginx can reach Dendrite over the container network. # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, # you can expose Dendrite's ports to the host. diff --git a/roles/matrix-base/defaults/main.yml b/roles/matrix-base/defaults/main.yml index 2356c19d..c71061f8 100644 --- a/roles/matrix-base/defaults/main.yml +++ b/roles/matrix-base/defaults/main.yml @@ -8,11 +8,13 @@ matrix_domain: ~ # This will contain the homeserver implementation that is in use. -# Example values: 'synapse', 'dendrite', etc. -# You normally don't need to set this variable manually. -# Its value is automatically set depending on the homeserver implementation that you have enabled via other variables -# (e.g. `matrix_synapse_enabled`, `matrix_dendrite_enabled`, etc.) -matrix_homeserver_implementation: '' +# Valid values: synapse, dendrite +# +# By default, we use Synapse, because it's the only full-featured Matrix server at the moment. +# +# This value automatically influences other variables (`matrix_synapse_enabled`, `matrix_dendrite_enabled`, etc.). +# The homeserver implementation of an existing server cannot be changed without data loss. +matrix_homeserver_implementation: synapse # This is where your data lives and what we set up. # This and the Element FQN (see below) are expected to be on the same server. diff --git a/roles/matrix-base/tasks/sanity_check.yml b/roles/matrix-base/tasks/sanity_check.yml index 1e525b80..b9c8348f 100644 --- a/roles/matrix-base/tasks/sanity_check.yml +++ b/roles/matrix-base/tasks/sanity_check.yml @@ -1,15 +1,9 @@ --- -- name: Fail if 0 or more than 1 homeserver implementations enabled +- name: Fail if invalid homeserver implementation fail: - msg: >- - You have 0 or more than 1 homeserver implementations enabled - ({{ matrix_homeserver_enabled_implementations_list|join(', ') }}). - - If you have more than 1 implementation enabled, you can disable the unnecessary implementations by adding `matrix_IMPLEMENTATION_enabled: false` to your vars.yml file. - - If you have 0 implementations enabled, you can enable one by adding `matrix_IMPLEMENTATION_enabled: false` to your vars.yml file (e.g. `matrix_dendrite_enabled: true`). - when: "matrix_homeserver_enabled_implementations_list|length != 1" + msg: "You need to set a valid homeserver implementation in `matrix_homeserver_implementation`" + when: "matrix_homeserver_implementation not in ['synapse', 'dendrite']" # We generally support Ansible 2.7.1 and above. - name: Fail if running on Ansible < 2.7.1 diff --git a/roles/matrix-dendrite/defaults/main.yml b/roles/matrix-dendrite/defaults/main.yml index 8cd4c168..ed15711e 100644 --- a/roles/matrix-dendrite/defaults/main.yml +++ b/roles/matrix-dendrite/defaults/main.yml @@ -1,7 +1,7 @@ # Dendrite is a second-generation Matrix homeserver currently in Beta # See: https://github.com/matrix-org/dendrite -matrix_dendrite_enabled: false +matrix_dendrite_enabled: true matrix_dendrite_docker_image: "{{ matrix_dendrite_docker_image_name_prefix }}matrixdotorg/dendrite-monolith:{{ matrix_dendrite_docker_image_tag }}" matrix_dendrite_docker_image_name_prefix: "docker.io/" From 965890bf757ab0d9c6c5223f166f7e49a5ac80c5 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 7 Jan 2022 16:00:42 +0200 Subject: [PATCH 41/71] Derive secrets from matrix_homeserver_generic_secret_key, not matrix_synapse_macaroon_secret_key We're trying to move away from implementation-specific variables, hoping for a clean (implementation-neutral) examples/vars.yml file. --- examples/vars.yml | 8 +- group_vars/matrix_servers | 158 +++++++++--------- roles/matrix-base/defaults/main.yml | 3 + roles/matrix-base/tasks/sanity_check.yml | 21 ++- roles/matrix-dendrite/defaults/main.yml | 2 - .../matrix-dendrite/tasks/validate_config.yml | 1 - 6 files changed, 103 insertions(+), 90 deletions(-) diff --git a/examples/vars.yml b/examples/vars.yml index 9623ad39..0f6c1a55 100644 --- a/examples/vars.yml +++ b/examples/vars.yml @@ -14,6 +14,10 @@ matrix_domain: YOUR_BARE_DOMAIN_NAME_HERE # See `roles/matrix-base/defaults/main.yml` for valid options. matrix_homeserver_implementation: synapse +# A secret used as a base, for generating various other secrets. +# You can put any string here, but generating a strong one is preferred (e.g. `pwgen -s 64 1`). +matrix_homeserver_generic_secret_key: '' + # This is something which is provided to Let's Encrypt when retrieving SSL certificates for domains. # # In case SSL renewal fails at some point, you'll also get an email notification there. @@ -28,10 +32,6 @@ matrix_ssl_lets_encrypt_support_email: '' # You can put any string here, but generating a strong one is preferred (e.g. `pwgen -s 64 1`). matrix_coturn_turn_static_auth_secret: '' -# A secret used to protect access keys issued by the server. -# You can put any string here, but generating a strong one is preferred (e.g. `pwgen -s 64 1`). -matrix_synapse_macaroon_secret_key: '' - # A Postgres password to use for the superuser Postgres user (called `matrix` by default). # # The playbook creates additional Postgres users and databases (one for each enabled service) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 3c2161dc..a39b4665 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -79,14 +79,14 @@ matrix_appservice_discord_systemd_required_services_list: | (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_appservice_discord_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'discord.as.token') | to_uuid }}" +matrix_appservice_discord_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'discord.as.token') | to_uuid }}" -matrix_appservice_discord_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'discord.hs.token') | to_uuid }}" +matrix_appservice_discord_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'discord.hs.token') | to_uuid }}" # We only make this use Postgres if our own Postgres server is enabled. # It's only then (for now) that we can automatically create the necessary database and user for this service. matrix_appservice_discord_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_appservice_discord_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'as.discord.db') | to_uuid }}" +matrix_appservice_discord_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'as.discord.db') | to_uuid }}" ###################################################################### # @@ -111,12 +111,12 @@ matrix_appservice_webhooks_container_image_self_build: "{{ matrix_architecture ! # matrix-appservice-webhooks' client-server port to the local host. matrix_appservice_webhooks_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else ('127.0.0.1:' ~ matrix_appservice_webhooks_matrix_port) }}" -matrix_appservice_webhooks_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'webhook.as.token') | to_uuid }}" +matrix_appservice_webhooks_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'webhook.as.token') | to_uuid }}" matrix_appservice_webhooks_homeserver_url: "{{ matrix_homeserver_container_url }}" -matrix_appservice_webhooks_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'webhook.hs.token') | to_uuid }}" +matrix_appservice_webhooks_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'webhook.hs.token') | to_uuid }}" -matrix_appservice_webhooks_id_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'webhook.id.token') | to_uuid }}" +matrix_appservice_webhooks_id_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'webhook.id.token') | to_uuid }}" matrix_appservice_webhooks_systemd_required_services_list: | {{ @@ -150,12 +150,12 @@ matrix_appservice_slack_container_image_self_build: "{{ matrix_architecture != ' # matrix-appservice-slack's client-server port to the local host. matrix_appservice_slack_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else ('127.0.0.1:' ~ matrix_appservice_slack_slack_port) }}" -matrix_appservice_slack_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'slack.as.token') | to_uuid }}" +matrix_appservice_slack_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'slack.as.token') | to_uuid }}" matrix_appservice_slack_homeserver_url: "{{ matrix_homeserver_container_url }}" -matrix_appservice_slack_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'slack.hs.token') | to_uuid }}" +matrix_appservice_slack_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'slack.hs.token') | to_uuid }}" -matrix_appservice_slack_id_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'slack.id.token') | to_uuid }}" +matrix_appservice_slack_id_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'slack.id.token') | to_uuid }}" matrix_appservice_slack_systemd_required_services_list: | {{ @@ -168,7 +168,7 @@ matrix_appservice_slack_systemd_required_services_list: | # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_appservice_slack_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'nedb' }}" -matrix_appservice_slack_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'as.slack.db') | to_uuid }}" +matrix_appservice_slack_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'as.slack.db') | to_uuid }}" ###################################################################### # @@ -205,12 +205,12 @@ matrix_appservice_irc_systemd_required_services_list: | (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_appservice_irc_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'irc.as.token') | to_uuid }}" +matrix_appservice_irc_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'irc.as.token') | to_uuid }}" -matrix_appservice_irc_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'irc.hs.token') | to_uuid }}" +matrix_appservice_irc_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'irc.hs.token') | to_uuid }}" matrix_appservice_irc_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'nedb' }}" -matrix_appservice_irc_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'as.irc.db') | to_uuid }}" +matrix_appservice_irc_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'as.irc.db') | to_uuid }}" ###################################################################### @@ -242,15 +242,15 @@ matrix_beeper_linkedin_systemd_required_services_list: | (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_beeper_linkedin_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'linked.as.token') | to_uuid }}" +matrix_beeper_linkedin_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'linked.as.token') | to_uuid }}" -matrix_beeper_linkedin_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'linked.hs.token') | to_uuid }}" +matrix_beeper_linkedin_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'linked.hs.token') | to_uuid }}" matrix_beeper_linkedin_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" matrix_beeper_linkedin_bridge_presence: "{{ matrix_synapse_presence_enabled if matrix_synapse_enabled else true }}" -matrix_beeper_linkedin_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'maulinkedin.db') | to_uuid }}" +matrix_beeper_linkedin_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'maulinkedin.db') | to_uuid }}" ###################################################################### # @@ -280,9 +280,9 @@ matrix_mautrix_facebook_systemd_required_services_list: | (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_mautrix_facebook_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'fb.as.token') | to_uuid }}" +matrix_mautrix_facebook_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'fb.as.token') | to_uuid }}" -matrix_mautrix_facebook_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'fb.hs.token') | to_uuid }}" +matrix_mautrix_facebook_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'fb.hs.token') | to_uuid }}" matrix_mautrix_facebook_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" @@ -291,7 +291,7 @@ matrix_mautrix_facebook_bridge_presence: "{{ matrix_synapse_presence_enabled if # We'd like to force-set people with external Postgres to SQLite, so the bridge role can complain # and point them to a migration path. matrix_mautrix_facebook_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_mautrix_facebook_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mau.fb.db') | to_uuid }}" +matrix_mautrix_facebook_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mau.fb.db') | to_uuid }}" ###################################################################### # @@ -322,9 +322,9 @@ matrix_mautrix_hangouts_systemd_required_services_list: | (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_mautrix_hangouts_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'ho.as.token') | to_uuid }}" +matrix_mautrix_hangouts_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'ho.as.token') | to_uuid }}" -matrix_mautrix_hangouts_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'ho.hs.token') | to_uuid }}" +matrix_mautrix_hangouts_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'ho.hs.token') | to_uuid }}" matrix_mautrix_hangouts_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:9007' }}" @@ -332,7 +332,7 @@ matrix_mautrix_hangouts_login_shared_secret: "{{ matrix_synapse_ext_password_pro # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_mautrix_hangouts_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_mautrix_hangouts_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mau.hangouts.db') | to_uuid }}" +matrix_mautrix_hangouts_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mau.hangouts.db') | to_uuid }}" ###################################################################### # @@ -363,9 +363,9 @@ matrix_mautrix_googlechat_systemd_required_services_list: | (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_mautrix_googlechat_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'gc.as.token') | to_uuid }}" +matrix_mautrix_googlechat_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'gc.as.token') | to_uuid }}" -matrix_mautrix_googlechat_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'gc.hs.token') | to_uuid }}" +matrix_mautrix_googlechat_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'gc.hs.token') | to_uuid }}" matrix_mautrix_googlechat_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:9007' }}" @@ -373,7 +373,7 @@ matrix_mautrix_googlechat_login_shared_secret: "{{ matrix_synapse_ext_password_p # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_mautrix_googlechat_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_mautrix_googlechat_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mau.gc.db') | to_uuid }}" +matrix_mautrix_googlechat_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mau.gc.db') | to_uuid }}" ###################################################################### # @@ -404,9 +404,9 @@ matrix_mautrix_instagram_systemd_required_services_list: | (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_mautrix_instagram_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'ig.as.token') | to_uuid }}" +matrix_mautrix_instagram_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'ig.as.token') | to_uuid }}" -matrix_mautrix_instagram_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'ig.hs.token') | to_uuid }}" +matrix_mautrix_instagram_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'ig.hs.token') | to_uuid }}" matrix_mautrix_instagram_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" @@ -415,7 +415,7 @@ matrix_mautrix_instagram_bridge_presence: "{{ matrix_synapse_presence_enabled if # We'd like to force-set people with external Postgres to SQLite, so the bridge role can complain # and point them to a migration path. matrix_mautrix_instagram_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_mautrix_instagram_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mau.ig.db') | to_uuid }}" +matrix_mautrix_instagram_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mau.ig.db') | to_uuid }}" ###################################################################### # @@ -450,14 +450,14 @@ matrix_mautrix_signal_homeserver_domain: '{{ matrix_domain }}' matrix_mautrix_signal_homeserver_address: "{{ matrix_homeserver_container_url }}" -matrix_mautrix_signal_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'si.hs.token') | to_uuid }}" +matrix_mautrix_signal_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'si.hs.token') | to_uuid }}" -matrix_mautrix_signal_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'si.as.token') | to_uuid }}" +matrix_mautrix_signal_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'si.as.token') | to_uuid }}" matrix_mautrix_signal_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" matrix_mautrix_signal_database_engine: 'postgres' -matrix_mautrix_signal_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mau.signal.db') | to_uuid }}" +matrix_mautrix_signal_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mau.signal.db') | to_uuid }}" matrix_mautrix_signal_container_image_self_build: "{{ matrix_architecture not in ['amd64', 'arm64'] }}" matrix_mautrix_signal_daemon_container_image_self_build: "{{ matrix_architecture != 'amd64' }}" @@ -493,11 +493,11 @@ matrix_mautrix_telegram_systemd_required_services_list: | (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_mautrix_telegram_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'telegr.as.token') | to_uuid }}" +matrix_mautrix_telegram_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'telegr.as.token') | to_uuid }}" -matrix_mautrix_telegram_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'telegr.hs.token') | to_uuid }}" +matrix_mautrix_telegram_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'telegr.hs.token') | to_uuid }}" -matrix_mautrix_telegram_public_endpoint: "/{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'telegram') | to_uuid }}" +matrix_mautrix_telegram_public_endpoint: "/{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'telegram') | to_uuid }}" matrix_mautrix_telegram_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:9006' }}" @@ -505,7 +505,7 @@ matrix_mautrix_telegram_login_shared_secret: "{{ matrix_synapse_ext_password_pro # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_mautrix_telegram_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_mautrix_telegram_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mau.telegram.db') | to_uuid }}" +matrix_mautrix_telegram_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mau.telegram.db') | to_uuid }}" ###################################################################### # @@ -535,16 +535,16 @@ matrix_mautrix_twitter_systemd_required_services_list: | (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_mautrix_twitter_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'twt.as.token') | to_uuid }}" +matrix_mautrix_twitter_appservice_token: "{{ matrix_homeserver_generic_secret_key | password_hash('sha512', 'twt.as.token') | to_uuid }}" -matrix_mautrix_twitter_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'twt.hs.token') | to_uuid }}" +matrix_mautrix_twitter_homeserver_token: "{{ matrix_homeserver_generic_secret_key | password_hash('sha512', 'twt.hs.token') | to_uuid }}" matrix_mautrix_twitter_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" # We'd like to force-set people with external Postgres to SQLite, so the bridge role can complain # and point them to a migration path. matrix_mautrix_twitter_database_engine: "{{ 'postgres' if matrix_postgres_enabled else '' }}" -matrix_mautrix_twitter_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mau.twt.db') | to_uuid }}" +matrix_mautrix_twitter_database_password: "{{ matrix_homeserver_generic_secret_key | password_hash('sha512', 'mau.twt.db') | to_uuid }}" ###################################################################### # @@ -574,15 +574,15 @@ matrix_mautrix_whatsapp_systemd_required_services_list: | (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_mautrix_whatsapp_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'whats.as.token') | to_uuid }}" +matrix_mautrix_whatsapp_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'whats.as.token') | to_uuid }}" -matrix_mautrix_whatsapp_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'whats.hs.token') | to_uuid }}" +matrix_mautrix_whatsapp_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'whats.hs.token') | to_uuid }}" matrix_mautrix_whatsapp_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_mautrix_whatsapp_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_mautrix_whatsapp_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mauwhatsapp.db') | to_uuid }}" +matrix_mautrix_whatsapp_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mauwhatsapp.db') | to_uuid }}" ###################################################################### # @@ -608,10 +608,10 @@ matrix_sms_bridge_systemd_required_services_list: | (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_sms_bridge_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'sms.as.token') | to_uuid }}" +matrix_sms_bridge_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'sms.as.token') | to_uuid }}" matrix_sms_bridge_homeserver_port: "{{ matrix_synapse_container_client_api_port }}" -matrix_sms_bridge_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'sms.hs.token') | to_uuid }}" +matrix_sms_bridge_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'sms.hs.token') | to_uuid }}" ###################################################################### # @@ -628,9 +628,9 @@ matrix_sms_bridge_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_se # We don't enable bridges by default. matrix_heisenbridge_enabled: false -matrix_heisenbridge_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'heisen.as.tok') | to_uuid }}" +matrix_heisenbridge_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'heisen.as.tok') | to_uuid }}" -matrix_heisenbridge_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'heisen.hs.tok') | to_uuid }}" +matrix_heisenbridge_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'heisen.hs.tok') | to_uuid }}" matrix_heisenbridge_systemd_wanted_services_list: | {{ @@ -667,15 +667,15 @@ matrix_mx_puppet_skype_systemd_required_services_list: | (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_mx_puppet_skype_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'skype.as.tok') | to_uuid }}" +matrix_mx_puppet_skype_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'skype.as.tok') | to_uuid }}" -matrix_mx_puppet_skype_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'skype.hs.tok') | to_uuid }}" +matrix_mx_puppet_skype_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'skype.hs.tok') | to_uuid }}" matrix_mx_puppet_skype_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_mx_puppet_skype_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_mx_puppet_skype_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mxpup.skype.db') | to_uuid }}" +matrix_mx_puppet_skype_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxpup.skype.db') | to_uuid }}" ###################################################################### # @@ -706,15 +706,15 @@ matrix_mx_puppet_slack_systemd_required_services_list: | (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_mx_puppet_slack_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mxslk.as.tok') | to_uuid }}" +matrix_mx_puppet_slack_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxslk.as.tok') | to_uuid }}" -matrix_mx_puppet_slack_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mxslk.hs.tok') | to_uuid }}" +matrix_mx_puppet_slack_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxslk.hs.tok') | to_uuid }}" matrix_mx_puppet_slack_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_mx_puppet_slack_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_mx_puppet_slack_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mxpup.slack.db') | to_uuid }}" +matrix_mx_puppet_slack_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxpup.slack.db') | to_uuid }}" ###################################################################### # @@ -744,9 +744,9 @@ matrix_mx_puppet_twitter_systemd_required_services_list: | (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_mx_puppet_twitter_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mxtwt.as.tok') | to_uuid }}" +matrix_mx_puppet_twitter_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxtwt.as.tok') | to_uuid }}" -matrix_mx_puppet_twitter_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mxtwt.hs.tok') | to_uuid }}" +matrix_mx_puppet_twitter_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxtwt.hs.tok') | to_uuid }}" matrix_mx_puppet_twitter_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" @@ -754,7 +754,7 @@ matrix_mx_puppet_twitter_container_http_host_bind_port: "{{ '' if matrix_nginx_p # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_mx_puppet_twitter_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_mx_puppet_twitter_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mxpup.twitter.db') | to_uuid }}" +matrix_mx_puppet_twitter_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxpup.twitter.db') | to_uuid }}" ###################################################################### # @@ -785,15 +785,15 @@ matrix_mx_puppet_instagram_systemd_required_services_list: | (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_mx_puppet_instagram_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mxig.as.tok') | to_uuid }}" +matrix_mx_puppet_instagram_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxig.as.tok') | to_uuid }}" -matrix_mx_puppet_instagram_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mxig.hs.tok') | to_uuid }}" +matrix_mx_puppet_instagram_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxig.hs.tok') | to_uuid }}" matrix_mx_puppet_instagram_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_mx_puppet_instagram_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_mx_puppet_instagram_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mxpup.ig.db') | to_uuid }}" +matrix_mx_puppet_instagram_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxpup.ig.db') | to_uuid }}" ###################################################################### # @@ -823,15 +823,15 @@ matrix_mx_puppet_discord_systemd_required_services_list: | (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_mx_puppet_discord_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mxdsc.as.tok') | to_uuid }}" +matrix_mx_puppet_discord_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxdsc.as.tok') | to_uuid }}" -matrix_mx_puppet_discord_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mxdsc.hs.tok') | to_uuid }}" +matrix_mx_puppet_discord_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxdsc.hs.tok') | to_uuid }}" matrix_mx_puppet_discord_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_mx_puppet_discord_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_mx_puppet_discord_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mxpup.dsc.db') | to_uuid }}" +matrix_mx_puppet_discord_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxpup.dsc.db') | to_uuid }}" ###################################################################### # @@ -861,15 +861,15 @@ matrix_mx_puppet_steam_systemd_required_services_list: | (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_mx_puppet_steam_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mxste.as.tok') | to_uuid }}" +matrix_mx_puppet_steam_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxste.as.tok') | to_uuid }}" -matrix_mx_puppet_steam_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mxste.hs.tok') | to_uuid }}" +matrix_mx_puppet_steam_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxste.hs.tok') | to_uuid }}" matrix_mx_puppet_steam_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_mx_puppet_steam_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_mx_puppet_steam_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mxpup.steam.db') | to_uuid }}" +matrix_mx_puppet_steam_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxpup.steam.db') | to_uuid }}" ###################################################################### # @@ -899,15 +899,15 @@ matrix_mx_puppet_groupme_systemd_required_services_list: | (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_mx_puppet_groupme_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mxgro.as.tok') | to_uuid }}" +matrix_mx_puppet_groupme_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxgro.as.tok') | to_uuid }}" -matrix_mx_puppet_groupme_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mxgro.hs.tok') | to_uuid }}" +matrix_mx_puppet_groupme_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxgro.hs.tok') | to_uuid }}" matrix_mx_puppet_groupme_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_mx_puppet_groupme_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_mx_puppet_groupme_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mxpup.groupme.db') | to_uuid }}" +matrix_mx_puppet_groupme_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxpup.groupme.db') | to_uuid }}" ###################################################################### # @@ -937,7 +937,7 @@ matrix_bot_matrix_reminder_bot_systemd_required_services_list: | # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_bot_matrix_reminder_bot_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_bot_matrix_reminder_bot_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'reminder.bot.db') | to_uuid }}" +matrix_bot_matrix_reminder_bot_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'reminder.bot.db') | to_uuid }}" matrix_bot_matrix_reminder_bot_container_image_self_build: "{{ matrix_architecture != 'amd64' }}" ###################################################################### @@ -1142,7 +1142,7 @@ matrix_dimension_systemd_required_services_list: | # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_dimension_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_dimension_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'dimension.db') | to_uuid }}" +matrix_dimension_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'dimension.db') | to_uuid }}" ###################################################################### # @@ -1167,7 +1167,7 @@ matrix_etherpad_systemd_required_services_list: | (['matrix-postgres.service'] if matrix_postgres_enabled else []) }} -matrix_etherpad_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'etherpad.db') | to_uuid }}" +matrix_etherpad_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'etherpad.db') | to_uuid }}" ###################################################################### # @@ -1226,9 +1226,9 @@ matrix_jitsi_jvb_container_colibri_ws_host_bind_port: "{{ '' if matrix_nginx_pro matrix_jitsi_prosody_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:5280' }}" -matrix_jitsi_jibri_xmpp_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'jibri') | to_uuid }}" -matrix_jitsi_jicofo_auth_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'jicofo') | to_uuid }}" -matrix_jitsi_jvb_auth_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'jvb') | to_uuid }}" +matrix_jitsi_jibri_xmpp_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'jibri') | to_uuid }}" +matrix_jitsi_jicofo_auth_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'jicofo') | to_uuid }}" +matrix_jitsi_jvb_auth_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'jvb') | to_uuid }}" matrix_jitsi_web_stun_servers: | {{ @@ -1331,7 +1331,7 @@ matrix_ma1sd_systemd_wanted_services_list: | # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_ma1sd_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_ma1sd_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'ma1sd.db') | to_uuid }}" +matrix_ma1sd_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'ma1sd.db') | to_uuid }}" ###################################################################### # @@ -1926,7 +1926,9 @@ matrix_synapse_container_manhole_api_host_bind_port: "{{ '127.0.0.1:9000' if mat # For exposing the Synapse worker (and metrics) ports to the local host. matrix_synapse_workers_container_host_bind_address: "{{ '127.0.0.1' if (matrix_synapse_workers_enabled and not matrix_nginx_proxy_enabled) else '' }}" -matrix_synapse_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'synapse.db') | to_uuid }}" +matrix_synapse_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'synapse.db') | to_uuid }}" + +matrix_synapse_macaroon_secret_key: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'synapse.mac') | to_uuid }}" # We do not enable TLS in Synapse by default. # TLS is handled by the matrix-nginx-proxy, which proxies the requests to Synapse. @@ -2077,7 +2079,7 @@ matrix_prometheus_scraper_postgres_targets: "{{ ['matrix-prometheus-postgres-exp ###################################################################### matrix_prometheus_postgres_exporter_enabled: false -matrix_prometheus_postgres_exporter_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'prometheus.pg.db') | to_uuid }}" +matrix_prometheus_postgres_exporter_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'prometheus.pg.db') | to_uuid }}" matrix_prometheus_postgres_exporter_systemd_required_services_list: | {{ @@ -2153,7 +2155,7 @@ matrix_registration_systemd_required_services_list: | # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_registration_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_registration_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mx.registr.db') | to_uuid }}" +matrix_registration_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mx.registr.db') | to_uuid }}" ###################################################################### # @@ -2208,9 +2210,9 @@ matrix_dendrite_container_http_host_bind_address: "{{ '' if matrix_nginx_proxy_e # For exposing Dendrite's HTTPS server to the local host. matrix_dendrite_container_https_host_bind_address: "{{ '' if matrix_nginx_proxy_enabled or not matrix_dendrite_https_bind_port else ('127.0.0.1:' + matrix_dendrite_https_bind_port|string) }}" -matrix_dendrite_registration_shared_secret: "{{ matrix_dendrite_generic_secret_key | password_hash('sha512', 'dendrite.rss') | to_uuid }}" +matrix_dendrite_registration_shared_secret: "{{ matrix_homeserver_generic_secret_key | password_hash('sha512', 'dendrite.rss') | to_uuid }}" -matrix_dendrite_database_password: "{{ matrix_dendrite_generic_secret_key | password_hash('sha512', 'dendrite.db') | to_uuid }}" +matrix_dendrite_database_password: "{{ matrix_homeserver_generic_secret_key | password_hash('sha512', 'dendrite.db') | to_uuid }}" # Even if TURN doesn't support TLS (it does by default), # it doesn't hurt to try a secure connection anyway. diff --git a/roles/matrix-base/defaults/main.yml b/roles/matrix-base/defaults/main.yml index c71061f8..dc273afd 100644 --- a/roles/matrix-base/defaults/main.yml +++ b/roles/matrix-base/defaults/main.yml @@ -16,6 +16,9 @@ matrix_domain: ~ # The homeserver implementation of an existing server cannot be changed without data loss. matrix_homeserver_implementation: synapse +# This contains a secret, which is used for generating various other secrets later on. +matrix_homeserver_generic_secret_key: '' + # This is where your data lives and what we set up. # This and the Element FQN (see below) are expected to be on the same server. matrix_server_fqn_matrix: "matrix.{{ matrix_domain }}" diff --git a/roles/matrix-base/tasks/sanity_check.yml b/roles/matrix-base/tasks/sanity_check.yml index b9c8348f..298a994c 100644 --- a/roles/matrix-base/tasks/sanity_check.yml +++ b/roles/matrix-base/tasks/sanity_check.yml @@ -33,14 +33,25 @@ - {'old': 'hostname_riot', 'new': 'matrix_server_fqn_element'} - {'old': 'matrix_server_fqn_riot', 'new': 'matrix_server_fqn_element'} +# We have a dedicated check for this variable, because we'd like to have a custom (friendlier) message. +- name: Fail if matrix_homeserver_generic_secret_key is undefined + fail: + msg: | + The `matrix_homeserver_generic_secret_key` variable must be defined and have a non-null and non-empty value. + + If you're seeing this error on an existing homeserver installation, you can fix it easily this error by adding + `{% raw %}matrix_homeserver_generic_secret_key: "{{ matrix_synapse_macaroon_secret_key }}"{% endraw %}` + to your vars.yml file. Using another secret for the new variable is also possible and shouldn't cause any trouble. + when: "matrix_homeserver_generic_secret_key is none or matrix_homeserver_generic_secret_key == ''" + - name: Fail if required variables are undefined fail: - msg: "The `{{ item }}` variable must be defined and have a non-null value" + msg: "The `{{ item.var }}` variable must be defined and have a non-null and non-empty value" with_items: - - matrix_domain - - matrix_server_fqn_matrix - - matrix_server_fqn_element - when: "item not in vars or vars[item] is none" + - {'var': matrix_domain, 'value': "{{ matrix_domain|default('') }}"} + - {'var': matrix_server_fqn_matrix, 'value': "{{ matrix_server_fqn_matrix|default('') }}"} + - {'var': matrix_server_fqn_element, 'value': "{{ matrix_server_fqn_element|default('') }}"} + when: "item.value is none or item.value == ''" - name: Fail if uppercase domain used fail: diff --git a/roles/matrix-dendrite/defaults/main.yml b/roles/matrix-dendrite/defaults/main.yml index ed15711e..840ef9ec 100644 --- a/roles/matrix-dendrite/defaults/main.yml +++ b/roles/matrix-dendrite/defaults/main.yml @@ -63,8 +63,6 @@ matrix_dendrite_systemd_wanted_services_list: [] # matrix_dendrite_template_dendrite_config: "{{ playbook_dir }}/inventory/host_vars//dendrite.yaml.j2" matrix_dendrite_template_dendrite_config: "{{ role_path }}/templates/dendrite/dendrite.yaml.j2" -# A secret used to derive various other secrets -matrix_dendrite_generic_secret_key: '' matrix_dendrite_registration_shared_secret: '' matrix_dendrite_allow_guest_access: false diff --git a/roles/matrix-dendrite/tasks/validate_config.yml b/roles/matrix-dendrite/tasks/validate_config.yml index 9e7db426..2d2cf4c5 100644 --- a/roles/matrix-dendrite/tasks/validate_config.yml +++ b/roles/matrix-dendrite/tasks/validate_config.yml @@ -5,7 +5,6 @@ You need to define a required configuration setting (`{{ item }}`) for using Dendrite. when: "vars[item] == ''" with_items: - - "matrix_dendrite_generic_secret_key" - "matrix_dendrite_registration_shared_secret" - name: (Deprecation) Catch and report renamed settings From bbbfc0708f662927158df508ba7b10f0b26ad6f7 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 23 Dec 2021 17:39:56 +0200 Subject: [PATCH 42/71] Derive matrix_coturn_turn_static_auth_secret from matrix_homeserver_generic_secret_key Doing this further simplifies examples/vars.yml. --- examples/vars.yml | 4 ---- group_vars/matrix_servers | 2 ++ 2 files changed, 2 insertions(+), 4 deletions(-) diff --git a/examples/vars.yml b/examples/vars.yml index 0f6c1a55..f5776962 100644 --- a/examples/vars.yml +++ b/examples/vars.yml @@ -28,10 +28,6 @@ matrix_homeserver_generic_secret_key: '' # Example value: someone@example.com matrix_ssl_lets_encrypt_support_email: '' -# A shared secret (between Coturn and Synapse) used for authentication. -# You can put any string here, but generating a strong one is preferred (e.g. `pwgen -s 64 1`). -matrix_coturn_turn_static_auth_secret: '' - # A Postgres password to use for the superuser Postgres user (called `matrix` by default). # # The playbook creates additional Postgres users and databases (one for each enabled service) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index a39b4665..4441ca05 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -1087,6 +1087,8 @@ matrix_coturn_container_image_self_build: "{{ matrix_architecture != 'amd64'}}" matrix_coturn_turn_external_ip_address: "{{ ansible_host }}" +matrix_coturn_turn_static_auth_secret: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'coturn.sas') | to_uuid }}" + matrix_coturn_tls_enabled: "{{ matrix_ssl_retrieval_method != 'none' }}" matrix_coturn_tls_cert_path: "{{ matrix_ssl_config_dir_path }}/live/{{ matrix_server_fqn_matrix }}/fullchain.pem" matrix_coturn_tls_key_path: "{{ matrix_ssl_config_dir_path }}/live/{{ matrix_server_fqn_matrix }}/privkey.pem" From 38ad152c03c39ac1adc7126d86c8280ec8886015 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 23 Dec 2021 17:48:34 +0200 Subject: [PATCH 43/71] Add Dendrite-awareness to matrix_homeserver_container_url when matrix-nginx-proxy disabled --- group_vars/matrix_servers | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 4441ca05..27f997e8 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -21,7 +21,13 @@ matrix_identity_server_url: "{{ ('https://' + matrix_server_fqn_matrix) if matri # If Synapse workers are enabled and matrix-nginx-proxy is disabled, certain APIs may not work over 'http://matrix-synapse:{{ matrix_synapse_container_client_api_port }}'. # This is because we explicitly disable them for the main Synapse process. -matrix_homeserver_container_url: "{{ 'http://matrix-nginx-proxy:12080' if matrix_nginx_proxy_enabled else 'http://matrix-synapse:'+ matrix_synapse_container_client_api_port|string }}" +matrix_homeserver_container_url: |- + {{ + 'http://matrix-nginx-proxy:12080' if matrix_nginx_proxy_enabled else { + 'synapse': ('http://matrix-synapse:'+ matrix_synapse_container_client_api_port|string), + 'dendrite': ('http://matrix-dendrite:' + matrix_dendrite_http_bind_port|string), + }[matrix_homeserver_implementation] + }} ###################################################################### # From 593fc2fa852429211ae364fff58d75f2d7d41400 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 23 Dec 2021 18:01:48 +0200 Subject: [PATCH 44/71] Replace matrix-synapse.service references with more homeserver-neutral references --- group_vars/matrix_servers | 63 +++++++++++++++++++-------------------- 1 file changed, 31 insertions(+), 32 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 27f997e8..1ae75535 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -78,7 +78,7 @@ matrix_appservice_discord_systemd_required_services_list: | {{ ['docker.service'] + - (['matrix-synapse.service'] if matrix_synapse_enabled else []) + ['matrix-' + matrix_homeserver_implementation + '.service'] + (['matrix-postgres.service'] if matrix_postgres_enabled else []) + @@ -128,7 +128,7 @@ matrix_appservice_webhooks_systemd_required_services_list: | {{ ['docker.service'] + - (['matrix-synapse.service'] if matrix_synapse_enabled else []) + ['matrix-' + matrix_homeserver_implementation + '.service'] + (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} @@ -167,7 +167,7 @@ matrix_appservice_slack_systemd_required_services_list: | {{ ['docker.service'] + - (['matrix-synapse.service'] if matrix_synapse_enabled else []) + ['matrix-' + matrix_homeserver_implementation + '.service'] + (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} @@ -206,7 +206,7 @@ matrix_appservice_irc_systemd_required_services_list: | {{ ['docker.service'] + - (['matrix-synapse.service'] if matrix_synapse_enabled else []) + ['matrix-' + matrix_homeserver_implementation + '.service'] + (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} @@ -241,7 +241,7 @@ matrix_beeper_linkedin_systemd_required_services_list: | {{ ['docker.service'] + - (['matrix-synapse.service'] if matrix_synapse_enabled else []) + ['matrix-' + matrix_homeserver_implementation + '.service'] + (['matrix-postgres.service'] if matrix_postgres_enabled else []) + @@ -279,7 +279,7 @@ matrix_mautrix_facebook_systemd_required_services_list: | {{ ['docker.service'] + - (['matrix-synapse.service'] if matrix_synapse_enabled else []) + ['matrix-' + matrix_homeserver_implementation + '.service'] + (['matrix-postgres.service'] if matrix_postgres_enabled else []) + @@ -321,7 +321,7 @@ matrix_mautrix_hangouts_systemd_required_services_list: | {{ ['docker.service'] + - (['matrix-synapse.service'] if matrix_synapse_enabled else []) + ['matrix-' + matrix_homeserver_implementation + '.service'] + (['matrix-postgres.service'] if matrix_postgres_enabled else []) + @@ -362,7 +362,7 @@ matrix_mautrix_googlechat_systemd_required_services_list: | {{ ['docker.service'] + - (['matrix-synapse.service'] if matrix_synapse_enabled else []) + ['matrix-' + matrix_homeserver_implementation + '.service'] + (['matrix-postgres.service'] if matrix_postgres_enabled else []) + @@ -403,7 +403,7 @@ matrix_mautrix_instagram_systemd_required_services_list: | {{ ['docker.service'] + - (['matrix-synapse.service'] if matrix_synapse_enabled else []) + ['matrix-' + matrix_homeserver_implementation + '.service'] + (['matrix-postgres.service'] if matrix_postgres_enabled else []) + @@ -443,7 +443,7 @@ matrix_mautrix_signal_systemd_required_services_list: | {{ ['docker.service'] + - (['matrix-synapse.service'] if matrix_synapse_enabled else []) + ['matrix-' + matrix_homeserver_implementation + '.service'] + (['matrix-postgres.service'] if matrix_postgres_enabled else []) + @@ -492,7 +492,7 @@ matrix_mautrix_telegram_systemd_required_services_list: | {{ ['docker.service'] + - (['matrix-synapse.service'] if matrix_synapse_enabled else []) + ['matrix-' + matrix_homeserver_implementation + '.service'] + (['matrix-postgres.service'] if matrix_postgres_enabled else []) + @@ -534,7 +534,7 @@ matrix_mautrix_twitter_systemd_required_services_list: | {{ ['docker.service'] + - (['matrix-synapse.service'] if matrix_synapse_enabled else []) + ['matrix-' + matrix_homeserver_implementation + '.service'] + (['matrix-postgres.service'] if matrix_postgres_enabled else []) + @@ -573,7 +573,7 @@ matrix_mautrix_whatsapp_systemd_required_services_list: | {{ ['docker.service'] + - (['matrix-synapse.service'] if matrix_synapse_enabled else []) + ['matrix-' + matrix_homeserver_implementation + '.service'] + (['matrix-postgres.service'] if matrix_postgres_enabled else []) + @@ -609,7 +609,7 @@ matrix_sms_bridge_systemd_required_services_list: | {{ ['docker.service'] + - (['matrix-synapse.service'] if matrix_synapse_enabled else []) + ['matrix-' + matrix_homeserver_implementation + '.service'] + (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} @@ -640,7 +640,7 @@ matrix_heisenbridge_homeserver_token: "{{ '%s' | format(matrix_homeserver_generi matrix_heisenbridge_systemd_wanted_services_list: | {{ - (['matrix-synapse.service'] if matrix_synapse_enabled else []) + ['matrix-' + matrix_homeserver_implementation + '.service'] + (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} @@ -666,7 +666,7 @@ matrix_mx_puppet_skype_systemd_required_services_list: | {{ ['docker.service'] + - (['matrix-synapse.service'] if matrix_synapse_enabled else []) + ['matrix-' + matrix_homeserver_implementation + '.service'] + (['matrix-postgres.service'] if matrix_postgres_enabled else []) + @@ -705,7 +705,7 @@ matrix_mx_puppet_slack_systemd_required_services_list: | {{ ['docker.service'] + - (['matrix-synapse.service'] if matrix_synapse_enabled else []) + ['matrix-' + matrix_homeserver_implementation + '.service'] + (['matrix-postgres.service'] if matrix_postgres_enabled else []) + @@ -743,7 +743,7 @@ matrix_mx_puppet_twitter_systemd_required_services_list: | {{ ['docker.service'] + - (['matrix-synapse.service'] if matrix_synapse_enabled else []) + ['matrix-' + matrix_homeserver_implementation + '.service'] + (['matrix-postgres.service'] if matrix_postgres_enabled else []) + @@ -784,7 +784,7 @@ matrix_mx_puppet_instagram_systemd_required_services_list: | {{ ['docker.service'] + - (['matrix-synapse.service'] if matrix_synapse_enabled else []) + ['matrix-' + matrix_homeserver_implementation + '.service'] + (['matrix-postgres.service'] if matrix_postgres_enabled else []) + @@ -822,7 +822,7 @@ matrix_mx_puppet_discord_systemd_required_services_list: | {{ ['docker.service'] + - (['matrix-synapse.service'] if matrix_synapse_enabled else []) + ['matrix-' + matrix_homeserver_implementation + '.service'] + (['matrix-postgres.service'] if matrix_postgres_enabled else []) + @@ -860,7 +860,7 @@ matrix_mx_puppet_steam_systemd_required_services_list: | {{ ['docker.service'] + - (['matrix-synapse.service'] if matrix_synapse_enabled else []) + ['matrix-' + matrix_homeserver_implementation + '.service'] + (['matrix-postgres.service'] if matrix_postgres_enabled else []) + @@ -898,7 +898,7 @@ matrix_mx_puppet_groupme_systemd_required_services_list: | {{ ['docker.service'] + - (['matrix-synapse.service'] if matrix_synapse_enabled else []) + ['matrix-' + matrix_homeserver_implementation + '.service'] + (['matrix-postgres.service'] if matrix_postgres_enabled else []) + @@ -934,9 +934,9 @@ matrix_bot_matrix_reminder_bot_systemd_required_services_list: | {{ ['docker.service'] + - (['matrix-postgres.service'] if matrix_postgres_enabled else []) + ['matrix-' + matrix_homeserver_implementation + '.service'] + - (['matrix-synapse.service'] if matrix_synapse_enabled else []) + (['matrix-postgres.service'] if matrix_postgres_enabled else []) + (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} @@ -997,7 +997,7 @@ matrix_bot_go_neb_systemd_required_services_list: | {{ ['docker.service'] + - (['matrix-synapse.service'] if matrix_synapse_enabled else []) + ['matrix-' + matrix_homeserver_implementation + '.service'] + (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} @@ -1026,7 +1026,7 @@ matrix_bot_mjolnir_systemd_required_services_list: | {{ ['docker.service'] + - (['matrix-synapse.service'] if matrix_synapse_enabled else []) + ['matrix-' + matrix_homeserver_implementation + '.service'] + (['matrix-postgres.service'] if matrix_postgres_enabled else []) + @@ -1060,10 +1060,9 @@ matrix_corporal_systemd_required_services_list: | {{ (['docker.service']) + - (['matrix-synapse.service']) + (['matrix-' + matrix_homeserver_implementation + '.service']) }} -# This goes to Synapse's vhost matrix_corporal_matrix_homeserver_api_endpoint: "{{ matrix_homeserver_container_url }}" matrix_corporal_matrix_auth_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret }}" @@ -1141,9 +1140,9 @@ matrix_dimension_systemd_required_services_list: | {{ ['docker.service'] + - (['matrix-postgres.service'] if matrix_postgres_enabled else []) + ['matrix-' + matrix_homeserver_implementation + '.service'] + - (['matrix-synapse.service'] if matrix_synapse_enabled else []) + (['matrix-postgres.service'] if matrix_postgres_enabled else []) + (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} @@ -1330,7 +1329,7 @@ matrix_ma1sd_systemd_required_services_list: | matrix_ma1sd_systemd_wanted_services_list: | {{ - (['matrix-corporal.service'] if matrix_corporal_enabled else ['matrix-synapse.service']) + (['matrix-corporal.service'] if matrix_corporal_enabled else ['matrix-' + matrix_homeserver_implementation + '.service']) + (['matrix-postgres.service'] if matrix_postgres_enabled else []) + @@ -1454,7 +1453,7 @@ matrix_nginx_proxy_proxy_synapse_workers_enabled_list: "{{ matrix_synapse_worker matrix_nginx_proxy_systemd_wanted_services_list: | {{ - (['matrix-synapse.service'] if matrix_synapse_enabled else []) + ['matrix-' + matrix_homeserver_implementation + '.service'] + (['matrix-corporal.service'] if matrix_corporal_enabled else []) + From de49cc5271a907dba11985853a9402f7ccb79ac1 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 23 Dec 2021 18:04:26 +0200 Subject: [PATCH 45/71] Fix matrix_registration_shared_secret for Dendrite --- group_vars/matrix_servers | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 1ae75535..305d8044 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -2145,7 +2145,13 @@ matrix_registration_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_ matrix_registration_riot_instance: "{{ ('https://' + matrix_server_fqn_element) if matrix_client_element_enabled else 'https://riot.im/app/' }}" -matrix_registration_shared_secret: "{{ matrix_synapse_registration_shared_secret if matrix_synapse_enabled else '' }}" +matrix_registration_shared_secret: |- + {{ + { + 'synapse': matrix_synapse_registration_shared_secret, + 'dendrite': matrix_dendrite_registration_shared_secret, + }[matrix_homeserver_implementation] + }} matrix_registration_server_location: "{{ matrix_homeserver_container_url }}" From 05b4572fab77c1da79f21a7aab51c00d97e011e5 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 23 Dec 2021 18:13:44 +0200 Subject: [PATCH 46/71] Fix matrix_dimension_homeserver_federationUrl for Dendrite --- group_vars/matrix_servers | 10 +++++++++- roles/matrix-base/defaults/main.yml | 9 +++++++-- roles/matrix-base/tasks/validate_config.yml | 3 ++- 3 files changed, 18 insertions(+), 4 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 305d8044..864f7702 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -29,6 +29,14 @@ matrix_homeserver_container_url: |- }[matrix_homeserver_implementation] }} +matrix_homeserver_container_federation_url: |- + {{ + 'http://matrix-nginx-proxy:12088' if matrix_nginx_proxy_enabled else { + 'synapse': ('http://matrix-synapse:'+ matrix_synapse_container_federation_api_plain_port|string), + 'dendrite': ('http://matrix-dendrite:' + matrix_dendrite_http_bind_port|string), + }[matrix_homeserver_implementation] + }} + ###################################################################### # # /matrix-base @@ -1131,7 +1139,7 @@ matrix_dimension_container_image_self_build: "{{ matrix_architecture != 'amd64' # the Dimension HTTP port to the local host. matrix_dimension_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:8184' }}" -matrix_dimension_homeserver_federationUrl: "http://matrix-synapse:{{matrix_synapse_container_federation_api_plain_port|string}}" +matrix_dimension_homeserver_federationUrl: "{{ matrix_homeserver_container_federation_url }}" matrix_integration_manager_rest_url: "{{ matrix_dimension_integrations_rest_url if matrix_dimension_enabled else None }}" matrix_integration_manager_ui_url: "{{ matrix_dimension_integrations_ui_url if matrix_dimension_enabled else None }}" diff --git a/roles/matrix-base/defaults/main.yml b/roles/matrix-base/defaults/main.yml index dc273afd..be403de7 100644 --- a/roles/matrix-base/defaults/main.yml +++ b/roles/matrix-base/defaults/main.yml @@ -103,11 +103,16 @@ matrix_ntpd_service: "{{ 'systemd-timesyncd' if (ansible_distribution == 'CentOS matrix_homeserver_url: "https://{{ matrix_server_fqn_matrix }}" -# Specifies where the homeserver is on the container network. -# Where this is depends on whether there's a reverse-proxy in front of it, etc. +# Specifies where the homeserver's Client-Server API is on the container network. +# Where this is depends on whether there's a reverse-proxy in front of the homeserver, which homeserver it is, etc. # This likely gets overriden elsewhere. matrix_homeserver_container_url: "" +# Specifies where the homeserver's Federation API is on the container network. +# Where this is depends on whether there's a reverse-proxy in front of the homeserver, which homeserver it is, etc. +# This likely gets overriden elsewhere. +matrix_homeserver_container_federation_url: "" + matrix_identity_server_url: ~ matrix_integration_manager_rest_url: ~ diff --git a/roles/matrix-base/tasks/validate_config.yml b/roles/matrix-base/tasks/validate_config.yml index 8bb3fca0..84ef2f06 100644 --- a/roles/matrix-base/tasks/validate_config.yml +++ b/roles/matrix-base/tasks/validate_config.yml @@ -6,4 +6,5 @@ You need to define a required configuration setting (`{{ item }}`) for using this playbook. when: "vars[item] == ''" with_items: - - "matrix_homeserver_container_url" \ No newline at end of file + - "matrix_homeserver_container_url" + - "matrix_homeserver_container_federation_url" From 5c3c0d0d588bce8669240c41ff123a45502bad8d Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 23 Dec 2021 18:47:50 +0200 Subject: [PATCH 47/71] Set Dendrite's real_ip_header correctly --- group_vars/matrix_servers | 2 ++ roles/matrix-dendrite/defaults/main.yml | 4 ++++ roles/matrix-dendrite/templates/dendrite/dendrite.yaml.j2 | 1 + 3 files changed, 7 insertions(+) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 864f7702..57319eba 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -2231,6 +2231,8 @@ matrix_dendrite_container_http_host_bind_address: "{{ '' if matrix_nginx_proxy_e # For exposing Dendrite's HTTPS server to the local host. matrix_dendrite_container_https_host_bind_address: "{{ '' if matrix_nginx_proxy_enabled or not matrix_dendrite_https_bind_port else ('127.0.0.1:' + matrix_dendrite_https_bind_port|string) }}" +matrix_dendrite_sync_api_real_ip_header: "{{ 'X-Forwarded-For' if matrix_nginx_proxy_enabled else '' }}" + matrix_dendrite_registration_shared_secret: "{{ matrix_homeserver_generic_secret_key | password_hash('sha512', 'dendrite.rss') | to_uuid }}" matrix_dendrite_database_password: "{{ matrix_homeserver_generic_secret_key | password_hash('sha512', 'dendrite.db') | to_uuid }}" diff --git a/roles/matrix-dendrite/defaults/main.yml b/roles/matrix-dendrite/defaults/main.yml index 840ef9ec..23789540 100644 --- a/roles/matrix-dendrite/defaults/main.yml +++ b/roles/matrix-dendrite/defaults/main.yml @@ -68,6 +68,10 @@ matrix_dendrite_allow_guest_access: false matrix_dendrite_max_file_size_bytes: 10485760 +# Controls which HTTP header (e.g. 'X-Forwarded-For', 'X-Real-IP') to inspect to find the real remote IP address of the client. +# This is likely required if Dendrite is running behind a reverse proxy server. +matrix_dendrite_sync_api_real_ip_header: '' + # The tmpfs at /tmp needs to be large enough to handle multiple concurrent file uploads. matrix_dendrite_tmp_directory_size_mb: 500 diff --git a/roles/matrix-dendrite/templates/dendrite/dendrite.yaml.j2 b/roles/matrix-dendrite/templates/dendrite/dendrite.yaml.j2 index c512904e..102dd2f5 100644 --- a/roles/matrix-dendrite/templates/dendrite/dendrite.yaml.j2 +++ b/roles/matrix-dendrite/templates/dendrite/dendrite.yaml.j2 @@ -339,6 +339,7 @@ sync_api: # address of the client. This is likely required if Dendrite is running behind # a reverse proxy server. # real_ip_header: X-Real-IP + real_ip_header: {{ matrix_dendrite_sync_api_real_ip_header|to_json }} # Configuration for the User API. user_api: From 61c0930325a6f064483bfebb2b05f6f47eb29b50 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 4 Jan 2022 17:31:37 +0200 Subject: [PATCH 48/71] Suppress output for ExecStartPre/ExecStop commands This brings matrix-dendrite.service in line with all the other services. --- .../dendrite/systemd/matrix-dendrite.service.j2 | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/roles/matrix-dendrite/templates/dendrite/systemd/matrix-dendrite.service.j2 b/roles/matrix-dendrite/templates/dendrite/systemd/matrix-dendrite.service.j2 index 4c357fd1..e14734dd 100644 --- a/roles/matrix-dendrite/templates/dendrite/systemd/matrix-dendrite.service.j2 +++ b/roles/matrix-dendrite/templates/dendrite/systemd/matrix-dendrite.service.j2 @@ -13,8 +13,8 @@ DefaultDependencies=no [Service] Type=simple Environment="HOME={{ matrix_systemd_unit_home_path }}" -ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-dendrite -ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-dendrite +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-dendrite 2>/dev/null' +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-dendrite 2>/dev/null' {% if 'matrix-postgres.service' in matrix_dendrite_systemd_required_services_list %} # Dendrite is too quick to start in relation to its matrix-postgres dependency. @@ -53,9 +53,9 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-dendrite \ {% endif %} {{ matrix_dendrite_process_extra_arguments|join(' ') }} -ExecStop=-{{ matrix_host_command_docker }} kill matrix-dendrite -ExecStop=-{{ matrix_host_command_docker }} rm matrix-dendrite -ExecReload={{ matrix_host_command_docker }} exec matrix-dendrite kill -HUP 1 +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-dendrite 2>/dev/null' +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-dendrite 2>/dev/null' +ExecReload={{ matrix_host_command_docker }} exec matrix-dendrite /bin/sh -c 'kill -HUP 1' Restart=always RestartSec=30 SyslogIdentifier=matrix-dendrite From 90c9801c560b66dcbc3e3dda91ce45d3a874022e Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 4 Jan 2022 17:32:06 +0200 Subject: [PATCH 49/71] Use ExecStopPost instead of ExecStop This is the equivalent of b1b4ba501fdfaa43 for the matrix-dendrite role. --- .../templates/dendrite/systemd/matrix-dendrite.service.j2 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/matrix-dendrite/templates/dendrite/systemd/matrix-dendrite.service.j2 b/roles/matrix-dendrite/templates/dendrite/systemd/matrix-dendrite.service.j2 index e14734dd..7592fca8 100644 --- a/roles/matrix-dendrite/templates/dendrite/systemd/matrix-dendrite.service.j2 +++ b/roles/matrix-dendrite/templates/dendrite/systemd/matrix-dendrite.service.j2 @@ -53,8 +53,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-dendrite \ {% endif %} {{ matrix_dendrite_process_extra_arguments|join(' ') }} -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-dendrite 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-dendrite 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-dendrite 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-dendrite 2>/dev/null' ExecReload={{ matrix_host_command_docker }} exec matrix-dendrite /bin/sh -c 'kill -HUP 1' Restart=always RestartSec=30 From 139c574cdbbbed4e2642500eb2ec618a5c0a63ee Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 7 Jan 2022 12:40:56 +0200 Subject: [PATCH 50/71] Move checks from unused validate_config.yml file elsewhere --- roles/matrix-base/tasks/sanity_check.yml | 8 ++++++-- roles/matrix-base/tasks/validate_config.yml | 10 ---------- 2 files changed, 6 insertions(+), 12 deletions(-) delete mode 100644 roles/matrix-base/tasks/validate_config.yml diff --git a/roles/matrix-base/tasks/sanity_check.yml b/roles/matrix-base/tasks/sanity_check.yml index 298a994c..f78510d7 100644 --- a/roles/matrix-base/tasks/sanity_check.yml +++ b/roles/matrix-base/tasks/sanity_check.yml @@ -39,9 +39,11 @@ msg: | The `matrix_homeserver_generic_secret_key` variable must be defined and have a non-null and non-empty value. - If you're seeing this error on an existing homeserver installation, you can fix it easily this error by adding + If you're observing this error on a new installation, you should ensure that the `matrix_homeserver_generic_secret_key` is defined. + + If you're observing this error on an existing homeserver installation, you can fix it easily and in a backward-compatible way by adding `{% raw %}matrix_homeserver_generic_secret_key: "{{ matrix_synapse_macaroon_secret_key }}"{% endraw %}` - to your vars.yml file. Using another secret for the new variable is also possible and shouldn't cause any trouble. + to your `vars.yml` file. Using another secret value for the new variable is also possible and shouldn't cause any trouble. when: "matrix_homeserver_generic_secret_key is none or matrix_homeserver_generic_secret_key == ''" - name: Fail if required variables are undefined @@ -51,6 +53,8 @@ - {'var': matrix_domain, 'value': "{{ matrix_domain|default('') }}"} - {'var': matrix_server_fqn_matrix, 'value': "{{ matrix_server_fqn_matrix|default('') }}"} - {'var': matrix_server_fqn_element, 'value': "{{ matrix_server_fqn_element|default('') }}"} + - {'var': matrix_homeserver_container_url, 'value': "{{ matrix_homeserver_container_url|default('') }}"} + - {'var': matrix_homeserver_container_federation_url, 'value': "{{ matrix_homeserver_container_federation_url|default('') }}"} when: "item.value is none or item.value == ''" - name: Fail if uppercase domain used diff --git a/roles/matrix-base/tasks/validate_config.yml b/roles/matrix-base/tasks/validate_config.yml deleted file mode 100644 index 84ef2f06..00000000 --- a/roles/matrix-base/tasks/validate_config.yml +++ /dev/null @@ -1,10 +0,0 @@ ---- - -- name: Fail if required Matrix Base settings not defined - fail: - msg: >- - You need to define a required configuration setting (`{{ item }}`) for using this playbook. - when: "vars[item] == ''" - with_items: - - "matrix_homeserver_container_url" - - "matrix_homeserver_container_federation_url" From 0f59c4056ed027c6f497c7bbf5525aaf6ae1d614 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 7 Jan 2022 13:32:43 +0200 Subject: [PATCH 51/71] Set up well-known when invoked with the setup-dendrite tag --- roles/matrix-base/tasks/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/matrix-base/tasks/main.yml b/roles/matrix-base/tasks/main.yml index 4af3564c..f9db37b3 100644 --- a/roles/matrix-base/tasks/main.yml +++ b/roles/matrix-base/tasks/main.yml @@ -31,4 +31,5 @@ - setup-all - setup-ma1sd - setup-synapse + - setup-dendrite - setup-nginx-proxy From 134c617f34a9b436bc8d6981d84b120c38650b13 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 7 Jan 2022 15:13:13 +0200 Subject: [PATCH 52/71] Update README --- README.md | 2 ++ docs/container-images.md | 2 ++ 2 files changed, 4 insertions(+) diff --git a/README.md b/README.md index 63875c5e..af02a3b0 100644 --- a/README.md +++ b/README.md @@ -19,6 +19,8 @@ Using this playbook, you can get the following services configured on your serve - (optional, default) a [Synapse](https://github.com/matrix-org/synapse) homeserver - storing your data and managing your presence in the [Matrix](http://matrix.org/) network +- (optional) a [Dendrite](https://github.com/matrix-org/dendrite) homeserver - storing your data and managing your presence in the [Matrix](http://matrix.org/) network. Dendrite is a second-generation Matrix homeserver written in Go, an alternative to Synapse. + - (optional) [Amazon S3](https://aws.amazon.com/s3/) storage for Synapse's content repository (`media_store`) files using [Goofys](https://github.com/kahing/goofys) - (optional, default) [PostgreSQL](https://www.postgresql.org/) database for Synapse. [Using an external PostgreSQL server](docs/configuring-playbook-external-postgres.md) is also possible. diff --git a/docs/container-images.md b/docs/container-images.md index 9be48736..cf680d21 100644 --- a/docs/container-images.md +++ b/docs/container-images.md @@ -30,6 +30,8 @@ These services are enabled and used by default, but you can turn them off, if yo These services are not part of our default installation, but can be enabled by [configuring the playbook](configuring-playbook.md) (either before the initial installation or any time later): +- [matrixdotorg/dendrite-monolith](https://hub.docker.com/r/matrixdotorg/dendrite-monolith/) - the official [Dendrite](https://github.com/matrix-org/dendrite) Matrix homeserver (optional) + - [ewoutp/goofys](https://hub.docker.com/r/ewoutp/goofys/) - the [Goofys](https://github.com/kahing/goofys) Amazon [S3](https://aws.amazon.com/s3/) file-system-mounting program (optional) - [etherpad/etherpad](https://hub.docker.com/r/etherpad/etherpad/) - the [Etherpad](https://etherpad.org) realtime collaborative text editor that can be used in a Jitsi audio/video call or integrated as a widget into Matrix chat rooms via the Dimension integration manager (optional) From 5e2f4564bbfc4572832068f564a858f14a1406a4 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 7 Jan 2022 15:58:36 +0200 Subject: [PATCH 53/71] Announce Dendrite support Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/818 --- CHANGELOG.md | 35 +++++++++++++++++++++++++++++++++++ 1 file changed, 35 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 7f6dcc35..5fd3d30f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,40 @@ # 2022-01-07 +## Dendrite support + +**Existing (Synapse) installations need to be updated**, see below. + +[Jip J. Dekker](https://github.com/Dekker1) did the initial [work of adding Dendrite support](https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/818) to the playbook back in January 2021. Lots of work (and time) later, Dendrite support is finally ready for testing. + +We believe that 2022 will be the year of the non-Synapse Matrix server! + +The playbook was previously quite [Synapse](https://github.com/matrix-org/synapse)-centric, but can now accommodate multiple homeserver implementations. Only one homeserver implementation can be active (installed) at a given time. + +**Synapse is still the default homeserver implementation** installed by the playbook. A new variable (`matrix_homeserver_implementation`) controls which server implementation is enabled (`synapse` or `dendrite` at the given moment). + +Because the playbook is not so Synapse-centric anymore, a small configuration change is necessary for existing installations to bring them up to date. + +The `vars.yml` file for **existing installations will need to be updated**: + +```yaml +# All secrets keys are now derived from `matrix_homeserver_generic_secret_key`, not from `matrix_synapse_macaroon_secret_key`. +# To keep them all the same, define `matrix_homeserver_generic_secret_key` in terms of `matrix_synapse_macaroon_secret_key`. +# Using a new secret value for this configuration key is also possible and should not cause any problems. +# +# Fun fact: new installations (based on the new `examples/vars.yml` file) do this in reverse. +# That is, the Synapse macaroon secret is derived from `matrix_homeserver_generic_secret_key`. +matrix_homeserver_generic_secret_key: "{{ matrix_synapse_macaroon_secret_key }}" +``` + +Finally, **to try out Dendrite**, we recommend that you **use a new server** and the following addition to your `vars.yml` configuration: + +```yaml +matrix_homeserver_implementation: dendrite +``` + +We're excited to gain support for other homeserver implementations, like [Conduit](https://conduit.rs/), etc! + + ## Honoroit bot support Thanks to [Aine](https://gitlab.com/etke.cc) of [etke.cc](https://etke.cc/), the playbook can now help you set up [Honoroit](https://gitlab.com/etke.cc/honoroit) - a helpdesk bot. From 6cedeb094ce4a90cd1ddcf8ba3ca43ec82759d6b Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 7 Jan 2022 16:23:32 +0200 Subject: [PATCH 54/71] Mention inability to migrate between homeserver implementation --- CHANGELOG.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 5fd3d30f..570d992e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -32,6 +32,8 @@ Finally, **to try out Dendrite**, we recommend that you **use a new server** and matrix_homeserver_implementation: dendrite ``` +**The homeserver implementation of an existing server cannot be changed** (e.g. from Synapse to Dendrite) without data loss. + We're excited to gain support for other homeserver implementations, like [Conduit](https://conduit.rs/), etc! From 425a56c94eda90a18f1ad31bda11e69011fb6b51 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 7 Jan 2022 16:27:15 +0200 Subject: [PATCH 55/71] Link to Dendrite repository from changelog entry --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 570d992e..3fc0e741 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,7 +4,7 @@ **Existing (Synapse) installations need to be updated**, see below. -[Jip J. Dekker](https://github.com/Dekker1) did the initial [work of adding Dendrite support](https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/818) to the playbook back in January 2021. Lots of work (and time) later, Dendrite support is finally ready for testing. +[Jip J. Dekker](https://github.com/Dekker1) did the [initial work](https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/818) of adding [Dendrite](https://github.com/matrix-org/dendrite) support to the playbook back in January 2021. Lots of work (and time) later, Dendrite support is finally ready for testing. We believe that 2022 will be the year of the non-Synapse Matrix server! From 19b5a50805c20ef01fc605505f19a7abea1f195a Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 8 Jan 2022 09:08:55 +0200 Subject: [PATCH 56/71] Derive Honoroit database password from matrix_homeserver_generic_secret_key Related to the work done in https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/818 --- group_vars/matrix_servers | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 57319eba..0696b148 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -982,7 +982,7 @@ matrix_bot_honoroit_systemd_required_services_list: | # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_bot_honoroit_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_bot_honoroit_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'honoroit.bot.db') | to_uuid }}" +matrix_bot_honoroit_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'honoroit.bot.db') | to_uuid }}" matrix_bot_honoroit_container_image_self_build: "{{ matrix_architecture != 'amd64' }}" ###################################################################### From 7b093c5ae00bb6ce6e60867a839e5494422f4ba2 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 8 Jan 2022 09:11:22 +0200 Subject: [PATCH 57/71] Move some variables to a more appropriate location --- group_vars/matrix_servers | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 0696b148..3be4e6ac 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -37,6 +37,9 @@ matrix_homeserver_container_federation_url: |- }[matrix_homeserver_implementation] }} +matrix_integration_manager_rest_url: "{{ matrix_dimension_integrations_rest_url if matrix_dimension_enabled else None }}" +matrix_integration_manager_ui_url: "{{ matrix_dimension_integrations_ui_url if matrix_dimension_enabled else None }}" + ###################################################################### # # /matrix-base @@ -1141,9 +1144,6 @@ matrix_dimension_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_ena matrix_dimension_homeserver_federationUrl: "{{ matrix_homeserver_container_federation_url }}" -matrix_integration_manager_rest_url: "{{ matrix_dimension_integrations_rest_url if matrix_dimension_enabled else None }}" -matrix_integration_manager_ui_url: "{{ matrix_dimension_integrations_ui_url if matrix_dimension_enabled else None }}" - matrix_dimension_systemd_required_services_list: | {{ ['docker.service'] From 53dbf2738cc9dcc3cf9f65c4281799a5523f29e8 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 8 Jan 2022 09:44:58 +0200 Subject: [PATCH 58/71] Try to improve Dendrite announcement message This is an attempt to address this: https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/dc893485d1a3893dfebd2f55c5a45ddb14e1dd74#commitcomment-63097721 --- CHANGELOG.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 3fc0e741..3b5f1fe0 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,7 +2,7 @@ ## Dendrite support -**Existing (Synapse) installations need to be updated**, see below. +**TLDR**: We now have optional experimental [Dendrite](https://github.com/matrix-org/dendrite) homeserver support for new installations. **Existing (Synapse) installations need to be updated**, because some internals changed. See [Adapting the configuration for existing Synapse installations](#adapting-the-configuration-for-existing-synapse-installations). [Jip J. Dekker](https://github.com/Dekker1) did the [initial work](https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/818) of adding [Dendrite](https://github.com/matrix-org/dendrite) support to the playbook back in January 2021. Lots of work (and time) later, Dendrite support is finally ready for testing. @@ -12,6 +12,8 @@ The playbook was previously quite [Synapse](https://github.com/matrix-org/synaps **Synapse is still the default homeserver implementation** installed by the playbook. A new variable (`matrix_homeserver_implementation`) controls which server implementation is enabled (`synapse` or `dendrite` at the given moment). +### Adapting the configuration for existing Synapse installations + Because the playbook is not so Synapse-centric anymore, a small configuration change is necessary for existing installations to bring them up to date. The `vars.yml` file for **existing installations will need to be updated**: @@ -26,6 +28,8 @@ The `vars.yml` file for **existing installations will need to be updated**: matrix_homeserver_generic_secret_key: "{{ matrix_synapse_macaroon_secret_key }}" ``` +### Trying out Dendrite + Finally, **to try out Dendrite**, we recommend that you **use a new server** and the following addition to your `vars.yml` configuration: ```yaml From 548d495d81d7197df25490424976c1571c7acc5d Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 8 Jan 2022 09:46:24 +0200 Subject: [PATCH 59/71] Update CHANGELOG --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 3b5f1fe0..e9f23468 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -16,7 +16,7 @@ The playbook was previously quite [Synapse](https://github.com/matrix-org/synaps Because the playbook is not so Synapse-centric anymore, a small configuration change is necessary for existing installations to bring them up to date. -The `vars.yml` file for **existing installations will need to be updated**: +The `vars.yml` file for **existing installations will need to be updated** by adding this **additional configuration**: ```yaml # All secrets keys are now derived from `matrix_homeserver_generic_secret_key`, not from `matrix_synapse_macaroon_secret_key`. From 4e4fb98a65474fd058c61a838db6ac312a09e7df Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 8 Jan 2022 14:14:46 +0200 Subject: [PATCH 60/71] Do not install fuse unless necessary Discussed here: https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1510 --- .../tasks/server_base/setup_archlinux.yml | 2 -- .../tasks/server_base/setup_centos.yml | 1 - .../tasks/server_base/setup_centos8.yml | 3 +-- .../tasks/server_base/setup_debian.yml | 1 - .../tasks/server_base/setup_raspbian.yml | 1 - .../tasks/util/ensure_fuse_installed.yml | 23 +++++++++++++++++++ .../tasks/goofys/setup_install.yml | 2 ++ 7 files changed, 26 insertions(+), 7 deletions(-) create mode 100644 roles/matrix-base/tasks/util/ensure_fuse_installed.yml diff --git a/roles/matrix-base/tasks/server_base/setup_archlinux.yml b/roles/matrix-base/tasks/server_base/setup_archlinux.yml index d08cafc0..6c5cdff8 100644 --- a/roles/matrix-base/tasks/server_base/setup_archlinux.yml +++ b/roles/matrix-base/tasks/server_base/setup_archlinux.yml @@ -4,8 +4,6 @@ pacman: name: - python-docker - # TODO This needs to be verified. Which version do we need? - - fuse3 - python-dnspython state: latest update_cache: yes diff --git a/roles/matrix-base/tasks/server_base/setup_centos.yml b/roles/matrix-base/tasks/server_base/setup_centos.yml index 07776d7f..cbf7fbc6 100644 --- a/roles/matrix-base/tasks/server_base/setup_centos.yml +++ b/roles/matrix-base/tasks/server_base/setup_centos.yml @@ -21,7 +21,6 @@ yum: name: - "{{ matrix_ntpd_package }}" - - fuse state: latest update_cache: yes diff --git a/roles/matrix-base/tasks/server_base/setup_centos8.yml b/roles/matrix-base/tasks/server_base/setup_centos8.yml index 01666197..e6127f47 100644 --- a/roles/matrix-base/tasks/server_base/setup_centos8.yml +++ b/roles/matrix-base/tasks/server_base/setup_centos8.yml @@ -28,7 +28,6 @@ yum: name: - "{{ matrix_ntpd_package }}" - - fuse state: latest update_cache: yes @@ -44,4 +43,4 @@ pip: name: docker-py state: latest - when: matrix_docker_installation_enabled|bool \ No newline at end of file + when: matrix_docker_installation_enabled|bool diff --git a/roles/matrix-base/tasks/server_base/setup_debian.yml b/roles/matrix-base/tasks/server_base/setup_debian.yml index 37706d1f..1cd7ac41 100644 --- a/roles/matrix-base/tasks/server_base/setup_debian.yml +++ b/roles/matrix-base/tasks/server_base/setup_debian.yml @@ -29,7 +29,6 @@ apt: name: - "{{ matrix_ntpd_package }}" - - fuse state: latest update_cache: yes diff --git a/roles/matrix-base/tasks/server_base/setup_raspbian.yml b/roles/matrix-base/tasks/server_base/setup_raspbian.yml index 421905a0..4aed3c76 100644 --- a/roles/matrix-base/tasks/server_base/setup_raspbian.yml +++ b/roles/matrix-base/tasks/server_base/setup_raspbian.yml @@ -29,7 +29,6 @@ apt: name: - "{{ matrix_ntpd_package }}" - - fuse state: latest update_cache: yes diff --git a/roles/matrix-base/tasks/util/ensure_fuse_installed.yml b/roles/matrix-base/tasks/util/ensure_fuse_installed.yml new file mode 100644 index 00000000..948c6082 --- /dev/null +++ b/roles/matrix-base/tasks/util/ensure_fuse_installed.yml @@ -0,0 +1,23 @@ + +# This is for both CentOS 7 and 8 +- name: Ensure fuse installed (CentOS) + yum: + name: + - fuse + state: latest + when: ansible_distribution == 'CentOS' + +# This is for both Debian and Raspbian +- name: Ensure fuse installed (Debian/Raspbian) + apt: + name: + - fuse + state: latest + when: ansible_os_family == 'Debian' + +- name: Ensure fuse installed (Archlinux) + pacman: + name: + - fuse3 + state: latest + when: ansible_distribution == 'Archlinux' diff --git a/roles/matrix-synapse/tasks/goofys/setup_install.yml b/roles/matrix-synapse/tasks/goofys/setup_install.yml index b5e95614..147efabf 100644 --- a/roles/matrix-synapse/tasks/goofys/setup_install.yml +++ b/roles/matrix-synapse/tasks/goofys/setup_install.yml @@ -1,3 +1,5 @@ +- import_tasks: "{{ role_path }}/../matrix-base/tasks/util/ensure_fuse_installed.yml" + - name: Ensure Goofys Docker image is pulled docker_image: name: "{{ matrix_s3_goofys_docker_image }}" From 817d6833bfc0c5b6d618840d3120098cadbe7855 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 8 Jan 2022 20:06:59 +0200 Subject: [PATCH 61/71] Try to fix self-building for honoroit (fix incorrect Dockerfile path) Hopefully fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1518 --- roles/matrix-bot-honoroit/tasks/setup_install.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-bot-honoroit/tasks/setup_install.yml b/roles/matrix-bot-honoroit/tasks/setup_install.yml index 76eeb006..0d2d325b 100644 --- a/roles/matrix-bot-honoroit/tasks/setup_install.yml +++ b/roles/matrix-bot-honoroit/tasks/setup_install.yml @@ -68,7 +68,7 @@ force_source: "{{ matrix_bot_honoroit_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mailer_git_pull_results.changed }}" build: - dockerfile: docker/Dockerfile + dockerfile: Dockerfile path: "{{ matrix_bot_honoroit_docker_src_files_path }}" pull: yes when: "matrix_bot_honoroit_container_image_self_build|bool" From 27a4871aea5c5d87c165b93a02b19c3a59db3c8d Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 9 Jan 2022 12:14:23 +0200 Subject: [PATCH 62/71] Fix variable name typo --- .../tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml b/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml index d4aab6e4..e820b0ed 100644 --- a/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml +++ b/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml @@ -21,7 +21,7 @@ - name: Wait some time, so that the required service for obtaining can start wait_for: - timeout: "{{ matrix_ssl_service_to_start_before_obtaining_start_wait_time_seconds }}" + timeout: "{{ matrix_ssl_pre_obtaining_required_service_start_wait_time_seconds }}" when: "matrix_ssl_pre_obtaining_required_service_start_result.changed|bool" when: "domain_name_needs_cert|bool and matrix_ssl_pre_obtaining_required_service_name != ''" From b50494e5b3016091a2df3fa566019fbe5575181f Mon Sep 17 00:00:00 2001 From: HarHarLinks Date: Wed, 5 Jan 2022 21:12:22 +0100 Subject: [PATCH 63/71] pin appservice-webhooks version v1.0.2-01 --- roles/matrix-bridge-appservice-webhooks/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-bridge-appservice-webhooks/defaults/main.yml b/roles/matrix-bridge-appservice-webhooks/defaults/main.yml index 22f68040..32b0cbba 100644 --- a/roles/matrix-bridge-appservice-webhooks/defaults/main.yml +++ b/roles/matrix-bridge-appservice-webhooks/defaults/main.yml @@ -8,7 +8,7 @@ matrix_appservice_webhooks_container_image_self_build_repo: "https://github.com/ matrix_appservice_webhooks_container_image_self_build_repo_version: "{{ 'master' if matrix_appservice_webhooks_version == 'latest' else matrix_appservice_webhooks_version }}" matrix_appservice_webhooks_container_image_self_build_repo_dockerfile_path: "Dockerfile" -matrix_appservice_webhooks_version: latest +matrix_appservice_webhooks_version: v1.0.2-01 matrix_appservice_webhooks_docker_image: "{{ matrix_appservice_webhooks_docker_image_name_prefix }}redoonetworks/matrix-appservice-webhooks:{{ matrix_appservice_webhooks_version }}" matrix_appservice_webhooks_docker_image_name_prefix: "{{ 'localhost/' if matrix_appservice_webhooks_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_appservice_webhooks_docker_image_force_pull: "{{ matrix_appservice_webhooks_docker_image.endswith(':latest') }}" From 4377c348c56f4ee070265f5d4ace3c6ff0a9b471 Mon Sep 17 00:00:00 2001 From: Aine Date: Sun, 9 Jan 2022 17:46:47 +0200 Subject: [PATCH 64/71] matrix-bot-honoroit: disable self-build by default, update to v0.9.1 --- group_vars/matrix_servers | 2 +- roles/matrix-bot-honoroit/defaults/main.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 3be4e6ac..cfd2e74b 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -986,7 +986,7 @@ matrix_bot_honoroit_systemd_required_services_list: | # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_bot_honoroit_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" matrix_bot_honoroit_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'honoroit.bot.db') | to_uuid }}" -matrix_bot_honoroit_container_image_self_build: "{{ matrix_architecture != 'amd64' }}" +matrix_bot_honoroit_container_image_self_build: false ###################################################################### # diff --git a/roles/matrix-bot-honoroit/defaults/main.yml b/roles/matrix-bot-honoroit/defaults/main.yml index 4e3628f9..0b868a94 100644 --- a/roles/matrix-bot-honoroit/defaults/main.yml +++ b/roles/matrix-bot-honoroit/defaults/main.yml @@ -7,7 +7,7 @@ matrix_bot_honoroit_container_image_self_build: false matrix_bot_honoroit_docker_repo: "https://gitlab.com/etke.cc/honoroit.git" matrix_bot_honoroit_docker_src_files_path: "{{ matrix_base_data_path }}/honoroit/docker-src" -matrix_bot_honoroit_version: v0.9.0 +matrix_bot_honoroit_version: v0.9.1 matrix_bot_honoroit_docker_image: "{{ matrix_bot_honoroit_docker_image_name_prefix }}honoroit:{{ matrix_bot_honoroit_version }}" matrix_bot_honoroit_docker_image_name_prefix: "{{ 'localhost/' if matrix_bot_honoroit_container_image_self_build else 'registry.gitlab.com/etke.cc/' }}" matrix_bot_honoroit_docker_image_force_pull: "{{ matrix_bot_honoroit_docker_image.endswith(':latest') }}" From a83b880f72b290a5640e77b80852803d1120531d Mon Sep 17 00:00:00 2001 From: Aine Date: Sun, 9 Jan 2022 18:49:41 +0200 Subject: [PATCH 65/71] matrix-bot-honoroit: feedback --- group_vars/matrix_servers | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index cfd2e74b..32b0d3a8 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -986,7 +986,7 @@ matrix_bot_honoroit_systemd_required_services_list: | # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_bot_honoroit_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" matrix_bot_honoroit_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'honoroit.bot.db') | to_uuid }}" -matrix_bot_honoroit_container_image_self_build: false +matrix_bot_honoroit_container_image_self_build: "{{ matrix_architecture not in ['amd64', 'arm32', 'arm64'] }}" ###################################################################### # From e72ecf2c650d12233734b84d2fffb671e0e30ec5 Mon Sep 17 00:00:00 2001 From: PC-Admin Date: Sun, 9 Jan 2022 10:50:44 +0800 Subject: [PATCH 66/71] update new variable for matrix-awx, update documentation --- docs/configuring-awx-system.md | 14 ++++------- roles/matrix-awx/tasks/main.yml | 4 ++-- roles/matrix-awx/tasks/rename_variables.yml | 8 ------- roles/matrix-awx/tasks/update_variables.yml | 26 +++++++++++++++++++++ 4 files changed, 32 insertions(+), 20 deletions(-) delete mode 100644 roles/matrix-awx/tasks/rename_variables.yml create mode 100644 roles/matrix-awx/tasks/update_variables.yml diff --git a/docs/configuring-awx-system.md b/docs/configuring-awx-system.md index f455f058..c33664c2 100644 --- a/docs/configuring-awx-system.md +++ b/docs/configuring-awx-system.md @@ -4,7 +4,7 @@ An AWX setup for managing multiple Matrix servers. This section is used in an AWX system that can create and manage multiple [Matrix](http://matrix.org/) servers. You can issue members an AWX login to their own 'organisation', which they can use to manage/configure 1 to N servers. -Members can be assigned a server from Digitalocean, or they can connect their own on-premises server. This script is free to use in a commercial context with the 'MemberPress Plus' and 'WP Oauth Sever' addons. It can also be run in a non-commercial context. +Members can be assigned a server from Digitalocean, or they can connect their own on-premises server. These playbooks are free to use in a commercial context with the 'MemberPress Plus' plugin. They can also be run in a non-commercial context. The AWX system is arranged into 'members' each with their own 'subscriptions'. After creating a subscription the user enters the 'provision stage' where they defined the URLs they will use, the servers location and whether or not there's already a website at the base domain. They then proceed onto the 'deploy stage' where they can configure their Matrix server. @@ -21,12 +21,7 @@ The following repositories allow you to copy and use this setup: [Ansible Provision Server](https://gitlab.com/GoMatrixHosting/ansible-provision-server) - Used by AWX members to perform initial configuration of their DigitalOcean or On-Premises server. - -## Testing Fork For This Playbook - -Updates to this section are trailed here: - -[GoMatrixHosting Matrix Docker Ansible Deploy](https://gitlab.com/GoMatrixHosting/matrix-docker-ansible-deploy) +[GMHosting External Tools](https://gitlab.com/GoMatrixHosting/gmhosting-external-tools) - Extra tools we run outside of AWX, some of which are experimental. ## Does I need an AWX setup to use this? How do I configure it? @@ -38,7 +33,6 @@ For simpler installation steps you can use to get started with this system, chec ## Does I need a front-end WordPress site? And a DigitalOcean account? -You do not need a front-end WordPress site or any of the mentioned WordPress plugins to use this setup. It can be run on it's own in a non-commercial context. - -You also don't need a DigitalOcean account, but this will limit you to only being able to connect 'On-Premises' servers. +You do not need a front-end WordPress site or the MemberPress plugin to use this setup. It can be run on it's own in a non-commercial context. +You also don't need a DigitalOcean account, although this will limit you to only being able to connect 'On-Premises' servers. diff --git a/roles/matrix-awx/tasks/main.yml b/roles/matrix-awx/tasks/main.yml index adc158c7..6ac39a49 100755 --- a/roles/matrix-awx/tasks/main.yml +++ b/roles/matrix-awx/tasks/main.yml @@ -8,9 +8,9 @@ tags: - always -# Renames the variables if needed +# Renames or updates the vars.yml if needed - include_tasks: - file: "rename_variables.yml" + file: "update_variables.yml" apply: tags: always when: run_setup|bool and matrix_awx_enabled|bool diff --git a/roles/matrix-awx/tasks/rename_variables.yml b/roles/matrix-awx/tasks/rename_variables.yml deleted file mode 100644 index e664325f..00000000 --- a/roles/matrix-awx/tasks/rename_variables.yml +++ /dev/null @@ -1,8 +0,0 @@ ---- - -- name: Rename synapse presence variable - delegate_to: 127.0.0.1 - replace: - path: "/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml" - regexp: 'matrix_synapse_use_presence' - replace: 'matrix_synapse_presence_enabled' diff --git a/roles/matrix-awx/tasks/update_variables.yml b/roles/matrix-awx/tasks/update_variables.yml new file mode 100644 index 00000000..9818a9c2 --- /dev/null +++ b/roles/matrix-awx/tasks/update_variables.yml @@ -0,0 +1,26 @@ +--- + +- name: Rename synapse presence variable + delegate_to: 127.0.0.1 + replace: + path: "/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml" + regexp: 'matrix_synapse_use_presence' + replace: 'matrix_synapse_presence_enabled' + +- name: Generate matrix_homeserver_generic_secret_key variable + delegate_to: 127.0.0.1 + command: | + openssl rand -hex 16 + register: generic_secret + no_log: True + when: ( matrix_homeserver_generic_secret_key is undefined ) or ( matrix_homeserver_generic_secret_key | length == 0 ) + +- name: Add new matrix_homeserver_generic_secret_key variable + delegate_to: 127.0.0.1 + lineinfile: + path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + line: "matrix_homeserver_generic_secret_key: {{ generic_secret.stdout }}" + insertbefore: '# Basic Settings End' + mode: '0600' + state: present + when: ( matrix_homeserver_generic_secret_key is undefined ) or ( matrix_homeserver_generic_secret_key | length == 0 ) From ac6049516632a15dbff43c14c4e831d3c03ae6c9 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 10 Jan 2022 08:40:18 +0200 Subject: [PATCH 67/71] Get rid of broken CI (ansible-lint) Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1488 Discussed here: - https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1522#issuecomment-1008381512 - https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1524#issuecomment-1008477510 --- .github/workflows/ansible-lint.yml | 22 ---------------------- 1 file changed, 22 deletions(-) delete mode 100644 .github/workflows/ansible-lint.yml diff --git a/.github/workflows/ansible-lint.yml b/.github/workflows/ansible-lint.yml deleted file mode 100644 index 2f103ff7..00000000 --- a/.github/workflows/ansible-lint.yml +++ /dev/null @@ -1,22 +0,0 @@ -name: Ansible Lint - -on: [push, pull_request] - -jobs: - build: - - runs-on: ubuntu-latest - - steps: - - uses: actions/checkout@v2 - - - name: Lint Ansible Playbook - uses: ansible/ansible-lint-action@c37fb7b4bda2c8cb18f4942716bae9f11b0dc9bc - with: - # Paths to ansible files (i.e., playbooks, tasks, handlers etc..) - targets: "./" - - override-deps: | - ansible-lint==5.3.1 - - args: "-x metadata, formatting" From 29bc22a085b5117442dcafc267fcc270e6ed6edd Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 10 Jan 2022 11:51:57 +0200 Subject: [PATCH 68/71] Add matrix_nginx_proxy_container_additional_networks Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1498 --- roles/matrix-nginx-proxy/defaults/main.yml | 9 +++++++++ .../templates/systemd/matrix-nginx-proxy.service.j2 | 4 ++++ 2 files changed, 13 insertions(+) diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index 1feea6b7..8c57928f 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -19,6 +19,15 @@ matrix_nginx_proxy_systemd_required_services_list: ['docker.service'] # List of systemd services that matrix-nginx-proxy.service wants matrix_nginx_proxy_systemd_wanted_services_list: [] +# A list of additional container networks that matrix-nginx-proxy would be connected to. +# The playbook does not create these networks, so make sure they already exist. +# +# Use this to expose matrix-nginx-proxy to another reverse proxy, which runs in a different container network, +# without exposing all other Matrix services to that other reverse-proxy. +# +# For background, see: https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1498 +matrix_nginx_proxy_container_additional_networks: [] + # A list of additional "volumes" to mount in the container. # This list gets populated dynamically at runtime. You can provide a different default value, # if you wish to mount your own files into the container. diff --git a/roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 b/roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 index 744b3924..03bc32af 100755 --- a/roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 +++ b/roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 @@ -47,6 +47,10 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-nginx-proxy \ {% endfor %} {{ matrix_nginx_proxy_docker_image }} +{% for network in matrix_nginx_proxy_container_additional_networks %} +ExecStartPost={{ matrix_host_command_sh }} -c 'attempt=0; while [ $attempt -le 29 ]; do attempt=$(( $attempt + 1 )); if [ "`docker inspect -f {{ '{{.State.Running}}' }} matrix-nginx-proxy 2> /dev/null`" = "true" ]; then break; fi; sleep 1; done; {{ matrix_host_command_docker }} network connect {{ network }} matrix-nginx-proxy' +{% endfor %} + ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-nginx-proxy 2>/dev/null' ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-nginx-proxy 2>/dev/null' ExecReload={{ matrix_host_command_docker }} exec matrix-nginx-proxy /usr/sbin/nginx -s reload From ac515b7f0953fbe03ca72323289a8eb0076a7695 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 10 Jan 2022 15:11:14 +0200 Subject: [PATCH 69/71] Fix incorrect variables being used --- roles/matrix-bridge-mautrix-signal/tasks/setup_install.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/matrix-bridge-mautrix-signal/tasks/setup_install.yml b/roles/matrix-bridge-mautrix-signal/tasks/setup_install.yml index bc6331ac..1a9b2915 100644 --- a/roles/matrix-bridge-mautrix-signal/tasks/setup_install.yml +++ b/roles/matrix-bridge-mautrix-signal/tasks/setup_install.yml @@ -30,7 +30,7 @@ name: "{{ matrix_mautrix_signal_docker_image }}" source: build force_source: "{{ matrix_mautrix_signal_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" - force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mailer_git_pull_results.changed }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mautrix_signal_git_pull_results.changed }}" build: dockerfile: Dockerfile path: "{{ matrix_mautrix_signal_docker_src_files_path }}" @@ -60,7 +60,7 @@ name: "{{ matrix_mautrix_signal_daemon_docker_image }}" source: build force_source: "{{ matrix_mautrix_signal_daemon_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" - force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mailer_git_pull_results.changed }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mautrix_signal_daemon_git_pull_results.changed }}" build: dockerfile: Dockerfile path: "{{ matrix_mautrix_signal_daemon_docker_src_files_path }}" From ad00875a6db1a0af1862fe5b1c413e28b708664c Mon Sep 17 00:00:00 2001 From: Kim Brose Date: Mon, 10 Jan 2022 16:21:39 +0100 Subject: [PATCH 70/71] Update configuring-playbook-dimension.md --- docs/configuring-playbook-dimension.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/configuring-playbook-dimension.md b/docs/configuring-playbook-dimension.md index 69ed7aa7..b938a6a3 100644 --- a/docs/configuring-playbook-dimension.md +++ b/docs/configuring-playbook-dimension.md @@ -58,7 +58,7 @@ curl -X POST --header 'Content-Type: application/json' -d '{ "type": "m.login.password" }' 'https://matrix.YOURDOMAIN/_matrix/client/r0/login' ``` -*Change the "YourDimensionUser/Pass" URL accordigly* +*Change `YourDimensionUsername`, `YourDimensionPassword`, and `YOURDOMAIN` accordingly.* **Access tokens are sensitive information. Do not include them in any bug reports, messages, or logs. Do not share the access token with anyone.** From 0fb881deb578a37ba9c3fcfc966a2282aa33d3fe Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 11 Jan 2022 08:29:11 +0200 Subject: [PATCH 71/71] Update the "wanted systemd services" list for matrix-nginx-proxy/matrix-grafana Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1517 --- group_vars/matrix_servers | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 32b0d3a8..af84d5d9 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -1467,7 +1467,21 @@ matrix_nginx_proxy_systemd_wanted_services_list: | + (['matrix-ma1sd.service'] if matrix_ma1sd_enabled else []) + + (['matrix-client-cinny.service'] if matrix_client_cinny_enabled else []) + + (['matrix-client-element.service'] if matrix_client_element_enabled else []) + + + (['matrix-client-hydrogen.service'] if matrix_client_hydrogen_enabled else []) + + + (['matrix-grafana.service'] if matrix_grafana_enabled else []) + + + (['matrix-dimension.service'] if matrix_dimension_enabled else []) + + + (['matrix-sygnal.service'] if matrix_sygnal_enabled else []) + + + (['matrix-jitsi.service'] if matrix_jitsi_enabled else []) + + + (['matrix-bot-go-neb.service'] if matrix_bot_go_neb_enabled else []) }} matrix_ssl_domains_to_obtain_certificates_for: | @@ -2129,6 +2143,12 @@ matrix_grafana_dashboard_download_urls_all: | (matrix_prometheus_postgres_exporter_dashboard_urls if matrix_prometheus_postgres_exporter_enabled else []) }} +matrix_grafana_systemd_wanted_services_list: | + {{ + [] + + + (['matrix-prometheus-postgres-exporter.service'] if matrix_prometheus_postgres_exporter_enabled else []) + }} ###################################################################### #