diff --git a/.github/workflows/ansible-lint.yml b/.github/workflows/ansible-lint.yml new file mode 100644 index 00000000..32b1b977 --- /dev/null +++ b/.github/workflows/ansible-lint.yml @@ -0,0 +1,22 @@ +name: Ansible Lint + +on: [push, pull_request] + +jobs: + build: + + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v2 + + - name: Lint Ansible Playbook + uses: ansible/ansible-lint-action@c37fb7b4bda2c8cb18f4942716bae9f11b0dc9bc + with: + # Paths to ansible files (i.e., playbooks, tasks, handlers etc..) + targets: "./" + + override-deps: | + ansible-lint==5.3.1 + + args: "-x metadata, formatting" diff --git a/examples/caddy2/Caddyfile b/examples/caddy2/Caddyfile index c6d2841b..6370cb01 100644 --- a/examples/caddy2/Caddyfile +++ b/examples/caddy2/Caddyfile @@ -27,6 +27,10 @@ matrix.DOMAIN.tld { not path /matrix/static-files/* } + @wellknown { + path /.well-known/matrix/* + } + header { # Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" @@ -69,6 +73,15 @@ matrix.DOMAIN.tld { } } + handle @wellknown { + encode zstd gzip + root * /matrix/static-files + header Cache-Control max-age=14400 + header Content-Type application/json + header Access-Control-Allow-Origin * + file_server + } + handle { encode zstd gzip 
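Review bot: `actions/checkout@v2` in the steps list is pinned to a mutable tag while `ansible/ansible-lint-action` on the next step is pinned to a full commit SHA; pin both the same way (SHA plus the tag in a trailing comment) so a moved tag cannot silently change what the workflow runs. `args: "-x metadata, formatting"` also carries a space after the comma, so if the action splits `args` on whitespace, `formatting` reaches ansible-lint as a separate positional argument (a lint target) rather than as a second skipped rule; `args: "-x metadata,formatting"` removes the ambiguity. A short comment naming why those two rules are skipped would also help, since `-x` disables checks for the whole repository.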
@@ -102,17 +115,17 @@ element.DOMAIN.tld { # tls your@email.com header { - # Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS - Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" - # Enable cross-site filter (XSS) and tell browser to block detected attacks - X-XSS-Protection "1; mode=block" - # Prevent some browsers from MIME-sniffing a response away from the declared Content-Type - X-Content-Type-Options "nosniff" - # Disallow the site to be rendered within a frame (clickjacking protection) - X-Frame-Options "DENY" - # X-Robots-Tag - X-Robots-Tag "noindex, noarchive, nofollow" - } + # Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS + Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" + # Enable cross-site filter (XSS) and tell browser to block detected attacks + X-XSS-Protection "1; mode=block" + # Prevent some browsers from MIME-sniffing a response away from the declared Content-Type + X-Content-Type-Options "nosniff" + # Disallow the site to be rendered within a frame (clickjacking protection) + X-Frame-Options "DENY" + # X-Robots-Tag + X-Robots-Tag "noindex, noarchive, nofollow" + } handle { encode zstd gzip diff --git a/roles/matrix-awx/defaults/main.yml b/roles/matrix-awx/defaults/main.yml index fb9f56ae..1b61797e 100755 --- a/roles/matrix-awx/defaults/main.yml +++ b/roles/matrix-awx/defaults/main.yml @@ -1 +1,6 @@ matrix_awx_enabled: true + +# Defaults for 'Customise Website + Access Export' template +awx_sftp_auth_method: 'Disabled' +awx_sftp_password: '' +awx_sftp_public_key: '' diff --git a/roles/matrix-awx/tasks/purge_database_main.yml b/roles/matrix-awx/tasks/purge_database_main.yml index 1e16c4ad..f29061fb 100644 --- a/roles/matrix-awx/tasks/purge_database_main.yml +++ b/roles/matrix-awx/tasks/purge_database_main.yml 
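Review bot: The new `awx_sftp_auth_method: 'Disabled'` default gives no hint of the other accepted values, and the tasks that consume it are not on this page; a comment such as `# Accepted values: <list the options the template offers>` next to it would let operators set it without reading the consuming template. `awx_sftp_password` is a credential with an empty default, so the comment should also say it is expected to arrive from the AWX survey rather than be committed, and that any task echoing it needs `no_log`.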
@@ -29,9 +29,9 @@ when: (awx_purge_mode.find("No local users [recommended]") != -1) or (awx_purge_mode.find("Number of users [slower]") != -1) or (awx_purge_mode.find("Number of events [slower]") != -1) register: awx_synapse_container_ip -- name: Collect access token for @_janitor user +- name: Collect access token for @admin-janitor user shell: | - curl -X POST -d '{"type":"m.login.password", "user":"_janitor", "password":"{{ awx_janitor_user_password }}"}' "{{ awx_synapse_container_ip.stdout }}:{{ matrix_synapse_container_client_api_port }}/_matrix/client/r0/login" | jq '.access_token' + curl -X POST -d '{"type":"m.login.password", "user":"admin-janitor", "password":"{{ awx_janitor_user_password }}"}' "{{ awx_synapse_container_ip.stdout }}:{{ matrix_synapse_container_client_api_port }}/_matrix/client/r0/login" | jq '.access_token' when: (awx_purge_mode.find("No local users [recommended]") != -1) or (awx_purge_mode.find("Number of users [slower]") != -1) or (awx_purge_mode.find("Number of events [slower]") != -1) register: awx_janitors_token no_log: True diff --git a/roles/matrix-awx/tasks/purge_media_main.yml b/roles/matrix-awx/tasks/purge_media_main.yml index 59e0d89c..c836d16c 100644 --- a/roles/matrix-awx/tasks/purge_media_main.yml +++ b/roles/matrix-awx/tasks/purge_media_main.yml 
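Review bot: The login in the rewritten `curl` line now targets `admin-janitor`, but the account is only registered in awx_post.yml (further down this page) `when: not awx_janitor_user_created|bool`, so an existing deployment whose flag is already true keeps its `@_janitor` account and this token request fails against the new name; the `_dimension` and `_mjolnir` renames in purge_media_main.yml, set_variables_dimension.yml and awx_post.yml have the same gap, which needs either a migration step or a reset of the `*_user_created` flags. Separately, `awx_janitor_user_password` is interpolated into a JSON literal inside a shell string, so a password containing `"` or `\` breaks the request or the shell quoting; the `uri` module with `body_format: json` and `no_log: True` would avoid both layers of quoting.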
@@ -21,9 +21,9 @@ shell: "/usr/bin/docker inspect --format '{''{range.NetworkSettings.Networks}''}{''{.IPAddress}''}{''{end}''}' matrix-synapse" register: awx_synapse_container_ip -- name: Collect access token for @_janitor user +- name: Collect access token for @admin-janitor user shell: | - curl -XPOST -d '{"type":"m.login.password", "user":"_janitor", "password":"{{ awx_janitor_user_password }}"}' "{{ awx_synapse_container_ip.stdout }}:{{ matrix_synapse_container_client_api_port }}/_matrix/client/r0/login" | jq '.access_token' + curl -XPOST -d '{"type":"m.login.password", "user":"admin-janitor", "password":"{{ awx_janitor_user_password }}"}' "{{ awx_synapse_container_ip.stdout }}:{{ matrix_synapse_container_client_api_port }}/_matrix/client/r0/login" | jq '.access_token' register: awx_janitors_token no_log: True diff --git a/roles/matrix-awx/tasks/self_check.yml b/roles/matrix-awx/tasks/self_check.yml index 510b9f9e..a7b0cb3a 100644 --- a/roles/matrix-awx/tasks/self_check.yml +++ b/roles/matrix-awx/tasks/self_check.yml @@ -50,12 +50,14 @@ - name: Calculate size of local media repository shell: du -sh /matrix/synapse/storage/media-store/local* register: awx_local_media_size_stat + async: 600 ignore_errors: yes no_log: True - name: Calculate size of remote media repository shell: du -sh /matrix/synapse/storage/media-store/remote* register: awx_remote_media_size_stat + async: 600 ignore_errors: yes no_log: True diff --git a/roles/matrix-awx/tasks/set_variables_dimension.yml b/roles/matrix-awx/tasks/set_variables_dimension.yml index 0db01c57..eee4e6f2 100644 --- a/roles/matrix-awx/tasks/set_variables_dimension.yml +++ b/roles/matrix-awx/tasks/set_variables_dimension.yml 
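Review bot: `async: 600` is added without a `poll`, so Ansible still waits synchronously (polling at its default interval) and now fails the task outright once the 600 s budget is exhausted; because `ignore_errors: yes` swallows that failure, `awx_local_media_size_stat` and `awx_remote_media_size_stat` can lack `stdout` downstream, which any consumer of these results should guard with `is defined`. Style-wise the touched tasks mix `ignore_errors: yes` with `no_log: True`; the ansible-lint workflow introduced in this same commit will likely flag both spellings, so `ignore_errors: true` / `no_log: true` keeps them clean.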
@@ -12,9 +12,9 @@ - curl state: present -- name: Collect access token of @_dimension user +- name: Collect access token of @admin-dimension user shell: | - curl -X POST --header 'Content-Type: application/json' -d '{ "identifier": { "type": "m.id.user","user": "_dimension" }, "password": "{{ awx_dimension_user_password }}", "type": "m.login.password"}' 'https://matrix.{{ matrix_domain }}/_matrix/client/r0/login' | jq -c '. | {access_token}' | sed 's/.*\":\"//' | sed 's/\"}//' + curl -X POST --header 'Content-Type: application/json' -d '{ "identifier": { "type": "m.id.user","user": "admin-dimension" }, "password": "{{ awx_dimension_user_password }}", "type": "m.login.password"}' 'https://matrix.{{ matrix_domain }}/_matrix/client/r0/login' | jq -c '. | {access_token}' | sed 's/.*\":\"//' | sed 's/\"}//' register: awx_dimension_user_access_token - name: Record Synapse variables locally on AWX diff --git a/roles/matrix-client-element/defaults/main.yml b/roles/matrix-client-element/defaults/main.yml index 28412a26..7853292a 100644 --- a/roles/matrix-client-element/defaults/main.yml +++ b/roles/matrix-client-element/defaults/main.yml @@ -7,7 +7,7 @@ matrix_client_element_container_image_self_build_repo: "https://github.com/vecto # - https://github.com/vector-im/element-web/issues/19544 matrix_client_element_container_image_self_build_low_memory_system_patch_enabled: "{{ ansible_memtotal_mb < 4096 }}" -matrix_client_element_version: v1.9.7 +matrix_client_element_version: v1.9.8 matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:{{ matrix_client_element_version }}" matrix_client_element_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_client_element_docker_image_force_pull: "{{ matrix_client_element_docker_image.endswith(':latest') }}" 
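Review bot: The rewritten `curl` task has no `no_log`, unlike the janitor token tasks in purge_database_main.yml and purge_media_main.yml, so the rendered command containing `awx_dimension_user_password` and the registered `awx_dimension_user_access_token` are both written to the AWX job output; add `no_log: True` directly after `register: awx_dimension_user_access_token`. The password is also embedded in a JSON literal inside the shell string, so a value containing `"` or `\` would break the request; the `uri` module with `body_format: json` would avoid that.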
diff --git a/roles/matrix-common-after/tasks/awx_post.yml b/roles/matrix-common-after/tasks/awx_post.yml index 278855fb..9c472ca3 100644 --- a/roles/matrix-common-after/tasks/awx_post.yml +++ b/roles/matrix-common-after/tasks/awx_post.yml @@ -1,11 +1,11 @@ --- -- name: Create user account @_janitor +- name: Create user account @admin-janitor command: | - /usr/local/bin/matrix-synapse-register-user _janitor {{ awx_janitor_user_password | quote }} 1 + /usr/local/bin/matrix-synapse-register-user admin-janitor {{ awx_janitor_user_password | quote }} 1 register: cmd when: not awx_janitor_user_created|bool - no_log: True + no_log: false - name: Update AWX janitor user created variable delegate_to: 127.0.0.1 @@ -18,12 +18,12 @@ 'awx_janitor_user_created': 'true' when: not awx_janitor_user_created|bool -- name: Create user account @_dimension +- name: Create user account @admin-dimension command: | - /usr/local/bin/matrix-synapse-register-user _dimension {{ awx_dimension_user_password | quote }} 0 + /usr/local/bin/matrix-synapse-register-user admin-dimension {{ awx_dimension_user_password | quote }} 0 register: cmd when: not awx_dimension_user_created|bool - no_log: True + no_log: false - name: Update AWX dimension user created variable delegate_to: 127.0.0.1 @@ -36,12 +36,12 @@ 'awx_dimension_user_created': 'true' when: not awx_dimension_user_created|bool -- name: Create user account @_mjolnir +- name: Create user account @admin-mjolnir command: | - /usr/local/bin/matrix-synapse-register-user _mjolnir {{ awx_mjolnir_user_password | quote }} 0 + /usr/local/bin/matrix-synapse-register-user admin-mjolnir {{ awx_mjolnir_user_password | quote }} 0 register: cmd when: not awx_mjolnir_user_created|bool - no_log: True + no_log: false - name: Update AWX dimension user created variable delegate_to: 127.0.0.1 diff --git a/roles/matrix-coturn/defaults/main.yml b/roles/matrix-coturn/defaults/main.yml index b845e9ee..4d7ccf6b 100644 --- a/roles/matrix-coturn/defaults/main.yml 
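Review bot: Switching `no_log: True` to `no_log: false` on the `matrix-synapse-register-user` task writes the full command line, including `awx_janitor_user_password`, to the AWX job output and any Ansible log; the second and third hunks (`@@ -18,12 +18,12 @@`, `@@ -36,12 +36,12 @@`) do the same for `awx_dimension_user_password` and `awx_mjolnir_user_password`. If the goal was visibility into registration failures, keep `no_log: True` here and add a separate `debug` task that prints only `cmd.rc` when it is non-zero, which gives the signal without exposing the secret. If the flip is intentional, a comment stating why is the minimum.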
+++ b/roles/matrix-coturn/defaults/main.yml @@ -5,7 +5,7 @@ matrix_coturn_container_image_self_build_repo: "https://github.com/coturn/coturn matrix_coturn_container_image_self_build_repo_version: "docker/{{ matrix_coturn_version }}" matrix_coturn_container_image_self_build_repo_dockerfile_path: "docker/coturn/alpine/Dockerfile" -matrix_coturn_version: 4.5.2-r4 +matrix_coturn_version: 4.5.2-r8 matrix_coturn_docker_image: "{{ matrix_coturn_docker_image_name_prefix }}coturn/coturn:{{ matrix_coturn_version }}-alpine" matrix_coturn_docker_image_name_prefix: "{{ 'localhost/' if matrix_coturn_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_coturn_docker_image_force_pull: "{{ matrix_coturn_docker_image.endswith(':latest') }}" diff --git a/roles/matrix-grafana/defaults/main.yml b/roles/matrix-grafana/defaults/main.yml index 37202d6d..f802d2e5 100644 --- a/roles/matrix-grafana/defaults/main.yml +++ b/roles/matrix-grafana/defaults/main.yml @@ -3,7 +3,7 @@ matrix_grafana_enabled: false -matrix_grafana_version: 8.3.1 +matrix_grafana_version: 8.3.3 matrix_grafana_docker_image: "{{ matrix_container_global_registry_prefix }}grafana/grafana:{{ matrix_grafana_version }}" matrix_grafana_docker_image_force_pull: "{{ matrix_grafana_docker_image.endswith(':latest') }}" diff --git a/roles/matrix-jitsi/defaults/main.yml b/roles/matrix-jitsi/defaults/main.yml index b1002a7f..3f61f4ff 100644 --- a/roles/matrix-jitsi/defaults/main.yml +++ b/roles/matrix-jitsi/defaults/main.yml @@ -8,6 +8,7 @@ matrix_jitsi_enable_recording: false matrix_jitsi_enable_transcriptions: false matrix_jitsi_enable_p2p: true matrix_jitsi_enable_av_moderation: true +matrix_jitsi_enable_breakout_rooms: true # Authentication type, must be one of internal, jwt or ldap. # Currently only internal and ldap mechanisms are supported by this playbook. 
@@ -67,7 +68,7 @@ matrix_jitsi_jibri_recorder_password: '' matrix_jitsi_enable_lobby: false -matrix_jitsi_version: stable-6726 +matrix_jitsi_version: stable-6726-1 matrix_jitsi_container_image_tag: "{{ matrix_jitsi_version }}" # for backward-compatibility matrix_jitsi_web_docker_image: "{{ matrix_container_global_registry_prefix }}jitsi/web:{{ matrix_jitsi_container_image_tag }}" @@ -76,6 +77,7 @@ matrix_jitsi_web_docker_image_force_pull: "{{ matrix_jitsi_web_docker_image.ends matrix_jitsi_web_base_path: "{{ matrix_base_data_path }}/jitsi/web" matrix_jitsi_web_config_path: "{{ matrix_jitsi_web_base_path }}/config" matrix_jitsi_web_transcripts_path: "{{ matrix_jitsi_web_base_path }}/transcripts" +matrix_jitsi_web_crontabs_path: "{{ matrix_jitsi_web_base_path }}/crontabs" matrix_jitsi_web_public_url: "https://{{ matrix_server_fqn_jitsi }}" diff --git a/roles/matrix-jitsi/tasks/setup_jitsi_web.yml b/roles/matrix-jitsi/tasks/setup_jitsi_web.yml index 4fdcc67b..d734be08 100644 --- a/roles/matrix-jitsi/tasks/setup_jitsi_web.yml +++ b/roles/matrix-jitsi/tasks/setup_jitsi_web.yml @@ -15,6 +15,7 @@ - { path: "{{ matrix_jitsi_web_base_path }}", when: true } - { path: "{{ matrix_jitsi_web_config_path }}", when: true } - { path: "{{ matrix_jitsi_web_transcripts_path }}", when: true } + - { path: "{{ matrix_jitsi_web_crontabs_path }}", when: true } when: matrix_jitsi_enabled|bool and item.when - name: Ensure jitsi-web Docker image is pulled diff --git a/roles/matrix-jitsi/templates/jicofo/env.j2 b/roles/matrix-jitsi/templates/jicofo/env.j2 index 687df714..1f2cb68c 100644 --- a/roles/matrix-jitsi/templates/jicofo/env.j2 +++ b/roles/matrix-jitsi/templates/jicofo/env.j2 @@ -9,6 +9,7 @@ ENABLE_CODEC_H264 ENABLE_OCTO ENABLE_RECORDING ENABLE_SCTP +ENABLE_AUTO_LOGIN JICOFO_AUTH_USER={{ matrix_jitsi_jicofo_auth_user }} JICOFO_AUTH_PASSWORD={{ matrix_jitsi_jicofo_auth_password }} JICOFO_ENABLE_BRIDGE_HEALTH_CHECKS 
@@ -26,6 +27,9 @@ JIGASI_SIP_URI JVB_BREWERY_MUC={{ matrix_jitsi_jvb_brewery_muc }} MAX_BRIDGE_PARTICIPANTS OCTO_BRIDGE_SELECTION_STRATEGY +SENTRY_DSN="${JICOFO_SENTRY_DSN:-0}" +SENTRY_ENVIRONMENT +SENTRY_RELEASE TZ={{ matrix_jitsi_timezone }} XMPP_DOMAIN={{ matrix_jitsi_xmpp_domain }} XMPP_AUTH_DOMAIN={{ matrix_jitsi_xmpp_auth_domain }} diff --git a/roles/matrix-jitsi/templates/jicofo/logging.properties.j2 b/roles/matrix-jitsi/templates/jicofo/logging.properties.j2 index 7eba95af..f69d7848 100644 --- a/roles/matrix-jitsi/templates/jicofo/logging.properties.j2 +++ b/roles/matrix-jitsi/templates/jicofo/logging.properties.j2 @@ -1,4 +1,10 @@ +{% raw %} +{{ if .Env.SENTRY_DSN | default "0" | toBool }} +handlers=java.util.logging.ConsoleHandler,io.sentry.jul.SentryHandler +{{ else }} handlers= java.util.logging.ConsoleHandler +{{ end }} +{% endraw %} java.util.logging.ConsoleHandler.level = ALL java.util.logging.ConsoleHandler.formatter = net.java.sip.communicator.util.ScLogFormatter @@ -10,6 +16,7 @@ net.sf.level=SEVERE net.java.sip.communicator.plugin.reconnectplugin.level=FINE org.ice4j.level=SEVERE org.jitsi.impl.neomedia.level=SEVERE +io.sentry.jul.SentryHandler.level=WARNING # Do not worry about missing strings net.java.sip.communicator.service.resources.AbstractResourcesService.level=SEVERE diff --git a/roles/matrix-jitsi/templates/jvb/env.j2 b/roles/matrix-jitsi/templates/jvb/env.j2 index 6edae6d4..41d343b3 100644 --- a/roles/matrix-jitsi/templates/jvb/env.j2 +++ b/roles/matrix-jitsi/templates/jvb/env.j2 @@ -1,9 +1,6 @@ +DOCKER_HOST_ADDRESS ENABLE_COLIBRI_WEBSOCKET ENABLE_OCTO -DOCKER_HOST_ADDRESS -XMPP_AUTH_DOMAIN={{ matrix_jitsi_xmpp_auth_domain }} -XMPP_INTERNAL_MUC_DOMAIN={{ matrix_jitsi_xmpp_internal_muc_domain }} -XMPP_SERVER={{ matrix_jitsi_xmpp_server }} JVB_AUTH_USER={{ matrix_jitsi_jvb_auth_user }} JVB_AUTH_PASSWORD={{ matrix_jitsi_jvb_auth_password }} JVB_BREWERY_MUC={{ matrix_jitsi_jvb_brewery_muc }} 
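Review bot: `SENTRY_DSN="${JICOFO_SENTRY_DSN:-0}"` relies on shell parameter expansion and quote stripping, which Docker's `--env-file` parser does not perform; if this template is consumed that way (the jicofo service unit is not on this page) the container receives the literal text, quotes included, and the `toBool` test in logging.properties.j2 is evaluated against that string. If the intent is "off unless the operator configures a DSN", a Jinja expression with a documented playbook variable, e.g. `SENTRY_DSN={{ matrix_jitsi_jicofo_sentry_dsn | default('0') }}` (variable name constructed here), is unambiguous; jvb/env.j2 has the same construct with `JVB_SENTRY_DSN`. A short comment that a non-zero DSN ships WARNING-and-above log records to that external endpoint would also help operators judge the data-egress implication.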
@@ -14,14 +11,21 @@ JVB_TCP_MAPPED_PORT={{ matrix_jitsi_jvb_rtp_tcp_port }} {% if matrix_jitsi_jvb_stun_servers|length > 0 %} JVB_STUN_SERVERS={{ matrix_jitsi_jvb_stun_servers|join(',') }} {% endif %} -JVB_ENABLE_APIS -JVB_WS_DOMAIN -JVB_WS_SERVER_ID -PUBLIC_URL={{ matrix_jitsi_web_public_url }} JVB_OCTO_BIND_ADDRESS JVB_OCTO_PUBLIC_ADDRESS JVB_OCTO_BIND_PORT JVB_OCTO_REGION +JVB_WS_DOMAIN +JVB_WS_SERVER_ID +PUBLIC_URL={{ matrix_jitsi_web_public_url }} +SENTRY_DSN="${JVB_SENTRY_DSN:-0}" +SENTRY_ENVIRONMENT +SENTRY_RELEASE +COLIBRI_REST_ENABLED +SHUTDOWN_REST_ENABLED TZ={{ matrix_jitsi_timezone }} +XMPP_AUTH_DOMAIN={{ matrix_jitsi_xmpp_auth_domain }} +XMPP_INTERNAL_MUC_DOMAIN={{ matrix_jitsi_xmpp_internal_muc_domain }} +XMPP_SERVER={{ matrix_jitsi_xmpp_server }} {{ matrix_jitsi_jvb_environment_variables_extension }} diff --git a/roles/matrix-jitsi/templates/jvb/logging.properties.j2 b/roles/matrix-jitsi/templates/jvb/logging.properties.j2 index 48c1e9fa..ff1d30a6 100644 --- a/roles/matrix-jitsi/templates/jvb/logging.properties.j2 +++ b/roles/matrix-jitsi/templates/jvb/logging.properties.j2 @@ -1,4 +1,10 @@ +{% raw %} +{{ if .Env.SENTRY_DSN | default "0" | toBool }} +handlers=java.util.logging.ConsoleHandler,io.sentry.jul.SentryHandler +{{ else }} handlers= java.util.logging.ConsoleHandler +{{ end }} +{% endraw %} java.util.logging.ConsoleHandler.level = ALL java.util.logging.ConsoleHandler.formatter = net.java.sip.communicator.util.ScLogFormatter @@ -8,6 +14,7 @@ net.java.sip.communicator.util.ScLogFormatter.programname=JVB .level=INFO org.jitsi.videobridge.xmpp.ComponentImpl.level=FINE +io.sentry.jul.SentryHandler.level=WARNING # All of the INFO level logs from MediaStreamImpl are unnecessary in the context of jitsi-videobridge. org.jitsi.impl.neomedia.MediaStreamImpl.level=WARNING diff --git a/roles/matrix-jitsi/templates/prosody/env.j2 b/roles/matrix-jitsi/templates/prosody/env.j2 index 70feda6e..941f2c25 100644 --- a/roles/matrix-jitsi/templates/prosody/env.j2 
+++ b/roles/matrix-jitsi/templates/prosody/env.j2 
@@ -1,44 +1,24 @@ AUTH_TYPE={{ matrix_jitsi_auth_type }} +DISABLE_POLLS ENABLE_AUTH={{ 1 if matrix_jitsi_enable_auth else 0 }} +ENABLE_AV_MODERATION={{1 if matrix_jitsi_enable_av_moderation else 0}} +ENABLE_BREAKOUT_ROOMS={{1 if matrix_jitsi_enable_breakout_rooms else 0}} ENABLE_GUESTS={{ 1 if matrix_jitsi_enable_guests else 0 }} ENABLE_LOBBY={{ 1 if matrix_jitsi_enable_lobby else 0 }} -ENABLE_AV_MODERATION={{1 if matrix_jitsi_enable_av_moderation else 0}} ENABLE_XMPP_WEBSOCKET -GLOBAL_MODULES GLOBAL_CONFIG -LDAP_URL={{ matrix_jitsi_ldap_url }} -LDAP_BASE={{ matrix_jitsi_ldap_base }} -LDAP_BINDDN={{ matrix_jitsi_ldap_binddn }} -LDAP_BINDPW={{ matrix_jitsi_ldap_bindpw }} -LDAP_FILTER={{ matrix_jitsi_ldap_filter }} -LDAP_AUTH_METHOD={{ matrix_jitsi_ldap_auth_method }} -LDAP_VERSION={{ matrix_jitsi_ldap_version }} -LDAP_USE_TLS={{ 1 if matrix_jitsi_ldap_use_tls else 0 }} -LDAP_TLS_CIPHERS={{ matrix_jitsi_ldap_tls_ciphers }} -LDAP_TLS_CHECK_PEER={{ 1 if matrix_jitsi_ldap_tls_check_peer else 0 }} -LDAP_TLS_CACERT_FILE={{ matrix_jitsi_ldap_tls_cacert_file }} -LDAP_TLS_CACERT_DIR={{ matrix_jitsi_ldap_tls_cacert_dir }} -LDAP_START_TLS={{ 1 if matrix_jitsi_ldap_start_tls else 0 }} -XMPP_DOMAIN={{ matrix_jitsi_xmpp_domain }} -XMPP_AUTH_DOMAIN={{ matrix_jitsi_xmpp_auth_domain }} -XMPP_GUEST_DOMAIN={{ matrix_jitsi_xmpp_guest_domain }} -XMPP_MUC_DOMAIN={{ matrix_jitsi_xmpp_muc_domain }} -XMPP_INTERNAL_MUC_DOMAIN={{ matrix_jitsi_xmpp_internal_muc_domain }} -XMPP_MODULES={{ matrix_jitsi_xmpp_modules }} -XMPP_MUC_MODULES= -XMPP_INTERNAL_MUC_MODULES= -XMPP_RECORDER_DOMAIN={{ matrix_jitsi_recorder_domain }} -XMPP_CROSS_DOMAIN=true +GLOBAL_MODULES +JIBRI_RECORDER_USER={{ matrix_jitsi_jibri_recorder_user }} +JIBRI_RECORDER_PASSWORD={{ matrix_jitsi_jibri_recorder_password }} +JIBRI_XMPP_USER={{ matrix_jitsi_jibri_xmpp_user }} +JIBRI_XMPP_PASSWORD={{ matrix_jitsi_jibri_xmpp_password }} JICOFO_AUTH_USER={{ matrix_jitsi_jicofo_auth_user }} JICOFO_AUTH_PASSWORD={{ 
matrix_jitsi_jicofo_auth_password }} -JVB_AUTH_USER={{ matrix_jitsi_jvb_auth_user }} -JVB_AUTH_PASSWORD={{ matrix_jitsi_jvb_auth_password }} +JICOFO_COMPONENT_SECRET JIGASI_XMPP_USER= JIGASI_XMPP_PASSWORD= -JIBRI_XMPP_USER={{ matrix_jitsi_jibri_xmpp_user }} -JIBRI_XMPP_PASSWORD={{ matrix_jitsi_jibri_xmpp_password }} -JIBRI_RECORDER_USER={{ matrix_jitsi_jibri_recorder_user }} -JIBRI_RECORDER_PASSWORD={{ matrix_jitsi_jibri_recorder_password }} +JVB_AUTH_USER={{ matrix_jitsi_jvb_auth_user }} +JVB_AUTH_PASSWORD={{ matrix_jitsi_jvb_auth_password }} JWT_APP_ID JWT_APP_SECRET JWT_ACCEPTED_ISSUERS @@ -48,6 +28,19 @@ JWT_ALLOW_EMPTY JWT_AUTH_TYPE JWT_TOKEN_AUTH_MODULE LOG_LEVEL +LDAP_AUTH_METHOD={{ matrix_jitsi_ldap_auth_method }} +LDAP_BASE={{ matrix_jitsi_ldap_base }} +LDAP_BINDDN={{ matrix_jitsi_ldap_binddn }} +LDAP_BINDPW={{ matrix_jitsi_ldap_bindpw }} +LDAP_FILTER={{ matrix_jitsi_ldap_filter }} +LDAP_VERSION={{ matrix_jitsi_ldap_version }} +LDAP_TLS_CIPHERS={{ matrix_jitsi_ldap_tls_ciphers }} +LDAP_TLS_CHECK_PEER={{ 1 if matrix_jitsi_ldap_tls_check_peer else 0 }} +LDAP_TLS_CACERT_FILE={{ matrix_jitsi_ldap_tls_cacert_file }} +LDAP_TLS_CACERT_DIR={{ matrix_jitsi_ldap_tls_cacert_dir }} +LDAP_START_TLS={{ 1 if matrix_jitsi_ldap_start_tls else 0 }} +LDAP_URL={{ matrix_jitsi_ldap_url }} +LDAP_USE_TLS={{ 1 if matrix_jitsi_ldap_use_tls else 0 }} PUBLIC_URL={{ matrix_jitsi_web_public_url }} TURN_CREDENTIALS={{ matrix_jitsi_turn_credentials }} TURN_HOST={{ matrix_jitsi_turn_host }} 
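Review bot: `ENABLE_AV_MODERATION={{1 if matrix_jitsi_enable_av_moderation else 0}}` and `ENABLE_BREAKOUT_ROOMS={{1 if matrix_jitsi_enable_breakout_rooms else 0}}` omit the spaces inside the braces that every neighbouring expression uses (`{{ 1 if matrix_jitsi_enable_auth else 0 }}`); web/env.j2's `ENABLE_BREAKOUT_ROOMS` line has the same inconsistency. The rest of this hunk is an alphabetical reorder plus the bare `DISABLE_POLLS` and `JICOFO_COMPONENT_SECRET` pass-throughs, and every removed `LDAP_*`, `XMPP_*`, `JVB_*` and `JIBRI_*` line reappears unchanged in the later hunks of this file.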
@@ -55,3 +48,13 @@ TURNS_HOST={{ matrix_jitsi_turns_host }} TURN_PORT={{ matrix_jitsi_turn_port }} TURNS_PORT={{ matrix_jitsi_turns_port }} TZ={{ matrix_jitsi_timezone }} +XMPP_DOMAIN={{ matrix_jitsi_xmpp_domain }} +XMPP_AUTH_DOMAIN={{ matrix_jitsi_xmpp_auth_domain }} +XMPP_GUEST_DOMAIN={{ matrix_jitsi_xmpp_guest_domain }} +XMPP_MUC_DOMAIN={{ matrix_jitsi_xmpp_muc_domain }} +XMPP_INTERNAL_MUC_DOMAIN={{ matrix_jitsi_xmpp_internal_muc_domain }} +XMPP_MODULES={{ matrix_jitsi_xmpp_modules }} +XMPP_MUC_MODULES= +XMPP_INTERNAL_MUC_MODULES= +XMPP_RECORDER_DOMAIN={{ matrix_jitsi_recorder_domain }} +XMPP_CROSS_DOMAIN=true diff --git a/roles/matrix-jitsi/templates/web/env.j2 b/roles/matrix-jitsi/templates/web/env.j2 index 2ff6befc..ac15c087 100644 --- a/roles/matrix-jitsi/templates/web/env.j2 +++ b/roles/matrix-jitsi/templates/web/env.j2 @@ -1,16 +1,3 @@ -ENABLE_COLIBRI_WEBSOCKET -ENABLE_FLOC=0 -ENABLE_LETSENCRYPT=0 -ENABLE_HTTP_REDIRECT=0 -ENABLE_HSTS=0 -ENABLE_XMPP_WEBSOCKET -DISABLE_HTTPS=0 -DISABLE_DEEP_LINKING -LETSENCRYPT_DOMAIN={{ matrix_server_fqn_jitsi }} -LETSENCRYPT_EMAIL={{ matrix_ssl_lets_encrypt_support_email }} -LETSENCRYPT_USE_STAGING=0 -PUBLIC_URL={{ matrix_jitsi_web_public_url }} -TZ={{ matrix_jitsi_timezone }} AMPLITUDE_ID ANALYTICS_SCRIPT_URLS ANALYTICS_WHITELISTED_EVENTS 
@@ -26,23 +13,37 @@ DEPLOYMENTINFO_ENVIRONMENT_TYPE DEPLOYMENTINFO_REGION DEPLOYMENTINFO_SHARD DEPLOYMENTINFO_USERREGION +DESKTOP_SHARING_FRAMERATE_MIN +DESKTOP_SHARING_FRAMERATE_MAX DIALIN_NUMBERS_URL DIALOUT_AUTH_URL DIALOUT_CODES_URL +DISABLE_AUDIO_LEVELS +DISABLE_DEEP_LINKING +DISABLE_HTTPS=0 +DISABLE_POLLS +DISABLE_REACTIONS DROPBOX_APPKEY DROPBOX_REDIRECT_URI DYNAMIC_BRANDING_URL ENABLE_AUDIO_PROCESSING ENABLE_AUTH={{ 1 if matrix_jitsi_enable_auth else 0 }} +ENABLE_BREAKOUT_ROOMS={{1 if matrix_jitsi_enable_breakout_rooms else 0}} ENABLE_CALENDAR +ENABLE_COLIBRI_WEBSOCKET ENABLE_FILE_RECORDING_SERVICE ENABLE_FILE_RECORDING_SERVICE_SHARING +ENABLE_FLOC=0 ENABLE_GUESTS={{ 1 if matrix_jitsi_enable_guests else 0 }} +ENABLE_HSTS=0 +ENABLE_HTTP_REDIRECT=0 ENABLE_IPV6 +ENABLE_LETSENCRYPT=0 ENABLE_LIPSYNC ENABLE_NO_AUDIO_DETECTION -ENABLE_P2P={{ 1 if matrix_jitsi_enable_p2p else 0 }} +ENABLE_NOISY_MIC_DETECTION ENABLE_PREJOIN_PAGE +ENABLE_P2P={{ 1 if matrix_jitsi_enable_p2p else 0 }} ENABLE_WELCOME_PAGE ENABLE_CLOSE_PAGE ENABLE_RECORDING={{ 1 if matrix_jitsi_enable_recording else 0 }} @@ -55,12 +56,16 @@ ENABLE_SUBDOMAINS ENABLE_TALK_WHILE_MUTED ENABLE_TCC ENABLE_TRANSCRIPTIONS={{ 1 if matrix_jitsi_enable_transcriptions else 0 }} +ENABLE_XMPP_WEBSOCKET ETHERPAD_PUBLIC_URL ETHERPAD_URL_BASE={{ (matrix_jitsi_etherpad_base + '/') if matrix_jitsi_etherpad_enabled else ''}} GOOGLE_ANALYTICS_ID GOOGLE_API_APP_CLIENT_ID INVITE_SERVICE_URL JICOFO_AUTH_USER={{ matrix_jitsi_jicofo_auth_user }} +LETSENCRYPT_DOMAIN={{ matrix_server_fqn_jitsi }} +LETSENCRYPT_EMAIL={{ matrix_ssl_lets_encrypt_support_email }} +LETSENCRYPT_USE_STAGING=0 MATOMO_ENDPOINT MATOMO_SITE_ID MICROSOFT_API_APP_CLIENT_ID 
@@ -68,29 +73,38 @@ NGINX_RESOLVER NGINX_WORKER_PROCESSES NGINX_WORKER_CONNECTIONS PEOPLE_SEARCH_URL +PUBLIC_URL={{ matrix_jitsi_web_public_url }} RESOLUTION={{ matrix_jitsi_web_config_resolution_height_ideal_and_max }} RESOLUTION_MIN={{ matrix_jitsi_web_config_resolution_height_min }} RESOLUTION_WIDTH={{ matrix_jitsi_web_config_resolution_width_ideal_and_max }} RESOLUTION_WIDTH_MIN={{ matrix_jitsi_web_config_resolution_width_min }} -START_AUDIO_ONLY START_AUDIO_MUTED={{ matrix_jitsi_web_config_start_audio_muted_after_nth_participant }} -START_WITH_AUDIO_MUTED -START_SILENT -DISABLE_AUDIO_LEVELS -ENABLE_NOISY_MIC_DETECTION +START_AUDIO_ONLY START_BITRATE -DESKTOP_SHARING_FRAMERATE_MIN -DESKTOP_SHARING_FRAMERATE_MAX +START_SILENT +START_WITH_AUDIO_MUTED START_VIDEO_MUTED={{ matrix_jitsi_web_config_start_video_muted_after_nth_participant }} START_WITH_VIDEO_MUTED TESTING_CAP_SCREENSHARE_BITRATE TESTING_OCTO_PROBABILITY +TOKEN_AUTH_URL +TZ={{ matrix_jitsi_timezone }} +VIDEOQUALITY_BITRATE_H264_LOW +VIDEOQUALITY_BITRATE_H264_STANDARD +VIDEOQUALITY_BITRATE_H264_HIGH +VIDEOQUALITY_BITRATE_VP8_LOW +VIDEOQUALITY_BITRATE_VP8_STANDARD +VIDEOQUALITY_BITRATE_VP8_HIGH +VIDEOQUALITY_BITRATE_VP9_LOW +VIDEOQUALITY_BITRATE_VP9_STANDARD +VIDEOQUALITY_BITRATE_VP9_HIGH +VIDEOQUALITY_ENFORCE_PREFERRED_CODEC +VIDEOQUALITY_PREFERRED_CODEC XMPP_AUTH_DOMAIN={{ matrix_jitsi_xmpp_auth_domain }} XMPP_BOSH_URL_BASE={{ matrix_jitsi_xmpp_bosh_url_base }} XMPP_DOMAIN={{ matrix_jitsi_xmpp_domain }} XMPP_GUEST_DOMAIN={{ matrix_jitsi_xmpp_guest_domain }} XMPP_MUC_DOMAIN={{ matrix_jitsi_xmpp_muc_domain }} XMPP_RECORDER_DOMAIN={{ matrix_jitsi_recorder_domain }} -TOKEN_AUTH_URL {{ matrix_jitsi_web_environment_variables_extension }} diff --git a/roles/matrix-jitsi/templates/web/matrix-jitsi-web.service.j2 b/roles/matrix-jitsi/templates/web/matrix-jitsi-web.service.j2 index 5d386361..35bfca67 100644 --- a/roles/matrix-jitsi/templates/web/matrix-jitsi-web.service.j2 
+++ b/roles/matrix-jitsi/templates/web/matrix-jitsi-web.service.j2 @@ -23,6 +23,7 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-jitsi-web \ {% endif %} --mount type=bind,src={{ matrix_jitsi_web_config_path }},dst=/config \ --mount type=bind,src={{ matrix_jitsi_web_transcripts_path }},dst=/usr/share/jitsi-meet/transcripts \ + --mount type=bind,src={{ matrix_jitsi_web_crontabs_path }},dst=/var/spool/cron/crontabs \ {% for arg in matrix_jitsi_web_container_extra_arguments %} {{ arg }} \ {% endfor %} diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index a2a2a6b9..7eeb39ff 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -442,7 +442,14 @@ matrix_ssl_domains_to_obtain_certificates_for: "{{ matrix_ssl_additional_domains matrix_ssl_additional_domains_to_obtain_certificates_for: [] # Controls whether to obtain production or staging certificates from Let's Encrypt. +# If you'd like to use another ACME Certificate Authority server (not Let's Encrypt), use `matrix_ssl_lets_encrypt_server` matrix_ssl_lets_encrypt_staging: false + +# Controls from which Certificate Authority server to retrieve the SSL certificates (passed as a `--server` flag to Certbot). +# By default, we use the Let's Encrypt production environment (use `matrix_ssl_lets_encrypt_staging` for using the staging environment). +# Learn more here: https://eff-certbot.readthedocs.io/en/stable/using.html#changing-the-acme-server +matrix_ssl_lets_encrypt_server: '' + matrix_ssl_lets_encrypt_certbot_docker_image: "{{ matrix_container_global_registry_prefix }}certbot/certbot:{{ matrix_ssl_architecture }}-v1.21.0" matrix_ssl_lets_encrypt_certbot_docker_image_force_pull: "{{ matrix_ssl_lets_encrypt_certbot_docker_image.endswith(':latest') }}" matrix_ssl_lets_encrypt_certbot_standalone_http_port: 2402 
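Review bot: The new `--mount` bind-mounts a host directory onto the container's `/var/spool/cron/crontabs`, the cron spool inside the image, so whatever is writable there on the host becomes scheduled execution inside the jitsi-web container; the directory is created in setup_jitsi_web.yml earlier on this page but its owner and mode are not visible there, so confirm it is owned by the container's user with no group/other write access. A comment on this line explaining why the spool must persist on the host would help the next reader, since the image's Let's Encrypt integration is disabled via `ENABLE_LETSENCRYPT=0` in web/env.j2 and the need is not obvious.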
diff --git a/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml b/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml index 4639f122..d4aab6e4 100644 --- a/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml +++ b/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml @@ -42,6 +42,7 @@ --non-interactive --work-dir=/tmp --http-01-port 8080 + {% if matrix_ssl_lets_encrypt_server %}--server={{ matrix_ssl_lets_encrypt_server|quote }}{% endif %} {% if matrix_ssl_lets_encrypt_staging %}--staging{% endif %} --standalone --preferred-challenges http @@ -70,6 +71,7 @@ --non-interactive --work-dir=/tmp --http-01-port 8080 + {% if matrix_ssl_lets_encrypt_server %}--server={{ matrix_ssl_lets_encrypt_server|quote }}{% endif %} {% if matrix_ssl_lets_encrypt_staging %}--staging{% endif %} --standalone --preferred-challenges http diff --git a/roles/matrix-synapse-admin/defaults/main.yml b/roles/matrix-synapse-admin/defaults/main.yml index 069b6279..6d20d20f 100644 --- a/roles/matrix-synapse-admin/defaults/main.yml +++ b/roles/matrix-synapse-admin/defaults/main.yml @@ -8,7 +8,7 @@ matrix_synapse_admin_container_self_build_repo: "https://github.com/Awesome-Tech matrix_synapse_admin_docker_src_files_path: "{{ matrix_base_data_path }}/synapse-admin/docker-src" -matrix_synapse_admin_version: 0.8.1 +matrix_synapse_admin_version: 0.8.4 matrix_synapse_admin_docker_image: "{{ matrix_synapse_admin_docker_image_name_prefix }}awesometechnologies/synapse-admin:{{ matrix_synapse_admin_version }}" matrix_synapse_admin_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_admin_container_self_build else matrix_container_global_registry_prefix }}" matrix_synapse_admin_docker_image_force_pull: "{{ matrix_synapse_admin_docker_image.endswith(':latest') }}" diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index e888ac92..d2d04841 100644 
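Review bot: When `matrix_ssl_lets_encrypt_server` is non-empty and `matrix_ssl_lets_encrypt_staging` is also true, the rendered command carries both `--server=…` and `--staging`; certbot resolves `--staging` to its own staging endpoint and, as far as I recall, rejects the pair as conflicting, so at best the intended CA is ambiguous. Either extend the defaults comment for `matrix_ssl_lets_encrypt_server` to say that `matrix_ssl_lets_encrypt_staging` must remain false when it is set, or add a validation task that fails early when both are set; the second hunk (`@@ -70,6 +71,7 @@`) has the same interaction. The `|quote` filter on the server URL is right, since the value ends up in a shell argument list.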
--- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -15,8 +15,8 @@ matrix_synapse_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_cont # amd64 gets released first. # arm32 relies on self-building, so the same version can be built immediately. # arm64 users need to wait for a prebuilt image to become available. -matrix_synapse_version: v1.48.0 -matrix_synapse_version_arm64: v1.48.0 +matrix_synapse_version: v1.49.0 +matrix_synapse_version_arm64: v1.49.0 matrix_synapse_docker_image_tag: "{{ matrix_synapse_version if matrix_architecture in ['arm32', 'amd64'] else matrix_synapse_version_arm64 }}" matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}" @@ -321,6 +321,9 @@ matrix_synapse_push_include_content: true # URLs shared by users. matrix_synapse_url_preview_enabled: true +# A list of values for the Accept-Language HTTP header used when downloading webpages during URL preview generation +matrix_url_preview_accept_language: ['en-US', 'en'] + # Enable exposure of metrics to Prometheus # See https://github.com/matrix-org/synapse/blob/master/docs/metrics-howto.md matrix_synapse_metrics_enabled: false diff --git a/roles/matrix-synapse/tasks/synapse/workers/setup_uninstall.yml b/roles/matrix-synapse/tasks/synapse/workers/setup_uninstall.yml index 4a90bfa6..d0440d22 100644 --- a/roles/matrix-synapse/tasks/synapse/workers/setup_uninstall.yml +++ b/roles/matrix-synapse/tasks/synapse/workers/setup_uninstall.yml @@ -8,6 +8,7 @@ name: "{{ item.key }}" state: stopped with_dict: "{{ ansible_facts.services|default({})|dict2items|selectattr('key', 'match', 'matrix-synapse-worker-.+\\.service')|list|items2dict }}" + when: "item.value['status'] != 'not-found'" # see https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1461 - name: Find worker configs to be cleaned find: 
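Review bot: `matrix_url_preview_accept_language` drops the `matrix_synapse_` prefix that every other variable in this defaults file carries (`matrix_synapse_url_preview_enabled` immediately above it); a later rename is a breaking change for users' `vars.yml`, so settling it now as `matrix_synapse_url_preview_accept_language` and referencing that from homeserver.yaml.j2 is cheaper. The comment could also mention that entries may carry a `;q=` weight, as the commented examples in the template show.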
diff --git a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 index 3e289b0c..e384853c 100644 --- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 @@ -1149,8 +1149,7 @@ max_spider_size: 10M # - fr;q=0.8 # - *;q=0.7 # -url_preview_accept_language: -# - en +url_preview_accept_language: {{ matrix_url_preview_accept_language|to_json }} ## Captcha ## 
@@ -1227,6 +1226,46 @@ enable_registration: {{ matrix_synapse_enable_registration|to_json }} # #session_lifetime: 24h +# Time that an access token remains valid for, if the session is +# using refresh tokens. +# For more information about refresh tokens, please see the manual. +# Note that this only applies to clients which advertise support for +# refresh tokens. +# +# Note also that this is calculated at login time and refresh time: +# changes are not applied to existing sessions until they are refreshed. +# +# By default, this is 5 minutes. +# +#refreshable_access_token_lifetime: 5m + +# Time that a refresh token remains valid for (provided that it is not +# exchanged for another one first). +# This option can be used to automatically log-out inactive sessions. +# Please see the manual for more information. +# +# Note also that this is calculated at login time and refresh time: +# changes are not applied to existing sessions until they are refreshed. +# +# By default, this is infinite. +# +#refresh_token_lifetime: 24h + +# Time that an access token remains valid for, if the session is NOT +# using refresh tokens. +# Please note that not all clients support refresh tokens, so setting +# this to a short value may be inconvenient for some users who will +# then be logged out frequently. +# +# Note also that this is calculated at login time: changes are not applied +# retrospectively to existing sessions for users that have already logged in. +# +# By default, this is infinite. +# +#nonrefreshable_access_token_lifetime: 24h + +# The user must provide all of the below types of 3PID when registering. + # The user must provide all of the below types of 3PID when registering. # #registrations_require_3pid: diff --git a/roles/matrix-synapse/vars/workers.yml b/roles/matrix-synapse/vars/workers.yml index def223f8..1a279ad6 100644 --- a/roles/matrix-synapse/vars/workers.yml +++ b/roles/matrix-synapse/vars/workers.yml 
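Review bot: The last added line, `+# The user must provide all of the below types of 3PID when registering.`, followed by a blank `+` line, duplicates the unchanged context line that immediately follows it, so the rendered homeserver.yaml now carries that sentence twice; drop the added copy and its trailing blank line. The three new `*_lifetime` blocks are commented-out documentation only and change no behaviour.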
@@ -33,7 +33,7 @@ matrix_synapse_workers_generic_worker_endpoints: - ^/_matrix/federation/v1/get_groups_publicised$ - ^/_matrix/key/v2/query - ^/_matrix/federation/unstable/org.matrix.msc2946/spaces/ - - ^/_matrix/federation/unstable/org.matrix.msc2946/hierarchy/ + - ^/_matrix/federation/(v1|unstable/org.matrix.msc2946)/hierarchy/ # Inbound federation transaction request - ^/_matrix/federation/v1/send/ @@ -46,7 +46,7 @@ matrix_synapse_workers_generic_worker_endpoints: - ^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/members$ - ^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/state$ - ^/_matrix/client/unstable/org.matrix.msc2946/rooms/.*/spaces$ - - ^/_matrix/client/unstable/org.matrix.msc2946/rooms/.*/hierarchy$ + - ^/_matrix/client/(v1|unstable/org.matrix.msc2946)/rooms/.*/hierarchy$ - ^/_matrix/client/unstable/im.nheko.summary/rooms/.*/summary$ - ^/_matrix/client/(api/v1|r0|v3|unstable)/account/3pid$ - ^/_matrix/client/(api/v1|r0|v3|unstable)/devices$